config

package
Published: Jun 22, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Constants

const (
	// StatusPurposeRevocation indicates that the bit in the referenced status list
	// communicates whether the credential has been revoked.
	StatusPurposeRevocation = "revocation"
	// StatusPurposeSuspension indicates that the bit in the referenced status list
	// communicates whether the credential is currently suspended.
	StatusPurposeSuspension = "suspension"
)

Status purposes recognised by the W3C Bitstring Status List / StatusList2021 specifications. Additional purposes may be added later without breaking the zero-value default of an empty `AcceptedPurposes` list.

const (
	// DefaultStatusCacheExpirySeconds is the default TTL, in seconds, for
	// entries in the status-list credential cache.
	DefaultStatusCacheExpirySeconds = 300
	// DefaultStatusHttpTimeoutSeconds is the default timeout, in seconds, for
	// HTTP requests that fetch a status-list credential.
	DefaultStatusHttpTimeoutSeconds = 10
)

Defaults for the shared status-list client transport settings. They only parametrise the HTTP client and cache that fetch status-list credentials — they do NOT gate the feature. The feature itself is gated per credential type via `CredentialStatus.Enabled`.

const DEFAULT_LIST_TYPE = "ebsi"

const (
	// DefaultRefreshTokenExpirationMinutes is the default lifetime for refresh
	// tokens, expressed in minutes. 2880 minutes equals 48 hours.
	DefaultRefreshTokenExpirationMinutes = 2880
)

const EnvPrefix = "VCVERIFIER"

EnvPrefix is the prefix used for environment variable names that override configuration values. For example, VCVERIFIER_DATABASE_PASSWORD overrides the database.password config field.

const SERVICES_PATH = "service"

Variables

var ErrorCcsEmptyResponse = errors.New("empty_response_from_ccs")
var ErrorCcsErrorResponse = errors.New("error_response_from_ccs")
var ErrorCcsNoResponse = errors.New("no_response_from_ccs")
var ErrorNoSuchScope = errors.New("requested_scope_does_not_exist")

Functions

func ApplyEnvOverrides

func ApplyEnvOverrides(cfg *Configuration) error

ApplyEnvOverrides walks the Configuration struct and overrides field values with matching environment variables. Variable names are derived from the mapstructure tag path, converted to UPPER_SNAKE_CASE with the EnvPrefix.

Examples:

database.password  → VCVERIFIER_DATABASE_PASSWORD
server.port        → VCVERIFIER_SERVER_PORT
server.readTimeout → VCVERIFIER_SERVER_READ_TIMEOUT
m2m.authEnabled    → VCVERIFIER_M2M_AUTH_ENABLED

Only scalar fields (string, int, int64, bool) are overridden. Slices, maps, and other complex types must be configured via the YAML file.

func CamelToUpperSnake

func CamelToUpperSnake(s string) string

CamelToUpperSnake converts a camelCase string to UPPER_SNAKE_CASE. Consecutive uppercase letters are kept together except before a lowercase transition (e.g. "sslMode" → "SSL_MODE", "readTimeout" → "READ_TIMEOUT").
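The naming derivation that ApplyEnvOverrides and CamelToUpperSnake describe, as an added example that is not the package's own code: it reimplements the casing rule and the mapstructure tag-path walk under the assumed names camelToUpperSnake, envName and applyEnvOverrides, over a trimmed stand-in config struct, with the environment lookup injected so the walk can run offline.

```go
package main

import (
	"fmt"
	"os"
	"reflect"
	"strconv"
	"strings"
	"unicode"
)

const envPrefix = "VCVERIFIER" // mirrors the package's EnvPrefix
// camelToUpperSnake: an uppercase run stays together unless a lowercase
// letter follows it ("sslMode" -> "SSL_MODE", "readTimeout" -> "READ_TIMEOUT").
func camelToUpperSnake(s string) string {
	runes := []rune(s)
	var b strings.Builder
	for i, r := range runes {
		if i > 0 && unicode.IsUpper(r) && (!unicode.IsUpper(runes[i-1]) || (i+1 < len(runes) && unicode.IsLower(runes[i+1]))) {
			b.WriteByte('_')
		}
		b.WriteRune(unicode.ToUpper(r))
	}
	return b.String()
}

// envName maps a dotted tag path: "database.password" -> "VCVERIFIER_DATABASE_PASSWORD".
func envName(path string) string {
	parts := strings.Split(path, ".")
	for i, p := range parts {
		parts[i] = camelToUpperSnake(p)
	}
	return envPrefix + "_" + strings.Join(parts, "_")
}

// applyEnvOverrides walks cfg (a pointer to a struct), overriding string/int/int64/bool
// fields whose derived variable lookup reports as set; slices, maps and pointers are skipped.
func applyEnvOverrides(cfg interface{}, lookup func(string) (string, bool)) ([]string, error) {
	var applied []string
	err := walk(reflect.ValueOf(cfg).Elem(), "", lookup, &applied)
	return applied, err
}

func walk(v reflect.Value, prefix string, lookup func(string) (string, bool), applied *[]string) error {
	for i := 0; i < v.NumField(); i++ {
		sf := v.Type().Field(i)
		tag := strings.Split(sf.Tag.Get("mapstructure"), ",")[0]
		if !sf.IsExported() || tag == "" || tag == "-" {
			continue
		}
		path := strings.TrimPrefix(prefix+"."+tag, ".")
		f := v.Field(i)
		if f.Kind() == reflect.Struct {
			if err := walk(f, path, lookup, applied); err != nil {
				return err
			}
			continue
		}
		name := envName(path)
		raw, ok := lookup(name)
		if !ok {
			continue
		}
		var err error // a malformed value is an error, never a silent zero
		switch f.Kind() {
		case reflect.String:
			f.SetString(raw)
		case reflect.Int, reflect.Int64:
			var n int64
			n, err = strconv.ParseInt(raw, 10, 64)
			f.SetInt(n)
		case reflect.Bool:
			var b bool
			b, err = strconv.ParseBool(raw)
			f.SetBool(b)
		default:
			continue // slice, map, pointer: YAML only
		}
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		*applied = append(*applied, name)
	}
	return nil
}

type sampleConfig struct { // trimmed stand-in for the package's Configuration tree
	Server struct {
		Port int `mapstructure:"port"`
	} `mapstructure:"server"`
	M2M struct {
		AuthEnabled bool     `mapstructure:"authEnabled"`
		Keys        []string `mapstructure:"keys"` // slice: YAML only
	} `mapstructure:"m2m"`
}

func main() {
	fmt.Println(applyEnvOverrides(new(sampleConfig), os.LookupEnv)) // real use: process environment
}
```

A value that does not parse for the field type is reported as an error for that variable instead of being silently zeroed, which matters for timeouts and authEnabled-style flags.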

func DefaultAcceptedStatusPurposes

func DefaultAcceptedStatusPurposes() []string

DefaultAcceptedStatusPurposes returns the fallback list of status purposes applied when a credential enables status checking but does not explicitly declare the purposes it enforces. The slice is intentionally allocated fresh on every call so callers may mutate the result without affecting others.

func TrustedIssuersListsDecodeHook

func TrustedIssuersListsDecodeHook() mapstructure.DecodeHookFuncType

TrustedIssuersListsDecodeHook returns a mapstructure DecodeHookFuncType that converts a legacy plain-string slice (from YAML) into a TrustedIssuersLists value. Each bare URL string becomes a TrustedIssuersList entry with the default type ("ebsi"). Structured entries (maps) are decoded inline. This mirrors the JSON backward-compatibility provided by UnmarshalJSON but for the YAML/mapstructure code path.

Types

type ClaimInclusion

type ClaimInclusion struct {
	// Key of the claim to be included. All objects under this key will be included unchanged.
	OriginalKey string `json:"originalKey" mapstructure:"originalKey"`
	// Key of the claim to be used in the jwt. If not provided, the original one will be used.
	NewKey string `json:"newKey" mapstructure:"newKey"`
}

type ClaimsQuery

type ClaimsQuery struct {
	// REQUIRED if claim_sets is present in the Credential Query; OPTIONAL otherwise. A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once.
	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
	// The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Credential. See https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-claims-path-pointer
	Path []interface{} `json:"path,omitempty" mapstructure:"path,omitempty"`
	// A non-empty array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match exactly for at least one of the elements in the array.
	Values []interface{} `json:"values,omitempty" mapstructure:"values,omitempty"`
	// MDoc specific parameter, ignored for all other types. The flag can be set to inform that the reader wishes to keep (store) the data. In case of false, the data is only used to be displayed and verified.
	IntentToRetain bool `json:"intent_to_retain,omitempty" mapstructure:"intent_to_retain,omitempty"`
	// MDoc specific parameter, ignored for all other types. Refers to a namespace inside an mdoc.
	Namespace string `json:"namespace,omitempty" mapstructure:"namespace,omitempty"`
	// MDoc specific parameter, ignored for all other types. Identifier for the data-element in the namespace.
	ClaimName string `json:"claim_name,omitempty" mapstructure:"claim_name,omitempty"`
}

ClaimsQuery is a query that specifies claims in the requested Credential.

type ClientIdentification

type ClientIdentification struct {
	// path to the DID signing key (in PEM format) for request object mode
	KeyPath string `mapstructure:"keyPath"`
	// algorithm used for the request signing key
	KeyAlgorithm string `mapstructure:"requestKeyAlgorithm"`
	// identification used by the verifier when requesting authorization. Can be a DID, but also other methods such as x509_san_dns
	Id string `mapstructure:"id"`
	// optional path to the certificate to embed in the JWT header
	CertificatePath string `mapstructure:"certificatePath"`
	// Kid used when the key certificate does not include one. If both are missing, Id is used
	Kid string `mapstructure:"kid"`
}

type ConfigClient

type ConfigClient interface {
	GetServices() (services []ConfiguredService, err error)
}

func NewCCSHttpClient

func NewCCSHttpClient(configEndpoint string) (client ConfigClient, err error)

type ConfigRepo

type ConfigRepo struct {
	// url of the configuration service to be used
	ConfigEndpoint string `mapstructure:"configEndpoint"`
	// statically configured services with their trust anchors and scopes.
	Services       []ConfiguredService `mapstructure:"services"`
	UpdateInterval int64               `mapstructure:"updateInterval" default:"30"`
}

type ConfigServer

type ConfigServer struct {
	// Whether the config server is enabled
	Enabled bool `mapstructure:"enabled" default:"false"`
	// Port to bind the config server
	Port int `mapstructure:"port" default:"8090"`
	// ReadTimeout is the maximum duration for reading the entire request (seconds)
	ReadTimeout int `mapstructure:"readTimeout" default:"5"`
	// WriteTimeout is the maximum duration before timing out writes of the response (seconds)
	WriteTimeout int `mapstructure:"writeTimeout" default:"10"`
	// IdleTimeout is the maximum amount of time to wait for the next request (seconds)
	IdleTimeout int `mapstructure:"idleTimeout" default:"120"`
	// ShutdownTimeout is the time allowed for active requests to finish during shutdown (seconds)
	ShutdownTimeout int `mapstructure:"shutdownTimeout" default:"5"`
}

ConfigServer holds the configuration for the second HTTP server that serves the Credentials Config Service (CCS) REST API.

type Configuration

type Configuration struct {
	Server       Server                `mapstructure:"server"`
	Verifier     Verifier              `mapstructure:"verifier"`
	Logging      logging.LoggingConfig `mapstructure:"logging"`
	ConfigRepo   ConfigRepo            `mapstructure:"configRepo"`
	M2M          M2M                   `mapstructure:"m2m"`
	Elsi         Elsi                  `mapstructure:"elsi"`
	Database     Database              `mapstructure:"database"`
	ConfigServer ConfigServer          `mapstructure:"configServer"`
}

Configuration is the general structure of the configuration file.

func ReadConfig

func ReadConfig(configFile string) (configuration Configuration, err error)

ReadConfig reads the configuration from the given config file.

type ConfiguredService

type ConfiguredService struct {
	// Default OIDC scope to be used if none is specified
	DefaultOidcScope  string                `json:"defaultOidcScope" mapstructure:"defaultOidcScope"`
	ServiceScopes     map[string]ScopeEntry `json:"oidcScopes,omitempty" mapstructure:"oidcScopes"`
	Id                string                `json:"id" mapstructure:"id"`
	AuthorizationType string                `json:"authorizationType,omitempty" mapstructure:"authorizationType,omitempty"`
	AuthorizationPath string                `json:"authorizationPath,omitempty" mapstructure:"authorizationPath,omitempty"`
	// AllowedOrigins specifies the list of origins permitted for CORS requests
	// to this service. When empty or nil, no service-specific restriction is
	// applied and the verifier falls back to the global default (wildcard).
	// Set to ["*"] to explicitly allow all origins for this service.
	AllowedOrigins []string `json:"allowedOrigins,omitempty" mapstructure:"allowedOrigins,omitempty"`
}

func (ConfiguredService) GetCredential

func (cs ConfiguredService) GetCredential(scope, credentialType string) (Credential, bool)

func (ConfiguredService) GetCredentials

func (cs ConfiguredService) GetCredentials(scope string) (credentials []Credential, err error)

func (ConfiguredService) GetDcqlQuery

func (cs ConfiguredService) GetDcqlQuery(scope string) (dcql *DCQL, err error)

func (ConfiguredService) GetPresentationDefinition

func (cs ConfiguredService) GetPresentationDefinition(scope string) (pd *PresentationDefinition, err error)

func (ConfiguredService) GetRequiredCredentialTypes

func (cs ConfiguredService) GetRequiredCredentialTypes(scope string) (types []string, err error)

func (ConfiguredService) GetScope

func (cs ConfiguredService) GetScope(scope string) (scopeEntry ScopeEntry, err error)

type Constraints

type Constraints struct {
	// array of objects to describe the information to be included
	Fields []Fields `json:"fields" mapstructure:"fields"`
}

type Credential

type Credential struct {
	// Type of the credential
	Type string `json:"type" mapstructure:"type"`
	// A list of (EBSI Trusted Issuers Registry compatible) endpoints to retrieve the trusted participants from.
	TrustedParticipantsLists TrustedParticipantsLists `json:"trustedParticipantsLists,omitempty" mapstructure:"trustedParticipantsLists,omitempty"`
	// A list of (EBSI Trusted Issuers Registry compatible) endpoints to retrieve the trusted issuers from. The attributes need to be formatted to comply with the verifier's requirements.
	TrustedIssuersLists TrustedIssuersLists `json:"trustedIssuersLists,omitempty" mapstructure:"trustedIssuersLists,omitempty"`
	// Configuration of Holder Verification
	HolderVerification HolderVerification `json:"holderVerification" mapstructure:"holderVerification"`
	// Does the given credential require a compliancy credential
	RequireCompliance bool `json:"requireCompliance" mapstructure:"requireCompliance"`
	// Configuration for the credential's inclusion into the JWT.
	JwtInclusion JwtInclusion `json:"jwtInclusion" mapstructure:"jwtInclusion"`
	// Per-credential configuration for the W3C Bitstring Status List /
	// StatusList2021 revocation-list check. When omitted or disabled no
	// revocation check is performed for credentials of this type, preserving
	// prior behaviour for configurations that do not opt in.
	CredentialStatus CredentialStatus `json:"credentialStatus" mapstructure:"credentialStatus"`
}

type CredentialQuery

type CredentialQuery struct {
	// A string identifying the Credential in the response and, if provided, the constraints in credential_sets. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the Authorization Request, the same id MUST NOT be present more than once.
	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
	// A string that specifies the format of the requested Credential.
	Format string `json:"format,omitempty" mapstructure:"format,omitempty"`
	// A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is false.
	Multiple bool `json:"multiple" mapstructure:"multiple"`
	// A non-empty array of objects that specifies claims in the requested Credential. Verifiers MUST NOT point to the same claim more than once in a single query. Wallets SHOULD ignore such duplicate claim queries.
	Claims []ClaimsQuery `json:"claims" mapstructure:"claims"`
	// Defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential. The properties of this object are defined per Credential Format. If empty, no specific constraints are placed on the metadata or validity of the requested Credential.
	Meta *MetaDataQuery `json:"meta,omitempty" mapstructure:"meta,omitempty"`
	// A boolean which indicates whether the Verifier requires a Cryptographic Holder Binding proof. Defaults to true when absent.
	RequireCryptographicHolderBinding *bool `json:"require_cryptographic_holder_binding,omitempty" mapstructure:"require_cryptographic_holder_binding"`
	// A non-empty array containing arrays of identifiers for elements in claims that specifies which combinations of claims for the Credential are requested.
	ClaimSets [][]string `json:"claim_sets,omitempty" mapstructure:"claim_sets,omitempty"`
	// A non-empty array of objects that specifies expected authorities or trust frameworks that certify Issuers, that the Verifier will accept. Every Credential returned by the Wallet SHOULD match at least one of the conditions present in the corresponding trusted_authorities array if present.
	TrustedAuthorities []TrustedAuthorityQuery `json:"trusted_authorities" mapstructure:"trusted_authorities"`
}

CredentialQuery is an object representing a request for a presentation of one or more matching Credentials

func (CredentialQuery) MarshalJSON

func (cq CredentialQuery) MarshalJSON() ([]byte, error)

func (*CredentialQuery) RequiresCryptographicHolderBinding

func (cq *CredentialQuery) RequiresCryptographicHolderBinding() bool

RequiresCryptographicHolderBinding returns true when the field is nil (absent) or explicitly true.

func (*CredentialQuery) UnmarshalJSON

func (cq *CredentialQuery) UnmarshalJSON(data []byte) error

type CredentialSetQuery

type CredentialSetQuery struct {
	// A non-empty array, where each value in the array is a list of Credential Query identifiers representing one set of Credentials that satisfies the use case. The value of each element in the options array is a non-empty array of identifiers which reference elements in credentials.
	Options [][]string `json:"options,omitempty" mapstructure:"options,omitempty"`
	// A boolean which indicates whether this set of Credentials is required to satisfy the particular use case at the Verifier.
	Required bool `json:"required,omitempty" mapstructure:"required,omitempty"`
	// A string, number or object specifying the purpose of the query. This specification does not define a specific structure or specific values for this property. The purpose is intended to be used by the Verifier to communicate the reason for the query to the Wallet. The Wallet MAY use this information to show the user the reason for the request.
	Purpose interface{} `json:"purpose,omitempty" mapstructure:"purpose,omitempty"`
}

CredentialSetQuery is an object representing a request for one or more Credentials to satisfy a particular use case with the Verifier.

type CredentialStatus

type CredentialStatus struct {
	// Enabled toggles the revocation-list check for this credential type.
	// When false (the default), no status-list lookup is performed for
	// credentials of this type.
	Enabled bool `json:"enabled" mapstructure:"enabled"`
	// AcceptedPurposes lists the status purposes this credential type enforces
	// (for example "revocation" or "suspension"). When empty callers should
	// fall back to DefaultAcceptedStatusPurposes(). The field is intentionally
	// left un-defaulted at mapstructure level so the YAML can distinguish
	// "not set" from an explicit empty list.
	AcceptedPurposes []string `json:"acceptedPurposes,omitempty" mapstructure:"acceptedPurposes,omitempty"`
	// RequireStatus rejects credentials of this type that are missing a
	// credentialStatus entry when set to true. Defaults to false so that
	// credentials without status information are accepted.
	RequireStatus bool `json:"requireStatus" mapstructure:"requireStatus"`
}

CredentialStatus holds the per-credential-type configuration for the status-list based revocation check. The zero-value disables the check, so credentials that omit the block behave exactly as they did before the feature was introduced.
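The gating logic that CredentialStatus and DefaultAcceptedStatusPurposes describe, as an added example rather than the package's own code: planStatusCheck, StatusEntry and Decision are assumed names, the content of the default purpose list is an assumption (the page does not state it), and the treatment of unresolvable entries is this example's own interpretation. Fetching the status-list credential itself is out of scope here.

```go
package main

import "fmt"

const (
	StatusPurposeRevocation = "revocation"
	StatusPurposeSuspension = "suspension"
)

// DefaultAcceptedStatusPurposes returns a fresh slice on every call so callers
// may mutate it. Which purposes the package's own default contains is not
// stated on the page; both recognised purposes are assumed here.
func DefaultAcceptedStatusPurposes() []string {
	return []string{StatusPurposeRevocation, StatusPurposeSuspension}
}

// CredentialStatus mirrors the package's per-credential-type configuration.
type CredentialStatus struct {
	Enabled          bool
	AcceptedPurposes []string
	RequireStatus    bool
}

// StatusEntry is the part of a VC's credentialStatus object needed to plan
// the check; fetching and decoding the list credential happens elsewhere.
type StatusEntry struct {
	StatusPurpose        string
	StatusListCredential string
	StatusListIndex      string
}

// Decision is the outcome of applying CredentialStatus to one credential.
type Decision struct {
	Reject  bool
	Reason  string
	ToCheck []StatusEntry // entries whose list bit must be looked up
}

// effectivePurposes applies the documented fallback: an unset or empty list
// means the defaults, never "no purposes" (which would skip every check).
func effectivePurposes(cs CredentialStatus) []string {
	if len(cs.AcceptedPurposes) == 0 {
		return DefaultAcceptedStatusPurposes()
	}
	return cs.AcceptedPurposes
}

// planStatusCheck decides what the verifier must do for a credential whose
// type is configured with cs. Interpretation (an assumption): RequireStatus
// rejects when no entry matches an accepted purpose, and an accepted entry
// that cannot be resolved (no list URL or index) is rejected, not ignored.
func planStatusCheck(cs CredentialStatus, entries []StatusEntry) Decision {
	if !cs.Enabled {
		return Decision{} // not opted in: prior behaviour, nothing is checked
	}
	accepted := map[string]bool{}
	for _, p := range effectivePurposes(cs) {
		accepted[p] = true
	}
	var d Decision
	for _, e := range entries {
		if !accepted[e.StatusPurpose] {
			continue // purpose not enforced for this type
		}
		if e.StatusListCredential == "" || e.StatusListIndex == "" {
			return Decision{Reject: true, Reason: fmt.Sprintf("unresolvable %s status entry", e.StatusPurpose)}
		}
		d.ToCheck = append(d.ToCheck, e)
	}
	if len(d.ToCheck) == 0 && cs.RequireStatus {
		return Decision{Reject: true, Reason: "no credentialStatus entry for an accepted purpose"}
	}
	return d
}

func main() {
	// Constructed entry, not a real status list.
	rev := StatusEntry{StatusPurpose: "revocation", StatusListCredential: "https://issuer.example/status/1", StatusListIndex: "42"}
	fmt.Printf("%+v\n", planStatusCheck(CredentialStatus{Enabled: true, RequireStatus: true}, []StatusEntry{rev}))
	fmt.Printf("%+v\n", planStatusCheck(CredentialStatus{Enabled: true, RequireStatus: true}, nil))
}
```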

type DCQL

type DCQL struct {
	// A non-empty array of Credential Queries that specify the requested Credentials.
	Credentials []CredentialQuery `json:"credentials" mapstructure:"credentials"`
	// A non-empty array of Credential Set Queries that specifies additional constraints on which of the requested Credentials to return.
	CredentialSets []CredentialSetQuery `json:"credential_sets" mapstructure:"credential_sets"`
}

DCQL defines a JSON encoded query to request the credentials to be included in the presentation

type Database

type Database struct {
	// Type of database: "postgres" or "mysql"
	Type string `mapstructure:"type"`
	// Host of the database server
	Host string `mapstructure:"host" default:"localhost"`
	// Port of the database server
	Port int `mapstructure:"port" default:"5432"`
	// Name of the database
	Name string `mapstructure:"name"`
	// User for database authentication
	User string `mapstructure:"user"`
	// Password for database authentication
	Password MaskedString `mapstructure:"password"`
	// SSLMode for the postgres connection (for mysql, use "true", "false", "skip-verify", or "preferred")
	SSLMode string `mapstructure:"sslMode" default:"disable"`
}

Database holds the configuration for the database connection used by the integrated Credentials Config Service. Supports "postgres" and "mysql" types.

type Elsi

type Elsi struct {
	// should the support for did:elsi be enabled
	Enabled bool `mapstructure:"enabled" default:"false"`
	// endpoint of the validation service to be used for JAdES signatures
	ValidationEndpoint *ValidationEndpoint `mapstructure:"validationEndpoint"`
}

type EndpointEntry

type EndpointEntry struct {
	// Type classifies the registry: TrustedIssuers or TrustedParticipants.
	Type EndpointType `json:"type" mapstructure:"type"`
	// ListType is the format of the registry list. Values: "ebsi", "gaia-x".
	// Defaults to "ebsi" when omitted.
	ListType string `json:"listType" mapstructure:"listType" default:"ebsi"`
	// Endpoint is the URL of the registry.
	Endpoint string `json:"endpoint" mapstructure:"endpoint"`
}

EndpointEntry describes a single trust-registry endpoint together with its type and the list format it exposes.

type EndpointType

type EndpointType int
const (
	Unknown EndpointType = iota
	TrustedIssuers
	TrustedParticipants
)

func (EndpointType) MarshalJSON

func (e EndpointType) MarshalJSON() ([]byte, error)

func (EndpointType) String

func (e EndpointType) String() string

func (*EndpointType) UnmarshalJSON

func (e *EndpointType) UnmarshalJSON(data []byte) error

type Fields

type Fields struct {
	// Id of the field
	Id string `json:"id" mapstructure:"id"`
	// A list of JsonPaths for the requested claim
	Path []string `json:"path" mapstructure:"path"`
	// Does it need to be included? Defaults to true when absent.
	Optional *bool `json:"optional,omitempty" mapstructure:"optional,omitempty"`
	// a custom filter to be applied on the fields, e.g. to restrict them to certain values
	Filter interface{} `json:"filter,omitempty" mapstructure:"filter"`
}

func (Fields) MarshalJSON

func (f Fields) MarshalJSON() ([]byte, error)

func (*Fields) UnmarshalJSON

func (f *Fields) UnmarshalJSON(data []byte) error

UnmarshalJSON sets Optional to true if it is missing.

type FormatObject

type FormatObject struct {
	// list of algorithms to be requested for the credential, e.g. ES256
	Alg       []string `json:"alg" mapstructure:"alg"`
	ProofType []string `json:"proofType,omitempty" mapstructure:"proofType,omitempty"`
}

type HolderVerification

type HolderVerification struct {
	// should holder verification be enabled
	Enabled bool `json:"enabled" mapstructure:"enabled"`
	// the claim containing the holder; defaults to "subject" when absent.
	Claim string `json:"claim" mapstructure:"claim"`
}

func (HolderVerification) MarshalJSON

func (h HolderVerification) MarshalJSON() ([]byte, error)

func (*HolderVerification) UnmarshalJSON

func (h *HolderVerification) UnmarshalJSON(data []byte) error

type HttpClient

type HttpClient interface {
	Get(url string) (resp *http.Response, err error)
}

type HttpConfigClient

type HttpConfigClient struct {
	// contains filtered or unexported fields
}

func (HttpConfigClient) GetServices

func (hcc HttpConfigClient) GetServices() (services []ConfiguredService, err error)

type InputDescriptor

type InputDescriptor struct {
	// Id of the descriptor
	Id string `json:"id" mapstructure:"id"`
	// defines the information to be requested
	Constraints Constraints `json:"constraints" mapstructure:"constraints"`
	// Format of the credential to be requested
	Format map[string]FormatObject `json:"format,omitempty" mapstructure:"format,omitempty"`
	// A human readable name for the definition
	Name string `json:"name,omitempty" mapstructure:"name,omitempty"`
	// A string that describes the purpose for which the definition should be used
	Purpose string `json:"purpose,omitempty" mapstructure:"purpose,omitempty"`
}

type JwtInclusion

type JwtInclusion struct {
	// Should the given credential be included into the generated JWT; defaults to true when absent.
	Enabled *bool `json:"enabled,omitempty" mapstructure:"enabled"`
	// Should the complete credential be embedded
	FullInclusion bool `json:"fullInclusion" mapstructure:"fullInclusion"`
	// Claims to be included. Default empty list
	ClaimsToInclude []ClaimInclusion `json:"claimsToInclude" mapstructure:"claimsToInclude"`
}

func (*JwtInclusion) IsEnabled

func (j *JwtInclusion) IsEnabled() bool

IsEnabled returns true when Enabled is nil (absent) or explicitly true.

func (JwtInclusion) MarshalJSON

func (j JwtInclusion) MarshalJSON() ([]byte, error)

func (*JwtInclusion) UnmarshalJSON

func (j *JwtInclusion) UnmarshalJSON(data []byte) error

type M2M

type M2M struct {
	// auth enabled for M2M interactions
	AuthEnabled bool `mapstructure:"authEnabled"`
	// path to the signing key (in PEM format)
	KeyPath string `mapstructure:"keyPath"`
	// path to the credential to be used for auth
	CredentialPath string `mapstructure:"credentialPath"`
	// id of the verifier when retrieving tokens
	ClientId string `mapstructure:"clientId"`
	// verification method to be provided for the ld-proof
	VerificationMethod string `mapstructure:"verificationMethod" default:"JsonWebKey2020"`
	// signature type to be provided for the ld-proof
	SignatureType string `mapstructure:"signatureType" default:"JsonWebSignature2020"`
	// type of the provided key
	KeyType string `mapstructure:"keyType" default:"RSAPS256"`
}

M2M holds the configuration for M2M (machine-to-machine) interactions.

type MaskedString

type MaskedString string

MaskedString is a string type for sensitive configuration values (passwords, secrets, HMAC keys). It marshals to "***" in JSON so that sensitive data never appears in logs or serialized output. The underlying string value is preserved and accessible normally in Go code (e.g. fmt.Sprintf, direct comparison), so no type conversion is needed at call sites.

func (MaskedString) MarshalJSON

func (m MaskedString) MarshalJSON() ([]byte, error)
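The masking behaviour described above, as an added example that is not the package's own code: it reimplements MaskedString over a trimmed Database struct and, through the assumed helpers logView, dsn and fmtView, shows the point a practitioner should check, namely that only JSON output is masked while fmt-style formatting still reveals the value.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// MaskedString mirrors the package's type: a normal string in Go code whose
// JSON form is always the literal "***".
type MaskedString string

func (m MaskedString) MarshalJSON() ([]byte, error) {
	return []byte(`"***"`), nil
}

// Database is the subset of the package's Database struct used here.
type Database struct {
	Host     string       `json:"host"`
	User     string       `json:"user"`
	Password MaskedString `json:"password"`
}

// logView is what a structured logger or a config endpoint emits when it
// serialises the struct: the secret is masked without any special casing.
func logView(db Database) (string, error) {
	b, err := json.Marshal(db)
	return string(b), err
}

// dsn shows the raw secret remains usable where it is genuinely needed.
func dsn(db Database) string {
	return fmt.Sprintf("postgres://%s:%s@%s", db.User, db.Password, db.Host)
}

// fmtView shows the caveat: masking is JSON-only. %v or %+v on the struct,
// or printing the field directly, still reveals the secret, so log the JSON
// view rather than the struct itself.
func fmtView(db Database) string {
	return fmt.Sprintf("%+v", db)
}

func main() {
	db := Database{Host: "db.internal:5432", User: "vcverifier", Password: "hunter2"} // constructed values
	j, _ := logView(db)
	fmt.Println(j)
	fmt.Println(db.Password == "hunter2", dsn(db))
}
```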

type MetaDataQuery

type MetaDataQuery struct {
	// SD-JWT and JWT specific parameter. A non-empty array of strings that specifies allowed values for the type of the requested Verifiable Credential. The Wallet MAY return Credentials that inherit from any of the specified types, following the inheritance logic defined in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-10
	VctValues []string `json:"vct_values,omitempty" mapstructure:"vct_values,omitempty"`
	// Required for MDoc. String that specifies an allowed value for the doctype of the requested Verifiable Credential. It MUST be a valid doctype identifier as defined in https://www.iso.org/standard/69084.html
	DoctypeValue string `json:"doctype_value,omitempty" mapstructure:"doctype_value,omitempty"`
	// Required for ldp_vc. A non-empty array of string arrays. The Type value of the credential needs to be a subset of at least one of the string-arrays.
	TypeValues [][]string `json:"type_values,omitempty" mapstructure:"type_values,omitempty"`
}

MetaDataQuery defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential.

type Policies

type Policies struct {
	// policies that all credentials are checked against
	DefaultPolicies PolicyMap `mapstructure:"default"`
	// policies used to check specific credential types. The key maps to the "credentialSubject.type" of the credential
	CredentialTypeSpecificPolicies map[string]PolicyMap `mapstructure:"credentialTypeSpecific"`
}

type PolicyConfigParameters

type PolicyConfigParameters map[string]interface{}

type PolicyMap

type PolicyMap map[string]PolicyConfigParameters

type PresentationDefinition

type PresentationDefinition struct {
	Id string `json:"id"`
	// List of requested inputs
	InputDescriptors []InputDescriptor `json:"input_descriptors" mapstructure:"input_descriptors"`
	// Format of the credential to be requested
	Format map[string]FormatObject `json:"format" mapstructure:"format"`
	// A human readable name for the definition
	Name string `json:"name,omitempty" mapstructure:"name,omitempty"`
	// A string that describes the purpose for which the definition should be used
	Purpose string `json:"purpose,omitempty" mapstructure:"purpose,omitempty"`
}

type RefreshToken

type RefreshToken struct {
	// Enabled controls whether the verifier issues refresh tokens alongside
	// access tokens. When false (the default), no refresh tokens are generated
	// and the refresh_token grant type is rejected.
	Enabled bool `mapstructure:"enabled" default:"false"`
	// Expiration is the lifetime of issued refresh tokens, in minutes.
	// Defaults to 2880 (48 hours). Only meaningful when Enabled is true.
	Expiration int `mapstructure:"expiration" default:"2880"`
	// CleanupInterval is how often (in seconds) expired refresh token rows are
	// purged from the database. 0 or negative disables cleanup.
	CleanupInterval int `mapstructure:"cleanupInterval" default:"60"`
	// HashSalt is the HMAC-SHA256 key used when hashing refresh tokens before
	// storage. Tokens are always hashed; this field controls whether the key
	// is stable across restarts. When empty a random salt is generated at
	// startup, meaning all issued tokens are invalidated when the server
	// restarts. Provide a fixed secret string to preserve tokens across
	// restarts.
	HashSalt MaskedString `mapstructure:"hashSalt"`
}

RefreshToken holds all configuration related to the refresh token feature.

type ScopeEntry

type ScopeEntry struct {
	// credential types with their trust configuration
	Credentials []Credential `json:"credentials" mapstructure:"credentials"`
	// Proofs to be requested - see https://identity.foundation/presentation-exchange/#presentation-definition
	PresentationDefinition *PresentationDefinition `json:"presentationDefinition,omitempty" mapstructure:"presentationDefinition,omitempty"`
	// Query to request the credentials to be included in the presentation
	DCQL *DCQL `json:"dcql,omitempty" mapstructure:"dcql,omitempty"`
	// When set, the claims are flattened to plain JWT claims before being included, instead of keeping the credential/presentation structure where the claims sit under the key vc or vp
	FlatClaims bool `json:"flatClaims" mapstructure:"flatClaims"`
}

type Server

type Server struct {
	// host name of the verifier
	Host string `mapstructure:"host"`
	// port to bind the server
	Port int `mapstructure:"port" default:"8080"`
	// directory to read the template(s) from
	TemplateDir string `mapstructure:"templateDir" default:"views/"`
	// directory of static files to be served, e.g. for use inside the templates
	StaticDir string `mapstructure:"staticDir" default:"views/static/"`

	// ReadTimeout is the maximum duration for reading the entire request, including the body.
	ReadTimeout int `mapstructure:"readTimeout" default:"5"`
	// WriteTimeout is the maximum duration before timing out writes of the response.
	WriteTimeout int `mapstructure:"writeTimeout" default:"10"`
	// IdleTimeout is the maximum amount of time to wait for the next request when keep-alives are enabled.
	IdleTimeout int `mapstructure:"idleTimeout" default:"120"`
	// ShutdownTimeout is the time allowed for active requests to finish during shutdown.
	ShutdownTimeout int `mapstructure:"shutdownTimeout" default:"5"`
}

Server holds the general configuration to run the application.

type ServicesResponse

type ServicesResponse struct {
	Total      int                 `json:"total"`
	PageNumber int                 `json:"pageNumber"`
	PageSize   int                 `json:"pageSize"`
	Services   []ConfiguredService `json:"services"`
}

type TrustedAuthorityQuery

type TrustedAuthorityQuery struct {
	// A string uniquely identifying the type of information about the issuer trust framework.
	Type string `json:"type" mapstructure:"type"`
	// A non-empty array of strings, where each string (value) contains information specific to the used Trusted Authorities Query type that allows the identification of an issuer, a trust framework, or a federation that an issuer belongs to.
	Values []string `json:"values" mapstructure:"values"`
}

TrustedAuthorityQuery is an object representing information that helps to identify an authority or the trust framework that certifies Issuers.

type TrustedIssuersList

type TrustedIssuersList struct {
	// Type of issuers list to be used — "ebsi" for v3/v4, "ebsi-v5" for v5.
	Type string `json:"type" mapstructure:"type"`
	// Url of the trusted issuers registry endpoint.
	Url string `json:"url" mapstructure:"url"`
}

TrustedIssuersList represents a single trusted issuers registry endpoint with an associated type (e.g. "ebsi", "ebsi-v5"). Mirrors TrustedParticipantsList for issuers.

type TrustedIssuersLists

type TrustedIssuersLists []TrustedIssuersList

TrustedIssuersLists is a slice of TrustedIssuersList with a custom JSON unmarshaler that accepts both the new structured format and the legacy plain string array format for backward compatibility.

func (*TrustedIssuersLists) UnmarshalJSON

func (t *TrustedIssuersLists) UnmarshalJSON(data []byte) error

UnmarshalJSON supports two JSON formats:

  • Structured: [{"type":"ebsi-v5","url":"https://..."}]
  • Legacy string array: ["https://..."] — each URL defaults to type "ebsi".
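The following is an added example, not the config package's own implementation, of the dual-format unmarshaler described above. It decodes into the plain element slice rather than into TrustedIssuersLists itself (otherwise json.Unmarshal would re-enter UnmarshalJSON and recurse), defaults legacy entries to type "ebsi", and rejects mixed arrays because they fail both decodes. The type whitelist ("ebsi", "ebsi-v5"), the defaulting of a structured entry with no type, and the https-only rule for registry URLs are policies assumed for this example, not documented behaviour of the package; the inputs in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// TrustedIssuersList mirrors the documented entry shape (example code, not the package's).
type TrustedIssuersList struct {
	Type string `json:"type"`
	Url  string `json:"url"`
}

// TrustedIssuersLists is the slice type that carries the custom unmarshaler.
type TrustedIssuersLists []TrustedIssuersList

// legacyType is the type assigned to entries given in the plain string-array form.
const legacyType = "ebsi"

// knownTypes is an example policy: only the two documented types are accepted.
var knownTypes = map[string]bool{"ebsi": true, "ebsi-v5": true}

// UnmarshalJSON accepts either the structured form
// [{"type":"ebsi-v5","url":"https://..."}] or the legacy form ["https://..."].
// A mixed array fails both decodes and is rejected.
func (t *TrustedIssuersLists) UnmarshalJSON(data []byte) error {
	// Decode into []TrustedIssuersList, not into TrustedIssuersLists, so that
	// encoding/json does not call this method again and recurse.
	var structured []TrustedIssuersList
	if err := json.Unmarshal(data, &structured); err == nil {
		return t.set(structured)
	}
	var legacy []string
	if err := json.Unmarshal(data, &legacy); err != nil {
		return fmt.Errorf("trusted issuers list: not a structured or legacy array: %w", err)
	}
	entries := make([]TrustedIssuersList, 0, len(legacy))
	for _, u := range legacy {
		entries = append(entries, TrustedIssuersList{Type: legacyType, Url: u})
	}
	return t.set(entries)
}

// set validates every entry before it becomes one of the verifier's trust anchors.
func (t *TrustedIssuersLists) set(entries []TrustedIssuersList) error {
	for i := range entries {
		if entries[i].Type == "" {
			// Assumption for this example: a structured entry without a type
			// gets the same default as the legacy form.
			entries[i].Type = legacyType
		}
		if !knownTypes[entries[i].Type] {
			return fmt.Errorf("trusted issuers list[%d]: unknown type %q", i, entries[i].Type)
		}
		parsed, err := url.Parse(entries[i].Url)
		if err != nil || parsed.Scheme != "https" || parsed.Host == "" {
			// Example policy: a trust registry is only ever fetched over https.
			return fmt.Errorf("trusted issuers list[%d]: url %q must be an absolute https URL", i, entries[i].Url)
		}
	}
	*t = entries
	return nil
}

// ParseTrustedIssuersLists decodes a JSON array in either supported form.
func ParseTrustedIssuersLists(data []byte) (TrustedIssuersLists, error) {
	var lists TrustedIssuersLists
	if err := json.Unmarshal(data, &lists); err != nil {
		return nil, err
	}
	return lists, nil
}

func main() {
	// Constructed inputs: one of each accepted form plus a rejected mixed array.
	inputs := []string{
		`[{"type":"ebsi-v5","url":"https://tir.example.org/v5"}]`,
		`["https://tir.example.org/v4"]`,
		`["https://tir.example.org/v4", {"type":"ebsi-v5","url":"https://tir.example.org/v5"}]`,
	}
	for _, in := range inputs {
		lists, err := ParseTrustedIssuersLists([]byte(in))
		fmt.Printf("%s -> %+v, err=%v\n", in, lists, err)
	}
}
```

The same two-phase decode works unchanged for TrustedParticipantsLists, which has the same shape; only the accepted type set differs.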

type TrustedParticipantsList

type TrustedParticipantsList struct {
	// Type of participants list to be used - either gaia-x or ebsi
	Type string `json:"type" mapstructure:"type"`
	// url of the list
	Url string `json:"url" mapstructure:"url"`
}

type TrustedParticipantsLists

type TrustedParticipantsLists []TrustedParticipantsList

func (*TrustedParticipantsLists) UnmarshalJSON

func (t *TrustedParticipantsLists) UnmarshalJSON(data []byte) error

type ValidationEndpoint

type ValidationEndpoint struct {
	Host           string `mapstructure:"host"`
	ValidationPath string `mapstructure:"validationPath" default:"/validateSignature"`
	HealthPath     string `mapstructure:"healthPath" default:"/q/health/ready"`
}

type Verifier

type Verifier struct {
	// did to be used by the verifier
	Did string `mapstructure:"did"`
	// Identification to be used for the verifier
	ClientIdentification ClientIdentification `mapstructure:"clientIdentification"`
	// supported request modes - currently 'urlEncoded', 'byValue' and 'byReference' are available. In case of byValue, the keyPath has to be set.
	SupportedModes []string `mapstructure:"supportedModes" default:"urlEncoded"`
	// address of the (ebsi-compatible) trusted-issuers-registry for verifying the issuer
	TirAddress string `mapstructure:"tirAddress"`
	// expiry of the tir-cache entries
	TirCacheExpiry int `mapstructure:"tirCacheExpiry" default:"30"`
	// expiry of the til-cache entries
	TilCacheExpiry int `mapstructure:"tilCacheExpiry" default:"30"`
	// expiry of auth sessions
	SessionExpiry int `mapstructure:"sessionExpiry" default:"30"`
	// policies that shall be checked
	PolicyConfig Policies `mapstructure:"policies"`
	// path of the authorizationEndpoint to be provided in the .well-known/openid-configuration
	AuthorizationEndpoint string `mapstructure:"authorizationEndpoint"`
	// Validation mode for validating the vcs. Does not touch verification, just content validation.
	// applicable modes:
	// * `none`: No validation, just swallow everything
	// * `combined`: ld and schema validation
	// * `jsonLd`: uses JSON-LD parser for validation
	// * `baseContext`: validates that only the fields and values (when applicable) are present in the document. No extra fields are allowed (outside of credentialSubject).
	// Default is set to `none` to ensure backwards compatibility
	ValidationMode string `mapstructure:"validationMode" default:"none"`
	// algorithm to be used for the jwt signatures - currently supported: RS256 and ES256
	KeyAlgorithm string `mapstructure:"keyAlgorithm" default:"RS256"`
	// when set to true, the private key is generated on startup. It is not persisted and is only kept in memory.
	GenerateKey bool `mapstructure:"generateKey" default:"true"`
	// path to the private key for jwt signatures
	KeyPath string `mapstructure:"keyPath"`
	// expiration time in minutes for JWT tokens
	JwtExpiration int `mapstructure:"jwtExpiration" default:"30"`
	// TTL, in seconds, for cached status-list credentials fetched by the
	// shared status-list client. Does NOT enable the revocation check — it
	// only parametrises the cache used when at least one credential opts in.
	StatusListCacheExpiry int `mapstructure:"statusListCacheExpiry" default:"300"`
	// Timeout, in seconds, for HTTP requests made by the shared status-list
	// client when fetching a status-list credential. Does NOT enable the
	// revocation check — it only parametrises the HTTP client used when at
	// least one credential opts in.
	StatusListHttpTimeout int `mapstructure:"statusListHttpTimeout" default:"10"`
	// RefreshToken groups all refresh token configuration.
	RefreshToken RefreshToken `mapstructure:"refreshToken"`
}

configuration specific to the functionality of the verifier
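The field comments above imply several consistency rules: byValue needs keyPath, keyAlgorithm is RS256 or ES256, validationMode is one of none/combined/jsonLd/baseContext, and generateKey=true means the signing key is created in memory on each start and never persisted. The following is an added example, not code from the package, that checks a Verifier value against those rules and lists the settings that are valid but weak. The reduced Verifier struct, the DefaultVerifier values (taken from the default tags above), the rule that generateKey=false requires keyPath, and the warning list are assumptions of this example.

```go
package main

import "fmt"

// Verifier mirrors the documented config struct, reduced to the fields the
// checks below need. Example code, not the config package's own type.
type Verifier struct {
	Did                   string
	SupportedModes        []string
	SessionExpiry         int
	ValidationMode        string
	KeyAlgorithm          string
	GenerateKey           bool
	KeyPath               string
	JwtExpiration         int
	StatusListCacheExpiry int
	StatusListHttpTimeout int
}

var (
	requestModes    = []string{"urlEncoded", "byValue", "byReference"}
	validationModes = []string{"none", "combined", "jsonLd", "baseContext"}
	keyAlgorithms   = []string{"RS256", "ES256"}
)

func contains(set []string, s string) bool {
	for _, x := range set {
		if x == s {
			return true
		}
	}
	return false
}

// DefaultVerifier applies the documented default tag values; did has no default.
func DefaultVerifier() Verifier {
	return Verifier{
		SupportedModes:        []string{"urlEncoded"},
		SessionExpiry:         30,
		ValidationMode:        "none",
		KeyAlgorithm:          "RS256",
		GenerateKey:           true,
		JwtExpiration:         30,
		StatusListCacheExpiry: 300,
		StatusListHttpTimeout: 10,
	}
}

// Validate returns one message per hard error; an empty result means the
// value is consistent with the documented constraints.
func Validate(v Verifier) []string {
	var problems []string
	if v.Did == "" {
		problems = append(problems, "did must be set")
	}
	for _, m := range v.SupportedModes {
		if !contains(requestModes, m) {
			problems = append(problems, fmt.Sprintf("unsupported request mode %q", m))
		}
	}
	if contains(v.SupportedModes, "byValue") && v.KeyPath == "" {
		problems = append(problems, "byValue mode requires keyPath")
	}
	// Assumption of this example: with generateKey=false the key can only come from keyPath.
	if !v.GenerateKey && v.KeyPath == "" {
		problems = append(problems, "generateKey=false requires keyPath")
	}
	if !contains(keyAlgorithms, v.KeyAlgorithm) {
		problems = append(problems, fmt.Sprintf("unsupported keyAlgorithm %q", v.KeyAlgorithm))
	}
	if !contains(validationModes, v.ValidationMode) {
		problems = append(problems, fmt.Sprintf("unknown validationMode %q", v.ValidationMode))
	}
	durations := []struct {
		name string
		val  int
	}{
		{"sessionExpiry", v.SessionExpiry},
		{"jwtExpiration", v.JwtExpiration},
		{"statusListCacheExpiry", v.StatusListCacheExpiry},
		{"statusListHttpTimeout", v.StatusListHttpTimeout},
	}
	for _, d := range durations {
		if d.val <= 0 {
			problems = append(problems, d.name+" must be positive")
		}
	}
	return problems
}

// Warnings flags settings that pass Validate but weaken the deployment.
func Warnings(v Verifier) []string {
	var w []string
	if v.GenerateKey {
		w = append(w, "generateKey=true: the JWT signing key is created in memory on every start and never persisted")
	}
	if v.ValidationMode == "none" {
		w = append(w, "validationMode=none: credential content is not validated")
	}
	return w
}

func main() {
	v := DefaultVerifier() // constructed: defaults only, no did set
	fmt.Println("problems:", Validate(v))
	fmt.Println("warnings:", Warnings(v))
}
```

Run such a check at startup and refuse to serve on any problem; the warnings are what a reviewer would expect to see in the logs of a deployment that still runs with the documented defaults.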
