Merge branch main into oidc

Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>

.github/workflows/release-clients.yml

@@ -4,22 +4,26 @@ on:
   workflow_dispatch:
     inputs:
       releaseTag:
-        description: "Tag to release clients (e.g. identus-cloud-agent-v1.33.0)"
+        description: "Tag to release clients (e.g. cloud-agent-v1.33.0)"
         required: true
         type: string
   push:
     tags:
-      - "identus-cloud-agent-v*"
+      - "cloud-agent-v*"
+
+permissions:
+  contents: read
+  packages: write
 
 jobs:
   publish-clients:
-    name: 'Build and publish Identus-cloud-Agent clients'
+    name: "Build and publish Identus Cloud Agent clients"
     runs-on: ubuntu-latest
     env:
       VERSION_TAG: ${{inputs.releaseTag || github.ref_name}}
       GITHUB_ACTOR: "hyperledger-bot"
       GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-      NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
       - name: Checkout
@@ -35,7 +39,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.10'
+          python-version: "3.10"
 
       - name: Setup Gradle
         uses: gradle/gradle-build-action@v2.8.0

.github/workflows/scala-steward.yml

@@ -17,9 +17,12 @@ jobs:
       - uses: crazy-max/ghaction-import-gpg@v3
         id: import_gpg
         with:
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-private-key: ${{ secrets.HYP_BOT_GPG_PRIVATE }}
+          passphrase: ${{ secrets.HYP_BOT_GPG_PASSWORD }}
           git-user-signingkey: true
           git-commit-gpgsign: true
+          git_config_global: true
+          git_tag_gpgsign: true
 
       - name: Launch Scala Steward
         uses: scala-steward-org/scala-steward-action@v2

.scala-steward.conf

@@ -1,12 +1,23 @@
-buildRoots = [ "." ]
+buildRoots = ["."]
 
 pullRequests.grouping = [
-  { name = "all", title = "build: scala-steward dependency updates", "filter" = [{"group" = "*"}] }
+  {name = "tapir", title = "build: tapir dependency updates", "filter" = [{"group" = "com.softwaremill.sttp.tapir"}]},
+  {name = "zio", title = "build: zio dependency updates", "filter" = [{"group" = "dev.zio"}]},
+  {name = "dal", title = "build: DAL dependency update", "filter" = [{"group" = "io.getquill"}, {"group" = "flywaydb"}, {"group" = "org.postgresql"}, {"group" = "org.tpolecat"}]},
+  {name = "protobuf", title = "build: protobuf dependency update", "filter" = [{"group" = "com.thesamet*"}]},
+  {name = "sbt", title = "build: sbt and plugins dependency update", "filter" = [{"group" = "com.eed3si9n"}, {"group" = "com.github.sbt"}, {"group" = "org.scala-sbt"}, {"group" = "org.scalameta"}, {"group" = "org.scoverage"}]},
+  {name = "internal", title = "build: internal dependency updates", "filter" = [{"group" = "io.iohk.atala*"}, {"group" = "org.hyperledger.identus*"}]},
+  {name = "all", title = "build: scala-steward dependency updates", "filter" = [{"group" = "*"}]}
 ]
 
 updates.ignore = [
-#   { groupId = "com.softwaremill.sttp.tapir", artifactId = "tapir-json-zio" }, #TODO
-  { groupId = "com.github.dasniko", artifactId = "testcontainers-keycloak" }, #TODO
-  { groupId = "org.keycloak", artifactId = "keycloak-authz-client" }, #TODO
-  { groupId = "dev.zio", artifactId = "zio-interop-cats" } #TODO
+  #   { groupId = "com.softwaremill.sttp.tapir", artifactId = "tapir-json-zio" }, #TODO
+  {groupId = "com.github.dasniko", artifactId = "testcontainers-keycloak"}, #TODO
+  {groupId = "org.keycloak", artifactId = "keycloak-authz-client"}, #TODO
+  {groupId = "dev.zio", artifactId = "zio-interop-cats"} #TODO
 ]
+
+# If set, Scala Steward will only create or update `n` PRs each time it runs (see `pullRequests.frequency` above).
+# Useful if running frequently and/or CI build are costly
+# Default: null
+updates.limit = 5

README.md

@@ -10,6 +10,11 @@
   <a href="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/unit-tests.yml"> <img src="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/unit-tests.yml/badge.svg" alt="Unit tests" /> </a>
   <a href="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/integration-tests.yml"> <img src="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/integration-tests.yml/badge.svg" alt="End-to-end tests" /> </a>
   <a href="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/performance-tests.yml"> <img src="https://github.com/hyperledger/identus-cloud-agent/actions/workflows/performance-tests.yml/badge.svg" alt="Performance tests" /> </a>
+  <a href="https://scala-steward.org">
+      <img src="https://img.shields.io/badge/Scala_Steward-helping-blue.svg?style=flat&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAQCAMAAAARSr4IAAAAVFBMVEUAAACHjojlOy5NWlrKzcYRKjGFjIbp293YycuLa3pYY2LSqql4f3pCUFTgSjNodYRmcXUsPD/NTTbjRS+2jomhgnzNc223cGvZS0HaSD0XLjbaSjElhIr+AAAAAXRSTlMAQObYZgAAAHlJREFUCNdNyosOwyAIhWHAQS1Vt7a77/3fcxxdmv0xwmckutAR1nkm4ggbyEcg/wWmlGLDAA3oL50xi6fk5ffZ3E2E3QfZDCcCN2YtbEWZt+Drc6u6rlqv7Uk0LdKqqr5rk2UCRXOk0vmQKGfc94nOJyQjouF9H/wCc9gECEYfONoAAAAASUVORK5CYII=" alt="Scala Steward badge">
+  </a>
+
+
 </p>
 <hr>
 
@@ -87,7 +92,7 @@ sbt clean compile test docker:publishLocal
 
 ### Installation and usage
 
-Cloud Agent is distributed as a Docker image to be run in a containerized environment. All versions can be found [here](https://github.com/orgs/input-output-hk/packages/container/package/cloud-agent).
+Cloud Agent is distributed as a Docker image to be run in a containerized environment. Versions after v1.31.0 can be found [here](https://github.com/hyperledger/identus-cloud-agent/pkgs/container/identus-cloud-agent) and before v1.31.0, [here](https://github.com/orgs/input-output-hk/packages/container/package/prism-agent).
 
 The following sections describe how to run the Cloud Agent in different configurations.
 

build.sbt

@@ -85,8 +85,6 @@ lazy val V = new {
   val zioPreludeVersion = "1.0.0-RC24"
 
   val apollo = "1.2.14"
-  val bouncyCastle = "1.78.1"
-
   val jsonSchemaValidator = "1.3.2" // scala-steward:off //TODO 1.3.2 need to fix:
   // [error] 	org.hyperledger.identus.pollux.core.model.schema.AnoncredSchemaTypeSpec
   // [error] 	org.hyperledger.identus.pollux.core.model.schema.CredentialSchemaSpec

cloud-agent/client/generator/publish-clients.sh

@@ -2,6 +2,7 @@
 set -e
 
 AGENT_VERSION=${VERSION_TAG:13}
+echo version=${AGENT_VERSION}
 
 # install dependencies
 yarn

cloud-agent/client/generator/yarn.lock

@@ -457,9 +457,9 @@ figures@^3.0.0:
     escape-string-regexp "^1.0.5"
 
 follow-redirects@^1.14.9:
-  version "1.15.2"
-  resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz"
-  integrity sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==
+  version "1.15.6"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
+  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
 
 for-each@^0.3.3:
   version "0.3.3"

cloud-agent/client/typescript/package.json

@@ -13,7 +13,7 @@
     "openapi-client",
     "openapi-generator"
   ],
-  "license": "Unlicensed",
+  "license": "Apache-2.0",
   "main": "./dist/index.js",
   "type": "commonjs",
   "exports": {

cloud-agent/service/server/src/main/scala/org/hyperledger/identus/agent/server/config/AppConfig.scala

@@ -28,7 +28,7 @@ object AppConfig {
     val urlRegex = """^(http|https)://[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(:[0-9]{1,5})?(/.*)?$""".r
     urlRegex.findFirstMatchIn(url) match
       case Some(_) =>
-        Try(java.net.URL(url)).toEither.left.map(ex /*java.net.MalformedURLException*/ =>
+        Try(java.net.URI(url).toURL()).toEither.left.map(ex /*java.net.MalformedURLException*/ =>
           Config.Error.InvalidData(zio.Chunk.empty, ex.getMessage())
         )
       case _ => Left(Config.Error.InvalidData(zio.Chunk.empty, s"Invalid URL: $url"))

cloud-agent/service/server/src/main/scala/org/hyperledger/identus/event/controller/EventController.scala

@@ -15,7 +15,7 @@ import org.hyperledger.identus.iam.wallet.http.controller.WalletManagementContro
 import org.hyperledger.identus.shared.models.WalletAccessContext
 import zio.*
 
-import java.net.URL
+import java.net.URI
 import scala.language.implicitConversions
 import java.util.UUID
 
@@ -44,7 +44,9 @@ class EventControllerImpl(service: WalletManagementService) extends EventControl
       request: CreateWebhookNotification
   )(implicit rc: RequestContext): ZIO[WalletAccessContext, ErrorResponse, WebhookNotification] = {
     for {
-      url <- ZIO.attempt(new URL(request.url)).mapError(e => ErrorResponse.badRequest(detail = Some(e.toString())))
+      url <- ZIO
+        .attempt(new URI(request.url).toURL())
+        .mapError(e => ErrorResponse.badRequest(detail = Some(e.toString())))
       notificationConfig <- EventNotificationConfig.applyWallet(url, request.customHeaders.getOrElse(Map.empty))
       _ <- service
         .createWalletNotification(notificationConfig)

cloud-agent/service/server/src/main/scala/org/hyperledger/identus/presentproof/controller/http/PresentationStatus.scala

@@ -44,7 +44,6 @@ object PresentationStatus {
         p.attachments.head.data match {
           case Base64(data) =>
             val base64Decoded = new String(java.util.Base64.getDecoder.decode(data))
-            println(s"Base64decode:\n\n ${base64Decoded} \n\n")
             Seq(base64Decoded)
           case any => ???
         }

cloud-agent/service/server/src/test/scala/org/hyperledger/identus/agent/server/AgentInitializationSpec.scala

@@ -23,6 +23,7 @@ import zio.test.*
 import zio.test.Assertion.*
 import zio.test.ZIOSpecDefault
 
+import java.net.URI
 import java.net.URL
 
 object AgentInitializationSpec extends ZIOSpecDefault, PostgresTestContainerSupport, ApolloSpecHelper {
@@ -113,7 +114,7 @@ object AgentInitializationSpec extends ZIOSpecDefault, PostgresTestContainerSupp
     test("create wallet with provided webhook") {
       val url = "http://example.com"
       for {
-        _ <- AgentInitialization.run.overrideConfig(webhookUrl = Some(URL(url)))
+        _ <- AgentInitialization.run.overrideConfig(webhookUrl = Some(URI(url).toURL()))
         webhooks <- ZIO
           .serviceWithZIO[WalletNonSecretStorage](
             _.walletNotification
@@ -127,7 +128,7 @@ object AgentInitializationSpec extends ZIOSpecDefault, PostgresTestContainerSupp
       val url = "http://example.com"
       val apiKey = "secret"
       for {
-        _ <- AgentInitialization.run.overrideConfig(webhookUrl = Some(URL(url)), webhookApiKey = Some(apiKey))
+        _ <- AgentInitialization.run.overrideConfig(webhookUrl = Some(URI(url).toURL()), webhookApiKey = Some(apiKey))
         webhooks <- ZIO
           .serviceWithZIO[WalletNonSecretStorage](
             _.walletNotification

cloud-agent/service/server/src/test/scala/org/hyperledger/identus/pollux/credentialdefinition/CredentialDefinitionLookupAndPaginationSpec.scala

@@ -38,10 +38,8 @@ object CredentialDefinitionLookupAndPaginationSpec
             .get(uri)
             .response(asJsonAlways[CredentialDefinitionResponsePage])
             .send(backend)
-        } yield {
-          println(response)
-          response
-        }
+        } yield response
+      _ <- ZIO.log(response.toString)
       firstPage <- ZIO.fromEither(response.body)
       otherPagesStream = zio.stream.ZStream
         .unfoldZIO[Any, Throwable, CredentialDefinitionResponsePage, CredentialDefinitionResponsePage](firstPage)(

cloud-agent/service/wallet-api/src/main/scala/org/hyperledger/identus/agent/walletapi/sql/JdbcDIDNonSecretStorage.scala

@@ -242,32 +242,6 @@ class JdbcDIDNonSecretStorage(xa: Transactor[ContextAwareTask], xb: Transactor[T
       }
   }
 
-  override def listHdKeyPath(
-      did: PrismDID
-  ): RIO[WalletAccessContext, Seq[(String, ArraySeq[Byte], ManagedDIDHdKeyPath)]] = {
-    val cxnIO =
-      sql"""
-        | SELECT
-        |   key_id,
-        |   operation_hash,
-        |   key_usage,
-        |   key_index
-        | FROM public.prism_did_key
-        | WHERE did = $did AND key_mode = ${KeyManagementMode.HD}
-        """.stripMargin
-        .query[(String, ArraySeq[Byte], VerificationRelationship | InternalKeyPurpose, Int)]
-        .to[List]
-
-    for {
-      state <- getManagedDIDState(did)
-      paths <- cxnIO.transactWallet(xa)
-    } yield state.map(_.didIndex).fold(Nil) { didIndex =>
-      paths.map { (keyId, operationHash, keyUsage, keyIndex) =>
-        (keyId, operationHash, ManagedDIDHdKeyPath(didIndex, keyUsage, keyIndex))
-      }
-    }
-  }
-
   override def insertKeyMeta(
       did: PrismDID,
       keyId: String,

cloud-agent/service/wallet-api/src/main/scala/org/hyperledger/identus/agent/walletapi/sql/package.scala

@@ -22,6 +22,7 @@ import zio.json.*
 import zio.json.ast.Json
 import zio.json.ast.Json.*
 
+import java.net.URI
 import java.net.URL
 import java.time.Instant
 import java.util.UUID
@@ -123,7 +124,7 @@ package object sql {
   given arraySeqByteGet: Get[ArraySeq[Byte]] = Get[Array[Byte]].map(ArraySeq.from)
   given arraySeqBytePut: Put[ArraySeq[Byte]] = Put[Array[Byte]].contramap(_.toArray)
 
-  given urlGet: Get[URL] = Get[String].map(URL(_))
+  given urlGet: Get[URL] = Get[String].map(URI(_).toURL())
   given urlPut: Put[URL] = Put[String].contramap(_.toString())
 
   given octetKeyPairGet: Get[OctetKeyPair] = Get[String].map(OctetKeyPair.parse)

cloud-agent/service/wallet-api/src/main/scala/org/hyperledger/identus/agent/walletapi/storage/DIDNonSecretStorage.scala

@@ -6,8 +6,6 @@ import org.hyperledger.identus.mercury.model.DidId
 import org.hyperledger.identus.shared.models.{WalletAccessContext, WalletId}
 import zio.*
 
-import scala.collection.immutable.ArraySeq
-
 trait DIDNonSecretStorage {
 
   def getManagedDIDState(did: PrismDID): RIO[WalletAccessContext, Option[ManagedDIDState]]
@@ -25,6 +23,7 @@ trait DIDNonSecretStorage {
 
   def getHdKeyCounter(did: PrismDID): RIO[WalletAccessContext, Option[HdKeyIndexCounter]]
 
+  /** Return a tuple of key metadata and the operation hash */
   def getKeyMeta(did: PrismDID, keyId: String): RIO[WalletAccessContext, Option[(ManagedDIDKeyMeta, Array[Byte])]]
 
   def insertKeyMeta(
@@ -34,8 +33,6 @@ trait DIDNonSecretStorage {
       operationHash: Array[Byte]
   ): RIO[WalletAccessContext, Unit]
 
-  def listHdKeyPath(did: PrismDID): RIO[WalletAccessContext, Seq[(String, ArraySeq[Byte], ManagedDIDHdKeyPath)]]
-
   /** Return a list of Managed DID as well as a count of all filtered items */
   def listManagedDID(
       offset: Option[Int],

cloud-agent/service/wallet-api/src/main/scala/org/hyperledger/identus/agent/walletapi/storage/MockDIDNonSecretStorage.scala

@@ -66,11 +66,6 @@ case class MockDIDNonSecretStorage(proxy: Proxy) extends DIDNonSecretStorage {
   ): RIO[WalletAccessContext, Unit] =
     proxy(MockDIDNonSecretStorage.InsertHdKeyMeta, (did, keyId, meta, operationHash))
 
-  override def listHdKeyPath(
-      did: PrismDID
-  ): RIO[WalletAccessContext, Seq[(String, ArraySeq[Byte], ManagedDIDHdKeyPath)]] =
-    proxy(MockDIDNonSecretStorage.ListHdKeyPath, did)
-
   override def listManagedDID(
       offset: Option[Int],
       limit: Option[Int]

cloud-agent/service/wallet-api/src/main/scala/org/hyperledger/identus/agent/walletapi/util/UpdateManagedDIDActionValidator.scala

@@ -2,10 +2,16 @@ package org.hyperledger.identus.agent.walletapi.util
 
 import org.hyperledger.identus.agent.walletapi.model.UpdateManagedDIDAction
 import org.hyperledger.identus.agent.walletapi.service.ManagedDIDService
+import org.hyperledger.identus.castor.core.model.did.EllipticCurve
+import org.hyperledger.identus.castor.core.model.did.VerificationRelationship
 
 object UpdateManagedDIDActionValidator {
 
-  def validate(actions: Seq[UpdateManagedDIDAction]): Either[String, Unit] = validateReservedKeyId(actions)
+  def validate(actions: Seq[UpdateManagedDIDAction]): Either[String, Unit] =
+    for {
+      _ <- validateReservedKeyId(actions)
+      _ <- validateCurveUsage(actions)
+    } yield ()
 
   private def validateReservedKeyId(actions: Seq[UpdateManagedDIDAction]): Either[String, Unit] = {
     val keyIds = actions.flatMap {
@@ -22,4 +28,27 @@ object UpdateManagedDIDActionValidator {
     else Right(())
   }
 
+  private def validateCurveUsage(actions: Seq[UpdateManagedDIDAction]): Either[String, Unit] = {
+    val ed25519AllowedUsage = Set(VerificationRelationship.Authentication, VerificationRelationship.AssertionMethod)
+    val x25519AllowedUsage = Set(VerificationRelationship.KeyAgreement)
+    val publicKeys = actions.collect { case UpdateManagedDIDAction.AddKey(template) => template }
+    val disallowedKeys = publicKeys
+      .filter { k =>
+        k.curve match {
+          case EllipticCurve.ED25519 => !ed25519AllowedUsage.contains(k.purpose)
+          case EllipticCurve.X25519  => !x25519AllowedUsage.contains(k.purpose)
+          case _                     => false
+        }
+      }
+      .map(_.id)
+
+    if (disallowedKeys.isEmpty) Right(())
+    else
+      Left(
+        s"Invalid key purpose for key ${disallowedKeys.mkString("[", ", ", "]")}. " +
+          s"Ed25519 must be used in ${ed25519AllowedUsage.mkString("[", ", ", "]")}. " +
+          s"X25519 must be used in ${x25519AllowedUsage.mkString("[", ", ", "]")}"
+      )
+  }
+
 }