Added EBA Data Admin feature support. Added role to the CredProcessState #99

Merged
merged 1 commit into from
Jan 8, 2025
3 changes: 2 additions & 1 deletion scripts/keri/cf/verifier-config-docker.json
Expand Up @@ -16,7 +16,8 @@
],
"trustedLeis": [],
"allowedEcrRoles": [
"EBA Data Submitter"
"EBA Data Submitter",

Some time soon the vlei-verifier repo configs won't contain these EBA-specific values; perhaps we should refactor to a verifier-config-eba.json or verifier-config-docker-eba.json. Let's decide when that would be appropriate.

"EBA Data Admin"
],
"allowedSchemas": [
"ECR_SCHEMA",
3 changes: 2 additions & 1 deletion scripts/keri/cf/verifier-config-oor-allowed.json
Expand Up @@ -18,7 +18,8 @@

],
"allowedEcrRoles": [
"EBA Data Submitter"
"EBA Data Submitter",
"EBA Data Admin"
],
"allowedOorRoles": [
"HR Manager"
3 changes: 2 additions & 1 deletion scripts/keri/cf/verifier-config-public.json
Expand Up @@ -31,7 +31,8 @@
],
"trustedLeis": [],
"allowedEcrRoles": [
"EBA Data Submitter"
"EBA Data Submitter",
"EBA Data Admin"
],
"allowedSchemas": [
"ECR_SCHEMA",
3 changes: 2 additions & 1 deletion scripts/keri/cf/verifier-config-rootsid.json
Expand Up @@ -16,7 +16,8 @@
],
"trustedLeis": [],
"allowedEcrRoles": [
"EBA Data Submitter"
"EBA Data Submitter",
"EBA Data Admin"
],
"allowedSchemas": [
"ECR_SCHEMA",
3 changes: 2 additions & 1 deletion scripts/keri/cf/verifier-config.json
Expand Up @@ -16,7 +16,8 @@
],
"trustedLeis": [],
"allowedEcrRoles": [
"EBA Data Submitter"
"EBA Data Submitter",
"EBA Data Admin"
],
"allowedSchemas": [
"ECR_SCHEMA",
13 changes: 5 additions & 8 deletions src/verifier/core/authorizing.py
Expand Up @@ -15,19 +15,14 @@
from keri.core import coring
from keri.help import helping

from verifier.core.basing import Account, CredProcessState, AUTH_REVOKED
from verifier.core.basing import Account, CredProcessState, AUTH_REVOKED, AUTH_PENDING, AUTH_SUCCESS, AUTH_EXPIRE, \
AUTH_FAIL, CRED_CRYPT_VALID
from verifier.core.constants import Schema, EBA_DATA_SUBMITTER_ROLE
from verifier.core.resolve_env import VerifierEnvironment
from verifier.core.verifying import CRED_CRYPT_VALID

# Hard-coded vLEI Engagement context role to accept. This would be configurable in production
DEFAULT_EBA_ROLE = "EBA Data Submitter"

AUTH_PENDING = "Credential pending authorization"
AUTH_SUCCESS = "Credential authorized"
AUTH_FAIL = "Credential unauthorized"
AUTH_EXPIRE = "Credential authorization expired"


# Hard coded credential JSON Schema SAID for the vLEI Engagement Context Role Credential

Expand Down Expand Up @@ -139,7 +134,9 @@ def processPresentations(self):
# are there multiple creds for the same said?
passed_cred_filters, info = self.cred_filters(creder)
if passed_cred_filters:
cred_state = CredProcessState(said=state.said, state=AUTH_SUCCESS, info=info)
cred_state = CredProcessState(said=state.said, state=AUTH_SUCCESS, info=info,
role=creder.attrib["engagementContextRole"] or creder.attrib[
"officialRole"])
acct = Account(creder.attrib["i"], creder.said, creder.attrib["LEI"])
self.vdb.accts.pin(keys=(creder.attrib["i"],), val=acct)
else:
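Review bot: `creder.attrib["engagementContextRole"] or creder.attrib["officialRole"]` in the new `CredProcessState(...)` call raises `KeyError` instead of falling through when the first key is absent, which is precisely the OOR case the `officialRole` fallback is meant to handle, so an OOR presentation that has already passed `cred_filters` would raise out of this branch rather than be recorded as `AUTH_SUCCESS`. Use the non-raising accessor: `role=creder.attrib.get("engagementContextRole") or creder.attrib.get("officialRole")` (this assumes `attrib` is a plain dict, as the existing `creder.attrib["i"]` indexing suggests — confirm). The first hunk still imports `EBA_DATA_SUBMITTER_ROLE` while the configs now also allow "EBA Data Admin"; if `cred_filters` compares against that single constant rather than the configured `allowedEcrRoles`, the config change has no effect — worth confirming since that code is outside the hunk. `processPresentations` starts before the hunk and continues after it.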
5 changes: 5 additions & 0 deletions src/verifier/core/basing.py
Expand Up @@ -22,6 +22,7 @@ class CredProcessState:
said: Optional[str] = None
state: Optional[str] = None
info: Optional[str] = None
role: Optional[str] = None
date: str = field(default_factory=lambda: datetime.datetime.now(datetime.UTC).isoformat())

def __iter__(self):
Expand All @@ -31,6 +32,10 @@ def __iter__(self):
CRED_CRYPT_VALID = "Credential cryptographically valid"
CRED_AGE_OFF = "Credential presentation has aged off"
AUTH_REVOKED = "Credential revoked"
AUTH_PENDING = "Credential pending authorization"
AUTH_SUCCESS = "Credential authorized"
AUTH_FAIL = "Credential unauthorized"
AUTH_EXPIRE = "Credential authorization expired"

def cred_age_off(state: CredProcessState, timeout: float):
# cancel presentations that have been around longer than timeout
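Review bot: The new `role` field carries no comment saying what it holds, and `__iter__`, whose body lies outside the hunk, is not touched by this diff; if it enumerates the fields by name, `role` will be silently dropped whenever the state is serialized, and records persisted before this change will come back with `role` unset. Suggest `role: Optional[str] = None  # engagementContextRole or officialRole of the credential that authorized this AID; None for states stored before this field existed`, and confirm that `__iter__` and the `iss` reader tolerate the field being absent. The `AUTH_*` strings moved here from authorizing.py are unchanged in value, so existing stored `state` values still compare equal.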
23 changes: 15 additions & 8 deletions src/verifier/core/verifying.py
Expand Up @@ -7,11 +7,18 @@
from keri import kering
from keri.core import coring, parsing, Siger
from keri.vdr import verifying, eventing

from verifier.core.authorizing import AUTH_EXPIRE
from verifier.core.basing import (
CRED_CRYPT_INVALID,
CRED_CRYPT_VALID,
CredProcessState,
cred_age_off, AUTH_REVOKED,
cred_age_off,
AUTH_REVOKED,
AUTH_PENDING,
AUTH_SUCCESS,
AUTH_EXPIRE,
AUTH_FAIL
)
from verifier.core.utils import process_revocations, add_root_of_trust, add_oobi, DigerBuilder

Expand Down Expand Up @@ -451,12 +458,12 @@ def on_get(self, req, rep, aid):
"""
rep.content_type = "application/json"
acct = self.vdb.accts.get(keys=(aid,))
state: CredProcessState = self.vdb.iss.get(keys=(aid,))
if aid not in self.hby.kevers:
rep.status = falcon.HTTP_UNAUTHORIZED
rep.data = json.dumps(dict(msg=f"unknown AID: {aid}")).encode("utf-8")
elif acct is None:
elif acct is None or state is None or state.state == AUTH_EXPIRE:
rep.status = falcon.HTTP_UNAUTHORIZED
state: CredProcessState = self.vdb.iss.get(keys=(aid,))
if state is None:
rep.data = json.dumps(
dict(
Expand All @@ -470,10 +477,12 @@ def on_get(self, req, rep, aid):
)
).encode("utf-8")
else:
state: CredProcessState = self.vdb.iss.get(keys=(aid,))
body = dict(
aid=aid,
said=acct.said,
lei=acct.lei,
role=state.role,
msg=f"AID {aid} w/ lei {acct.lei} has valid login account",
)

Expand Down Expand Up @@ -632,12 +641,10 @@ def on_post(self, req, rep):
type: string
description: qb64 AID of presenter
responses:
200:
description: AID is authorized to sign requests
202:
description: Signature valid
404:
description: AID has never presented any credentials
403:
description: AID has presented an invalid or subsequently revoked credential
description: Bad request
401:
description: provided signature is not valid against values of the request
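Review bot: The new guard `elif acct is None or state is None or state.state == AUTH_EXPIRE:` in the first `on_get` hunk still falls into the "valid login account" response (now carrying `role=state.role`) for every other non-success state, so an AID whose `accts` entry survives while `iss` holds `AUTH_REVOKED` or `AUTH_FAIL` passes as authorized. Unless the `accts` entry is always removed on those transitions (`process_revocations` is imported but not visible here — confirm), the positive check is both clearer and closes the gap: `elif acct is None or state is None or state.state != AUTH_SUCCESS:`. `on_get` begins before the hunk and its `else` branch continues outside it. In the `on_post` docstring hunk, if `403:` is now paired with `description: Bad request`, the two disagree (403 is Forbidden, 400 is Bad Request); align the description with whatever status the handler actually sets, e.g. `description: AID is not authorized to sign requests`.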
