#3663: change credentialsubject to map, use casting instead of marshalling where possible

Author: reinkrul

api/ssi_types_test.go

@@ -129,10 +129,14 @@ func createVerifiableCredential() vcr.VerifiableCredential {
 			ssi.MustParseURI("NutsOrganizationCredential"),
 			ssi.MustParseURI("VerifiableCredential"),
 		},
-		Issuer:            ssi.MustParseURI("did:nuts:CuE3qeFGGLhEAS3gKzhMCeqd1dGa9at5JCbmCfyMU2Ey"),
-		IssuanceDate:      issuanceDate,
-		CredentialSubject: []interface{}{"subject"},
-		Proof:             []interface{}{"because"},
+		Issuer:       ssi.MustParseURI("did:nuts:CuE3qeFGGLhEAS3gKzhMCeqd1dGa9at5JCbmCfyMU2Ey"),
+		IssuanceDate: issuanceDate,
+		CredentialSubject: []map[string]any{
+			{
+				"id": "subject",
+			},
+		},
+		Proof: []interface{}{"because"},
 	}
 }
 

auth/api/auth/v1/api_test.go

@@ -34,6 +34,7 @@ import (
 	"github.com/nuts-foundation/nuts-node/auth/services/oauth"
 	"github.com/nuts-foundation/nuts-node/core"
 	"github.com/nuts-foundation/nuts-node/core/to"
+	"github.com/nuts-foundation/nuts-node/test"
 	"github.com/nuts-foundation/nuts-node/vcr"
 	"github.com/nuts-foundation/nuts-node/vcr/credential"
 	"github.com/nuts-foundation/nuts-node/vdr"
@@ -507,7 +508,7 @@ func TestWrapper_RequestAccessToken(t *testing.T) {
 				Type:         []ssi.URI{*credential.NutsAuthorizationCredentialTypeURI, vc.VerifiableCredentialTypeV1URI()},
 				Issuer:       vdr.TestDIDA.URI(),
 				IssuanceDate: issuanceDate,
-				CredentialSubject: []interface{}{credential.NutsAuthorizationCredentialSubject{
+				CredentialSubject: []map[string]any{test.MustRemarshalIntoMap(credential.NutsAuthorizationCredentialSubject{
 					ID:           vdr.TestDIDB.String(),
 					PurposeOfUse: "eTransfer",
 					Resources: []credential.Resource{
@@ -517,7 +518,7 @@ func TestWrapper_RequestAccessToken(t *testing.T) {
 							UserContext: true,
 						},
 					},
-				}},
+				})},
 				Proof: []interface{}{vc.Proof{}},
 			},
 		}

auth/api/iam/api.go

@@ -754,12 +754,7 @@ func (r Wrapper) RequestServiceAccessToken(ctx context.Context, request RequestS
 	// by the nuts-node to build the correct wallet for a DID. See https://github.com/nuts-foundation/nuts-node/issues/3696
 	// As a sideeffect it is no longer possible to pass signed credentials to this API.
 	for _, cred := range credentials {
-		var credentialSubject []map[string]interface{}
-		if err := cred.UnmarshalCredentialSubject(&credentialSubject); err != nil {
-			// extremely unlikely
-			return nil, core.InvalidInputError("failed to parse credentialSubject.id: %w", err)
-		}
-		for _, credSub := range credentialSubject {
+		for _, credSub := range cred.CredentialSubject {
 			if _, ok := credSub["id"]; ok {
 				return nil, core.InvalidInputError("self-asserted credentials MUST NOT contain a 'credentialSubject.id'")
 			}

auth/api/iam/api_test.go

@@ -1034,7 +1034,7 @@ func TestWrapper_RequestServiceAccessToken(t *testing.T) {
 			body.Credentials = &[]vc.VerifiableCredential{
 				{
 					ID:                to.Ptr(ssi.MustParseURI("not empty")),
-					CredentialSubject: []any{map[string]string{"id": "not empty"}},
+					CredentialSubject: []map[string]any{{"id": "not empty"}},
 				},
 			}
 			request := RequestServiceAccessTokenRequestObject{SubjectID: holderSubjectID, Body: body}
@@ -1498,7 +1498,7 @@ func createIssuerCredential(issuerDID did.DID, holderDID did.DID) *vc.Verifiable
 		Issuer:            issuerDID.URI(),
 		Context:           []ssi.URI{credential.NutsV1ContextURI},
 		Type:              []ssi.URI{credType},
-		CredentialSubject: []interface{}{map[string]interface{}{"id": holderDID.String()}},
+		CredentialSubject: []map[string]any{{"id": holderDID.String()}},
 		IssuanceDate:      time.Now(),
 	}
 	verifiableCredential, _ := vc.CreateJWTVerifiableCredential(nil, template, captureFn)

auth/api/iam/s2s_vptoken_test.go

@@ -308,7 +308,7 @@ func TestWrapper_handleS2SAccessTokenRequest(t *testing.T) {
 		t.Run("VC without credentialSubject.id", func(t *testing.T) {
 			ctx := newTestClient(t)
 			presentation := test.CreateJSONLDPresentation(t, *subjectDID, proofVisitor, vc.VerifiableCredential{
-				CredentialSubject: []interface{}{map[string]string{}},
+				CredentialSubject: []map[string]any{{}},
 			})
 
 			resp, err := ctx.client.handleS2SAccessTokenRequest(context.Background(), clientID, issuerSubjectID, requestedScope, submissionJSON, presentation.Raw())
@@ -353,8 +353,8 @@ func TestWrapper_handleS2SAccessTokenRequest(t *testing.T) {
 		// This indicates the client presented credentials that don't actually match the presentation definition,
 		// which could indicate a malicious client.
 		otherVerifiableCredential := vc.VerifiableCredential{
-			CredentialSubject: []interface{}{
-				map[string]interface{}{
+			CredentialSubject: []map[string]any{
+				{
 					"id": subjectDID.String(),
 					// just for demonstration purposes, what matters is that the credential does not match the presentation definition.
 					"IsAdministrator": true,

auth/api/iam/user.go

@@ -180,8 +180,8 @@ func (r Wrapper) issueEmployeeCredential(ctx context.Context, session user.Sessi
 		Issuer:         issuerDID,
 		IssuanceDate:   issuanceDate,
 		ExpirationDate: &expirationDate,
-		CredentialSubject: []interface{}{
-			map[string]string{
+		CredentialSubject: []map[string]any{
+			{
 				"id":         session.Wallet.DID.String(),
 				"identifier": userDetails.Id,
 				"name":       userDetails.Name,

auth/api/iam/user_test.go

@@ -131,8 +131,8 @@ func TestWrapper_handleUserLanding(t *testing.T) {
 		assert.Equal(t, jwa.EC, sessionKey.KeyType())
 		// check for details of issued NutsEmployeeCredential
 		assert.Equal(t, "NutsEmployeeCredential", employeeCredentialTemplate.Type[0].String())
-		employeeCredentialSubject := employeeCredentialTemplate.CredentialSubject[0].(map[string]string)
-		assert.True(t, strings.HasPrefix(employeeCredentialSubject["id"], "did:jwk:"))
+		employeeCredentialSubject := employeeCredentialTemplate.CredentialSubject[0]
+		assert.True(t, strings.HasPrefix(employeeCredentialSubject["id"].(string), "did:jwk:"))
 		assert.Equal(t, userDetails.Id, employeeCredentialSubject["identifier"])
 		assert.Equal(t, userDetails.Name, employeeCredentialSubject["name"])
 		assert.Equal(t, userDetails.Role, employeeCredentialSubject["roleName"])

auth/client/iam/openid4vp_test.go

@@ -292,8 +292,8 @@ func TestRelyingParty_RequestRFC021AccessToken(t *testing.T) {
 					credential.NutsV1ContextURI,
 				},
 				Type: []ssi.URI{vc.VerifiableCredentialTypeV1URI(), ssi.MustParseURI("NutsEmployeeCredential")},
-				CredentialSubject: []interface{}{
-					map[string]interface{}{
+				CredentialSubject: []map[string]any{
+					{
 						"roleName":   "employee",
 						"name":       "John Doe",
 						"identifier": "123",

auth/services/oauth/relying_party_test.go

@@ -133,17 +133,19 @@ func TestService_CreateJwtBearerToken(t *testing.T) {
 		Type:         []ssi.URI{*credential.NutsAuthorizationCredentialTypeURI, vc.VerifiableCredentialTypeV1URI()},
 		Issuer:       vdr.TestDIDA.URI(),
 		IssuanceDate: issuanceDate,
-		CredentialSubject: []interface{}{credential.NutsAuthorizationCredentialSubject{
-			ID:           vdr.TestDIDB.String(),
-			PurposeOfUse: "eTransfer",
-			Resources: []credential.Resource{
-				{
-					Path:        "/composition/1",
-					Operations:  []string{"read"},
-					UserContext: true,
+		CredentialSubject: []map[string]any{
+			{
+				"id":           vdr.TestDIDB.String(),
+				"purposeOfUse": "eTransfer",
+				"resources": []any{
+					map[string]any{
+						"path":        "/composition/1",
+						"operations":  []string{"read"},
+						"userContext": true,
+					},
 				},
 			},
-		}},
+		},
 		Proof: []interface{}{vc.Proof{}},
 	}
 

auth/services/selfsigned/signer_test.go

@@ -247,7 +247,7 @@ func TestSessionStore_SigningSessionStatus(t *testing.T) {
 				assert.Equal(t, employer.URI(), credential.Issuer)
 				assert.Equal(t, []ssi.URI{ssi.MustParseURI("NutsEmployeeCredential")}, credential.Type)
 
-				credentialSubject := credential.CredentialSubject[0].(map[string]interface{})
+				credentialSubject := credential.CredentialSubject[0]
 				assert.Equal(t, employer.String(), credentialSubject["id"])
 				assert.Equal(t, "Organization", credentialSubject["type"])
 				require.IsType(t, map[string]interface{}{}, credentialSubject["member"])

auth/services/selfsigned/types/types.go

@@ -20,7 +20,6 @@ package types
 
 import (
 	"context"
-	"encoding/json"
 	"github.com/nuts-foundation/nuts-node/vcr/credential"
 	"strings"
 	"time"
@@ -44,27 +43,26 @@ type Session struct {
 	Employee  Employee
 }
 
-func (s Session) CredentialSubject() []interface{} {
-	subject := EmployeeIdentityCredentialSubject{
-		BaseCredentialSubject: credential.BaseCredentialSubject{
-			ID: s.Employer,
+func (s Session) CredentialSubject() []map[string]any {
+	member := map[string]any{
+		"identifier": s.Employee.Identifier,
+		"member": map[string]any{
+			"familyName": s.Employee.FamilyName,
+			"initials":   s.Employee.Initials,
+			"type":       "Person",
 		},
-		Type: "Organization",
-		Member: EmployeeIdentityCredentialMember{
-			Identifier: s.Employee.Identifier,
-			Member: EmployeeIdentityCredentialMemberMember{
-				FamilyName: s.Employee.FamilyName,
-				Initials:   s.Employee.Initials,
-				Type:       "Person",
-			},
-			RoleName: s.Employee.RoleName,
-			Type:     "EmployeeRole",
+		"type": "EmployeeRole",
+	}
+	if s.Employee.RoleName != nil {
+		member["roleName"] = *s.Employee.RoleName
+	}
+	return []map[string]any{
+		{
+			"id":     s.Employer,
+			"type":   "Organization",
+			"member": member,
 		},
 	}
-	data, _ := json.Marshal(subject)
-	result := map[string]interface{}{}
-	_ = json.Unmarshal(data, &result)
-	return []interface{}{result}
 }
 
 // HumanReadableContract returns the contract text without the contract type (e.g. "NL:LoginContract:v3")

auth/services/selfsigned/types/types_test.go

@@ -55,7 +55,7 @@ func TestSession_CredentialSubject(t *testing.T) {
 		}
 		res := s.CredentialSubject()
 		require.Len(t, res, 1)
-		subject := res[0].(map[string]interface{})
+		subject := res[0]
 		// subject is an organization and contains information about the employer
 		require.Equal(t, "did:nuts:123", subject["id"])
 		require.Equal(t, "Organization", subject["type"])

auth/services/selfsigned/validator_test.go

@@ -448,10 +448,10 @@ func createOrganizationCredential(issuerDID string) vc.VerifiableCredential {
 		Context: []ssi.URI{credential.NutsV1ContextURI},
 		Type:    []ssi.URI{ssi.MustParseURI("NutsOrganizationCredential")},
 		Issuer:  did.MustParseDID(issuerDID).URI(),
-		CredentialSubject: []interface{}{
-			credential.NutsOrganizationCredentialSubject{
-				ID: issuerDID,
-				Organization: map[string]string{
+		CredentialSubject: []map[string]any{
+			{
+				"id": issuerDID,
+				"organization": map[string]string{
 					"name": "CareBears",
 					"city": "CareTown",
 				},

didman/didman.go

@@ -38,7 +38,6 @@ import (
 	"github.com/nuts-foundation/nuts-node/didman/log"
 	"github.com/nuts-foundation/nuts-node/jsonld"
 	"github.com/nuts-foundation/nuts-node/vcr"
-	"github.com/nuts-foundation/nuts-node/vcr/credential"
 )
 
 // ModuleName contains the name of this module: Didman
@@ -501,13 +500,7 @@ func (d *didman) resolveOrganizationDIDDocument(organization vc.VerifiableCreden
 	if len(organization.CredentialSubject) == 0 {
 		return nil, did.DID{}, errors.New("no credential subjects in organization credential")
 	}
-	credentialSubject := make([]credential.BaseCredentialSubject, 0)
-	err := organization.UnmarshalCredentialSubject(&credentialSubject)
-	if err != nil {
-		return nil, did.DID{}, fmt.Errorf("unable to get DID from organization credential: %w", err)
-	}
-	organizationDIDStr := credentialSubject[0].ID
-	organizationDID, err := did.ParseDID(organizationDIDStr)
+	organizationDID, err := organization.SubjectDID()
 	if err != nil {
 		return nil, did.DID{}, fmt.Errorf("unable to parse DID from organization credential: %w", err)
 	}

didman/didman_test.go

@@ -859,8 +859,8 @@ func TestDidman_SearchOrganizations(t *testing.T) {
 		ctx := newMockContext(t)
 		credentialWithInvalidSubjectID := vc.VerifiableCredential{}
 		_ = json.Unmarshal([]byte(jsonld.TestOrganizationCredential), &credentialWithInvalidSubjectID)
-		credentialWithInvalidSubjectID.CredentialSubject = []interface{}{
-			map[string]interface{}{
+		credentialWithInvalidSubjectID.CredentialSubject = []map[string]any{
+			{
 				"id": "90",
 			},
 		}
@@ -877,8 +877,8 @@ func TestDidman_SearchOrganizations(t *testing.T) {
 		ctx := newMockContext(t)
 		credentialWithoutSubjectID := vc.VerifiableCredential{}
 		_ = json.Unmarshal([]byte(jsonld.TestOrganizationCredential), &credentialWithoutSubjectID)
-		credentialWithoutSubjectID.CredentialSubject = []interface{}{
-			map[string]interface{}{},
+		credentialWithoutSubjectID.CredentialSubject = []map[string]any{
+			{},
 		}
 
 		ctx.vcr.EXPECT().Search(reqCtx, searchTerms, false, nil).Return([]vc.VerifiableCredential{credentialWithoutSubjectID}, nil)

discovery/client.go

@@ -239,7 +239,7 @@ func (r *clientRegistrationManager) findCredentialsAndBuildPresentation(ctx cont
 		registrationCredential = vc.VerifiableCredential{
 			Context:           []ssi.URI{vc.VCContextV1URI(), credential.NutsV1ContextURI},
 			Type:              []ssi.URI{vc.VerifiableCredentialTypeV1URI(), credential.DiscoveryRegistrationCredentialTypeV1URI()},
-			CredentialSubject: []interface{}{parameters},
+			CredentialSubject: []map[string]any{parameters},
 		}
 		credentials = append(credentials, credential.AutoCorrectSelfAttestedCredential(registrationCredential, subjectDID))
 	}

discovery/test.go

@@ -197,7 +197,7 @@ func createCredential(issuerDID did.DID, subjectDID did.DID, credentialSubject m
 		Issuer:            issuerDID.URI(),
 		IssuanceDate:      issuanceDate,
 		ExpirationDate:    &expirationDate,
-		CredentialSubject: []interface{}{credentialSubject},
+		CredentialSubject: []map[string]any{credentialSubject},
 	}, func(ctx context.Context, claims map[string]interface{}, headers map[string]interface{}) (string, error) {
 		if claimVisitor != nil {
 			claimVisitor(claims)
@@ -214,7 +214,7 @@ func createHolderCredential(subjectDID did.DID, credentialSubject map[string]int
 	c := vc.VerifiableCredential{
 		Context:           []ssi.URI{vc.VCContextV1URI(), credential.NutsV1ContextURI},
 		Type:              []ssi.URI{vc.VerifiableCredentialTypeV1URI(), credential.DiscoveryRegistrationCredentialTypeV1URI()},
-		CredentialSubject: []interface{}{credentialSubject},
+		CredentialSubject: []map[string]any{credentialSubject},
 	}
 	c = credential.AutoCorrectSelfAttestedCredential(c, subjectDID)
 	// serialize/deserialize

go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/nats-io/nats-server/v2 v2.10.26
 	github.com/nats-io/nats.go v1.39.1
 	github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b
-	github.com/nuts-foundation/go-did v0.15.0
+	github.com/nuts-foundation/go-did v0.15.1-0.20250319081900-aa2a47f72926
 	github.com/nuts-foundation/go-leia/v4 v4.1.0
 	github.com/nuts-foundation/go-stoabs v1.11.0
 	github.com/nuts-foundation/sqlite v1.0.0

go.sum

@@ -365,6 +365,12 @@ github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b h1:80
 github.com/nuts-foundation/crypto-ecies v0.0.0-20211207143025-5b84f9efce2b/go.mod h1:6YUioYirD6/8IahZkoS4Ypc8xbeJW76Xdk1QKcziNTM=
 github.com/nuts-foundation/go-did v0.15.0 h1:aNl6KC8jiyRJGl9PPKFBboLLC0wUm5h+tjE1UBDQEPw=
 github.com/nuts-foundation/go-did v0.15.0/go.mod h1:swjCJvcRxc+i1nyieIERWEb3vFb4N7iYC+qen2OIbNg=
+github.com/nuts-foundation/go-did v0.15.1-0.20250318150623-d2ac97c002b6 h1:8dPWXKbZbe10YtN2o3vNKw9jzHF4l0k4S/ZLA+JZ/bo=
+github.com/nuts-foundation/go-did v0.15.1-0.20250318150623-d2ac97c002b6/go.mod h1:+CKZlsyh7oXp35uXfXkWkauVKgAFmxxhvV9EFDc1Ips=
+github.com/nuts-foundation/go-did v0.15.1-0.20250318154645-e72bfe1fdc5b h1:705SSiJW5L6ZtcCseFAej2aIdDz3T223acONGsXjT9g=
+github.com/nuts-foundation/go-did v0.15.1-0.20250318154645-e72bfe1fdc5b/go.mod h1:+CKZlsyh7oXp35uXfXkWkauVKgAFmxxhvV9EFDc1Ips=
+github.com/nuts-foundation/go-did v0.15.1-0.20250319081900-aa2a47f72926 h1:9E0uBk36lyEQCaXI/8ElgJO7ng/71ZCIvsHoezVllLY=
+github.com/nuts-foundation/go-did v0.15.1-0.20250319081900-aa2a47f72926/go.mod h1:+CKZlsyh7oXp35uXfXkWkauVKgAFmxxhvV9EFDc1Ips=
 github.com/nuts-foundation/go-leia/v4 v4.1.0 h1:5Jo9c5hL4G6IP4JTI/UpPfpY6BILlHbdv9+PTf4lc14=
 github.com/nuts-foundation/go-leia/v4 v4.1.0/go.mod h1:tYveGED8tSbQYhZNv2DVTc51c2zEWmSF+MG96PAtalY=
 github.com/nuts-foundation/go-stoabs v1.11.0 h1:q18jVruPdFcVhodDrnKuhq/24i0pUC/YXgzJS0glKUU=

test/json.go

@@ -0,0 +1,19 @@
+package test
+
+import "encoding/json"
+
+func remarshal(src interface{}, dst interface{}) error {
+	asJSON, err := json.Marshal(src)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(asJSON, &dst)
+}
+
+func MustRemarshalIntoMap(v interface{}) map[string]any {
+	var result map[string]interface{}
+	if err := remarshal(v, &result); err != nil {
+		panic(err)
+	}
+	return result
+}