Merge pull request #26 from consumer-reports-innovation-lab/091

JohnSzingerCR · web-flow · commit 6fd5d7086afa · 2023-12-20T09:29:42.000-05:00
verify key uses base64 encoding, version to 091
diff --git a/README.md b/README.md
@@ -1,14 +1,14 @@
 # OSIRAA - Open Source Implementers’ Reference Authorized Agent
 
-Version 0.9.0 - Updated September 2023
+Version 0.9.1 - Updated December 2023
 
 ## OSIRAA is a live and available for use at [https://osiraa.datarightsprotocol.org/](https://osiraa.datarightsprotocol.org/).
 
 ## How to Use this App:
 OSIRAA (Open Source Implementers’ Reference Authorized Agent) is a test suite designed to simulate the role of an Authorized Agent in a Data Rights Protocol (DRP) environment.    The application tests for the availability, correctness and completeness of API endpoints of a Privacy Infrastructure Provider (PIP) or Covered Business (CB) partner application.  See <a href="https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md" target="blank">https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md</a> for more info on DRP system roles and API specification.
 
 ## Admin Tool
-A user may model a Privacy Infrastructure Provider (PIP) or Covered Business (CB) in the Admin Tool, along with any number of users.  This is a standard Python app, so you must first create an admin superuser before you can administer data configurations.  For version 0.9, the Discovery Endpoint for a Covered Business has been depricated; it has been replaced by a Service Directory.  The Service Directory holds discoverable information for all DPR impelementers in a common place.  This information is periodically queried and the database automatically updated.
+A user may model a Privacy Infrastructure Provider (PIP) or Covered Business (CB) in the Admin Tool, along with any number of users.  This is a standard Python app, so you must first create an admin superuser before you can administer data configurations.  For version 0.9.1, the Discovery Endpoint for a Covered Business has been depricated; it has been replaced by a Service Directory.  The Service Directory holds discoverable information for all DPR impelementers in a common place.  This information is periodically queried and the database automatically updated.
 
 ## Cert Tests Definitions
 The Data Rights Protocol is centered on a set of API calls between an Authorized Agent (AA) and a Privacy Infrastructure Provider or Covered Business, on behalf of a User exercising his or her data rights.
diff --git a/drp_aa_mvp/data_rights_request/models.py b/drp_aa_mvp/data_rights_request/models.py
@@ -39,7 +39,7 @@
 
 """
 class RequestMetaData():
-    version     = "0.9"
+    version     = "0.9.1"
 """
 
 IN_PROGRESS     = 'in_progress'
diff --git a/drp_aa_mvp/data_rights_request/templates/data_rights_request/data_rights.json b/drp_aa_mvp/data_rights_request/templates/data_rights_request/data_rights.json
@@ -1,5 +1,5 @@
 {
-  "version": "0.8",
+  "version": "0.9.1",
   "api_base": "https://example.com/data-rights",
   "actions": ["sale:opt-out", "sale:opt-in", "access", "deletion"],
   "user_relationships": [ ]
diff --git a/drp_aa_mvp/data_rights_request/templates/drp_aa_mvp/index.html b/drp_aa_mvp/data_rights_request/templates/drp_aa_mvp/index.html
@@ -2,13 +2,13 @@
 <h2>OSIRAA - Open Source Implementer's Reference Authorized Agent</h2>
 <br/>
 
-<h3>Version 0.9.0 - Updated September 2023</h3>
+<h3>Version 0.9.1 - Updated December 2023</h3>
 
 <p><b>How to Use this App:</b><br/>
 OSIRAA (Open Source Implementer's Reference Authorized Agent) is test suite designed to simulate the role of an Authorized Agent in a Digital Rights Protocol (DRP) environment.    The application tests for the availability, correctness and completeness of API endpoints of a Privacy Infrastructure Provider (PIP) or Covered Business (CB) partner application.  See <a href="https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md" target="blank">https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md</a> for more info on DRP system roles and API specification.</p>
 
 <p><b><a href="/admin/">Admin Tool</a></b><br/>
-A user may model a PIP or Covered Business in the Admin Tool, along with any number of users.  This is a standard Python app, so you must first create an admin superuser in the usual way before you can administer data configurations.  For version 0.9, the Discovery Endpoint for a Covered Business has been depricated; it has been replaced by a Service Directory.  The Service Directory holds discoverable information for all DPR impelementers in a common place.  This information is periodically queried and the database automatically updated.
+A user may model a PIP or Covered Business in the Admin Tool, along with any number of users.  This is a standard Python app, so you must first create an admin superuser in the usual way before you can administer data configurations.  For version 0.9.1, the Discovery Endpoint for a Covered Business has been depricated; it has been replaced by a Service Directory.  The Service Directory holds discoverable information for all DPR impelementers in a common place.  This information is periodically queried and the database automatically updated.
 </p>
 
 <p><a href="/reporting/"><b>Cert Tests Definitions</b></a><br/>
diff --git a/drp_aa_mvp/data_rights_request/views.py b/drp_aa_mvp/data_rights_request/views.py
@@ -17,7 +17,7 @@
 from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import render
 from nacl import signing
-from nacl.encoding import HexEncoder
+from nacl.encoding import Base64Encoder
 from nacl.public import PrivateKey
 from reporting.views import (test_agent_information_endpoint, test_exercise_endpoint, #test_discovery_endpoint, 
                              test_status_endpoint, test_revoked_endpoint, test_pairwise_key_setup_endpoint)
@@ -95,7 +95,7 @@
 """
 
 # todo: these keys actually should be generated offline before we start using the app
-# and get them from the v0.9 service directory which will be a part of this dhango app, along with OSIRPIP
+# and get them from the v0.9.1 service directory which will be a part of this dhango app, along with OSIRPIP
 # for now we'll generate the keys one-time only
 def load_pynacl_keys() -> Tuple[signing.SigningKey, signing.VerifyKey]:
     path = os.environ.get("OSIRAA_KEY_FILE", "./keys.json")
@@ -105,23 +105,23 @@ def load_pynacl_keys() -> Tuple[signing.SigningKey, signing.VerifyKey]:
            signing_key = signing.SigningKey.generate()
            verify_key = signing_key.verify_key
            json.dump({
-               "signing_key": signing_key.encode(encoder=HexEncoder).decode(),
-               "verify_key": verify_key.encode(encoder=HexEncoder).decode()
+               "signing_key": signing_key.encode(encoder=Base64Encoder).decode(),
+               "verify_key": verify_key.encode(encoder=Base64Encoder).decode()
            }, f)
 
     with open(path, "r") as f:
         jason = json.load(f)
-        return (signing.SigningKey(jason["signing_key"], encoder=HexEncoder),
-                signing.VerifyKey(jason["verify_key"], encoder=HexEncoder))
+        return (signing.SigningKey(jason["signing_key"], encoder=Base64Encoder),
+                signing.VerifyKey(jason["verify_key"], encoder=Base64Encoder))
 
 
 signing_key, verify_key = load_pynacl_keys()
 
 
 # the public key and signing key as b64 strings
-signing_key_hex = signing_key.encode(encoder=HexEncoder)  # remains secret, never shared, but remains with AA model
-verify_key_hex = verify_key.encode(encoder=HexEncoder)    # we're going to store hex encoded verify key in the service directory
-logger.debug(f"verify_key is {verify_key_hex}")
+signing_key_b64 = signing_key.encode(encoder=Base64Encoder)  # remains secret, never shared, but remains with AA model
+verify_key_b64 = verify_key.encode(encoder=Base64Encoder)    # we're going to store base64 encoded verify key in the service directory
+logger.debug(f"verify_key is {verify_key_b64}")
 
 selected_covered_biz: Optional[CoveredBusiness] = None
 
@@ -205,7 +205,7 @@ def select_covered_business(request):
     return render(request, 'data_rights_request/index.html', context)
 
 
-# depricated for 0.9, replace with a call to the service directory
+# depricated for 0.9.1, replace with a call to the service directory
 """
 def send_request_discover_data_rights(request):
     covered_biz_id  = request.POST.get('sel_covered_biz_id')
@@ -577,9 +577,9 @@ def get_request_actions_form_display (covered_biz):
 
 def sign_request(signing_key, request_obj):
     signed_obj = signing_key.sign(json.dumps(request_obj).encode())
-    bencoded = base64.b64encode(signed_obj)
+    b64encoded = base64.b64encode(signed_obj)
 
-    return bencoded
+    return b64encoded
 
 
 def create_setup_pairwise_key_request_json(covered_biz_id):
@@ -664,7 +664,7 @@ def create_exercise_request_json(user_identity, covered_biz, request_action, cov
         "issued-at":    str(issued_time),
 
         # 2
-        "drp.version": "0.9",
+        "drp.version": "0.9.1",
         "exercise": request_action,
         "regime": covered_regime,
         "relationships": [],
diff --git a/drp_aa_mvp/drp_pip/migrations/0001_initial.py b/drp_aa_mvp/drp_pip/migrations/0001_initial.py
@@ -21,7 +21,7 @@ class Migration(migrations.Migration):
                 ('logo', models.ImageField(blank=True, upload_to='company-logos', verbose_name='Logo Image')),
                 ('logo_thumbnail', models.ImageField(blank=True, upload_to='company-logos/thumbnails')),
                 ('subtitle_description', models.TextField(blank=True)),
-                ('verify_key', models.TextField(verbose_name='Hex encoded key to verify signed requests')),
+                ('verify_key', models.TextField(verbose_name='Base64 encoded key to verify signed requests')),
             ],
         ),
     ]
diff --git a/drp_aa_mvp/drp_pip/models.py b/drp_aa_mvp/drp_pip/models.py
@@ -24,7 +24,7 @@ class AuthorizedAgent(models.Model):
     logo_thumbnail        = models.ImageField(upload_to='company-logos/thumbnails', blank=True)
     subtitle_description  = models.TextField(blank=True)
 
-    verify_key            = models.TextField('Hex encoded key to verify signed requests')
+    verify_key            = models.TextField('Base64 encoded key to verify signed requests')
     bearer_token          = models.TextField('pair-wise token between AA and CB', blank=True)
 
     def __str__(self):
diff --git a/drp_aa_mvp/drp_pip/views.py b/drp_aa_mvp/drp_pip/views.py
@@ -10,7 +10,7 @@
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_http_methods
 from django.http import JsonResponse, HttpResponse, HttpRequest
-from nacl.encoding import HexEncoder
+from nacl.encoding import Base64Encoder
 from nacl.signing import VerifyKey
 from nacl.utils import random
 import nacl.exceptions
@@ -29,16 +29,6 @@
 
 OSIRAA_PIP_CB_ID  = os.environ.get("OSIRAA_PIP_CB_ID", "osiraa-local-001")
 
-# todo: @RRIX - this has been depricated for 0.9 and can be removed, correct?
-"""
-@csrf_exempt
-def static_discovery(request):
-    return JsonResponse({
-        "version": "0.8",
-        "actions": ["sale:opt-out", "sale:opt-in", "access", "deletion"],
-        "api_base": f"{request.scheme}://{request.get_host()}/pip/",
-    })
-"""
 
 """
 Privacy Infrastructure Providers MUST validate the message in this order:
@@ -76,7 +66,7 @@ def register_agent(request, aa_id: str):
         return HttpResponse(status=403)
 
     # make a token and persist it...
-    agent.bearer_token = HexEncoder.encode(random(size=64)).decode()
+    agent.bearer_token = Base64Encoder.encode(random(size=64)).decode()
     try:
         agent.save()
         return  JsonResponse({
@@ -207,10 +197,10 @@ def validate_message_to_agent(agent: AuthorizedAgent, request: HttpRequest) -> d
     now = arrow.get()
 
     aa_id = agent.aa_id
-    verify_key_hex = agent.verify_key
-    verify_key = VerifyKey(verify_key_hex, encoder=HexEncoder)
+    verify_key_b64 = agent.verify_key
+    verify_key = VerifyKey(verify_key_b64, encoder=Base64Encoder)
 
-    logger.debug(f"vk is {verify_key_hex}")
+    logger.debug(f"vk is {verify_key_b64}")
     logger.debug(f"agent is {aa_id}")
 
     decoded = base64.b64decode(request.body)
diff --git a/drp_aa_mvp/reporting/templates/reporting/index.html b/drp_aa_mvp/reporting/templates/reporting/index.html
@@ -4,19 +4,19 @@ <h2>OSIRAA - Open Source Implementer's Reference Authorized Agent</h2>
 
 <h3>DRP Cert Test Suite</h3>
 
-<p>Version 0.9.0 - Updated Septmeber 2023</p>
+<p>Version 0.9.1 - Updated December 2023</p>
 
 <p>See also <a href="https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md" target="blank">https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/data-rights-protocol.md</a></p>
 
 <br/>
 
-<!---“Data Rights Discovery” endpoint is depricated in 0.9 -->
+<!-- “Data Rights Discovery” endpoint is depricated in 0.9.1 -->
 <!--
 <p><b>1. &nbsp;	GET /.well-known/data-rights.json (“Data Rights Discovery” endpoint)</b></p>
 <ul>
     <li>Covered Business's domain SHOULD have a /.well-known/data-rights.json</li>
     <li>Discovery Endpoint MUST be valid JSON</li>
-    <li>Discovery Endpoint MUST contain a version field (currently 0.8)</li>
+    <li>Discovery Endpoint MUST contain a version field (currently 0.9.1)</li>
     <li>Discovery Endpoint MUST provide a field “api_base”
         <ul>
             <li>“api_base” url MUST be a well-formed url</li>
@@ -46,7 +46,7 @@ <h3>DRP Cert Test Suite</h3>
             <br/>
 
             <span>The second grouping contains data about the Data Rights Request</span>
-            <li>“drp.version” - a string referencing the current protocol version "0.9"</li>
+            <li>“drp.version” - a string referencing the current protocol version "0.9.1"</li>
             <li>“exercise” - string specifying the Rights Action: [ access | deletion | sale:opt_out | sale:opt_in | access:categories | access:specific ]</li>
             <li>“regime” (optional) - a string specifying the legal regime under which the Data Request is being taken: [ ccpa | voluntary ]</li>
             <li>“relationships” (optional) - a list of string 'hints' for the Covered Business</li>
diff --git a/drp_aa_mvp/reporting/views.py b/drp_aa_mvp/reporting/views.py
@@ -14,7 +14,7 @@ def index(request):
 
 
 #---------------------------------------------------------------------------------------------------------------------#
-# test_discovery_endpoint - depricated for 0.9
+# test_discovery_endpoint - depricated for 0.9.1
 
 """
 def test_discovery_endpoint(request_url, responses):
@@ -24,7 +24,7 @@ def test_discovery_endpoint(request_url, responses):
     1.  GET /.well-known/data-rights.json ("Data Rights Discovery" endpoint)
         - Covered Business's domain SHOULD have a /.well-known/data-rights.json
         - Discovery Endpoint MUST be valid JSON
-        - Discovery Endpoint MUST contain a version field (currently 0.8)
+        - Discovery Endpoint MUST contain a version field (currently 0.9.1)
         - Discovery Endpoint MUST provide a field “api_base”
           - “api_base” url MUST be a well-formed url
           - “api_base” url MUST be valid for subsequent calls
@@ -62,7 +62,7 @@ def test_discovery_endpoint(request_url, responses):
     is_valid_json = test_is_valid_json(response)
     test_results.append({'name': 'Is valid json', 'result': is_valid_json})
 
-    # test Discovery Endpoint MUST contain a version field (currently 0.8)
+    # test Discovery Endpoint MUST contain a version field (currently 0.9.1)
     contains_version_field = test_contains_version_field(response)
     test_results.append({'name': 'Contains version field', 'result': contains_version_field})
 
@@ -117,7 +117,7 @@ def test_contains_version_field(response):
         response_json = json.loads(response.text)
     except ValueError as e:
         return False 
-    return 'version' in response_json and response_json['version'] == '0.8'  
+    return 'version' in response_json and response_json['version'] == '0.9.1'  
 
 def test_contains_api_base(response):
     try:
@@ -192,7 +192,7 @@ def test_exercise_endpoint(request_json, response):
         - “business-id” - a string identifying the Covered Business which the request is being sent to
         - “expires-at” - an ISO 8601-encoded timestamp expressing when the request should no longer be considered viable
         - “issued-at” - an ISO 8601-encoded timestamp expressing when the request was created.
-        - “drp.version” - a string referencing the current protocol version "0.9"
+        - “drp.version” - a string referencing the current protocol version "0.9.1"
         - “exercise” - string specifying the Rights Action: [ access | deletion | sale:opt_out | sale:opt_in | access:categories | access:specific ]
         - “regime” (optional) - a string specifying the legal regime under which the Data Request is being taken: [ ccpa | voluntary ]
         - “relationships” (optional) - a list of string 'hints' for the Covered Business

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "0.8",`
	`2`	`+ "version": "0.9.1",`
`3`	`3`	`"api_base": "https://example.com/data-rights",`
`4`	`4`	`"actions": ["sale:opt-out", "sale:opt-in", "access", "deletion"],`
`5`	`5`	`"user_relationships": [ ]`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ class Migration(migrations.Migration):`
`21`	`21`	`('logo', models.ImageField(blank=True, upload_to='company-logos', verbose_name='Logo Image')),`
`22`	`22`	`('logo_thumbnail', models.ImageField(blank=True, upload_to='company-logos/thumbnails')),`
`23`	`23`	`('subtitle_description', models.TextField(blank=True)),`
`24`		`- ('verify_key', models.TextField(verbose_name='Hex encoded key to verify signed requests')),`
	`24`	`+ ('verify_key', models.TextField(verbose_name='Base64 encoded key to verify signed requests')),`
`25`	`25`	`],`
`26`	`26`	`),`
`27`	`27`	`]`