Merge pull request #76 from FIWARE/fix/invalid-credential-types

fix(vc): Check if the VC has valid types before generating the token

Author: wistefan

verifier/trustedissuer.go

@@ -115,6 +115,7 @@ func verifyWithCredentialsConfig(verifiableCredential *verifiable.Credential, cr
 	for _, credentialType := range verifiableCredential.Contents().Types {
 		config, exists := credentialsConfigMap[credentialType]
 		if !exists {
+			logging.Log().Warnf("The credential type %s is not allowed by the config %s.", credentialType, logging.PrettyPrintObject(credentialsConfigMap))
 			subjectAllowed = false
 			break
 		}
@@ -135,9 +136,10 @@ func verifyForType(subjectToVerfiy verifiable.Subject, credentialConfig tir.Cred
 		if claim.Path != "" {
 			validClaim := verifyWithJsonPath(subjectToVerfiy, claim)
 			if validClaim {
-				logging.Log().Debugf("Claim with path %s is valid.", claim.Path)
+				logging.Log().Debugf("Claim with path %s is valid. Credential Subject %s", claim.Path, logging.PrettyPrintObject(subjectToVerfiy))
 				continue
 			} else {
+				logging.Log().Warnf("Claim with path %s is not valid.", claim.Path)
 				return false
 			}
 		} else {

verifier/verifier.go

@@ -68,6 +68,7 @@ var ErrorRedirectUriMismatch = errors.New("redirect_uri_does_not_match")
 var ErrorVerficationContextSetup = errors.New("no_valid_verification_context")
 var ErrorTokenUnparsable = errors.New("unable_to_parse_token")
 var ErrorRequiredCredentialNotProvided = errors.New("required_credential_not_provided")
+var ErrorNoValidCredentialTypeProvided = errors.New("no_valid_credential_type_provided")
 var ErrorUnsupportedRequestMode = errors.New("unsupported_request_mode")
 var ErrorNoExpiration = errors.New("no_jwt_expiration_set")
 var ErrorNoKeyId = errors.New("no_key_id_available")
@@ -613,6 +614,14 @@ func (v *CredentialVerifier) GenerateToken(clientId, subject, audience string, s
 			flatClaims, _ = v.credentialsConfig.GetFlatClaims(clientId, scope)
 		}
 	}
+	if len(credentialsToBeIncluded) == 0 {
+		vcTypes := []string{}
+		for k := range credentialsByType {
+			vcTypes = append(vcTypes, k)
+		}
+		logging.Log().Warnf("No valid credential type was provided. Provided credential type: %v", vcTypes)
+		return 0, "", ErrorNoValidCredentialTypeProvided
+	}
 	token, err := v.generateJWT(credentialsToBeIncluded, holder, audience, flatClaims)
 	if err != nil {
 		logging.Log().Warnf("Was not able to create the token. Err: %v", err)
@@ -1116,7 +1125,7 @@ func (v *CredentialVerifier) generateJWT(credentials []map[string]interface{}, h
 		jwtBuilder.Claim("verifiablePresentation", credentials)
 	} else {
 		logging.Log().Debugf("Credentials %s", logging.PrettyPrintObject(credentials))
-		jwtBuilder.Claim("verifiableCredential", credentials[0])
+		jwtBuilder.Claim("verifiableCredential", credentials)
 	}
 
 	token, err := jwtBuilder.Build()

verifier/verifier_test.go

@@ -1170,4 +1170,103 @@ func TestExtractCredentialTypes(t *testing.T) {
 			}
 		})
 	}
+
+}
+func TestGenerateToken(t *testing.T) {
+
+	logging.Configure(true, "DEBUG", true, []string{})
+
+	type test struct {
+		testName           string
+		clientId           string
+		subject            string
+		audience           string
+		scopes             []string
+		presentation       *verifiable.Presentation
+		credentialScopes   map[string]map[string]configModel.ScopeEntry
+		configError        error
+		mockTokenSignError error
+		expectedError      error
+	}
+
+	testKey := getECDSAKey()
+	emptyPresentation, _ := verifiable.NewPresentation()
+	vc1, _ := verifiable.CreateCredential(verifiable.CredentialContents{
+		ID:    "vc1",
+		Types: []string{"type1", "typeA"},
+	}, verifiable.CustomFields{})
+	invalidPresentation, _ := verifiable.NewPresentation(verifiable.WithCredentials(vc1))
+
+	tests := []test{
+		{
+			testName:           "When presentation is empty, ErrorNoValidCredentialTypeProvided should be returned",
+			clientId:           "test-client",
+			subject:            "subject-id",
+			audience:           "audience-id",
+			scopes:             []string{"test-scope"},
+			presentation:       emptyPresentation,
+			credentialScopes:   map[string]map[string]configModel.ScopeEntry{},
+			configError:        nil,
+			mockTokenSignError: nil,
+			expectedError:      ErrorNoValidCredentialTypeProvided,
+		},
+		{
+			testName:           "When presentation has not valid types, ErrorNoValidCredentialTypeProvided should be returned",
+			clientId:           "test-client",
+			subject:            "subject-id",
+			audience:           "audience-id",
+			scopes:             []string{"test-scope"},
+			presentation:       invalidPresentation,
+			credentialScopes:   map[string]map[string]configModel.ScopeEntry{},
+			configError:        nil,
+			mockTokenSignError: nil,
+			expectedError:      ErrorNoValidCredentialTypeProvided,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.testName, func(t *testing.T) {
+			mockConfig := mockCredentialConfig{mockScopes: tc.credentialScopes, mockError: tc.configError}
+
+			verifier := CredentialVerifier{
+				credentialsConfig:  &mockConfig,
+				validationServices: []ValidationService{},
+				signingKey:         testKey,
+				clock:              mockClock{},
+				tokenSigner:        mockTokenSigner{tc.mockTokenSignError},
+				signingAlgorithm:   "ES256",
+				host:               "https://verifier.example.com",
+				jwtExpiration:      time.Hour,
+			}
+
+			expiration, tokenString, err := verifier.GenerateToken(tc.clientId, tc.subject, tc.audience, tc.scopes, tc.presentation)
+
+			if tc.expectedError != nil {
+				if err == nil {
+					t.Errorf("%s - Expected error %v but got none.", tc.testName, tc.expectedError)
+					return
+				}
+				if err.Error() != tc.expectedError.Error() {
+					t.Errorf("%s - Expected error %v but was %v.", tc.testName, tc.expectedError, err)
+					return
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("%s - Expected no error but got %v.", tc.testName, err)
+				return
+			}
+
+			if tokenString == "" {
+				t.Errorf("%s - Expected token string but got empty.", tc.testName)
+				return
+			}
+
+			if expiration == 0 {
+				t.Errorf("%s - Expected expiration but got 0.", tc.testName)
+				return
+			}
+		})
+	}
 }