-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathrevocation_registry.py
534 lines (450 loc) · 18.1 KB
/
revocation_registry.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
import asyncio
from typing import Dict, List, Optional
from aries_cloudcontroller import (
AcaPyClient,
ClearPendingRevocationsRequest,
CredRevRecordResult,
IssuerCredRevRecord,
IssuerRevRegRecord,
PublishRevocations,
RevokeRequest,
RevRegResult,
TxnOrPublishRevocationsResult,
)
from app.exceptions import (
CloudApiException,
handle_acapy_call,
handle_model_with_validation,
)
from app.models.issuer import ClearPendingRevocationsResult, RevokedResponse
from app.util.credentials import strip_protocol_prefix
from app.util.retry_method import coroutine_with_retry
from shared.log_config import get_logger
logger = get_logger(__name__)
async def get_active_revocation_registry_for_credential(
controller: AcaPyClient, credential_definition_id: str
) -> IssuerRevRegRecord:
"""
Get the active revocation registry for a credential
Args:
controller (AcaPyClient): aca-py client
credential_definition_id (str): The credential definition ID.
Raises:
Exception: When the active revocation registry cannot be retrieved.
Returns:
result (IssuerRevRegRecord): The revocation registry record.
"""
bound_logger = logger.bind(
body={"credential_definition_id": credential_definition_id}
)
bound_logger.debug("Fetching activate revocation registry for a credential")
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_active_registry_for_cred_def,
cred_def_id=credential_definition_id,
)
if not isinstance(result, RevRegResult):
bound_logger.error(
"Unexpected type returned from get_active_registry_for_cred_def: `{}`.",
result,
)
raise CloudApiException(
"Error retrieving revocation registry for credential with ID "
f"`{credential_definition_id}`."
)
bound_logger.debug(
"Successfully retrieved revocation registry for credential definition."
)
return result.result
async def revoke_credential(
controller: AcaPyClient,
credential_exchange_id: str,
auto_publish_to_ledger: bool = False,
) -> RevokedResponse:
"""
Revoke an issued credential
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
auto_publish_to_ledger (bool): (True) publish revocation to ledger immediately,
or (default, False) mark it pending
Raises:
Exception: When the credential could not be revoked
Returns:
result (None): Successful execution returns None.
"""
bound_logger = logger.bind(
body={
"credential_exchange_id": credential_exchange_id,
"auto_publish_to_ledger": auto_publish_to_ledger,
}
)
bound_logger.debug("Revoking an issued credential")
request_body = handle_model_with_validation(
logger=bound_logger,
model_class=RevokeRequest,
cred_ex_id=strip_protocol_prefix(credential_exchange_id),
publish=auto_publish_to_ledger,
)
try:
revoke_result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.revoke_credential,
body=request_body,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to revoke credential: {e.detail}", e.status_code
) from e
if auto_publish_to_ledger:
bound_logger.debug("Wait for publish complete")
revoked = False
max_tries = 5
retry_delay = 1
n_try = 0
while not revoked and n_try < max_tries:
n_try += 1
# Safely fetch revocation record and check if change reflected
record = await coroutine_with_retry(
coroutine_func=controller.revocation.get_revocation_status,
args=(strip_protocol_prefix(credential_exchange_id),),
logger=bound_logger,
max_attempts=5,
retry_delay=0.5,
)
# Todo: this record state can be "revoked" before it's been endorsed
if record.result:
revoked = record.result.state == "revoked"
if not revoked and n_try < max_tries:
bound_logger.debug("Not yet revoked, waiting ...")
await asyncio.sleep(retry_delay)
if not revoked:
raise CloudApiException(
"Could not assert that revocation was published within timeout. "
"Please check the revocation record state and retry if not revoked."
)
if not revoke_result:
raise CloudApiException(
"Revocation was published but no result was returned. "
"Has this credential been revoked before?"
)
if (
revoke_result
and revoke_result["txn"]
and revoke_result["txn"]["messages_attach"][0]
):
bound_logger.debug("Successfully revoked credential.")
return RevokedResponse.model_validate({"txn": [revoke_result["txn"]]})
bound_logger.debug("Successfully revoked credential.")
return RevokedResponse()
async def publish_pending_revocations(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> TxnOrPublishRevocationsResult:
"""
Publish pending revocations
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the pending revocations could not be published
Returns:
result (str): Successful execution returns the endorser transaction id.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
await validate_rev_reg_ids(
controller=controller,
revocation_registry_credential_map=revocation_registry_credential_map,
)
try:
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.publish_revocations,
body=PublishRevocations(rrid2crid=revocation_registry_credential_map),
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to publish pending revocations: {e.detail}", e.status_code
) from e
if not result.txn or not result.txn[0].transaction_id:
bound_logger.warning(
"Published pending revocations but received no endorser transaction id. Got result: {}",
result,
)
return
endorse_transaction_ids = [txn.transaction_id for txn in result.txn]
bound_logger.debug(
"Successfully published pending revocations. Endorser transaction ids: {}.",
endorse_transaction_ids,
)
return result
async def clear_pending_revocations(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> ClearPendingRevocationsResult:
"""
Clear pending revocations
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the pending revocations could not be cleared
Returns:
ClearPendingRevocationsResult: The outstanding revocations after completing the clear request.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
bound_logger.debug("Validating revocation registry ids")
await validate_rev_reg_ids(
controller=controller,
revocation_registry_credential_map=revocation_registry_credential_map,
)
request_body = ClearPendingRevocationsRequest(
purge=revocation_registry_credential_map
)
try:
clear_result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.clear_pending_revocations,
body=request_body,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to clear pending revocations: {e.detail}", e.status_code
) from e
result = ClearPendingRevocationsResult(
revocation_registry_credential_map=clear_result.rrid2crid
)
bound_logger.debug("Successfully cleared pending revocations.")
return result
async def get_credential_revocation_record(
controller: AcaPyClient,
credential_exchange_id: Optional[str] = None,
credential_revocation_id: Optional[str] = None,
revocation_registry_id: Optional[str] = None,
) -> IssuerCredRevRecord:
"""
Get the revocation status for a credential
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
credential_revocation_id (str): The credential revocation ID.
revocation_registry_id (str): The revocation registry ID.
Raises:
Exception: When failed to get revocation status.
Returns:
IssuerCredRevRecord: The requested credential revocation record.
"""
bound_logger = logger.bind(
body={
"credential_exchange_id": credential_exchange_id,
"credential_revocation_id": credential_revocation_id,
"revocation_registry_id": revocation_registry_id,
}
)
bound_logger.debug("Fetching the revocation status for a credential exchange")
try:
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_revocation_status,
cred_ex_id=strip_protocol_prefix(credential_exchange_id),
cred_rev_id=credential_revocation_id,
rev_reg_id=revocation_registry_id,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to get revocation status: {e.detail}", e.status_code
) from e
if not isinstance(result, CredRevRecordResult):
bound_logger.error(
"Unexpected type returned from get_revocation_status: `{}`.", result
)
raise CloudApiException(
"Error retrieving revocation status for credential exchange ID "
f"`{credential_exchange_id}`."
)
result = result.result
bound_logger.debug("Successfully retrieved revocation status.")
return result
async def get_credential_definition_id_from_exchange_id(
controller: AcaPyClient, credential_exchange_id: str
) -> Optional[str]:
"""
Get the credential definition id from the credential exchange id.
Args:
controller (AcaPyClient): aca-py client
credential_exchange_id (str): The credential exchange ID.
Returns:
credential_definition_id (Optional[str]): The credential definition ID or None.
"""
bound_logger = logger.bind(body={"credential_exchange_id": credential_exchange_id})
bound_logger.debug("Fetching credential definition id from exchange id")
cred_ex_id = strip_protocol_prefix(credential_exchange_id)
try:
cred_ex_record = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.issue_credential_v2_0.get_record,
cred_ex_id=cred_ex_id,
)
rev_reg_id = cred_ex_record.indy.rev_reg_id
rev_reg_parts = rev_reg_id.split(":")
credential_definition_id = ":".join(
[
rev_reg_parts[2],
"3",
"CL", # NOTE: update this with other signature types in future
rev_reg_parts[-4],
rev_reg_parts[-1],
]
)
except CloudApiException as err:
bound_logger.info(
"An Exception was caught while getting v2 record: '{}'",
err.detail,
)
return
except Exception: # pylint: disable=W0718
bound_logger.exception(
"Exception caught while constructing cred def id from record."
)
return
bound_logger.debug(
"Successfully obtained cred definition id from the cred exchange id."
)
return credential_definition_id
async def validate_rev_reg_ids(
controller: AcaPyClient, revocation_registry_credential_map: Dict[str, List[str]]
) -> None:
"""
Validate revocation registry ids
Args:
controller (AcaPyClient): aca-py client
revocation_registry_credential_map (Dict[str, List[str]]): A dictionary where each key is a
revocation registry ID and its value is a list of credential revocation IDs to be cleared.
Raises:
Exception: When the revocation registry ids are invalid.
"""
bound_logger = logger.bind(body=revocation_registry_credential_map)
rev_reg_id_list = list(revocation_registry_credential_map.keys())
if not rev_reg_id_list:
return
bound_logger.debug("Validating revocation registry ids")
for rev_reg_id in rev_reg_id_list:
try:
rev_reg_result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_registry,
rev_reg_id=rev_reg_id,
)
if rev_reg_result.result is None:
message = (
"Bad request: Failed to retrieve revocation registry "
f"'{rev_reg_id}'."
)
bound_logger.info(message)
raise CloudApiException(message, status_code=404)
pending_pub = rev_reg_result.result.pending_pub
if pending_pub is None:
message = (
"Bad request: No pending publications found for "
f"revocation registry '{rev_reg_id}'."
)
bound_logger.info(message)
raise CloudApiException(message, status_code=404)
bound_logger.debug(
"Got the following pending publications for rev registry '{}': {}",
rev_reg_id,
pending_pub,
)
requested_cred_rev_ids = revocation_registry_credential_map[rev_reg_id]
for cred_rev_id in requested_cred_rev_ids:
if cred_rev_id not in pending_pub:
message = (
f"Bad request: the cred_rev_id: '{cred_rev_id}' "
f"is not pending publication for rev_reg_id: '{rev_reg_id}'."
)
bound_logger.info(message)
raise CloudApiException(message, 404)
except CloudApiException as e:
if e.status_code == 404:
message = f"The rev_reg_id `{rev_reg_id}` does not exist: '{e.detail}'."
bound_logger.info(message)
raise CloudApiException(message, e.status_code) from e
else:
bound_logger.error(
"An Exception was caught while validating rev_reg_id: '{}'.",
e.detail,
)
raise CloudApiException(
(
"An error occurred while validating requested "
f"revocation registry credential map: '{e.detail}'."
),
e.status_code,
) from e
bound_logger.debug("Successfully validated revocation registry ids.")
async def get_created_active_registries(
controller: AcaPyClient, cred_def_id: str
) -> List[str]:
"""
Get the active revocation registries for a credential definition with state active.
"""
bound_logger = logger.bind(body={"cred_def_id": cred_def_id})
try:
# Both will be in active state when created
reg = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_created_registries,
cred_def_id=cred_def_id,
state="active",
)
return reg.rev_reg_ids
except CloudApiException as e:
detail = (
"Error while creating credential definition: "
+ f"Could not retrieve active revocation registries `{e.detail}`."
)
raise CloudApiException(detail=detail, status_code=e.status_code) from e
async def wait_for_active_registry(
controller: AcaPyClient, cred_def_id: str
) -> List[str]:
active_registries = []
sleep_duration = 0 # First sleep should be 0
# we want both active registries ready before trying to publish revocations to it
while len(active_registries) < 2:
await asyncio.sleep(sleep_duration)
active_registries = await get_created_active_registries(controller, cred_def_id)
sleep_duration = 0.5 # Following sleeps should wait 0.5s before retry
return active_registries
async def get_pending_revocations(
controller: AcaPyClient, rev_reg_id: str
) -> List[int]:
"""
Get the pending revocations for a revocation registry.
Args:
controller (AcaPyClient): aca-py client
rev_reg_id (str): The revocation registry ID.
Raises:
Exception: When the pending revocations could not be retrieved.
Returns:
pending_revocations (List[int]): The pending revocations.
"""
bound_logger = logger.bind(body={"rev_reg_id": rev_reg_id})
bound_logger.debug("Fetching pending revocations for a revocation registry")
try:
result = await handle_acapy_call(
logger=bound_logger,
acapy_call=controller.revocation.get_registry,
rev_reg_id=rev_reg_id,
)
except CloudApiException as e:
raise CloudApiException(
f"Failed to get pending revocations: {e.detail}", e.status_code
) from e
if not result.result:
bound_logger.error("Unexpected type returned from get_registry: `{}`.", result)
raise CloudApiException(
f"Error retrieving pending revocations for revocation registry with ID `{rev_reg_id}`."
)
pending_revocations = result.result.pending_pub
bound_logger.debug("Successfully retrieved pending revocations.")
return pending_revocations