Merge branch 'main' into fix/public-did-mediator-routing-keys

Author: dbluhm

Multicredentials.md

@@ -0,0 +1,9 @@
+# Multi-Credentials
+
+It is a known fact that multiple AnonCreds can be combined to present a presentation proof with an "and" logical operator: For instance, a verifier can ask for the "name" claim from an eID and the "address" claim from a bank statement to have a single proof that is either valid or invalid. With the Present Proof Protocol v2, it is possible to have "and" and "or" logical operators for AnonCreds and/or W3C Verifiable Credentials.
+
+With the Present Proof Protocol v2, verifiers can ask for a combination of credentials as proof. For instance, a Verifier can ask a claim from an AnonCreds **and** a verifiable presentation from a W3C Verifiable Credential, which would open the possibilities of Aries Cloud Agent Python being used for rather complex presentation proof requests that wouldn't be possible without the support of AnonCreds or W3C Verifiable Credentials.
+
+Moreover, it is possible to make similar presentation proof requests using the or logical operator. For instance, a verifier can ask for either an eID in AnonCreds format or an eID in W3C Verifiable Credential format. This has the potential to solve the interoperability problem of different credential formats and ecosystems from a user point of view by shifting the requirement of holding/accepting different credential formats from identity holders to verifiers. Here again, using Aries Cloud Agent Python as the underlying verifier agent can tackle such complex presentation proof requests since the agent is capable of verifying both type of credential formats and proof types.
+
+In the future, it would be even possible to put mDoc as an attachment with an and or or logical operation, along with AnonCreds and/or W3C Verifiable Credentials. For this to happen, Aca-Py either needs the capabilities to validate mDocs internally or to connect third-party endpoints to validate and get a response.

aries_cloudagent/admin/server.py

@@ -370,6 +370,7 @@ async def check_multitenant_authorization(request: web.Request, handler):
                     and not is_server_path
                     and not is_unprotected_path(path)
                     and not base_limited_access_path
+                    and not (request.method == "OPTIONS")  # CORS fix
                 ):
                     raise web.HTTPUnauthorized()
 

aries_cloudagent/config/argparse.py

@@ -74,7 +74,8 @@ def create_argument_parser(*, prog: str = None):
 
 
 def load_argument_groups(parser: ArgumentParser, *groups: Type[ArgumentGroup]):
-    """Log a set of argument groups into a parser.
+    """
+    Log a set of argument groups into a parser.
 
     Returns:
         A callable to convert loaded arguments into a settings dictionary
@@ -872,32 +873,56 @@ def get_settings(self, args: Namespace) -> dict:
         if args.no_ledger:
             settings["ledger.disabled"] = True
         else:
-            configured = False
+            single_configured = False
+            multi_configured = False
+            update_pool_name = False
             if args.genesis_url:
                 settings["ledger.genesis_url"] = args.genesis_url
-                configured = True
+                single_configured = True
             elif args.genesis_file:
                 settings["ledger.genesis_file"] = args.genesis_file
-                configured = True
+                single_configured = True
             elif args.genesis_transactions:
                 settings["ledger.genesis_transactions"] = args.genesis_transactions
-                configured = True
+                single_configured = True
             if args.genesis_transactions_list:
                 with open(args.genesis_transactions_list, "r") as stream:
                     txn_config_list = yaml.safe_load(stream)
                     ledger_config_list = []
                     for txn_config in txn_config_list:
                         ledger_config_list.append(txn_config)
+                        if "is_write" in txn_config and txn_config["is_write"]:
+                            if "genesis_url" in txn_config:
+                                settings["ledger.genesis_url"] = txn_config[
+                                    "genesis_url"
+                                ]
+                            elif "genesis_file" in txn_config:
+                                settings["ledger.genesis_file"] = txn_config[
+                                    "genesis_file"
+                                ]
+                            elif "genesis_transactions" in txn_config:
+                                settings["ledger.genesis_transactions"] = txn_config[
+                                    "genesis_transactions"
+                                ]
+                            else:
+                                raise ArgsParseError(
+                                    "No genesis information provided for write ledger"
+                                )
+                            if "id" in txn_config:
+                                settings["ledger.pool_name"] = txn_config["id"]
+                                update_pool_name = True
                     settings["ledger.ledger_config_list"] = ledger_config_list
-                    configured = True
-            if not configured:
+                    multi_configured = True
+            if not (single_configured or multi_configured):
                 raise ArgsParseError(
                     "One of --genesis-url --genesis-file, --genesis-transactions "
                     "or --genesis-transactions-list must be specified (unless "
                     "--no-ledger is specified to explicitly configure aca-py to"
                     " run with no ledger)."
                 )
-            if args.ledger_pool_name:
+            if single_configured and multi_configured:
+                raise ArgsParseError("Cannot configure both single- and multi-ledger.")
+            if args.ledger_pool_name and not update_pool_name:
                 settings["ledger.pool_name"] = args.ledger_pool_name
             if args.ledger_keepalive:
                 settings["ledger.keepalive"] = args.ledger_keepalive

aries_cloudagent/core/conductor.py

@@ -28,7 +28,7 @@
 from ..config.wallet import wallet_config
 from ..core.profile import Profile
 from ..indy.verifier import IndyVerifier
-from ..ledger.base import BaseLedger
+
 from ..ledger.error import LedgerConfigError, LedgerTransactionError
 from ..ledger.multiple_ledger.base_manager import (
     BaseMultipleLedgerManager,
@@ -144,7 +144,6 @@ async def setup(self):
                     self.root_profile.BACKEND_NAME == "askar"
                     and ledger.BACKEND_NAME == "indy-vdr"
                 ):
-                    context.injector.bind_instance(BaseLedger, ledger)
                     context.injector.bind_provider(
                         IndyVerifier,
                         ClassProvider(
@@ -156,7 +155,6 @@ async def setup(self):
                     self.root_profile.BACKEND_NAME == "indy"
                     and ledger.BACKEND_NAME == "indy"
                 ):
-                    context.injector.bind_instance(BaseLedger, ledger)
                     context.injector.bind_provider(
                         IndyVerifier,
                         ClassProvider(

aries_cloudagent/indy/models/cred_request.py

@@ -44,7 +44,7 @@ class Meta:
         unknown = EXCLUDE
 
     prover_did = fields.Str(
-        requred=True,
+        required=True,
         description="Prover DID",
         **INDY_DID,
     )

aries_cloudagent/messaging/decorators/attach_decorator.py

@@ -30,6 +30,7 @@
 from ..valid import (
     BASE64,
     BASE64URL_NO_PAD,
+    DictOrDictListField,
     INDY_ISO8601_DATETIME,
     JWS_HEADER_KID,
     SHA256,
@@ -228,7 +229,7 @@ def __init__(
         sha256_: str = None,
         links_: Union[Sequence[str], str] = None,
         base64_: str = None,
-        json_: dict = None,
+        json_: Union[Sequence[dict], dict] = None,
     ):
         """
         Initialize decorator data.
@@ -488,7 +489,7 @@ def validate_data_spec(self, data: Mapping, **kwargs):
         required=False,
         data_key="jws",
     )
-    json_ = fields.Dict(
+    json_ = DictOrDictListField(
         description="JSON-serialized data",
         required=False,
         example='{"sample": "content"}',
@@ -615,7 +616,7 @@ def data_base64(
     @classmethod
     def data_json(
         cls,
-        mapping: dict,
+        mapping: Union[Sequence[dict], dict],
         *,
         ident: str = None,
         description: str = None,

aries_cloudagent/protocols/issue_credential/v1_0/routes.py

@@ -382,7 +382,8 @@ async def credential_exchange_retrieve(request: web.BaseRequest):
 
 @docs(
     tags=["issue-credential v1.0"],
-    summary="Send holder a credential, automating entire flow",
+    summary=("Create a credential record without "
+             "sending (generally for use with Out-Of-Band)"),
 )
 @request_schema(V10CredentialCreateSchema())
 @response_schema(V10CredentialExchangeSchema(), 200, description="")

aries_cloudagent/protocols/issue_credential/v2_0/routes.py

@@ -521,7 +521,8 @@ async def credential_exchange_retrieve(request: web.BaseRequest):
 
 @docs(
     tags=["issue-credential v2.0"],
-    summary="Create credential from attribute values",
+    summary=("Create a credential record without "
+             "sending (generally for use with Out-Of-Band)"),
 )
 @request_schema(V20IssueCredSchemaCore())
 @response_schema(V20CredExRecordSchema(), 200, description="")

aries_cloudagent/protocols/present_proof/dif/pres_exch_handler.py

@@ -1230,7 +1230,7 @@ async def create_vp(
         challenge: str = None,
         domain: str = None,
         records_filter: dict = None,
-    ) -> dict:
+    ) -> Union[Sequence[dict], dict]:
         """
         Create VerifiablePresentation.
 
@@ -1244,78 +1244,99 @@ async def create_vp(
         req = await self.make_requirement(
             srs=pd.submission_requirements, descriptors=pd.input_descriptors
         )
-        result = await self.apply_requirements(
-            req=req, credentials=credentials, records_filter=records_filter
-        )
-        applicable_creds, descriptor_maps = await self.merge(result)
-        applicable_creds_list = []
-        for credential in applicable_creds:
-            applicable_creds_list.append(credential.cred_value)
-        if (
-            not self.profile.settings.get("debug.auto_respond_presentation_request")
-            and not records_filter
-            and len(applicable_creds_list) > 1
-        ):
-            raise DIFPresExchError(
-                "Multiple credentials are applicable for presentation_definition "
-                f"{pd.id} and --auto-respond-presentation-request setting is not "
-                "enabled. Please specify which credentials should be applied to "
-                "which input_descriptors using record_ids filter."
+        result = []
+        if req.nested_req:
+            for nested_req in req.nested_req:
+                res = await self.apply_requirements(
+                    req=nested_req,
+                    credentials=credentials,
+                    records_filter=records_filter,
+                )
+                result.append(res)
+        else:
+            res = await self.apply_requirements(
+                req=req, credentials=credentials, records_filter=records_filter
             )
-        # submission_property
-        submission_property = PresentationSubmission(
-            id=str(uuid4()), definition_id=pd.id, descriptor_maps=descriptor_maps
-        )
-        if self.is_holder:
-            (
-                issuer_id,
-                filtered_creds_list,
-            ) = await self.get_sign_key_credential_subject_id(
-                applicable_creds=applicable_creds
+            result.append(res)
+
+        result_vp = []
+        for res in result:
+            applicable_creds, descriptor_maps = await self.merge(res)
+            applicable_creds_list = []
+            for credential in applicable_creds:
+                applicable_creds_list.append(credential.cred_value)
+            if (
+                not self.profile.settings.get("debug.auto_respond_presentation_request")
+                and not records_filter
+                and len(applicable_creds_list) > 1
+            ):
+                raise DIFPresExchError(
+                    "Multiple credentials are applicable for presentation_definition "
+                    f"{pd.id} and --auto-respond-presentation-request setting is not "
+                    "enabled. Please specify which credentials should be applied to "
+                    "which input_descriptors using record_ids filter."
+                )
+            # submission_property
+            submission_property = PresentationSubmission(
+                id=str(uuid4()), definition_id=pd.id, descriptor_maps=descriptor_maps
             )
-            if not issuer_id and len(filtered_creds_list) == 0:
-                vp = await create_presentation(credentials=applicable_creds_list)
-                vp["presentation_submission"] = submission_property.serialize()
-                if self.proof_type is BbsBlsSignature2020.signature_type:
-                    vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-                return vp
-            else:
-                vp = await create_presentation(credentials=filtered_creds_list)
-        else:
-            if not self.pres_signing_did:
+            if self.is_holder:
                 (
                     issuer_id,
                     filtered_creds_list,
                 ) = await self.get_sign_key_credential_subject_id(
                     applicable_creds=applicable_creds
                 )
-                if not issuer_id:
+                if not issuer_id and len(filtered_creds_list) == 0:
                     vp = await create_presentation(credentials=applicable_creds_list)
                     vp["presentation_submission"] = submission_property.serialize()
                     if self.proof_type is BbsBlsSignature2020.signature_type:
                         vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-                    return vp
+                    result_vp.append(vp)
+                    continue
                 else:
                     vp = await create_presentation(credentials=filtered_creds_list)
             else:
-                issuer_id = self.pres_signing_did
-                vp = await create_presentation(credentials=applicable_creds_list)
-        vp["presentation_submission"] = submission_property.serialize()
-        if self.proof_type is BbsBlsSignature2020.signature_type:
-            vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
-        async with self.profile.session() as session:
-            wallet = session.inject(BaseWallet)
-            issue_suite = await self._get_issue_suite(
-                wallet=wallet,
-                issuer_id=issuer_id,
-            )
-            signed_vp = await sign_presentation(
-                presentation=vp,
-                suite=issue_suite,
-                challenge=challenge,
-                document_loader=document_loader,
-            )
-            return signed_vp
+                if not self.pres_signing_did:
+                    (
+                        issuer_id,
+                        filtered_creds_list,
+                    ) = await self.get_sign_key_credential_subject_id(
+                        applicable_creds=applicable_creds
+                    )
+                    if not issuer_id:
+                        vp = await create_presentation(
+                            credentials=applicable_creds_list
+                        )
+                        vp["presentation_submission"] = submission_property.serialize()
+                        if self.proof_type is BbsBlsSignature2020.signature_type:
+                            vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
+                        result_vp.append(vp)
+                        continue
+                    else:
+                        vp = await create_presentation(credentials=filtered_creds_list)
+                else:
+                    issuer_id = self.pres_signing_did
+                    vp = await create_presentation(credentials=applicable_creds_list)
+            vp["presentation_submission"] = submission_property.serialize()
+            if self.proof_type is BbsBlsSignature2020.signature_type:
+                vp["@context"].append(SECURITY_CONTEXT_BBS_URL)
+            async with self.profile.session() as session:
+                wallet = session.inject(BaseWallet)
+                issue_suite = await self._get_issue_suite(
+                    wallet=wallet,
+                    issuer_id=issuer_id,
+                )
+                signed_vp = await sign_presentation(
+                    presentation=vp,
+                    suite=issue_suite,
+                    challenge=challenge,
+                    document_loader=document_loader,
+                )
+            result_vp.append(signed_vp)
+        if len(result_vp) == 1:
+            return result_vp[0]
+        return result_vp
 
     def check_if_cred_id_derived(self, id: str) -> bool:
         """Check if credential or credentialSubjet id is derived."""
@@ -1367,7 +1388,7 @@ async def merge(
     async def verify_received_pres(
         self,
         pd: PresentationDefinition,
-        pres: dict,
+        pres: Union[Sequence[dict], dict],
     ):
         """
         Verify credentials received in presentation.
@@ -1376,8 +1397,24 @@ async def verify_received_pres(
             pres: received VerifiablePresentation
             pd: PresentationDefinition
         """
-        descriptor_map_list = pres["presentation_submission"].get("descriptor_map")
         input_descriptors = pd.input_descriptors
+        if isinstance(pres, Sequence):
+            for pr in pres:
+                descriptor_map_list = pr["presentation_submission"].get(
+                    "descriptor_map"
+                )
+                await self.__verify_desc_map_list(
+                    descriptor_map_list, pr, input_descriptors
+                )
+        else:
+            descriptor_map_list = pres["presentation_submission"].get("descriptor_map")
+            await self.__verify_desc_map_list(
+                descriptor_map_list, pres, input_descriptors
+            )
+
+    async def __verify_desc_map_list(
+        self, descriptor_map_list, pres, input_descriptors
+    ):
         inp_desc_id_contraint_map = {}
         inp_desc_id_schema_one_of_filter = set()
         inp_desc_id_schemas_map = {}