feat: wallet open options for webkms & EDV

- added more unlock wallet options to use all aries webkms & EDV customization opts. - can be used to pass auth & authz based http headers for EDV & web kms - closes hyperledger-archives#2763 Signed-off-by: sudesh.shetty <sudesh.shetty@securekey.com>
sudeshrshetty · Apr 28, 2021 · 61315a4 · 61315a4
1 parent bc063ba
commit 61315a4
Show file tree

Hide file tree

Showing 8 changed files with 251 additions and 57 deletions.
diff --git a/pkg/wallet/contents.go b/pkg/wallet/contents.go
@@ -112,8 +112,8 @@ func newContentStore(p storage.Provider, pr *profile) *contentStore {
 	return &contentStore{open: storeLocked, close: noOp, provider: newWalletStorageProvider(pr, p)}
 }
 
-func (cs *contentStore) Open(auth string) error {
-	store, err := cs.provider.OpenStore(auth, storage.StoreConfiguration{TagNames: []string{
+func (cs *contentStore) Open(auth string, opts *unlockOpts) error {
+	store, err := cs.provider.OpenStore(auth, opts, storage.StoreConfiguration{TagNames: []string{
 		Collection.Name(), Credential.Name(), Connection.Name(), DIDResolutionResponse.Name(), Connection.Name(), Key.Name(),
 	}})
 	if err != nil {

diff --git a/pkg/wallet/contents_test.go b/pkg/wallet/contents_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
+	"github.com/hyperledger/aries-framework-go/component/storage/edv"
 	mockkms "github.com/hyperledger/aries-framework-go/pkg/mock/kms"
 	mockstorage "github.com/hyperledger/aries-framework-go/pkg/mock/storage"
 	"github.com/hyperledger/aries-framework-go/pkg/mock/vdr"
@@ -194,7 +195,7 @@ func TestContentStores(t *testing.T) {
 		require.Empty(t, sp.config.TagNames)
 
 		// open store
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 		require.EqualValues(t, sp.config.TagNames,
 			[]string{"collection", "credential", "connection", "didResolutionResponse", "connection", "key"})
 
@@ -205,22 +206,70 @@ func TestContentStores(t *testing.T) {
 		require.True(t, errors.Is(err, ErrWalletLocked))
 	})
 
+	t.Run("create new content store for EDV profile - success", func(t *testing.T) {
+		sp := getMockStorageProvider()
+
+		masterLock, err := getDefaultSecretLock(samplePassPhrase)
+		require.NoError(t, err)
+
+		masterLockCipherText, err := createMasterLock(masterLock)
+		require.NoError(t, err)
+		require.NotEmpty(t, masterLockCipherText)
+
+		profileInfo := &profile{
+			ID:               uuid.New().String(),
+			User:             uuid.New().String(),
+			MasterLockCipher: masterLockCipherText,
+			EDVConf: &edvConf{
+				ServerURL: sampleEDVServerURL,
+				VaultID:   sampleEDVVaultID,
+			},
+		}
+
+		tkn, err := keyManager().createKeyManager(profileInfo, sp, &unlockOpts{passphrase: samplePassPhrase})
+		require.NoError(t, err)
+		require.NotEmpty(t, tkn)
+
+		ok, err := profileInfo.setupEDVKeys(tkn, "", "")
+		require.NoError(t, err)
+		require.True(t, ok)
+
+		// create new store
+		contentStore := newContentStore(sp, profileInfo)
+		require.NotEmpty(t, contentStore)
+		require.Empty(t, sp.config.TagNames)
+
+		// open store
+		require.NoError(t, contentStore.Open(tkn, &unlockOpts{
+			edvOpts: []edv.RESTProviderOption{
+				edv.WithFullDocumentsReturnedFromQueries(),
+				edv.WithBatchEndpointExtension(),
+			},
+		}))
+
+		// close store
+		contentStore.Close()
+		store, err := contentStore.open(tkn)
+		require.Empty(t, store)
+		require.True(t, errors.Is(err, ErrWalletLocked))
+	})
+
 	t.Run("open store - failure", func(t *testing.T) {
 		sp := getMockStorageProvider()
 
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 
 		// open store error
 		sp.ErrOpenStoreHandle = errors.New(sampleContenttErr)
-		err := contentStore.Open(token)
+		err := contentStore.Open(token, &unlockOpts{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), sampleContenttErr)
 		require.Contains(t, err.Error(), "failed to open store")
 
 		// set store config error
 		sp.ErrOpenStoreHandle = nil
 		sp.failure = errors.New(sampleContenttErr)
-		err = contentStore.Open(token)
+		err = contentStore.Open(token, &unlockOpts{})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), sampleContenttErr)
 		require.Contains(t, err.Error(), "failed to set store config")
@@ -229,7 +278,7 @@ func TestContentStores(t *testing.T) {
 		sp.failure = nil
 		sp.Store.ErrClose = errors.New(sampleContenttErr)
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		contentStore.Close()
 	})
@@ -240,7 +289,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, nil))
 
 		err := contentStore.Save(token, Collection, []byte(sampleContentValid))
 		require.NoError(t, err)
@@ -260,7 +309,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, nil))
 
 		err := contentStore.Save(token, Collection, []byte(sampleContentNoID))
 		require.NoError(t, err)
@@ -272,7 +321,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		err := contentStore.Save(token, DIDResolutionResponse, []byte(didResolutionResult))
 		require.NoError(t, err)
@@ -386,7 +435,7 @@ func TestContentStores(t *testing.T) {
 		err = contentStore.Save(token, Credential, []byte(sampleContentValid))
 		require.True(t, errors.Is(err, ErrWalletLocked))
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		err = contentStore.Save(token, Credential, []byte(sampleContentValid))
 		require.Error(t, err)
@@ -415,7 +464,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		err := contentStore.Save(token, Collection, []byte(sampleContentValid))
 		require.NoError(t, err)
@@ -432,7 +481,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save
 		err := contentStore.Save(token, Collection, []byte(sampleContentValid))
@@ -455,7 +504,7 @@ func TestContentStores(t *testing.T) {
 		require.Empty(t, content)
 		require.True(t, errors.Is(err, ErrWalletLocked))
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// get
 		content, err = contentStore.Get(token, "did:example:123456789abcdefghi", Collection)
@@ -470,7 +519,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save
 		err := contentStore.Save(token, Collection, []byte(sampleContentValid))
@@ -499,7 +548,7 @@ func TestContentStores(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save
 		err := contentStore.Save(token, Collection, []byte(sampleContentValid))
@@ -558,7 +607,7 @@ func TestContentStore_GetAll(t *testing.T) {
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save test data
 		const count = 5
@@ -598,7 +647,7 @@ func TestContentStore_GetAll(t *testing.T) {
 		require.True(t, errors.Is(err, ErrWalletLocked))
 		require.Empty(t, allVcs)
 
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 		require.NoError(t, contentStore.Save(token, Credential, []byte(fmt.Sprintf(vcContent, uuid.New().String()))))
 
 		// iterator value error
@@ -613,7 +662,7 @@ func TestContentStore_GetAll(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAll(token, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrKey))
@@ -624,7 +673,7 @@ func TestContentStore_GetAll(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		require.NoError(t, contentStore.Save(token, Credential, []byte(fmt.Sprintf(vcContent, uuid.New().String()))))
 
@@ -637,7 +686,7 @@ func TestContentStore_GetAll(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAll(token, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrQuery))
@@ -655,7 +704,7 @@ func TestContentDIDResolver(t *testing.T) {
 
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save custom DID
 		err := contentStore.Save(token, DIDResolutionResponse, []byte(sampleDocResolutionResponse))
@@ -691,7 +740,7 @@ func TestContentDIDResolver(t *testing.T) {
 		require.Empty(t, didDoc)
 
 		// open store
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// DID not found
 		didDoc, err = contentVDR.Resolve("did:key:invalid")
@@ -778,7 +827,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		// save a collection
 		require.NoError(t, contentStore.Save(token, Collection, []byte(orgCollection)))
@@ -844,7 +893,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore := newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		err := contentStore.Save(token,
 			DIDResolutionResponse, []byte(didResolutionResult), AddByCollection(collectionID+"invalid"))
@@ -866,7 +915,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err := contentStore.GetAllByCollection(token, collectionID, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrGet))
@@ -877,7 +926,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAllByCollection(token, collectionID, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrValue))
@@ -888,7 +937,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAllByCollection(token, collectionID, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrKey))
@@ -899,7 +948,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAllByCollection(token, collectionID, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrNext))
@@ -910,7 +959,7 @@ func TestContentStore_Collections(t *testing.T) {
 
 		contentStore = newContentStore(sp, &profile{ID: uuid.New().String()})
 		require.NotEmpty(t, contentStore)
-		require.NoError(t, contentStore.Open(token))
+		require.NoError(t, contentStore.Open(token, &unlockOpts{}))
 
 		allVcs, err = contentStore.GetAllByCollection(token, collectionID, Credential)
 		require.True(t, errors.Is(err, sp.MockStoreProvider.Store.ErrQuery))

diff --git a/pkg/wallet/kmsclient.go b/pkg/wallet/kmsclient.go
@@ -121,7 +121,7 @@ func (k *walletKeyManager) createKeyManager(profileInfo *profile,
 		}
 	} else {
 		// remote kms
-		keyManager = createRemoteKeyManager(opts.authToken, profileInfo.KeyServerURL)
+		keyManager = createRemoteKeyManager(opts, profileInfo.KeyServerURL)
 	}
 
 	// generate token
@@ -232,12 +232,18 @@ func getDefaultSecretLock(passphrase string) (secretlock.Service, error) {
 }
 
 // createLocalKeyManager creates and returns remote KMS instance.
-func createRemoteKeyManager(auth, keyServerURL string) *webkms.RemoteKMS {
-	return webkms.New(keyServerURL, http.DefaultClient, webkms.WithHeaders(func(req *http.Request) (*http.Header, error) {
-		req.Header.Set("authorization", fmt.Sprintf("Bearer %s", auth))
+func createRemoteKeyManager(opts *unlockOpts, keyServerURL string) *webkms.RemoteKMS {
+	kmsOpts := opts.webkmsOpts
 
-		return &req.Header, nil
-	}))
+	if opts.authToken != "" {
+		kmsOpts = append(kmsOpts, webkms.WithHeaders(func(req *http.Request) (*http.Header, error) {
+			req.Header.Set("authorization", fmt.Sprintf("Bearer %s", opts.authToken))
+
+			return &req.Header, nil
+		}))
+	}
+
+	return webkms.New(keyServerURL, http.DefaultClient, kmsOpts...)
 }
 
 type kmsSigner struct {

diff --git a/pkg/wallet/options.go b/pkg/wallet/options.go
@@ -10,7 +10,9 @@ import (
 	"encoding/json"
 	"time"
 
+	"github.com/hyperledger/aries-framework-go/component/storage/edv"
 	"github.com/hyperledger/aries-framework-go/pkg/doc/verifiable"
+	"github.com/hyperledger/aries-framework-go/pkg/kms/webkms"
 	"github.com/hyperledger/aries-framework-go/pkg/secretlock"
 )
 
@@ -73,10 +75,14 @@ type unlockOpts struct {
 	secretLockSvc secretlock.Service
 
 	// remote(web) kms options
-	authToken string
+	authToken  string
+	webkmsOpts []webkms.Opt
 
 	// expiry
 	tokenExpiry time.Duration
+
+	// edv opts
+	edvOpts []edv.RESTProviderOption
 }
 
 // UnlockOptions is option for unlocking verifiable credential wallet key manager.
@@ -117,6 +123,22 @@ func WithUnlockExpiry(tokenExpiry time.Duration) UnlockOptions {
 	}
 }
 
+// WithUnlockWebKMSOptions can be used to provide custom aries web kms options for unlocking wallet.
+// This option can be used to set web kms client http header function instead of using WithUnlockByAuthorizationToken.
+func WithUnlockWebKMSOptions(webkmsOpts ...webkms.Opt) UnlockOptions {
+	return func(opts *unlockOpts) {
+		opts.webkmsOpts = webkmsOpts
+	}
+}
+
+// WithUnlockEDVOptions can be used to provide custom aries edv options for unlocking wallet.
+// Provided options will be considered only if given wallet profile is using EDV configurations.
+func WithUnlockEDVOptions(edvOpts ...edv.RESTProviderOption) UnlockOptions {
+	return func(opts *unlockOpts) {
+		opts.edvOpts = edvOpts
+	}
+}
+
 // proveOpts contains options for proving credentials.
 type proveOpts struct {
 	// IDs of credentials already saved in wallet.