# Policy Development Extensions
The policy service extends the standard Rego runtime with custom
built-in functions and a few custom behaviours, both described here.
### Pure Evaluation Results
The Rego language has a blank identifier (`_`) that can be used on the
left-hand side of an assignment. When it is used as shown below, the
result of the policy evaluation is not embedded in a named variable but
is returned as a *pure* result.
> This is custom functionality developed in the policy service
> and is not standard behaviour of the OPA Rego runtime.
Below are two examples of what this means in practice.
If the following policy is evaluated, the returned result will be
*embedded* in an attribute named `credential`:
```
package example.createProof
credential := proof.create(input)
```
Result:
```json
{
  "credential": {
    "@context": "...",
    "type": "VerifiableCredential",
    "credentialSubject": {...},
    "proof": {...}
  }
}
```
If, however, a blank identifier is used for the assignment, the result
of the policy evaluation is not embedded in an attribute named
`credential` but is returned directly:
```
package example.createProof
_ := proof.create(input)
```
Result:
```json
{
  "@context": "...",
  "type": "VerifiableCredential",
  "credentialSubject": {...},
  "proof": {...}
}
```
A policy developer can use the blank identifier assignment to skip the
mapping of a function call result to a JSON attribute name; the result of
the function call is returned directly as the JSON body.
This is useful when a policy should return a DID document or a Verifiable
Credential as-is from evaluation, without nesting it under a top-level attribute.
### Extension Functions
The policy service injects a number of extension functions into its Rego
runtime. Each of them is listed below with a brief description.
#### cache.get
The function retrieves JSON data from the Cache service. It accepts
three parameters that together identify the underlying cache key. Only the
first one, `key`, is required; the other two may be empty strings.
Example:
```
package example.cacheGet
# `data` is a reserved name in Rego and cannot be used as a rule name,
# so the result is bound to `cached` instead.
cached := cache.get("mykey", "", "")
```
#### cache.set
The function inserts JSON data into the Cache service. It accepts
four parameters: the first three identify (construct) the underlying
cache key, and the fourth is the JSON data to be stored.
Example:
```
package example.cacheSet
result := cache.set("mykey", "", "", input.data)
```
#### did.resolve
Resolve a DID using the [Universal DID Resolver](https://github.com/decentralized-identity/universal-resolver)
and return the resolved DID document.
Example:
```
package example.didResolve
result := did.resolve("did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6")
```
#### task.create
Start an asynchronous task and pass the given data as its input. The function accepts two
parameters: the task name and the input data.
Example:
```
package example.taskCreate
result := task.create("task-name", input.data)
```
#### tasklist.create
Start an asynchronous task list and pass the given data as its input. The function accepts two
parameters: the task list name and the input data.
Example:
```
package example.tasklist
result := tasklist.create("task-list-name", input.data)
```
#### keys.get
Retrieve a specific public key from the signer service. The function accepts one
argument, the name of the key. The key is returned in JWK format,
wrapped in a DID verification method envelope.
Example:
```
package example.getkey
_ := keys.get("key1")
```
Result:
```json
{
  "id": "key1",
  "publicKeyJwk": {
    "crv": "P-256",
    "kid": "key1",
    "kty": "EC",
    "x": "RTx_2cyYcGVSIRP_826S32BiZxSgnzyXgRYmKP8N2l0",
    "y": "unnPzMAnbByBMq2l9WWKsDFE-MDvX6hYhrESsjAaT50"
  },
  "type": "JsonWebKey2020"
}
```
#### keys.getAll
Retrieve all public keys from the signer service. The result is a JSON array of
keys in JWK format, each wrapped in a DID verification method envelope.
Example:
```
package example.getAllKeys
_ := keys.getAll()
```
Result:
```json
[
  {
    "id": "key1",
    "publicKeyJwk": {
      "crv": "P-256",
      "kid": "key1",
      "kty": "EC",
      "x": "RTx_2cyYcGVSIRP_826S32BiZxSgnzyXgRYmKP8N2l0",
      "y": "unnPzMAnbByBMq2l9WWKsDFE-MDvX6hYhrESsjAaT50"
    },
    "type": "JsonWebKey2020"
  },
  {
    ...
  }
]
```
#### issuer
Retrieve the DID issuer value configured in the signer service.
Example:
```
package example.getIssuer
did := issuer().did
```
Result:
```json
{
  "did": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6"
}
```
#### proof.create
Create a proof for a Verifiable Credential or Verifiable Presentation.
The function accepts one argument, a VC or VP in JSON format.
It calls the signer service to generate the proof and returns the response,
which is the same VC/VP with a `proof` section added.
Example Policy:
```
package example.createProof
_ := proof.create(input)
```
Example VC given to policy evaluation:
```json
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "credentialSubject": {
    "allow": true,
    "id": "example/examplePolicy/1.0"
  },
  "issuanceDate": "2022-07-12T13:59:35.246990412Z",
  "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
  "type": "VerifiableCredential"
}
```
Example Response:
```json
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "credentialSubject": {
    "allow": true,
    "id": "example/examplePolicy/1.0"
  },
  "issuanceDate": "2022-07-12T13:59:35.246990412Z",
  "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
  "proof": {
    "created": "2022-07-21T09:57:37.761706653Z",
    "jws": "eyJhbGciOiJKc29uV2ViU2lnbmF0dXJlMjAyMCIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEUCIQCOuTbwqembXOv2wjPhPkjR5Minf27DhO_KbNmXdxRxKQIgK3DTaucbir5SYNi_5Xwj8mpKoXxoKzF5_ZYUJB98IBE",
    "proofPurpose": "assertionMethod",
    "type": "JsonWebSignature2020",
    "verificationMethod": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation#key1"
  },
  "type": "VerifiableCredential"
}
```
#### proof.verify
Verify the proof of a Verifiable Credential or Verifiable Presentation.
The function accepts one argument, a VC or VP in JSON format including its `proof` section.
It calls the signer service to validate the proof.
Example Policy:
```
package example.verifyProof
valid := proof.verify(input)
```
Example VC given to policy evaluation:
```json
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "credentialSubject": {
    "allow": true,
    "id": "example/examplePolicy/1.0"
  },
  "issuanceDate": "2022-07-12T13:59:35.246990412Z",
  "issuer": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation",
  "proof": {
    "created": "2022-07-21T09:57:37.761706653Z",
    "jws": "eyJhbGciOiJKc29uV2ViU2lnbmF0dXJlMjAyMCIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEUCIQCOuTbwqembXOv2wjPhPkjR5Minf27DhO_KbNmXdxRxKQIgK3DTaucbir5SYNi_5Xwj8mpKoXxoKzF5_ZYUJB98IBE",
    "proofPurpose": "assertionMethod",
    "type": "JsonWebSignature2020",
    "verificationMethod": "did:web:gaiax.vereign.com:tsa:policy:policy:example:returnDID:1.0:evaluation#key1"
  },
  "type": "VerifiableCredential"
}
```
Result:
```json
{
  "valid": true
}
```
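The following Go program is an added example, not code from the policy service or the signer service, showing what the `keys.get` envelope and a `proof.verify` call involve underneath: parsing the `publicKeyJwk` envelope into a P-256 key, and producing and checking a detached JWS shaped like the one in the example response above. The protected header in that response decodes to `{"alg":"JsonWebSignature2020","b64":false,"crit":["b64"]}` and its signature part starts with `MEUCIQ`, which is the base64url of a DER `SEQUENCE`, so the code signs and verifies DER-encoded ECDSA over the RFC 7797 `b64=false` signing input. Assumptions: the signed payload is whatever bytes the signer's canonicalization step produces for the credential (deriving those bytes from the VC is out of scope here, so a constructed byte string stands in), the `kid` field is omitted, and every function name is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// ProtectedHeader is the header of the page's example proof, i.e. base64url of {"alg":"JsonWebSignature2020","b64":false,"crit":["b64"]}.
const ProtectedHeader = "eyJhbGciOiJKc29uV2ViU2lnbmF0dXJlMjAyMCIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19"

// VerificationMethod mirrors the keys.get envelope: a JWK plus id and type.
type VerificationMethod struct {
	ID           string `json:"id"`
	Type         string `json:"type"`
	PublicKeyJwk JWK    `json:"publicKeyJwk"`
}

// JWK holds the fields of the page's P-256 example key (kid omitted for brevity).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// jwsHeader is the decoded protected header; B64 is a pointer so "absent" differs from "false".
type jwsHeader struct {
	Alg  string   `json:"alg"`
	B64  *bool    `json:"b64"`
	Crit []string `json:"crit"`
}

// KeyToMethod wraps a public key the way keys.get does (this example's helper, not the service's).
func KeyToMethod(id string, pub *ecdsa.PublicKey) VerificationMethod {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	jwk := JWK{Kty: "EC", Crv: "P-256", X: base64.RawURLEncoding.EncodeToString(x), Y: base64.RawURLEncoding.EncodeToString(y)}
	return VerificationMethod{ID: id, Type: "JsonWebKey2020", PublicKeyJwk: jwk}
}

// PublicKeyFromMethod accepts only an EC P-256 JWK whose point actually lies on the curve.
func PublicKeyFromMethod(vm VerificationMethod) (*ecdsa.PublicKey, error) {
	k := vm.PublicKeyJwk
	xb, errX := base64.RawURLEncoding.DecodeString(k.X)
	yb, errY := base64.RawURLEncoding.DecodeString(k.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, fmt.Errorf("expected an EC P-256 JWK with 32-byte coordinates on the curve")
	}
	return pub, nil
}

// SignDetached yields "<protected>..<signature>" shaped like the page's proof: DER-encoded ECDSA
// over SHA-256(ASCII(protected) || "." || raw payload), the b64=false form of RFC 7797.
func SignDetached(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(append([]byte(ProtectedHeader+"."), payload...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return ProtectedHeader + ".." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyDetached is the check behind a "valid": true result. A header that omits b64=false, or
// whose crit is not exactly ["b64"], is rejected before any signature math (RFC 7515 4.1.11).
func VerifyDetached(jws string, payload []byte, pub *ecdsa.PublicKey) (bool, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 || parts[1] != "" {
		return false, fmt.Errorf("expected detached form <protected>..<signature>")
	}
	raw, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errS != nil {
		return false, fmt.Errorf("header or signature is not valid base64url")
	}
	var hdr jwsHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return false, err
	}
	if hdr.Alg != "JsonWebSignature2020" || hdr.B64 == nil || *hdr.B64 || len(hdr.Crit) != 1 || hdr.Crit[0] != "b64" {
		return false, fmt.Errorf("header must be alg JsonWebSignature2020, \"b64\": false, crit [\"b64\"]")
	}
	digest := sha256.Sum256(append([]byte(parts[0]+"."), payload...))
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, _ := PublicKeyFromMethod(KeyToMethod("key1", &priv.PublicKey))
	jws, _ := SignDetached(priv, []byte("constructed verify data")) // stand-in for the signer's canonicalized data
	fmt.Println(VerifyDetached(jws, []byte("constructed verify data"), pub)) // true <nil>
	fmt.Println(VerifyDetached(jws, []byte("tampered"), pub))                // false <nil>
}
```

The order of the checks in `VerifyDetached` is the point: a verifier that reads `b64` from an untrusted header without insisting it be listed in `crit`, or that tolerates unknown `crit` entries, can be steered into hashing a different signing input than the signer used. Rejecting the header first, and only then touching the key, keeps the `valid` decision tied to exactly the header shape the signer service emits in the example above.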