feat: add anoncreds interface #2276

Contributor

@dbluhm dbluhm commented Jun 22, 2023

And use it in Issue Credential v2 and Present Proof v2.

This PR supersedes #2191. As compared to #2191, this PR includes the required changes to use revocation with the generic anoncreds interface. Additionally, I've cleaned up this branch quite a bit. We had some unsuccessful detours (led by me lol) that resulted in both a messy history and changes in places that didn't need changes in the end.

Due to the need to clean up history, the contributions of my collaborators have unfortunately been obscured. Thank you @burdettadam and @cjhowland for all of your work on this!

As discussed with @swcurran, the intent of this PR is to have it merged to a feature branch (as in not merged to main) and for work to continue on the feature branch. I will create a number of issues reflecting things we hadn't gotten to yet or explicitly set aside for later as well as calling out discoveries that warrant further discussion.

Here is a brief summary of the changes that are included in this PR:

Changes

Added AnonCreds Registry and plugin interface

  • This is a generic AnonCreds registry interface. It defines a registrar and resolver abstract base class which are to be implemented by plugins. The plugged in resolvers and registrars are then registered with the main registry interface which selects the appropriate resolver/registrar for a given identifier and operation.
  • Interface found in aries_cloudagent.anoncreds.registry
  • ABCs found in aries_cloudagent.anoncreds.base
  • Associated models for generic representations of schemas, cred defs, and revocation artifacts found in aries_cloudagent.anoncreds.models

Added default registry for "legacy indy"

  • Found in aries_cloudagent.anoncreds.default.legacy_indy
  • Uses the aries_cloudagent.ledger to send transactions to indy networks.
  • Does NOT support endorsement protocol flow.

Added stubs for did:web and did:indy

  • These reside alongside the legacy_indy registry but are just stubbed out for now.

Added AnonCreds Issuer, Verifier, and Holder interfaces

  • Found in aries_cloudagent.anoncreds.{issuer,verifier,holder}
  • These are very similar to but different from the original IndyIssuer, IndyVerifier and IndyHolder interfaces that existed previously.
  • The role of these interfaces has expanded slightly, especially for Issuer, to better abstract the details of credential artifact registration and creation when using the generic anoncreds interface.

Added AnonCreds Revocation interface

  • Found in aries_cloudagent.anoncreds.revocation
  • This is intended to replace several components: IssuerRevRegRecord, RevocationRegistry, and IndyRevocation.
  • The components it replaces remain in place until all responsibilities have been moved.
  • There was an unfortunate amount of conceptual overlap between these components. On top of this, their responsibilities were confused over time, resulting in models/records doing more than they probably should have.
  • Implements a create_credential method similar to AnonCredsIssuer.create_credential. The issuer version supports credentials for cred defs that do not support revocation. The revocation version supports credentials for cred defs that do support revocation. The separation results in a cleaner implementation on both sides and cleaner split in responsibilities.

Update Issue Credential v2 indy format handler to use AnonCreds interface

  • Generally only minor tweaks with the exception of a cleaned up issue_credential; previously, this method made calls directly to the ledger with Indy specific revocation details being handled at this layer. These details have been moved down the stack to AnonCredsRevocation.create_credential.

Update Present Proof v2 indy format handler to use AnonCreds interface

  • Generally minor tweaks.

Update Revocation Manager

  • This component bridges the gap between protocol records and IssuerCredRevRecords and AnonCreds details.
  • Updated revoke and publish methods to use the generic interface.
  • There remain some Indy-isms in update_rev_reg_revoked_state. I believe this can be translated to a more generic operation but I haven't had a chance to take a closer look at the revocation recovery pieces yet.

Added AnonCredsTailsServer and updated BaseTailsServer

Added Admin endpoints for AnonCreds operations

post /anoncreds/schema
get /anoncreds/schema/{schemaId}
get /anoncreds/schemas
post /anoncreds/credential-definition
get /anoncreds/credential-definition/{cred_def_id}
get /anoncreds/credential-definitions
post /anoncreds/revocation-registry-definition
post /anoncreds/revocation-list
put /anoncreds/registry/{rev_reg_id}/tails-file
put /anoncreds/registry/{rev_reg_id}/active
post /anoncreds/revoke
post /anoncreds/publish-revocations
  • These behave more or less as expected when compared to /schemas, /credential-definitions, /revocation/*, etc.
  • This is currently the only flow supported. Automated setup flow is in the works.

Updated BaseLedger to behave as needed for the legacy indy registry

  • The ledger implementation previously did some funky stuff with passed in IndyIssuer to both create and publish anoncreds artifacts. The responsibility of the ledger has been reduced to only publishing.
  • These changes were implemented destructively but don't have to be if we want to better support backwards compatibility of Indy specific components.
  • Some improvements were made to error handling to clean up the flow of some methods (see aries_cloudagent.ledger.error)

Updates to Dockerfiles, requirements, setup to add anoncreds dep

  • Currently pulling directly from git repo since no package is published to PyPI yet
  • Binary also pulled from github releases page

Notably missing changes

  • Issue Credential v1 and Present Proof v1 implementation has not been updated
  • Old endpoints are still present but are in various states of functional; these will either need to be deprecated or adapted
  • Removal of deprecated components like IssuerRevRegRecord; we need a migration plan here, too
  • There are some shortcomings in link secret handling as caused by the anoncreds library not accepting a memory view (see Zeroing the Link Secret hyperledger/anoncreds-rs#202 (comment))
  • Additional rearranging of components like aries_cloudagent.ledger; several should be moved to somewhere in anoncreds.default.indy or similar
  • Models for portions of AnonCreds credentials are still defined in aries_cloudagent.indy -- moving these components was omitted for a cleaner set of changes in this PR (not moving these reduced the number of lines changed by half)
  • In general, backwards compatibility with previously created anoncreds objects. Holder and verifier roles are likely fine but Issuer will need a migration plan.
  • Updates to tests. Sorry 😬 -- we have been testing using an integration style test that calls the added admin API endpoints. I have not included these tests in this PR for the sake of cleanliness. I uploaded the test as a gist here: https://gist.github.com/dbluhm/4d33d8946d23dbaced9be825c49a9d5c
  • Automated setup of revocation artifacts -- I have some WIP but opted to hurry up and open this PR rather than wait for me to finish.
  • did:indy and did:web implementations
  • Endorser support -- this can be implemented through a separate Indy registry plugin or through options to the existing registry
  • Revocation recovery is still Indy specific at the moment

And use it in Issue Credential v2 and Present Proof v2

Signed-off-by: Daniel Bluhm <[email protected]>
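
The registry dispatch outlined in the PR description above (plugged-in resolvers, with the registry selecting one per identifier), as an added Python sketch that is not code from this PR or from aries_cloudagent. The class names, the `pattern` attribute and the sample schema id are hypothetical. The sketch also assumes a fail-closed rule: the registry refuses an identifier claimed by no plugin or by more than one.

```python
import re
from abc import ABC, abstractmethod


class SchemaResolver(ABC):
    """Hypothetical resolver base class; each plugin declares the ids it owns."""

    pattern: re.Pattern  # full-match regex for the identifiers this plugin supports

    def supports(self, identifier: str) -> bool:
        # fullmatch, not match/search: a prefix hit must not claim ownership
        return self.pattern.fullmatch(identifier) is not None

    @abstractmethod
    def get_schema(self, schema_id: str) -> dict: ...


class LegacyIndyResolver(SchemaResolver):
    # Unqualified legacy Indy schema id: <base58 DID>:2:<name>:<version>
    pattern = re.compile(
        r"(?P<did>[1-9A-HJ-NP-Za-km-z]{21,22}):2:(?P<name>[^:]+):(?P<version>[0-9.]+)"
    )

    def get_schema(self, schema_id: str) -> dict:
        m = self.pattern.fullmatch(schema_id)
        # Constructed result; a real plugin would read this from the ledger.
        return {"issuerId": m["did"], "name": m["name"], "version": m["version"]}


class DidWebResolver(SchemaResolver):
    pattern = re.compile(r"did:web:.+")

    def get_schema(self, schema_id: str) -> dict:
        raise NotImplementedError("did:web is only stubbed out")


class Registry:
    def __init__(self):
        self._resolvers = []

    def register(self, resolver: SchemaResolver) -> None:
        self._resolvers.append(resolver)

    def resolver_for(self, identifier: str) -> SchemaResolver:
        matches = [r for r in self._resolvers if r.supports(identifier)]
        if len(matches) != 1:  # fail closed on unknown or ambiguous ownership
            raise LookupError(f"{len(matches)} resolvers claim {identifier!r}")
        return matches[0]

    def get_schema(self, schema_id: str) -> dict:
        return self.resolver_for(schema_id).get_schema(schema_id)
```

Requiring exactly one match means a second plugin whose pattern overlaps an existing one produces an error rather than silently taking over resolution for those identifiers.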
@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • No Coverage information
  • No Duplication information

@swcurran
Contributor

FYI - @usingtechnology

@dbluhm — thanks for the documentation!

@swcurran
Contributor

@usingtechnology — once you have looked at #2233, jump to this to get to a point we can merge it into a dev branch? We don’t have to worry right now about the tests passing. Don’t worry if you can’t do that today, and don’t let it interfere with your Friday. I’ll work on a meeting for (hopefully) Monday so we can go over this and plan next steps.

@swcurran swcurran changed the base branch from main to anoncreds-rs June 26, 2023 21:06
Contributor

@usingtechnology usingtechnology left a comment

A couple of minor cleanup/tweaks, then let's get this into its own branch.


RUN mkdir aries_cloudagent && touch aries_cloudagent/__init__.py
ADD aries_cloudagent/version.py aries_cloudagent/version.py
ADD bin ./bin
ADD README.md ./
ADD setup.py ./
ADD healthcheck.py ./
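
Review bot: the `ADD` lines here copy plain local files (`README.md`, `setup.py`, `healthcheck.py`) where `COPY` would do; `ADD` also unpacks archives and fetches URLs, so `COPY` is the narrower instruction for a build context file. `ADD healthcheck.py ./` also puts a script into the image that nothing in the visible lines uses; if it is not needed at runtime, drop the line rather than ship it.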
Contributor

can we remove this line? i think that's a file in the gist?

Contributor Author

Good catch; yes, this line needs to be removed

-r requirements.bbs.txt \
-r requirements.dev.txt \
-r requirements.anoncreds.txt
RUN curl -sL https://github.com/Indicio-tech/anoncreds-rs/releases/download/v0.1.0-dev.9/library-linux-x86_64.tar.gz | tar -xz -C /usr/local/lib/python3.9/site-packages/anoncreds/
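
Review bot: the `RUN curl -sL ... | tar -xz -C ...` line extracts a downloaded native library straight into site-packages with no integrity check, so whatever the release URL serves at build time ends up loaded by the agent. Download the tarball to a file, compare it against a SHA-256 pinned in the Dockerfile, and only then extract it. Adding `-f` to curl would also make the build fail clearly on an HTTP error. The target path hardcodes `python3.9`, which will break silently-wrong if the base image's Python version changes; deriving it from the interpreter would be safer.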
Contributor

can we replace these Indicio-tech urls with hyperledger labs? https://github.com/hyperledger/anoncreds-rs/releases/download/

Contributor Author

Yes, we can point to the link you provided -- we needed to use a build we made early on due to incompatibilities in glibc version but those issues have been fixed on the main releases. We updated the other dockerfiles; looks like we just missed a reference.

@usingtechnology
Contributor

i think we can merge and i can do those little touch ups.

@usingtechnology usingtechnology merged commit 5bcc0f0 into openwallet-foundation:anoncreds-rs Jun 26, 2023
@dbluhm dbluhm deleted the feature/anoncreds-squash branch July 7, 2023 13:42