Merge branch 'master' into fix/2755

* master: (40 commits)
  Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#2889)
  StatusList2021: add e2e test (#2881)
  remove default storage backend (#2885)
  Bump github.com/lestrrat-go/jwx/v2 from 2.0.20 to 2.0.21 (#2887)
  SQL: Rename table vdr_didweb to did (#2882)
  VDR: Replace v2 API panics with errors (#2872)
  Network: don't enable TLS when not configured (#2877)
  Statuslist: Merge issuer and verifier (#2851)
  revert go-version to stable (#2879)
  set column length for did and id (#2878)
  Bump golang from 1.22.0-alpine to 1.22.1-alpine (#2876)
  Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#2875)
  Docker: drop 'v' prefix from versions (#2855)
  Upgrade to go 1.22 (#2862)
  Bump google.golang.org/grpc from 1.62.0 to 1.62.1 (#2874)
  Bump golang.org/x/crypto from 0.20.0 to 0.21.0 (#2859)
  HTTP: correct status code logging for errors (#2848)
  IAM: Handle ErrNotFound for unknown tokens when introspecting (#2847)
  Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#2849)
  allow for empty VPs (#2840)
  ...

.circleci/config.yml

@@ -12,7 +12,7 @@ jobs:
   build:
     parallelism: 8
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.22
     steps:
       - checkout
 
@@ -36,7 +36,7 @@ jobs:
 
   report:
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.22
     steps:
       - checkout
       - attach_workspace:

.github/workflows/build-images.yaml

@@ -47,13 +47,10 @@ jobs:
           tags: |
             # generate 'master' tag for the master branch
             type=ref,event=branch,enable={{is_default_branch}},prefix=
-            # generate v5.2.1 tag
+            # generate 5.2.1 tag
             type=semver,pattern={{version}}
-            # generate v5 tag
-            type=semver,pattern={{major}}
           flavor: |
             latest=${{ steps.version.outputs.git_version == steps.get-latest-tag.outputs.tag }}
-            prefix=v,onlatest=false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/codeql-analysis.yml

@@ -45,6 +45,12 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4
 
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        # use go version from go.mod.
+        go-version-file: 'go.mod'
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/e2e-tests.yaml

@@ -26,7 +26,8 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 'stable'
+          # use go version from go.mod.
+          go-version-file: 'go.mod'
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

Dockerfile

@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.22.0-alpine as builder
+FROM golang:1.22.1-alpine as builder
 
 ARG TARGETARCH
 ARG TARGETOS

audit/audit.go

@@ -51,6 +51,8 @@ const (
 	InvalidOAuthTokenEvent = "InvalidOAuthToken"
 	// VerifiableCredentialRetrievedEvent occurs when a VC is retrieved by the remote wallet.
 	VerifiableCredentialRetrievedEvent = "VerifiableCredentialRetrievedEvent"
+	// VerifiableCredentialRemovedEvent occurs when a VC is removed from a wallet.
+	VerifiableCredentialRemovedEvent = "VerifiableCredentialRemovedEvent"
 )
 
 const auditLogLevel = "audit"

auth/api/iam/api.go

@@ -226,8 +226,12 @@ func (r Wrapper) IntrospectAccessToken(_ context.Context, request IntrospectAcce
 	token := AccessToken{}
 	if err := r.accessTokenServerStore().Get(request.Body.Token, &token); err != nil {
 		// Return 200 + 'Active = false' when token is invalid or malformed
-		log.Logger().Debug("IntrospectAccessToken: failed to get token from store")
-		return IntrospectAccessToken200JSONResponse{}, err
+		if errors.Is(err, storage.ErrNotFound) {
+			log.Logger().Debug("IntrospectAccessToken: token not found (unknown or expired)")
+			return IntrospectAccessToken200JSONResponse{}, nil
+		}
+		log.Logger().WithError(err).Error("IntrospectAccessToken: failed to retrieve token")
+		return nil, err
 	}
 
 	if token.Expiration.Before(time.Now()) {

auth/api/iam/api_test.go

@@ -23,14 +23,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-  "net/http"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"
 
 	"github.com/labstack/echo/v4"
-  	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	ssi "github.com/nuts-foundation/go-did"
@@ -42,11 +42,11 @@ import (
 	"github.com/nuts-foundation/nuts-node/auth/oauth"
 	oauthServices "github.com/nuts-foundation/nuts-node/auth/services/oauth"
 	"github.com/nuts-foundation/nuts-node/core"
-  "github.com/nuts-foundation/nuts-node/crypto"
+	"github.com/nuts-foundation/nuts-node/crypto"
 	"github.com/nuts-foundation/nuts-node/jsonld"
 	"github.com/nuts-foundation/nuts-node/policy"
 	"github.com/nuts-foundation/nuts-node/storage"
-  "github.com/nuts-foundation/nuts-node/test"
+	"github.com/nuts-foundation/nuts-node/test"
 	"github.com/nuts-foundation/nuts-node/vcr"
 	"github.com/nuts-foundation/nuts-node/vcr/holder"
 	"github.com/nuts-foundation/nuts-node/vcr/issuer"
@@ -564,9 +564,16 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 	})
+	t.Run("error - other store error", func(t *testing.T) {
+		// token is invalid JSON
+		require.NoError(t, ctx.client.accessTokenServerStore().Put("err", "{"))
+		res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "err"}})
+		assert.ErrorContains(t, err, "json: cannot unmarshal")
+		assert.Nil(t, res)
+	})
 	t.Run("error - does not exist", func(t *testing.T) {
 		res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "does not exist"}})
-		require.ErrorIs(t, err, storage.ErrNotFound)
+		require.NoError(t, err)
 		assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 	})
 	t.Run("error - expired token", func(t *testing.T) {

auth/api/iam/openid4vp_test.go

@@ -194,10 +194,9 @@ func TestWrapper_handleAuthorizeRequestFromVerifier(t *testing.T) {
 
 		require.NoError(t, err)
 	})
-	t.Run("invalid presentation_definition_uri", func(t *testing.T) {
+	t.Run("fetching client metadata failed", func(t *testing.T) {
 		ctx := newTestClient(t)
 		params := defaultParams()
-		params[presentationDefUriParam] = "://example.com"
 		ctx.iamClient.EXPECT().ClientMetadata(gomock.Any(), "https://example.com/.well-known/authorization-server/iam/verifier").Return(nil, assert.AnError)
 		expectPostError(t, ctx, oauth.ServerError, "failed to get client metadata (verifier)", responseURI, "state")
 

auth/api/iam/validation.go

@@ -33,6 +33,9 @@ import (
 // validatePresentationSigner checks if the presenter of the VP is the same as the subject of the VCs being presented.
 // All returned errors can be used as description in an OAuth2 error.
 func validatePresentationSigner(presentation vc.VerifiablePresentation, expectedCredentialSubjectDID did.DID) (*did.DID, error) {
+	if len(presentation.VerifiableCredential) == 0 {
+		return credential.PresentationSigner(presentation)
+	}
 	subjectDID, err := credential.PresenterIsCredentialSubject(presentation)
 	if err != nil {
 		return nil, err

auth/api/iam/validation_test.go

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2024 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package iam
+
+import (
+	"testing"
+
+	"github.com/nuts-foundation/go-did/did"
+	"github.com/nuts-foundation/go-did/vc"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_validatePresentationSigner(t *testing.T) {
+	signer := did.MustParseDID("did:example:123")
+	vp, _ := vc.ParseVerifiablePresentation(`{"proof":[{"verificationMethod":"did:example:123#first-vm"}]}`)
+	t.Run("ok - empty presentation", func(t *testing.T) {
+		subjectDID, err := validatePresentationSigner(*vp, signer)
+
+		assert.Nil(t, err)
+		assert.NotNil(t, subjectDID)
+	})
+}

auth/auth_test.go

@@ -34,9 +34,9 @@ import (
 func TestAuth_Configure(t *testing.T) {
 	tlsServerConfig := *core.NewServerConfig()
 	tlsServerConfig.URL = "https://nuts.nl"
-	tlsServerConfig.LegacyTLS.TrustStoreFile = "test/certs/ca.pem"
-	tlsServerConfig.LegacyTLS.CertKeyFile = "test/certs/example.com.key"
-	tlsServerConfig.LegacyTLS.CertFile = "test/certs/example.com.pem"
+	tlsServerConfig.TLS.TrustStoreFile = "test/certs/ca.pem"
+	tlsServerConfig.TLS.CertKeyFile = "test/certs/example.com.key"
+	tlsServerConfig.TLS.CertFile = "test/certs/example.com.pem"
 
 	t.Run("ok", func(t *testing.T) {
 		config := DefaultConfig()