refactor: update get x509 certs logic

.env.demo

@@ -60,6 +60,14 @@ DCS_START_FROM_CURRENT_MONTH=true
 
 NODE_ENV=DEV
 
+# Authentication type for trust-service calls. Supported: NoAuth | ClientAuth (defaults to NoAuth if not set)
+TRUST_SERVICE_AUTH_TYPE=
+# Full token endpoint URL for ClientAuth (e.g. http://host:5000/v1/orgs/{clientId}/token)
+TRUST_SERVICE_TOKEN_URL=
+# Client credentials used for trust-service authentication (ClientAuth only)
+TRUST_SERVICE_CLIENT_ID=
+TRUST_SERVICE_CLIENT_SECRET=
+# Trust list URL — for NoAuth: GitHub/static JSON URL; for ClientAuth: trust-service base URL
 TRUST_LIST_URL=
 
 # Expiry is in seconds

.env.sample

@@ -42,15 +42,15 @@ INDICIO_TEST_GENESIS=`{"reqSignature":{},"txn":{"data":{"data":{"alias":"OpsNode
 {"reqSignature":{},"txn":{"data":{"data":{"alias":"lorica-identity-node1","blskey":"wUh24sVCQ8PHDgSb343g2eLxjD5vwxsrETfuV2sbwMNnYon9nhbaK5jcWTekvXtyiwxHxuiCCoZwKS97MQEAeC2oLbbMeKjYm212QwSnm7aKLEqTStXht35VqZvZLT7Q3mPQRYLjMGixdn4ocNHrBTMwPUQYycEqwaHWgE1ncDueXY","blskey_pop":"R2sMwF7UW6AaD4ALa1uB1YVPuP6JsdJ7LsUoViM9oySFqFt34C1x1tdHDysS9wwruzaaEFui6xNPqJ8eu3UBqcFKkoWhdsMqCALwe63ytxPwvtLtCffJLhHAcgrPC7DorXYdqhdG2cevdqc5oqFEAaKoFDBf12p5SsbbM4PYWCmVCb","client_ip":"35.225.220.151","client_port":"9702","node_ip":"35.224.26.110","node_port":"9701","services":["VALIDATOR"]},"dest":"k74ZsZuUaJEcB8RRxMwkCwdE5g1r9yzA3nx41qvYqYf"},"metadata":{"from":"Ex6hzsJFYzNJ7kzbfncNeU"},"type":"0"},"txnMetadata":{"seqNo":6,"txnId":"6880673ce4ae4a2352f103d2a6ae20469dd070f2027283a1da5e62a64a59d688"},"ver":"1"}
 {"reqSignature":{},"txn":{"data":{"data":{"alias":"cysecure-itn","blskey":"GdCvMLkkBYevRFi93b6qaj9G2u1W6Vnbg8QhRD1chhrWR8vRE8x9x7KXVeUBPFf6yW5qq2JCfA2frc8SGni2RwjtTagezfwAwnorLhVJqS5ZxTi4pgcw6smebnt4zWVhTkh6ugDHEypHwNQBcw5WhBZcEJKgNbyVLnHok9ob6cfr3u","blskey_pop":"RbH9mY7M5p3UB3oj4sT1skYwMkxjoUnja8eTYfcm83VcNbxC9zR9pCiRhk4q1dJT3wkDBPGNKnk2p83vaJYLcgMuJtzoWoJAWAxjb3Mcq8Agf6cgQpBuzBq2uCzFPuQCAhDS4Kv9iwA6FsRnfvoeFTs1hhgSJVxQzDWMVTVAD9uCqu","client_ip":"35.169.19.171","client_port":"9702","node_ip":"54.225.56.21","node_port":"9701","services":["VALIDATOR"]},"dest":"4ETBDmHzx8iDQB6Xygmo9nNXtMgq9f6hxGArNhQ6Hh3u"},"metadata":{"from":"uSXXXEdBicPHMMhr3ddNF"},"type":"0"},"txnMetadata":{"seqNo":7,"txnId":"3c21718b07806b2f193b35953dda5b68b288efd551dce4467ce890703d5ba549"},"ver":"1"}`
 
-PLATFORM_BASE_URL=        #CREDEBL BASE URL
-#if the agent is dedicated
-PLATFORM_DEDICATED_CLIENT_ID=
-PLATFORM_DEDICATED_CLIENT_SECRET=
-#If the agent is shared
-PLATFORM_SHARED_AGENT_CLIENT_ID=
-PLATFORM_SHARED_AGENT_CLIENT_SECRET=
-#Trust service url to fetch trusted certificates for TLS pinning
-TRUST_SERVICE_URL=
+# Authentication type for trust-service calls. Supported: NoAuth | ClientAuth (defaults to NoAuth if not set)
+TRUST_SERVICE_AUTH_TYPE=
+# Full token endpoint URL for ClientAuth (e.g. http://host:5000/v1/orgs/{clientId}/token)
+TRUST_SERVICE_TOKEN_URL=
+# Client credentials used for trust-service authentication (ClientAuth only)
+TRUST_SERVICE_CLIENT_ID=
+TRUST_SERVICE_CLIENT_SECRET=
+# Trust list URL — for NoAuth: GitHub/static JSON URL; for ClientAuth: trust-service base URL
+TRUST_LIST_URL=
 
 APP_URL=
 AGENT_HTTP_URL=
@@ -66,7 +66,6 @@ ROOT_CA_START_FROM_CURRENT_MONTH=
 DCS_START_FROM_CURRENT_MONTH=
 
 NODE_ENV=
-TRUST_LIST_URL=
 
 # Expiry is in seconds
 OID4VCI_CRED_OFFER_EXPIRY=3600

src/cliAgent.ts

@@ -65,7 +65,8 @@ import { IndicioAcceptanceMechanism, IndicioTransactionAuthorAgreement, Network,
 import { setupServer } from './server'
 import { generateSecretKey } from './utils/helpers'
 import { TsLogger } from './utils/logger'
-import { getMixedCredentialRequestToCredentialMapper, getTrustedCerts } from './utils/oid4vc-agent'
+import { getMixedCredentialRequestToCredentialMapper, getX509CertsByClientToken, getX509CertsByUrl } from './utils/oid4vc-agent'
+import { AuthTypes, getAuthType } from './utils/auth'
 import { PolygonDidRegistrar, PolygonDidResolver, PolygonModule } from '@ayanworks/credo-polygon-w3c-module'
 
 export type Transports = 'ws' | 'http'
@@ -272,14 +273,21 @@ const getModules = (
     x509: new X509Module({
       getTrustedCertificatesForVerification: async (
         agentContext,
-        { certificateChain: _certificateChain, verification: _verification },
+        { certificateChain, verification: _verification },
       ) => {
         //TODO: We need to trust the certificate tenant wise, for that we need to fetch those details from platform
         const tenantId = agentContext.contextCorrelationId
         console.log('[getTrustedCertificatesForVerification] tenantId from agentContext:', tenantId)
-        const certs: string[] = await getTrustedCerts(tenantId)
 
-        return certs
+        const authType = getAuthType()
+          console.log('[getTrustedCertificatesForVerification] authType:', authType)
+
+          if (authType === AuthTypes.ClientAuth) {
+            return await getX509CertsByClientToken(tenantId, certificateChain)
+          }
+
+          // NoAuth: return all certs from the static trust list URL
+          return await getX509CertsByUrl()
       },
     }),
   }

src/controllers/auth/AuthController.ts

@@ -1,11 +1,9 @@
 import axios from 'axios'
 import { Request as Req } from 'express'
-import { Body, Controller, Get, Path, Post, Request, Route, Tags } from 'tsoa'
+import { Body, Controller, Path, Post, Request, Route, Tags } from 'tsoa'
 import { injectable } from 'tsyringe'
 
 import { BadRequestError } from '../../errors'
-import { fetchDedicatedX509Certificates, fetchSharedAgentX509Certificates } from '../../utils/helpers'
-import { getTrustedCerts } from '../../utils/oid4vc-agent'
 
 interface OrgTokenRequest {
   clientId: string
@@ -30,35 +28,17 @@ export class AuthController extends Controller {
     @Path('orgId') orgId: string,
     @Body() body: OrgTokenRequest,
   ): Promise<OrgTokenResponse> {
-    const platformBaseUrl = process.env.PLATFORM_BASE_URL
-    if (!platformBaseUrl) {
-      throw new BadRequestError('PLATFORM_BASE_URL is not configured')
+    const trustServiceTokenUrl = process.env.TRUST_SERVICE_TOKEN_URL
+    if (!trustServiceTokenUrl) {
+      throw new BadRequestError('TRUST_SERVICE_TOKEN_URL is not configured')
     }
 
     const response = await axios.post<OrgTokenResponse>(
-      `${platformBaseUrl}/v1/orgs/${orgId}/token`,
+      `${trustServiceTokenUrl}`,
       { clientId: body.clientId, clientSecret: body.clientSecret },
       { headers: { 'Content-Type': 'application/json', accept: 'application/json' } },
     )
 
     return response.data
   }
-  // TODO: Remove these test endpoints after manual testing is done
-  @Get('/test/dedicated-x509-certificates')
-  public async testFetchDedicatedX509Certificates(@Request() _request: Req): Promise<string[]> {
-    return fetchDedicatedX509Certificates()
-  }
-
-  @Get('/test/shared-agent-x509-certificates')
-  public async testFetchSharedAgentX509Certificates(@Request() _request: Req): Promise<string[]> {
-    return fetchSharedAgentX509Certificates()
-  }
-
-  /**
-   * [TEMP] Manually trigger getTrustedCerts to test agent type detection and trust list fetch
-   */
-  @Get('/test/trusted-certs')
-  public async testGetTrustedCerts(@Request() _request: Req): Promise<string[]> {
-    return getTrustedCerts()
-  }
 }

src/routes/routes.ts

@@ -4051,111 +4051,6 @@ export function RegisterRoutes(app: Router) {
             }
         });
         // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-        const argsAuthController_testFetchDedicatedX509Certificates: Record<string, TsoaRoute.ParameterSchema> = {
-                _request: {"in":"request","name":"_request","required":true,"dataType":"object"},
-        };
-        app.get('/v1/orgs/test/dedicated-x509-certificates',
-            ...(fetchMiddlewares<RequestHandler>(AuthController)),
-            ...(fetchMiddlewares<RequestHandler>(AuthController.prototype.testFetchDedicatedX509Certificates)),
-
-            async function AuthController_testFetchDedicatedX509Certificates(request: ExRequest, response: ExResponse, next: any) {
-
-            // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-
-            let validatedArgs: any[] = [];
-            try {
-                validatedArgs = templateService.getValidatedArgs({ args: argsAuthController_testFetchDedicatedX509Certificates, request, response });
-
-                const container: IocContainer = typeof iocContainer === 'function' ? (iocContainer as IocContainerFactory)(request) : iocContainer;
-
-                const controller: any = await container.get<AuthController>(AuthController);
-                if (typeof controller['setStatus'] === 'function') {
-                controller.setStatus(undefined);
-                }
-
-              await templateService.apiHandler({
-                methodName: 'testFetchDedicatedX509Certificates',
-                controller,
-                response,
-                next,
-                validatedArgs,
-                successStatus: undefined,
-              });
-            } catch (err) {
-                return next(err);
-            }
-        });
-        // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-        const argsAuthController_testFetchSharedAgentX509Certificates: Record<string, TsoaRoute.ParameterSchema> = {
-                _request: {"in":"request","name":"_request","required":true,"dataType":"object"},
-        };
-        app.get('/v1/orgs/test/shared-agent-x509-certificates',
-            ...(fetchMiddlewares<RequestHandler>(AuthController)),
-            ...(fetchMiddlewares<RequestHandler>(AuthController.prototype.testFetchSharedAgentX509Certificates)),
-
-            async function AuthController_testFetchSharedAgentX509Certificates(request: ExRequest, response: ExResponse, next: any) {
-
-            // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-
-            let validatedArgs: any[] = [];
-            try {
-                validatedArgs = templateService.getValidatedArgs({ args: argsAuthController_testFetchSharedAgentX509Certificates, request, response });
-
-                const container: IocContainer = typeof iocContainer === 'function' ? (iocContainer as IocContainerFactory)(request) : iocContainer;
-
-                const controller: any = await container.get<AuthController>(AuthController);
-                if (typeof controller['setStatus'] === 'function') {
-                controller.setStatus(undefined);
-                }
-
-              await templateService.apiHandler({
-                methodName: 'testFetchSharedAgentX509Certificates',
-                controller,
-                response,
-                next,
-                validatedArgs,
-                successStatus: undefined,
-              });
-            } catch (err) {
-                return next(err);
-            }
-        });
-        // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-        const argsAuthController_testGetTrustedCerts: Record<string, TsoaRoute.ParameterSchema> = {
-                _request: {"in":"request","name":"_request","required":true,"dataType":"object"},
-        };
-        app.get('/v1/orgs/test/trusted-certs',
-            ...(fetchMiddlewares<RequestHandler>(AuthController)),
-            ...(fetchMiddlewares<RequestHandler>(AuthController.prototype.testGetTrustedCerts)),
-
-            async function AuthController_testGetTrustedCerts(request: ExRequest, response: ExResponse, next: any) {
-
-            // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-
-            let validatedArgs: any[] = [];
-            try {
-                validatedArgs = templateService.getValidatedArgs({ args: argsAuthController_testGetTrustedCerts, request, response });
-
-                const container: IocContainer = typeof iocContainer === 'function' ? (iocContainer as IocContainerFactory)(request) : iocContainer;
-
-                const controller: any = await container.get<AuthController>(AuthController);
-                if (typeof controller['setStatus'] === 'function') {
-                controller.setStatus(undefined);
-                }
-
-              await templateService.apiHandler({
-                methodName: 'testGetTrustedCerts',
-                controller,
-                response,
-                next,
-                validatedArgs,
-                successStatus: undefined,
-              });
-            } catch (err) {
-                return next(err);
-            }
-        });
-        // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
         const argsAgentController_getAgentInfo: Record<string, TsoaRoute.ParameterSchema> = {
                 request: {"in":"request","name":"request","required":true,"dataType":"object"},
         };

src/routes/swagger.json

@@ -7677,82 +7677,6 @@
 				}
 			}
 		},
-		"/v1/orgs/test/dedicated-x509-certificates": {
-			"get": {
-				"operationId": "TestFetchDedicatedX509Certificates",
-				"responses": {
-					"200": {
-						"description": "Ok",
-						"content": {
-							"application/json": {
-								"schema": {
-									"items": {
-										"type": "string"
-									},
-									"type": "array"
-								}
-							}
-						}
-					}
-				},
-				"tags": [
-					"Auth"
-				],
-				"security": [],
-				"parameters": []
-			}
-		},
-		"/v1/orgs/test/shared-agent-x509-certificates": {
-			"get": {
-				"operationId": "TestFetchSharedAgentX509Certificates",
-				"responses": {
-					"200": {
-						"description": "Ok",
-						"content": {
-							"application/json": {
-								"schema": {
-									"items": {
-										"type": "string"
-									},
-									"type": "array"
-								}
-							}
-						}
-					}
-				},
-				"tags": [
-					"Auth"
-				],
-				"security": [],
-				"parameters": []
-			}
-		},
-		"/v1/orgs/test/trusted-certs": {
-			"get": {
-				"operationId": "TestGetTrustedCerts",
-				"responses": {
-					"200": {
-						"description": "Ok",
-						"content": {
-							"application/json": {
-								"schema": {
-									"items": {
-										"type": "string"
-									},
-									"type": "array"
-								}
-							}
-						}
-					}
-				},
-				"description": "[TEMP] Manually trigger getTrustedCerts to test agent type detection and trust list fetch",
-				"tags": [
-					"Auth"
-				],
-				"security": [],
-				"parameters": []
-			}
-		},
 		"/agent": {
 			"get": {
 				"operationId": "GetAgentInfo",

src/server.ts

@@ -18,6 +18,7 @@ import { ValidateError } from 'tsoa'
 import { container } from 'tsyringe'
 
 import { setDynamicApiKey } from './authentication'
+import { validateAuthConfig } from './utils/auth'
 import { ErrorMessages } from './enums'
 import { BaseError } from './errors/errors'
 import { basicMessageEvents } from './events/BasicMessageEvents'
@@ -41,6 +42,7 @@ export const setupServer = async (
 ) => {
   await otelSDK.start()
   agent.config.logger.info('OpenTelemetry SDK started')
+  validateAuthConfig()
   container.registerInstance(Agent, agent as Agent)
   fs.writeFileSync('config.json', JSON.stringify(config, null, 2))