baseid_did/methods/

web.rs

//! `did:web` method implementation.
//!
//! `did:web` resolves DID Documents by fetching them over HTTPS.
//! Practical for organizations and easy to deploy.
//!
//! Reference: <https://w3c-ccg.github.io/did-method-web/>

use baseid_core::error::DidError;

use crate::document::DidDocument;
use crate::resolution::{DidResolver, ResolutionMetadata, ResolutionResult};
use crate::url::DidUrl;

/// Resolver for `did:web` method.
pub struct DidWebResolver {
    http_client: reqwest::Client,
}

impl DidWebResolver {
    pub fn new() -> Self {
        Self {
            http_client: reqwest::Client::new(),
        }
    }

    /// Create a resolver with a custom HTTP client.
    ///
    /// Useful for testing or configuring timeouts, proxies, etc.
    pub fn with_client(client: reqwest::Client) -> Self {
        Self {
            http_client: client,
        }
    }
}

impl Default for DidWebResolver {
    fn default() -> Self {
        Self::new()
    }
}

impl DidResolver for DidWebResolver {
    fn method(&self) -> &str {
        "web"
    }

    async fn resolve(&self, did: &str) -> baseid_core::Result<ResolutionResult> {
        let url = did_to_url(did)?;

        let response = self
            .http_client
            .get(&url)
            .header("Accept", "application/did+ld+json, application/json")
            .send()
            .await
            .map_err(|_| DidError::ResolutionFailed)?;

        if !response.status().is_success() {
            if response.status().as_u16() == 404 {
                return Err(DidError::NotFound.into());
            }
            return Err(DidError::ResolutionFailed.into());
        }

        // Reject oversized responses to prevent memory exhaustion.
        if let Some(len) = response.content_length() {
            if len > MAX_RESPONSE_SIZE {
                return Err(DidError::ResolutionFailed.into());
            }
        }

        let document: DidDocument = response
            .json()
            .await
            .map_err(|_| DidError::ResolutionFailed)?;

        // Validate that the document id matches the requested DID.
        let parsed = DidUrl::parse(did)?;
        if document.id != parsed.did {
            return Err(DidError::ResolutionFailed.into());
        }

        Ok(ResolutionResult {
            document: Some(document),
            metadata: ResolutionMetadata {
                content_type: Some("application/did+ld+json".to_string()),
                error: None,
            },
        })
    }
}

/// Maximum response body size for DID Document fetches (1 MiB).
const MAX_RESPONSE_SIZE: u64 = 1024 * 1024;

/// Convert a `did:web` DID to the HTTPS URL where the DID Document is hosted.
///
/// Rules (per spec):
/// - `did:web:example.com` → `https://example.com/.well-known/did.json`
/// - `did:web:example.com:path:to` → `https://example.com/path/to/did.json`
/// - `did:web:example.com%3A3000` → `https://example.com:3000/.well-known/did.json`
///
/// Colons in the method-specific identifier are path separators.
/// Percent-encoded characters (like `%3A` for `:`) are decoded.
///
/// Rejects domains that resolve to private/reserved IP ranges (SSRF protection)
/// and path segments containing `..` (path traversal protection).
pub fn did_to_url(did: &str) -> baseid_core::Result<String> {
    let parsed = DidUrl::parse(did)?;
    if parsed.method != "web" {
        return Err(DidError::UnsupportedMethod.into());
    }

    // The method_id contains the domain (and optional path), with colons as separators.
    let segments: Vec<&str> = parsed.method_id.split(':').collect();
    if segments.is_empty() || segments[0].is_empty() {
        return Err(DidError::InvalidDid.into());
    }

    // Percent-decode the domain segment.
    let domain = percent_decode(segments[0])?;

    // SSRF protection: reject private/reserved domains
    if is_private_host(&domain) {
        return Err(DidError::ResolutionFailed.into());
    }

    if segments.len() == 1 {
        Ok(format!("https://{domain}/.well-known/did.json"))
    } else {
        let mut path_parts = Vec::with_capacity(segments.len() - 1);
        for seg in &segments[1..] {
            let decoded = percent_decode(seg)?;
            // Path traversal protection
            if decoded.contains("..") || decoded.starts_with('/') {
                return Err(DidError::InvalidDid.into());
            }
            path_parts.push(decoded);
        }
        Ok(format!(
            "https://{domain}/{}/did.json",
            path_parts.join("/")
        ))
    }
}

/// Percent-decode a DID segment, producing valid UTF-8.
fn percent_decode(input: &str) -> baseid_core::Result<String> {
    let mut bytes = Vec::with_capacity(input.len());
    let src = input.as_bytes();
    let mut i = 0;
    while i < src.len() {
        if src[i] == b'%' && i + 2 < src.len() {
            if let Ok(byte) =
                u8::from_str_radix(std::str::from_utf8(&src[i + 1..i + 3]).unwrap_or(""), 16)
            {
                bytes.push(byte);
                i += 3;
                continue;
            }
        }
        bytes.push(src[i]);
        i += 1;
    }
    String::from_utf8(bytes).map_err(|_| DidError::InvalidDid.into())
}

/// Check if a host string refers to a private or reserved IP address.
///
/// Rejects: localhost, 127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x,
/// 0.x, [::1], and other reserved ranges. This prevents SSRF attacks
/// when resolving did:web documents.
fn is_private_host(host: &str) -> bool {
    let host_lower = host.to_ascii_lowercase();

    // Strip port: for bracketed IPv6 like "[::1]:8080", split after ']'
    // For plain hosts like "localhost:3000", split on last ':'
    let hostname = if host_lower.starts_with('[') {
        // IPv6 bracket notation — hostname is everything up to and including ']'
        host_lower
            .split(']')
            .next()
            .map(|s| format!("{s}]"))
            .unwrap_or(host_lower.clone())
    } else {
        // For IPv4/hostname, strip port by taking up to the last ':'
        // But only if it looks like host:port (not an IPv6 without brackets)
        match host_lower.rfind(':') {
            Some(pos) if host_lower[pos + 1..].chars().all(|c| c.is_ascii_digit()) => {
                host_lower[..pos].to_string()
            }
            _ => host_lower.clone(),
        }
    };

    if hostname == "localhost" {
        return true;
    }

    // Try to parse as IPv4
    if let Ok(ip) = hostname.parse::<std::net::Ipv4Addr>() {
        return ip.is_loopback()       // 127.0.0.0/8
            || ip.is_private()         // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
            || ip.is_link_local()      // 169.254.0.0/16
            || ip.is_broadcast()       // 255.255.255.255
            || ip.is_unspecified()     // 0.0.0.0
            || ip.octets()[0] == 0; // 0.x.x.x
    }

    // Try to parse as IPv6 (with or without brackets)
    let v6_str = hostname
        .strip_prefix('[')
        .and_then(|s| s.strip_suffix(']'))
        .unwrap_or(&hostname);
    if let Ok(ip) = v6_str.parse::<std::net::Ipv6Addr>() {
        return ip.is_loopback()        // ::1
            || ip.is_unspecified()     // ::
            || ip.to_ipv4_mapped().is_some_and(|v4| {
                v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified()
            });
    }

    false
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn url_simple_domain() {
        let url = did_to_url("did:web:example.com").unwrap();
        assert_eq!(url, "https://example.com/.well-known/did.json");
    }

    #[test]
    fn url_domain_with_path() {
        let url = did_to_url("did:web:example.com:path:to:resource").unwrap();
        assert_eq!(url, "https://example.com/path/to/resource/did.json");
    }

    #[test]
    fn url_domain_with_port() {
        let url = did_to_url("did:web:example.com%3A3000").unwrap();
        assert_eq!(url, "https://example.com:3000/.well-known/did.json");
    }

    #[test]
    fn url_domain_with_port_and_path() {
        let url = did_to_url("did:web:example.com%3A3000:user:alice").unwrap();
        assert_eq!(url, "https://example.com:3000/user/alice/did.json");
    }

    #[test]
    fn url_subdomain() {
        let url = did_to_url("did:web:w3c-ccg.github.io").unwrap();
        assert_eq!(url, "https://w3c-ccg.github.io/.well-known/did.json");
    }

    #[test]
    fn url_subdomain_with_path() {
        let url = did_to_url("did:web:w3c-ccg.github.io:user:alice").unwrap();
        assert_eq!(url, "https://w3c-ccg.github.io/user/alice/did.json");
    }

    #[test]
    fn url_wrong_method_fails() {
        assert!(did_to_url("did:key:z6Mk...").is_err());
    }

    #[test]
    fn url_invalid_did_fails() {
        assert!(did_to_url("not-a-did").is_err());
    }

    #[test]
    fn percent_decode_basic() {
        assert_eq!(
            percent_decode("example.com%3A3000").unwrap(),
            "example.com:3000"
        );
        assert_eq!(percent_decode("hello%20world").unwrap(), "hello world");
        assert_eq!(percent_decode("nopercent").unwrap(), "nopercent");
    }

    #[test]
    fn percent_decode_invalid_utf8_rejected() {
        // %FF%FE is not valid UTF-8
        assert!(percent_decode("bad%FF%FE").is_err());
    }

    #[test]
    fn ssrf_localhost_rejected() {
        assert!(did_to_url("did:web:localhost").is_err());
        assert!(did_to_url("did:web:localhost%3A8080").is_err());
    }

    #[test]
    fn ssrf_private_ip_rejected() {
        assert!(did_to_url("did:web:127.0.0.1").is_err());
        assert!(did_to_url("did:web:10.0.0.1").is_err());
        assert!(did_to_url("did:web:192.168.1.1").is_err());
        assert!(did_to_url("did:web:172.16.0.1").is_err());
        assert!(did_to_url("did:web:169.254.1.1").is_err());
        assert!(did_to_url("did:web:0.0.0.0").is_err());
    }

    #[test]
    fn ssrf_ipv6_loopback_rejected() {
        // IPv6 literal must be percent-encoded in did:web (colons are separators)
        assert!(did_to_url("did:web:%5B%3A%3A1%5D").is_err());
    }

    #[test]
    fn is_private_host_unit() {
        assert!(is_private_host("localhost"));
        assert!(is_private_host("127.0.0.1"));
        assert!(is_private_host("10.0.0.1"));
        assert!(is_private_host("192.168.1.1"));
        assert!(is_private_host("[::1]"));
        assert!(is_private_host("localhost:8080"));
        assert!(!is_private_host("example.com"));
        assert!(!is_private_host("8.8.8.8"));
    }

    #[test]
    fn path_traversal_rejected() {
        assert!(did_to_url("did:web:example.com:..").is_err());
        assert!(did_to_url("did:web:example.com:path:..%2F..%2Fetc").is_err());
    }

    #[test]
    fn absolute_path_segment_rejected() {
        // Path segment starting with / after decode
        assert!(did_to_url("did:web:example.com:%2Fetc:passwd").is_err());
    }

    #[test]
    fn public_domain_accepted() {
        assert!(did_to_url("did:web:example.com").is_ok());
        assert!(did_to_url("did:web:baseid.ca").is_ok());
        assert!(did_to_url("did:web:gov.bc.ca:identity").is_ok());
    }

    #[test]
    fn resolver_wrong_method_fails() {
        let resolver = DidWebResolver::new();
        let result = tokio::runtime::Runtime::new()
            .unwrap()
            .block_on(resolver.resolve("did:key:z6Mk..."));
        assert!(result.is_err());
    }
}