perf: adjust to fork

README.md

@@ -49,7 +49,7 @@ To use VC-AuthN for development and/or demo purposes, a pre-configured demo app
 In order to use the VC OIDC authentication, a couple of extra steps are required:
 
 - A proof-request configuration needs to be registered with VC-AuthN. To do
-  so, the following command can be used to post a configuration requesting a Hologram Wallet Showcase Person credential:
+  so, the following command can be used to post a configuration requesting a BC Wallet Showcase Person credential:
 
 ```bash
 curl -X 'POST' \
@@ -60,14 +60,31 @@ curl -X 'POST' \
   "ver_config_id": "showcase-person",
   "subject_identifier": "",
   "generate_consistent_identifier": true,
-  "requested_credentials": [
+  "proof_request": {
+    "name": "BC Wallet Showcase Person",
+    "version": "1.0",
+    "requested_attributes": [
+
       {
-        "credentialDefinitionId": "did:web:chatbot-demo.dev.2060.io?service=anoncreds&relativeRef=/credDef/8TsGLaSPVKPVMXK8APzBRcXZryxutvQuZnnTcDmbqd9p",
-        "attributes": [
-          "phoneNumber"
+        "names": ["given_names", "family_name", "country"],
+        "restrictions": [
+          {
+            "schema_name": "Person",
+            "issuer_did": "L6ASjmDDbDH7yPL1t2yFj9"
+          },
+          {
+            "schema_name": "Person",
+            "issuer_did": "QEquAHkM35w4XVT3Ku5yat"
+          },
+          {
+            "schema_name": "Person",
+            "issuer_did": "M6dhuFj5UwbhWkSLmvYSPc"
+          }
         ]
       }
     ],
+    "requested_predicates": []
+  }
 }'
 ```
 
@@ -94,7 +111,7 @@ curl -X 'POST' \
 }'
 ```
 
-- Lastly, obtain a Person Credential from the [Hologram Wallet Showcase](https://2060.io/use-cases/) by completing the lawyer demo.
+- Lastly, obtain a Person Credential from the [BC Wallet Showcase](https://digital.gov.bc.ca/digital-trust/showcase) by completing the lawyer demo.
 
 After all these steps have been completed, you should be able to authenticate with the demo application using the "Verified Credential Access" option.
 
@@ -127,4 +144,4 @@ This is a sample debugger launch configuration for VSCode that can be used by ad
         }
     ]
 }
-```
+```

charts/vc-authn-oidc/values.yaml

@@ -11,7 +11,7 @@ fullnameOverride: ""
 ## @param image.tag Overrides the image tag which defaults to the chart appVersion.
 ##
 image:
-  repository: io2060/vc-auth-2060
+  repository: ghcr.io/bcgov/vc-authn-oidc
   pullPolicy: IfNotPresent
   pullSecrets: []
   tag: ""
@@ -39,14 +39,21 @@ useHTTPS: true
 ## @param logLevel Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG
 logLevel: INFO
 
+## @param auth.api.existingSecret Specify the name of the secret containing `controllerApiKey` key.
 ## @param auth.token.privateKey.filename Specify the name of the signing key file
 ## @param auth.token.privateKey.existingSecret Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created.
 auth:
+  api:
+    existingSecret: ""
   token:
     privateKey:
       filename: jwt-token.pem
       existingSecret: ""
 
+## @param database.secret.existingSecret Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret.
+database:
+  existingSecret: ""
+
 ## @param podAnnotations Map of annotations to add to the acapy pods
 ##
 podAnnotations: {}
@@ -193,8 +200,10 @@ acapy:
   adminUrl: ""
   ## @param acapy.existingSecret Name of existing secret, required if `enabled` is `false`; Secret must contain `adminApiKey`, `walletKey`, and `webhookApiKey` keys.
   existingSecret: ""
-  ## @param acapy.agentSeed
-  agentSeed: ""
+  ## @param acapy.agentSeed.existingSecret Name of existing secret with the 'seed' key.
+  agentSeed:
+    existingSecret: ""
+
   ## @param acapy.image.repository
   ## @param acapy.image.pullPolicy
   ## @param acapy.image.pullSecrets [array]
@@ -204,7 +213,7 @@ acapy:
     repository: ghcr.io/hyperledger/aries-cloudagent-python
     pullPolicy: IfNotPresent
     pullSecrets: []
-    tag: py3.9-0.12.0rc0
+    tag: py3.9-0.12.1
 
   ## ServiceAccount configuration
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
@@ -341,6 +350,8 @@ acapy:
   ## @param acapy.walletStorageCredentials.admin_account Database account with CREATEDB role used to create additional databases per wallet.
   ## @param acapy.walletStorageCredentials.admin_password Database password for admin account.
   ## @param acapy.walletStorageCredentials.existingSecret Name of an existing secret containing 'database-user', 'database-password', 'admin-password' keys.
+  ## @param acapy.walletStorageCredentials.secretKeys.adminPasswordKey Key in existing secret containing admin password.
+  ## @param acapy.walletStorageCredentials.secretKeys.userPasswordKey Key in existing secret containing password .
   ##
   walletStorageCredentials:
     json: ""
@@ -349,6 +360,10 @@ acapy:
     admin_account: postgres
     admin_password: ""
     existingSecret: ""
+    secretKeys:
+      adminPasswordKey: admin-password
+      userPasswordKey: database-password
+
   ## @section Acapy tails persistence configuration
   persistence:
     ## @param acapy.persistence.existingClaim Name of an existing PVC to use
@@ -510,17 +525,6 @@ acapy:
       ##
       wildcardPolicy: None
 
-  ## Acapy secret configuration
-  ##
-  secret:
-    adminApiKey:
-      ## @param acapy.secret.adminApiKey.generated Generate admin api key
-      ##
-      generated: true
-      ## @param acapy.secret.adminApiKey.value Override admin api key
-      ##
-      value: ""
-
 ##  Overrides for bitnami/mongodb chart - https://github.com/bitnami/charts/tree/main/bitnami/mongodb
 mongodb:
   auth:
@@ -646,7 +650,7 @@ postgresql:
       enabled: true
       ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
       ##
-      size: 1Gi
+      size: 5Gi
     ## Container Security Context
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
     ## @param postgresql.primary.containerSecurityContext.enabled Enable container security context
@@ -687,4 +691,4 @@ postgresql:
 
 ## @param postgresql-ha.enabled Deploy HA PostgreSQL chart. Not currently supported, provided for future use.
 postgresql-ha:
-  enabled: false
+  enabled: false

demo/vue/app/frontend/src/views/Home.vue

@@ -6,7 +6,7 @@
     <h4>Mobile Wallet</h4>
     <ul>
       <li>
-        Download Hologram Wallet to a mobile device
+        Download BC Wallet to a mobile device
         <a
           href="https://www2.gov.bc.ca/gov/content/governments/government-id/bc-wallet"
         >https://www2.gov.bc.ca/gov/content/governments/government-id/bc-wallet</a

docker/keycloak/config/keycloak_import.json

@@ -1074,7 +1074,7 @@
     "xContentTypeOptions": "nosniff",
     "xRobotsTag": "none",
     "xFrameOptions": "SAMEORIGIN",
-    "contentSecurityPolicy": "frame-src 'self' http://localhost:5000/; frame-ancestors 'self' http://localhost:8080/; object-src 'none';",
+    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
     "xXSSProtection": "1; mode=block",
     "strictTransportSecurity": "max-age=31536000; includeSubDomains"
   },
@@ -1942,4 +1942,4 @@
   "clientPolicies": {
     "policies": []
   }
-}
+}

docs/ConfigurationGuide.md

@@ -77,7 +77,7 @@ Several functions in VC-AuthN can be tweaked by using the following environment
 | Variable                  | Type                                   | What it does                                                                                                                                                                                                                                                                                                                                                                                                                                           | NOTES                                                                                                                                   |
 | ------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
 | SET_NON_REVOKED           | bool                                   | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())`                                                                                                                                                                                                                                                                       |                                                                                                                                         |
-| USE_OOB_PRESENT_PROOF     | bool                                   | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | **TRUE:** Hologram Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' |
+| USE_OOB_PRESENT_PROOF     | bool                                   | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | **TRUE:** BC Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' |
 | USE_OOB_LOCAL_DID_SERVICE | bool                                   | Instructs VC-AuthN to use a local DID, it must be used when the agent service is not registered on the ledger with a public DID                                                                                                                                                                                                                                                                                                                        | Use this when `ACAPY_WALLET_LOCAL_DID` is set to `true` in the agent.                                                                   |
 | LOG_WITH_JSON             | bool                                   | If True, logging output should printed as JSON if False it will be pretty printed.                                                                                                                                                                                                                                                                                                                                                                     | Default behavior will print as JSON.                                                                                                    |
 | LOG_TIMESTAMP_FORMAT      | string                                 | determines the timestamp formatting used in logs                                                                                                                                                                                                                                                                                                                                                                                                       | Default is "iso"                                                                                                                        |
@@ -87,4 +87,4 @@ Several functions in VC-AuthN can be tweaked by using the following environment
 
 The basic structure of a proof-request configuration is described [here](README.md#data-model). Additional options are described via the Swagger document, and listed below:
 
-- `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request.
+- `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request.

docs/README.md

@@ -139,14 +139,16 @@ A verifiable credential presentation request configuration, takes the following
   "id": "<configuration-identifier>",
   "subject_identifier": "<attribute-name>",
   "generate_consistent_identifier": <true|false>,
-  "requested_credentials": [
+  "proof_request": {
+    "name": "Basic Proof",
+    "version": "1.0",
+    "requested_attributes": [
       {
-        "credentialDefinitionId": "did:web:chatbot-demo.dev.2060.io?service=anoncreds&relativeRef=/credDef/8TsGLaSPVKPVMXK8APzBRcXZryxutvQuZnnTcDmbqd9p",
-        "attributes": [
-          "phoneNumber"
-        ]
+        "names": ["email", "first_name", "last_name"]
+        "restrictions": []
       }
-    ],
+    ]
+  }
 }
 ```
 
@@ -156,8 +158,7 @@ This data model is inspired by that is defined and used in the [Hyperledger Indy
 - `id` : The identifier for the presentation configuration.
 - `subject_identifier` : See [here](#subject-identifer-mapping) for further details on the purpose of this field.
 - `generate_consistent_identifier` : Optional field defaulting to false. See [here](#subject-identifer-mapping) for more details.
-- `requested_credentials` : Contains details of the presentation request, specifying which credential should be submitted and its attributes.
-<!-- - `proof_request` : Contains the details on the presentation request, e.g which attributes are to be disclosed
+- `proof_request` : Contains the details on the presentation request, e.g which attributes are to be disclosed
     - `name` : The name that will accompany the presentation request
     - `version` : The version of the presentation request
     - `requested_attributes` : Is a list of requested attributes.
@@ -168,7 +169,7 @@ This data model is inspired by that is defined and used in the [Hyperledger Indy
             - `schema_name` : Name of the schema used for the credential the attribute is being disclosed from.
             - `schema_version` : Version of the schema used for the credential the attribute is being disclosed from.
             - `issuer_did` : DID of the issuer of the credential the attribute is being disclosed from.
-            - `cred_def_id` : Identifier of the credential definition the credential the attribute is being disclosed from. -->
+            - `cred_def_id` : Identifier of the credential definition the credential the attribute is being disclosed from.
 
 ### API
 
@@ -347,4 +348,4 @@ The following additional metadata must be present at the OP's `/.well-known/open
 - SIOP instead of DIDComm for the requests between the RP and IW?
 - Should the verifiable credential presentation configuration data model be a valid JSON-LD object
 - Should the `pres_req_conf_id` instead be a [URN](https://tools.ietf.org/html/rfc8141) so the OP does not necessarily have to host the additional configuration API?
-- Perhaps seperate things out so we have two specs, one for the RP <--> OP integration the other for AD <--> OP
+- Perhaps seperate things out so we have two specs, one for the RP <--> OP integration the other for AD <--> OP

oidc-controller/api/routers/oidc.py

@@ -82,89 +82,6 @@ async def poll_pres_exch_complete(pid: str, db: Database = Depends(get_db)):
     return {"proof_status": auth_session.proof_status}
 
 
-@log_debug
-@router.get("/qr", response_class=JSONResponse)
-async def get_authorize_qr(request: Request, db: Database = Depends(get_db)):
-    """Called by oidc platform."""
-    logger.debug(">>> get_authorize_qr")
-
-    # Verify OIDC forward payload
-    model = AuthorizationRequest().from_dict(request.query_params._dict)
-    model.verify()
-
-    try:
-        auth_req = provider.provider.parse_authentication_request(
-            urlencode(request.query_params._dict), request.headers
-        )
-    except InvalidAuthenticationRequest as e:
-        raise HTTPException(
-            status_code=http_status.HTTP_400_BAD_REQUEST,
-            detail=f"Invalid auth request: {e}",
-        )
-
-    #  create proof for this request
-    new_user_id = str(uuid.uuid4())
-    authn_response = provider.provider.authorize(model, new_user_id)
-
-    # retrieve presentation_request config.
-    client = AcapyClient()
-    ver_config_id = model.get("pres_req_conf_id")
-    ver_config = await VerificationConfigCRUD(db).get(ver_config_id)
-
-    # Create presentation_request to show on screen
-    response = client.create_presentation_request(ver_config.generate_proof_request())
-    pres_exch_dict = response.dict()
-
-    # Prepeare the presentation request
-    client = AcapyClient()
-
-    # Create and save OIDC AuthSession
-    new_auth_session = AuthSessionCreate(
-        response_url=authn_response.request(auth_req["redirect_uri"]),
-        pyop_auth_code=authn_response["code"],
-        request_parameters=model.to_dict(),
-        ver_config_id=ver_config_id,
-        pres_exch_id=response.proofExchangeId,
-        presentation_exchange=pres_exch_dict,
-        short_url=pres_exch_dict["shortUrl"],
-    )
-    auth_session = await AuthSessionCRUD(db).create(new_auth_session)
-
-    # QR CONTENTS
-    controller_host = settings.CONTROLLER_URL
-    url_to_message = (
-        controller_host + "/url/pres_exch/" + str(auth_session.pres_exch_id)
-    )
-    # CREATE the image
-    buff = io.BytesIO()
-    qrcode.make(url_to_message).save(buff, format="PNG")
-    image_contents = base64.b64encode(buff.getvalue()).decode("utf-8")
-    callback_url = f"""{controller_host}{AuthorizeCallbackUri}?pid={auth_session.id}"""
-
-    # Hologram deep link
-    wallet_deep_link = pres_exch_dict["url"]
-    short_url = pres_exch_dict["shortUrl"]
-    # This is the payload to send to the template
-    data = {
-        "image_contents": str(image_contents),
-        # "url_to_message": url_to_message,
-        "callback_url": str(callback_url),
-        # "add_asset": add_asset,
-        "pres_exch_id": str(auth_session.pres_exch_id),
-        "pid": str(auth_session.id),
-        "controller_host": str(controller_host),
-        "challenge_poll_uri": str(ChallengePollUri)
-        # "wallet_deep_link": wallet_deep_link,
-        # "short_url": short_url,
-    }
-
-    # Prepare the template
-    template_file = open("api/templates/verified_credentials.html", "r").read()
-    template = Template(template_file)
-
-    # Render and return the template
-    return data
-
 @log_debug
 @router.get(VerifiedCredentialAuthorizeUri, response_class=HTMLResponse)
 async def get_authorize(request: Request, db: Database = Depends(get_db)):

oidc-controller/api/routers/socketio.py

@@ -6,7 +6,7 @@
 
 connections = {}
 
-sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins=[])
+sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins=["*"])
 
 sio_app = socketio.ASGIApp(socketio_server=sio, socketio_path="/ws/socket.io")