feat: Validate issuer claims against JSON schema (#1381)

Added a JSON schema field to the credentialTemplate profile element. If the "jsonSchema" field is not empty then the issuer claims are validated against the schema. Signed-off-by: Bob Stasyszyn <[email protected]>
trustbloc · Aug 18, 2023 · f3207e9 · f3207e9
1 parent 6421291
commit f3207e9
Show file tree

Hide file tree

Showing 10 changed files with 366 additions and 14 deletions.
diff --git a/pkg/profile/api.go b/pkg/profile/api.go
@@ -62,6 +62,7 @@ type CredentialTemplate struct {
 	CredentialDefaultExpirationDuration *time.Duration               `json:"credentialDefaultExpirationDuration"`
 	Checks                              CredentialTemplateChecks     `json:"checks"`
 	SdJWT                               *SelectiveDisclosureTemplate `json:"sdJWT"`
+	JSONSchema                          string                       `json:"jsonSchema,omitempty"`
 }
 
 type SelectiveDisclosureTemplate struct {

diff --git a/pkg/restapi/v1/issuer/controller.go b/pkg/restapi/v1/issuer/controller.go
@@ -23,6 +23,7 @@ import (
 	"github.com/labstack/echo/v4"
 	"github.com/piprate/json-gold/ld"
 	"github.com/samber/lo"
+	"github.com/xeipuuv/gojsonschema"
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/hyperledger/aries-framework-go/component/models/ld/validator"
@@ -651,7 +652,7 @@ func (c *Controller) PrepareCredential(e echo.Context) error {
 			errors.New("credentials should not be nil"))
 	}
 
-	if err = c.validateClaims(result.Credential, result.EnforceStrictValidation); err != nil {
+	if err = c.validateClaims(result.Credential, result.CredentialTemplate, result.EnforceStrictValidation); err != nil {
 		return err
 	}
 
@@ -672,6 +673,7 @@ func (c *Controller) PrepareCredential(e echo.Context) error {
 
 func (c *Controller) validateClaims( //nolint:gocognit
 	cred *verifiable.Credential,
+	credentialTemplate *profileapi.CredentialTemplate,
 	strictValidation bool,
 ) error {
 	if !strictValidation {
@@ -690,7 +692,13 @@ func (c *Controller) validateClaims( //nolint:gocognit
 		types = append(types, t)
 	}
 
-	if sub, ok := cred.Subject.(verifiable.Subject); ok { //nolint:nestif
+	validate := func(sub verifiable.Subject) error {
+		if credentialTemplate != nil && credentialTemplate.JSONSchema != "" {
+			if err := validateJSONSchema(sub.CustomFields, credentialTemplate.JSONSchema); err != nil {
+				return fmt.Errorf("validate claims: %w", err)
+			}
+		}
+
 		for k, v := range sub.CustomFields {
 			if k == "type" || k == "@type" {
 				if v1, ok1 := v.(string); ok1 {
@@ -711,6 +719,19 @@ func (c *Controller) validateClaims( //nolint:gocognit
 
 			data[k] = v
 		}
+
+		return nil
+	}
+
+	subjects, err := getCredentialSubjects(cred.Subject)
+	if err != nil {
+		return err
+	}
+
+	for _, sub := range subjects {
+		if err := validate(sub); err != nil {
+			return err
+		}
 	}
 
 	data["@context"] = ctx
@@ -722,6 +743,53 @@ func (c *Controller) validateClaims( //nolint:gocognit
 	)
 }
 
+func getCredentialSubjects(subject interface{}) ([]verifiable.Subject, error) {
+	if subject == nil {
+		return nil, nil
+	}
+
+	if sub, ok := subject.(verifiable.Subject); ok {
+		return []verifiable.Subject{sub}, nil
+	}
+
+	if subs, ok := subject.([]verifiable.Subject); ok {
+		return subs, nil
+	}
+
+	return nil, fmt.Errorf("invalid type for credential subject: %T", subject)
+}
+
+type JSONSchemaValidationErrors []gojsonschema.ResultError
+
+func (e JSONSchemaValidationErrors) Error() string {
+	var errMsg string
+
+	for i, msg := range e {
+		errMsg += msg.String()
+		if i+1 < len(e) {
+			errMsg += "; "
+		}
+	}
+
+	return fmt.Sprintf("[%s]", errMsg)
+}
+
+func validateJSONSchema(data interface{}, schema string) error {
+	result, err := gojsonschema.Validate(
+		gojsonschema.NewStringLoader(schema),
+		gojsonschema.NewGoLoader(data),
+	)
+	if err != nil {
+		return fmt.Errorf("schema error: %w", err)
+	}
+
+	if !result.Valid() {
+		return fmt.Errorf("validation error: %w", JSONSchemaValidationErrors(result.Errors()))
+	}
+
+	return nil
+}
+
 // OpenidConfig request openid configuration for issuer.
 // GET /issuer/{profileID}/{profileVersion}/.well-known/openid-configuration.
 func (c *Controller) OpenidConfig(ctx echo.Context, profileID, profileVersion string) error {

diff --git a/pkg/restapi/v1/issuer/controller_test.go b/pkg/restapi/v1/issuer/controller_test.go
@@ -53,6 +53,10 @@ var (
 	sampleVCJWT string
 	//go:embed testdata/sample_vc_university_degree.jsonld
 	sampleVCUniversityDegree []byte
+	//go:embed testdata/sample_vc_invalid_university_degree.jsonld
+	sampleVCInvalidUniversityDegree []byte
+	//go:embed testdata/universitydegree.schema.json
+	universityDegreeSchema string
 )
 
 // nolint:gochecknoglobals
@@ -1293,11 +1297,18 @@ func TestController_PrepareCredential(t *testing.T) {
 				assert.Equal(t, oidc4ci.TxID("123"), req.TxID)
 
 				return &oidc4ci.PrepareCredentialResult{
-					ProfileID:      profileID,
-					ProfileVersion: profileVersion,
-					Credential:     sampleVC,
-					Format:         vcsverifiable.Ldp,
-					Retry:          false,
+					ProfileID:               profileID,
+					ProfileVersion:          profileVersion,
+					Credential:              sampleVC,
+					Format:                  vcsverifiable.Ldp,
+					Retry:                   false,
+					EnforceStrictValidation: true,
+					CredentialTemplate: &profileapi.CredentialTemplate{
+						JSONSchema: universityDegreeSchema,
+						Checks: profileapi.CredentialTemplateChecks{
+							Strict: true,
+						},
+					},
 				}, nil
 			},
 		)
@@ -1433,6 +1444,62 @@ func TestController_PrepareCredential(t *testing.T) {
 		ctx := echoContext(withRequestBody([]byte(req)))
 		assert.ErrorContains(t, c.PrepareCredential(ctx), "rand-code[]: rand")
 	})
+
+	t.Run("claims schema validation error", func(t *testing.T) {
+		invalidVC, err := verifiable.ParseCredential(
+			sampleVCInvalidUniversityDegree,
+			verifiable.WithDisabledProofCheck(),
+			verifiable.WithJSONLDDocumentLoader(testutil.DocumentLoader(t)),
+		)
+		require.NoError(t, err)
+
+		mockProfileSvc := NewMockProfileService(gomock.NewController(t))
+		mockProfileSvc.EXPECT().GetProfile(profileID, profileVersion).Times(1).Return(
+			&profileapi.Issuer{
+				OrganizationID: orgID,
+				ID:             profileID,
+				VCConfig: &profileapi.VCConfig{
+					Format: vcsverifiable.Ldp,
+				},
+			}, nil)
+
+		mockIssueCredentialSvc := NewMockIssueCredentialService(gomock.NewController(t))
+		mockOIDC4CIService := NewMockOIDC4CIService(gomock.NewController(t))
+		mockOIDC4CIService.EXPECT().PrepareCredential(gomock.Any(), gomock.Any()).DoAndReturn(
+			func(
+				ctx context.Context,
+				req *oidc4ci.PrepareCredential,
+			) (*oidc4ci.PrepareCredentialResult, error) {
+				assert.Equal(t, oidc4ci.TxID("123"), req.TxID)
+
+				return &oidc4ci.PrepareCredentialResult{
+					ProfileID:               profileID,
+					ProfileVersion:          profileVersion,
+					Credential:              invalidVC,
+					Format:                  vcsverifiable.Ldp,
+					Retry:                   false,
+					EnforceStrictValidation: true,
+					CredentialTemplate: &profileapi.CredentialTemplate{
+						JSONSchema: universityDegreeSchema,
+						Checks: profileapi.CredentialTemplateChecks{
+							Strict: true,
+						},
+					},
+				}, nil
+			},
+		)
+
+		c := NewController(&Config{
+			ProfileSvc:             mockProfileSvc,
+			IssueCredentialService: mockIssueCredentialSvc,
+			OIDC4CIService:         mockOIDC4CIService,
+			DocumentLoader:         testutil.DocumentLoader(t),
+		})
+
+		req := `{"tx_id":"123","type":"UniversityDegreeCredential","format":"ldp_vc"}`
+		ctx := echoContext(withRequestBody([]byte(req)))
+		assert.EqualError(t, c.PrepareCredential(ctx), "validate claims: validation error: [alumniOf: name is required]")
+	})
 }
 
 func TestOpenIDConfigurationController(t *testing.T) {
@@ -1700,6 +1767,102 @@ func TestOpenIdConfiguration_GrantTypesSupportedAndScopesSupported(t *testing.T)
 	assert.Equal(t, config.ScopesSupported, s)
 }
 
+func Test_validateJSONSchema(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		data := map[string]interface{}{
+			"alumniOf": map[string]interface{}{
+				"id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
+				"name": []map[string]interface{}{
+					{
+						"value": "Example University",
+						"lang":  "en",
+					},
+					{
+						"value": "Exemple d'Université",
+						"lang":  "fr",
+					},
+				},
+			},
+			"degree": map[string]interface{}{
+				"type": "BachelorDegree",
+				"name": "Bachelor of Science and Arts",
+			},
+		}
+
+		err := validateJSONSchema(data, universityDegreeSchema)
+		require.NoError(t, err)
+	})
+
+	t.Run("validation error", func(t *testing.T) {
+		data := map[string]interface{}{
+			"alumniOf": map[string]interface{}{
+				"id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
+				"name": []map[string]interface{}{
+					{
+						"value": "Example University",
+						"lang":  0,
+					},
+					{
+						"value": "Exemple d'Université",
+					},
+				},
+			},
+		}
+
+		err := validateJSONSchema(data, universityDegreeSchema)
+		require.EqualError(t, err,
+			"validation error: [(root): degree is required; alumniOf.name.0.lang: Invalid type. "+
+				"Expected: string, given: integer; alumniOf.name.1: lang is required]")
+	})
+
+	t.Run("schema error", func(t *testing.T) {
+		data := map[string]interface{}{
+			"alumniOf": map[string]interface{}{
+				"id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
+				"name": []map[string]interface{}{
+					{
+						"value": "Example University",
+						"lang":  0,
+					},
+					{
+						"value": "Exemple d'Université",
+					},
+				},
+			},
+		}
+
+		err := validateJSONSchema(data, `{"type":"invalid"}`)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "schema error")
+	})
+}
+
+func Test_getCredentialSubjects(t *testing.T) {
+	t.Run("subject", func(t *testing.T) {
+		subjects, err := getCredentialSubjects(verifiable.Subject{ID: "id1"})
+		require.NoError(t, err)
+		require.Len(t, subjects, 1)
+	})
+
+	t.Run("slice of subjects", func(t *testing.T) {
+		subjects, err := getCredentialSubjects([]verifiable.Subject{{ID: "id1"}, {ID: "id2"}})
+		require.NoError(t, err)
+		require.Len(t, subjects, 2)
+	})
+
+	t.Run("invalid subject", func(t *testing.T) {
+		subjects, err := getCredentialSubjects("id2")
+		require.EqualError(t, err, "invalid type for credential subject: string")
+		require.Len(t, subjects, 0)
+	})
+
+	t.Run("nil subject", func(t *testing.T) {
+		subjects, err := getCredentialSubjects(nil)
+		require.NoError(t, err)
+		require.Len(t, subjects, 0)
+	})
+}
+
 type options struct {
 	tenantID    string
 	requestBody []byte

diff --git a/pkg/restapi/v1/issuer/testdata/sample_vc_invalid_university_degree.jsonld b/pkg/restapi/v1/issuer/testdata/sample_vc_invalid_university_degree.jsonld
@@ -0,0 +1,29 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://www.w3.org/2018/credentials/examples/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "credentialSchema": [],
+  "credentialSubject": {
+      "alumniOf": {
+        "id": "did:example:c276e12ec21ebfeb1f712ebc6f1"
+      },
+      "degree": {
+        "type": "BachelorDegree",
+        "name": "Bachelor of Science and Arts"
+      }
+  },
+  "expirationDate": "2038-01-19T03:14:00Z",
+  "id": "http://example.edu/credentials/1872",
+  "issuanceDate": "2010-01-01T19:23:24Z",
+  "issuer": {
+    "id": "did:example:76e12ec712ebc6f1c221ebfeb1f",
+    "name": "Example University"
+  },
+  "referenceNumber": 83294847,
+  "type": [
+    "VerifiableCredential",
+    "UniversityDegreeCredential"
+  ]
+}
diff --git a/pkg/restapi/v1/issuer/testdata/sample_vc_university_degree.jsonld b/pkg/restapi/v1/issuer/testdata/sample_vc_university_degree.jsonld
@@ -6,13 +6,23 @@
   ],
   "credentialSchema": [],
   "credentialSubject": {
-    "degree": {
-      "type": "BachelorDegree",
-      "university": "MIT"
-    },
-    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
-    "name": "Jayden Doe",
-    "spouse": "did:example:c276e12ec21ebfeb1f712ebc6f1"
+      "alumniOf": {
+        "id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
+        "name": [
+            {
+              "value": "Example University",
+              "lang": "en"
+            },
+            {
+              "value": "Exemple d'Université",
+              "lang": "fr"
+            }
+        ]
+      },
+      "degree": {
+        "type": "BachelorDegree",
+        "name": "Bachelor of Science and Arts"
+      }
   },
   "expirationDate": "2038-01-19T03:14:00Z",
   "id": "http://example.edu/credentials/1872",