Merge pull request #105 from Concordium/ipinfo-company

Add parameter for /v1/ip_info to include company ID providers

ChangeLog.md

@@ -2,6 +2,10 @@
 
 ## Unreleased changes
 
+## 0.31.0
+
+- Introduce `/v2/ip_info` endpoint which includes Company ID providers. The information is provided to the service using `--ip-data-v2 <FILE>`.
+
 ## 0.30.1
 
 - Reduce the amount of set-cookie headers set in complex queries.

README.md

@@ -20,8 +20,9 @@ The wallet proxy provides the following endpoints:
 * `PUT /v0/testnetGTUDrop/{account address}`: request a CCD drop to the specified account
 * `GET /v0/health`: get a response specifying if the wallet proxy is up to date
 * `GET /v0/global`: get the cryptographic parameters obtained from the node it is connected to
-* `GET /v0/ip_info`: get the identity providers information, including links for
-  submitting initial identity issuance requests.
+* `GET /v0/ip_info`: get the identity providers information with links for submitting initial identity issuance requests.
+* `GET /v1/ip_info`: get the identity providers information with links for submitting identity issuance and recovery requests.
+* `GET /v2/ip_info`: get the identity providers information (including company ID providers) with for submitting identity issuance and recovery requests.
 * `GET /v0/bakerPool/{bakerId}`: get the status of a baker pool given the baker ID.
 * `GET /v0/chainParameters`: get the chain parameters.
 * `GET /v0/nextPayday`: get the next payday.
@@ -1127,6 +1128,7 @@ wallet-proxy --grpc-ip 127.0.0.1\
              --db "host=localhost port=5432 dbname=transaction-outcome user=postgres password=postgres"\
              --ip-data identity-providers-with-metadata.json\
              --ip-data-v1 identity-providers-with-metadata-v1.json\
+             --ip-data-v2 identity-providers-with-metadata-v2.json\
              --drop-account gtu-drop-account-0.json\
              --forced-update-config-v0 forced-update-config-v0.json\
              --forced-update-config-v1 forced-update-config-v1.json\
@@ -1141,6 +1143,7 @@ where
 - `--db "host=localhost port=5432 dbname=transaction-outcome user=postgres password=postgres"` is the transaction outcome database connection string
 - `--ip-data identity-providers-with-metadata.json` JSON file with identity providers, anonymity revokers and metadata needed for the version 0 identity flow
 - `--ip-data-v1 identity-providers-with-metadata.json` JSON file with identity providers and anonymity revokers and metadata needed for the version 1 identity flow
+- `--ip-data-v2 identity-providers-with-metadata.json` JSON file with identity providers (including company ID providers) and anonymity revokers and metadata needed for the version 1 identity flow
 - `--drop-account gtu-drop-account-0.json` keys of the gtu drop account
 - `--forced-update-config-v0 forced-update-config-v0.json` file with app update configuration for the old mobile wallet
 - `--forced-update-config-v1 forced-update-config-v1.json` file with app update configuration for the new mobile wallet
@@ -1259,6 +1262,62 @@ Where
 
 NB: It is OK to have the same identity provider listed multiple times in this file, i.e., the same identity provider could have two verification backends, in which case they would be listed twice in the list, the difference between the two instances being the `issuanceStart` and `icon` fields.
 
+### For the version 2 identity issuance flow
+This must be a valid JSON file which contains an array of JSON objects of the following form
+```json
+{
+  "metadata": {
+    "display": "Alternative display name",
+    "issuanceStart": "https://identity.provider/issuance-start",
+    "recoveryStart": "https://identity.provider/recovery-start",
+    "icon": "base 64 encoded png image",
+    "support": "<support@identity-provider.id>"
+  },
+  "ipInfo": {
+    "ipIdentity": 0,
+    "ipDescription": {
+      "name": "Short name as it appears on the chain.",
+      "url": "http/identity.provider",
+      "description": "Free form description"
+    },
+    "ipVerifyKey": "...",
+    "ipCdiVerifyKey": "74e905294a9377408d87ab4ddc4202731c4f971561eeaf423e82ae9509b8d057"
+  },
+  "arsInfos": {
+    "1": {
+      "arIdentity": 1,
+      "arDescription": {
+        "name": "AR-1",
+        "url": "",
+        "description": ""
+      },
+      "arPublicKey": "93fdc40bb8af4cb75caf8a53928d247be6285784b29578a06df312c28854c1bfac2fd0183967338b578772398d41201886a215138ec53d870e2878bbe731381927e08eaafe97003f6f4831f18e47c9ee8913c5f806064b57341785f0376af"
+    },
+    "2": {
+      "arIdentity": 2,
+      "arDescription": {
+        "name": "AR-2",
+        "url": "",
+        "description": ""
+      },
+      "arPublicKey": "93fdc40bb8af4cb75caf8a53928d247be6285784b29578a06df312c28854c1bfac2fd0183967338b578772398d41201ac7295a21c3c687112f454c1d222d74e0d9cc9249b3c1eef58eb66a8a039c0decf3ea413a656f6f2dbebb497b7a527"
+    }
+  }
+}
+```
+
+Where
+- the `ipInfo` field is the contents of the `identity-provider-*.pub.json` files generated by the genesis tool, minus the outer versioning.
+- the `arsInfos` field has the same format (minus the versioning) as the `anonymity_revokers.json` file generated by the genesis tool.
+- the `metadata` field needs to be constructed manually based on the desired setup and in communication with partners.
+  - the `issuanceStart` link is where the wallet submits the initial identity creation request.
+  - the `issuanceRecovery` link is where the wallet submits the identity recovery request.
+  - the `icon` needs to be a base64 encoded png image that should be obtained from the relevant identity provider.
+  - the `support` field must contain a valid support email of the identity provider.
+  - the `display` field is optional and is the name to display for this identity provider, this is useful for when the same ID provider is listed twice, to allow them to be distinguished.
+
+NB: It is OK to have the same identity provider listed multiple times in this file, i.e., the same identity provider could have two verification backends, in which case they would be listed twice in the list, the difference between the two instances being the `issuanceStart` and `icon` fields.
+
 ## Database setup
 
 The wallet-proxy needs access to the transaction logging database in the form of a PostgreSQL database.

app/Main.hs

@@ -47,6 +47,7 @@ data ProxyConfig = ProxyConfig
       pcHealthTolerance :: Maybe Int,
       pcIpInfo :: FilePath,
       pcIpInfoV1 :: FilePath,
+      pcIpInfoV2 :: FilePath,
       logLevel :: Logging.LogLevel,
       tcVersion :: Maybe String,
       tcUrl :: Maybe String
@@ -69,7 +70,8 @@ parser =
             <*> optional (strOption (long "forced-update-config-v1" <> metavar "FILE" <> help "file with the version configuration for forced app updates for the new mobile wallet."))
             <*> optional (option auto (long "health-tolerance" <> metavar "SECONDS" <> help "the maximum tolerated age of the last final block in seconds before the health query returns false."))
             <*> strOption (long "ip-data" <> metavar "FILE" <> help "File with public and private information on the identity providers, together with metadata.")
-            <*> strOption (long "ip-data-v1" <> metavar "FILE" <> help "File with public and private information on the identity providers for the flow without initial accounts, together with metadata.")
+            <*> strOption (long "ip-data-v1" <> metavar "FILE" <> help "File with public and private information on the identity providers (excluding Company ID providers) for the flow without initial accounts, together with metadata.")
+            <*> strOption (long "ip-data-v2" <> metavar "FILE" <> help "File with public and private information on the identity providers (including Company ID providers) for the flow without initial accounts, together with metadata.")
             <*> option (eitherReader Logging.logLevelFromString) (long "log-level" <> metavar "LOGLEVEL" <> value Logging.LLOff <> showDefault <> help "Log level. Can be one of either 'off', 'error', 'warning', 'info', 'debug' or 'trace'.")
             <*> optional (strOption (long "tc-version" <> metavar "STRING" <> help "Version of terms and conditions in effect."))
             <*> optional (strOption (long "tc-url" <> metavar "URL" <> help "Link to the terms and conditions."))
@@ -168,6 +170,7 @@ main = do
                 Right cfg -> return cfg
     Right ipInfo <- AE.eitherDecode' <$> LBS.readFile pcIpInfo
     Right ipInfoV1 <- AE.eitherDecode' <$> LBS.readFile pcIpInfoV1
+    Right ipInfoV2 <- AE.eitherDecode' <$> LBS.readFile pcIpInfoV2
     runStderrLoggingT . filterL $ do
         $logDebug ("Using iOS V0 update config: " <> fromString (show forcedUpdateConfigIOSV0))
         $logDebug ("Using Android V0 update config: " <> fromString (show forcedUpdateConfigAndroidV0))

src/Proxy.hs

@@ -204,6 +204,7 @@ data Proxy = Proxy
       globalInfo :: Value,
       ipInfo :: Value,
       ipInfoV1 :: Value,
+      ipInfoV2 :: Value,
       logLevel :: Logging.LogLevel,
       -- | The version of terms and conditions currently in effect.
       --  If not set the endpoint termsAndConditionsVersion is disabled.
@@ -259,6 +260,7 @@ mkYesod
 /v0/health HealthR GET
 /v0/ip_info IpsR GET
 /v1/ip_info IpsV1R GET
+/v2/ip_info IpsV2R GET
 /v1/accTransactions/#Text AccountTransactionsV1R GET
 /v0/bakerPool/#Word64 BakerPoolR GET
 /v0/chainParameters ChainParametersR GET
@@ -2314,6 +2316,9 @@ getIpsR = toTypedContent . ipInfo <$> getYesod
 getIpsV1R :: Handler TypedContent
 getIpsV1R = toTypedContent . ipInfoV1 <$> getYesod
 
+getIpsV2R :: Handler TypedContent
+getIpsV2R = toTypedContent . ipInfoV2 <$> getYesod
+
 getTermsAndConditionsVersion :: Handler TypedContent
 getTermsAndConditionsVersion = do
     mtcV <- tcVersion <$> getYesod