-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathrevocation_registry.py
439 lines (369 loc) · 15.2 KB
/
revocation_registry.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
import asyncio
from typing import Dict, List, Optional
from aries_cloudcontroller import (
AcaPyClient,
ClearPendingRevocationsRequest,
CredRevRecordResult,
IssuerCredRevRecord,
IssuerRevRegRecord,
PublishRevocations,
RevokeRequest,
RevRegResult,
)
from app.exceptions import CloudApiException, handle_acapy_call
from app.models.issuer import ClearPendingRevocationsResult
from shared.log_config import get_logger
logger = get_logger(__name__)
async def get_active_revocation_registry_for_credential(
controller: AcaPyClient, credential_definition_id: str
) -> IssuerRevRegRecord:
"""
Get the active revocation registry for a credential
Args:
controller (AcaPyClient): aca-py client
credential_definition_id (str): The credential definition ID.
Raises:
Exception: When the active revocation registry cannot be retrieved.
Returns:
result (IssuerRevRegRecord): The revocation registry record.
"""
bound_logger = logger.bind(
body={"credential_definition_id": credential_definition_id}
)
bound_logger.info("Fetching activate revocation registry for a credential")
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_active_registry_for_cred_def,
cred_def_id=credential_definition_id,
)
if not isinstance(result, RevRegResult):
bound_logger.error(
"Unexpected type returned from get_active_registry_for_cred_def: `{}`.",
result,
)
raise CloudApiException(
f"Error retrieving revocation registry for credential with ID `{credential_definition_id}`."
)
bound_logger.info(
"Successfully retrieved revocation registry for credential definition."
)
return result.result
async def revoke_credential(
controller: AcaPyClient,
credential_exchange_id: str,
credential_definition_id: str = None,
auto_publish_to_ledger: bool = False,
) -> None:
"""
Revoke an issued credential
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
credential_definition_id (str): The credential definition ID.
auto_publish_to_ledger (bool): Whether to directly publish the revocation to the ledger.
This should only be true when invoked by an endorser.
Default is False
Raises:
Exception: When the credential could not be revoked
Returns:
result (None): Successful execution returns None.
"""
bound_logger = logger.bind(
body={
"credential_exchange_id": credential_exchange_id,
"credential_definition_id": credential_definition_id,
"auto_publish_to_ledger": auto_publish_to_ledger,
}
)
bound_logger.info("Revoking an issued credential")
request_body = RevokeRequest(
cred_ex_id=credential_exchange_id,
publish=auto_publish_to_ledger,
)
try:
await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.revoke_credential,
body=request_body,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to revoke credential: {e.detail}.", e.status_code
) from e
bound_logger.info("Successfully revoked credential.")
async def publish_pending_revocations(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> str:
"""
Publish pending revocations
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the pending revocations could not be published
Returns:
result (str): Successful execution returns the endorser transaction id.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
bound_logger.info("Validating revocation registry ids")
await validate_rev_reg_ids(
controller=controller,
revocation_registry_credential_map=revocation_registry_credential_map,
)
try:
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.publish_revocations,
body=PublishRevocations(rrid2crid=revocation_registry_credential_map),
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to publish pending revocations: {e.detail}.", e.status_code
) from e
if not result.txn or not result.txn.transaction_id:
raise CloudApiException(f"Failed to publish pending revocations.", 500)
endorse_transaction_id = result.txn.transaction_id
bound_logger.info(
"Successfully published pending revocations. Endorser transaction id: {}.",
endorse_transaction_id,
)
return endorse_transaction_id
async def clear_pending_revocations(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> ClearPendingRevocationsResult:
"""
Clear pending revocations
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the pending revocations could not be cleared
Returns:
ClearPendingRevocationsResult: The outstanding revocations after completing the clear request.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
bound_logger.info("Validating revocation registry ids")
await validate_rev_reg_ids(
controller=controller,
revocation_registry_credential_map=revocation_registry_credential_map,
)
request_body = ClearPendingRevocationsRequest(
purge=revocation_registry_credential_map
)
try:
clear_result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.clear_pending_revocations,
body=request_body,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to clear pending revocations: {e.detail}.", e.status_code
) from e
result = ClearPendingRevocationsResult(
revocation_registry_credential_map=clear_result.rrid2crid
)
bound_logger.info("Successfully cleared pending revocations.")
return result
async def get_credential_revocation_record(
controller: AcaPyClient,
credential_exchange_id: Optional[str] = None,
credential_revocation_id: Optional[str] = None,
revocation_registry_id: Optional[str] = None,
) -> IssuerCredRevRecord:
"""
Get the revocation status for a credential
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
credential_revocation_id (str): The credential revocation ID.
revocation_registry_id (str): The revocation registry ID.
Raises:
Exception: When failed to get revocation status.
Returns:
IssuerCredRevRecord: The requested credential revocation record.
"""
bound_logger = logger.bind(
body={
"credential_exchange_id": credential_exchange_id,
"credential_revocation_id": credential_revocation_id,
"revocation_registry_id": revocation_registry_id,
}
)
bound_logger.info("Fetching the revocation status for a credential exchange")
try:
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_revocation_status,
cred_ex_id=credential_exchange_id,
cred_rev_id=credential_revocation_id,
rev_reg_id=revocation_registry_id,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to get revocation status: {e.detail}.", e.status_code
) from e
if not isinstance(result, CredRevRecordResult):
bound_logger.error(
"Unexpected type returned from get_revocation_status: `{}`.", result
)
raise CloudApiException(
f"Error retrieving revocation status for credential exchange ID `{credential_exchange_id}`."
)
result = result.result
bound_logger.info("Successfully retrieved revocation status.")
return result
async def get_credential_definition_id_from_exchange_id(
controller: AcaPyClient, credential_exchange_id: str
) -> Optional[str]:
"""
Get the credential definition id from the credential exchange id.
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
Returns:
credential_definition_id (Optional[str]): The credential definition ID or None.
"""
bound_logger = logger.bind(body={"credential_exchange_id": credential_exchange_id})
bound_logger.info("Fetching credential definition id from exchange id")
try:
cred_ex_record = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.issue_credential_v1_0.get_record,
cred_ex_id=credential_exchange_id,
)
credential_definition_id = cred_ex_record.credential_definition_id
except CloudApiException as err1:
bound_logger.info(
"An Exception was caught while getting v1 record. The error message is: '{}'",
err1.detail,
)
try:
bound_logger.info("Trying to get v2 records")
cred_ex_record = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.issue_credential_v2_0.get_record,
cred_ex_id=credential_exchange_id,
)
rev_reg_id = cred_ex_record.indy.rev_reg_id
rev_reg_parts = rev_reg_id.split(":")
credential_definition_id = ":".join(
[
rev_reg_parts[2],
"3",
"CL", # NOTE: Potentially replace this with other possible signature type in future
rev_reg_parts[-4],
rev_reg_parts[-1],
]
)
except CloudApiException as err2:
bound_logger.info(
"An Exception was caught while getting v2 record. The error message is: '{}'",
err2.detail,
)
return
except Exception:
bound_logger.exception(
"Exception caught while constructing credential_definition_id from record."
)
return
bound_logger.info(
"Successfully obtained cred definition id from the cred exchange id."
)
return credential_definition_id
async def validate_rev_reg_ids(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> None:
"""
Validate revocation registry ids
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the revocation registry ids are invalid.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
bound_logger.info("Validating revocation registry ids")
rev_reg_id_list = list(revocation_registry_credential_map.keys())
if not rev_reg_id_list:
return
for rev_reg_id in rev_reg_id_list:
try:
rev_reg_result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_registry,
rev_reg_id=rev_reg_id,
)
if rev_reg_result.result is None:
message = f"Bad request: Failed to retrieve revocation registry '{rev_reg_id}'."
bound_logger.info(message)
raise CloudApiException(message, status_code=404)
pending_pub = rev_reg_result.result.pending_pub
if pending_pub is None:
message = f"Bad request: No pending publications found for revocation registry '{rev_reg_id}'."
bound_logger.info(message)
raise CloudApiException(message, status_code=404)
bound_logger.debug(
"Got the following pending publications for revocation registry '{}': {}",
rev_reg_id,
pending_pub,
)
requested_cred_rev_ids = revocation_registry_credential_map[rev_reg_id]
for cred_rev_id in requested_cred_rev_ids:
if cred_rev_id not in pending_pub:
message = (
f"Bad request: the cred_rev_id: '{cred_rev_id}' "
f"is not pending publication for rev_reg_id: '{rev_reg_id}'."
)
bound_logger.info(message)
raise CloudApiException(message, 404)
except CloudApiException as e:
if e.status_code == 404:
message = f"The rev_reg_id `{rev_reg_id}` does not exist: '{e.detail}'."
bound_logger.info(message)
raise CloudApiException(message, e.status_code) from e
else:
bound_logger.error(
"An Exception was caught while validating rev_reg_id. The error message is: '{}'.",
e.detail,
)
raise CloudApiException(
f"An error occurred while validating requested revocation registry credential map: '{e.detail}'.",
e.status_code,
) from e
bound_logger.info("Successfully validated revocation registry ids.")
async def get_created_active_registries(
controller: AcaPyClient, cred_def_id: str
) -> List[str]:
"""
Get the active revocation registries for a credential definition with state active.
"""
bound_logger = logger.bind(body={"cred_def_id": cred_def_id})
try:
# Both will be in active state when created
reg = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_created_registries,
cred_def_id=cred_def_id,
state="active",
)
return reg.rev_reg_ids
except CloudApiException as e:
detail = (
"Error while creating credential definition: "
+ f"Could not retrieve active revocation registries `{e.detail}`."
)
raise CloudApiException(detail=detail, status_code=e.status_code) from e
async def wait_for_active_registry(
controller: AcaPyClient, cred_def_id: str
) -> List[str]:
active_registries = []
sleep_duration = 0 # First sleep should be 0
while len(active_registries) < 2:
await asyncio.sleep(sleep_duration)
active_registries = await get_created_active_registries(controller, cred_def_id)
sleep_duration = 0.5 # Following sleeps should wait 0.5s before retry
return active_registries