From 2173f7ac9edfb5156ab8e24a46720f54a7caf077 Mon Sep 17 00:00:00 2001 From: Aidar Negimatzhanov Date: Mon, 6 Jan 2025 19:52:52 +0100 Subject: [PATCH] Added EBA Data Admin feature support. Added role to the CredProcessState --- scripts/keri/cf/verifier-config-docker.json | 3 ++- .../keri/cf/verifier-config-oor-allowed.json | 3 ++- scripts/keri/cf/verifier-config-public.json | 3 ++- scripts/keri/cf/verifier-config-rootsid.json | 3 ++- scripts/keri/cf/verifier-config.json | 3 ++- src/verifier/core/authorizing.py | 13 ++++------- src/verifier/core/basing.py | 5 ++++ src/verifier/core/verifying.py | 23 ++++++++++++------- 8 files changed, 35 insertions(+), 21 deletions(-) diff --git a/scripts/keri/cf/verifier-config-docker.json b/scripts/keri/cf/verifier-config-docker.json index 182ca32..edbefb8 100755 --- a/scripts/keri/cf/verifier-config-docker.json +++ b/scripts/keri/cf/verifier-config-docker.json @@ -16,7 +16,8 @@ ], "trustedLeis": [], "allowedEcrRoles": [ - "EBA Data Submitter" + "EBA Data Submitter", + "EBA Data Admin" ], "allowedSchemas": [ "ECR_SCHEMA", diff --git a/scripts/keri/cf/verifier-config-oor-allowed.json b/scripts/keri/cf/verifier-config-oor-allowed.json index d4eba6c..5925204 100755 --- a/scripts/keri/cf/verifier-config-oor-allowed.json +++ b/scripts/keri/cf/verifier-config-oor-allowed.json @@ -18,7 +18,8 @@ ], "allowedEcrRoles": [ - "EBA Data Submitter" + "EBA Data Submitter", + "EBA Data Admin" ], "allowedOorRoles": [ "HR Manager" diff --git a/scripts/keri/cf/verifier-config-public.json b/scripts/keri/cf/verifier-config-public.json index 985913d..4634dc4 100755 --- a/scripts/keri/cf/verifier-config-public.json +++ b/scripts/keri/cf/verifier-config-public.json @@ -31,7 +31,8 @@ ], "trustedLeis": [], "allowedEcrRoles": [ - "EBA Data Submitter" + "EBA Data Submitter", + "EBA Data Admin" ], "allowedSchemas": [ "ECR_SCHEMA", 
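Review bot: `verifier-config-public.json` now places `EBA Data Admin` in `allowedEcrRoles` on the same footing as `EBA Data Submitter`, and the identical widening is applied to every other profile in this patch, including the `public` one. Nothing else in the patch treats the two roles differently beyond recording the role string on the authorization record, so any privilege difference between Admin and Submitter has to be enforced by whatever consumes the `/authorizations` response; if that is the intent it should be stated wherever these config keys are documented, since JSON leaves no room for an inline comment. Please also confirm that a `public` deployment is meant to accept admin-role holders rather than only the docker/rootsid profiles.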
diff --git a/scripts/keri/cf/verifier-config-rootsid.json b/scripts/keri/cf/verifier-config-rootsid.json index e465f75..20a4f60 100755 --- a/scripts/keri/cf/verifier-config-rootsid.json +++ b/scripts/keri/cf/verifier-config-rootsid.json @@ -16,7 +16,8 @@ ], "trustedLeis": [], "allowedEcrRoles": [ - "EBA Data Submitter" + "EBA Data Submitter", + "EBA Data Admin" ], "allowedSchemas": [ "ECR_SCHEMA", diff --git a/scripts/keri/cf/verifier-config.json b/scripts/keri/cf/verifier-config.json index ab0b7db..523438b 100755 --- a/scripts/keri/cf/verifier-config.json +++ b/scripts/keri/cf/verifier-config.json @@ -16,7 +16,8 @@ ], "trustedLeis": [], "allowedEcrRoles": [ - "EBA Data Submitter" + "EBA Data Submitter", + "EBA Data Admin" ], "allowedSchemas": [ "ECR_SCHEMA", diff --git a/src/verifier/core/authorizing.py b/src/verifier/core/authorizing.py index 9f884e3..71f8844 100644 --- a/src/verifier/core/authorizing.py +++ b/src/verifier/core/authorizing.py @@ -15,19 +15,14 @@ from keri.core import coring from keri.help import helping -from verifier.core.basing import Account, CredProcessState, AUTH_REVOKED +from verifier.core.basing import Account, CredProcessState, AUTH_REVOKED, AUTH_PENDING, AUTH_SUCCESS, AUTH_EXPIRE, \ + AUTH_FAIL, CRED_CRYPT_VALID from verifier.core.constants import Schema, EBA_DATA_SUBMITTER_ROLE from verifier.core.resolve_env import VerifierEnvironment -from verifier.core.verifying import CRED_CRYPT_VALID # Hard-coded vLEI Engagement context role to accept. This would be configurable in production DEFAULT_EBA_ROLE = "EBA Data Submitter" -AUTH_PENDING = "Credential pending authorization" -AUTH_SUCCESS = "Credential authorized" -AUTH_FAIL = "Credential unauthorized" -AUTH_EXPIRE = "Credential authorization expired" - # Hard coded credential JSON Schema SAID for the vLEI Engagement Context Role Credential 
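Review bot: `DEFAULT_EBA_ROLE = "EBA Data Submitter"` (context line just below the new import) still names only the Submitter role while every config in this patch now allows `EBA Data Admin` as well; if that constant is still consulted as a fallback when `allowedEcrRoles` is not configured — its uses are outside this hunk — an Admin credential would be rejected on such a deployment, and it already duplicates `EBA_DATA_SUBMITTER_ROLE` imported from `verifier.core.constants`. Either remove it or keep it in step with the config key, e.g. `DEFAULT_EBA_ROLES = [EBA_DATA_SUBMITTER_ROLE, "EBA Data Admin"]`, so there is one source of truth for the default. As a point of style, the new backslash-continued import should use the parenthesised form that `verifying.py` in this same patch already uses: `from verifier.core.basing import (Account, CredProcessState, AUTH_REVOKED, AUTH_PENDING, AUTH_SUCCESS, AUTH_EXPIRE, AUTH_FAIL, CRED_CRYPT_VALID)`.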
@@ -139,7 +134,9 @@ def processPresentations(self): # are there multiple creds for the same said? passed_cred_filters, info = self.cred_filters(creder) if passed_cred_filters: - cred_state = CredProcessState(said=state.said, state=AUTH_SUCCESS, info=info) + cred_state = CredProcessState(said=state.said, state=AUTH_SUCCESS, info=info, + role=creder.attrib["engagementContextRole"] or creder.attrib[ + "officialRole"]) acct = Account(creder.attrib["i"], creder.said, creder.attrib["LEI"]) self.vdb.accts.pin(keys=(creder.attrib["i"],), val=acct) else: diff --git a/src/verifier/core/basing.py b/src/verifier/core/basing.py index 5facd5a..613fa2b 100644 --- a/src/verifier/core/basing.py +++ b/src/verifier/core/basing.py @@ -22,6 +22,7 @@ class CredProcessState: said: Optional[str] = None state: Optional[str] = None info: Optional[str] = None + role: Optional[str] = None date: str = field(default_factory=lambda: datetime.datetime.now(datetime.UTC).isoformat()) def __iter__(self): @@ -31,6 +32,10 @@ def __iter__(self): CRED_CRYPT_VALID = "Credential cryptographically valid" CRED_AGE_OFF = "Credential presentation has aged off" AUTH_REVOKED = "Credential revoked" +AUTH_PENDING = "Credential pending authorization" +AUTH_SUCCESS = "Credential authorized" +AUTH_FAIL = "Credential unauthorized" +AUTH_EXPIRE = "Credential authorization expired" def cred_age_off(state: CredProcessState, timeout: float): # cancel presentations that have been around longer than timeout diff --git a/src/verifier/core/verifying.py b/src/verifier/core/verifying.py index 407cd79..8ecc079 100644 --- a/src/verifier/core/verifying.py +++ b/src/verifier/core/verifying.py 
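Review bot: `creder.attrib["engagementContextRole"] or creder.attrib["officialRole"]` raises `KeyError` instead of falling through to `officialRole` whenever the attribute block has no `engagementContextRole` key, which is precisely the case for an OOR credential admitted through `allowedOorRoles` (the `oor-allowed` config in this patch enables that path); the `or` only helps when the key is present with an empty value, and the exception fires after `cred_filters` has already passed. Use `.get()` so the fallback actually runs: `role=creder.attrib.get("engagementContextRole") or creder.attrib.get("officialRole")`. The value persisted here is the credential's own claim, and it is only safe to store because `cred_filters` is presumed to have checked it against the allowed role lists (its body is not in the hunk), so a why-comment on the `role=` line would help, e.g. `# role string already vetted against allowedEcrRoles/allowedOorRoles by cred_filters`. `processPresentations` starts and ends outside the hunk.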
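Review bot: The `AUTH_*` strings moved here are the persisted authorization states that `verifying.py` compares by equality (`state.state == AUTH_EXPIRE` in this same patch), but nothing at the definition site says so or distinguishes the one success state from the three failure states. A short comment above the group would help the next reader, e.g. `# Authorization outcomes recorded in CredProcessState.state; compared by equality in verifying.py`, with a second line naming which of them is treated as authorized once that is confirmed. Longer term a `StrEnum` would make the set closed and exhaustively matchable, but that is beyond this patch.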
@@ -7,11 +7,18 @@ from keri import kering from keri.core import coring, parsing, Siger from keri.vdr import verifying, eventing + +from verifier.core.authorizing import AUTH_EXPIRE from verifier.core.basing import ( CRED_CRYPT_INVALID, CRED_CRYPT_VALID, CredProcessState, - cred_age_off, AUTH_REVOKED, + cred_age_off, + AUTH_REVOKED, + AUTH_PENDING, + AUTH_SUCCESS, + AUTH_EXPIRE, + AUTH_FAIL ) from verifier.core.utils import process_revocations, add_root_of_trust, add_oobi, DigerBuilder @@ -451,12 +458,12 @@ def on_get(self, req, rep, aid): """ rep.content_type = "application/json" acct = self.vdb.accts.get(keys=(aid,)) + state: CredProcessState = self.vdb.iss.get(keys=(aid,)) if aid not in self.hby.kevers: rep.status = falcon.HTTP_UNAUTHORIZED rep.data = json.dumps(dict(msg=f"unknown AID: {aid}")).encode("utf-8") - elif acct is None: + elif acct is None or state is None or state.state == AUTH_EXPIRE: rep.status = falcon.HTTP_UNAUTHORIZED - state: CredProcessState = self.vdb.iss.get(keys=(aid,)) if state is None: rep.data = json.dumps( dict( @@ -470,10 +477,12 @@ def on_get(self, req, rep, aid): ) ).encode("utf-8") else: + state: CredProcessState = self.vdb.iss.get(keys=(aid,)) body = dict( aid=aid, said=acct.said, lei=acct.lei, + role=state.role, msg=f"AID {aid} w/ lei {acct.lei} has valid login account", ) @@ -632,12 +641,10 @@ def on_post(self, req, rep): type: string description: qb64 AID of presenter responses: - 200: - description: AID is authorized to sign requests + 202: + description: Signature valid 404: - description: AID has never presented any credentials - 403: - description: AID has presented an invalid or subsequently revoked credential + description: Bad request 401: description: provided signature is not valid against values of the request
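Review bot: `AUTH_EXPIRE` is imported twice in this hunk — once via `from verifier.core.authorizing import AUTH_EXPIRE` and again inside the `verifier.core.basing` import list — and the `authorizing` import is the only thing that makes `verifying.py` depend on `authorizing.py`, which this patch otherwise decoupled by moving the constants into `basing` and dropping `authorizing`'s import from `verifying`. Drop the `authorizing` import line (and the blank line added with it) and keep the `basing` list as the single source. Whether the other newly imported names (`AUTH_PENDING`, `AUTH_SUCCESS`, `AUTH_FAIL`) are actually used is outside the hunk; if they are not, they should go too.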
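Review bot: The new guard `state.state == AUTH_EXPIRE` denies only one of the non-success states; `AUTH_REVOKED` and `AUTH_FAIL` are defined in `basing.py` and imported in this same file, so a credential whose state was later set to revoked or failed is still reported as a valid login as long as an `accts` record remains (whether revocation also deletes that record is not visible here). An authorization check should allow-list the single good state rather than deny-list one bad one: `elif acct is None or state is None or state.state != AUTH_SUCCESS:`. That also means this line does not need revisiting when another terminal state is added. `on_get` continues past the hunk.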
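Review bot: The `state: CredProcessState = self.vdb.iss.get(keys=(aid,))` line added in the `else` branch re-reads a record the method already fetched right after `acct` earlier in this same patch; drop it so the value the guard tested and the value reported in the body are the same object. `role=state.role` will be `None` for authorization records written before the `role` field existed, if such records persist across this upgrade; if consumers of this endpoint will key decisions on `role`, either document that `null` is possible in the response schema above the method (outside the hunk) or treat a missing role as not authorized rather than echoing it.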