async def delete_tails(request, ident):
"""
Delete tails files by corresponding rev reg ids: all, by rev reg id, by cred def id, or by issuer DID.
:param request: Sanic request structure
:param ident: 'all' for no filter; rev reg id, cred def id, or issuer DID to filter by any such identifier
:return: empty text string
"""
dir_tails = pjoin(dirname(dirname(abspath(__file__))), 'tails')
if ident == 'all': # delete everything: 'all' is not valid base58 so it can't be any case below
rmtree(dir_tails)
makedirs(dir_tails, exist_ok=True)
elif ok_rev_reg_id(ident): # it's a rev reg id
path_tails = Tails.linked(dir_tails, ident)
if path_tails and isfile(path_tails):
unlink(path_tails)
LOGGER.info('Deleted %s', path_tails)
path_link = pjoin(Tails.dir(dir_tails, ident), ident)
if path_link and islink(path_link):
unlink(path_link)
LOGGER.info('Deleted %s', path_link)
elif ok_cred_def_id(ident): # it's a cred def id (starts with issuer DID)
dir_cd_id = pjoin(dir_tails, ident)
if isdir(dir_cd_id):
rmtree(dir_cd_id)
LOGGER.info('Deleted %s', dir_cd_id)
elif exists(dir_cd_id): # non-dir is squatting on name reserved for dir: it's corrupt; remove it
unlink(dir_cd_id)
LOGGER.info('Deleted spurious non-directory %s', dir_cd_id)
elif ok_did(ident): # it's an issuer DID
dirs_cd_id = {dirname(link) for link in Tails.links(dir_tails, ident)}
for dir_cd_id in dirs_cd_id:
if ok_cred_def_id(basename(dir_cd_id)):
if isdir(dir_cd_id):
rmtree(dir_cd_id)
LOGGER.info('Deleted %s', dir_cd_id)
elif exists(dir_cd_id): # non-dir is squatting on name reserved for dir: it's corrupt; remove it
unlink(dir_cd_id)
LOGGER.info('Deleted spurious non-directory %s', dir_cd_id)
else:
LOGGER.error('Token %s must be rev reg id, cred def id, or issuer DID', ident)
raise InvalidUsage('Token {} must be rev reg id, cred def id, or issuer DID'.format(ident))
LOGGER.info('Fulfilled DELETE request deleting tails files on filter %s', ident)
return response.text('')
async def _set_cred_def(cd_id: str) -> None:
nonlocal cd_id2cred_def
if not ok_cred_def_id(cd_id):
LOGGER.debug('Verifier.verify_proof <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
if cd_id not in cd_id2cred_def:
cd_id2cred_def[cd_id] = json.loads(await self.get_cred_def(cd_id)) # add to cache en passant
async def list_tails(request, ident):
"""
List tails files by corresponding rev reg ids: all, by rev reg id, by cred def id, or by issuer DID.
:param request: Sanic request structure
:param ident: 'all' for no filter; rev reg id, cred def id, or issuer DID to filter by any such identifier
:return: JSON array of rev reg ids corresponding to tails files available
"""
rv = []
dir_tails = pjoin(dirname(dirname(abspath(__file__))), 'tails')
if ident == 'all': # list everything: 'all' is not valid base58 so it can't be any case below
rv = [basename(link) for link in Tails.links(dir_tails)]
elif ok_rev_reg_id(ident) and Tails.linked(dir_tails, ident): # it's a rev reg id
rv = [ident]
elif ok_cred_def_id(ident): # it's a cred def id (starts with issuer DID)
rv = [basename(link) for link in Tails.links(dir_tails, ident.split(':')[0])
if rev_reg_id2cred_def_id(basename(link)) == ident]
elif ok_did(ident): # it's an issuer DID
rv = [basename(link) for link in Tails.links(dir_tails, ident)]
else:
LOGGER.error("Token %s must be 'all', rev reg id, cred def id, or issuer DID", ident)
raise InvalidUsage("Token {} must be 'all', rev reg id, cred def id, or issuer DID".format(ident))
LOGGER.info('Fulfilling GET request listing tails files on filter %s', ident)
return response.json(rv)
def next_tag(base_dir: str, cd_id: str) -> (str, int):
"""
Return the next tag name available for a new rev reg id on input cred def id in base directory,
and suggested size of associated rev reg.
:param base_dir: base directory for tails files, thereafter split by cred def id
:param cd_id: credential definition identifier of interest
:return: stringified least non-negative integer not yet used in a rev reg id associated with a tails file
in base directory, and recommendation for next size to use
"""
LOGGER.debug('Tails.next_tag >>> base_dir: %s, cd_id: %s', base_dir,
cd_id)
if not ok_cred_def_id(cd_id):
LOGGER.debug('Tails.next_tag <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
# append [-1] first to max existing tags: next tag is '0' if no tags so far
tag = 1 + max([
int(rev_reg_id2tag(basename(f)))
for f in Tails.links(base_dir) if cd_id in basename(f)
] + [-1])
size = min(2**(tag + 6), Tails.MAX_SIZE)
rv = (tag, size)
LOGGER.debug('Tails.next_tag <<< %s', rv)
return rv
def current_rev_reg_id(base_dir: str, cd_id: str) -> str:
"""
Return the current revocation registry identifier for
input credential definition identifier, in input directory.
Raise AbsentTails if no corresponding tails file, signifying no such revocation registry defined.
:param base_dir: base directory for tails files, thereafter split by cred def id
:param cd_id: credential definition identifier of interest
:return: identifier for current revocation registry on input credential definition identifier
"""
LOGGER.debug('Tails.current_rev_reg_id >>> base_dir: %s, cd_id: %s',
base_dir, cd_id)
if not ok_cred_def_id(cd_id):
LOGGER.debug('Tails.current_rev_reg_id <!< Bad cred def id %s',
cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
tags = [
int(rev_reg_id2tag(basename(f))) for f in Tails.links(base_dir)
if cd_id in basename(f)
]
if not tags:
raise AbsentTails(
'No tails files present for cred def id {}'.format(cd_id))
rv = rev_reg_id(cd_id, str(max(tags))) # ensure 10 > 9, not '9' > '10'
LOGGER.debug('Tails.current_rev_reg_id <<< %s', rv)
return rv
async def list_tails(request: Request, ident: str) -> HTTPResponse:
"""
List tails files by corresponding rev reg ids: all, by rev reg id, by cred def id, or by issuer DID.
:param request: Sanic request structure
:param ident: 'all' for no filter; rev reg id, cred def id, or issuer DID to filter by any such identifier
:return: HTTP response with JSON array of rev reg ids corresponding to available tails files
"""
rv = []
dir_tails = join(dirname(dirname(realpath(__file__))), 'tails')
if ident == 'all': # list everything: 'all' is not valid base58 so it can't be any case below
rv = [basename(link) for link in Tails.links(dir_tails)]
elif ok_rev_reg_id(ident): # it's a rev reg id
if Tails.linked(dir_tails, ident):
rv = [ident]
elif ok_cred_def_id(ident): # it's a cred def id (starts with issuer DID)
rv = [basename(link) for link in Tails.links(dir_tails, ident.split(':')[0])
if rev_reg_id2cred_def_id(basename(link)) == ident]
elif ok_did(ident): # it's an issuer DID
rv = [basename(link) for link in Tails.links(dir_tails, ident)]
else:
LOGGER.error('Token %s is not a valid specifier for tails files', ident)
return response.text('Token {} is not a valid specifier for tails files'.format(ident), status=400)
LOGGER.info('Fulfilling GET request listing tails files on filter %s', ident)
return response.json(rv)
async def load_cache_for_verification(self, archive: bool = False) -> int:
"""
Load schema, cred def, revocation caches; optionally archive enough to go
offline and be able to verify proof on content marked of interest in configuration.
Return timestamp (epoch seconds) of cache load event, also used as subdirectory
for cache archives.
:param archive: True to archive now or False to demur (subclasses may still
need to augment archivable caches further)
:return: cache load event timestamp (epoch seconds)
"""
LOGGER.debug('Verifier.load_cache_for_verification >>> archive: %s',
archive)
rv = int(time())
for s_id in self.config.get('archive-verifier-caches-on-close',
{}).get('schema_id', {}):
if ok_schema_id(s_id):
with SCHEMA_CACHE.lock:
await self.get_schema(s_id)
else:
LOGGER.info('Not archiving schema for specified bad id %s',
s_id)
for cd_id in self.config.get('archive-verifier-caches-on-close',
{}).get('cred_def_id', {}):
if ok_cred_def_id(cd_id):
with CRED_DEF_CACHE.lock:
await self.get_cred_def(cd_id)
else:
LOGGER.info('Not archiving cred def for specified bad id %s',
cd_id)
for rr_id in self.config.get('archive-verifier-caches-on-close',
{}).get('rev_reg_id', {}):
if ok_rev_reg_id(rr_id):
await self.get_rev_reg_def(rr_id)
with REVO_CACHE.lock:
revo_cache_entry = REVO_CACHE.get(rr_id, None)
if revo_cache_entry:
try:
await revo_cache_entry.get_state_json(
self._build_rr_state_json, rv, rv)
except ClosedPool:
LOGGER.warning(
'Verifier %s is offline from pool %s, cannot update revo cache reg state for %s to %s',
self.name, self.pool.name, rr_id, rv)
except AbsentPool:
LOGGER.warning(
'Verifier %s has no pool, cannot update revo cache reg state for %s to %s',
self.name, rr_id, rv)
else:
LOGGER.info('Not archiving rev reg for specified bad id %s',
rr_id)
if archive:
ArchivableCaches.archive(self.dir_cache)
LOGGER.debug('Verifier.load_cache_for_verification <<< %s', rv)
return rv
async def get_box_ids_issued(self) -> str:
"""
Return json object on lists of all unique box identifiers (schema identifiers,
credential definition identifiers, and revocation registry identifiers) for
all credential definitions and credentials issued; e.g.,
::
{
"schema_id": [
"R17v42T4pk...:2:tombstone:1.2",
...
],
"cred_def_id": [
"R17v42T4pk...:3:CL:19:tag",
...
]
"rev_reg_id": [
"R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:0",
"R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:1",
...
]
}
An issuer must issue a credential definition to include its schema identifier
in the returned values; the schema identifier in isolation belongs properly
to an Origin, not necessarily to an Issuer.
The operation may be useful for a Verifier anchor going off-line to seed its
cache before doing so.
:return: tuple of sets for schema ids, cred def ids, rev reg ids
"""
LOGGER.debug('Issuer.get_box_ids_issued >>>')
cd_ids = [d for d in listdir(self._dir_tails)
if isdir(join(self._dir_tails, d)) and ok_cred_def_id(d, self.did)]
s_ids = []
for cd_id in cd_ids:
try:
s_ids.append(json.loads(await self.get_schema(cred_def_id2seq_no(cd_id)))['id'])
except AbsentSchema:
LOGGER.error(
'Issuer %s has issued cred def %s but no corresponding schema on ledger',
self.wallet.name,
cd_id)
rr_ids = [basename(link) for link in Tails.links(self._dir_tails, self.did)]
rv = json.dumps({
'schema_id': s_ids,
'cred_def_id': cd_ids,
'rev_reg_id': rr_ids
})
LOGGER.debug('Issuer.get_box_ids_issued <<< %s', rv)
return rv
async def get_cred_def(self, cd_id: str) -> str:
"""
Get credential definition from ledger by its identifier.
Raise AbsentCredDef for no such credential definition, logging any error condition and raising
BadLedgerTxn on bad request. Raise ClosedPool if cred def not in cache and pool is closed.
Retrieve the credential definition from the anchor's credential definition cache if it has it; cache it
en passant if it does not (and if there is a corresponding credential definition on the ledger).
:param cd_id: (credential definition) identifier string ('<issuer-did>:3:CL:<schema-seq-no>:<tag>')
:return: credential definition json as retrieved from ledger, empty production for no such cred def
"""
LOGGER.debug('_BaseAnchor.get_cred_def >>> cd_id: %s', cd_id)
if not ok_cred_def_id(cd_id):
LOGGER.debug('_BaseAnchor._get_cred_def <!< Bad cred def id %s',
cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
rv_json = json.dumps({})
with CRED_DEF_CACHE.lock:
if cd_id in CRED_DEF_CACHE:
LOGGER.info(
'_BaseAnchor.get_cred_def: got cred def for %s from cache',
cd_id)
rv_json = json.dumps(CRED_DEF_CACHE[cd_id])
LOGGER.debug('_BaseAnchor.get_cred_def <<< %s', rv_json)
return rv_json
req_json = await ledger.build_get_cred_def_request(self.did, cd_id)
resp_json = await self._submit(req_json)
resp = json.loads(resp_json)
if not ('result' in resp and resp['result'].get('data', None)):
LOGGER.debug(
'_BaseAnchor.get_cred_def: <!< no cred def exists on %s',
cd_id)
raise AbsentCredDef('No cred def exists on {}'.format(cd_id))
try:
(_,
rv_json) = await ledger.parse_get_cred_def_response(resp_json)
except IndyError: # ledger replied, but there is no such cred def
LOGGER.debug(
'_BaseAnchor.get_cred_def: <!< no cred def exists on %s',
cd_id)
raise AbsentCredDef('No cred def exists on {}'.format(cd_id))
CRED_DEF_CACHE[cd_id] = json.loads(rv_json)
LOGGER.info(
'_BaseAnchor.get_cred_def: got cred def %s from ledger', cd_id)
LOGGER.debug('_BaseAnchor.get_cred_def <<< %s', rv_json)
return rv_json
def __init__(self, base_dir: str, cd_id: str, tag: str = None):
"""
Initialize programmatic association between revocation registry identifier
(on credential definition on input identifier plus tag, default most recent),
and tails file, via symbolic link.
Raise AbsentTails if (rev reg id) symbolic link or (tails hash) tails file not present.
:param base_dir: base directory for tails files, thereafter split by cred def id
:param cd_id: credential definition identifier of interest
:param tag: revocation registry identifier tag of interest, default to most recent
"""
LOGGER.debug('Issuer.__init__ >>> base_dir: %s, cd_id: %s, tag: %s',
base_dir, cd_id, tag)
if not ok_cred_def_id(cd_id):
LOGGER.debug('Tails.__init__ <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
if tag is None:
self._rr_id = Tails.current_rev_reg_id(base_dir, cd_id)
else: # including tag == 0
self._rr_id = rev_reg_id(cd_id, tag)
if self._rr_id not in [basename(f) for f in Tails.links(base_dir)]:
LOGGER.debug(
'Tails.__init__ <!< No tails file present for cred def id %s on rev reg id tag %s',
cd_id, tag)
raise AbsentTails(
'No tails file present for cred def id {} on rev reg id tag {}'
.format(cd_id, tag))
path_link = join(Tails.dir(base_dir, self._rr_id), self._rr_id)
if not islink(path_link):
raise AbsentTails(
'No symbolic link present at {} for rev reg id {}'.format(
path_link, self._rr_id))
path_tails = Tails.linked(base_dir, self._rr_id)
if not isfile(path_tails):
raise AbsentTails(
'No tails file present at {} for rev reg id {}'.format(
path_tails, self._rr_id))
self._tails_config_json = json.dumps({
'base_dir': dirname(path_tails),
'uri_pattern': '',
'file': basename(path_tails)
})
self._reader_handle = None
LOGGER.debug('Tails.__init__ <<<')
def dflt_interval(self, cd_id: str) -> (int, int):
"""
Return default non-revocation interval from latest 'to' times on delta frames
of revocation cache entries on indices stemming from input cred def id.
Compute the 'from'/'to' values as the earliest/latest 'to' values of all
cached delta frames on all rev reg ids stemming from the input cred def id.
E.g., on frames for
rev-reg-0: -[xx]---[xxxx]-[x]---[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]--> time
rev-reg-1: ----------------------[xxxx]----[xxx]---[xxxxxxxxxxxxxxxxxxxx]---------> time
rev-reg-2: -------------------------------------------[xx]-----[xxxx]-----[xxxxx]-> time
rev-reg-3: -----------------------------------------------------------[xxxxxxxx]--> time
return the most recent interval covering all matching revocation registries in the cache; i.e.,:
interval: -------------------------------------------------------------[*******]-> time
Raise CacheIndex if there are no matching entries.
:param cd_id: cred def identifier to match
:return: default non-revocation interval as 2-tuple (fro, to)
"""
LOGGER.debug('RevocationCache.dflt_interval >>>')
if not ok_cred_def_id(cd_id):
LOGGER.debug(
'RevocationCache.dflt_interval <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
fro = None
to = None
for rr_id in self:
if cd_id != rev_reg_id2cred_def_id(rr_id):
continue
entry = self[rr_id]
if entry.rr_delta_frames:
to = max(entry.rr_delta_frames, key=lambda f: f.to).to
fro = min(fro or to, to)
if not (fro and to):
LOGGER.debug(
'RevocationCache.dflt_interval <!< No data for default non-revoc interval on cred def id %s',
cd_id)
raise CacheIndex(
'No data for default non-revoc interval on cred def id {}'.
format(cd_id))
rv = (fro, to)
LOGGER.debug('RevocationCache.dflt_interval <<< %s', rv)
return rv
async def test_box_ids():
print(Ink.YELLOW('\n\n== Testing Box Identifier Checks =='))
assert ok_did('Q4zqM7aXqm7gDQkUVLng9h') # quibble: not technically a box id
assert not ok_did('Q4zqM7aXqm7gDQkUVLng9I')
assert not ok_did('Q4zqM7aXqm7gDQkUVLng')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9h')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9h')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9hx')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng90')
assert ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:3:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h::bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2::1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0a')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9I:2:bc-reg:1.0') # I is not in base58
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag') # protocol >= 1.4
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:4:CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h::CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9I:3:CL:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3::18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18z:tag')
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18') # protocol == 1.3
assert ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1') # protocol >= 1.4
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:5:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:4:CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL::CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:NOT_CL:20:tag:CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20z:tag:CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20::CL_ACCUM:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag::1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:1')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:')
assert not ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM')
assert ok_rev_reg_id('LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1') # protocol == 1.3
async def test_box_ids():
print(Ink.YELLOW('\n\n== Testing Identifier Checks =='))
assert ok_wallet_reft('49ad0727-8663-45ae-a115-12b09860f9c6')
assert not ok_wallet_reft('Q4zqM7aXqm7gDQkUVLng9I')
assert not ok_wallet_reft('49ad0727-45ae-a115-12b09860f9c6')
assert ok_did(
'Q4zqM7aXqm7gDQkUVLng9h') # quibble: not technically a box id
assert not ok_did('Q4zqM7aXqm7gDQkUVLng9I')
assert not ok_did('Q4zqM7aXqm7gDQkUVLng')
for value in (None, 'TRUSTEE', 'STEWARD', 'TRUST_ANCHOR', ''):
assert ok_role(value)
for value in (123, 'TRUSTY', 'STEW', 'ANCHOR', ' '):
assert not ok_role(value)
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9h')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9h')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9hx')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng90')
assert ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:3:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h::bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2::1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0a')
assert not ok_schema_id(
'Q4zqM7aXqm7gDQkUVLng9I:2:bc-reg:1.0') # I is not in base58
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag') # protocol >= 1.4
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:4:CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h::CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9I:3:CL:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3::18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18z:tag')
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18') # protocol == 1.3
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
) # protocol >= 1.4
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:5:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:4:CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL::CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:NOT_CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20z:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20::CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag::1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1'
) # protocol == 1.3
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert ok_endpoint('10.0.0.2:9702')
assert ok_endpoint('0.0.0.0:0')
assert not ok_endpoint('canada.gc.ca:8088')
assert not ok_endpoint(':37')
assert not ok_endpoint('http://url-wrong')
assert not ok_endpoint('2.3.4.5')
assert not ok_endpoint('2.3.4:8080')
assert not ok_endpoint('1.2.3.4:abc')
assert not ok_endpoint('1.2.3.4:1234.56')
async def create_cred(self,
cred_offer_json,
cred_req_json: str,
cred_attrs: dict,
rr_size: int = None) -> (str, str):
"""
Create credential as Issuer out of credential request and dict of key:value (raw, unencoded)
entries for attributes.
Return credential json, and if cred def supports revocation, credential revocation identifier.
Raise WalletState for closed wallet.
If the credential definition supports revocation, and the current revocation registry is full,
the processing creates a new revocation registry en passant. Depending on the revocation
registry size (by default starting at 64 and doubling iteratively through a maximum of 100000)
and the revocation registry builder posture (see RevRegBuilder.__init__()), this operation may
delay credential creation by several seconds. The use of an external revocation registry builder
runs a parallel process, skirting this delay, but is more costly at initialization.
:param cred_offer_json: credential offer json as created by Issuer
:param cred_req_json: credential request json as created by HolderProver
:param cred_attrs: dict mapping each attribute to its original value (the operation encodes it); e.g.,
::
{
'favourite_drink': 'martini',
'height': 180,
'last_visit_date': '2017-12-31',
'weaknesses': None
}
:param rr_size: size of new revocation registry (default as per RevRegBuilder.create_rev_reg()) if necessary
:return: tuple with newly issued credential json, credential revocation identifier (if cred def
supports revocation, None otherwise).
"""
LOGGER.debug(
'Issuer.create_cred >>> cred_offer_json: %s, cred_req_json: %s, cred_attrs: %s, rr_size: %s',
cred_offer_json, cred_req_json, cred_attrs, rr_size)
if not self.wallet.handle:
LOGGER.debug('Issuer.create_cred <!< Wallet %s is closed',
self.name)
raise WalletState('Wallet {} is closed'.format(self.name))
cd_id = json.loads(cred_offer_json)['cred_def_id']
if not ok_cred_def_id(cd_id):
LOGGER.debug('Issuer.create_cred <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
cred_def = json.loads(
await self.get_cred_def(cd_id)) # ensure cred def is in cache
if 'revocation' in cred_def['value']:
with REVO_CACHE.lock:
rr_id = Tails.current_rev_reg_id(self.dir_tails, cd_id)
tails = REVO_CACHE[rr_id].tails
assert tails # at (re)start, at cred def, Issuer sync_revoc_for_issue() sets this index in revo cache
try:
(
cred_json, cred_revoc_id, _
) = await anoncreds.issuer_create_credential( # issue by default to rr
self.wallet.handle, cred_offer_json, cred_req_json,
json.dumps({
k: cred_attr_value(cred_attrs[k])
for k in cred_attrs
}), rr_id, tails.reader_handle)
rv = (cred_json, cred_revoc_id)
except IndyError as x_indy:
if x_indy.error_code == ErrorCode.AnoncredsRevocationRegistryFullError:
(tag, rr_size_suggested) = Tails.next_tag(
self.dir_tails, cd_id)
rr_id = rev_reg_id(cd_id, tag)
if self.rrbx:
await self._set_rev_reg(rr_id, rr_size)
else:
await self.rrb.create_rev_reg(
rr_id, rr_size or rr_size_suggested)
await self._send_rev_reg_def(rr_id)
REVO_CACHE[rr_id].tails = await Tails(
self.dir_tails, cd_id).open() # symlink OK now
return await self.create_cred(cred_offer_json,
cred_req_json,
cred_attrs)
LOGGER.debug(
'Issuer.create_cred <!< cannot create cred, indy error code %s',
x_indy.error_code)
raise
else:
try:
(cred_json, _, _) = await anoncreds.issuer_create_credential(
self.wallet.handle, cred_offer_json, cred_req_json,
json.dumps({
k: cred_attr_value(cred_attrs[k])
for k in cred_attrs
}), None, None)
rv = (cred_json, None)
except IndyError as x_indy:
LOGGER.debug(
'Issuer.create_cred <!< cannot create cred, indy error code %s',
x_indy.error_code)
raise
LOGGER.debug('Issuer.create_cred <<< %s', rv)
return rv
async def create_cred(self,
cred_offer_json,
cred_req_json: str,
cred_attrs: dict,
rr_size: int = None) -> (str, str, int):
"""
Create credential as Issuer out of credential request and dict of key:value (raw, unencoded)
entries for attributes.
Return credential json, and if cred def supports revocation, credential revocation identifier
and revocation registry delta ledger timestamp (epoch seconds).
If the credential definition supports revocation, and the current revocation registry is full,
the processing creates a new revocation registry en passant. Depending on the revocation
registry size (by default starting at 256 and doubling iteratively through 4096), this
operation may delay credential creation by several seconds.
:param cred_offer_json: credential offer json as created by Issuer
:param cred_req_json: credential request json as created by HolderProver
:param cred_attrs: dict mapping each attribute to its raw value (the operation encodes it); e.g.,
::
{
'favourite_drink': 'martini',
'height': 180,
'last_visit_date': '2017-12-31',
'weaknesses': None
}
:param rr_size: size of new revocation registry (default as per _create_rev_reg()) if necessary
:return: newly issued credential json; credential revocation identifier (if cred def supports
revocation, None otherwise), and ledger timestamp (if cred def supports revocation, None otherwise)
"""
LOGGER.debug(
'Issuer.create_cred >>> cred_offer_json: %s, cred_req_json: %s, cred_attrs: %s, rr_size: %s',
cred_offer_json, cred_req_json, cred_attrs, rr_size)
cd_id = json.loads(cred_offer_json)['cred_def_id']
if not ok_cred_def_id(cd_id):
LOGGER.debug('Issuer.create_cred <!< Bad cred def id %s', cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
cred_def = json.loads(
await self.get_cred_def(cd_id)) # ensure cred def is in cache
if 'revocation' in cred_def['value']:
with REVO_CACHE.lock:
rr_id = Tails.current_rev_reg_id(self._dir_tails, cd_id)
tails = REVO_CACHE[rr_id].tails
assert tails # at (re)start, at cred def, Issuer sync_revoc() sets this index in revocation cache
try:
(cred_json, cred_revoc_id,
rr_delta_json) = await anoncreds.issuer_create_credential(
self.wallet.handle, cred_offer_json, cred_req_json,
json.dumps({
k: cred_attr_value(cred_attrs[k])
for k in cred_attrs
}), rr_id, tails.reader_handle)
# do not create rr delta frame and append to cached delta frames list: timestamp could lag or skew
rre_req_json = await ledger.build_revoc_reg_entry_request(
self.did, rr_id, 'CL_ACCUM', rr_delta_json)
await self._sign_submit(rre_req_json)
assert rr_id == tails.rr_id
resp_json = await self._sign_submit(rre_req_json)
resp = json.loads(resp_json)
rv = (cred_json, cred_revoc_id,
self.pool.protocol.txn2epoch(resp))
except IndyError as x_indy:
if x_indy.error_code == ErrorCode.AnoncredsRevocationRegistryFullError:
(tag, rr_size_suggested) = Tails.next_tag(
self._dir_tails, cd_id)
rr_id = rev_reg_id(cd_id, tag)
await self._create_rev_reg(
rr_id, rr_size or rr_size_suggested)
REVO_CACHE[rr_id].tails = await Tails(
self._dir_tails, cd_id).open()
return await self.create_cred(cred_offer_json,
cred_req_json, cred_attrs
) # should be ok now
LOGGER.debug(
'Issuer.create_cred: <!< cannot create cred, indy error code %s',
x_indy.error_code)
raise
else:
try:
(cred_json, _, _) = await anoncreds.issuer_create_credential(
self.wallet.handle, cred_offer_json, cred_req_json,
json.dumps({
k: cred_attr_value(cred_attrs[k])
for k in cred_attrs
}), None, None)
rv = (cred_json, _, _)
except IndyError as x_indy:
LOGGER.debug(
'Issuer.create_cred: <!< cannot create cred, indy error code %s',
x_indy.error_code)
raise
LOGGER.debug('Issuer.create_cred <<< %s', rv)
return rv
async def test_ids():
print(Ink.YELLOW('\n\n== Testing Identifier Checks =='))
assert ok_wallet_reft('49ad0727-8663-45ae-a115-12b09860f9c6')
assert not ok_wallet_reft('Q4zqM7aXqm7gDQkUVLng9I')
assert not ok_wallet_reft('49ad0727-45ae-a115-12b09860f9c6')
print('\n\n== 1 == Wallet referent identifier checks pass OK')
assert ok_did('Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_did('Q4zqM7aXqm7gDQkUVLng9I') # 'I' not a base58 char
assert not ok_did('Q4zqM7aXqm7gDQkUVLng') # too short
print('\n\n== 2 == Distributed identifier checks pass OK')
for value in (None, 'TRUSTEE', 'STEWARD', 'TRUST_ANCHOR', ''):
assert ok_role(value)
for value in (123, 'TRUSTY', 'STEW', 'ANCHOR', ' '):
assert not ok_role(value)
print('\n\n== 3 == Role identifier checks pass OK')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9h')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9h')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9hx')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng90')
print('\n\n== 4 == Tails hash identifier checks pass OK')
assert ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:3:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h::bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2::1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0a')
assert not ok_schema_id(
'Q4zqM7aXqm7gDQkUVLng9I:2:bc-reg:1.0') # I is not in base58
print('\n\n== 5 == Schema identifier checks pass OK')
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag') # protocol >= 1.4
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag'
) # long form
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Q4zqM7aXqm7gDQkUVLng9h') # issuer-did
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:Q999999999999999999999:2:schema_name:1.0:tag',
'Q4zqM7aXqm7gDQkUVLng9h') # long form, issuer-did
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag',
'Xxxxxxxxxxxxxxxxxxxxxx') # long form, issuer-did
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag'
) # long form
assert not ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:Q4zqM7aXqm7gDQkUVLng9h:schema_name:1.0:tag'
) # no :2:
assert not ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:QIIIIIIIII7gDQkUVLng9h:schema_name:1.0:tag'
) # I not base58
assert not ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:QIIIIIIIII7gDQkUVLng9h:schema_name:v1.0:tag'
) # bad version
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:4:CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h::CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9I:3:CL:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3::18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18z:tag')
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18') # protocol == 1.3
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert ok_cred_def_id(
rev_reg_id2cred_def_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag:CL_ACCUM:1'
))
print('\n\n== 6 == Credential definition identifier checks pass OK')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
) # protocol >= 1.4
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert ok_rev_reg_id( # long form
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag:CL_ACCUM:1'
)
assert ok_rev_reg_id( # long form
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:Q4zqM7aXqm7gDQkUVLng9h:2:schema_name:1.0:tag:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:5:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:4:CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL::CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:NOT_CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20z:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20::CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag::1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1'
) # protocol == 1.3
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
print('\n\n== 7 == Revocation registry identifier checks pass OK')
async def delete_tails(request: Request, ident: str, epoch: int) -> HTTPResponse:
"""
Delete tails files by corresponding rev reg ids: all, by rev reg id, by cred def id, or by issuer DID.
:param request: Sanic request structure
:param ident: 'all' for no filter; rev reg id, cred def id, or issuer DID to filter by any such identifier
:param epoch: current EPOCH time, must be within 5 minutes of current server time
:return: empty text response
"""
if not await is_current(int(epoch)):
LOGGER.error('DELETE epoch %s in too far from current server time', epoch)
return response.text('DELETE epoch {} is too far from current server time'.format(epoch), status=400)
signature = request.body
plain = '{}||{}'.format(epoch, ident)
tsan = await MEM_CACHE.get('tsan')
if not tsan.verify(plain, signature, tsan.did):
LOGGER.error('DELETE signature failed to verify')
return response.text('DELETE signature failed to verify', status=400)
dir_tails = join(dirname(dirname(realpath(__file__))), 'tails')
if ident == 'all': # delete everything -- note that 'all' is not valid base58 so no case below can apply
if isdir(dir_tails):
rmtree(dir_tails)
makedirs(dir_tails, exist_ok=True)
elif ok_rev_reg_id(ident): # it's a rev reg id
path_tails = Tails.linked(dir_tails, ident)
if path_tails and isfile(path_tails):
unlink(path_tails)
LOGGER.info('Deleted %s', path_tails)
path_link = join(Tails.dir(dir_tails, ident), ident)
if path_link and islink(path_link):
unlink(path_link)
LOGGER.info('Deleted %s', path_link)
elif ok_cred_def_id(ident): # it's a cred def id (starts with issuer DID)
dir_cd_id = join(dir_tails, ident)
if isdir(dir_cd_id):
rmtree(dir_cd_id)
LOGGER.info('Deleted %s', dir_cd_id)
elif exists(dir_cd_id): # non-dir is squatting on name reserved for dir: it's corrupt; remove it
unlink(dir_cd_id)
LOGGER.info('Deleted spurious non-directory %s', dir_cd_id)
elif ok_did(ident): # it's an issuer DID
dirs_cd_id = {dirname(link) for link in Tails.links(dir_tails, ident)}
for dir_cd_id in dirs_cd_id:
if ok_cred_def_id(basename(dir_cd_id)):
if isdir(dir_cd_id):
rmtree(dir_cd_id)
LOGGER.info('Deleted %s', dir_cd_id)
elif exists(dir_cd_id): # non-dir is squatting on name reserved for dir: it's corrupt; remove it
unlink(dir_cd_id)
LOGGER.info('Deleted spurious non-directory %s', dir_cd_id)
else:
LOGGER.error('Token %s is not a valid specifier for tails files', ident)
return response.text('Token {} is not a valid specifier for tails files'.format(ident), status=400)
LOGGER.info('Fulfilled DELETE request deleting tails files on filter %s', ident)
return response.text('')
async def build_proof_req_json(self, cd_id2spec: dict) -> str:
"""
Build and return indy-sdk proof request for input attributes and non-revocation intervals by cred def id.
:param cd_id2spec: dict mapping cred def ids to:
- (optionally) 'attrs': lists of names of attributes of interest (omit for all, empty list or None for none)
- (optionally) '>=': (pred) inclusive int lower-bounds of interest (omit, empty list, or None for none)
- (optionally) '>': (pred) exclusive int lower-bounds of interest (omit, empty list, or None for none)
- (optionally) '<=': (pred) inclusive int upper-bounds of interest (omit, empty list, or None for none)
- (optionally) '<': (pred) exclusive int upper-bounds of interest (omit, empty list, or None for none)
- (optionally), 'interval': either
- (2-tuple) pair of epoch second counts marking 'from' and 'to' timestamps, or
- | single epoch second count to set 'from' and 'to' the same; default
| (now, now) for cred defs supporting revocation or None otherwise; e.g.,
::
{
'Vx4E82R17q...:3:CL:16:tag': {
'attrs': [ # request attrs 'name' and 'favouriteDrink' from this cred def's schema
'name',
'favouriteDrink'
],
'>=': { # request predicate score>=80 from this cred def
'score': 80
}
'<=': { # request ranking <=10 from this cred def
'ranking': 10
}
'interval': 1528116008 # same instant for all attrs and preds of corresponding schema
},
'R17v42T4pk...:3:CL:19:tag': None, # request all attrs, no preds, default intervals on all attrs
'e3vc5K168n...:3:CL:23:tag': {}, # request all attrs, no preds, default intervals on all attrs
'Z9ccax812j...:3:CL:27:tag': { # request all attrs, no preds, this interval on all attrs
'interval': (1528112408, 1528116008)
},
'9cHbp54C8n...:3:CL:37:tag': { # request no attrs and some predicates; specify interval
'attrs': [], # or equivalently, 'attrs': None
'>=': {
'employees': '50' # nicety: implementation converts to int for caller
},
'>=': {
'revenue': '10000000' # nicety: implementation converts to int for caller
'ebidta': 0
}
'interval': (1528029608, 1528116008)
},
'6caBcmLi33...:3:CL:41:tag': { # all attrs, one pred, default intervals to now on attrs & pred
'>': {
'regEpoch': 1514782800
}
},
...
}
:return: indy-sdk proof request json
"""
LOGGER.debug('Verifier.build_proof_req_json >>> cd_id2spec: %s',
cd_id2spec)
cd_id2schema = {}
now = int(time())
rv = {
'nonce': str(int(time())),
'name': 'proof_req',
'version': '0.0',
'requested_attributes': {},
'requested_predicates': {}
}
for cd_id in cd_id2spec:
if not ok_cred_def_id(cd_id):
LOGGER.debug(
'Verifier.build_proof_req_json <!< Bad cred def id %s',
cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
interval = None
cred_def = json.loads(await self.get_cred_def(cd_id))
seq_no = cred_def_id2seq_no(cd_id)
cd_id2schema[cd_id] = json.loads(await self.get_schema(seq_no))
if 'revocation' in cred_def['value']:
fro_to = cd_id2spec[cd_id].get(
'interval',
(now, now)) if cd_id2spec[cd_id] else (now, now)
interval = {
'from': fro_to if isinstance(fro_to, int) else min(fro_to),
'to': fro_to if isinstance(fro_to, int) else max(fro_to)
}
for attr in (cd_id2spec[cd_id].get(
'attrs', cd_id2schema[cd_id]['attrNames']) or []
if cd_id2spec[cd_id] else
cd_id2schema[cd_id]['attrNames']):
attr_uuid = '{}_{}_uuid'.format(seq_no, canon(attr))
rv['requested_attributes'][attr_uuid] = {
'name': attr,
'restrictions': [{
'cred_def_id': cd_id
}]
}
if interval:
rv['requested_attributes'][attr_uuid][
'non_revoked'] = interval
for pred in Predicate:
for attr in (cd_id2spec[cd_id].get(pred.value.math, {}) or {}
if cd_id2spec[cd_id] else {}):
pred_uuid = '{}_{}_{}_uuid'.format(seq_no, canon(attr),
pred.value.fortran)
try:
rv['requested_predicates'][pred_uuid] = {
'name':
attr,
'p_type':
pred.value.math,
'p_value':
Predicate.to_int(
cd_id2spec[cd_id][pred.value.math][attr]),
'restrictions': [{
'cred_def_id': cd_id
}]
}
except ValueError:
LOGGER.info(
'cannot build %s predicate on non-int bound %s for %s',
pred.value.fortran,
cd_id2spec[cd_id][pred.value.math][attr], attr)
continue # int conversion failed - reject candidate
if interval:
rv['requested_predicates'][pred_uuid][
'non_revoked'] = interval
LOGGER.debug('Verifier.build_proof_req_json <<< %s', json.dumps(rv))
return json.dumps(rv)
def parse(base_dir: str, timestamp: int = None) -> int:
"""
Parse and update from archived cache files. Only accept new content;
do not overwrite any existing cache content.
:param base_dir: archive base directory
:param timestamp: epoch time of cache serving as subdirectory, default most recent
:return: epoch time of cache serving as subdirectory, None if there is no such archive.
"""
LOGGER.debug('parse >>> base_dir: %s, timestamp: %s', base_dir,
timestamp)
if not isdir(base_dir):
LOGGER.info('No cache archives available: not feeding cache')
LOGGER.debug('parse <<< None')
return None
if not timestamp:
timestamps = [int(t) for t in listdir(base_dir) if t.isdigit()]
if timestamps:
timestamp = max(timestamps)
else:
LOGGER.info('No cache archives available: not feeding cache')
LOGGER.debug('parse <<< None')
return None
timestamp_dir = join(base_dir, str(timestamp))
if not isdir(timestamp_dir):
LOGGER.error('No such archived cache directory: %s', timestamp_dir)
LOGGER.debug('parse <<< None')
return None
with SCHEMA_CACHE.lock:
with open(join(timestamp_dir, 'schema'), 'r') as archive:
schemata = json.loads(archive.read())
SCHEMA_CACHE.feed(schemata)
with CRED_DEF_CACHE.lock:
with open(join(timestamp_dir, 'cred_def'), 'r') as archive:
cred_defs = json.loads(archive.read())
for cd_id in cred_defs:
if not ok_cred_def_id(cd_id):
LOGGER.warning(
'Abstaining feeding cache cred def on bad id %s',
cd_id)
elif cd_id in CRED_DEF_CACHE:
LOGGER.warning(
'Cred def cache already has cred def on %s: skipping',
cd_id)
else:
CRED_DEF_CACHE[cd_id] = cred_defs[cd_id]
LOGGER.info(
'Cred def cache imported cred def for cred def id %s',
cd_id)
with REVO_CACHE.lock:
with open(join(timestamp_dir, 'revocation'), 'r') as archive:
rr_cache_entries = json.loads(archive.read())
for (rr_id, entry) in rr_cache_entries.items():
if not ok_rev_reg_id(rr_id):
LOGGER.warning(
'Abstaining from feeding revocation cache rev reg on bad id %s',
rr_id)
elif rr_id in REVO_CACHE:
LOGGER.warning(
'Revocation cache already has entry on %s: skipping',
rr_id)
else:
rr_cache_entry = RevoCacheEntry(entry['rev_reg_def'])
rr_cache_entry.rr_delta_frames = [
RevRegUpdateFrame(f['_to'], f['_timestamp'],
f['_rr_update'])
for f in entry['rr_delta_frames']
]
rr_cache_entry.cull(True)
rr_cache_entry.rr_state_frames = [
RevRegUpdateFrame(f['_to'], f['_timestamp'],
f['_rr_update'])
for f in entry['rr_state_frames']
]
rr_cache_entry.cull(False)
REVO_CACHE[rr_id] = rr_cache_entry
LOGGER.info(
'Revocation cache imported entry for rev reg id %s',
rr_id)
LOGGER.debug('parse <<< %s', timestamp)
return timestamp
async def verify_proof(self, proof_req: dict, proof: dict) -> str:
"""
Verify proof as Verifier. Raise AbsentRevReg if a proof cites a revocation registry
that does not exist on the distributed ledger.
:param proof_req: proof request as Verifier creates, as per proof_req_json above
:param proof: proof as HolderProver creates
:return: json encoded True if proof is valid; False if not
"""
LOGGER.debug('Verifier.verify_proof >>> proof_req: %s, proof: %s',
proof_req, proof)
s_id2schema = {}
cd_id2cred_def = {}
rr_id2rr_def = {}
rr_id2rr = {}
proof_ids = proof['identifiers']
for proof_id in proof_ids:
# schema
s_id = proof_id['schema_id']
if not ok_schema_id(s_id):
LOGGER.debug('Verifier.verify_proof: <!< Bad schema id %s',
s_id)
raise BadIdentifier('Bad schema id {}'.format(s_id))
if s_id not in s_id2schema:
schema = json.loads(
await self.get_schema(s_id)) # add to cache en passant
if not schema:
LOGGER.debug(
'Verifier.verify_proof: <!< absent schema %s, proof req may be for another ledger',
s_id)
raise AbsentSchema(
'Absent schema {}, proof req may be for another ledger'
.format(s_id))
s_id2schema[s_id] = schema
# cred def
cd_id = proof_id['cred_def_id']
if not ok_cred_def_id(cd_id):
LOGGER.debug('Verifier.verify_proof: <!< Bad cred def id %s',
cd_id)
raise BadIdentifier('Bad cred def id {}'.format(cd_id))
if cd_id not in cd_id2cred_def:
cred_def = json.loads(
await self.get_cred_def(cd_id)) # add to cache en passant
cd_id2cred_def[cd_id] = cred_def
# rev reg def
rr_id = proof_id['rev_reg_id']
if not rr_id:
continue
if not ok_rev_reg_id(rr_id):
LOGGER.debug('Verifier.verify_proof: <!< Bad rev reg id %s',
rr_id)
raise BadIdentifier('Bad rev reg id {}'.format(rr_id))
rr_def_json = await self._get_rev_reg_def(rr_id)
rr_id2rr_def[rr_id] = json.loads(rr_def_json)
# timestamp
timestamp = proof_id['timestamp']
with REVO_CACHE.lock:
revo_cache_entry = REVO_CACHE.get(rr_id, None)
(rr_json, _) = await revo_cache_entry.get_state_json(
self._build_rr_state_json, timestamp, timestamp)
if rr_id not in rr_id2rr:
rr_id2rr[rr_id] = {}
rr_id2rr[rr_id][timestamp] = json.loads(rr_json)
rv = json.dumps(await anoncreds.verifier_verify_proof(
json.dumps(proof_req), json.dumps(proof), json.dumps(s_id2schema),
json.dumps(cd_id2cred_def), json.dumps(rr_id2rr_def),
json.dumps(rr_id2rr)))
LOGGER.debug('Verifier.verify_proof <<< %s', rv)
return rv
async def test_ids():
print(Ink.YELLOW('\n\n== Testing Identifier Checks =='))
assert ok_wallet_reft('49ad0727-8663-45ae-a115-12b09860f9c6')
assert not ok_wallet_reft('Q4zqM7aXqm7gDQkUVLng9I')
assert not ok_wallet_reft('49ad0727-45ae-a115-12b09860f9c6')
print('\n\n== 1 == Wallet referent identifier checks pass OK')
assert ok_did('Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_did('Q4zqM7aXqm7gDQkUVLng9I') # 'I' not a base58 char
assert not ok_did('Q4zqM7aXqm7gDQkUVLng') # too short
print('\n\n== 2 == Distributed identifier checks pass OK')
for value in (None, 'TRUSTEE', 'STEWARD', 'TRUST_ANCHOR', ''):
assert ok_role(value)
for value in (123, 'TRUSTY', 'STEW', 'ANCHOR', ' '):
assert not ok_role(value)
print('\n\n== 3 == Role identifier checks pass OK')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9h')
assert Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9h')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng9hx')
assert not Tails.ok_hash('Q4zqM7aXqm7gDQkUVLng9hQ4zqM7aXqm7gDQkUVLng90')
print('\n\n== 4 == Tails hash identifier checks pass OK')
assert ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:3:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h::bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:bc-reg:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2::1.0')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:')
assert not ok_schema_id('Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0a')
assert not ok_schema_id(
'Q4zqM7aXqm7gDQkUVLng9I:2:bc-reg:1.0') # I is not in base58
print('\n\n== 5 == Schema identifier checks pass OK')
assert ok_cred_def_id(
'Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag') # protocol >= 1.4
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18:tag',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:4:CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h::CL:18:0')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9I:3:CL:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3::18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:18:tag')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18z:tag')
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18') # protocol == 1.3
assert ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Q4zqM7aXqm7gDQkUVLng9h')
assert not ok_cred_def_id('Q4zqM7aXqm7gDQkUVLng9h:3:CL:18',
'Xxxxxxxxxxxxxxxxxxxxxx')
print('\n\n== 6 == Credential definition identifier checks pass OK')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
) # protocol >= 1.4
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:5:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:4:CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL::CL:20:0:CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:NOT_CL:20:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20z:tag:CL_ACCUM:1'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20::CL_ACCUM:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag::1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:1')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM:'
)
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:tag:CL_ACCUM')
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1'
) # protocol == 1.3
assert ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'LjgpST2rjsoxYegQDRm7EL')
assert not ok_rev_reg_id(
'LjgpST2rjsoxYegQDRm7EL:4:LjgpST2rjsoxYegQDRm7EL:3:CL:20:CL_ACCUM:1',
'Xxxxxxxxxxxxxxxxxxxxxx')
print('\n\n== 7 == Revocation registry identifier checks pass OK')
assert ok_endpoint('10.0.0.2:9702')
assert ok_endpoint('0.0.0.0:0')
assert not ok_endpoint('canada.gc.ca:8088')
assert not ok_endpoint(':37')
assert not ok_endpoint('http://url-wrong')
assert not ok_endpoint('2.3.4.5')
assert not ok_endpoint('2.3.4:8080')
assert not ok_endpoint('1.2.3.4:abc')
assert not ok_endpoint('1.2.3.4:1234.56')
print('\n\n== 8 == Endpoint checks pass OK')
