Merge branch 'main' into feature/event-bus

Author: dbluhm

aries_cloudagent/admin/server.py

@@ -1,21 +1,22 @@
 """Admin server classes."""
 
 import asyncio
+from hmac import compare_digest
 import logging
 import re
+from typing import Callable, Coroutine
 import uuid
 import warnings
-from typing import Callable, Coroutine
 
-import aiohttp_cors
-import jwt
 from aiohttp import web
 from aiohttp_apispec import (
     docs,
     response_schema,
     setup_aiohttp_apispec,
     validation_middleware,
 )
+import aiohttp_cors
+import jwt
 from marshmallow import fields
 
 from ..config.injection_context import InjectionContext
@@ -197,6 +198,13 @@ async def debug_middleware(request: web.BaseRequest, handler: Coroutine):
     return await handler(request)
 
 
+def const_compare(string1, string2):
+    """Compare two strings in constant time."""
+    if string1 is None or string2 is None:
+        return False
+    return compare_digest(string1.encode(), string2.encode())
+
+
 class AdminServer(BaseAdminServer):
     """Admin HTTP server class."""
 
@@ -275,7 +283,7 @@ def is_unprotected_path(path: str):
             @web.middleware
             async def check_token(request: web.Request, handler):
                 header_admin_api_key = request.headers.get("x-api-key")
-                valid_key = self.admin_api_key == header_admin_api_key
+                valid_key = const_compare(self.admin_api_key, header_admin_api_key)
 
                 if valid_key or is_unprotected_path(request.path):
                     return await handler(request)
@@ -696,7 +704,9 @@ async def websocket_handler(self, request):
         else:
             header_admin_api_key = request.headers.get("x-api-key")
             # authenticated via http header?
-            queue.authenticated = header_admin_api_key == self.admin_api_key
+            queue.authenticated = const_compare(
+                header_admin_api_key, self.admin_api_key
+            )
 
         try:
             self.websocket_queues[socket_id] = queue
@@ -739,7 +749,9 @@ async def websocket_handler(self, request):
                                 LOGGER.exception(
                                     "Exception in websocket receiving task:"
                                 )
-                            if self.admin_api_key and self.admin_api_key == msg_api_key:
+                            if self.admin_api_key and const_compare(
+                                self.admin_api_key, msg_api_key
+                            ):
                                 # authenticated via websocket message
                                 queue.authenticated = True
 

aries_cloudagent/config/argparse.py

@@ -307,7 +307,6 @@ def add_arguments(self, parser: ArgumentParser):
             env_var="ACAPY_TEST_SUITE_ENDPOINT",
             help="URL endpoint for sending messages to the test suite agent.",
         )
-
         parser.add_argument(
             "--auto-accept-invites",
             action="store_true",
@@ -735,6 +734,12 @@ def add_arguments(self, parser: ArgumentParser):
                 "marking a connection as 'active'. Default: false."
             ),
         )
+        parser.add_argument(
+            "--auto-accept-intro-invitation-requests",
+            action="store_true",
+            env_var="ACAPY_AUTO_ACCEPT_INTRO_INVITATION_REQUESTS",
+            help="Automatically accept introduction invitations. Default: false.",
+        )
         parser.add_argument(
             "--invite-base-url",
             type=str,
@@ -840,6 +845,8 @@ def get_settings(self, args: Namespace) -> dict:
         settings = {}
         if args.auto_ping_connection:
             settings["auto_ping_connection"] = True
+        if args.auto_accept_intro_invitation_requests:
+            settings["auto_accept_intro_invitation_requests"] = True
         if args.invite_base_url:
             settings["invite_base_url"] = args.invite_base_url
         if args.monitor_ping:

aries_cloudagent/config/default_context.py

@@ -96,7 +96,7 @@ async def bind_providers(self, context: InjectionContext):
         # Allow action menu to be provided by driver
         context.injector.bind_instance(BaseMenuService, DriverMenuService(context))
         context.injector.bind_instance(
-            BaseIntroductionService, DemoIntroductionService(context)
+            BaseIntroductionService, DemoIntroductionService()
         )
 
     async def load_plugins(self, context: InjectionContext):
@@ -115,7 +115,7 @@ async def load_plugins(self, context: InjectionContext):
             "aries_cloudagent.messaging.credential_definitions"
         )
         plugin_registry.register_plugin("aries_cloudagent.messaging.schemas")
-        # plugin_registry.register_plugin("aries_cloudagent.messaging.jsonld")
+        plugin_registry.register_plugin("aries_cloudagent.messaging.jsonld")
         plugin_registry.register_plugin("aries_cloudagent.revocation")
         plugin_registry.register_plugin("aries_cloudagent.resolver")
         plugin_registry.register_plugin("aries_cloudagent.wallet")

aries_cloudagent/messaging/jsonld/create_verify_data.py

@@ -11,7 +11,11 @@
 
 from pyld import jsonld
 
-from .error import DroppedAttributeError, MissingVerificationMethodError
+from .error import (
+    DroppedAttributeError,
+    MissingVerificationMethodError,
+    SignatureTypeError,
+)
 
 
 def _canonize(data):
@@ -38,49 +42,62 @@ def _canonize_document(doc):
     return _canonize(_doc)
 
 
+def _created_at():
+    """Creation Timestamp."""
+
+    stamp = datetime.datetime.now(datetime.timezone.utc)
+    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
 def create_verify_data(data, signature_options):
     """Encapsulate the process of constructing the string used during sign and verify."""
 
-    if "creator" in signature_options:
-        signature_options["verificationMethod"] = signature_options["creator"]
+    type_ = signature_options.get("type", "Ed25519Signature2018")
+    if type_ and type_ != "Ed25519Signature2018":
+        raise SignatureTypeError(f"invalid signature type {type_}.")
+
+    signature_options["verificationMethod"] = signature_options.get(
+        "creator", signature_options.get("verificationMethod")
+    )
 
     if not signature_options.get("verificationMethod"):
         raise MissingVerificationMethodError(
             "signature_options.verificationMethod is required"
         )
 
-    if "created" not in signature_options:
-        signature_options["created"] = datetime.datetime.now(
-            datetime.timezone.utc
-        ).strftime("%Y-%m-%dT%H:%M:%SZ")
-
-    if (
-        "type" not in signature_options
-        or signature_options["type"] != "Ed25519Signature2018"
-    ):
-        signature_options["type"] = "Ed25519Signature2018"
-
+    signature_options["created"] = signature_options.get("created", _created_at())
     [expanded] = jsonld.expand(data)
     framed = jsonld.compact(
         expanded, "https://w3id.org/security/v2", {"skipExpansion": True}
     )
 
     # Detect any dropped attributes during the expand/contract step.
-    if len(data) != len(framed):
-        raise DroppedAttributeError("Extra Attribute Detected")
-    if (
-        "proof" in data
-        and "proof" in framed
-        and len(data["proof"]) != len(framed["proof"])
-    ):
-        raise DroppedAttributeError("Extra Attribute Detected")
-    if (
-        "credentialSubject" in data
-        and "https://www.w3.org/2018/credentials#credentialSubject" in framed
-        and len(data["credentialSubject"])
-        != len(framed["https://www.w3.org/2018/credentials#credentialSubject"])
-    ):
-        raise DroppedAttributeError("Extra Attribute Detected")
+    if len(data) > len(framed):
+        # > check indicates dropped attrs < is a different error
+        # attempt to collect error report data
+        for_diff = jsonld.compact(expanded, data.get("@context"))
+        dropped = set(data.keys()) - set(for_diff.keys())
+        raise DroppedAttributeError(
+            f"{dropped} attributes dropped. "
+            "Provide definitions in context to correct."
+        )
+    # Check proof for dropped attributes
+    attr = [
+        ("proof", "proof"),
+        ("credentialSubject", "https://www.w3.org/2018/credentials#credentialSubject"),
+    ]
+    data_context = data.get("@context")
+    for mapping in attr:
+        data_attribute = data.get(mapping[0], {})
+        frame_attribute = framed.get(mapping[1], {})
+        if len(data_attribute) > len(frame_attribute):
+            for_diff = jsonld.compact(expanded, data_context)
+            for_diff_attribute = for_diff.get(mapping[1], {})
+            dropped = set(data_attribute.keys()) - set(for_diff_attribute.keys())
+            raise DroppedAttributeError(
+                f"in {mapping[0]}, {dropped} attributes dropped. "
+                "Provide definitions in context to correct."
+            )
 
     canonized_signature_options = _canonize_signature_options(signature_options)
     hash_of_canonized_signature_options = _sha256(canonized_signature_options)

aries_cloudagent/messaging/jsonld/credential.py

@@ -2,14 +2,14 @@
 
 import json
 
+from ...wallet.base import BaseWallet
 from ...wallet.util import (
     b64_to_bytes,
     b64_to_str,
     bytes_to_b64,
-    str_to_b64,
     naked_to_did_key,
+    str_to_b64,
 )
-
 from .create_verify_data import create_verify_data
 from .error import BadJWSHeaderError
 
@@ -35,7 +35,7 @@ def create_jws(encoded_header, verify_data):
     return (encoded_header + ".").encode("utf-8") + verify_data
 
 
-async def jws_sign(verify_data, verkey, wallet):
+async def jws_sign(session, verify_data, verkey):
     """Sign JWS."""
 
     header = {"alg": "EdDSA", "b64": False, "crit": ["b64"]}
@@ -44,6 +44,7 @@ async def jws_sign(verify_data, verkey, wallet):
 
     jws_to_sign = create_jws(encoded_header, verify_data)
 
+    wallet = session.inject(BaseWallet, required=True)
     signature = await wallet.sign_message(jws_to_sign, verkey)
 
     encoded_signature = bytes_to_b64(signature, urlsafe=True, pad=False)
@@ -60,7 +61,7 @@ def verify_jws_header(header):
         )
 
 
-async def jws_verify(verify_data, signature, public_key, wallet):
+async def jws_verify(session, verify_data, signature, public_key):
     """Detatched jws verify handling."""
 
     encoded_header, _, encoded_signature = signature.partition("..")
@@ -71,26 +72,25 @@ async def jws_verify(verify_data, signature, public_key, wallet):
     decoded_signature = b64_to_bytes(encoded_signature, urlsafe=True)
 
     jws_to_verify = create_jws(encoded_header, verify_data)
-
+    wallet = session.inject(BaseWallet, required=True)
     verified = await wallet.verify_message(jws_to_verify, decoded_signature, public_key)
 
     return verified
 
 
-async def sign_credential(credential, signature_options, verkey, wallet):
+async def sign_credential(session, credential, signature_options, verkey):
     """Sign Credential."""
 
     framed, verify_data_hex_string = create_verify_data(credential, signature_options)
     verify_data_bytes = bytes.fromhex(verify_data_hex_string)
-    jws = await jws_sign(verify_data_bytes, verkey, wallet)
-    document_with_proof = {**credential, "proof": {**signature_options, "jws": jws}}
-    return document_with_proof
+    jws = await jws_sign(session, verify_data_bytes, verkey)
+    return {**credential, "proof": {**signature_options, "jws": jws}}
 
 
-async def verify_credential(doc, verkey, wallet):
+async def verify_credential(session, doc, verkey):
     """Verify credential."""
 
     framed, verify_data_hex_string = create_verify_data(doc, doc["proof"])
     verify_data_bytes = bytes.fromhex(verify_data_hex_string)
-    valid = await jws_verify(verify_data_bytes, framed["proof"]["jws"], verkey, wallet)
+    valid = await jws_verify(session, verify_data_bytes, framed["proof"]["jws"], verkey)
     return valid

aries_cloudagent/messaging/jsonld/error.py

@@ -17,3 +17,11 @@ class DroppedAttributeError(BaseJSONLDMessagingError):
 
 class MissingVerificationMethodError(BaseJSONLDMessagingError):
     """Exception indicating missing verification method from signature options."""
+
+
+class SignatureTypeError(BaseJSONLDMessagingError):
+    """Exception indicating Signature type error."""
+
+
+class InvalidVerificationMethod(BaseJSONLDMessagingError):
+    """Exception indicating an invalid verification method in doc to verify."""