From ce5ef848568f749ebfb319e04859c8f25d533e53 Mon Sep 17 00:00:00 2001 From: Aidar Negimatzhanov Date: Mon, 27 Jan 2025 22:24:48 +0100 Subject: [PATCH] Move role validation from the vlei-verifier to the reg-pilot-filer --- CHANGELOG.md | 13 ++++++++ README.md | 8 ++--- .../cf/examples/verifier-config-docker.json | 4 --- .../examples/verifier-config-oor-allowed.json | 32 ------------------- .../examples/verifier-config-public-eba.json | 4 --- scripts/keri/cf/examples/verifier-config.json | 4 --- scripts/keri/cf/verifier-config-public.json | 2 -- scripts/keri/cf/verifier-config-rootsid.json | 4 --- scripts/keri/cf/verifier-config-test.json | 4 --- setup.py | 2 +- src/verifier/__init__.py | 2 +- src/verifier/app/cli/commands/server/start.py | 6 ---- src/verifier/core/authorizing.py | 18 ++--------- src/verifier/core/resolve_env.py | 2 -- tests/core/test_authorizing.py | 29 ----------------- tests/core/test_verifying.py | 9 +----- tests/integration/test_service.py | 7 ---- 17 files changed, 22 insertions(+), 128 deletions(-) delete mode 100755 scripts/keri/cf/examples/verifier-config-oor-allowed.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 9609e79..9e316e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # Changelog + +## [v0.1.0] - 2025-01-27 + +### Removed +- **Role Validation in Verifier**: + - The Verifier no longer validates roles for Engagement Context Role (ECR) or Official Organizational Role (OOR) credentials. + - Configuration options `allowed_ecr_roles` and `allowed_oor_roles` have been removed. + +### Changed +- **Role Validation Logic**: + - Responsibility for role validation has been shifted to the **Reg-Pilot-Filer** service. + - This change ensures better separation of concerns between services and makes vlei-verifier more generic. + ## [v0.0.4] - 2024-12-25 ### Added diff --git a/README.md b/README.md index 657bfd0..cd33a09 100644 --- a/README.md +++ b/README.md @@ -83,8 +83,6 @@ You can customize the service behavior using these configuration options: - **`iurls`**: - OOBI URLs - **`durls`**: - Schema OOBI URLs - **`trustedLeis`**: A list of trusted LE identifiers. -- **`allowedEcrRoles`**: Roles permitted for ECR credential authorization. -- **`allowedOorRoles`**: Roles permitted for OOR credential authorization. - **`allowedSchemas`**: A list of schemas allowed for authorization. ### Default Configuration @@ -92,11 +90,11 @@ You can customize the service behavior using these configuration options: The default configuration file, **`verifier-config-public.json`**, is located in the **`scripts/keri/cf`** directory. By default: -- **`trustedLeis`**, **`allowedEcrRoles`**, and **`allowedSchemas`** are empty. +- **`trustedLeis`** and **`allowedSchemas`** are empty. - This means Schema and Role checks will fail, and any credential authorization will be rejected. -- You must populate **`allowedEcrRoles`** and **`allowedSchemas`** or use a pre-configured file from * +- You must populate **`allowedSchemas`** or use a pre-configured file from * *`scripts/keri/cf/examples`**. -- You can also use **`verifier-config-test.json`** which has values set for the allowedEcrRoles and allowedSchemas. +- You can also use **`verifier-config-test.json`** which has values set for the allowedSchemas. ### Example Configurations diff --git a/scripts/keri/cf/examples/verifier-config-docker.json b/scripts/keri/cf/examples/verifier-config-docker.json index edbefb8..45a2098 100755 --- a/scripts/keri/cf/examples/verifier-config-docker.json +++ b/scripts/keri/cf/examples/verifier-config-docker.json @@ -15,10 +15,6 @@ "http://host.docker.internal:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], "allowedSchemas": [ "ECR_SCHEMA", "ECR_SCHEMA_PROD" diff --git a/scripts/keri/cf/examples/verifier-config-oor-allowed.json b/scripts/keri/cf/examples/verifier-config-oor-allowed.json deleted file mode 100755 index 5925204..0000000 --- a/scripts/keri/cf/examples/verifier-config-oor-allowed.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "dt": "2022-01-20T12:57:59.823350+00:00", - "iurls": [ - "http://127.0.0.1:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller", - "http://127.0.0.1:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller", - "http://127.0.0.1:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller" - ], - "durls": [ - "http://127.0.0.1:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy", - "http://127.0.0.1:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi", - "http://127.0.0.1:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E", - "http://127.0.0.1:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw", - "http://127.0.0.1:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY", - "http://127.0.0.1:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g", - "http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" - ], - "trustedLeis": [ - - ], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], - "allowedOorRoles": [ - "HR Manager" - ], - "allowedSchemas": [ - "ECR_SCHEMA", - "ECR_SCHEMA_PROD", - "OOR_SCHEMA" - ] -} \ No newline at end of file diff --git a/scripts/keri/cf/examples/verifier-config-public-eba.json b/scripts/keri/cf/examples/verifier-config-public-eba.json index 4634dc4..b3cbe04 100755 --- a/scripts/keri/cf/examples/verifier-config-public-eba.json +++ b/scripts/keri/cf/examples/verifier-config-public-eba.json @@ -30,10 +30,6 @@ "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], "allowedSchemas": [ "ECR_SCHEMA", "ECR_SCHEMA_PROD" diff --git a/scripts/keri/cf/examples/verifier-config.json b/scripts/keri/cf/examples/verifier-config.json index 523438b..f75f834 100755 --- a/scripts/keri/cf/examples/verifier-config.json +++ b/scripts/keri/cf/examples/verifier-config.json @@ -15,10 +15,6 @@ "http://127.0.0.1:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], "allowedSchemas": [ "ECR_SCHEMA", "ECR_SCHEMA_PROD" diff --git a/scripts/keri/cf/verifier-config-public.json b/scripts/keri/cf/verifier-config-public.json index 5663557..d806250 100755 --- a/scripts/keri/cf/verifier-config-public.json +++ b/scripts/keri/cf/verifier-config-public.json @@ -30,8 +30,6 @@ "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - ], "allowedSchemas": [ ] } \ No newline at end of file diff --git a/scripts/keri/cf/verifier-config-rootsid.json b/scripts/keri/cf/verifier-config-rootsid.json index 20a4f60..ad2b207 100755 --- a/scripts/keri/cf/verifier-config-rootsid.json +++ b/scripts/keri/cf/verifier-config-rootsid.json @@ -15,10 +15,6 @@ "http://schemas.rootsid.cloud/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], "allowedSchemas": [ "ECR_SCHEMA", "ECR_SCHEMA_PROD" diff --git a/scripts/keri/cf/verifier-config-test.json b/scripts/keri/cf/verifier-config-test.json index 4634dc4..b3cbe04 100755 --- a/scripts/keri/cf/verifier-config-test.json +++ b/scripts/keri/cf/verifier-config-test.json @@ -30,10 +30,6 @@ "https://gleif-it.github.io/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao" ], "trustedLeis": [], - "allowedEcrRoles": [ - "EBA Data Submitter", - "EBA Data Admin" - ], "allowedSchemas": [ "ECR_SCHEMA", "ECR_SCHEMA_PROD" diff --git a/setup.py b/setup.py index 6ca0646..06f0912 100644 --- a/setup.py +++ b/setup.py @@ -33,7 +33,7 @@ setup( name='verifier', - version='0.0.4', # also change in src/verifier/__init__.py + version='0.1.0', # also change in src/verifier/__init__.py license='Apache Software License 2.0', description='Verifier: Proof of Concept vLEI Verifier', long_description="Verifier: Proof of Concept vLEI Verifier.", diff --git a/src/verifier/__init__.py b/src/verifier/__init__.py index cba8e59..541f859 100644 --- a/src/verifier/__init__.py +++ b/src/verifier/__init__.py @@ -1 +1 @@ -__version__ = '0.0.4' \ No newline at end of file +__version__ = '0.1.0' \ No newline at end of file diff --git a/src/verifier/app/cli/commands/server/start.py b/src/verifier/app/cli/commands/server/start.py index 9b12ba4..e7cbd68 100644 --- a/src/verifier/app/cli/commands/server/start.py +++ b/src/verifier/app/cli/commands/server/start.py @@ -125,8 +125,6 @@ def launch(args): allowed_schemas = [ getattr(Schema, x) for x in config.get("allowedSchemas", []) if getattr(Schema, x, None) ] - allowed_ecr_roles = config.get("allowedEcrRoles", []) - allowed_oor_roles = config.get("allowedOorRoles", []) verifier_mode = os.environ.get("VERIFIER_ENV", "production") trusted_leis = config.get("trustedLeis", []) verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "True").lower() in ("true", "1") @@ -141,10 +139,6 @@ def launch(args): print("ALLOWED", allowed_schemas) if allowed_schemas: ve_init_params["authAllowedSchemas"] = allowed_schemas - if allowed_ecr_roles: - ve_init_params["authAllowedEcrRoles"] = allowed_ecr_roles - if allowed_oor_roles: - ve_init_params["authAllowedOorRoles"] = allowed_oor_roles ve = VerifierEnvironment.initialize(**ve_init_params) if aeid is None: diff --git a/src/verifier/core/authorizing.py b/src/verifier/core/authorizing.py index 5ae08d1..09edd31 100644 --- a/src/verifier/core/authorizing.py +++ b/src/verifier/core/authorizing.py @@ -48,16 +48,10 @@ def setup(hby, vdb, reger): "invalid configuration, invalid LEIs in configuration" ) - accepted_roles = env.authAllowedEcrRoles - if not isinstance(accepted_roles, list): + accepted_schemas = env.authAllowedSchemas + if not isinstance(accepted_schemas, list): raise kering.ConfigurationError( - "invalid configuration, invalid ECR Roles in configuration" - ) - - accepted_roles = env.authAllowedOorRoles - if not isinstance(accepted_roles, list): - raise kering.ConfigurationError( - "invalid configuration, invalid OOR Roles in configuration" + "invalid configuration, invalid Allowed Schemas in configuration" ) authorizer = Authorizer(hby, vdb, reger) @@ -174,12 +168,6 @@ def cred_filters(self, creder) -> tuple[bool, str]: elif len(self.env.trustedLeis) > 0 and creder.attrib["LEI"] not in self.env.trustedLeis: # only process LEI filter if LEI list has been configured res = False, f"LEI: {creder.attrib["LEI"]} not allowed" - elif (creder.schema in (Schema.ECR_SCHEMA, Schema.ECR_SCHEMA_PROD) - and creder.attrib["engagementContextRole"] not in self.env.authAllowedEcrRoles): - res = False, f"{creder.attrib["engagementContextRole"]} is not a valid submitter role" - elif (creder.schema in (Schema.OOR_SCHEMA,) - and creder.attrib["officialRole"] not in self.env.authAllowedOorRoles): - res = False, f"{creder.attrib["officialRole"]} is not a valid submitter role" elif not (chain := self.chain_filters(creder))[0]: res = chain else: diff --git a/src/verifier/core/resolve_env.py b/src/verifier/core/resolve_env.py index bb617c8..6c8d017 100644 --- a/src/verifier/core/resolve_env.py +++ b/src/verifier/core/resolve_env.py @@ -14,8 +14,6 @@ class VerifierEnvironment: mode: str = "production" verifyRootOfTrust: bool = True authAllowedSchemas: List = field(default_factory=lambda: []) - authAllowedEcrRoles: List = field(default_factory=lambda: []) - authAllowedOorRoles: List = field(default_factory=lambda: []) _instance: "VerifierEnvironment" = None diff --git a/tests/core/test_authorizing.py b/tests/core/test_authorizing.py index 94ad071..84012a4 100644 --- a/tests/core/test_authorizing.py +++ b/tests/core/test_authorizing.py @@ -20,11 +20,6 @@ def setup(): allowed_schemas = [ getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD", "TEST_SCHEMA") ] - allowed_ecr_roles = [ - "EBA Data Submitter", - "EBA Data Admin" - ] - allowed_oor_roles = [] verifier_mode = os.environ.get("VERIFIER_ENV", "production") trusted_leis = [] verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1") @@ -34,8 +29,6 @@ def setup(): "trustedLeis": trusted_leis if trusted_leis else [], "verifyRootOfTrust": verify_rot, "authAllowedSchemas": allowed_schemas, - "authAllowedEcrRoles": allowed_ecr_roles, - "authAllowedOorRoles": allowed_oor_roles } VerifierEnvironment.initialize(**ve_init_params) @@ -292,28 +285,6 @@ def test_ecr(seeder): assert passed_filters assert msg == f"Credential passed filters for user {hab.pre} with LEI {LEI1}" - # Test ECR with invalid role - ecr_cred_invalid = get_ecr_cred( - issuer=hab.pre, - recipient=hab.pre, - schema=Schema.ECR_SCHEMA, - registry=registry, - sedge=ecredge, - lei=LEI1, - role="INVALID_ROLE" # Using an invalid role - ) - hab, eccrdntler_invalid, ecsaid_invalid, eckmsgs_invalid, ectmsgs_invalid, ecimsgs_invalid, ecmsgs_invalid = get_cred( - hby, hab, regery, registry, verifier, Schema.ECR_SCHEMA, ecr_cred_invalid, seqner - ) - - auth = Authorizer(hby, vdb, eccrdntler_invalid.rgy.reger) - chain_success, chain_msg = auth.chain_filters(ecr_cred_invalid) - assert chain_success - assert chain_msg == f"QVI->LE->ECR_AUTH->ECR" - passed_filters, msg = auth.cred_filters(ecr_cred_invalid) - assert not passed_filters # Should fail because of invalid role - assert "is not a valid submitter role" in msg - data = '"@method": GET\n"@path": /verify/header\n"signify-resource": EHYfRWfM6RxYbzyodJ6SwYytlmCCW2gw5V-FsoX5BgGx\n"signify-timestamp": 2024-05-01T19:54:53.571000+00:00\n"@signature-params: (@method @path signify-resource signify-timestamp);created=1714593293;keyid=BOieebDzg4uaqZ2zuRAX1sTiCrD3pgGT3HtxqSEAo05b;alg=ed25519"' raw = data.encode("utf-8") cig = hab.sign(ser=raw, indexed=False)[0] diff --git a/tests/core/test_verifying.py b/tests/core/test_verifying.py index aad0c85..2951f7e 100644 --- a/tests/core/test_verifying.py +++ b/tests/core/test_verifying.py @@ -21,11 +21,6 @@ def setup(): allowed_schemas = [ getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD", "TEST_SCHEMA") ] - allowed_ecr_roles = [ - "EBA Data Submitter", - "EBA Data Admin" - ] - allowed_oor_roles = [] verifier_mode = os.environ.get("VERIFIER_ENV", "production") trusted_leis = [] verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1") @@ -34,9 +29,7 @@ def setup(): "mode": verifier_mode, "trustedLeis": trusted_leis if trusted_leis else [], "verifyRootOfTrust": verify_rot, - "authAllowedSchemas": allowed_schemas, - "authAllowedEcrRoles": allowed_ecr_roles, - "authAllowedOorRoles": allowed_oor_roles + "authAllowedSchemas": allowed_schemas } VerifierEnvironment.initialize(**ve_init_params) diff --git a/tests/integration/test_service.py b/tests/integration/test_service.py index 4657478..1ff73fd 100644 --- a/tests/integration/test_service.py +++ b/tests/integration/test_service.py @@ -23,11 +23,6 @@ def setup(): allowed_schemas = [ getattr(Schema, x) for x in ("ECR_SCHEMA", "ECR_SCHEMA_PROD") ] - allowed_ecr_roles = [ - "EBA Data Submitter", - "EBA Data Admin" - ] - allowed_oor_roles = [] verifier_mode = os.environ.get("VERIFIER_ENV", "production") trusted_leis = [] verify_rot = os.getenv("VERIFY_ROOT_OF_TRUST", "False").lower() in ("true", "1") @@ -37,8 +32,6 @@ def setup(): "trustedLeis": trusted_leis if trusted_leis else [], "verifyRootOfTrust": verify_rot, "authAllowedSchemas": allowed_schemas, - "authAllowedEcrRoles": allowed_ecr_roles, - "authAllowedOorRoles": allowed_oor_roles } VerifierEnvironment.initialize(**ve_init_params)