Basic Implementation of Policy Constraints

Signed-off-by: Felix Hoops <9974641+jfelixh@users.noreply.github.com>
GAIA-X4PLC-AAD · Mar 15, 2024 · 286af54 · 286af54
1 parent 989d8ef
commit 286af54
Show file tree

Hide file tree

Showing 15 changed files with 356 additions and 129 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
 # vscode settings
-.vscode
+.vscode
+
+.DS_Store
diff --git a/test_client.sh b/test_client.sh
diff --git a/vclogin/__tests__/evaluateLoginPolicy.test.js b/vclogin/__tests__/evaluateLoginPolicy.test.js
@@ -3,17 +3,16 @@
  * SPDX-License-Identifier: MIT
  */
 
-import {
-  isTrustedPresentation,
-  exportedForTesting,
-} from "@/lib/evaluateLoginPolicy";
+import { isTrustedPresentation } from "@/lib/extractClaims";
 import vpEmployee from "@/testdata/presentations/VP_EmployeeCredential.json";
 import vpEmail from "@/testdata/presentations/VP_EmailPass.json";
 import vpTezos from "@/testdata/presentations/VP_TezosAssociatedAddress.json";
 import policyAcceptAnything from "@/testdata/policies/acceptAnything.json";
 import policyEmployeeFromAnyone from "@/testdata/policies/acceptEmployeeFromAnyone.json";
 import policyEmailFromAltme from "@/testdata/policies/acceptEmailFromAltme.json";
 import policyFromAltme from "@/testdata/policies/acceptFromAltme.json";
+import policyEmailFromAltmeConstr from "@/testdata/policies/acceptEmailFromAltmeConstr.json";
+import policyEmployeeFromAnyoneConstr from "@/testdata/policies/acceptEmployeeFromAnyoneConstr.json";
 
 describe("evaluateLoginPolicy", () => {
   it("defaults to false if no policy is available", () => {
@@ -54,34 +53,25 @@ describe("evaluateLoginPolicy", () => {
     trusted = isTrustedPresentation(vpEmployee, policyFromAltme);
     expect(trusted).toBe(false);
   });
-});
-
-describe("utility function for VP policy validation", () => {
-  let hasUniquePath = exportedForTesting.hasUniquePath;
 
-  it("should return true when there is a unique path", () => {
-    const patternFits = [
-      ["A", "B"],
-      ["C", "D"],
-      ["E", "F"],
-    ];
-    const usedCreds = ["A", "C", "E"];
-    expect(hasUniquePath(patternFits, usedCreds)).toBe(true);
-  });
-
-  it("should return false when there is no unique path", () => {
-    const patternFits = [
-      ["A", "B"],
-      ["C", "D"],
-      ["E", "F"],
-    ];
-    const usedCreds = ["A", "C", "E", "B"];
-    expect(hasUniquePath(patternFits, usedCreds)).toBe(false);
+  it("accepts only VP with credential(s) with simple constraint", () => {
+    var trusted = isTrustedPresentation(vpEmail, policyEmailFromAltmeConstr);
+    expect(trusted).toBe(true);
+    trusted = isTrustedPresentation(vpEmployee, policyEmailFromAltmeConstr);
+    expect(trusted).toBe(false);
+    trusted = isTrustedPresentation(vpTezos, policyEmailFromAltmeConstr);
+    expect(trusted).toBe(false);
   });
 
-  it("should return false when the patternFits array has only one subarray with no elements", () => {
-    const patternFits = [[]];
-    const usedCreds = [];
-    expect(hasUniquePath(patternFits, usedCreds)).toBe(false);
+  it("accepts only VP with credential(s) with complicated constraint", () => {
+    var trusted = isTrustedPresentation(
+      vpEmployee,
+      policyEmployeeFromAnyoneConstr,
+    );
+    expect(trusted).toBe(true);
+    trusted = isTrustedPresentation(vpEmail, policyEmployeeFromAnyoneConstr);
+    expect(trusted).toBe(false);
+    trusted = isTrustedPresentation(vpTezos, policyEmployeeFromAnyoneConstr);
+    expect(trusted).toBe(false);
   });
 });
diff --git a/vclogin/__tests__/extractClaims.test.js b/vclogin/__tests__/extractClaims.test.js
@@ -8,6 +8,7 @@ import vpEmployee from "@/testdata/presentations/VP_EmployeeCredential.json";
 import vpEmail from "@/testdata/presentations/VP_EmailPass.json";
 import policyAcceptAnything from "@/testdata/policies/acceptAnything.json";
 import policyEmailFromAltme from "@/testdata/policies/acceptEmailFromAltme.json";
+import policyEmailFromAltmeConstr from "@/testdata/policies/acceptEmailFromAltmeConstr.json";
 import policyEmployeeFromAnyone from "@/testdata/policies/acceptEmployeeFromAnyone.json";
 
 describe("extractClaims", () => {
@@ -47,6 +48,17 @@ describe("extractClaims", () => {
     expect(claims).toStrictEqual(expected);
   });
 
+  it("all designated claims from an EmailPass Credential are mapped (constrained)", () => {
+    var claims = extractClaims(vpEmail, policyEmailFromAltmeConstr);
+    var expected = {
+      tokenId: {
+        email: "felix.hoops@tum.de",
+      },
+      tokenAccess: {},
+    };
+    expect(claims).toStrictEqual(expected);
+  });
+
   it("all designated claims from an EmployeeCredential are extracted", () => {
     var claims = extractClaims(vpEmployee, policyEmployeeFromAnyone);
     var expected = {

diff --git a/vclogin/__tests__/testdata/policies/acceptAnything.json b/vclogin/__tests__/testdata/policies/acceptAnything.json
@@ -1,6 +1,6 @@
 [
   {
-    "credentialID": "credential1",
+    "credentialId": "credential1",
     "patterns": [
       {
         "issuer": "*",

diff --git a/vclogin/__tests__/testdata/policies/acceptEmailFromAltme.json b/vclogin/__tests__/testdata/policies/acceptEmailFromAltme.json
@@ -1,6 +1,6 @@
 [
   {
-    "credentialID": "one",
+    "credentialId": "one",
     "patterns": [
       {
         "issuer": "did:web:app.altme.io:issuer",

diff --git a/vclogin/__tests__/testdata/policies/acceptEmailFromAltmeConstr.json b/vclogin/__tests__/testdata/policies/acceptEmailFromAltmeConstr.json
@@ -0,0 +1,21 @@
+[
+  {
+    "credentialId": "one",
+    "patterns": [
+      {
+        "issuer": "did:web:app.altme.io:issuer",
+        "claims": [
+          {
+            "claimPath": "$.credentialSubject.email",
+            "token": "id_token"
+          }
+        ],
+        "constraint": {
+          "op": "equalsDID",
+          "a": "$VP.proof.verificationMethod",
+          "b": "$.credentialSubject.id"
+        }
+      }
+    ]
+  }
+]
diff --git a/vclogin/__tests__/testdata/policies/acceptEmployeeFromAnyone.json b/vclogin/__tests__/testdata/policies/acceptEmployeeFromAnyone.json
@@ -1,6 +1,6 @@
 [
   {
-    "credentialID": "one",
+    "credentialId": "one",
     "patterns": [
       {
         "issuer": "*",

diff --git a/vclogin/__tests__/testdata/policies/acceptEmployeeFromAnyoneConstr.json b/vclogin/__tests__/testdata/policies/acceptEmployeeFromAnyoneConstr.json
@@ -0,0 +1,53 @@
+[
+  {
+    "credentialId": "one",
+    "patterns": [
+      {
+        "issuer": "*",
+        "claims": [
+          {
+            "claimPath": "$.credentialSubject.hasLegallyBindingName",
+            "newPath": "$.companyName"
+          },
+          {
+            "claimPath": "$.credentialSubject.name",
+            "token": "id_token"
+          },
+          {
+            "claimPath": "$.credentialSubject.email",
+            "token": "id_token"
+          }
+        ],
+        "constraint": {
+          "op": "and",
+          "a": {
+            "op": "equalsDID",
+            "a": "$VP.proof.verificationMethod",
+            "b": "$.credentialSubject.id"
+          },
+          "b": {
+            "op": "and",
+            "a": {
+              "op": "endsWith",
+              "a": "$.credentialSubject.email",
+              "b": "@test.com"
+            },
+            "b": {
+              "op": "or",
+              "a": {
+                "op": "matches",
+                "a": "$.credentialSubject.title",
+                "b": "C[EOT]O"
+              },
+              "b": {
+                "op": "equals",
+                "a": "$.credentialSubject.hasJurisdiction",
+                "b": "GER"
+              }
+            }
+          }
+        }
+      }
+    ]
+  }
+]
diff --git a/vclogin/__tests__/testdata/policies/acceptFromAltme.json b/vclogin/__tests__/testdata/policies/acceptFromAltme.json
@@ -1,6 +1,6 @@
 [
   {
-    "credentialID": "one",
+    "credentialId": "one",
     "patterns": [
       {
         "issuer": "did:web:app.altme.io:issuer",

diff --git a/vclogin/lib/evaluateLoginPolicy.ts b/vclogin/lib/evaluateLoginPolicy.ts