From f1326d79b755f621ac36d3cf874dd917c7d46f1a Mon Sep 17 00:00:00 2001
From: Felix Dittrich
Date: Fri, 17 May 2024 14:55:12 +0200
Subject: [PATCH] Add Group Name Mapping Add Group DenyList
---
 .../config/KdsConfigProperties.java | 3 ++
 .../service/did/DidTrustListService.java | 20 ++++++++--
 src/main/resources/application.yml | 5 +++
 .../service/DidTrustListServiceTest.java | 40 +++++++++++++------
 src/test/resources/application.yml | 5 ++-
 5 files changed, 56 insertions(+), 17 deletions(-)
diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java b/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java
index 18d302c..18b8190 100644
--- a/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java
+++ b/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java
@@ -116,6 +116,9 @@ public static class DidConfig {
 private DgcGatewayConnectorConfigProperties.KeyStoreWithAlias localKeyStore = new DgcGatewayConnectorConfigProperties.KeyStoreWithAlias();
+
+ private List groupDenyList = new ArrayList<>();
+ private Map groupNameMapping = new HashMap<>();
 @Getter @Setter
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java
index d59468b..7359060 100644
--- a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java
@@ -97,6 +97,7 @@ public class DidTrustListService {
 private final GitProvider gitProvider;
 private final DocumentLoader documentLoader;
+ private final KdsConfigProperties kdsConfigProperties;
 @RequiredArgsConstructor @Getter
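Review bot: The two new DidConfig fields carry no documentation, yet they are the only thing that decides which certificate groups are published into the DID trust documents, and their matching rules are split across another class (the deny list is compared case-insensitively in DidTrustListService, the name mapping is an exact-case map lookup). Both default to empty, so denial is purely opt-in through configuration and a deployment that overrides `group-deny-list` presumably replaces rather than extends the defaults. Add Javadoc stating that: `/** Groups whose certificates are never published as verification methods; matched case-insensitively. Overriding the property replaces the default list. */` on `groupDenyList`, and `/** Exact-case rename of a gateway group to the name used in the DID path (e.g. CSCA -> CSA); unmapped groups keep their name. */` on `groupNameMapping`. DidConfig starts and ends outside the hunk.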
@@ -132,8 +133,6 @@ public void job() {
 List domains = signerInformationService.getDomainsList();
 List countries = signerInformationService.getCountryList();
- // TODO: Add manual mapping for groups (e.g. CSCA -> CSA)
- // TODO: Add deny list for groups (AUTHENTICATION, UPLOAD should not be contained)
 //CHECKSTYLE:OFF
 List groups = signerInformationService.getGroupList();
 //CHECKSTYLE:ON
@@ -176,7 +175,7 @@ public void job() {
 domain -> countries.forEach(
 country -> groups.forEach(
 group -> didSpecifications.add(new DidSpecification(
- List.of(domain, getParticipantCode(country), group),
+ List.of(domain, getParticipantCode(country), getMappedGroupName(group)),
 () -> signerInformationService.getCertificatesByDomainParticipantGroup(domain, country, group),
 trustedIssuerService::getAllDid)))));
@@ -206,7 +205,7 @@ private void saveDid(String containerPath, String didDocument) {
 private String generateTrustList(DidSpecification specification) {
- List signerInformationEntities = specification.getCertSupplier().get();
+ List signerInformationEntities = filterEntities(specification.getCertSupplier().get());
 List trustedIssuerEntities = specification.getIssuerSupplier().get();
 if (signerInformationEntities.isEmpty() || trustedIssuerEntities.isEmpty()) {
@@ -335,6 +334,19 @@ private void addTrustListEntry(DidTrustList trustList,
 trustList.getVerificationMethod().add(trustListEntry);
 }
+
+ private List filterEntities(List entities) {
+ return entities.stream()
+ .filter(entity -> kdsConfigProperties.getDid().getGroupDenyList().stream()
+ .noneMatch(e -> entity.getGroup().equalsIgnoreCase(e)))
+ .toList();
+ }
+
+ private String getMappedGroupName(String groupName) {
+ return kdsConfigProperties.getDid().getGroupNameMapping()
+ .computeIfAbsent(groupName, g -> g);
+ }
+
 /**
 * Search for CSCA for DSC.
 *
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index f7639cf..107810b 100644
--- a/src/main/resources/application.yml
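Review bot: Denied groups still get a DidSpecification in this loop: `groups` comes straight from `getGroupList()` and the deny list is only applied later inside `generateTrustList`, so for every domain and country an UPLOAD or AUTHENTICATION specification is still built and pushed through the pipeline (the test's expected upload count rising from 10 to 12 with three null documents looks consistent with that). Filtering the list once before the loop, e.g. `List groups = signerInformationService.getGroupList().stream().filter(g -> kdsConfigProperties.getDid().getGroupDenyList().stream().noneMatch(g::equalsIgnoreCase)).toList();`, keeps denied groups out of the DID path space entirely instead of relying on the per-document filter. The mapping is applied to the path only; if a mapping target collides with a real group name (a gateway group literally called `CSA` next to `CSCA`), two specifications would presumably share one DID path, so a duplicate-path guard or at least a comment on that assumption is worth adding. job() starts and ends outside the hunk.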
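Review bot: `getMappedGroupName` mutates the injected configuration: `computeIfAbsent(groupName, g -> g)` inserts every unmapped group into `groupNameMapping`, so a read-only lookup becomes a write into shared config state on each job run (and would throw if the bound map were ever unmodifiable); use `return kdsConfigProperties.getDid().getGroupNameMapping().getOrDefault(groupName, groupName);`. In `filterEntities` the comparison is case-insensitive while the map lookup is exact-case, which is fine but should be stated; reversing the call to `e.equalsIgnoreCase(entity.getGroup())` also avoids an NPE if an entity has no group, since the config entry is the side that is known to be non-null. Add Javadoc along the lines of `/** Drops entities whose group is on the configured deny list (case-insensitive). */` and `/** Returns the configured public name for a group, or the group itself when unmapped. */`.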
+++ b/src/main/resources/application.yml
@@ -108,3 +108,8 @@ dgc:
 XB: XXB
 XO: XXO
 XL: XCL
+ group-deny-list:
+ - AUTHENTICATION
+ - UPLOAD
+ group-name-mapping:
+ CSCA: CSA
diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java
index 865fcd4..4d41476 100644
--- a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java
+++ b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java
@@ -90,9 +90,9 @@ public class DidTrustListServiceTest {
 @MockBean DgcGatewayDownloadConnector dgcGatewayDownloadConnector;
- X509Certificate certCscaDe, certCscaEu, certDscDe, certDscEu;
+ X509Certificate certCscaDe, certCscaEu, certDscDe, certDscEu, certUploadDe;
- String certDscDeKid, certDscEuKid, certCscaDeKid, certCscaEuKid;
+ String certDscDeKid, certDscEuKid, certCscaDeKid, certCscaEuKid, certUploadDeKid;
 @AfterEach
@@ -127,6 +127,11 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception {
 signerType);
 certDscEuKid = certificateUtils.getCertKid(certDscEu);
+ certUploadDe = CertificateTestUtils.generateCertificate(keyPairGenerator.generateKeyPair(), "DE",
+ "Upload Test", certCscaDe, cscaDeKeyPair.getPrivate(),
+ signerType);
+ certUploadDeKid = certificateUtils.getCertKid(certUploadDe);
+
 signerInformationRepository.save(new SignerInformationEntity(
 null,
 certCscaDeKid,
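Review bot: This deny list is what keeps the gateway's client certificates (UPLOAD, AUTHENTICATION) from being published as verification methods in the DID trust documents, but nothing in the file says so, and an operator who overrides `group-deny-list` to add a group would, with the usual list binding, presumably replace these defaults rather than extend them and silently publish both. Add a comment above the key: `# Groups never published into DID documents (gateway client certs). Overriding replaces this list; keep AUTHENTICATION and UPLOAD.` and a matching one on `group-name-mapping`: `# Rename of gateway group names in the DID path; lookup is exact-case.` The test profile in this same patch denies only UPLOAD, so the AUTHENTICATION default is not exercised by the accompanying test.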
@@ -167,6 +172,17 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception {
 "DSC"
 ));
+ // Add Upload cert which should not be added to did
+ signerInformationRepository.save(new SignerInformationEntity(
+ null,
+ certUploadDeKid,
+ ZonedDateTime.now(),
+ Base64.getEncoder().encodeToString(certUploadDe.getEncoded()),
+ "DE",
+ "DCC",
+ "UPLOAD"
+ ));
+
 trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("DE"));
 trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("EU"));
 trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("XY"));
@@ -186,9 +202,9 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
 didTrustListService.job();
- Assertions.assertEquals(10, uploadArgumentCaptor.getAllValues().size());
+ Assertions.assertEquals(12, uploadArgumentCaptor.getAllValues().size());
- int expectedNullDid = 1;
+ int expectedNullDid = 3;
 for (byte[] uploadedDid : uploadArgumentCaptor.getAllValues()) {
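Review bot: The fixture comment says the UPLOAD certificate "should not be added to did", but the assertions changed here only count uploads and null documents; nothing visible in this patch checks that `certUploadDeKid` is absent from every non-null document, so a regression that published the UPLOAD cert under another path (the domain- or country-level documents, say) would still pass. Inside the loop over `uploadArgumentCaptor.getAllValues()`, for each non-null `uploadedDid` add `Assertions.assertFalse(new String(uploadedDid, StandardCharsets.UTF_8).contains(URLEncoder.encode(certUploadDeKid, StandardCharsets.UTF_8)), "UPLOAD cert must not be published");`. The jump from 10 to 12 uploads and 1 to 3 null DIDs also suggests that denied groups still produce (empty) documents, which is worth asserting explicitly rather than leaving implicit in the counts. testTrustList continues outside the hunk.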
@@ -251,12 +267,12 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
 assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:-:DEU#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
 certCscaDeKid, certCscaDe, null, "deu","did:web:abc:-:DEU");
 break;
- case "did:web:abc:DCC:XEU:CSCA":
- Assertions.assertEquals("did:web:abc:DCC:XEU:CSCA", parsed.getController());
+ case "did:web:abc:DCC:XEU:CSA":
+ Assertions.assertEquals("did:web:abc:DCC:XEU:CSA", parsed.getController());
 Assertions.assertEquals(4, parsed.getVerificationMethod().size());
- assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:XEU:CSCA#" + URLEncoder.encode(certCscaEuKid, StandardCharsets.UTF_8)),
- certCscaEuKid, certCscaEu, null, "xeu", "did:web:abc:DCC:XEU:CSCA");
+ assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:XEU:CSA#" + URLEncoder.encode(certCscaEuKid, StandardCharsets.UTF_8)),
+ certCscaEuKid, certCscaEu, null, "xeu", "did:web:abc:DCC:XEU:CSA");
 break;
 case "did:web:abc:DCC:DEU:DSC":
 Assertions.assertEquals("did:web:abc:DCC:DEU:DSC", parsed.getController());
@@ -265,12 +281,12 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
 assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:DSC#" + URLEncoder.encode(certDscDeKid, StandardCharsets.UTF_8)),
 certDscDeKid, certDscDe, null, "deu", "did:web:abc:DCC:DEU:DSC");
 break;
- case "did:web:abc:DCC:DEU:CSCA":
- Assertions.assertEquals("did:web:abc:DCC:DEU:CSCA", parsed.getController());
+ case "did:web:abc:DCC:DEU:CSA":
+ Assertions.assertEquals("did:web:abc:DCC:DEU:CSA", parsed.getController());
 Assertions.assertEquals(4, parsed.getVerificationMethod().size());
- assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:CSCA#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
- certCscaDeKid, certCscaDe, null, "deu", "did:web:abc:DCC:DEU:CSCA");
+ assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:CSA#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
+ certCscaDeKid, certCscaDe, null, "deu", "did:web:abc:DCC:DEU:CSA");
 break;
 case "did:web:abc:DCC:DEU":
 Assertions.assertEquals("did:web:abc:DCC:DEU", parsed.getController());
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index da9035d..de429fd 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -57,7 +57,10 @@ dgc:
 "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json
 virtualCountries:
 EU: XEU
-
+ group-deny-list:
+ - UPLOAD
+ group-name-mapping:
+ CSCA: CSA
 universal:
 resolver: "https://dev.uniresolver.io/1.0/identifiers"
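Review bot: The test profile's `group-deny-list` contains only UPLOAD, while the production default in this same patch lists AUTHENTICATION as well, so the exclusion of gateway authentication certificates is never exercised and the test no longer reflects the shipped configuration. Add `- AUTHENTICATION` here and an AUTHENTICATION-group fixture in DidTrustListServiceTest next to the UPLOAD one, so both denied groups are covered. A one-line comment such as `# mirrors the production deny list; keep in sync with src/main/resources/application.yml` would make the intended coupling visible to the next person who edits either file.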