baseid_did/methods/

webvh.rs

//! `did:webvh` method implementation (formerly `did:tdw`).
//!
//! Trust DID Web with Verifiable History — extends did:web with a
//! cryptographically verifiable log of all DID document changes.
//!
//! Reference: <https://identity.foundation/didwebvh/v1.0/>

use baseid_core::error::DidError;
use sha2::{Digest, Sha256};

use crate::document::DidDocument;
use crate::resolution::{DidResolver, ResolutionMetadata, ResolutionResult};

/// A single entry in the did:webvh log chain.
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct WebvhLogEntry {
    pub version_id: String,
    pub version_time: String,
    #[serde(default)]
    pub parameters: WebvhParameters,
    pub state: DidDocument,
}

/// Parameters for a did:webvh log entry.
#[derive(Debug, Clone, Default, serde::Serialize, serde::Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct WebvhParameters {
    #[serde(default)]
    pub method: String,
    #[serde(default)]
    pub scid: String,
    #[serde(default)]
    pub update_keys: Vec<String>,
    #[serde(default)]
    pub portable: bool,
    #[serde(default)]
    pub deactivated: bool,
    #[serde(default)]
    pub ttl: u64,
}

/// Resolver for `did:webvh` method.
///
/// Fetches the `.well-known/did.jsonl` file and processes the log chain.
pub struct DidWebvhResolver {
    client: reqwest::Client,
}

impl Default for DidWebvhResolver {
    fn default() -> Self {
        Self::new()
    }
}

impl DidWebvhResolver {
    pub fn new() -> Self {
        Self {
            client: reqwest::Client::new(),
        }
    }

    /// Convert a did:webvh DID to the HTTPS URL for fetching the log.
    pub fn did_to_url(did: &str) -> baseid_core::Result<String> {
        if !did.starts_with("did:webvh:") {
            return Err(DidError::UnsupportedMethod.into());
        }

        let rest = &did["did:webvh:".len()..];
        // Split on ':' — first part is SCID, rest is domain + path
        let parts: Vec<&str> = rest.splitn(2, ':').collect();
        if parts.len() < 2 {
            return Err(DidError::InvalidDid.into());
        }

        let _scid = parts[0];
        let domain_path = parts[1];

        // Process domain and path (same as did:web)
        let segments: Vec<&str> = domain_path.split(':').collect();
        let domain = segments[0].replace("%3A", ":");
        let path = if segments.len() > 1 {
            format!("/{}", segments[1..].join("/"))
        } else {
            "/.well-known".to_string()
        };

        Ok(format!("https://{domain}{path}/did.jsonl"))
    }

    /// Process a did:webvh log (JSONL content) and return the final DID document.
    pub fn process_log(did: &str, jsonl: &str) -> baseid_core::Result<DidDocument> {
        let mut last_doc: Option<DidDocument> = None;
        let mut expected_version = 1u64;

        for line in jsonl.lines() {
            let line = line.trim();
            if line.is_empty() {
                continue;
            }

            let entry: WebvhLogEntry =
                serde_json::from_str(line).map_err(|_| DidError::ResolutionFailed)?;

            // Validate version ordering
            let version_num = entry
                .version_id
                .split('-')
                .next()
                .and_then(|s| s.parse::<u64>().ok())
                .ok_or(DidError::ResolutionFailed)?;

            if version_num != expected_version {
                return Err(DidError::ResolutionFailed.into());
            }
            expected_version += 1;

            // Check if deactivated
            if entry.parameters.deactivated {
                return Err(DidError::NotFound.into());
            }

            let mut doc = entry.state;
            if doc.id.is_empty() {
                doc.id = did.to_string();
            }
            last_doc = Some(doc);
        }

        last_doc.ok_or_else(|| DidError::NotFound.into())
    }

    /// Compute the SCID from a preliminary log entry.
    pub fn compute_scid(preliminary_entry: &str) -> String {
        let hash = Sha256::digest(preliminary_entry.as_bytes());
        let mut multihash = vec![0x12, 0x20];
        multihash.extend_from_slice(&hash);
        format!("z{}", base58_encode(&multihash))
    }
}

impl DidResolver for DidWebvhResolver {
    fn method(&self) -> &str {
        "webvh"
    }

    async fn resolve(&self, did: &str) -> baseid_core::Result<ResolutionResult> {
        let url = Self::did_to_url(did)?;

        let response = self
            .client
            .get(&url)
            .send()
            .await
            .map_err(|_| DidError::ResolutionFailed)?;

        if !response.status().is_success() {
            return Err(DidError::NotFound.into());
        }

        let body = response
            .text()
            .await
            .map_err(|_| DidError::ResolutionFailed)?;

        let document = Self::process_log(did, &body)?;

        Ok(ResolutionResult {
            document: Some(document),
            metadata: ResolutionMetadata {
                content_type: Some("application/did+ld+json".to_string()),
                error: None,
            },
        })
    }
}

fn base58_encode(data: &[u8]) -> String {
    const ALPHABET: &[u8; 58] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
    let mut result = Vec::new();
    let mut data = data.to_vec();
    let leading_zeros = data.iter().take_while(|&&b| b == 0).count();
    while !data.is_empty() {
        let mut remainder = 0u32;
        let mut new_data = Vec::new();
        for &byte in &data {
            let acc = (remainder << 8) | byte as u32;
            let digit = acc / 58;
            remainder = acc % 58;
            if !new_data.is_empty() || digit > 0 {
                new_data.push(digit as u8);
            }
        }
        result.push(ALPHABET[remainder as usize]);
        data = new_data;
    }
    result.extend(std::iter::repeat_n(b'1', leading_zeros));
    result.reverse();
    String::from_utf8(result).unwrap_or_default()
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::document::{VerificationMethod, VerificationRelationship};

    #[test]
    fn did_to_url_simple_domain() {
        let url = DidWebvhResolver::did_to_url("did:webvh:zSCID123:example.com").unwrap();
        assert_eq!(url, "https://example.com/.well-known/did.jsonl");
    }

    #[test]
    fn did_to_url_with_path() {
        let url =
            DidWebvhResolver::did_to_url("did:webvh:zSCID123:example.com:dids:issuer").unwrap();
        assert_eq!(url, "https://example.com/dids/issuer/did.jsonl");
    }

    #[test]
    fn did_to_url_with_port() {
        let url = DidWebvhResolver::did_to_url("did:webvh:zSCID123:example.com%3A3000").unwrap();
        assert_eq!(url, "https://example.com:3000/.well-known/did.jsonl");
    }

    #[test]
    fn process_single_entry_log() {
        let doc = DidDocument {
            id: "did:webvh:zSCID:example.com".to_string(),
            context: vec!["https://www.w3.org/ns/did/v1".to_string()],
            verification_method: vec![VerificationMethod {
                id: "#key-1".to_string(),
                r#type: "Multikey".to_string(),
                controller: "did:webvh:zSCID:example.com".to_string(),
                public_key_jwk: None,
                public_key_multibase: Some("z6MkTest".to_string()),
            }],
            authentication: vec![VerificationRelationship::Reference("#key-1".to_string())],
            assertion_method: vec![],
            key_agreement: vec![],
            service: vec![],
        };

        let entry = WebvhLogEntry {
            version_id: "1-hash123".to_string(),
            version_time: "2024-01-01T00:00:00Z".to_string(),
            parameters: WebvhParameters {
                method: "did:webvh:1.0".to_string(),
                scid: "zSCID".to_string(),
                ..Default::default()
            },
            state: doc,
        };

        let jsonl = serde_json::to_string(&entry).unwrap();
        let result = DidWebvhResolver::process_log("did:webvh:zSCID:example.com", &jsonl).unwrap();
        assert_eq!(result.verification_method.len(), 1);
    }

    #[test]
    fn process_multi_version_log() {
        let make_entry = |version: u64, key: &str| -> String {
            serde_json::to_string(&WebvhLogEntry {
                version_id: format!("{version}-hash{version}"),
                version_time: format!("2024-01-0{version}T00:00:00Z"),
                parameters: WebvhParameters::default(),
                state: DidDocument {
                    id: "did:webvh:zSCID:example.com".to_string(),
                    context: vec!["https://www.w3.org/ns/did/v1".to_string()],
                    verification_method: vec![VerificationMethod {
                        id: "#key-1".to_string(),
                        r#type: "Multikey".to_string(),
                        controller: String::new(),
                        public_key_jwk: None,
                        public_key_multibase: Some(key.to_string()),
                    }],
                    authentication: vec![],
                    assertion_method: vec![],
                    key_agreement: vec![],
                    service: vec![],
                },
            })
            .unwrap()
        };

        let jsonl = format!(
            "{}\n{}\n{}",
            make_entry(1, "zKey1"),
            make_entry(2, "zKey2"),
            make_entry(3, "zKey3")
        );
        let doc = DidWebvhResolver::process_log("did:webvh:zSCID:example.com", &jsonl).unwrap();
        // Should return the latest version
        assert_eq!(
            doc.verification_method[0].public_key_multibase.as_deref(),
            Some("zKey3")
        );
    }

    #[test]
    fn process_deactivated_did() {
        let entry = WebvhLogEntry {
            version_id: "1-hash".to_string(),
            version_time: "2024-01-01T00:00:00Z".to_string(),
            parameters: WebvhParameters {
                deactivated: true,
                ..Default::default()
            },
            state: DidDocument {
                id: String::new(),
                context: vec![],
                verification_method: vec![],
                authentication: vec![],
                assertion_method: vec![],
                key_agreement: vec![],
                service: vec![],
            },
        };
        let jsonl = serde_json::to_string(&entry).unwrap();
        let result = DidWebvhResolver::process_log("did:webvh:zSCID:example.com", &jsonl);
        assert!(result.is_err());
    }

    #[test]
    fn reject_invalid_version_order() {
        let entry1 = serde_json::to_string(&WebvhLogEntry {
            version_id: "1-hash1".to_string(),
            version_time: "2024-01-01T00:00:00Z".to_string(),
            parameters: WebvhParameters::default(),
            state: DidDocument {
                id: String::new(),
                context: vec![],
                verification_method: vec![],
                authentication: vec![],
                assertion_method: vec![],
                key_agreement: vec![],
                service: vec![],
            },
        })
        .unwrap();
        let entry3 = serde_json::to_string(&WebvhLogEntry {
            version_id: "3-hash3".to_string(), // Skipped version 2
            version_time: "2024-01-03T00:00:00Z".to_string(),
            parameters: WebvhParameters::default(),
            state: DidDocument {
                id: String::new(),
                context: vec![],
                verification_method: vec![],
                authentication: vec![],
                assertion_method: vec![],
                key_agreement: vec![],
                service: vec![],
            },
        })
        .unwrap();
        let jsonl = format!("{}\n{}", entry1, entry3);
        let result = DidWebvhResolver::process_log("did:webvh:zSCID:example.com", &jsonl);
        assert!(result.is_err());
    }

    #[test]
    fn compute_scid_deterministic() {
        let scid1 = DidWebvhResolver::compute_scid("test entry 1");
        let scid2 = DidWebvhResolver::compute_scid("test entry 1");
        let scid3 = DidWebvhResolver::compute_scid("test entry 2");
        assert_eq!(scid1, scid2); // Deterministic
        assert_ne!(scid1, scid3); // Different input → different SCID
        assert!(scid1.starts_with('z')); // Multibase base58btc
    }

    #[test]
    fn reject_invalid_did() {
        assert!(DidWebvhResolver::did_to_url("did:web:example.com").is_err());
        assert!(DidWebvhResolver::did_to_url("did:webvh:").is_err());
    }
}