Masv status list db #231
Conversation
Pull request overview
This PR implements a Token Status List (TSL) database and service per draft-ietf-oauth-status-list specification, replacing the previous Sparse Merkle Tree registry implementation with a MongoDB-based status list system.
Key Changes:
- Replaces Merkle tree registry with Token Status List implementation supporting JWT/CWT formats
- Adds MongoDB collections for status lists, metadata, and credential subjects
- Implements mTLS support for gRPC communications with certificate fingerprint validation
- Adds admin GUI for searching and updating credential status entries
Reviewed changes
Copilot reviewed 89 out of 227 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| proto/v1-registry.proto | Replaces registry RPCs with TSL operations (add/update status, save credential subjects) |
| proto/v1-issuer.proto | Adds TSL section/index fields to credential replies |
| pkg/tsl/*.go | New package implementing TSL types, JWT/CWT token generation, compression/encoding |
| pkg/grpchelpers/*.go | New helpers for gRPC mTLS server/client configuration with fingerprint validation |
| internal/registry/db/*.go | MongoDB collections for TSL entries, metadata, and credential subjects |
| internal/registry/tslissuer/*.go | Service for TSL token generation with caching and refresh |
| internal/registry/httpserver/*.go | HTTP endpoints for status lists and admin GUI |
| internal/registry/grpcserver/*.go | gRPC endpoints for TSL operations |
| internal/registry/apiv1/*.go | API handlers for TSL operations, search, and status updates |
| } | ||
|
|
||
| // JWTConfig holds JWT-specific configuration for generating a Status List Token. | ||
| // Deprecated: Use StatusList.GenerateJWT with JWTSigningConfig instead. |
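Review bot: tools such as staticcheck (SA1019) and pkg.go.dev only treat a doc comment as a deprecation when `Deprecated:` starts its own paragraph, and here it follows the description line directly; insert an empty `//` line between `// JWTConfig holds JWT-specific configuration for generating a Status List Token.` and `// Deprecated: Use StatusList.GenerateJWT with JWTSigningConfig instead.` so that callers still constructing a JWTConfig actually get the lint warning.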
Copilot
AI
Dec 16, 2025
The deprecation notice says 'Use StatusList.GenerateJWT with JWTSigningConfig instead' but doesn't explain the migration path. Consider adding an example or more detail about how to migrate existing code.
| // Deprecated: Use StatusList.GenerateJWT with JWTSigningConfig instead. | |
| // Deprecated: Use StatusList.GenerateJWT with JWTSigningConfig instead. | |
| // | |
| // Migration example: | |
| // // Old usage: | |
| // cfg := JWTConfig{ | |
| // SigningKey: myKey, | |
| // SigningMethod: jwt.SigningMethodES256, | |
| // // ... other fields ... | |
| // } | |
| // token, err := statusList.GenerateJWT(cfg) | |
| // | |
| // // New usage: | |
| // signingCfg := JWTSigningConfig{ | |
| // SigningKey: cfg.SigningKey, | |
| // SigningMethod: cfg.SigningMethod, | |
| // } | |
| // token, err := statusList.GenerateJWT(signingCfg) |
| for i := int64(0); i < sectionSize; i++ { | ||
| docs = append(docs, &TSLDoc{ | ||
| Index: i, | ||
| Status: uint8(rand.IntN(3)), |
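Review bot: the bound in `Status: uint8(rand.IntN(3))` yields 0, 1 or 2, which happens to match the VALID, INVALID and SUSPENDED status types of draft-ietf-oauth-status-list, but nothing in the loop ties it to the package's own status constants; express it as `tsl.StatusSuspended + 1` or a named constant so a later change to the status set cannot leave these seeded entries silently out of sync with the values the rest of the code understands.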
Copilot
AI
Dec 16, 2025
Magic number 3 for random status generation. Consider using a constant like const MaxStatusValue = 3 or referencing tsl.StatusSuspended + 1 to make the upper bound explicit and maintainable.
| } | ||
|
|
||
| filter := bson.M{"index": decoy.Index, "section": section} | ||
| updateDoc := bson.M{"$set": bson.M{"status": rand.Int64N(3)}} |
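Review bot: `rand.Int64N(3)` writes a 64-bit integer into the same `status` field that the seed loop fills as `uint8`, so documents carry two different BSON numeric types depending on which path last touched them; beyond the cast, pull both call sites into a single `randomStatus() uint8` helper so the upper bound and the field type are defined in exactly one place.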
Copilot
AI
Dec 16, 2025
Type mismatch: using rand.Int64N(3) which returns int64, but status field is uint8. This could cause data corruption. Use rand.IntN(3) and cast to uint8 like line 142.
| updateDoc := bson.M{"$set": bson.M{"status": rand.Int64N(3)}} | |
| updateDoc := bson.M{"$set": bson.M{"status": uint8(rand.IntN(3))}} |
| s = strings.ReplaceAll(s, `"`, """) | ||
| s = strings.ReplaceAll(s, "'", "'") |
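Review bot: as shown here the `strings.ReplaceAll` calls for `"` and `'` read as replacing each character with itself, so either the entity names were lost between the source and this view or the escaper really is a no-op for quotes, and a hand-rolled escaper is exactly where such a slip goes unnoticed; `html.EscapeString` from the standard library escapes `<`, `>`, `&`, `'` and `"` in a single pass and also removes the ordering hazard of `&` having to be replaced before the other characters.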
Copilot
AI
Dec 16, 2025
The escapeHTML function implements custom HTML escaping instead of using html.EscapeString from the standard library. This is error-prone and may miss edge cases. Use the standard library function instead.
| if c.tslIssuer != nil { | ||
| if invalidator, ok := c.tslIssuer.(interface{ InvalidateSection(int64) }); ok { | ||
| invalidator.InvalidateSection(req.Section) | ||
| } | ||
| } |
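Review bot: when `c.tslIssuer` does not satisfy the anonymous `interface{ InvalidateSection(int64) }` this block is a silent no-op, and since the issuer caches generated tokens and refreshes them on an interval, a status update (a revocation) would keep being served from the stale cached section until the next refresh, with nothing in the logs to explain why; either add `InvalidateSection` to the `TSLIssuer` interface so the compiler enforces it, or at minimum log at warning level when the assertion fails.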
Copilot
AI
Dec 16, 2025
The InvalidateSection method is called via type assertion but is not defined in the TSLIssuer interface. Either add this method to the interface or document why the optional behavior is needed.
| Options: &options.IndexOptions{ | ||
| Unique: &[]bool{true}[0], | ||
| }, | ||
| Options: options.Index().SetUnique(true), |
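Review bot: `options.Index().SetUnique(true)` is the driver's builder form and reads better than `&[]bool{true}[0]`, but the part that matters is outside this excerpt: if creating this unique index fails at startup (for example because duplicate documents already exist in the collection), the service should refuse to start rather than run with a collection in which two documents can share the same key.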
Copilot
AI
Dec 16, 2025
Corrected spelling of 'concent' to 'consent' in filename.
Looks reasonable. I think most integrators will use the API to revoke but the GUI is a nice touch.
leifj
left a comment
I think the TSL/CSL thing is pretty risky
docs/adr/08-function-return.md
Outdated
|
|
||
| ## Decision | ||
|
|
||
| We want to return a variable, if applicable named reply |
Suggested new language:
When returning a single variable use the name "reply" unless the context makes this inappropriate.
internal/apigw/apiv1/handlers_tsl.go
Outdated
| "strconv" | ||
|
|
||
| "vc/internal/gen/registry/apiv1_registry" | ||
| "vc/pkg/tsl" |
I am a bit uneasy about the term "tsl" here. I think there is a risk to confuse ourselves with "TSL" as in trust status list (i.e. ETSI TS 119 612 trust status lists). If the intent is to model credential status lists then maybe CSL is the appropriate abbreviation.
I just took the name from https://drafts.oauth.net/draft-ietf-oauth-status-list/draft-ietf-oauth-status-list.html#name-historical-resolution-2. How about renaming tsl -> token status list? Then it will be pretty clear what's intended.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
No description provided.