feat: remove necessity to enable revocation for a credential type

dd577dca · Sietse Ringers · a4fd3be7 · dd577dca · dd577dca · a4fd3be7
Commit dd577dca authored Jan 21, 2020 by Sietse Ringers
6 changed files
--- a/internal/servercore/helpers.go
+++ b/internal/servercore/helpers.go
@@ -154,16 +154,6 @@ func (s *Server) validateIssuanceRequest(request *irma.IssuanceRequest) error {
 			return err
 		}

-		if s.conf.IrmaConfiguration.CredentialTypes[cred.CredentialTypeID].SupportsRevocation() {
-			enabled, err := s.conf.IrmaConfiguration.Revocation.RevocationEnabled(cred.CredentialTypeID)
-			if err != nil {
-				return err
-			}
-			if !enabled {
-				s.conf.Logger.WithFields(logrus.Fields{"cred": cred.CredentialTypeID}).Warn("revocation supported in scheme but not enabled")
-			}
-		}
-
 		// Ensure the credential has an expiry date
 		defaultValidity := irma.Timestamp(time.Now().AddDate(0, 6, 0))
 		if cred.Validity == nil {

--- a/internal/sessiontest/revocation_test.go
+++ b/internal/sessiontest/revocation_test.go
@@ -377,19 +377,11 @@ func startRevocationServer(t *testing.T) {
 	require.NoError(t, g.AutoMigrate((*irma.IssuanceRecord)(nil)).Error)
 	require.NoError(t, g.Close())

+	// Start revocation server
 	if revocationConfiguration == nil {
 		revocationConfiguration = revocationConf(t)
 	}
-	irmaconf := revocationConfiguration.IrmaConfiguration
-
-	// Enable revocation for our credential type
-	sk, err := irmaconf.Revocation.Keys.PrivateKeyLatest(revocationTestCred.IssuerIdentifier())
-	require.NoError(t, err)
-	require.NoError(t, irmaconf.Revocation.EnableRevocation(revocationTestCred, sk))
-
-	// Start revocation server
 	revocationServer, err = irmaserver.New(revocationConfiguration)
-	revocationConfiguration = revocationConfiguration
 	require.NoError(t, err)
 	mux := http.NewServeMux()
 	mux.HandleFunc("/", revocationServer.HandlerFunc())

--- a/irma/cmd/revocation-enable.go
+++ b/irma/cmd/revocation-enable.go
-package cmd
-
-import (
-	irma "github.com/privacybydesign/irmago"
-	"github.com/spf13/cobra"
-)
-
-var revokeEnableCmd = &cobra.Command{
-	Use:   "enable CREDENTIALTYPE URL",
-	Short: "Enable revocation for a credential type",
-	Long: `Enable revocation for a given credential type.
-
-Must be done (and can only be done) by the issuer of the specified credential type, if enable in the
-scheme.`,
-	Args: cobra.ExactArgs(2),
-	Run: func(cmd *cobra.Command, args []string) {
-		flags := cmd.Flags()
-		schemespath, _ := flags.GetString("schemes-path")
-		authmethod, _ := flags.GetString("auth-method")
-		key, _ := flags.GetString("key")
-		name, _ := flags.GetString("name")
-		verbosity, _ := cmd.Flags().GetCount("verbose")
-		url := args[1]
-
-		request := &irma.RevocationRequest{
-			LDContext:      irma.LDContextRevocationRequest,
-			CredentialType: irma.NewCredentialTypeIdentifier(args[0]),
-			Enable:         true,
-		}
-
-		postRevocation(request, url, schemespath, authmethod, key, name, verbosity)
-	},
-}
-
-func init() {
-	flags := revokeEnableCmd.Flags()
-	flags.StringP("schemes-path", "s", irma.DefaultSchemesPath(), "path to irma_configuration")
-	flags.StringP("auth-method", "a", "none", "Authentication method to server (none, token, rsa, hmac)")
-	flags.String("key", "", "Key to sign request with")
-	flags.String("name", "", "Requestor name")
-	flags.CountP("verbose", "v", "verbose (repeatable)")
-
-	revocationCmd.AddCommand(revokeEnableCmd)
-}
--- a/requests.go
+++ b/requests.go
@@ -201,7 +201,6 @@ type RevocationRequest struct {
 	LDContext      string                   `json:"@context,omitempty"`
 	CredentialType CredentialTypeIdentifier `json:"type"`
 	Key            string                   `json:"revocationKey,omitempty"`
-	Enable         bool                     `json:"enable,omitempty"`
 }

 func (r *RevocationRequest) Validate() error {

--- a/revocation.go
+++ b/revocation.go
@@ -138,7 +138,7 @@ const (
 // only way to create such an initial accumulator and it must be called before anyone can use
 // revocation for this credential type. Requires the issuer private key.
 func (rs *RevocationStorage) EnableRevocation(typ CredentialTypeIdentifier, sk *revocation.PrivateKey) error {
-	enabled, err := rs.RevocationEnabled(typ)
+	enabled, err := rs.Exists(typ)
 	if err != nil {
 		return err
 	}
@@ -157,9 +157,8 @@ func (rs *RevocationStorage) EnableRevocation(typ CredentialTypeIdentifier, sk *
 	return nil
 }

-// RevocationEnabled returns whether or not revocation is enabled for the given credential type,
-// by checking if any revocation record exists in the database.
-func (rs *RevocationStorage) RevocationEnabled(typ CredentialTypeIdentifier) (bool, error) {
+// Exists returns whether or not an accumulator exists in the database for the given credential type.
+func (rs *RevocationStorage) Exists(typ CredentialTypeIdentifier) (bool, error) {
 	if rs.sqlMode {
 		return rs.db.Exists((*EventRecord)(nil), nil)
 	} else {

--- a/server/conf.go
+++ b/server/conf.go
@@ -228,16 +228,22 @@ func (conf *Configuration) verifyRevocation() error {
 		}

 		if settings.Mode == irma.RevocationModeServer {
-			enabled, err := conf.IrmaConfiguration.Revocation.RevocationEnabled(credid)
+			sk, err := conf.IrmaConfiguration.Revocation.Keys.PrivateKeyLatest(credid.IssuerIdentifier())
 			if err != nil {
-				return LogError(errors.WrapPrefix(err, "failed to check if revocation is enabled for "+credid.String(), 0))
-			}
-			if !enabled {
-				return LogError(errors.Errorf("revocation not enabled for %s", credid.String()))
+				return LogError(errors.WrapPrefix(err, "failed to load private key of "+credid.IssuerIdentifier().String()+" (required for revocation)", 0))
 			}
-			_, err = conf.IrmaConfiguration.Revocation.Keys.PrivateKeyLatest(credid.IssuerIdentifier())
+			rev := conf.IrmaConfiguration.Revocation
+			exists, err := rev.Exists(credid)
 			if err != nil {
-				return LogError(errors.WrapPrefix(err, "failed to load private key of "+credid.IssuerIdentifier().String()+" (required for revocation)", 0))
+				return LogError(errors.WrapPrefix(err, "failed to check if accumulator exists for "+credid.String(), 0))
+			}
+			conf.Logger.Info("revocation server mode enabled for " + credid.String())
+			if !exists {
+				conf.Logger.Warn("Creating initial accumulator for " + credid.String())
+				conf.Logger.Warn("Being the revocation server for a credential type comes with special responsibilities, a.o. that this server is always reachable online for any IRMA participant, and that the contents of the database to which the initial accumulator was just written is never deleted. Please read more at https://irma.app/docs/revocation/#issuer-responsibilities.")
+				if err = rev.EnableRevocation(credid, sk); err != nil {
+					return LogError(errors.WrapPrefix(err, "failed to create initial accumulator record for "+credid.String(), 0))
+				}
 			}
 		}
 	}