feat: wallet controller EDV & webkms customization

- Closes hyperledger-archives#2770 Signed-off-by: sudesh.shetty <sudesh.shetty@securekey.com>
sudeshrshetty · May 6, 2021 · 1f8a9a0 · 1f8a9a0
1 parent e929738
commit 1f8a9a0
Show file tree

Hide file tree

Showing 10 changed files with 294 additions and 110 deletions.
diff --git a/cmd/aries-agent-mobile/go.sum b/cmd/aries-agent-mobile/go.sum
@@ -174,6 +174,7 @@ github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvh
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692 h1:anEytYaCtUeVS4UpivolNp8S4ZPLIQaBrJAiZMh5CwE=
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692/go.mod h1:Vw8AblyCa1h6mVbNvbMXeZdlXVGu6Cq+TXZhD4oqvwE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=

diff --git a/cmd/aries-agent-rest/go.sum b/cmd/aries-agent-rest/go.sum
@@ -206,6 +206,7 @@ github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKe
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692 h1:anEytYaCtUeVS4UpivolNp8S4ZPLIQaBrJAiZMh5CwE=
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692/go.mod h1:Vw8AblyCa1h6mVbNvbMXeZdlXVGu6Cq+TXZhD4oqvwE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=

diff --git a/cmd/aries-js-worker/go.sum b/cmd/aries-js-worker/go.sum
@@ -174,6 +174,7 @@ github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvh
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692 h1:anEytYaCtUeVS4UpivolNp8S4ZPLIQaBrJAiZMh5CwE=
 github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20210422133815-2ef2d99cb692/go.mod h1:Vw8AblyCa1h6mVbNvbMXeZdlXVGu6Cq+TXZhD4oqvwE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=

diff --git a/pkg/controller/command/vcwallet/command.go b/pkg/controller/command/vcwallet/command.go
@@ -22,6 +22,7 @@ import (
 	"github.com/hyperledger/aries-framework-go/pkg/crypto"
 	"github.com/hyperledger/aries-framework-go/pkg/framework/aries/api/vdr"
 	"github.com/hyperledger/aries-framework-go/pkg/internal/logutil"
+	"github.com/hyperledger/aries-framework-go/pkg/kms/webkms"
 	"github.com/hyperledger/aries-framework-go/pkg/wallet"
 	"github.com/hyperledger/aries-framework-go/spi/storage"
 )
@@ -102,6 +103,28 @@ const (
 	emptyRawLength = 4
 )
 
+// HTTPHeaderSigner is for http header signing, typically used for zcapld functionality.
+type HTTPHeaderSigner interface {
+	// SignHeader header with capability.
+	SignHeader(req *http.Request, capabilityBytes []byte) (*http.Header, error)
+}
+
+// Config contains properties to customize verifiable credential wallet controller.
+// All properties of this config are optional, but they can be used to customize wallet's webkms and edv client's.
+type Config struct {
+	// EDV header signer, typically used for introducing zcapld feature.
+	EdvAuthSigner HTTPHeaderSigner
+	// Web KMS header signer, typically used for introducing zcapld feature.
+	WebKMSAuthSigner HTTPHeaderSigner
+	// option is a performance optimization that speeds up queries by getting full documents from
+	// the EDV server instead of only document locations.
+	EDVReturnFullDocumentsOnQuery bool
+	// this EDV option is a performance optimization that allows for restStore.Batch to only require one REST call.
+	EDVBatchEndpointExtensionEnabled bool
+	// Aries Web KMS cache size configuration.
+	WebKMSCacheSize int
+}
+
 // provider contains dependencies for the verifiable credential wallet command controller
 // and is typically created by using aries.Context().
 type provider interface {
@@ -113,12 +136,19 @@ type provider interface {
 
 // Command contains operations provided by verifiable credential wallet controller.
 type Command struct {
-	ctx provider
+	ctx    provider
+	config *Config
 }
 
 // New returns new verifiable credential wallet controller command instance.
-func New(p provider) *Command {
-	return &Command{ctx: p}
+func New(p provider, config *Config) *Command {
+	cmd := &Command{ctx: p, config: &Config{}}
+
+	if config != nil {
+		cmd.config = config
+	}
+
+	return cmd
 }
 
 // GetHandlers returns list of all commands supported by this controller command.
@@ -218,7 +248,7 @@ func (o *Command) Open(rw io.Writer, req io.Reader) command.Error {
 		return command.NewExecuteError(OpenWalletErrorCode, err)
 	}
 
-	token, err := vcWallet.Open(prepareUnlockOptions(request)...)
+	token, err := vcWallet.Open(prepareUnlockOptions(request, o.config)...)
 	if err != nil {
 		logutil.LogInfo(logger, CommandName, OpenMethod, err.Error())
 
@@ -586,31 +616,67 @@ func prepareProfileOptions(rqst *CreateOrUpdateProfileRequest) []wallet.ProfileO
 }
 
 // prepareUnlockOptions prepares options for unlocking wallet.
-func prepareUnlockOptions(rqst *UnlockWalletRequest) []wallet.UnlockOptions {
+func prepareUnlockOptions(rqst *UnlockWalletRequest, conf *Config) []wallet.UnlockOptions { // nolint:funlen,gocyclo
 	var options []wallet.UnlockOptions
 
 	if rqst.LocalKMSPassphrase != "" {
 		options = append(options, wallet.WithUnlockByPassphrase(rqst.LocalKMSPassphrase))
 	}
 
-	if rqst.WebKMSAuth != "" {
-		options = append(options, wallet.WithUnlockByAuthorizationToken(rqst.LocalKMSPassphrase))
+	var webkmsOpts []webkms.Opt
+
+	if rqst.WebKMSAuth != nil {
+		if rqst.WebKMSAuth.AuthToken != "" {
+			webkmsOpts = append(webkmsOpts, webkms.WithHeaders(
+				func(req *http.Request) (*http.Header, error) {
+					req.Header.Set("authorization", fmt.Sprintf("Bearer %s", rqst.EDVUnlock.AuthToken))
+
+					return &req.Header, nil
+				},
+			))
+		} else if rqst.WebKMSAuth.Capability != "" && conf.WebKMSAuthSigner != nil {
+			webkmsOpts = append(webkmsOpts, webkms.WithHeaders(
+				func(req *http.Request) (*http.Header, error) {
+					return conf.EdvAuthSigner.SignHeader(req, []byte(rqst.WebKMSAuth.Capability))
+				},
+			))
+		}
+	}
+
+	if conf.WebKMSCacheSize > 0 {
+		webkmsOpts = append(webkmsOpts, webkms.WithCache(conf.WebKMSCacheSize))
 	}
 
-	// TODO edv sign header function for zcap support #2433
+	var edvOpts []edv.RESTProviderOption
+
 	if rqst.EDVUnlock != nil {
 		if rqst.EDVUnlock.AuthToken != "" {
-			options = append(options, wallet.WithUnlockEDVOptions(edv.WithHeaders(
+			edvOpts = append(edvOpts, edv.WithHeaders(
 				func(req *http.Request) (*http.Header, error) {
 					req.Header.Set("authorization", fmt.Sprintf("Bearer %s", rqst.EDVUnlock.AuthToken))
 
 					return &req.Header, nil
 				},
-			)))
+			))
+		} else if rqst.EDVUnlock.Capability != "" && conf.EdvAuthSigner != nil {
+			edvOpts = append(edvOpts, edv.WithHeaders(
+				func(req *http.Request) (*http.Header, error) {
+					return conf.EdvAuthSigner.SignHeader(req, []byte(rqst.EDVUnlock.Capability))
+				},
+			))
 		}
 	}
 
-	// TODO web kms sign header function for zcap support #2433
+	if conf.EDVBatchEndpointExtensionEnabled {
+		edvOpts = append(edvOpts, edv.WithBatchEndpointExtension())
+	}
+
+	if conf.EDVReturnFullDocumentsOnQuery {
+		edvOpts = append(edvOpts, edv.WithFullDocumentsReturnedFromQueries())
+	}
+
+	options = append(options, wallet.WithUnlockWebKMSOptions(webkmsOpts...), wallet.WithUnlockEDVOptions(edvOpts...))
+
 	return options
 }