feat: make VP request to CredentialService

eclipse-edc · paullatzelsperger · Nov 20, 2023 · Nov 15, 2023 · Nov 16, 2023 · Nov 16, 2023
commit 98ddb4226dc1e4242518a6e47ac09640dac8c912
diff --git a/extensions/common/iam/identity-trust/identity-trust-core/build.gradle.kts b/extensions/common/iam/identity-trust/identity-trust-core/build.gradle.kts
@@ -17,8 +17,9 @@ dependencies {
     implementation(project(":extensions:common:iam:identity-trust:identity-trust-sts:identity-trust-sts-embedded"))
     implementation(libs.nimbus.jwt)
 
-    testImplementation(testFixtures(project(":spi:common:identity-trust-spi")))
     testImplementation(project(":core:common:junit"))
+    testImplementation(testFixtures(project(":spi:common:identity-trust-spi")))
     testImplementation(libs.nimbus.jwt)
+    testImplementation(project(":extensions:common:json-ld"))
 }
 
diff --git a/...-core/src/main/java/org/eclipse/edc/iam/identitytrust/core/IdentityAndTrustExtension.java b/...-core/src/main/java/org/eclipse/edc/iam/identitytrust/core/IdentityAndTrustExtension.java
@@ -14,8 +14,10 @@
 
 package org.eclipse.edc.iam.identitytrust.core;
 
+import jakarta.json.Json;
 import org.eclipse.edc.iam.did.spi.resolution.DidResolverRegistry;
 import org.eclipse.edc.iam.identitytrust.IdentityAndTrustService;
+import org.eclipse.edc.iam.identitytrust.core.defaults.DefaultCredentialServiceClient;
 import org.eclipse.edc.iam.identitytrust.validation.SelfIssuedIdTokenValidator;
 import org.eclipse.edc.iam.identitytrust.verification.MultiFormatPresentationVerifier;
 import org.eclipse.edc.identitytrust.CredentialServiceClient;
@@ -41,6 +43,7 @@
 import org.eclipse.edc.verification.jwt.SelfIssuedIdTokenVerifier;
 
 import java.time.Clock;
+import java.util.Map;
 
 import static org.eclipse.edc.spi.CoreConstants.JSON_LD;
 
@@ -126,8 +129,8 @@ public JwtVerifier getJwtVerifier() {
 
     @Provider
     public CredentialServiceClient createClient(ServiceExtensionContext context) {
-        context.getMonitor().warning("Using a dummy CredentialServiceClient, that'll return null always. Don't use this in production use cases!");
-        return (csUrl, siTokenJwt, scopes) -> null;
+        return new DefaultCredentialServiceClient(httpClient, Json.createBuilderFactory(Map.of()),
+                typeManager.getMapper(JSON_LD), typeTransformerRegistry, jsonLd, context.getMonitor());
     }
 
     private String getOwnDid(ServiceExtensionContext context) {

diff --git a/.../java/org/eclipse/edc/iam/identitytrust/core/defaults/DefaultCredentialServiceClient.java b/.../java/org/eclipse/edc/iam/identitytrust/core/defaults/DefaultCredentialServiceClient.java
@@ -0,0 +1,152 @@
+/*
+ *  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.iam.identitytrust.core.defaults;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.nimbusds.jwt.SignedJWT;
+import jakarta.json.JsonBuilderFactory;
+import jakarta.json.JsonObject;
+import okhttp3.MediaType;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import org.eclipse.edc.identitytrust.CredentialServiceClient;
+import org.eclipse.edc.identitytrust.VcConstants;
+import org.eclipse.edc.identitytrust.model.CredentialFormat;
+import org.eclipse.edc.identitytrust.model.VerifiablePresentation;
+import org.eclipse.edc.identitytrust.model.VerifiablePresentationContainer;
+import org.eclipse.edc.identitytrust.model.credentialservice.PresentationQuery;
+import org.eclipse.edc.identitytrust.model.credentialservice.PresentationResponse;
+import org.eclipse.edc.jsonld.spi.JsonLd;
+import org.eclipse.edc.jsonld.spi.JsonLdKeywords;
+import org.eclipse.edc.spi.http.EdcHttpClient;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.result.AbstractResult;
+import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.transform.spi.TypeTransformerRegistry;
+
+import java.io.IOException;
+import java.text.ParseException;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.eclipse.edc.spi.result.Result.failure;
+import static org.eclipse.edc.spi.result.Result.success;
+
+public class DefaultCredentialServiceClient implements CredentialServiceClient {
+    private final EdcHttpClient httpClient;
+    private final JsonBuilderFactory jsonFactory;
+    private final ObjectMapper objectMapper;
+    private final TypeTransformerRegistry transformerRegistry;
+    private final JsonLd jsonLd;
+    private final Monitor monitor;
+
+    public DefaultCredentialServiceClient(EdcHttpClient httpClient, JsonBuilderFactory jsonFactory, ObjectMapper jsonLdMapper, TypeTransformerRegistry transformerRegistry, JsonLd jsonLd, Monitor monitor) {
+        this.httpClient = httpClient;
+        this.jsonFactory = jsonFactory;
+        this.objectMapper = jsonLdMapper.enable(DeserializationFeature.ACCEPT_SINGLE_VALUE_AS_ARRAY);
+        this.transformerRegistry = transformerRegistry;
+        this.jsonLd = jsonLd;
+        this.monitor = monitor;
+    }
+
+    @Override
+    public Result<List<VerifiablePresentationContainer>> requestPresentation(String credentialServiceUrl, String selfIssuedTokenJwt, List<String> scopes) {
+        var query = createPresentationQuery(scopes);
+
+        try {
+            var requestJson = objectMapper.writeValueAsString(query);
+            var request = new Request.Builder()
+                    .post(RequestBody.create(requestJson, MediaType.parse("application/json")))
+                    .url(credentialServiceUrl)
+                    .addHeader("Authorization", "%s".formatted(selfIssuedTokenJwt))
+                    .build();
+
+            var response = httpClient.execute(request);
+
+            var body = "";
+            if (response.body() != null) {
+                body = response.body().string();
+            }
+
+            if (response.isSuccessful() && response.body() != null) {
+                var presentationResponse = objectMapper.readValue(body, PresentationResponse.class);
+                return parseResponse(presentationResponse);
+            }
+            return failure("Presentation Query failed: HTTP %s, message: %s".formatted(response.code(), body));
+
+        } catch (IOException e) {
+            monitor.warning("Error requesting VP", e);
+            return failure("Error requesting VP: %s".formatted(e.getMessage()));
+        }
+
+    }
+
+    private Result<List<VerifiablePresentationContainer>> parseResponse(PresentationResponse presentationResponse) throws IOException {
+        var vpResults = Stream.of(presentationResponse.vpToken())
+                .map(this::parseVpToken)
+                .toList();
+
+        if (vpResults.stream().anyMatch(AbstractResult::failed)) {
+            return failure("One or more VP tokens could not be parsed. Details: %s".formatted(vpResults.stream().filter(Result::failed).map(AbstractResult::getFailureDetail).collect(Collectors.joining(","))));
+        }
+
+        return success(vpResults.stream().map(AbstractResult::getContent).toList());
+    }
+
+    private Result<VerifiablePresentationContainer> parseVpToken(Object vpObj) {
+        if (vpObj instanceof String) { // JWT VP
+            return parseJwtVp(vpObj.toString());
+        } else if (vpObj instanceof Map) { // LDP VP
+            return parseLdpVp(vpObj);
+        } else {
+            return failure("Unknown VP format: " + vpObj.getClass());
+        }
+    }
+
+    private Result<VerifiablePresentationContainer> parseLdpVp(Object vpObj) {
+        var jsonObj = objectMapper.convertValue(vpObj, JsonObject.class);
+        var rawStr = jsonObj.toString();
+
+        return jsonLd.expand(jsonObj)
+                .compose(expanded -> transformerRegistry.transform(expanded, VerifiablePresentation.class))
+                .map(vp -> new VerifiablePresentationContainer(rawStr, CredentialFormat.JSON_LD, vp));
+    }
+
+    private Result<VerifiablePresentationContainer> parseJwtVp(String rawJwt) {
+        try {
+            var jwt = SignedJWT.parse(rawJwt);
+            //todo: parse JWT VP
+            return success(new VerifiablePresentationContainer(rawJwt, CredentialFormat.JWT, null));
+        } catch (ParseException e) {
+            monitor.warning("Failed to parse JWT VP", e);
+            return failure("Failed to parse JWT VP: %s".formatted(e.getMessage()));
+        }
+    }
+
+    private JsonObject createPresentationQuery(List<String> scopes) {
+        var scopeArray = jsonFactory.createArrayBuilder();
+        scopes.forEach(scopeArray::add);
+        return jsonFactory.createObjectBuilder()
+                .add(JsonLdKeywords.CONTEXT, jsonFactory.createArrayBuilder()
+                        .add(VcConstants.PRESENTATION_EXCHANGE_URL)
+                        .add(VcConstants.IATP_CONTEXT_URL))
+                .add(JsonLdKeywords.TYPE, PresentationQuery.PRESENTATION_QUERY_TYPE_PROPERTY)
+                .add("scope", scopeArray.build())
+                .build();
+    }
+}
diff --git a/...a/org/eclipse/edc/iam/identitytrust/core/defaults/DefaultCredentialServiceClientTest.java b/...a/org/eclipse/edc/iam/identitytrust/core/defaults/DefaultCredentialServiceClientTest.java
@@ -0,0 +1,168 @@
+/*
+ *  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.iam.identitytrust.core.defaults;
+
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+import okhttp3.MediaType;
+import okhttp3.Protocol;
+import okhttp3.Response;
+import okhttp3.ResponseBody;
+import org.eclipse.edc.identitytrust.model.CredentialFormat;
+import org.eclipse.edc.identitytrust.model.CredentialSubject;
+import org.eclipse.edc.identitytrust.model.Issuer;
+import org.eclipse.edc.identitytrust.model.VerifiableCredential;
+import org.eclipse.edc.identitytrust.model.VerifiablePresentation;
+import org.eclipse.edc.jsonld.spi.JsonLd;
+import org.eclipse.edc.spi.http.EdcHttpClient;
+import org.eclipse.edc.transform.spi.TypeTransformerRegistry;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.List;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.eclipse.edc.jsonld.util.JacksonJsonLd.createObjectMapper;
+import static org.eclipse.edc.junit.testfixtures.TestUtils.getResourceFileContentAsString;
+import static org.eclipse.edc.spi.result.Result.success;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class DefaultCredentialServiceClientTest {
+
+    private static final String CS_URL = "http://test.com/cs";
+    private final EdcHttpClient httpClientMock = mock();
+    private DefaultCredentialServiceClient client;
+
+    @BeforeEach
+    void setup() {
+        var registry = mock(TypeTransformerRegistry.class);
+        when(registry.transform(isA(JsonObject.class), eq(VerifiablePresentation.class)))
+                .thenReturn(success(createPresentation()));
+        var jsonLdMock = mock(JsonLd.class);
+        when(jsonLdMock.expand(any())).thenAnswer(a -> success(a.getArgument(0)));
+        client = new DefaultCredentialServiceClient(httpClientMock, Json.createBuilderFactory(Map.of()),
+                createObjectMapper(), registry, jsonLdMock, mock());
+    }
+
+    @Test
+    @DisplayName("CS returns a single LDP-VP")
+    void requestPresentation_singleLdpVp() throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(200, getResourceFileContentAsString("single_ldp-vp.json")));
+
+        var result = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(result.succeeded()).isTrue();
+        assertThat(result.getContent()).hasSize(1).allMatch(vpc -> vpc.format() == CredentialFormat.JSON_LD);
+    }
+
+    @Test
+    @DisplayName("CS returns a single JWT-VP")
+    void requestPresentation_singleJwtVp() throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(200, getResourceFileContentAsString("single_jwt-vp.json")));
+
+        var result = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(result.succeeded()).isTrue();
+        assertThat(result.getContent()).hasSize(1).allMatch(vpc -> vpc.format() == CredentialFormat.JWT);
+    }
+
+    @Test
+    @DisplayName("CS returns multiple VPs, one LDP-VP and a JWT-VP")
+    void requestPresentationLdp_multipleVp_mixed() throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(200, getResourceFileContentAsString("multiple_vp-token_mixed.json")));
+
+        var result = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(result.succeeded()).isTrue();
+        assertThat(result.getContent()).hasSize(2)
+                .anySatisfy(vp -> assertThat(vp.format()).isEqualTo(CredentialFormat.JSON_LD))
+                .anySatisfy(vp -> assertThat(vp.format()).isEqualTo(CredentialFormat.JWT));
+    }
+
+    @Test
+    @DisplayName("CS returns multiple LDP-VPs")
+    void requestPresentation_mulipleVp_onlyLdp() throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(200, getResourceFileContentAsString("multiple_vp-token_ldp.json")));
+
+        var result = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(result.succeeded()).isTrue();
+        assertThat(result.getContent()).hasSize(2)
+                .allSatisfy(vp -> assertThat(vp.format()).isEqualTo(CredentialFormat.JSON_LD));
+    }
+
+    @Test
+    @DisplayName("CS returns multiple JWT-VPs")
+    void requestPresentation_mulipleVp_onlyJwt() throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(200, getResourceFileContentAsString("multiple_vp-token_jwt.json")));
+
+        var result = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(result.succeeded()).isTrue();
+        assertThat(result.getContent()).hasSize(2)
+                .allSatisfy(vp -> assertThat(vp.format()).isEqualTo(CredentialFormat.JWT));
+    }
+
+    @ParameterizedTest(name = "CS returns HTTP error code {0}")
+    @ValueSource(ints = { 400, 401, 403, 503, 501 })
+    void requestPresentation_csReturnsError(int httpCode) throws IOException {
+        when(httpClientMock.execute(any()))
+                .thenReturn(response(httpCode, "Test failure"));
+
+        var res = client.requestPresentation(CS_URL, "foo", List.of());
+        assertThat(res.failed()).isTrue();
+        assertThat(res.getFailureDetail()).isEqualTo("Presentation Query failed: HTTP %s, message: Test failure".formatted(httpCode));
+    }
+
+    private VerifiablePresentation createPresentation() {
+        return VerifiablePresentation.Builder.newInstance()
+                .type("VerifiablePresentation")
+                .credential(VerifiableCredential.Builder.newInstance()
+                        .issuer(new Issuer("test-issuer", Map.of()))
+                        .type("VerifiableCredential")
+                        .issuanceDate(Instant.now())
+                        .credentialSubject(CredentialSubject.Builder.newInstance()
+                                .id("test-subject")
+                                .claim("foo", "bar")
+                                .build())
+                        .build())
+                .build();
+    }
+
+    private Response response(int code, String body) {
+        return new Response.Builder()
+                .request(mock())
+                .protocol(Protocol.HTTP_2)
+                .code(code) // status code
+                .message("")
+                .body(ResponseBody.create(
+                        body,
+                        MediaType.get("application/json; charset=utf-8")
+                ))
+                .build();
+    }
+
+
+}