{-# LANGUAGE DataKinds #-}
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE FlexibleInstances #-}
{-# LANGUAGE MultiParamTypeClasses #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE TemplateHaskell #-}

-- | Stability: experimental
-- This module exposes functions for processing and querying
-- [FIDO Metadata Service](https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html)
-- blobs and entries.
module Crypto.WebAuthn.Metadata.Service.Processing
  ( RootCertificate (..),
    ProcessingError (..),

import Control.Lens ((^.), (^?), _Just)
import Control.Lens.Combinators (makeClassyPrisms)
import Control.Monad.Except (MonadError, runExcept, throwError)
import Control.Monad.Reader (MonadReader, ask, runReaderT)
import Crypto.JOSE (AsError (_Error), fromX509Certificate)
import Crypto.JOSE.JWK.Store (VerificationKeyStore (getVerificationKeys))
import Crypto.JOSE.Types (URI)
import Crypto.JWT
  ( AsJWTError (_JWTError),
    HasX5c (x5c),
    HasX5u (x5u),
import Crypto.WebAuthn.Internal.DateOrphans ()
import Crypto.WebAuthn.Metadata.Service.Decode (decodeMetadataPayload)
import qualified Crypto.WebAuthn.Metadata.Service.Types as Service
import qualified Crypto.WebAuthn.Metadata.Service.WebIDL as ServiceIDL
import qualified Crypto.WebAuthn.Model as M
import Crypto.WebAuthn.Model.Identifier
    AuthenticatorIdentifier (AuthenticatorIdentifierFido2, AuthenticatorIdentifierFidoU2F),
import Data.Aeson (Value)
import qualified Data.Aeson.Types as Aeson
import qualified Data.ByteString as BS
import qualified Data.ByteString.Lazy as LBS
import Data.Either (partitionEithers)
import Data.FileEmbed (embedFile)
import Data.HashMap.Strict (HashMap, (!?))
import qualified Data.HashMap.Strict as HashMap
import Data.Hourglass (DateTime)
import Data.List.NonEmpty (NonEmpty)
import qualified Data.List.NonEmpty as NE
import Data.Text (Text)
import qualified Data.Text as Text
import Data.These (These (This))
import qualified Data.X509 as X509
import qualified Data.X509.CertificateStore as X509
import qualified Data.X509.Validation as X509
import GHC.Exts (fromList, toList)

-- | A root certificate along with the host it should be verified against
data RootCertificate = RootCertificate
  { -- | The root certificate itself
    RootCertificate -> CertificateStore
rootCertificateStore :: X509.CertificateStore,
    -- | The hostname it is for
    RootCertificate -> HostName
rootCertificateHostName :: X509.HostName

-- | Errors related to the processing of the metadata
data ProcessingError
  = -- | An error wrapping the errors encountered by the X509 Validation
    ProcessingValidationErrors (NE.NonEmpty X509.FailedReason)
  | -- | There was no x5c header present in the metadata JWT
  | -- | An error wrapping the general Errors from the JOSE library
    ProcessingJWSError Error
  | -- | An error wrapping the JWT specific Errors from the JOSE library
    ProcessingJWTError JWTError
  | -- | There was a x5u header present in the metadata JWT but this is unimplemented
    -- TODO: Implement step 4 of the
    -- [(spec)](https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#metadata-blob-object-processing-rules)
    ProcessingX5UPresent URI
  deriving (Int -> ProcessingError -> ShowS
[ProcessingError] -> ShowS
ProcessingError -> HostName
(Int -> ProcessingError -> ShowS)
-> (ProcessingError -> HostName)
-> ([ProcessingError] -> ShowS)
-> Show ProcessingError
forall a.
(Int -> a -> ShowS) -> (a -> HostName) -> ([a] -> ShowS) -> Show a
$cshowsPrec :: Int -> ProcessingError -> ShowS
showsPrec :: Int -> ProcessingError -> ShowS
$cshow :: ProcessingError -> HostName
show :: ProcessingError -> HostName
$cshowList :: [ProcessingError] -> ShowS
showList :: [ProcessingError] -> ShowS
Show, ProcessingError -> ProcessingError -> Bool
(ProcessingError -> ProcessingError -> Bool)
-> (ProcessingError -> ProcessingError -> Bool)
-> Eq ProcessingError
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
$c== :: ProcessingError -> ProcessingError -> Bool
== :: ProcessingError -> ProcessingError -> Bool
$c/= :: ProcessingError -> ProcessingError -> Bool
/= :: ProcessingError -> ProcessingError -> Bool

-- | Create Prisms for the error type, used in the AsError and AsJWTError
-- instances below
makeClassyPrisms ''ProcessingError

-- | Instantiate JOSE's AsError typeclass as a simple cast to our own error
-- type. This allows using our own error type in JOSE operations.
instance AsError ProcessingError where
  _Error :: Prism' ProcessingError Error
_Error = p Error (f Error) -> p ProcessingError (f ProcessingError)
forall r. AsProcessingError r => Prism' r Error
Prism' ProcessingError Error

-- | Instantiate JOSE's AsJWTError typeclass as a simple cast to our own error
-- type. This allows using our own error type in JWT operations.
instance AsJWTError ProcessingError where
  _JWTError :: Prism' ProcessingError JWTError
_JWTError = p JWTError (f JWTError) -> p ProcessingError (f ProcessingError)
forall r. AsProcessingError r => Prism' r JWTError
Prism' ProcessingError JWTError

-- | The root certificate used for the blob downloaded from <https://mds.fidoalliance.org/>,
-- which can be found in [here](https://valid.r3.roots.globalsign.com/),
-- see also <https://fidoalliance.org/metadata/>
fidoAllianceRootCertificate :: RootCertificate
fidoAllianceRootCertificate :: RootCertificate
fidoAllianceRootCertificate =
    { rootCertificateStore :: CertificateStore
rootCertificateStore = [SignedCertificate] -> CertificateStore
X509.makeCertificateStore [SignedCertificate
      rootCertificateHostName :: HostName
rootCertificateHostName = HostName
    bytes :: BS.ByteString
    bytes :: ByteString
bytes = $(embedFile "root-certs/metadata/root.crt")
    rootCert :: X509.SignedCertificate
    rootCert :: SignedCertificate
rootCert = case ByteString -> Either HostName SignedCertificate
X509.decodeSignedCertificate ByteString
bytes of
      Left HostName
err -> HostName -> SignedCertificate
forall a. HasCallStack => HostName -> a
error HostName
      Right SignedCertificate
cert -> SignedCertificate

instance (MonadError ProcessingError m, MonadReader DateTime m) => VerificationKeyStore m (JWSHeader ()) p RootCertificate where
  getVerificationKeys :: JWSHeader () -> p -> RootCertificate -> m [JWK]
getVerificationKeys JWSHeader ()
header p
_ (RootCertificate CertificateStore
rootStore HostName
hostName) = do
    -- TODO: Implement step 4 of the spec, which says to try to get the chain
    -- from x5u first before trying x5c. See:
    -- <https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#metadata-blob-object-processing-rules>
    -- and <https://github.com/tweag/webauthn/issues/23>
    -- In order to prevent issues due to the lack of an implementation for x5u,
    -- we do check if it is empty before continuing. If not empty, we result in
    -- an error instead.
    case JWSHeader ()
header JWSHeader () -> Getting (First URI) (JWSHeader ()) URI -> Maybe URI
forall s a. s -> Getting (First a) s a -> Maybe a
^? (Maybe (HeaderParam () URI)
 -> Const (First URI) (Maybe (HeaderParam () URI)))
-> JWSHeader () -> Const (First URI) (JWSHeader ())
forall p. Lens' (JWSHeader p) (Maybe (HeaderParam p URI))
forall (a :: * -> *) p.
HasX5u a =>
Lens' (a p) (Maybe (HeaderParam p URI))
x5u ((Maybe (HeaderParam () URI)
  -> Const (First URI) (Maybe (HeaderParam () URI)))
 -> JWSHeader () -> Const (First URI) (JWSHeader ()))
-> ((URI -> Const (First URI) URI)
    -> Maybe (HeaderParam () URI)
    -> Const (First URI) (Maybe (HeaderParam () URI)))
-> Getting (First URI) (JWSHeader ()) URI
forall b c a. (b -> c) -> (a -> b) -> a -> c
. (HeaderParam () URI -> Const (First URI) (HeaderParam () URI))
-> Maybe (HeaderParam () URI)
-> Const (First URI) (Maybe (HeaderParam () URI))
forall a b (p :: * -> * -> *) (f :: * -> *).
(Choice p, Applicative f) =>
p a (f b) -> p (Maybe a) (f (Maybe b))
_Just ((HeaderParam () URI -> Const (First URI) (HeaderParam () URI))
 -> Maybe (HeaderParam () URI)
 -> Const (First URI) (Maybe (HeaderParam () URI)))
-> ((URI -> Const (First URI) URI)
    -> HeaderParam () URI -> Const (First URI) (HeaderParam () URI))
-> (URI -> Const (First URI) URI)
-> Maybe (HeaderParam () URI)
-> Const (First URI) (Maybe (HeaderParam () URI))
forall b c a. (b -> c) -> (a -> b) -> a -> c
. (URI -> Const (First URI) URI)
-> HeaderParam () URI -> Const (First URI) (HeaderParam () URI)
forall p a (f :: * -> *).
Functor f =>
(a -> f a) -> HeaderParam p a -> f (HeaderParam p a)
param of
      Maybe URI
Nothing -> () -> m ()
forall a. a -> m a
forall (f :: * -> *) a. Applicative f => a -> f a
pure ()
      Just URI
uri -> ProcessingError -> m ()
forall a. ProcessingError -> m a
forall e (m :: * -> *) a. MonadError e m => e -> m a
throwError (ProcessingError -> m ()) -> ProcessingError -> m ()
forall a b. (a -> b) -> a -> b
$ URI -> ProcessingError
ProcessingX5UPresent URI

    NonEmpty SignedCertificate
chain <- case JWSHeader ()
header JWSHeader ()
-> Getting
     (First (NonEmpty SignedCertificate))
     (JWSHeader ())
     (NonEmpty SignedCertificate)
-> Maybe (NonEmpty SignedCertificate)
forall s a. s -> Getting (First a) s a -> Maybe a
^? (Maybe (HeaderParam () (NonEmpty SignedCertificate))
 -> Const
      (First (NonEmpty SignedCertificate))
      (Maybe (HeaderParam () (NonEmpty SignedCertificate))))
-> JWSHeader ()
-> Const (First (NonEmpty SignedCertificate)) (JWSHeader ())
forall p.
  (JWSHeader p) (Maybe (HeaderParam p (NonEmpty SignedCertificate)))
forall (a :: * -> *) p.
HasX5c a =>
Lens' (a p) (Maybe (HeaderParam p (NonEmpty SignedCertificate)))
x5c ((Maybe (HeaderParam () (NonEmpty SignedCertificate))
  -> Const
       (First (NonEmpty SignedCertificate))
       (Maybe (HeaderParam () (NonEmpty SignedCertificate))))
 -> JWSHeader ()
 -> Const (First (NonEmpty SignedCertificate)) (JWSHeader ()))
-> ((NonEmpty SignedCertificate
     -> Const
          (First (NonEmpty SignedCertificate)) (NonEmpty SignedCertificate))
    -> Maybe (HeaderParam () (NonEmpty SignedCertificate))
    -> Const
         (First (NonEmpty SignedCertificate))
         (Maybe (HeaderParam () (NonEmpty SignedCertificate))))
-> Getting
     (First (NonEmpty SignedCertificate))
     (JWSHeader ())
     (NonEmpty SignedCertificate)
forall b c a. (b -> c) -> (a -> b) -> a -> c
. (HeaderParam () (NonEmpty SignedCertificate)
 -> Const
      (First (NonEmpty SignedCertificate))
      (HeaderParam () (NonEmpty SignedCertificate)))
-> Maybe (HeaderParam () (NonEmpty SignedCertificate))
-> Const
     (First (NonEmpty SignedCertificate))
     (Maybe (HeaderParam () (NonEmpty SignedCertificate)))
forall a b (p :: * -> * -> *) (f :: * -> *).
(Choice p, Applicative f) =>
p a (f b) -> p (Maybe a) (f (Maybe b))
_Just ((HeaderParam () (NonEmpty SignedCertificate)
  -> Const
       (First (NonEmpty SignedCertificate))
       (HeaderParam () (NonEmpty SignedCertificate)))
 -> Maybe (HeaderParam () (NonEmpty SignedCertificate))
 -> Const
      (First (NonEmpty SignedCertificate))
      (Maybe (HeaderParam () (NonEmpty SignedCertificate))))
-> ((NonEmpty SignedCertificate
     -> Const
          (First (NonEmpty SignedCertificate)) (NonEmpty SignedCertificate))
    -> HeaderParam () (NonEmpty SignedCertificate)
    -> Const
         (First (NonEmpty SignedCertificate))
         (HeaderParam () (NonEmpty SignedCertificate)))
-> (NonEmpty SignedCertificate
    -> Const
         (First (NonEmpty SignedCertificate)) (NonEmpty SignedCertificate))
-> Maybe (HeaderParam () (NonEmpty SignedCertificate))
-> Const
     (First (NonEmpty SignedCertificate))
     (Maybe (HeaderParam () (NonEmpty SignedCertificate)))
forall b c a. (b -> c) -> (a -> b) -> a -> c
. (NonEmpty SignedCertificate
 -> Const
      (First (NonEmpty SignedCertificate)) (NonEmpty SignedCertificate))
-> HeaderParam () (NonEmpty SignedCertificate)
-> Const
     (First (NonEmpty SignedCertificate))
     (HeaderParam () (NonEmpty SignedCertificate))
forall p a (f :: * -> *).
Functor f =>
(a -> f a) -> HeaderParam p a -> f (HeaderParam p a)
param of
      Maybe (NonEmpty SignedCertificate)
Nothing ->
        ProcessingError -> m (NonEmpty SignedCertificate)
forall a. ProcessingError -> m a
forall e (m :: * -> *) a. MonadError e m => e -> m a
throwError ProcessingError
      Just NonEmpty SignedCertificate
chain -> NonEmpty SignedCertificate -> m (NonEmpty SignedCertificate)
forall a. a -> m a
forall (m :: * -> *) a. Monad m => a -> m a
return NonEmpty SignedCertificate

now <- m DateTime
forall r (m :: * -> *). MonadReader r m => m r

    -- TODO: Check CRLs, see <https://github.com/tweag/haskell-fido2/issues/23>
    let validationErrors :: [FailedReason]
validationErrors =
-> ValidationHooks
-> ValidationChecks
-> CertificateStore
-> ServiceID
-> CertificateChain
-> [FailedReason]
hostName, ByteString
            ([SignedCertificate] -> CertificateChain
X509.CertificateChain (NonEmpty SignedCertificate -> [SignedCertificate]
forall a. NonEmpty a -> [a]
NE.toList NonEmpty SignedCertificate

    case [FailedReason] -> Maybe (NonEmpty FailedReason)
forall a. [a] -> Maybe (NonEmpty a)
NE.nonEmpty [FailedReason]
validationErrors of
      Maybe (NonEmpty FailedReason)
Nothing -> do
        -- Create a JWK from the leaf certificate, which is used to sign the payload
jwk <- SignedCertificate -> m JWK
forall e (m :: * -> *).
(AsError e, MonadError e m) =>
SignedCertificate -> m JWK
fromX509Certificate (NonEmpty SignedCertificate -> SignedCertificate
forall a. NonEmpty a -> a
NE.head NonEmpty SignedCertificate
        [JWK] -> m [JWK]
forall a. a -> m a
forall (m :: * -> *) a. Monad m => a -> m a
return [JWK
      Just NonEmpty FailedReason
errors ->
        ProcessingError -> m [JWK]
forall a. ProcessingError -> m a
forall e (m :: * -> *) a. MonadError e m => e -> m a
throwError (ProcessingError -> m [JWK]) -> ProcessingError -> m [JWK]
forall a b. (a -> b) -> a -> b
$ NonEmpty FailedReason -> ProcessingError
ProcessingValidationErrors NonEmpty FailedReason

-- | Extracts a FIDO Metadata payload JSON value from a JWT bytestring according to https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html
jwtToJson ::
  -- | The bytes of the JWT blob
  BS.ByteString ->
  -- | The root certificate the blob is signed with
  RootCertificate ->
  -- | The current time for which to validate the JWT blob
  DateTime ->
  Either ProcessingError (HashMap Text Value)
jwtToJson :: ByteString
-> RootCertificate
-> DateTime
-> Either ProcessingError (HashMap Text Value)
jwtToJson ByteString
blob RootCertificate
rootCert DateTime
now = Except ProcessingError (HashMap Text Value)
-> Either ProcessingError (HashMap Text Value)
forall e a. Except e a -> Either e a
runExcept (Except ProcessingError (HashMap Text Value)
 -> Either ProcessingError (HashMap Text Value))
-> Except ProcessingError (HashMap Text Value)
-> Either ProcessingError (HashMap Text Value)
forall a b. (a -> b) -> a -> b
$ do
jwt <- ByteString -> ExceptT ProcessingError Identity SignedJWT
forall a e (m :: * -> *).
(FromCompact a, AsError e, MonadError e m) =>
ByteString -> m a
decodeCompact (ByteString -> ExceptT ProcessingError Identity SignedJWT)
-> ByteString -> ExceptT ProcessingError Identity SignedJWT
forall a b. (a -> b) -> a -> b
$ ByteString -> ByteString
LBS.fromStrict ByteString
claims <- ReaderT DateTime (ExceptT ProcessingError Identity) ClaimsSet
-> DateTime -> ExceptT ProcessingError Identity ClaimsSet
forall r (m :: * -> *) a. ReaderT r m a -> r -> m a
runReaderT (JWTValidationSettings
-> RootCertificate
-> SignedJWT
-> ReaderT DateTime (ExceptT ProcessingError Identity) ClaimsSet
forall (m :: * -> *) a e k.
(MonadTime m, HasAllowedSkew a, HasAudiencePredicate a,
 HasIssuerPredicate a, HasCheckIssuedAt a, HasValidationSettings a,
 AsError e, AsJWTError e, MonadError e m,
 VerificationKeyStore m (JWSHeader ()) ClaimsSet k) =>
a -> k -> SignedJWT -> m ClaimsSet
verifyClaims ((StringOrURI -> Bool) -> JWTValidationSettings
defaultJWTValidationSettings (Bool -> StringOrURI -> Bool
forall a b. a -> b -> a
const Bool
True)) RootCertificate
rootCert SignedJWT
jwt) DateTime
  HashMap Text Value -> Except ProcessingError (HashMap Text Value)
forall a. a -> ExceptT ProcessingError Identity a
forall (m :: * -> *) a. Monad m => a -> m a
return (HashMap Text Value -> Except ProcessingError (HashMap Text Value))
-> (Map Text Value -> HashMap Text Value)
-> Map Text Value
-> Except ProcessingError (HashMap Text Value)
forall b c a. (b -> c) -> (a -> b) -> a -> c
. [(Text, Value)] -> HashMap Text Value
[Item (HashMap Text Value)] -> HashMap Text Value
forall l. IsList l => [Item l] -> l
fromList ([(Text, Value)] -> HashMap Text Value)
-> (Map Text Value -> [(Text, Value)])
-> Map Text Value
-> HashMap Text Value
forall b c a. (b -> c) -> (a -> b) -> a -> c
. Map Text Value -> [(Text, Value)]
Map Text Value -> [Item (Map Text Value)]
forall l. IsList l => l -> [Item l]
toList (Map Text Value -> Except ProcessingError (HashMap Text Value))
-> Map Text Value -> Except ProcessingError (HashMap Text Value)
forall a b. (a -> b) -> a -> b
$ ClaimsSet
claims ClaimsSet
-> Getting (Map Text Value) ClaimsSet (Map Text Value)
-> Map Text Value
forall s a. s -> Getting a s a -> a
^. Getting (Map Text Value) ClaimsSet (Map Text Value)
Lens' ClaimsSet (Map Text Value)

-- | Decodes a FIDO Metadata payload JSON value to a 'Service.MetadataPayload',
-- returning an error when the JSON is invalid, and ignoring any entries not
-- relevant for webauthn. For the purposes of implementing the
-- relying party the `Crypto.WebAuthn.Metadata.Service.Types.mpNextUpdate`
-- and `Crypto.WebAuthn.Metadata.Service.Types.mpEntries` fields are most
-- important.
jsonToPayload :: HashMap Text Value -> These (NonEmpty Text) Service.MetadataPayload
jsonToPayload :: HashMap Text Value -> These (NonEmpty Text) MetadataPayload
jsonToPayload HashMap Text Value
value = case (HashMap Text Value -> Parser MetadataBLOBPayload)
-> HashMap Text Value -> Either HostName MetadataBLOBPayload
forall a b. (a -> Parser b) -> a -> Either HostName b
Aeson.parseEither HashMap Text Value -> Parser MetadataBLOBPayload
metadataPayloadParser HashMap Text Value
value of
  Left HostName
err -> NonEmpty Text -> These (NonEmpty Text) MetadataPayload
forall a b. a -> These a b
This (HostName -> Text
Text.pack HostName
err Text -> [Text] -> NonEmpty Text
forall a. a -> [a] -> NonEmpty a
NE.:| [])
  Right MetadataBLOBPayload
payload -> MetadataBLOBPayload -> These (NonEmpty Text) MetadataPayload
decodeMetadataPayload MetadataBLOBPayload

metadataPayloadParser :: HashMap Text Aeson.Value -> Aeson.Parser ServiceIDL.MetadataBLOBPayload
metadataPayloadParser :: HashMap Text Value -> Parser MetadataBLOBPayload
metadataPayloadParser HashMap Text Value
hm = case (HashMap Text Value
hm HashMap Text Value -> Text -> Maybe Value
forall k v. (Eq k, Hashable k) => HashMap k v -> k -> Maybe v
!? Text
"legalHeader", HashMap Text Value
hm HashMap Text Value -> Text -> Maybe Value
forall k v. (Eq k, Hashable k) => HashMap k v -> k -> Maybe v
!? Text
"no", HashMap Text Value
hm HashMap Text Value -> Text -> Maybe Value
forall k v. (Eq k, Hashable k) => HashMap k v -> k -> Maybe v
!? Text
"nextUpdate", HashMap Text Value
hm HashMap Text Value -> Text -> Maybe Value
forall k v. (Eq k, Hashable k) => HashMap k v -> k -> Maybe v
!? Text
"entries") of
  (Just Value
legalHeader, Just Value
no, Just Value
nextUpdate, Just Value
entries) -> do
    Maybe Text
legalHeader <- Value -> Parser (Maybe Text)
forall a. FromJSON a => Value -> Parser a
Aeson.parseJSON Value
no <- Value -> Parser Int
forall a. FromJSON a => Value -> Parser a
Aeson.parseJSON Value
nextUpdate <- Value -> Parser Text
forall a. FromJSON a => Value -> Parser a
Aeson.parseJSON Value
entries <- Value -> Parser [MetadataBLOBPayloadEntry]
forall a. FromJSON a => Value -> Parser a
Aeson.parseJSON Value
    MetadataBLOBPayload -> Parser MetadataBLOBPayload
forall a. a -> Parser a
forall (f :: * -> *) a. Applicative f => a -> f a
pure (MetadataBLOBPayload -> Parser MetadataBLOBPayload)
-> MetadataBLOBPayload -> Parser MetadataBLOBPayload
forall a b. (a -> b) -> a -> b
      ServiceIDL.MetadataBLOBPayload {Int
Maybe Text
legalHeader :: Maybe Text
no :: Int
nextUpdate :: Text
entries :: [MetadataBLOBPayloadEntry]
$sel:legalHeader:MetadataBLOBPayload :: Maybe Text
$sel:no:MetadataBLOBPayload :: Int
$sel:nextUpdate:MetadataBLOBPayload :: Text
$sel:entries:MetadataBLOBPayload :: [MetadataBLOBPayloadEntry]
  (Maybe Value, Maybe Value, Maybe Value, Maybe Value)
_ -> HostName -> Parser MetadataBLOBPayload
forall a. HostName -> Parser a
forall (m :: * -> *) a. MonadFail m => HostName -> m a
fail HostName
"Could not decode MetadataBLOB: missing fields"

-- | Creates a 'Service.MetadataServiceRegistry' from a list of
-- 'Service.SomeMetadataEntry', which can either be obtained from a
-- 'Service.MetadataPayload's 'Service.mpEntries' field, or be constructed
-- directly
-- The resulting structure can be queried efficiently for
-- 'Service.MetadataEntry' using 'queryMetadata'
createMetadataRegistry :: [Service.SomeMetadataEntry] -> Service.MetadataServiceRegistry
createMetadataRegistry :: [SomeMetadataEntry] -> MetadataServiceRegistry
createMetadataRegistry [SomeMetadataEntry]
entries = Service.MetadataServiceRegistry {HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
HashMap AAGUID (MetadataEntry 'Fido2)
fido2Entries :: HashMap AAGUID (MetadataEntry 'Fido2)
fidoU2FEntries :: HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
fido2Entries :: HashMap AAGUID (MetadataEntry 'Fido2)
fidoU2FEntries :: HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
    fido2Entries :: HashMap AAGUID (MetadataEntry 'Fido2)
fido2Entries = [(AAGUID, MetadataEntry 'Fido2)]
-> HashMap AAGUID (MetadataEntry 'Fido2)
forall k v. (Eq k, Hashable k) => [(k, v)] -> HashMap k v
HashMap.fromList [(AAGUID, MetadataEntry 'Fido2)]
    fidoU2FEntries :: HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
fidoU2FEntries = [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
-> HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
forall k v. (Eq k, Hashable k) => [(k, v)] -> HashMap k v
HashMap.fromList [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
    ([(AAGUID, MetadataEntry 'Fido2)]
fido2Pairs, [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
fidoU2FPairs) = [Either
   (AAGUID, MetadataEntry 'Fido2)
   (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
-> ([(AAGUID, MetadataEntry 'Fido2)],
    [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)])
forall a b. [Either a b] -> ([a], [b])
partitionEithers ([Either
    (AAGUID, MetadataEntry 'Fido2)
    (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
 -> ([(AAGUID, MetadataEntry 'Fido2)],
     [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]))
-> [Either
      (AAGUID, MetadataEntry 'Fido2)
      (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
-> ([(AAGUID, MetadataEntry 'Fido2)],
    [(SubjectKeyIdentifier, MetadataEntry 'FidoU2F)])
forall a b. (a -> b) -> a -> b
$ (SomeMetadataEntry
 -> Either
      (AAGUID, MetadataEntry 'Fido2)
      (SubjectKeyIdentifier, MetadataEntry 'FidoU2F))
-> [SomeMetadataEntry]
-> [Either
      (AAGUID, MetadataEntry 'Fido2)
      (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)]
forall a b. (a -> b) -> [a] -> [b]
map SomeMetadataEntry
-> Either
     (AAGUID, MetadataEntry 'Fido2)
     (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)
fromSomeMetadataEntry [SomeMetadataEntry]

    fromSomeMetadataEntry :: Service.SomeMetadataEntry -> Either (AAGUID, Service.MetadataEntry 'M.Fido2) (SubjectKeyIdentifier, Service.MetadataEntry 'M.FidoU2F)
    fromSomeMetadataEntry :: SomeMetadataEntry
-> Either
     (AAGUID, MetadataEntry 'Fido2)
     (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)
fromSomeMetadataEntry (Service.SomeMetadataEntry entry :: MetadataEntry p
entry@Service.MetadataEntry {Maybe MetadataStatement
NonEmpty StatusReport
AuthenticatorIdentifier p
meIdentifier :: AuthenticatorIdentifier p
meMetadataStatement :: Maybe MetadataStatement
meStatusReports :: NonEmpty StatusReport
meTimeOfLastStatusChange :: Date
meIdentifier :: forall (p :: ProtocolKind).
MetadataEntry p -> AuthenticatorIdentifier p
meMetadataStatement :: forall (p :: ProtocolKind).
MetadataEntry p -> Maybe MetadataStatement
meStatusReports :: forall (p :: ProtocolKind).
MetadataEntry p -> NonEmpty StatusReport
meTimeOfLastStatusChange :: forall (p :: ProtocolKind). MetadataEntry p -> Date
..}) = case AuthenticatorIdentifier p
meIdentifier of
      AuthenticatorIdentifierFido2 AAGUID
aaguid -> (AAGUID, MetadataEntry 'Fido2)
-> Either
     (AAGUID, MetadataEntry 'Fido2)
     (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)
forall a b. a -> Either a b
aaguid, MetadataEntry p
MetadataEntry 'Fido2
      AuthenticatorIdentifierFidoU2F SubjectKeyIdentifier
subjectKeyIdentifier -> (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)
-> Either
     (AAGUID, MetadataEntry 'Fido2)
     (SubjectKeyIdentifier, MetadataEntry 'FidoU2F)
forall a b. b -> Either a b
Right (SubjectKeyIdentifier
subjectKeyIdentifier, MetadataEntry p
MetadataEntry 'FidoU2F

-- | Query a 'Service.MetadataEntry' for an 'M.AuthenticatorIdentifier'
queryMetadata ::
  Service.MetadataServiceRegistry ->
  AuthenticatorIdentifier p ->
  Maybe (Service.MetadataEntry p)
queryMetadata :: forall (p :: ProtocolKind).
-> AuthenticatorIdentifier p -> Maybe (MetadataEntry p)
queryMetadata MetadataServiceRegistry
registry (AuthenticatorIdentifierFido2 AAGUID
aaguid) =
-> HashMap AAGUID (MetadataEntry p) -> Maybe (MetadataEntry p)
forall k v. (Eq k, Hashable k) => k -> HashMap k v -> Maybe v
HashMap.lookup AAGUID
aaguid (MetadataServiceRegistry -> HashMap AAGUID (MetadataEntry 'Fido2)
Service.fido2Entries MetadataServiceRegistry
queryMetadata MetadataServiceRegistry
registry (AuthenticatorIdentifierFidoU2F SubjectKeyIdentifier
subjectKeyIdentifier) =
-> HashMap SubjectKeyIdentifier (MetadataEntry p)
-> Maybe (MetadataEntry p)
forall k v. (Eq k, Hashable k) => k -> HashMap k v -> Maybe v
HashMap.lookup SubjectKeyIdentifier
subjectKeyIdentifier (MetadataServiceRegistry
-> HashMap SubjectKeyIdentifier (MetadataEntry 'FidoU2F)
Service.fidoU2FEntries MetadataServiceRegistry