Merge pull request #284 from walt-id/283-ssikit-update-ebsitrustediss…

…uerregistrypolicy-to-verify-issuer-rights-permissions 283 ssikit update ebsitrustedissuerregistrypolicy to verify issuer rights permissions
walt-id · Apr 10, 2023 · d836237 · d836237
2 parents b0fbf52 + a4ce13b
commit d836237
Show file tree

Hide file tree

Showing 16 changed files with 422 additions and 33 deletions.
diff --git a/src/main/kotlin/id/walt/auditor/PolicyRegistryService.kt b/src/main/kotlin/id/walt/auditor/PolicyRegistryService.kt
@@ -142,12 +142,13 @@ open class PolicyRegistryService: WaltIdService() {
         register(JsonSchemaPolicy::class, JsonSchemaPolicyArg::class, "Verify by JSON schema")
         register(EbsiTrustedSchemaRegistryPolicy::class, "Verify by EBSI Trusted Schema Registry")
         register(EbsiTrustedIssuerDidPolicy::class, "Verify by trusted issuer did")
-        PolicyRegistry.register(
+        register(
             EbsiTrustedIssuerRegistryPolicy::class,
             EbsiTrustedIssuerRegistryPolicyArg::class,
             "Verify by an EBSI Trusted Issuers Registry compliant api.",
             true
         )
+        register(EbsiTrustedIssuerAccreditationPolicy::class,"Verify by issuer's authorized claims")
         register(EbsiTrustedSubjectDidPolicy::class, "Verify by trusted subject did")
         register(IssuedDateBeforePolicy::class, "Verify by issuance date")
         register(ValidFromBeforePolicy::class, "Verify by valid from")

diff --git a/src/main/kotlin/id/walt/auditor/policies/CredentialPropertyVerificationPolicies.kt b/src/main/kotlin/id/walt/auditor/policies/CredentialPropertyVerificationPolicies.kt
@@ -71,7 +71,8 @@ class CredentialStatusPolicy : SimpleVerificationPolicy() {
                 val result = rs.checkRevoked(cs.id)
                 revocationVerificationPolicy(result.isRevoked, result.timeOfRevocation)
             }
-
+            "StatusList2021Credential" -> VerificationPolicyResult.success()//TODO: implement
+            "CredentialStatusList2020" -> VerificationPolicyResult.success()//TODO: implement
             else -> VerificationPolicyResult.failure(UnsupportedOperationException("CredentialStatus type \"${cs.type}\" is not yet supported."))
         }
     }

diff --git a/src/main/kotlin/id/walt/auditor/policies/EbsiVerificationPolicies.kt b/src/main/kotlin/id/walt/auditor/policies/EbsiVerificationPolicies.kt
@@ -5,7 +5,6 @@ import id.walt.auditor.SimpleVerificationPolicy
 import id.walt.auditor.VerificationPolicyResult
 import id.walt.credentials.w3c.VerifiableCredential
 import id.walt.credentials.w3c.VerifiablePresentation
-import id.walt.model.TrustedIssuer
 import id.walt.model.TrustedIssuerType
 import id.walt.services.WaltIdServices
 import id.walt.services.did.DidService
@@ -102,28 +101,44 @@ class EbsiTrustedIssuerRegistryPolicy(registryArg: EbsiTrustedIssuerRegistryPoli
 
         val issuerDid = vc.issuerId!!
 
-        val resolvedIssuerDid = DidService.loadOrResolveAnyDid(issuerDid)
-            ?: throw IllegalArgumentException("Could not resolve issuer DID $issuerDid")
-
-        if (resolvedIssuerDid.id != issuerDid) {
-            return VerificationPolicyResult.failure(IllegalArgumentException("Resolved DID ${resolvedIssuerDid.id} does not match the issuer DID $issuerDid"))
+        // the issuer is registered in TIR
+        val tirRecord = fetchTirRecord(issuerDid)
+            ?: return VerificationPolicyResult.failure(IllegalArgumentException("Issuer has no record on TIR"))
+        // issuer is authorized to issue the vc's credential schema
+        val tirRecordAccreditationAttributes = tirRecord.attributes.filter {
+            val accreditation = VerifiableCredential.fromString(it.body)
+            (accreditation.credentialSubject?.properties?.get("authorisationClaims") as? List<HashMap<String, String>>)?.any {
+                it["authorisedSchemaId"] == vc.credentialSchema?.id
+            } ?: false
+        }.takeIf { it.isNotEmpty() }
+            ?: return VerificationPolicyResult.failure(IllegalArgumentException("Issuer has no authorization claims matching the credential schema"))
+        // the issuer has a valid Legal Entity Verifiable ID registered as an attribute in TIR
+        tirRecord.attributes.any {
+            VerifiableCredential.fromString(it.body).type.contains("VerifiableId")
+        }.takeIf { !it }?.run {
+            return VerificationPolicyResult.failure(IllegalArgumentException("Issuer has no VerifiableId registered as an attribute in TIR"))
+        }
+        // validate issuer type
+        tirRecordAccreditationAttributes.any {
+            it.issuerType.equals(argument.issuerType.name, ignoreCase = true)
+        }.takeIf { !it }?.run {
+            return VerificationPolicyResult.failure(IllegalArgumentException("Issuer type doesn't match"))
+        }
+        // verify issuer's accreditation
+        tirRecordAccreditationAttributes.any {
+            val accreditation = VerifiableCredential.fromString(it.body)
+            EbsiTrustedIssuerAccreditationPolicy().verify(accreditation).isSuccess
+        }.takeIf { !it }?.run {
+            return VerificationPolicyResult.failure(IllegalArgumentException("Issuer's accreditation is not valid"))
         }
-        var tirRecord: TrustedIssuer
-
 
-        return VerificationPolicyResult(runCatching {
-            tirRecord = TrustedIssuerClient.getIssuer(issuerDid, argument.registryAddress)
-            isValidTrustedIssuerRecord(tirRecord)
-        }.getOrElse {
-            log.debug { it }
-            log.warn { "Could not resolve issuer TIR record of $issuerDid" }
-            false
-        })
+        return VerificationPolicyResult.success()
     }
 
-    private fun isValidTrustedIssuerRecord(tirRecord: TrustedIssuer): Boolean = tirRecord.attributes.any {
-        it.issuerType.equals(TrustedIssuerType.TI.name, ignoreCase = true)
-    }
+    private fun fetchTirRecord(did: String) = runCatching {
+//        TrustedIssuerClient.getIssuer(did, argument.registryAddress)
+        TrustedIssuerClient.getIssuer(argument.issuerType)
+    }.getOrNull()
 
     override var applyToVP: Boolean = false
 }
@@ -143,6 +158,27 @@ class EbsiTrustedSubjectDidPolicy : SimpleVerificationPolicy() {
         } ?: false)
     }
 }
-fun main(){
-    runBlocking { println(WaltIdServices.httpNoAuth.get("https://data.deqar.eu/schema/v1.json").status == HttpStatusCode.OK) }
+
+class EbsiTrustedIssuerAccreditationPolicy : SimpleVerificationPolicy() {
+    override val description: String
+        get() = "Verify by issuer's authorized claims"
+
+    override fun doVerify(vc: VerifiableCredential): VerificationPolicyResult {
+        // get accreditations of the issuers
+        val tirRecords = (vc.properties["termsOfUse"] as? List<HashMap<String, String>>)?.filter {
+            it["type"] == "VerifiableAccreditation"
+        }?.mapNotNull {
+            // fetch the issuers registry attributes
+            runCatching { TrustedIssuerClient.getAttribute(it["id"]!!) }.getOrNull()
+        } ?: emptyList()
+
+        // check the credential schema to match the issuers' authorized schemas
+        return tirRecords.any {
+            // attribute's body field holds the credential as jwt
+            (VerifiableCredential.fromString(it.attribute.body).credentialSubject?.properties?.get("authorisationClaims") as? List<HashMap<String, String>>)?.any {
+                it["authorisedSchemaId"] == vc.credentialSchema?.id
+            } ?: false
+        }.takeIf { it }?.let { VerificationPolicyResult.success() }
+            ?: VerificationPolicyResult.failure(Throwable("Issuer has no authorization claims matching the credential schema"))
+    }
 }
diff --git a/src/main/kotlin/id/walt/model/Ebsi.kt b/src/main/kotlin/id/walt/model/Ebsi.kt
@@ -103,6 +103,12 @@ data class Attribute(
     val rootTao: String? = null,    //did:ebsi:zppVrNT9bBgMqxrJqVEnvyk
 )
 
+@Serializable
+data class AttributeRecord(
+    val did: String,
+    val attribute: Attribute
+)
+
 enum class TrustedIssuerType {
     RootTAO,
     TAO,

diff --git a/src/main/kotlin/id/walt/services/ecosystems/essif/TrustedIssuerClient.kt b/src/main/kotlin/id/walt/services/ecosystems/essif/TrustedIssuerClient.kt
@@ -1,9 +1,13 @@
 package id.walt.services.ecosystems.essif
 
 import com.beust.klaxon.Klaxon
+import id.walt.common.KlaxonWithConverters
 import id.walt.common.readEssif
+import id.walt.common.resolveContent
+import id.walt.model.AttributeRecord
 import id.walt.model.AuthRequestResponse
 import id.walt.model.TrustedIssuer
+import id.walt.model.TrustedIssuerType
 import id.walt.services.WaltIdServices
 import id.walt.services.ecosystems.essif.didebsi.EBSI_ENV_URL
 import id.walt.services.ecosystems.essif.enterprisewallet.EnterpriseWalletService
@@ -30,6 +34,7 @@ object TrustedIssuerClient {
     const val trustedIssuerPath = "trusted-issuers-registry/$apiVersion/issuers"
     const val trustedSchemaPath = "trusted-schemas-registry/$schemaApiVersion/schemas"
 
+    private const val attributesPath = "attributes"
     private const val trustedIssuerUrl = "http://localhost:7001/v2/trusted-issuer"
     private val enterpriseWalletService = EnterpriseWalletService.getService()
     private val httpClient = WaltIdServices.httpNoAuth
@@ -108,7 +113,7 @@ object TrustedIssuerClient {
     // returns trusted issuer record
     fun getIssuerRaw(did: String, registryAddress: String = "$domain/$trustedIssuerPath"): String = runBlocking {
         log.debug { "Getting trusted issuer with DID $did" }
-        val trustedIssuer: String = httpClient.get("$registryAddress/$did").bodyAsText()
+        val trustedIssuer: String = resolveContent("$registryAddress/$did")
         log.debug { trustedIssuer }
         return@runBlocking trustedIssuer
     }
@@ -118,6 +123,27 @@ object TrustedIssuerClient {
 
     fun getIssuer(did: String): TrustedIssuer = getIssuer(did, "$domain/$trustedIssuerPath")
 
+    @Deprecated(
+        "Mock solution for ebsi registry. To be removed",
+        ReplaceWith("getIssuer(did), getIssuer(did, registryAddress)")
+    )
+    fun getIssuer(type: TrustedIssuerType): TrustedIssuer = runBlocking {
+        when (type) {
+            TrustedIssuerType.TI -> "https://raw.githubusercontent.com/walt-id/waltid-ssikit/main/src/test/resources/ebsi/trusted-issuer-chain/ti-tir-record.json"
+            TrustedIssuerType.TAO -> "https://raw.githubusercontent.com/walt-id/waltid-ssikit/main/src/test/resources/ebsi/trusted-issuer-chain/tao-tir-record.json"
+            else -> ""
+        }.let {
+            KlaxonWithConverters().parse(resolveContent(it))!!
+        }
+    }
+
+    fun getAttribute(did: String, attributeId: String) =
+        getAttribute("$domain/$trustedIssuerPath/$did/$attributesPath/$attributeId")
+
+    fun getAttribute(url: String) = resolveContent(url).let {
+        KlaxonWithConverters().parse<AttributeRecord>(it)!!
+    }
+
     ///////////////////////////////////////////////////////////////////////////////////////////////
     //TODO: the methods below are stubbed - to be considered
 

diff --git a/...vc-templates/VerifiableAccreditation.json → ...n/resources/vc-templates/DeqarReport.json b/...vc-templates/VerifiableAccreditation.json → ...n/resources/vc-templates/DeqarReport.json
diff --git a/src/test/kotlin/id/walt/auditor/AuditorTest.kt b/src/test/kotlin/id/walt/auditor/AuditorTest.kt
@@ -3,18 +3,17 @@ package id.walt.auditor
 import com.beust.klaxon.JsonObject
 import id.walt.auditor.dynamic.DynamicPolicy
 import id.walt.auditor.dynamic.DynamicPolicyArg
-import id.walt.auditor.policies.EbsiTrustedSchemaRegistryPolicy
-import id.walt.auditor.policies.JsonSchemaPolicy
-import id.walt.auditor.policies.JsonSchemaPolicyArg
-import id.walt.auditor.policies.SignaturePolicy
+import id.walt.auditor.policies.*
+import id.walt.common.KlaxonWithConverters
 import id.walt.common.resolveContent
 import id.walt.credentials.w3c.JsonConverter
 import id.walt.credentials.w3c.VerifiableCredential
 import id.walt.credentials.w3c.toVerifiableCredential
 import id.walt.custodian.Custodian
-import id.walt.model.DidMethod
+import id.walt.model.*
 import id.walt.servicematrix.ServiceMatrix
 import id.walt.services.did.DidService
+import id.walt.services.ecosystems.essif.TrustedIssuerClient
 import id.walt.signatory.ProofConfig
 import id.walt.signatory.ProofType
 import id.walt.signatory.Signatory
@@ -25,16 +24,13 @@ import io.kotest.core.spec.style.StringSpec
 import io.kotest.core.test.TestCase
 import io.kotest.data.blocking.forAll
 import io.kotest.data.row
-import io.kotest.matchers.collections.beEmpty
 import io.kotest.matchers.collections.shouldBeSameSizeAs
-import io.kotest.matchers.collections.shouldContain
 import io.kotest.matchers.collections.shouldContainAll
 import io.kotest.matchers.shouldBe
+import io.mockk.*
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.jsonObject
-import net.bytebuddy.pool.TypePool.Resolution.Illegal
 import java.io.File
-import java.lang.IllegalArgumentException
 import java.net.URI
 import java.net.URL
 
@@ -362,5 +358,56 @@ class AuditorCommandTest : StringSpec() {
                 result.errors shouldBe message
             }
         }
+
+        "10. test EbsiTrustedIssuerAccreditationPolicy" {
+            forAll(
+                row("TIVerifiableAccreditationTIDiploma.json", "tao-tir-attribute.json", true, emptyList<Throwable>()),
+                row("TAOVerifiableAccreditation.json", "tao-tir-attribute.json", true, emptyList<Throwable>()),
+            ) { vcPath, attrPath, isSuccess, errors ->
+                val schemaPath = "src/test/resources/ebsi/trusted-issuer-chain/"
+                val policy = EbsiTrustedIssuerAccreditationPolicy()
+                val vc = resolveContent(schemaPath + vcPath).toVerifiableCredential()
+                val tirRecord = resolveContent(schemaPath + attrPath)
+                mockkStatic(::resolveContent)
+                every { resolveContent(any()) } returns tirRecord
+
+                val result = policy.verify(vc)
+
+                result.isSuccess shouldBe isSuccess
+                result.errors shouldBe errors
+
+                unmockkStatic(::resolveContent)
+            }
+        }
+
+        "11. test EbsiTrustedIssuerRegistryPolicy"{
+            forAll(
+                // self issued (tao accreditation)
+                row("TAOVerifiableAccreditation.json", "tao-tir-record.json", "tao-tir-attribute.json", TrustedIssuerType.TAO, true, emptyList<Throwable>()),
+                // issued by tao (ti accreditation)
+                row("TIVerifiableAccreditationTIDiploma.json", "tao-tir-record.json", "tao-tir-attribute.json", TrustedIssuerType.TAO, true, emptyList<Throwable>()),
+                // issued by issuer (diploma credential)
+                row("VerifiableDiploma.json", "ti-tir-record.json", "tao-tir-attribute.json", TrustedIssuerType.TI, true, emptyList<Throwable>()),
+            ) { vcPath, tirRecordPath, tirAttributePath, issuerType, isSuccess, errors ->
+                val schemaPath = "src/test/resources/ebsi/trusted-issuer-chain/"
+                val policy = EbsiTrustedIssuerRegistryPolicy(issuerType)
+                val vc = resolveContent(schemaPath + vcPath).toVerifiableCredential()
+                val attribute = KlaxonWithConverters().parse<AttributeRecord>(resolveContent (schemaPath + tirAttributePath))!!
+                val tirRecord = KlaxonWithConverters().parse<TrustedIssuer>(resolveContent(schemaPath + tirRecordPath))!!
+                mockkObject(DidService)
+                mockkObject(TrustedIssuerClient)
+                every { DidService.loadOrResolveAnyDid(any()) } returns Did(id = vc.issuerId!!)
+                every { TrustedIssuerClient.getAttribute(any()) } returns attribute
+                every { TrustedIssuerClient.getIssuer(any<TrustedIssuerType>()) } returns tirRecord
+
+                val result = policy.verify(vc)
+
+                result.isSuccess shouldBe isSuccess
+                result.errors shouldBe errors
+
+                unmockkObject(DidService)
+                unmockkObject(TrustedIssuerClient)
+            }
+        }
     }
 }
diff --git a/src/test/kotlin/id/walt/auditor/TrustedIssuerRegistryPolicyTest.kt b/src/test/kotlin/id/walt/auditor/TrustedIssuerRegistryPolicyTest.kt
@@ -13,6 +13,7 @@ import id.walt.services.ecosystems.essif.TrustedIssuerClient
 import id.walt.signatory.ProofConfig
 import id.walt.signatory.ProofType
 import id.walt.signatory.Signatory
+import io.kotest.core.annotation.Ignored
 import io.kotest.core.spec.style.AnnotationSpec
 import io.kotest.core.test.TestCase
 import io.kotest.matchers.shouldBe
@@ -21,6 +22,7 @@ import io.mockk.every
 import io.mockk.mockkObject
 import org.junit.jupiter.api.assertAll
 
+@Ignored
 class TrustedIssuerRegistryPolicyTest : AnnotationSpec() {
 
     private val defaultRegistry = "${TrustedIssuerClient.domain}/${TrustedIssuerClient.trustedIssuerPath}"

diff --git a/src/test/resources/ebsi/trusted-issuer-chain/TAOVerifiableAccreditation.json b/src/test/resources/ebsi/trusted-issuer-chain/TAOVerifiableAccreditation.json
@@ -0,0 +1,42 @@
+
+{
+    "@context": [
+        "https://www.w3.org/2018/credentials/v1"
+    ],
+    "id": "urn:uuid:4e1022a0-2406-4b82-9adf-b24825d67d9b",
+    "type": [
+        "VerifiableCredential",
+        "AccreditedVerifiableAttestation",
+        "VerifiableAccreditation"
+    ],
+    "issuer": "did:ebsi:ztSHfNUFDXmqBNkY8UBH8VE",
+    "termsOfUse": [
+        {
+            "type": "VerifiableAccreditation",
+            "id": "https://raw.githubusercontent.com/walt-id/waltid-ssikit/main/src/test/resources/ebsi/trusted-issuer-chain/tao-tir-attribute.json"
+        }
+    ],
+    "issuanceDate": "2022-01-01T00:00:00Z",
+    "validFrom": "2022-01-01T00:00:00Z",
+    "expirationDate": "2024-01-01T00:00:00Z",
+    "issued": "2022-01-01T00:00:00Z",
+    "credentialSubject": {
+        "id": "did:ebsi:ztSHfNUFDXmqBNkY8UBH8VE",
+        "authorisationClaims": [
+            {
+                "authorisedSchemaId": "https://essif.europa.eu/tsr-123/verifiable-accreditation.json"
+            },
+            {
+                "authorisedSchemaId": "https://essif.europa.eu/tsr-123/verifiable-accreditation-ti-diploma.json"
+            }
+        ]
+    },
+    "credentialStatus": {
+        "id": "https://essif.europa.eu/status/45",
+        "type": "CredentialStatusList2020"
+    },
+    "credentialSchema": {
+        "id": "https://essif.europa.eu/tsr-123/verifiable-accreditation.json",
+        "type": "FullJsonSchemaValidator2021"
+    }
+}