def build_from_dict(self, data: dict) -> RegisterDocument:
"""
Build a valid immutable register document from dict.
:param data: register document as dict
:return: valid register document
:raises:
IdentityInvalidDocumentError: if invalid dict data
IdentityInvalidDocumentError: if invalid document
IdentityRegisterDocumentKeyConflictError: if key name is not unique
"""
try:
for k in data['publicKey']:
self.add_public_key_obj(RegisterPublicKey.from_dict(k))
for k in data.get('authentication', []):
self.add_authentication_key_obj(RegisterAuthenticationPublicKey.from_dict(k))
for k in data.get('delegateAuthentication', []):
self.add_authentication_delegation_obj(RegisterDelegationProof.from_dict(k))
for k in data.get('delegateControl', []):
self.add_control_delegation_obj(RegisterDelegationProof.from_dict(k))
raw_controller = data.get('controller')
controller = Issuer.from_string(raw_controller) if raw_controller else None
return self.build(data['id'], DIDType(data['ioticsDIDType']), data['proof'], data.get('revoked', False),
Metadata.from_dict(data.get('metadata', {})), data.get('creator'),
data['ioticsSpecVersion'], data['updateTime'], controller)
except (TypeError, KeyError, ValueError) as err:
raise IdentityInvalidDocumentError(f'Can not parse invalid register document: \'{err}\'') from err
def get_valid_doc_from_token(
token: str,
get_controller_doc: GetControllerDocFunc) -> RegisterDocument:
"""
Get a valid RegisterDocument from a resolver token.
:param token: resolver token
:param get_controller_doc: get controller register document function
:return: valid register document
:raises:
IdentityResolverError: if invalid token
IdentityResolverError: if invalid document
"""
try:
unverified = JwtTokenHelper.decode_token(token)
doc = RegisterDocumentBuilder().build_from_dict(unverified['doc'])
issuer = Issuer.from_string(unverified['iss'])
issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_control_only(
doc, issuer.name, get_controller_doc)
if not issuer_key:
raise IdentityInvalidRegisterIssuerError(
f'Invalid issuer {issuer}')
JwtTokenHelper.decode_and_verify_token(
token, issuer_key.public_key_base58, unverified['aud'])
return doc
except (KeyError, ValueError, IdentityValidationError,
IdentityInvalidRegisterIssuerError) as exc:
raise IdentityResolverError(
f'Can not deserialized invalid resolver token: \'{exc}\''
) from exc
def new_registered_identity(self, purpose: DIDType, key_pair_secrets: KeyPairSecrets,
name: str = None, override_doc: bool = False) -> RegisteredIdentity:
"""
Create and register a new registered identity and its associated register document against the resolver.
:param key_pair_secrets: new registered identity owner secrets
:param name: Optional new registered identity name (default: '#<purpose>-0')
following this pattern: '#[a-zA-Z\\-\\_0-9]{1, 24}'
:param purpose: registered identity purpose (HOST, TWIN, USER or AGENT)
:param override_doc: override registered identity document if already exist (default False)
:return: registered identity
:raises:
IdentityValidationError: if invalid secrets
IdentityValidationError: if invalid name
IdentityInvalidDocumentError: if document build error
IdentityResolverConflictError: register document already exists with different owners
IdentityResolverError: if can not interact with the resolver
IdentityDependencyError: if incompatible library dependency
"""
key_pair = KeyPairSecretsHelper.get_key_pair(key_pair_secrets)
did = AdvancedIdentityLocalApi.create_identifier(key_pair.public_bytes)
name = name or f'{ISSUER_SEPARATOR}{purpose}-0'
issuer = Issuer.build(did, name)
if override_doc:
self.register_new_doc(key_pair_secrets, issuer, purpose)
return RegisteredIdentity(key_pair_secrets, issuer)
issuer_key = IssuerKey.build(issuer.did, issuer.name, key_pair.public_base58)
return self.register_new_identity_if_not_exists(issuer_key, key_pair_secrets, purpose)
def test_get_auth_delegation_by_controller_returns_none_if_not_found(
auth_deleg_proof, min_doc_owner_pub_key):
doc = get_doc_with_keys(deleg_auth=auth_deleg_proof.values(),
public_keys=[min_doc_owner_pub_key])
issuer = Issuer.build('did:iotics:iotHHHHKpPGWyEC4FFo4d6oyzVVk6MXLmEgY',
'#DoesNotExist')
deleg_proof = RegisterDocumentHelper.get_register_delegation_proof_by_controller(
issuer, doc, include_auth=True)
assert not deleg_proof
def test_register_doc_raises_resolver_error_if_can_not_register(
valid_key_pair_secrets, valid_key_pair):
resolver_client = ResolverClientTestWithError(
register_err=IdentityResolverError('an error'))
api = AdvancedIdentityRegisterApi(resolver_client)
issuer = Issuer.build(make_identifier(valid_key_pair.public_bytes),
'#NewIssuer')
with pytest.raises(IdentityResolverError):
api.register_new_doc(valid_key_pair_secrets, issuer, DIDType.AGENT)
def test_get_valid_doc_from_token_raises_invalid_issuer_if_can_not_find_issuer(
simple_doc, valid_private_key):
not_in_doc_issuer = Issuer.build(simple_doc.did, '#NotInDoc')
token = get_inconsistent_token(str(not_in_doc_issuer),
simple_doc.to_dict(), valid_private_key)
with pytest.raises(IdentityResolverError) as err_wrapper:
ResolverSerializer.get_valid_doc_from_token(
token, get_controller_doc=raise_if_called)
assert isinstance(err_wrapper.value.__cause__,
IdentityInvalidRegisterIssuerError)
def test_build_proof_from_challenge_token_raises_issuer_error_if_issuer_not_in_doc(
register_doc, valid_private_key, valid_key_pair_secrets):
other_issuer = Issuer.build(register_doc.did, '#OtherIssuer')
proof = Proof.build(valid_key_pair_secrets,
other_issuer,
content=b'a content')
challenge_token = build_new_challenge_token(proof, valid_private_key)
resolver_client = ResolverClientTest(docs={register_doc.did: register_doc})
with pytest.raises(IdentityInvalidRegisterIssuerError):
Proof.from_challenge_token(resolver_client, challenge_token)
def get_valid_delegated_doc_and_deleg_proof(seed: bytes, issuer_name: str,
delegating_doc_id: str,
deleg_name: str):
secrets = KeyPairSecrets.build(seed, 'iotics/0/something/twindeleg')
public_base58 = KeyPairSecretsHelper.get_public_key_base58_from_key_pair_secrets(
secrets)
public_bytes = base58.b58decode(public_base58)
doc_id = make_identifier(public_bytes)
issuer = Issuer.build(doc_id, issuer_name)
proof = Proof.build(secrets, issuer, content=doc_id.encode())
deleg_key = get_delegation_register_proof(
subject_key_pair_secrets=secrets,
content=delegating_doc_id.encode(),
p_type=DelegationProofType.DID,
subject_issuer=Issuer.build(doc_id, issuer_name),
deleg_key_name=deleg_name)
delegated_doc = RegisterDocumentBuilder() \
.add_public_key_obj(RegisterPublicKey(issuer_name, public_base58, revoked=False)) \
.build(doc_id, DIDType.TWIN, proof=proof.signature, revoked=False)
return delegated_doc, deleg_key
def test_building_a_register_doc_raises_if_same_delegation_is_added_twice(
doc_keys):
duplicate_deleg_control_key1 = RegisterDelegationProof(
name=doc_keys['#deleg_control_key1'].name,
controller=Issuer('did:iotics:iotHjrmKpPGWyEC4FFo4d6oyzVVk6MXFFFFF',
'#AController'),
proof=doc_keys['#deleg_control_key1'].proof,
revoked=doc_keys['#deleg_control_key1'].revoked)
with pytest.raises(IdentityRegisterDocumentKeyConflictError):
RegisterDocumentBuilder() \
.add_control_delegation_obj(doc_keys['#deleg_control_key1']) \
.add_control_delegation_obj(duplicate_deleg_control_key1)
def test_can_get_issuer_by_public_key(valid_key_pair):
doc_did = make_identifier(valid_key_pair.public_bytes)
key_issuer = Issuer.build(doc_did, '#AnIssuer')
doc = RegisterDocumentBuilder() \
.add_public_key_obj(RegisterPublicKey(key_issuer.name, valid_key_pair.public_base58, revoked=False)) \
.build(key_issuer.did,
DIDType.TWIN,
proof='a proof, does not matter here',
revoked=False)
issuer = RegisterDocumentHelper.get_issuer_from_public_key(
doc, valid_key_pair.public_base58)
assert issuer == key_issuer
def test_can_register_a_doc(valid_key_pair_secrets, valid_key_pair):
resolver_client = ResolverClientTest(docs={})
api = AdvancedIdentityRegisterApi(resolver_client)
did = make_identifier(valid_key_pair.public_bytes)
issuer = Issuer.build(did, '#NewIssuer')
api.register_new_doc(valid_key_pair_secrets, issuer, DIDType.AGENT)
registered_doc = resolver_client.docs.get(issuer.did)
assert registered_doc
owner_key = registered_doc.public_keys.get(issuer.name)
assert owner_key.name == issuer.name
assert owner_key.base58 == valid_key_pair.public_base58
assert not owner_key.revoked
def doc_delegating_authentication(delegating_issuer_name, delegating_secrets,
allowed_issuer_secrets, allowed_issuer):
doc = get_valid_document_from_secret(delegating_secrets,
delegating_issuer_name)
delegating_issuer = Issuer.build(doc.did, delegating_issuer_name)
proof = Proof.build(allowed_issuer_secrets,
allowed_issuer,
content=delegating_issuer.did.encode())
return RegisterDocumentBuilder() \
.add_authentication_delegation_obj(RegisterDelegationProof.build('#ADeleg',
controller=allowed_issuer,
proof=proof.signature)) \
.build_from_existing(doc)
def test_validate_delegation_raises_validation_error_if_delegation_to_self(
deleg_doc_did, valid_key_pair_secrets):
deleg_proof = get_delegation_register_proof(
subject_key_pair_secrets=valid_key_pair_secrets,
# parent and delegated doc are the same
content=deleg_doc_did.encode(),
p_type=DelegationProofType.DID,
subject_issuer=Issuer.build(deleg_doc_did, '#AController'))
resolver_client = ResolverClientTest()
with pytest.raises(IdentityInvalidDocumentDelegationError):
DelegationValidation.validate_delegation(resolver_client,
doc_id=deleg_doc_did,
deleg_proof=deleg_proof)
def auth_deleg_proof():
issuer1 = Issuer.from_string(
'did:iotics:iotHHHHKpPGWyEC4FFo4d6oyzVVk6MXLmEgY#ctrl1')
issuer2 = Issuer.from_string(
'did:iotics:iotHHHHKpPGWyEC4FFo4d6oyzVVk6MXLmEgY#ctrl2')
issuer3 = Issuer.from_string(
'did:iotics:iotHHHHKpPGWyEC4FFo4d6oyzVVk6MXLmEgY#ctrl3')
return {
'#DelegAuthKey1':
RegisterDelegationProof.build('#DelegAuthKey1',
issuer1,
proof='proof',
revoked=False),
'#DelegAuthKey2':
RegisterDelegationProof.build('#DelegAuthKey2',
issuer2,
proof='proof',
revoked=False),
'#DelegAuthKey3':
RegisterDelegationProof.build('#DelegAuthKey3',
issuer3,
proof='proof',
revoked=False),
}
def test_validate_delegation_raises_validation_error_if_resolver_error(
doc_did, deleg_doc_did, valid_key_pair_secrets, resolver_err):
controller_name = '#AController'
deleg_proof = get_delegation_register_proof(
subject_key_pair_secrets=valid_key_pair_secrets,
content=doc_did.encode(),
p_type=DelegationProofType.DID,
subject_issuer=Issuer.build(deleg_doc_did, controller_name))
resolver_client = ResolverClientWithError(error_to_raise=resolver_err())
with pytest.raises(IdentityInvalidDocumentDelegationError) as err_wrapper:
DelegationValidation.validate_delegation(resolver_client,
doc_id=doc_did,
deleg_proof=deleg_proof)
assert isinstance(err_wrapper.value.__cause__, resolver_err)
def get_issuer_from_public_key(doc: RegisterDocument, public_base58: str) -> Optional[Issuer]:
"""
Find a register key by issuer and returns True/False if found.
Lookup in the register document public keys (and authentication keys if include_auth is set to True).
:param doc: existing register document
:param public_base58: public key to search for as base58 string
:return: Issuer or None
:raises:
IdentityValidationError: if invalid name or did
"""
for key in doc.public_keys.values():
if key.base58 == public_base58:
return Issuer.build(doc.did, key.name)
return None
def test_can_get_valid_issuer_for_control_only(issuer_name,
register_doc_and_deleg_doc):
doc, deleg_doc = register_doc_and_deleg_doc
def get_ctrl_doc(did: str):
assert did.startswith(did)
return deleg_doc
assert issuer_name in doc.public_keys or issuer_name in deleg_doc.public_keys
issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_control_only(
doc, issuer_name, get_ctrl_doc)
assert issuer_key.issuer == Issuer.build(doc.did, issuer_name)
expected_base58 = doc.public_keys.get(
issuer_name, deleg_doc.public_keys.get(issuer_name))
assert expected_base58, f'test setup error, {issuer_name} should be in one of the docs public keys'
assert issuer_key.public_key_base58 == expected_base58.base58
def get_valid_document_from_secret(secrets: KeyPairSecrets,
issuer_name: str,
controller: Issuer = None):
public_base58 = KeyPairSecretsHelper.get_public_key_base58_from_key_pair_secrets(
secrets)
public_bytes = base58.b58decode(public_base58)
doc_id = make_identifier(public_bytes)
proof = Proof.build(secrets,
Issuer.build(doc_id, issuer_name),
content=doc_id.encode())
return RegisterDocumentBuilder() \
.add_public_key_obj(RegisterPublicKey(issuer_name, public_base58, revoked=False)) \
.build(doc_id,
DIDType.TWIN,
proof=proof.signature,
revoked=False,
controller=controller)
def test_verify_authentication_raises_auth_error_if_issuer_not_in_doc_keys_or_deleg(
authentication_subject_doc, valid_private_key):
not_auth_issuer = Issuer.build(authentication_subject_doc.did,
'#OtherIssuer')
token_from_not_auth_issuer = JwtTokenHelper.create_auth_token(
iss=str(not_auth_issuer),
sub=authentication_subject_doc.did,
aud='http://audience/',
duration=360,
private_key=valid_private_key)
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(
resolver_client, token=token_from_not_auth_issuer)
assert isinstance(err_wrapper.value.__cause__,
IdentityInvalidRegisterIssuerError)
def from_dict(data: dict):
"""
Build a register delegation public key from dict.
:param data: register delegation public key as dict
:return: valid register delegation key
:raises:
IdentityValidationError: if invalid register delegation public key as dict
"""
try:
controller = Issuer.from_string(data['controller'])
proof_type = DelegationProofType(data.get('proofType', DelegationProofType.DID.value))
return RegisterDelegationProof.build(data['id'], controller, data['proof'],
data.get('revoked', False),
proof_type)
except (TypeError, KeyError, ValueError) as err:
raise IdentityValidationError(f'Can not parse invalid register delegation proof: \'{err}\'') from err
def test_validate_delegation_raises_validation_error_if_invalid_delegation_proof(
doc_did, deleg_doc_did, valid_issuer_key, other_key_pair_secrets):
controller_name = '#AController'
corrupted_deleg_proof = get_delegation_register_proof(
subject_key_pair_secrets=other_key_pair_secrets,
content=doc_did.encode(),
p_type=DelegationProofType.DID,
subject_issuer=Issuer.build(deleg_doc_did, controller_name))
deleg_doc = get_delegation_doc_for(
controller_name=controller_name,
doc_id=deleg_doc_did,
public_base58=valid_issuer_key.public_key_base58)
resolver_client = ResolverClientTest(docs={deleg_doc_did: deleg_doc})
with pytest.raises(IdentityInvalidDocumentDelegationError) as err_wrapper:
DelegationValidation.validate_delegation(
resolver_client, doc_id=doc_did, deleg_proof=corrupted_deleg_proof)
assert isinstance(err_wrapper.value.__cause__, IdentityInvalidProofError)
def test_can_validate_delegation(doc_did, deleg_doc_did, valid_issuer_key,
valid_key_pair_secrets, proof_type,
get_content):
controller_name = '#AController'
deleg_proof = get_delegation_register_proof(
subject_key_pair_secrets=valid_key_pair_secrets,
content=get_content(doc_did),
p_type=proof_type,
subject_issuer=Issuer.build(deleg_doc_did, controller_name))
deleg_doc = get_delegation_doc_for(
controller_name=controller_name,
doc_id=deleg_doc_did,
public_base58=valid_issuer_key.public_key_base58)
resolver_client = ResolverClientTest(docs={deleg_doc_did: deleg_doc})
assert is_validator_run_success(DelegationValidation.validate_delegation,
resolver_client,
doc_id=doc_did,
deleg_proof=deleg_proof)
def remove_authentication_key_from_document(self, name: str,
doc_owner_key_pair: KeyPair,
doc_owner_issuer: Issuer) -> Issuer:
"""
Remove a register authentication public key from a register document.
:param name: authentication public key name
:param doc_owner_key_pair: register document owner key pair
:param doc_owner_issuer: register document owner issuer
:return: new key issuer
:raises:
IdentityValidationError: if invalid authentication public key name
IdentityInvalidDocumentError: if invalid register document
IdentityResolverError: if resolver error
"""
self._update_doc(doc_owner_key_pair, doc_owner_issuer, get_updated_doc=self.auth_key_api.remove_doc_key,
key_name=name)
return Issuer.build(doc_owner_issuer.did, name)
def test_validate_delegation_raises_validation_error_if_invalid_proof_type(
doc_did, deleg_doc_did, valid_issuer_key):
controller_name = '#AController'
deleg_proof = RegisterDelegationProof(name='#DelegKey',
controller=Issuer.build(
deleg_doc_did, controller_name),
proof='a signature',
proof_type='not existing type',
revoked=False)
deleg_doc = get_delegation_doc_for(
controller_name=controller_name,
doc_id=deleg_doc_did,
public_base58=valid_issuer_key.public_key_base58)
resolver_client = ResolverClientTest(docs={deleg_doc_did: deleg_doc})
with pytest.raises(IdentityInvalidDocumentDelegationError) as wrapper:
DelegationValidation.validate_delegation(resolver_client,
doc_id=doc_did,
deleg_proof=deleg_proof)
assert "Invalid proof: invalid type" in str(wrapper.value)
def test_can_validate_allowed_for_auth_with_controller_doc(
allowed_issuer, allowed_issuer_doc):
controller_issuer_doc = allowed_issuer_doc
controller_issuer = Issuer.build(controller_issuer_doc.did, '#Plop')
a_doc_with_controller_allowed_for_auth = get_valid_document(
new_seed(), '#ASubject', controller=controller_issuer)
resolver_docs = {
controller_issuer.did:
controller_issuer_doc,
a_doc_with_controller_allowed_for_auth.did:
a_doc_with_controller_allowed_for_auth
}
resolver_client = ResolverClientTest(docs=resolver_docs)
assert is_validator_run_success(
IdentityAuthValidation.validate_allowed_for_auth,
resolver_client,
allowed_issuer,
subject_id=a_doc_with_controller_allowed_for_auth.did)
def get_docs_for_issuer_key_from_auth_delegation(
doc_did: str, deleg_doc_did: str,
issuer: Issuer) -> Dict[str, RegisterDocument]:
"""
The issuer is in the auth delegation of the provided doc
And the issuer is in the auth keys of the delegation doc
"""
doc = get_doc_with_keys(deleg_control=[
RegisterDelegationProof.build(issuer.name,
controller=Issuer(
'deleg_doc_did', '#plop'),
proof='proof',
revoked=False),
])
deleg_doc = get_doc_with_keys(public_keys=[
RegisterPublicKey.build(issuer.name, 'base58Key1', revoked=False)
])
return {doc_did: doc, deleg_doc_did: deleg_doc}
def validate_new_document_proof(doc: RegisterDocument):
"""
Validate register document proof.
:param doc: register document.
:raises:
IdentityInvalidDocumentError: if register document initial owner public key has been removed
IdentityInvalidDocumentError: if register document proof is invalid
"""
try:
key = RegisterDocumentHelper.get_owner_register_public_key(doc)
if not key:
raise IdentityInvalidDocumentError(
f'Invalid document \'{doc.did}\', no owner public key')
ProofValidation.validate_proof(
Proof(Issuer.build(doc.did, key.name), doc.did.encode('ascii'),
doc.proof), key.base58)
except IdentityInvalidProofError as err:
raise IdentityInvalidDocumentError(
f'Invalid document \'{doc.did}\' proof: {err}') from err
def test_validate_delegation_raises_validation_error_if_content_does_not_match_proof_type(
doc_did, deleg_doc_did, valid_issuer_key, valid_key_pair_secrets,
wrong_type, get_content):
controller_name = '#AController'
deleg_proof = get_delegation_register_proof(
subject_key_pair_secrets=valid_key_pair_secrets,
content=get_content(doc_did),
p_type=wrong_type,
subject_issuer=Issuer.build(deleg_doc_did, controller_name))
deleg_doc = get_delegation_doc_for(
controller_name=controller_name,
doc_id=deleg_doc_did,
public_base58=valid_issuer_key.public_key_base58)
resolver_client = ResolverClientTest(docs={deleg_doc_did: deleg_doc})
with pytest.raises(IdentityInvalidDocumentDelegationError) as err_wrapper:
DelegationValidation.validate_delegation(resolver_client,
doc_id=doc_did,
deleg_proof=deleg_proof)
assert isinstance(err_wrapper.value.__cause__, IdentityInvalidProofError)
def revoke_authentication_key_from_document(self, name: str, revoked: bool,
doc_owner_key_pair: KeyPair,
doc_owner_issuer: Issuer) -> Issuer:
"""
Set register authentication public key revoke field.
:param name: authentication public key name
:param revoked: is revoked
:param doc_owner_key_pair: register document owner key pair
:param doc_owner_issuer: register document owner issuer
:return: new key issuer
:raises:
IdentityValidationError: if invalid authentication public key name
IdentityRegisterDocumentKeyNotFoundError: if register authentication public key not found
IdentityInvalidDocumentError: if invalid register document
IdentityResolverError: if resolver error
"""
self._update_doc(doc_owner_key_pair, doc_owner_issuer, get_updated_doc=self.auth_key_api.revoke_doc_key,
key_name=name, revoked=revoked)
return Issuer.build(doc_owner_issuer.did, name)
def test_can_get_valid_issuer_for_auth(issuer_name,
register_doc_and_deleg_doc):
doc, deleg_doc = register_doc_and_deleg_doc
def get_ctrl_doc(did: str):
assert did.startswith(did)
return deleg_doc
all_keys = list(doc.public_keys) + list(doc.auth_keys) + list(
deleg_doc.public_keys) + list(deleg_doc.auth_keys)
assert issuer_name in all_keys
issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
doc, issuer_name, get_ctrl_doc)
assert issuer_key.issuer == Issuer.build(doc.did, issuer_name)
exp_base58 = doc.public_keys.get(issuer_name,
doc.auth_keys.get(issuer_name))
exp_base58 = exp_base58 or deleg_doc.public_keys.get(
issuer_name, deleg_doc.auth_keys.get(issuer_name))
assert exp_base58, f'test setup error, {issuer_name} should be in one of the docs public or auth keys'
assert issuer_key.public_key_base58 == exp_base58.base58
