Open Jsyro opened 3 years ago
I tried different variations of restrictions and Cred Def id restriction also failed.
Schema id is redundant as it's added automatically anyways.
More testing results will be posted later.
Thanks for reporting. Could you provide the raw data from the presentation exchange dialog? If there's no matching credential in this data it would be helpful if you'd try the matching credentials endpoint of the BPA API directly.
I reconstructed the above and aca-py returns an empty array for the wallet matches in this case
I played around some more and it seems that upper case characters in a schema attribute will cause this none match. The following example works:
"proofRequest": {
"name": "Permit dash underscore",
"version": "1.0",
"nonce": "1034732971840382951225191",
"requestedAttributes": {
"EraYCDJUPsChbkw7S1vV96:2:mines_act-permit:3.0": {
"names": [
"permitee",
"permit-number"
],
"nonRevoked": {
"from": 1630486421,
"to": 1630486421,
"set": true
},
"restrictions": [
{
"schema_id": "EraYCDJUPsChbkw7S1vV96:2:mines_act-permit:3.0",
"attr::permit-number::value": "p-100"
}
]
}
},
"requestedPredicates": {}
}
I guess the easiest solution to this is to sanitize all attribute names when we create the schema. Meaning allowing only a-z,0-9,_-
Looking at https://github.com/hyperledger/indy-sdk/blob/113b79cd64a238130d20e19b972326f72047c550/libindy/src/api/anoncreds.rs#L1529 it should not matter.
It might be a bug in ACA-Py. The normalize method here should probably include making the names lowercase.
I think validation and attribute names should follow the spec, if the spec allows it upper case attributes should not be normalized. This looks like there is some normalization going on during request matching and then the wallet value is not found because permit != Permit
I was never certain whether the normalization was happening in ACA-Py (seems wrong), or because the Indy-SDK required it (also seems wrong). Unfortunately, the developer that knew about this (@sklump) is not with the project anymore and so not available to answer. @ianco or @andrewwhitehead -- any ideas?
I did a small test.
MyAttrib
and issued a credential based on this.GET: /credentials
endpoint using a WQL query
{ "attr::MyAttrib::marker": "1"}
provides an empty result{ "attr::myattrib::marker": "1"}
provides the credentialBased on this I think we should change ACA-Py's normalize function to include making the attributes lowercase.
@domwoe I see some issues with that. 1. The normalize function also gets called when a credential gets loaded, which seems odd. 2. I think that this does not fix the root cause. According to your description the root issue seems to be in the wallet query. 3. Any change needs to happen in a backwards compatible way, and then you need indeed normalize when loading credentials.
I got confused...
We have different behavior depending on usage of indy-sdk or askar/credx:
pub fn attr_common_view(attr: &str) -> String {
attr.replace(" ", "").to_lowercase()
}
Result: attr::{attribute}::marker
and attr::{attribute}::value
restrictions do not work for attributes containing upper case letters or spaces.
Result: attr::{attribute}::marker
and attr::{attribute}::value
restrictions do not work for attributes containing spaces.
Another thing we noticed. The get_credentials function is not implemented in askar/credx. Hence, ACA-Py'sGET: /credentials
endpoint will always return null in this case.
If normalization is necessary, normalize the restrictions/WQL query accoding to the implemented normalization function which differs between indy-sdk and askar.
Thanks for pushing on this. @andrewwhitehead -- FYI on this.
What is the right handling at the storage level, lower(), strip_spaces(), nothing, both, something else?
Presumably, the corresponding handling should be at the lowest level possible in using the attributes. Ideally at the WQL level, but if we don't want to change the indy-sdk, then at the ACA-Py level, at least for when Indy is the backend.
I recommend making the change in aca-py, so we can ensure the behaviour is consistent across the underlying sdk's. (Also it is a challenge to release a new indy-sdk version.)
Yep, sounds like we need to do more processing on the WQL to normalize the attribute names. For the record Indy uses this method to normalize them (not sure why it's not applied to the WQL): https://github.com/hyperledger/indy-sdk/blob/dbd89cf94a73e7a62611c4150a874c38b810ff8d/libindy/src/services/anoncreds/helpers.rs#L20
This proof request
Is saying it cannot be fulfilled, here is the matching credential in my wallet that should satisfy it.
if i manually enable the button and click it. I get
cannot get credentialInfo of undefined, PresentationExList.vue line 283.
This is the JSON of the proof request template that made the presentaitonRequest.
Possibly related is that i cannot inspect the details of the proof template (picture below is of the verifier) same screen as the above json blob.