This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package v1 contains API definitions that can be used outside of this codebase.
// The v1 API is considered stable.
// It will only add new optional fields and no fields will be removed.
package v1
import (
"fmt"
"github.com/dgrijalva/jwt-go"
)
// Names of the JWT claims and header used by the verification certificate.
//
// Claim and header values come from the token itself, so they are only
// trustworthy once the token's signature has been verified. The "kid" header
// in particular is read before verification and should only be used to select
// among keys the verifier already trusts.
const (
	// ExposureKeyHMACClaim names the claim carrying the HMAC of the TEKs.
	ExposureKeyHMACClaim = "tekmac"

	// TransmissionRiskOverrideClaim names the claim carrying transmission
	// risk overrides.
	TransmissionRiskOverrideClaim = "trisk"

	// ReportTypeClaim names the claim carrying the report type
	// (confirmed|likely|negative).
	ReportTypeClaim = "reportType"

	// SymptomOnsetIntervalClaim names the claim carrying the interval that
	// represents the symptom onset.
	SymptomOnsetIntervalClaim = "symptomOnsetInterval"

	// TestDateIntervalClaim names the claim carrying the interval that
	// represents the test date.
	TestDateIntervalClaim = "testDateInterval"

	// KeyIDHeader is the standard JWT key ID header name.
	KeyIDHeader = "kid"
)

// Report type strings. They correspond to what is defined in
// internal/pb/export/export.proto.
const (
	// ReportTypeConfirmed indicates to set ReportType.CONFIRMED_TEST.
	ReportTypeConfirmed = "confirmed"

	// ReportTypeClinical indicates to set
	// ReportType.CONFIRMED_CLINICAL_DIAGNOSIS. Note that the wire value is
	// "likely", not "clinical".
	ReportTypeClinical = "likely"

	// ReportTypeNegative is allowed by the verification flow. These keys are
	// not saved in the system.
	ReportTypeNegative = "negative"
)

// Transmission risk values (untyped integer constants).
// NOTE(review): the names suggest one value per report type; the mapping is
// not established in this file — confirm against the code that uses them.
const (
	TransmissionRiskUnknown           = 0
	TransmissionRiskConfirmedStandard = 2
	TransmissionRiskClinical          = 4
	TransmissionRiskNegative          = 6
)
// ValidReportTypes is the set of report type strings accepted in the
// reportType claim. CustomClaimsValid rejects any value that does not map to
// true here.
//
// NOTE(review): this is an exported, mutable package-level map, so any
// importing package can add or remove entries and thereby change what
// CustomClaimsValid accepts. Treat it as read-only.
var ValidReportTypes = map[string]bool{
	ReportTypeConfirmed: true,
	ReportTypeClinical:  true,
	ReportTypeNegative:  true,
}
// VerificationClaims represents the accepted Claims portion of the verification certificate JWT.
// This data is used to set data on the uploaded TEKs and will be reflected on export. See the export file format:
// https://github.com/google/exposure-notifications-server/blob/main/internal/pb/export/export.proto#L73
//
// This type only describes the claim layout; it performs no signature
// verification. The fields are meaningful only after the JWT's signature has
// been verified and both .Valid() (standard claims) and CustomClaimsValid
// (report type) have returned nil.
//
// NOTE(review): TransmissionRiskOverrideClaim ("trisk") and
// TestDateIntervalClaim ("testDateInterval") are declared in this file but have
// no corresponding field here; presumably such claims are dropped when a token
// is decoded into this struct — confirm.
type VerificationClaims struct {
	// StandardClaims supplies the registered JWT claims of the jwt-go library.
	// NOTE(review): github.com/dgrijalva/jwt-go is no longer maintained;
	// github.com/golang-jwt/jwt is its maintained successor. Consumers of this
	// package inherit the dependency through this embedded field.
	jwt.StandardClaims
	// ReportType is one of 'confirmed', 'likely', or 'negative' as defined by the constants in this file.
	// Required. Claims must contain a valid report type or the publish request won't have any effect.
	ReportType string `json:"reportType"`
	// SymptomOnsetInterval uses the same 10 minute interval timing as TEKs use. If an interval is provided that is not the
	// start of a UTC day, then it will be rounded down to the beginning of that UTC day. And from there the days +/- symptom
	// onset will be calculated.
	// Optional. If present, TEKs will be adjusted accordingly on publish.
	SymptomOnsetInterval uint32 `json:"symptomOnsetInterval,omitempty"`
	// SignedMAC is the HMAC of the TEKs that may be uploaded with the certificate containing these claims.
	// Required, indicates what can be uploaded with this certificate.
	// NOTE(review): CustomClaimsValid does not check this field; the comparison
	// against the HMAC of the uploaded keys must happen in the caller — confirm
	// it is done, and done with a constant-time comparison.
	SignedMAC string `json:"tekmac"`
}
// NewVerificationClaims returns a pointer to a zero-valued VerificationClaims,
// suitable as a decode target for the claims of a verification certificate.
// The zero value has an empty ReportType, which CustomClaimsValid rejects, so
// a freshly created value is not valid until it has been populated.
func NewVerificationClaims() *VerificationClaims {
	return new(VerificationClaims)
}
// CustomClaimsValid returns nil if the custom claims are valid, and otherwise
// an error that names the rejected report type.
//
// The only check made is that ReportType is listed in ValidReportTypes.
// SignedMAC and SymptomOnsetInterval are not examined, and neither are the
// standard claims: .Valid() should still be called to validate those.
func (v *VerificationClaims) CustomClaimsValid() error {
	if accepted := ValidReportTypes[v.ReportType]; accepted {
		return nil
	}
	// %q quotes the value, so an empty or unusual report type stays visible
	// and unambiguous in logs.
	return fmt.Errorf("invalid report type: %q", v.ReportType)
}