Merge pull request #7 from bloock/feature/EIT-3571

Author: edutomesco

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	entgo.io/ent v0.12.4
-	github.com/bloock/bloock-sdk-go/v2 v2.7.2
+	github.com/bloock/bloock-sdk-go/v2 v2.8.0-beta.1
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/gin-contrib/logger v0.2.6
 	github.com/gin-gonic/gin v1.9.1
@@ -17,7 +17,6 @@ require (
 	github.com/rs/zerolog v1.29.1
 	github.com/spf13/viper v1.16.0
 	github.com/stretchr/testify v1.8.4
-
 )
 
 require (

go.sum

@@ -47,8 +47,8 @@ github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tj
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
-github.com/bloock/bloock-sdk-go/v2 v2.7.2 h1:1yNtZ6UFGoUFhDsPdKepZgui/u2qhUztI34Y/B4kJiA=
-github.com/bloock/bloock-sdk-go/v2 v2.7.2/go.mod h1:RrRlRYIeIWjkzibXo+m9uAUMcP5lASHgl04UhjwSLdw=
+github.com/bloock/bloock-sdk-go/v2 v2.8.0-beta.1 h1:Og6cJOuAMwlpOsIkV/Gm7gdeL36u2Hz+Te4TMj6lX6w=
+github.com/bloock/bloock-sdk-go/v2 v2.8.0-beta.1/go.mod h1:RrRlRYIeIWjkzibXo+m9uAUMcP5lASHgl04UhjwSLdw=
 github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
 github.com/bytedance/sonic v1.9.2 h1:GDaNjuWSGu09guE9Oql0MSTNhNCLlWwO8y/xM5BzcbM=
 github.com/bytedance/sonic v1.9.2/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U=

internal/domain/access_control_type.go

@@ -0,0 +1,37 @@
+package domain
+
+import (
+	"errors"
+	"strings"
+)
+
+var (
+	ErrEmptyAccessCode = errors.New("empty access code provided")
+)
+
+type AccessControlType int
+
+const (
+	TotpAccessControl   AccessControlType = iota
+	SecretAccessControl AccessControlType = iota
+)
+
+func (t AccessControlType) String() string {
+	switch t {
+	case TotpAccessControl:
+		return "totp"
+	case SecretAccessControl:
+		return "secret"
+	}
+	return ""
+}
+
+func ParseAccessControlType(value string) (AccessControlType, error) {
+	switch strings.ToLower(value) {
+	case "totp":
+		return TotpAccessControl, nil
+	case "secret":
+		return SecretAccessControl, nil
+	}
+	return 0, errors.New("invalid access control type")
+}

internal/domain/repository/authenticity_repository.go

@@ -9,7 +9,7 @@ import (
 
 type AuthenticityRepository interface {
 	SignWithLocalKey(ctx context.Context, data []byte, localKey key.LocalKey) (string, *record.Record, error)
-	SignWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey) (string, *record.Record, error)
+	SignWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey, accessControl *key.AccessControl) (string, *record.Record, error)
 	SignWithLocalCertificate(ctx context.Context, data []byte, localCertificate key.LocalCertificate) (string, *record.Record, error)
-	SignWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate) (string, *record.Record, error)
+	SignWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate, accessControl *key.AccessControl) (string, *record.Record, error)
 }

internal/domain/repository/encryption_repository.go

@@ -9,6 +9,6 @@ import (
 
 type EncryptionRepository interface {
 	EncryptWithLocalKey(ctx context.Context, data []byte, localKey key.LocalKey) (*record.Record, error)
-	EncryptWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey) (*record.Record, error)
-	EncryptWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate) (*record.Record, error)
+	EncryptWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey, accessControl *key.AccessControl) (*record.Record, error)
+	EncryptWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate, accessControl *key.AccessControl) (*record.Record, error)
 }

internal/platform/repository/authenticity_repository.go

@@ -44,8 +44,8 @@ func (b BloockAuthenticityRepository) SignWithLocalKey(ctx context.Context, data
 	return signatures[0].Signature, &rec, nil
 }
 
-func (b BloockAuthenticityRepository) SignWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey) (string, *record.Record, error) {
-	signer := authenticity.NewSignerWithManagedKey(managedKey, nil)
+func (b BloockAuthenticityRepository) SignWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey, accessControl *key.AccessControl) (string, *record.Record, error) {
+	signer := authenticity.NewSignerWithManagedKey(managedKey, nil, accessControl)
 	rec, err := b.client.RecordClient.FromBytes(data).WithSigner(signer).Build()
 	if err != nil {
 		b.logger.Error().Err(err).Msg("")
@@ -76,8 +76,8 @@ func (b BloockAuthenticityRepository) SignWithLocalCertificate(ctx context.Conte
 	return signatures[0].Signature, &rec, nil
 }
 
-func (b BloockAuthenticityRepository) SignWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate) (string, *record.Record, error) {
-	signer := authenticity.NewSignerWithManagedCertificate(managedCertificate, nil)
+func (b BloockAuthenticityRepository) SignWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate, accessControl *key.AccessControl) (string, *record.Record, error) {
+	signer := authenticity.NewSignerWithManagedCertificate(managedCertificate, nil, accessControl)
 	rec, err := b.client.RecordClient.FromBytes(data).WithSigner(signer).Build()
 	if err != nil {
 		b.logger.Error().Err(err).Msg("")

internal/platform/repository/encryption_repository.go

@@ -39,8 +39,8 @@ func (b BloockEncryptionRepository) EncryptWithLocalKey(ctx context.Context, dat
 	return &rec, nil
 }
 
-func (b BloockEncryptionRepository) EncryptWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey) (*record.Record, error) {
-	encrypter := encryption.NewEncrypterWithManagedKey(managedKey)
+func (b BloockEncryptionRepository) EncryptWithManagedKey(ctx context.Context, data []byte, managedKey key.ManagedKey, accessControl *key.AccessControl) (*record.Record, error) {
+	encrypter := encryption.NewEncrypterWithManagedKey(managedKey, accessControl)
 	rec, err := b.client.RecordClient.FromBytes(data).WithEncrypter(encrypter).Build()
 	if err != nil {
 		b.logger.Error().Err(err).Msg("")
@@ -50,8 +50,8 @@ func (b BloockEncryptionRepository) EncryptWithManagedKey(ctx context.Context, d
 	return &rec, nil
 }
 
-func (b BloockEncryptionRepository) EncryptWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate) (*record.Record, error) {
-	encrypter := encryption.NewEncrypterWithManagedCertificate(managedCertificate)
+func (b BloockEncryptionRepository) EncryptWithManagedCertificate(ctx context.Context, data []byte, managedCertificate key.ManagedCertificate, accessControl *key.AccessControl) (*record.Record, error) {
+	encrypter := encryption.NewEncrypterWithManagedCertificate(managedCertificate, accessControl)
 	rec, err := b.client.RecordClient.FromBytes(data).WithEncrypter(encrypter).Build()
 	if err != nil {
 		b.logger.Error().Err(err).Msg("")

internal/platform/repository/key_repository.go

@@ -2,7 +2,6 @@ package repository
 
 import (
 	"context"
-
 	"github.com/bloock/bloock-managed-api/internal/domain/repository"
 	"github.com/bloock/bloock-managed-api/internal/pkg"
 	"github.com/bloock/bloock-sdk-go/v2/client"

internal/service/process/process_service.go

@@ -3,6 +3,7 @@ package process
 import (
 	"context"
 	"errors"
+	"github.com/bloock/bloock-sdk-go/v2/entity/key"
 	"net/http"
 	"net/url"
 	"path"
@@ -208,8 +209,13 @@ func (s ProcessService) sign(ctx context.Context, file *domain.File, request *re
 			return nil, "", nil, err
 		}
 
+		accessControl, err := s.buildAccessControl(request.AccessControl)
+		if err != nil {
+			return nil, "", nil, err
+		}
+
 		signature, record, err := s.authenticityRepository.
-			SignWithManagedKey(ctx, file.Bytes(), *managedKey)
+			SignWithManagedKey(ctx, file.Bytes(), *managedKey, accessControl)
 		if err != nil {
 			return nil, "", nil, err
 		}
@@ -235,8 +241,13 @@ func (s ProcessService) sign(ctx context.Context, file *domain.File, request *re
 			return nil, "", nil, err
 		}
 
+		accessControl, err := s.buildAccessControl(request.AccessControl)
+		if err != nil {
+			return nil, "", nil, err
+		}
+
 		signature, record, err := s.authenticityRepository.
-			SignWithManagedCertificate(ctx, file.Bytes(), *managedCertificate)
+			SignWithManagedCertificate(ctx, file.Bytes(), *managedCertificate, accessControl)
 		if err != nil {
 			return nil, "", nil, err
 		}
@@ -266,7 +277,12 @@ func (s ProcessService) encrypt(ctx context.Context, file *domain.File, request
 			return nil, nil, err
 		}
 
-		record, err := s.encryptionRepository.EncryptWithManagedKey(ctx, file.Bytes(), *managedKey)
+		accessControl, err := s.buildAccessControl(request.AccessControl)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		record, err := s.encryptionRepository.EncryptWithManagedKey(ctx, file.Bytes(), *managedKey, accessControl)
 		if err != nil {
 			return nil, record, err
 		}
@@ -280,7 +296,12 @@ func (s ProcessService) encrypt(ctx context.Context, file *domain.File, request
 			return nil, nil, err
 		}
 
-		record, err := s.encryptionRepository.EncryptWithManagedCertificate(ctx, file.Bytes(), *managedCertificate)
+		accessControl, err := s.buildAccessControl(request.AccessControl)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		record, err := s.encryptionRepository.EncryptWithManagedCertificate(ctx, file.Bytes(), *managedCertificate, accessControl)
 		if err != nil {
 			return nil, record, err
 		}
@@ -343,3 +364,23 @@ func (n ProcessService) notify(ctx context.Context, certifications []domain.Cert
 
 	return nil
 }
+
+func (n ProcessService) buildAccessControl(request *request.AccessControlRequest) (*key.AccessControl, error) {
+	var accessControl key.AccessControl
+
+	if request != nil {
+		code := request.AccessCode
+		switch request.AccessControlType {
+		case domain.TotpAccessControl:
+			accessControl.AccessControlTotp = key.NewAccessControlTotp(code)
+		case domain.SecretAccessControl:
+			accessControl.AccessControlSecret = key.NewAccessControlSecret(code)
+		default:
+			return nil, errors.New("invalid access control type")
+		}
+	} else {
+		return nil, nil
+	}
+
+	return &accessControl, nil
+}

internal/service/process/request/process_request.go

@@ -33,13 +33,19 @@ type ManagedCertificateRequest struct {
 	Uuid uuid.UUID
 }
 
+type AccessControlRequest struct {
+	AccessControlType domain.AccessControlType
+	AccessCode        string
+}
+
 type AuthenticityRequest struct {
 	Enabled            bool
 	KeySource          domain.KeyType
 	LocalKey           *LocalKeyRequest
 	LocalCertificate   *LocalCertificateRequest
 	ManagedKey         *ManagedKeyRequest
 	ManagedCertificate *ManagedCertificateRequest
+	AccessControl      *AccessControlRequest
 }
 
 type EncryptionRequest struct {
@@ -49,6 +55,7 @@ type EncryptionRequest struct {
 	LocalCertificate   *LocalCertificateRequest
 	ManagedKey         *ManagedKeyRequest
 	ManagedCertificate *ManagedCertificateRequest
+	AccessControl      *AccessControlRequest
 }
 
 type AvailabilityRequest struct {
@@ -125,6 +132,23 @@ func NewProcessRequest(file domain.File, request *request.ProcessFormRequest) (*
 			}
 		}
 
+		if request.Authenticity.AccessEnabled {
+			if request.Authenticity.AccessCode == "" {
+				return nil, domain.ErrEmptyAccessCode
+			}
+			authenticityAccessType, err := domain.ParseAccessControlType(request.Authenticity.AccessType)
+			if err != nil {
+				return nil, err
+			}
+			accessControl := &AccessControlRequest{
+				AccessControlType: authenticityAccessType,
+			}
+			accessControl.AccessCode = request.Authenticity.AccessCode
+			authenticityRequest.AccessControl = accessControl
+		} else {
+			authenticityRequest.AccessControl = nil
+		}
+
 		processRequestInstance.Authenticity = authenticityRequest
 	}
 
@@ -177,6 +201,23 @@ func NewProcessRequest(file domain.File, request *request.ProcessFormRequest) (*
 			}
 		}
 
+		if request.Encryption.AccessEnabled {
+			if request.Encryption.AccessCode == "" {
+				return nil, domain.ErrEmptyAccessCode
+			}
+			encryptionAccessType, err := domain.ParseAccessControlType(request.Encryption.AccessType)
+			if err != nil {
+				return nil, err
+			}
+			accessControl := &AccessControlRequest{
+				AccessControlType: encryptionAccessType,
+			}
+			accessControl.AccessCode = request.Encryption.AccessCode
+			encryptionRequest.AccessControl = accessControl
+		} else {
+			encryptionRequest.AccessControl = nil
+		}
+
 		processRequestInstance.Encryption = encryptionRequest
 	}
 

pkg/request/process_request.go

@@ -9,15 +9,21 @@ type ProcessFormIntegrityRequest struct {
 }
 
 type ProcessFormAuthenticityRequest struct {
-	Enabled   bool   `form:"authenticity.enabled,default=false"`
-	KeySource string `form:"authenticity.keySource"`
-	Key       string `form:"authenticity.key"`
+	Enabled       bool   `form:"authenticity.enabled,default=false"`
+	KeySource     string `form:"authenticity.keySource"`
+	Key           string `form:"authenticity.key"`
+	AccessEnabled bool   `form:"authenticity.accessEnabled,default=false"`
+	AccessType    string `form:"authenticity.accessType"`
+	AccessCode    string `form:"authenticity.accessCode"`
 }
 
 type ProcessFormEncryptionRequest struct {
-	Enabled   bool   `form:"encryption.enabled,default=false"`
-	KeySource string `form:"encryption.keySource"`
-	Key       string `form:"encryption.key"`
+	Enabled       bool   `form:"encryption.enabled,default=false"`
+	KeySource     string `form:"encryption.keySource"`
+	Key           string `form:"encryption.key"`
+	AccessEnabled bool   `form:"encryption.accessEnabled,default=false"`
+	AccessType    string `form:"encryption.accessType"`
+	AccessCode    string `form:"encryption.accessCode"`
 }
 
 type ProcessFormAvailabilityRequest struct {