Feat: add traction tenant mode for secure webhook registration (#926)

* feat: implement tenant api fallback for webhook registration

Signed-off-by: Yuki I <omoge.real@gmail.com>

* feat: add traction tenant mode for secure webhook registration

Signed-off-by: Yuki I <omoge.real@gmail.com>

* feat: add traction tenant mode for secure webhook registration

Signed-off-by: Yuki I <omoge.real@gmail.com>

* test: improve coverage for webhook utils and config error handling

Signed-off-by: Yuki I <omoge.real@gmail.com>

* test: fix traction config test failures by setting instance attributes

Signed-off-by: Yuki I <omoge.real@gmail.com>

* feat: unify multi-tenant config and add traction mode support

Signed-off-by: Yuki I <omoge.real@gmail.com>

* feat: unify multi-tenant config and add traction mode support

Signed-off-by: Yuki I <omoge.real@gmail.com>

* refactor: centralize config in .env and clean manage script

Signed-off-by: Yuki I <omoge.real@gmail.com>

* fix: address code review feedback on traction mode

Signed-off-by: Yuki I <omoge.real@gmail.com>

* fix: implement token TTL caching and update deprecation docs

Signed-off-by: Yuki I <omoge.real@gmail.com>

* fix: implement token TTL caching and update deprecation docs

Signed-off-by: Yuki I <omoge.real@gmail.com>

* feat: make token cache TTL configurable via env var

Signed-off-by: Yuki I <omoge.real@gmail.com>

* fix: add validation for token cache TTL

Signed-off-by: Yuki I <omoge.real@gmail.com>

---------

Signed-off-by: Yuki I <omoge.real@gmail.com>

Author: MonolithicMonk

docker/.env.example

@@ -0,0 +1,146 @@
+############################################
+# Global / Logging
+############################################
+COMPOSE_PROJECT_NAME=vc-authn
+LOG_LEVEL=DEBUG
+LOG_WITH_JSON=false
+DEBUGGER=false
+
+############################################
+# Controller Database (Mongo)
+############################################
+MONGODB_HOST=controller-db
+MONGODB_PORT=27017
+MONGODB_NAME=oidccontroller
+OIDC_CONTROLLER_DB_USER=changeme
+OIDC_CONTROLLER_DB_USER_PWD=changeme
+
+
+############################################
+# OIDC Controller Service
+############################################
+CONTROLLER_SERVICE_PORT=5000
+
+# Public URLs
+CONTROLLER_URL=https://your-public-url.example.com
+CONTROLLER_WEB_HOOK_URL=https://your-public-url.example.com/webhooks
+CONTROLLER_API_KEY=
+
+# Controller Behavior
+CONTROLLER_CAMERA_REDIRECT_URL=wallet_howto
+CONTROLLER_PRESENTATION_EXPIRE_TIME=300
+CONTROLLER_PRESENTATION_CLEANUP_TIME=86400
+CONTROLLER_PRESENTATION_RECORD_RETENTION_HOURS=1
+CONTROLLER_CLEANUP_MAX_PRESENTATION_RECORDS=1000
+CONTROLLER_CLEANUP_MAX_CONNECTIONS=2000
+
+# Configuration Files & Paths
+CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE=/etc/controller-config/sessiontimeout.json
+CONTROLLER_VARIABLE_SUBSTITUTION_OVERRIDE=/etc/controller-config/user_variable_substitution.py
+CONTROLLER_TEMPLATE_DIR=/app/controller-config/templates
+
+# Verification Options
+INVITATION_LABEL="VC-AuthN"
+SET_NON_REVOKED=true
+ACAPY_PROOF_FORMAT=anoncreds
+USE_OOB_LOCAL_DID_SERVICE=true
+USE_CONNECTION_BASED_VERIFICATION=true
+USE_URL_DEEP_LINK=false
+WALLET_DEEP_LINK_PREFIX=bcwallet://aries_proof-request
+
+# Scaling & Caching
+CONTROLLER_REPLICAS=3
+USE_REDIS_ADAPTER=false
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_PASSWORD=
+REDIS_DB=0
+
+
+############################################
+# ACA-Py Agent
+############################################
+AGENT_HOST=localhost
+AGENT_NAME="VC-AuthN Agent"
+
+AGENT_HTTP_PORT=8030
+AGENT_ADMIN_PORT=8077
+
+# Traction / ACA-Py admin endpoints
+AGENT_ADMIN_URL=https://traction-admin.example.com
+AGENT_ENDPOINT=https://traction-acapy-endpoint.example.com
+
+AGENT_ADMIN_API_KEY=changeme
+AGENT_GENESIS_URL=https://test.bcovrin.vonx.io/genesis
+AGENT_WALLET_SEED=your-32-char-seed-here-00000000000000
+
+
+########################################################
+# ACA-Py Wallet / Tenant Identity
+#
+# When AGENT_TENANT_MODE=multi:
+#   ACAPY_TENANT_WALLET_ID  = Wallet ID
+#   ACAPY_TENANT_WALLET_KEY = Wallet Key
+#
+# When AGENT_TENANT_MODE=traction:
+#   ACAPY_TENANT_WALLET_ID  = Traction Tenant ID
+#   ACAPY_TENANT_WALLET_KEY = Traction Tenant API Key
+########################################################
+AGENT_TENANT_MODE=traction
+
+ACAPY_TENANT_WALLET_ID=your-tenant-id-here
+ACAPY_TENANT_WALLET_KEY=your-tenant-key-here
+
+# Cache TTL for tenant tokens in seconds (default: 3600)
+ACAPY_TOKEN_CACHE_TTL=3600
+
+# Legacy (ignored when ACAPY_TENANT_* is set)
+MT_ACAPY_WALLET_ID=legacy-wallet-id
+MT_ACAPY_WALLET_KEY=legacy-wallet-key
+
+
+##########################################################
+# ACA-Py Single-Tenant Settings (AGENT_TENANT_MODE=single)
+##########################################################
+ST_ACAPY_ADMIN_API_KEY_NAME=
+ST_ACAPY_ADMIN_API_KEY=
+
+
+##############################
+# Wallet Database (PostgreSQL)
+##############################
+WALLET_TYPE=postgres_storage
+WALLET_ENCRYPTION_KEY=key
+POSTGRESQL_WALLET_HOST=wallet-db
+POSTGRESQL_WALLET_PORT=5432
+POSTGRESQL_WALLET_DATABASE=wallet_db
+POSTGRESQL_WALLET_USER=walletuser
+POSTGRESQL_WALLET_PASSWORD=walletpassword
+
+
+############################################
+# OIDC Client
+############################################
+OIDC_CLIENT_ID=your-client-id
+OIDC_CLIENT_NAME="Your Application Name"
+OIDC_CLIENT_REDIRECT_URI=https://your-redirect-url.example.com
+OIDC_CLIENT_SECRET=your-client-secret
+
+
+############################################
+# Keycloak Database
+############################################
+KEYCLOAK_DB_NAME=keycloak
+KEYCLOAK_DB_USER=keycloak
+KEYCLOAK_DB_PASSWORD=changeme
+
+
+############################################
+# Keycloak Service
+############################################
+KEYCLOAK_DB_VENDOR=postgres
+KEYCLOAK_DB_ADDR=keycloak-db
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=admin
+KEYCLOAK_LOGLEVEL=WARN
+KEYCLOAK_ROOT_LOGLEVEL=WARN

docker/docker-compose.yaml

@@ -49,6 +49,11 @@ services:
       - ACAPY_TENANCY=${AGENT_TENANT_MODE}
       - ACAPY_AGENT_URL=${AGENT_ENDPOINT}
       - ACAPY_ADMIN_URL=${AGENT_ADMIN_URL}
+      # Unified Tenant / Wallet Configuration
+      - ACAPY_TENANT_WALLET_ID=${ACAPY_TENANT_WALLET_ID}
+      - ACAPY_TENANT_WALLET_KEY=${ACAPY_TENANT_WALLET_KEY}
+      - ACAPY_TOKEN_CACHE_TTL=3600
+      # Legacy variables (passed for backward compatibility)
       - MT_ACAPY_WALLET_ID=${MT_ACAPY_WALLET_ID}
       - MT_ACAPY_WALLET_KEY=${MT_ACAPY_WALLET_KEY}
       - ST_ACAPY_ADMIN_API_KEY=${AGENT_ADMIN_API_KEY}

docker/manage

@@ -169,112 +169,25 @@ configureEnvironment() {
     esac
   done
 
-  ## global
-  export COMPOSE_PROJECT_NAME="${COMPOSE_PROJECT_NAME:-vc-authn}"
-  export LOG_LEVEL=${LOG_LEVEL:-"DEBUG"}
-
-  # controller-db
-  export MONGODB_HOST="controller-db"
-  export MONGODB_PORT="27017"
-  export MONGODB_NAME="oidccontroller"
-  export OIDC_CONTROLLER_DB_USER="oidccontrolleruser"
-  export OIDC_CONTROLLER_DB_USER_PWD="oidccontrollerpass"
-
-
-  # controller
-  export CONTROLLER_SERVICE_PORT=${CONTROLLER_SERVICE_PORT:-5000}
-  export CONTROLLER_URL="${CONTROLLER_URL:-http://controller:5000}"
-  export CONTROLLER_WEB_HOOK_URL=${CONTROLLER_WEB_HOOK_URL:-${CONTROLLER_URL}/webhooks}
-  if [ ! -z "${CONTROLLER_API_KEY}" ]; then
-    CONTROLLER_WEB_HOOK_URL="${CONTROLLER_WEB_HOOK_URL}#${CONTROLLER_API_KEY}"
+  # Controller Webhook URL: Append API Key if present
+  if [ ! -z "${CONTROLLER_API_KEY}" ] && [[ "${CONTROLLER_WEB_HOOK_URL}" != *"#"* ]]; then
+    export CONTROLLER_WEB_HOOK_URL="${CONTROLLER_WEB_HOOK_URL}#${CONTROLLER_API_KEY}"
   fi
-  export ST_ACAPY_ADMIN_API_KEY_NAME="x-api-key"
-
-  # The redirect url can be a web link or the name of a template
-  export CONTROLLER_CAMERA_REDIRECT_URL="wallet_howto"
-
-  # The number of time in seconds a proof request will be valid for
-  export CONTROLLER_PRESENTATION_EXPIRE_TIME=10
-
-  # How long auth_sessions with matching the states in
-  # CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE are stored for in seconds
-  export CONTROLLER_PRESENTATION_CLEANUP_TIME=86400
-
-  # Presentation record cleanup configuration
-  # How long to retain presentation records in hours (default: 24 hours)
-  export CONTROLLER_PRESENTATION_RECORD_RETENTION_HOURS=1
-
-  # Resource limits for cleanup operations to prevent excessive processing
-  # Maximum presentation records to process per cleanup cycle (default: 1000)
-  export CONTROLLER_CLEANUP_MAX_PRESENTATION_RECORDS=1000
-  # Maximum connections to process per cleanup cycle (default: 2000)
-  export CONTROLLER_CLEANUP_MAX_CONNECTIONS=2000
-
-  # The path to the auth_session timeouts config file
-  export CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE="/app/controller-config/sessiontimeout.json"
-
-  # Extend Variable Substitutions
-  export CONTROLLER_VARIABLE_SUBSTITUTION_OVERRIDE="/app/controller-config/user_variable_substitution.py"
-
-  # template configuration
-  export CONTROLLER_TEMPLATE_DIR="/app/controller-config/templates"
-
-  #controller app settings
-  export INVITATION_LABEL=${INVITATION_LABEL:-"VC-AuthN"}
-  export SET_NON_REVOKED="True"
-  export ACAPY_PROOF_FORMAT=${ACAPY_PROOF_FORMAT:-indy}
-  export USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE:-"true"}
-  export USE_CONNECTION_BASED_VERIFICATION=${USE_CONNECTION_BASED_VERIFICATION:-"true"}
-  export WALLET_DEEP_LINK_PREFIX=${WALLET_DEEP_LINK_PREFIX:-"bcwallet://aries_proof-request"}
-
-  # Multi-pod configuration
-  export CONTROLLER_REPLICAS=${CONTROLLER_REPLICAS:-3}
-
-  # Redis Configuration (required for multi-pod)
-  export REDIS_HOST=${REDIS_HOST:-"redis"}
-  export REDIS_PORT=${REDIS_PORT:-"6379"}
-  export REDIS_PASSWORD=${REDIS_PASSWORD:-""}
-  export REDIS_DB=${REDIS_DB:-"0"}
-  export USE_REDIS_ADAPTER=${USE_REDIS_ADAPTER:-"true"}
-
-  # agent
-  export AGENT_TENANT_MODE="${AGENT_TENANT_MODE:-single}"
-  export AGENT_HOST=${AGENT_HOST:-aca-py}
-  export AGENT_NAME="VC-AuthN Agent"
-  export AGENT_HTTP_PORT=${AGENT_HTTP_PORT:-8030}
-  export AGENT_ADMIN_PORT=${AGENT_ADMIN_PORT:-"8077"}
-  export AGENT_ADMIN_URL=${AGENT_ADMIN_URL:-http://$AGENT_HOST:$AGENT_ADMIN_PORT}
-  export AGENT_ENDPOINT=${AGENT_ENDPOINT:-http://$AGENT_HOST:$AGENT_HTTP_PORT}
-  export AGENT_ADMIN_API_KEY=${AGENT_ADMIN_API_KEY}
+
+  # Agent Admin Mode: Append API Key if present
   export AGENT_ADMIN_MODE="admin-insecure-mode"
   if [ ! -z "${AGENT_ADMIN_API_KEY}" ]; then
-    AGENT_ADMIN_MODE="admin-api-key ${AGENT_ADMIN_API_KEY}"
+    export AGENT_ADMIN_MODE="admin-api-key ${AGENT_ADMIN_API_KEY}"
+  fi
+
+  # Agent URLs: Construct from Host/Port if not explicitly set
+  if [ -z "${AGENT_ENDPOINT}" ]; then
+    export AGENT_ENDPOINT="http://${AGENT_HOST}:${AGENT_HTTP_PORT}"
+  fi
+
+  if [ -z "${AGENT_ADMIN_URL}" ]; then
+    export AGENT_ADMIN_URL="http://${AGENT_HOST}:${AGENT_ADMIN_PORT}"
   fi
-  export AGENT_WALLET_SEED=${AGENT_WALLET_SEED}
-  export MT_ACAPY_WALLET_ID=${MT_ACAPY_WALLET_ID}
-  export MT_ACAPY_WALLET_KEY=${MT_ACAPY_WALLET_KEY}
-
-  # keycloak-db
-  export KEYCLOAK_DB_NAME="keycloak"
-  export KEYCLOAK_DB_USER="keycloak"
-  export KEYCLOAK_DB_PASSWORD="keycloak"
-
-  # keycloak
-  export KEYCLOAK_DB_VENDOR="postgres"
-  export KEYCLOAK_DB_ADDR="keycloak-db"
-  export KEYCLOAK_USER="admin"
-  export KEYCLOAK_PASSWORD="admin"
-  export KEYCLOAK_LOGLEVEL="WARN"
-  export KEYCLOAK_ROOT_LOGLEVEL="WARN"
-
-  # wallet-db
-  export WALLET_TYPE="postgres_storage"
-  export WALLET_ENCRYPTION_KEY="key"
-  export POSTGRESQL_WALLET_HOST="wallet-db"
-  export POSTGRESQL_WALLET_PORT="5432"
-  export POSTGRESQL_WALLET_DATABASE="wallet_db"
-  export POSTGRESQL_WALLET_USER="walletuser"
-  export POSTGRESQL_WALLET_PASSWORD="walletpassword"
 }
 
 getStartupParams() {