Skip to content

Inform user of revoked credentials #765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

Inform user of revoked credentials #765

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
300d3e2
Basic handling of revoked credentials error
May 9, 2025
91bd39b
Update the UI to alert the user of the revoked credential
May 12, 2025
9257d8a
Merge branch 'main' into errors-to-ui
May 12, 2025
e29a6ea
Added tests for is_revoked
May 13, 2025
b7f0e24
Changed logging types
May 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions html-templates/verified_credentials.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,6 @@ <h5 v-if="state.showScanned" class="fw-bolder mb-3">
<div class="text-start">
<b>We couldn't verify your credentials because they may be:</b>
<ul>
<li>revoked</li>
<li>expired</li>
<li>or missing</li>
</ul>
Expand Down Expand Up @@ -452,7 +451,8 @@ <h5 v-if="state.showScanned" class="fw-bolder mb-3">
- verified
- failed
- expired
*/
- revoked
*/
if (
["verified", "failed", "expired"].includes(data.proof_status)
) {
Expand Down Expand Up @@ -486,6 +486,13 @@ <h5 v-if="state.showScanned" class="fw-bolder mb-3">
title: "Success!",
text: "You will be redirected shortly.",
};
case "revoked":
return {
className: "alert-danger",
icon: "circle-x.svg",
title: "Credential is Revoked.",
link: "Use Another Credential.",
};
case "failed":
return {
className: "alert-danger",
Expand Down
1 change: 1 addition & 0 deletions oidc-controller/api/authSessions/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ class AuthSessionState(StrEnum):
EXPIRED = auto()
VERIFIED = auto()
FAILED = auto()
REVOKED = auto()
ABANDONED = auto()


Expand Down
22 changes: 22 additions & 0 deletions oidc-controller/api/core/acapy/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,28 @@ def get_presentation_request(self, presentation_exchange_id: UUID | str):
logger.debug(f"<<< get_presentation_request -> {resp}")
return resp

def is_revoked(self, rev_reg_id=str):
logger.debug(">>> is_revoked")
resp_raw = requests.get(
self.acapy_host + f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
headers=self.agent_config.get_headers(),
)

# TODO: Determine if this should assert it received a json object
assert (
resp_raw.status_code == 200
), f"{resp_raw.status_code}::{resp_raw.content}"

resp = json.loads(resp_raw.content)

try:
revoked = resp["rev_reg_delta"]["value"].get("revoked", None)
except KeyError:
return False

logger.debug(f"<<< is_revoked -> {revoked}")
return True if revoked else False

def get_wallet_did(self, public=False) -> WalletDid:
logger.debug(">>> get_wallet_did")
url = None
Expand Down
147 changes: 147 additions & 0 deletions oidc-controller/api/core/acapy/tests/test_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,3 +201,150 @@ async def test_get_wallet_did_not_public_returns_on_correct_url_and_processes_ar
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
wallet_resp = client.get_wallet_did(public=False)
assert wallet_resp is not None


@pytest.mark.asyncio
async def test_is_revoked_returns_true_when_revoked_list_is_present_and_not_empty(
requests_mock,
):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {
"rev_reg_delta": {"value": {"revoked": [123, 456]}}
} # Example: revoked list is not empty
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is True


@pytest.mark.asyncio
async def test_is_revoked_returns_false_when_revoked_list_is_empty(requests_mock):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {
"rev_reg_delta": {"value": {"revoked": []}}
} # Revoked list is empty
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is False


@pytest.mark.asyncio
async def test_is_revoked_returns_false_when_revoked_key_is_none(requests_mock):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {
"rev_reg_delta": {"value": {"revoked": None}}
} # Revoked key is None
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is False


@pytest.mark.asyncio
async def test_is_revoked_returns_false_when_revoked_key_is_missing(requests_mock):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {"rev_reg_delta": {"value": {}}} # "revoked" key missing
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is False


@pytest.mark.asyncio
async def test_is_revoked_returns_false_when_value_key_is_missing(requests_mock):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {"rev_reg_delta": {}} # "value" key missing
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is False


@pytest.mark.asyncio
async def test_is_revoked_returns_false_when_rev_reg_delta_key_is_missing(
requests_mock,
):
rev_reg_id = "test_rev_reg_id"
mock_response_json = {} # "rev_reg_delta" key missing
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json=mock_response_json,
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
result = client.is_revoked(rev_reg_id)
assert result is False


@pytest.mark.asyncio
async def test_is_revoked_throws_assertion_error_on_non_200_response(requests_mock):
rev_reg_id = "test_rev_reg_id"
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
json={"error": "something went wrong"},
status_code=500,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
with pytest.raises(AssertionError) as excinfo:
client.is_revoked(rev_reg_id)
assert "500::" in str(excinfo.value)


@pytest.mark.asyncio
async def test_is_revoked_throws_json_decode_error_on_invalid_json_response(
requests_mock,
):
rev_reg_id = "test_rev_reg_id"
requests_mock.get(
settings.ACAPY_ADMIN_URL
+ f"/revocation/registry/{rev_reg_id}/issued/indy_recs",
text="not a valid json",
status_code=200,
)

client = AcapyClient()
client.agent_config.get_headers = mock.MagicMock(return_value={"x-api-key": ""})
with pytest.raises(json.JSONDecodeError):
client.is_revoked(rev_reg_id)
23 changes: 19 additions & 4 deletions oidc-controller/api/routers/acapy_handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
from ..db.session import get_db

from ..core.config import settings
from ..core.acapy.client import AcapyClient
from ..routers.socketio import sio, connections_reload

logger: structlog.typing.FilteringBoundLogger = structlog.getLogger(__name__)
Expand All @@ -32,7 +33,7 @@ async def post_topic(request: Request, topic: str, db: Database = Depends(get_db
case "present_proof_v2_0":
webhook_body = await _parse_webhook_body(request)
logger.info(f">>>> pres_exch_id: {webhook_body['pres_ex_id']}")
# logger.info(f">>>> web hook: {webhook_body}")
logger.info(f">>>> web hook: {webhook_body}")
auth_session: AuthSession = await AuthSessionCRUD(db).get_by_pres_exch_id(
webhook_body["pres_ex_id"]
)
Expand All @@ -42,7 +43,6 @@ async def post_topic(request: Request, topic: str, db: Database = Depends(get_db
connections = connections_reload()
sid = connections.get(pid)
logger.debug(f"sid: {sid} found for pid: {pid}")

if webhook_body["state"] == "presentation-received":
logger.info("presentation-received")

Expand All @@ -54,9 +54,24 @@ async def post_topic(request: Request, topic: str, db: Database = Depends(get_db
if sid:
await sio.emit("status", {"status": "verified"}, to=sid)
else:
auth_session.proof_status = AuthSessionState.FAILED
client = AcapyClient()
logger.info(
f"MY RESULT {webhook_body['by_format']['pres']['indy']['identifiers'][0]['rev_reg_id']}"
)
rev = client.is_revoked(
webhook_body["by_format"]["pres"]["indy"]["identifiers"][0][
"rev_reg_id"
]
)
logger.info(f"Credential was revoked {rev}")

auth_session.proof_status = (
AuthSessionState.REVOKED if rev else AuthSessionState.FAILED
)
if sid:
await sio.emit("status", {"status": "failed"}, to=sid)
await sio.emit(
"status", {"status": auth_session.proof_status}, to=sid
)

await AuthSessionCRUD(db).patch(
str(auth_session.id), AuthSessionPatch(**auth_session.model_dump())
Expand Down