vta-service 0.10.1

Service for Verifiable Trust Agents operating in Verifiable Trust Communities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265

//! Integration test for **authenticate via a DI-signed Trust Task over REST** —
//! the transport-agnostic `auth/authenticate/0.1` path.
//!
//! The holder posts a plain JSON `auth/authenticate/0.1` Trust Task whose
//! `eddsa-jcs-2022` Data-Integrity proof *is* the authentication — no DIDComm
//! packing / mediator required. Exercises the real route → DI-proof verify
//! (local `did:key` resolution) → canonical `handle_authenticate` →
//! session-state transition → token mint, end to end.
//!
//! Unlike the DIDComm `POST /auth/` round-trip (which needs a network DID
//! resolver and lives in the e2e suite), this path resolves `did:key` locally,
//! so the full sign-then-verify runs in-process here.

use axum::body::Body;
use axum::http::{Request, StatusCode};
use http_body_util::BodyExt;
use serde_json::{Value, json};
use tower::ServiceExt;

use affinidi_data_integrity::crypto_suites::CryptoSuite;
use affinidi_data_integrity::{DataIntegrityProof, prepare_sign_input};
use ed25519_dalek::{Signer, SigningKey};
use multibase::Base;
use trust_tasks_rs::{Proof, TrustTask};

use vta_service::test_support::{TestAppContext, build_test_app};

/// did:key + method-specific-id for an Ed25519 key (multicodec 0xed01).
fn did_key(sk: &SigningKey) -> (String, String) {
    let pk = sk.verifying_key();
    let mut mc = vec![0xed, 0x01];
    mc.extend_from_slice(pk.as_bytes());
    let mb = multibase::encode(Base::Base58Btc, mc);
    (format!("did:key:{mb}"), mb)
}

/// Grant `did` admin access so it clears the `/auth/challenge` ACL gate and the
/// authenticate role re-lookup.
async fn seed_admin_acl(ctx: &TestAppContext, did: &str) {
    let entry = vti_common::acl::AclEntry::new(did, vti_common::acl::Role::Admin, "test")
        .with_created_at(1);
    vti_common::acl::store_acl_entry(&ctx.acl_ks, &entry)
        .await
        .expect("seed admin ACL");
}

fn post(uri: &str, body: Vec<u8>) -> Request<Body> {
    Request::builder()
        .method("POST")
        .uri(uri)
        .header("content-type", "application/json")
        // Stable client IP so the per-IP rate limiter doesn't throttle a
        // parallel `cargo test` run interleaving with the rate-limit test.
        .header("x-forwarded-for", "203.0.113.7")
        .body(Body::from(body))
        .unwrap()
}

async fn send(router: &axum::Router, req: Request<Body>) -> (StatusCode, Value) {
    let resp = router.clone().oneshot(req).await.expect("request");
    let status = resp.status();
    let bytes = resp.into_body().collect().await.unwrap().to_bytes();
    let v: Value = serde_json::from_slice(&bytes)
        .unwrap_or_else(|_| json!({"raw": String::from_utf8_lossy(&bytes).to_string()}));
    (status, v)
}

/// Build a holder-signed `auth/authenticate/0.1` Trust Task document for the
/// given challenge + session, signed with `sk` (eddsa-jcs-2022).
fn signed_authenticate_doc(
    sk: &SigningKey,
    did: &str,
    vm: &str,
    challenge: &str,
    session_id: &str,
) -> TrustTask<Value> {
    let doc_json = json!({
        "id": "urn:uuid:authn-itest-1",
        "type": "https://trusttasks.org/spec/auth/authenticate/0.1",
        "issuer": did,
        "recipient": "did:key:z6MkTestVTA",
        "payload": { "challenge": challenge, "sessionId": session_id },
    });
    let mut doc: TrustTask<Value> = serde_json::from_value(doc_json).unwrap();
    let mut di = DataIntegrityProof::new(
        CryptoSuite::EddsaJcs2022,
        vm.to_string(),
        "authentication".to_string(),
        None,
        // Safely in the past — DI verify rejects future-dated proofs, and the
        // wall clock sits right on the 2026-06-01 boundary.
        Some("2026-05-31T12:00:00Z".to_string()),
        None,
    );
    let input = prepare_sign_input(&doc, &di, CryptoSuite::EddsaJcs2022).unwrap();
    di.proof_value = Some(multibase::encode(
        Base::Base58Btc,
        sk.sign(&input).to_bytes(),
    ));
    doc.proof = Some(serde_json::from_value::<Proof>(serde_json::to_value(&di).unwrap()).unwrap());
    doc
}

/// Run a real `/auth/challenge` for `did` and return `(session_id, challenge)`.
async fn obtain_challenge(router: &axum::Router, did: &str) -> (String, String) {
    let (status, body) = send(
        router,
        post(
            "/auth/challenge",
            json!({ "did": did }).to_string().into_bytes(),
        ),
    )
    .await;
    assert_eq!(status, StatusCode::OK, "challenge must issue: {body}");
    (
        body["sessionId"].as_str().unwrap().to_string(),
        body["challenge"].as_str().unwrap().to_string(),
    )
}

#[tokio::test]
async fn di_signed_authenticate_issues_tokens() {
    let (router, ctx) = build_test_app().await;
    let sk = SigningKey::from_bytes(&[7u8; 32]);
    let (did, mb) = did_key(&sk);
    let vm = format!("{did}#{mb}");
    seed_admin_acl(&ctx, &did).await;

    let (session_id, challenge) = obtain_challenge(&router, &did).await;
    let doc = signed_authenticate_doc(&sk, &did, &vm, &challenge, &session_id);

    let (status, body) = send(&router, post("/auth/", serde_json::to_vec(&doc).unwrap())).await;

    assert_eq!(
        status,
        StatusCode::OK,
        "DI-signed authenticate must succeed: {body}"
    );
    // A TT request gets a TT `#response` document back (what the engine's
    // parse_authenticate_response consumes): tokens + session under `payload`.
    assert!(
        body["type"]
            .as_str()
            .is_some_and(|t| t.ends_with("/auth/authenticate/0.1#response")),
        "response is a TT #response doc: {body}"
    );
    assert_eq!(body["payload"]["session"]["subject"], did, "{body}");
    assert_eq!(
        body["payload"]["session"]["acr"], "aal1",
        "first factor is AAL1: {body}"
    );
    assert!(
        body["payload"]["tokens"]["accessToken"]
            .as_str()
            .is_some_and(|t| !t.is_empty()),
        "an access token is issued: {body}"
    );

    // The session transitioned to Authenticated (so a replay can't re-auth).
    let stored = vti_common::auth::session::get_session(&ctx.sessions_ks, &session_id)
        .await
        .unwrap()
        .unwrap();
    assert_eq!(
        stored.state,
        vti_common::auth::session::SessionState::Authenticated
    );

    // Replay the exact same document: the session is no longer ChallengeSent.
    let (replay_status, _) = send(&router, post("/auth/", serde_json::to_vec(&doc).unwrap())).await;
    assert_ne!(
        replay_status,
        StatusCode::OK,
        "replaying the authenticate document must not re-authenticate"
    );
}

#[tokio::test]
async fn di_signed_authenticate_rejects_tampered_proof() {
    let (router, ctx) = build_test_app().await;
    let sk = SigningKey::from_bytes(&[8u8; 32]);
    let (did, mb) = did_key(&sk);
    let vm = format!("{did}#{mb}");
    seed_admin_acl(&ctx, &did).await;

    let (session_id, challenge) = obtain_challenge(&router, &did).await;
    let mut doc = signed_authenticate_doc(&sk, &did, &vm, &challenge, &session_id);

    // Corrupt the signature: flip a char near the START of the proofValue
    // (full 6 significant bits) so the tamper is never a no-op.
    let mut proof = serde_json::to_value(doc.proof.take().unwrap()).unwrap();
    let pv = proof["proofValue"].as_str().unwrap();
    let mut chars: Vec<char> = pv.chars().collect();
    // index 1 is the first base58 char after the multibase prefix 'z'.
    chars[1] = if chars[1] == 'A' { 'B' } else { 'A' };
    proof["proofValue"] = Value::String(chars.into_iter().collect());
    doc.proof = Some(serde_json::from_value(proof).unwrap());

    let (status, body) = send(&router, post("/auth/", serde_json::to_vec(&doc).unwrap())).await;
    assert_eq!(
        status,
        StatusCode::UNAUTHORIZED,
        "a tampered proof must be rejected: {body}"
    );

    // The session stays in ChallengeSent — no tokens were issued.
    let stored = vti_common::auth::session::get_session(&ctx.sessions_ks, &session_id)
        .await
        .unwrap()
        .unwrap();
    assert_eq!(
        stored.state,
        vti_common::auth::session::SessionState::ChallengeSent
    );
}

/// The challenge step also speaks Trust Tasks end-to-end: a TT
/// `auth/challenge/0.1` request returns a TT `#response` document the engine's
/// `parse_auth_challenge_response` consumes (payload `{challenge, sessionId,
/// expiresAt}`, addressed back to the holder).
#[tokio::test]
async fn tt_challenge_returns_tt_response_doc() {
    let (router, ctx) = build_test_app().await;
    let sk = SigningKey::from_bytes(&[11u8; 32]);
    let (did, _mb) = did_key(&sk);
    seed_admin_acl(&ctx, &did).await;

    let doc = json!({
        "id": "urn:uuid:challenge-itest-1",
        "type": "https://trusttasks.org/spec/auth/challenge/0.1",
        "issuer": did,
        "recipient": "did:key:z6MkTestVTA",
        "payload": { "subject": did },
    });
    let (status, body) = send(
        &router,
        post("/auth/challenge", serde_json::to_vec(&doc).unwrap()),
    )
    .await;

    assert_eq!(status, StatusCode::OK, "TT challenge must succeed: {body}");
    assert!(
        body["type"]
            .as_str()
            .is_some_and(|t| t.ends_with("/auth/challenge/0.1#response")),
        "response is a TT #response doc: {body}"
    );
    assert_eq!(
        body["recipient"], did,
        "addressed back to the holder: {body}"
    );
    assert!(
        body["payload"]["challenge"]
            .as_str()
            .is_some_and(|c| !c.is_empty()),
        "{body}"
    );
    assert!(
        body["payload"]["sessionId"]
            .as_str()
            .is_some_and(|s| !s.is_empty()),
        "{body}"
    );
    assert!(body["payload"]["expiresAt"].as_str().is_some(), "{body}");
}