Move role validation from the vlei-verifier to the reg-pilot-filer

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+
+## [v0.1.0] - 2025-01-27
+
+### Removed
+- **Role Validation in Verifier**:  
+  - The Verifier no longer validates roles for Engagement Context Role (ECR) or Official Organizational Role (OOR) credentials.  
+  - Configuration options `allowed_ecr_roles` and `allowed_oor_roles` have been removed.
+
+### Changed
+- **Role Validation Logic**:  
+  - Responsibility for role validation has been shifted to the **Reg-Pilot-Filer** service.  
+  - This change ensures better separation of concerns between services and makes vlei-verifier more generic.
+
 ## [v0.0.4] - 2024-12-25
 
 ### Added

README.md

@@ -83,20 +83,18 @@ You can customize the service behavior using these configuration options:
 - **`iurls`**: - OOBI URLs
 - **`durls`**: - Schema OOBI URLs
 - **`trustedLeis`**: A list of trusted LE identifiers.
-- **`allowedEcrRoles`**: Roles permitted for ECR credential authorization.
-- **`allowedOorRoles`**: Roles permitted for OOR credential authorization.
 - **`allowedSchemas`**: A list of schemas allowed for authorization.
 
 ### Default Configuration
 
 The default configuration file, **`verifier-config-public.json`**, is located in the **`scripts/keri/cf`** directory. By
 default:
 
-- **`trustedLeis`**, **`allowedEcrRoles`**, and **`allowedSchemas`** are empty.
+- **`trustedLeis`** and **`allowedSchemas`** are empty.
     - This means Schema and Role checks will fail, and any credential authorization will be rejected.
-- You must populate **`allowedEcrRoles`** and **`allowedSchemas`** or use a pre-configured file from *
+- You must populate **`allowedSchemas`** or use a pre-configured file from *
   *`scripts/keri/cf/examples`**.
-- You can also use **`verifier-config-test.json`** which has values set for the allowedEcrRoles and allowedSchemas.
+- You can also use **`verifier-config-test.json`** which has values set for the allowedSchemas.
 
 ### Example Configurations
 

scripts/keri/cf/examples/verifier-config-docker.json

@@ -15,10 +15,6 @@
     "http://host.docker.internal:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-    "EBA Data Submitter",
-    "EBA Data Admin"
-  ],
   "allowedSchemas": [
     "ECR_SCHEMA",
     "ECR_SCHEMA_PROD"

scripts/keri/cf/examples/verifier-config-public-eba.json

@@ -30,10 +30,6 @@
     "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-    "EBA Data Submitter",
-    "EBA Data Admin"
-  ],
   "allowedSchemas": [
     "ECR_SCHEMA",
     "ECR_SCHEMA_PROD"

scripts/keri/cf/examples/verifier-config.json

@@ -15,10 +15,6 @@
     "http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-    "EBA Data Submitter",
-    "EBA Data Admin"
-  ],
   "allowedSchemas": [
     "ECR_SCHEMA",
     "ECR_SCHEMA_PROD"

scripts/keri/cf/verifier-config-public.json

@@ -30,8 +30,6 @@
     "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-  ],
   "allowedSchemas": [
   ]
 }

scripts/keri/cf/verifier-config-rootsid.json

@@ -15,10 +15,6 @@
     "http://schemas.rootsid.cloud/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-    "EBA Data Submitter",
-    "EBA Data Admin"
-  ],
   "allowedSchemas": [
     "ECR_SCHEMA",
     "ECR_SCHEMA_PROD"

scripts/keri/cf/verifier-config-test.json

@@ -30,10 +30,6 @@
     "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
   ],
   "trustedLeis": [],
-  "allowedEcrRoles": [
-    "EBA Data Submitter",
-    "EBA Data Admin"
-  ],
   "allowedSchemas": [
     "ECR_SCHEMA",
     "ECR_SCHEMA_PROD"

setup.py

@@ -33,7 +33,7 @@
 
 setup(
     name='verifier',
-    version='0.0.4',  # also change in src/verifier/__init__.py
+    version='0.1.0',  # also change in src/verifier/__init__.py
     license='Apache Software License 2.0',
     description='Verifier: Proof of Concept vLEI Verifier',
     long_description="Verifier: Proof of Concept vLEI Verifier.",

src/verifier/__init__.py

@@ -1 +1 @@
-__version__ = '0.0.4'
+__version__ = '0.1.0'

src/verifier/app/cli/commands/server/start.py

@@ -125,8 +125,6 @@ def launch(args):
     allowed_schemas = [
         getattr(Schema, x) for x in config.get("allowedSchemas", []) if getattr(Schema, x, None)
     ]
-    allowed_ecr_roles = config.get("allowedEcrRoles", [])
-    allowed_oor_roles = config.get("allowedOorRoles", [])
     verifier_mode = os.environ.get("VERIFIER_ENV", "production")
     trusted_leis = config.get("trustedLeis", [])
     verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "True").lower() in ("true", "1")
@@ -141,10 +139,6 @@ def launch(args):
     print("ALLOWED", allowed_schemas)
     if allowed_schemas:
         ve_init_params["authAllowedSchemas"] = allowed_schemas
-    if allowed_ecr_roles:
-        ve_init_params["authAllowedEcrRoles"] = allowed_ecr_roles
-    if allowed_oor_roles:
-        ve_init_params["authAllowedOorRoles"] = allowed_oor_roles
 
     ve = VerifierEnvironment.initialize(**ve_init_params)
     if aeid is None:

src/verifier/core/authorizing.py

@@ -48,16 +48,10 @@ def setup(hby, vdb, reger):
             "invalid configuration, invalid LEIs in configuration"
         )
 
-    accepted_roles = env.authAllowedEcrRoles
-    if not isinstance(accepted_roles, list):
+    accepted_schemas = env.authAllowedSchemas
+    if not isinstance(accepted_schemas, list):
         raise kering.ConfigurationError(
-            "invalid configuration, invalid ECR Roles in configuration"
-        )
-
-    accepted_roles = env.authAllowedOorRoles
-    if not isinstance(accepted_roles, list):
-        raise kering.ConfigurationError(
-            "invalid configuration, invalid OOR Roles in configuration"
+            "invalid configuration, invalid Allowed Schemas in configuration"
         )
 
     authorizer = Authorizer(hby, vdb, reger)
@@ -174,12 +168,6 @@ def cred_filters(self, creder) -> tuple[bool, str]:
             elif len(self.env.trustedLeis) > 0 and creder.attrib["LEI"] not in self.env.trustedLeis:
                 # only process LEI filter if LEI list has been configured
                 res = False, f"LEI: {creder.attrib["LEI"]} not allowed"
-            elif (creder.schema in (Schema.ECR_SCHEMA, Schema.ECR_SCHEMA_PROD)
-                  and creder.attrib["engagementContextRole"] not in self.env.authAllowedEcrRoles):
-                res = False, f"{creder.attrib["engagementContextRole"]} is not a valid submitter role"
-            elif (creder.schema in (Schema.OOR_SCHEMA,)
-                  and creder.attrib["officialRole"] not in self.env.authAllowedOorRoles):
-                res = False, f"{creder.attrib["officialRole"]} is not a valid submitter role"
             elif not (chain := self.chain_filters(creder))[0]:
                 res = chain
             else:

src/verifier/core/resolve_env.py

@@ -14,8 +14,6 @@ class VerifierEnvironment:
     mode: str = "production"
     verifyRootOfTrust: bool = True
     authAllowedSchemas: List = field(default_factory=lambda: [])
-    authAllowedEcrRoles: List = field(default_factory=lambda: [])
-    authAllowedOorRoles: List = field(default_factory=lambda: [])
 
     _instance: "VerifierEnvironment" = None
 

tests/core/test_authorizing.py

@@ -20,11 +20,6 @@ def setup():
     allowed_schemas = [
         getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD", "TEST_SCHEMA")
     ]
-    allowed_ecr_roles = [
-        "EBA Data Submitter",
-        "EBA Data Admin"
-    ]
-    allowed_oor_roles = []
     verifier_mode = os.environ.get("VERIFIER_ENV", "production")
     trusted_leis = []
     verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1")
@@ -34,8 +29,6 @@ def setup():
         "trustedLeis": trusted_leis if trusted_leis else [],
         "verifyRootOfTrust": verify_rot,
         "authAllowedSchemas": allowed_schemas,
-        "authAllowedEcrRoles": allowed_ecr_roles,
-        "authAllowedOorRoles": allowed_oor_roles
     }
 
     VerifierEnvironment.initialize(**ve_init_params)
@@ -292,28 +285,6 @@ def test_ecr(seeder):
         assert passed_filters
         assert msg == f"Credential passed filters for user {hab.pre} with LEI {LEI1}"
 
-        # Test ECR with invalid role
-        ecr_cred_invalid = get_ecr_cred(
-            issuer=hab.pre,
-            recipient=hab.pre,
-            schema=Schema.ECR_SCHEMA,
-            registry=registry,
-            sedge=ecredge,
-            lei=LEI1,
-            role="INVALID_ROLE"  # Using an invalid role
-        )
-        hab, eccrdntler_invalid, ecsaid_invalid, eckmsgs_invalid, ectmsgs_invalid, ecimsgs_invalid, ecmsgs_invalid = get_cred(
-            hby, hab, regery, registry, verifier, Schema.ECR_SCHEMA, ecr_cred_invalid, seqner
-        )
-
-        auth = Authorizer(hby, vdb, eccrdntler_invalid.rgy.reger)
-        chain_success, chain_msg = auth.chain_filters(ecr_cred_invalid)
-        assert chain_success
-        assert chain_msg == f"QVI->LE->ECR_AUTH->ECR"
-        passed_filters, msg = auth.cred_filters(ecr_cred_invalid)
-        assert not passed_filters  # Should fail because of invalid role
-        assert "is not a valid submitter role" in msg
-
         data = '"@method": GET\n"@path": /verify/header\n"signify-resource": EHYfRWfM6RxYbzyodJ6SwYytlmCCW2gw5V-FsoX5BgGx\n"signify-timestamp": 2024-05-01T19:54:53.571000+00:00\n"@signature-params: (@method @path signify-resource signify-timestamp);created=1714593293;keyid=BOieebDzg4uaqZ2zuRAX1sTiCrD3pgGT3HtxqSEAo05b;alg=ed25519"'
         raw = data.encode("utf-8")
         cig = hab.sign(ser=raw, indexed=False)[0]

tests/core/test_verifying.py

@@ -21,11 +21,6 @@ def setup():
     allowed_schemas = [
         getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD", "TEST_SCHEMA")
     ]
-    allowed_ecr_roles = [
-        "EBA Data Submitter",
-        "EBA Data Admin"
-    ]
-    allowed_oor_roles = []
     verifier_mode = os.environ.get("VERIFIER_ENV", "production")
     trusted_leis = []
     verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1")
@@ -34,9 +29,7 @@ def setup():
         "mode": verifier_mode,
         "trustedLeis": trusted_leis if trusted_leis else [],
         "verifyRootOfTrust": verify_rot,
-        "authAllowedSchemas": allowed_schemas,
-        "authAllowedEcrRoles": allowed_ecr_roles,
-        "authAllowedOorRoles": allowed_oor_roles
+        "authAllowedSchemas": allowed_schemas
     }
 
     VerifierEnvironment.initialize(**ve_init_params)

tests/integration/test_service.py

@@ -23,11 +23,6 @@ def setup():
     allowed_schemas = [
         getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD")
     ]
-    allowed_ecr_roles = [
-        "EBA Data Submitter",
-        "EBA Data Admin"
-    ]
-    allowed_oor_roles = []
     verifier_mode = os.environ.get("VERIFIER_ENV", "production")
     trusted_leis = []
     verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1")
@@ -37,8 +32,6 @@ def setup():
         "trustedLeis": trusted_leis if trusted_leis else [],
         "verifyRootOfTrust": verify_rot,
         "authAllowedSchemas": allowed_schemas,
-        "authAllowedEcrRoles": allowed_ecr_roles,
-        "authAllowedOorRoles": allowed_oor_roles
     }
 
     VerifierEnvironment.initialize(**ve_init_params)