Merge branch 'main' into feat/public-did-multi-use

Author: dbluhm

.github/workflows/pr-tests.yml

@@ -0,0 +1,20 @@
+name: PR Tests
+
+on:
+  pull_request:
+
+jobs:
+  tests:
+    name: Tests
+    uses: ./.github/workflows/tests.yml
+    with:
+      python-version: "3.6"
+      os: "ubuntu-20.04"
+
+  tests-indy:
+    name: Tests (Indy)
+    uses: ./.github/workflows/tests-indy.yml
+    with:
+      python-version: "3.6"
+      indy-version: "1.16.0"
+      os: "ubuntu-20.04"

.github/workflows/tests-indy.yml

@@ -0,0 +1,58 @@
+name: Tests (Indy)
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        required: true
+        type: string
+      indy-version:
+        required: true
+        type: string
+      os:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    name: Test Python ${{ inputs.python-version }} on Indy ${{ inputs.indy-version }}
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache image layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache-test
+          key: ${{ runner.os }}-buildx-test-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-test-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build test image
+        uses: docker/build-push-action@v3
+        with:
+          load: true
+          context: .
+          file: docker/Dockerfile.indy
+          target: acapy-test
+          tags: acapy-test:latest
+          build-args: |
+            python_version=${{ inputs.python-version }}
+            indy_version=${{ inputs.indy-version }}
+          cache-from: type=local,src=/tmp/.buildx-cache-test
+          cache-to: type=local,dest=/tmp/.buildx-cache-test-new,mode=max
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache-test
+          mv /tmp/.buildx-cache-test-new /tmp/.buildx-cache-test
+
+      - name: Run pytest
+        run: |
+          docker run --rm acapy-test:latest

.github/workflows/tests.yml

@@ -0,0 +1,35 @@
+name: Tests
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        required: true
+        type: string
+      os:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    name: Test Python ${{ inputs.python-version }}
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ inputs.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ inputs.python-version }}
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip3 install --no-cache-dir \
+            -r requirements.txt \
+            -r requirements.askar.txt \
+            -r requirements.bbs.txt \
+            -r requirements.dev.txt
+      - name: Tests
+        run: |
+          pytest

Multicredentials.md

@@ -0,0 +1,9 @@
+# Multi-Credentials
+
+It is a known fact that multiple AnonCreds can be combined to present a presentation proof with an "and" logical operator: For instance, a verifier can ask for the "name" claim from an eID and the "address" claim from a bank statement to have a single proof that is either valid or invalid. With the Present Proof Protocol v2, it is possible to have "and" and "or" logical operators for AnonCreds and/or W3C Verifiable Credentials.
+
+With the Present Proof Protocol v2, verifiers can ask for a combination of credentials as proof. For instance, a Verifier can ask a claim from an AnonCreds **and** a verifiable presentation from a W3C Verifiable Credential, which would open the possibilities of Aries Cloud Agent Python being used for rather complex presentation proof requests that wouldn't be possible without the support of AnonCreds or W3C Verifiable Credentials.
+
+Moreover, it is possible to make similar presentation proof requests using the or logical operator. For instance, a verifier can ask for either an eID in AnonCreds format or an eID in W3C Verifiable Credential format. This has the potential to solve the interoperability problem of different credential formats and ecosystems from a user point of view by shifting the requirement of holding/accepting different credential formats from identity holders to verifiers. Here again, using Aries Cloud Agent Python as the underlying verifier agent can tackle such complex presentation proof requests since the agent is capable of verifying both type of credential formats and proof types.
+
+In the future, it would be even possible to put mDoc as an attachment with an and or or logical operation, along with AnonCreds and/or W3C Verifiable Credentials. For this to happen, Aca-Py either needs the capabilities to validate mDocs internally or to connect third-party endpoints to validate and get a response.

aries_cloudagent/messaging/decorators/attach_decorator.py

@@ -30,6 +30,7 @@
 from ..valid import (
     BASE64,
     BASE64URL_NO_PAD,
+    DictOrDictListField,
     INDY_ISO8601_DATETIME,
     JWS_HEADER_KID,
     SHA256,
@@ -228,7 +229,7 @@ def __init__(
         sha256_: str = None,
         links_: Union[Sequence[str], str] = None,
         base64_: str = None,
-        json_: dict = None,
+        json_: Union[Sequence[dict], dict] = None,
     ):
         """
         Initialize decorator data.
@@ -488,7 +489,7 @@ def validate_data_spec(self, data: Mapping, **kwargs):
         required=False,
         data_key="jws",
     )
-    json_ = fields.Dict(
+    json_ = DictOrDictListField(
         description="JSON-serialized data",
         required=False,
         example='{"sample": "content"}',
@@ -615,7 +616,7 @@ def data_base64(
     @classmethod
     def data_json(
         cls,
-        mapping: dict,
+        mapping: Union[Sequence[dict], dict],
         *,
         ident: str = None,
         description: str = None,

aries_cloudagent/protocols/issue_credential/v1_0/routes.py

@@ -382,7 +382,10 @@ async def credential_exchange_retrieve(request: web.BaseRequest):
 
 @docs(
     tags=["issue-credential v1.0"],
-    summary="Send holder a credential, automating entire flow",
+    summary=(
+        "Create a credential record without "
+        "sending (generally for use with Out-Of-Band)"
+    ),
 )
 @request_schema(V10CredentialCreateSchema())
 @response_schema(V10CredentialExchangeSchema(), 200, description="")

aries_cloudagent/protocols/issue_credential/v2_0/routes.py

@@ -521,7 +521,10 @@ async def credential_exchange_retrieve(request: web.BaseRequest):
 
 @docs(
     tags=["issue-credential v2.0"],
-    summary="Create credential from attribute values",
+    summary=(
+        "Create a credential record without "
+        "sending (generally for use with Out-Of-Band)"
+    ),
 )
 @request_schema(V20IssueCredSchemaCore())
 @response_schema(V20CredExRecordSchema(), 200, description="")

aries_cloudagent/protocols/present_proof/dif/pres_exch_handler.py

@@ -1230,7 +1230,7 @@ async def create_vp(
         challenge: str = None,
         domain: str = None,
         records_filter: dict = None,
-    ) -> dict:
+    ) -> Union[Sequence[dict], dict]:
         """
         Create VerifiablePresentation.
 
@@ -1244,78 +1244,99 @@ async def create_vp(
         req = await self.make_requirement(
             srs=pd.submission_requirements, descriptors=pd.input_descriptors
         )
-        result = await self.apply_requirements(
-            req=req, credentials=credentials, records_filter=records_filter
-        )
-        applicable_creds, descriptor_maps = await self.merge(result)
-        applicable_creds_list = []
-        for credential in applicable_creds:
-            applicable_creds_list.append(credential.cred_value)
-        if (
-            not self.profile.settings.get("debug.auto_respond_presentation_request")
-            and not records_filter
-            and len(applicable_creds_list) > 1
-        ):
-            raise DIFPresExchError(
-                "Multiple credentials are applicable for presentation_definition "
-                f"{pd.id} and --auto-respond-presentation-request setting is not "
-                "enabled. Please specify which credentials should be applied to "
-                "which input_descriptors using record_ids filter."
+        result = []
+        if req.nested_req:
+            for nested_req in req.nested_req:
+                res = await self.apply_requirements(
+                    req=nested_req,
+                    credentials=credentials,
+                    records_filter=records_filter,
+                )
+                result.append(res)
+        else:
+            res = await self.apply_requirements(
+                req=req, credentials=credentials, records_filter=records_filter
             )
-        # submission_property
-        submission_property = PresentationSubmission(
-            id=str(uuid4()), definition_id=pd.id, descriptor_maps=descriptor_maps
-        )
-        if self.is_holder:
-            (
-                issuer_id,
-                filtered_creds_list,
-            ) = await self.get_sign_key_credential_subject_id(
-                applicable_creds=applicable_creds
+            result.append(res)
+
+        result_vp = []
+        for res in result:
+            applicable_creds, descriptor_maps = await self.merge(res)
+            applicable_creds_list = []
+            for credential in applicable_creds:
+                applicable_creds_list.append(credential.cred_value)
+            if (
+                not self.profile.settings.get("debug.auto_respond_presentation_request")
+                and not records_filter
+                and len(applicable_creds_list) > 1
+            ):
+                raise DIFPresExchError(
+                    "Multiple credentials are applicable for presentation_definition "
+                    f"{pd.id} and --auto-respond-presentation-request setting is not "
+                    "enabled. Please specify which credentials should be applied to "
+                    "which input_descriptors using record_ids filter."
+                )
+            # submission_property
+            submission_property = PresentationSubmission(
+                id=str(uuid4()), definition_id=pd.id, descriptor_maps=descriptor_maps
             )
-            if not issuer_id and len(filtered_creds_list) == 0:
-                vp = await create_presentation(credentials=applicable_creds_list)
-                vp["presentation_submission"] = submission_property.serialize()
-                if self.proof_type is BbsBlsSignature2020.signature_type:
-                    vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-                return vp
-            else:
-                vp = await create_presentation(credentials=filtered_creds_list)
-        else:
-            if not self.pres_signing_did:
+            if self.is_holder:
                 (
                     issuer_id,
                     filtered_creds_list,
                 ) = await self.get_sign_key_credential_subject_id(
                     applicable_creds=applicable_creds
                 )
-                if not issuer_id:
+                if not issuer_id and len(filtered_creds_list) == 0:
                     vp = await create_presentation(credentials=applicable_creds_list)
                     vp["presentation_submission"] = submission_property.serialize()
                     if self.proof_type is BbsBlsSignature2020.signature_type:
                         vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-                    return vp
+                    result_vp.append(vp)
+                    continue
                 else:
                     vp = await create_presentation(credentials=filtered_creds_list)
             else:
-                issuer_id = self.pres_signing_did
-                vp = await create_presentation(credentials=applicable_creds_list)
-        vp["presentation_submission"] = submission_property.serialize()
-        if self.proof_type is BbsBlsSignature2020.signature_type:
-            vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-        async with self.profile.session() as session:
-            wallet = session.inject(BaseWallet)
-            issue_suite = await self._get_issue_suite(
-                wallet=wallet,
-                issuer_id=issuer_id,
-            )
-            signed_vp = await sign_presentation(
-                presentation=vp,
-                suite=issue_suite,
-                challenge=challenge,
-                document_loader=document_loader,
-            )
-            return signed_vp
+                if not self.pres_signing_did:
+                    (
+                        issuer_id,
+                        filtered_creds_list,
+                    ) = await self.get_sign_key_credential_subject_id(
+                        applicable_creds=applicable_creds
+                    )
+                    if not issuer_id:
+                        vp = await create_presentation(
+                            credentials=applicable_creds_list
+                        )
+                        vp["presentation_submission"] = submission_property.serialize()
+                        if self.proof_type is BbsBlsSignature2020.signature_type:
+                            vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
+                        result_vp.append(vp)
+                        continue
+                    else:
+                        vp = await create_presentation(credentials=filtered_creds_list)
+                else:
+                    issuer_id = self.pres_signing_did
+                    vp = await create_presentation(credentials=applicable_creds_list)
+            vp["presentation_submission"] = submission_property.serialize()
+            if self.proof_type is BbsBlsSignature2020.signature_type:
+                vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
+            async with self.profile.session() as session:
+                wallet = session.inject(BaseWallet)
+                issue_suite = await self._get_issue_suite(
+                    wallet=wallet,
+                    issuer_id=issuer_id,
+                )
+                signed_vp = await sign_presentation(
+                    presentation=vp,
+                    suite=issue_suite,
+                    challenge=challenge,
+                    document_loader=document_loader,
+                )
+            result_vp.append(signed_vp)
+        if len(result_vp) == 1:
+            return result_vp[0]
+        return result_vp
 
     def check_if_cred_id_derived(self, id: str) -> bool:
         """Check if credential or credentialSubjet id is derived."""
@@ -1367,7 +1388,7 @@ async def merge(
     async def verify_received_pres(
         self,
         pd: PresentationDefinition,
-        pres: dict,
+        pres: Union[Sequence[dict], dict],
     ):
         """
         Verify credentials received in presentation.
@@ -1376,8 +1397,24 @@ async def verify_received_pres(
             pres: received VerifiablePresentation
             pd: PresentationDefinition
         """
-        descriptor_map_list = pres["presentation_submission"].get("descriptor_map")
         input_descriptors = pd.input_descriptors
+        if isinstance(pres, Sequence):
+            for pr in pres:
+                descriptor_map_list = pr["presentation_submission"].get(
+                    "descriptor_map"
+                )
+                await self.__verify_desc_map_list(
+                    descriptor_map_list, pr, input_descriptors
+                )
+        else:
+            descriptor_map_list = pres["presentation_submission"].get("descriptor_map")
+            await self.__verify_desc_map_list(
+                descriptor_map_list, pres, input_descriptors
+            )
+
+    async def __verify_desc_map_list(
+        self, descriptor_map_list, pres, input_descriptors
+    ):
         inp_desc_id_contraint_map = {}
         inp_desc_id_schema_one_of_filter = set()
         inp_desc_id_schemas_map = {}