@pagopa/io-react-native-wallet 1.4.0 → 1.6.0

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -1,23 +1,88 @@
-import { InputDescriptor } from "./types";
+import { InputDescriptor, type RemotePresentation } from "./types";
+import { decode, prepareVpToken } from "../../sd-jwt";
 import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
+import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
-import { MissingDataError } from "./errors";
+import { MissingDataError, CredentialNotFoundError } from "./errors";
 import Ajv from "ajv";
+import { CBOR } from "@pagopa/io-react-native-cbor";
+import { prepareVpTokenMdoc } from "../../mdoc";
+import { generateRandomAlphaNumericString } from "../../utils/misc";
+
 const ajv = new Ajv({ allErrors: true });
-const INDEX_CLAIM_NAME = 1;
 
-export type EvaluatedDisclosures = {
-  requiredDisclosures: DisclosureWithEncoded[];
-  optionalDisclosures: DisclosureWithEncoded[];
-  unrequestedDisclosures: DisclosureWithEncoded[];
+type EvaluatedDisclosures = {
+  requiredDisclosures: EvaluatedDisclosure[];
+  optionalDisclosures: EvaluatedDisclosure[];
+};
+
+export type EvaluatedDisclosure = {
+  namespace?: string;
+  name: string;
+  value: unknown;
 };
 
-export type EvaluateInputDescriptorSdJwt4VC = (
+type EvaluateInputDescriptorSdJwt4VC = (
   inputDescriptor: InputDescriptor,
   payloadCredential: SdJwt4VC["payload"],
   disclosures: DisclosureWithEncoded[]
 ) => EvaluatedDisclosures;
 
+type EvaluateInputDescriptorMdoc = (
+  inputDescriptor: InputDescriptor,
+  issuerSigned: CBOR.IssuerSigned
+) => EvaluatedDisclosures;
+
+export type EvaluateInputDescriptors = (
+  descriptors: InputDescriptor[],
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
+  credentialsMdoc: [string /* keyTag */, string /* credential */][]
+) => Promise<
+  {
+    evaluatedDisclosure: EvaluatedDisclosures;
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[]
+>;
+
+export type PrepareRemotePresentations = (
+  credentialAndDescriptors: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[],
+  authRequestObject: {
+    nonce: string;
+    clientId: string;
+    responseUri: string;
+  }
+) => Promise<RemotePresentation>;
+
+export const disclosureWithEncodedToEvaluatedDisclosure = (
+  disclosure: DisclosureWithEncoded
+): EvaluatedDisclosure => {
+  const [, claimName, claimValue] = disclosure.decoded;
+  return {
+    name: claimName,
+    value: claimValue,
+  };
+};
+
+type DecodedCredentialMdoc = {
+  keyTag: string;
+  credential: string;
+  issuerSigned: CBOR.IssuerSigned;
+};
+
+type DecodedCredentialSdJwt = {
+  keyTag: string;
+  credential: string;
+  sdJwt: SdJwt4VC;
+  disclosures: DisclosureWithEncoded[];
+};
+
 /**
  * Transforms an array of DisclosureWithEncoded objects into a key-value map.
  * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
@@ -26,11 +91,39 @@ export type EvaluateInputDescriptorSdJwt4VC = (
 const mapDisclosuresToObject = (
   disclosures: DisclosureWithEncoded[]
 ): Record<string, unknown> => {
-  return disclosures.reduce((obj, { decoded }) => {
-    const [, claimName, claimValue] = decoded;
-    obj[claimName] = claimValue;
-    return obj;
-  }, {} as Record<string, unknown>);
+  return disclosures.reduce(
+    (obj, { decoded }) => {
+      const [, claimName, claimValue] = decoded;
+      obj[claimName] = claimValue;
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
+};
+
+/**
+ * Transforms the issuer's namespaces from a CBOR structure into a plain JavaScript object.
+ *
+ * @param namespaces - The CBOR-based namespaces object where each key corresponds to a namespace,
+ *                     and each value is an array of elements containing identifiers and values.
+ * @returns A record (plain object) where each key is a namespace, and its value is another object
+ *          mapping element identifiers to their corresponding element values.
+ */
+const mapNamespacesToObject = (
+  namespaces: CBOR.IssuerSigned["nameSpaces"]
+): Record<string, unknown> => {
+  return Object.entries(namespaces).reduce(
+    (obj, [namespace, elements]) => {
+      obj[namespace] = Object.fromEntries(
+        elements.map((element) => [
+          element.elementIdentifier,
+          element.elementValue,
+        ])
+      );
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
 };
 
 /**
@@ -85,13 +178,110 @@ const extractClaimName = (path: string): string | undefined => {
     return match[1] || match[2];
   }
 
-  // If the input doesn't match any of the expected formats, return null
-
   throw new Error(
     `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
   );
 };
 
+/**
+ * Extracts the namespace and claim name from a path in the following format:
+ * $['nameSpace']['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns An object with the extracted namespace and claim name.
+ * @throws An error if the input format is invalid.
+ */
+const extractNamespaceAndClaimName = (
+  path: string
+): { nameSpace?: string; propertyName?: string } => {
+  const regex = /^\$\[(?:'|")([^'"\]]+)(?:'|")\]\[(?:'|")([^'"\]]+)(?:'|")\]$/;
+  const match = path.match(regex);
+  if (match) {
+    return { nameSpace: match[1], propertyName: match[2] };
+  }
+
+  throw new Error(
+    `Invalid input format: "${path}". Expected format is "$['nameSpace']['propertyName']".`
+  );
+};
+/**
+ * Evaluates the input descriptor for an mDoc by verifying that the issuerSigned claims meet
+ * the constraints defined in the input descriptor. It categorizes disclosures as either required
+ * or optional based on the field definitions.
+ *
+ * @param inputDescriptor - Contains constraints and field definitions specifying required/optional claims.
+ * @param issuerSigned - Contains the issuerSigned with namespaces and their associated claims.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
+ * @throws MissingDataError - If a required field is missing or if a claim fails JSON Schema validation.
+ */
+export const evaluateInputDescriptorForMdoc: EvaluateInputDescriptorMdoc = (
+  inputDescriptor,
+  issuerSigned
+) => {
+  if (!inputDescriptor?.constraints?.fields) {
+    // No validation, no field are required
+    return {
+      requiredDisclosures: [],
+      optionalDisclosures: [],
+    };
+  }
+
+  const requiredDisclosures: EvaluatedDisclosure[] = [];
+  const optionalDisclosures: EvaluatedDisclosure[] = [];
+
+  // Convert issuer's namespaces into an object for easier lookup of claim values.
+  const namespacesAsPayload = mapNamespacesToObject(issuerSigned.nameSpaces);
+
+  const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
+    const [matchedPath, matchedValue] = findMatchedClaim(
+      field.path,
+      namespacesAsPayload
+    );
+
+    // If no matching claim is found, the field is valid only if it's marked as optional.
+    if (matchedValue === undefined || !matchedPath) {
+      return field?.optional;
+    } else {
+      // Extract the namespace and property name from the matched path.
+      const { nameSpace, propertyName } =
+        extractNamespaceAndClaimName(matchedPath);
+      if (nameSpace && propertyName) {
+        (field?.optional ? optionalDisclosures : requiredDisclosures).push({
+          namespace: nameSpace,
+          name: propertyName,
+          value: matchedValue,
+        });
+      }
+    }
+
+    if (field.filter) {
+      try {
+        const validateSchema = ajv.compile(field.filter);
+        if (!validateSchema(matchedValue)) {
+          throw new MissingDataError(
+            `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
+          );
+        }
+      } catch (error) {
+        return false;
+      }
+    }
+
+    return true;
+  });
+
+  if (!allFieldsValid) {
+    throw new MissingDataError(
+      "Credential validation failed: Required fields are missing or do not match the input descriptor."
+    );
+  }
+
+  return {
+    requiredDisclosures,
+    optionalDisclosures,
+  };
+};
+
 /**
  * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
  *
@@ -100,14 +290,12 @@ const extractClaimName = (path: string): string | undefined => {
  * - Validates whether required fields are present (unless marked optional)
  *   and match any specified JSONPath.
  * - If a field includes a JSON Schema filter, validates the claim value against that schema.
- * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
- *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
  * - Throws an error if a required field is invalid or missing.
  *
  * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
  * @param payloadCredential - The credential payload to check against.
  * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
- * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
  * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
  */
 export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
@@ -117,13 +305,12 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       return {
         requiredDisclosures: [],
         optionalDisclosures: [],
-        unrequestedDisclosures: disclosures,
       };
     }
-    const requiredClaimNames: string[] = [];
-    const optionalClaimNames: string[] = [];
+    const requiredDisclosures: EvaluatedDisclosure[] = [];
+    const optionalDisclosures: EvaluatedDisclosure[] = [];
 
-    // Transform disclosures to find claim using JSONPath
+    // Transform disclosures into an object for easier lookup of claim values.
     const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
 
     // For each field, we need at least one matching path
@@ -151,9 +338,10 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
         // if match a disclouse we save which is required or optional
         const claimName = extractClaimName(matchedPath);
         if (claimName) {
-          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
-            claimName
-          );
+          (field?.optional ? optionalDisclosures : requiredDisclosures).push({
+            value: matchedValue,
+            name: claimName,
+          });
         }
       }
 
@@ -183,33 +371,255 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       );
     }
 
-    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+    return {
+      requiredDisclosures,
+      optionalDisclosures,
+    };
+  };
 
-    const requiredDisclosures = disclosures.filter((disclosure) =>
-      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialSdJwt = (
+  inputDescriptor: InputDescriptor,
+  decodedSdJwtCredentials: DecodedCredentialSdJwt[]
+): {
+  matchedEvaluation: EvaluatedDisclosures;
+  matchedKeyTag: string;
+  matchedCredential: string;
+} => {
+  for (const {
+    keyTag,
+    credential,
+    sdJwt,
+    disclosures,
+  } of decodedSdJwtCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(
+        inputDescriptor,
+        sdJwt.payload,
+        disclosures
+      );
 
-    const optionalDisclosures = disclosures.filter((disclosure) =>
-      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential,
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
 
-    const isNotLimitDisclosure = !(
-      inputDescriptor.constraints.limit_disclosure === "required"
-    );
+  throw new CredentialNotFoundError(
+    "None of the vc+sd-jwt credentials satisfy the requirements."
+  );
+};
 
-    const unrequestedDisclosures = isNotLimitDisclosure
-      ? disclosures.filter(
-          (disclosure) =>
-            !optionalClaimNames.includes(
-              disclosure.decoded[INDEX_CLAIM_NAME]
-            ) &&
-            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-        )
-      : [];
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedMdocCredentials An array of decoded MDOC credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialMDoc = (
+  inputDescriptor: InputDescriptor,
+  decodedMDocCredentials: DecodedCredentialMdoc[]
+): {
+  matchedEvaluation: EvaluatedDisclosures;
+  matchedKeyTag: string;
+  matchedCredential: string;
+} => {
+  for (const { keyTag, credential, issuerSigned } of decodedMDocCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForMdoc(
+        inputDescriptor,
+        issuerSigned
+      );
 
-    return {
-      requiredDisclosures,
-      optionalDisclosures,
-      unrequestedDisclosures,
-    };
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential,
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+
+  throw new CredentialNotFoundError(
+    "None of the mso_mdoc credentials satisfy the requirements."
+  );
+};
+
+/**
+ * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
+ *
+ * For each input descriptor, this function:
+ * - Checks the credential format.
+ * - Decodes the credential.
+ * - Evaluates the descriptor using the associated disclosures.
+ *
+ * @param inputDescriptors - An array of input descriptors.
+ * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
+ * @param credentialsMdoc - An array of tuples containing keyTag and MDOC credential.
+ * @returns An array of objects, each containing the evaluated disclosures,
+ *          the input descriptor, the credential, and the keyTag.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
+  inputDescriptors,
+  credentialsSdJwt,
+  credentialsMdoc
+) => {
+  // We need decode SD-JWT credentials for evaluation
+  const decodedSdJwtCredentials =
+    credentialsSdJwt?.map(([keyTag, credential]) => {
+      const { sdJwt, disclosures } = decode(credential);
+      return { keyTag, credential, sdJwt, disclosures };
+    }) || [];
+
+  // We need decode Mdoc credentials for evaluation
+  const decodedMdocCredentials =
+    (await Promise.all(
+      credentialsMdoc?.map(async ([keyTag, credential]) => {
+        const issuerSigned = await CBOR.decodeIssuerSigned(credential);
+        if (!issuerSigned) {
+          throw new CredentialNotFoundError(
+            "mso_mdoc credential is not present."
+          );
+        }
+        return { keyTag, credential, issuerSigned };
+      })
+    )) || [];
+
+  const results = Promise.all(
+    inputDescriptors.map(async (descriptor) => {
+      if (descriptor.format?.mso_mdoc) {
+        if (!credentialsMdoc.length) {
+          throw new CredentialNotFoundError(
+            "mso_mdoc credential is not supported."
+          );
+        }
+
+        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+          findCredentialMDoc(descriptor, decodedMdocCredentials);
+
+        return {
+          evaluatedDisclosure: matchedEvaluation,
+          inputDescriptor: descriptor,
+          credential: matchedCredential,
+          keyTag: matchedKeyTag,
+        };
+      }
+
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        if (!decodedSdJwtCredentials.length) {
+          throw new CredentialNotFoundError(
+            "vc+sd-jwt credential is not supported."
+          );
+        }
+
+        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+          findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
+
+        return {
+          evaluatedDisclosure: matchedEvaluation,
+          inputDescriptor: descriptor,
+          credential: matchedCredential,
+          keyTag: matchedKeyTag,
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+
+  return results;
+};
+
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentialAndDescriptors,
+  authRequestObject
+) => {
+  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
+  const generatedNonce = generateRandomAlphaNumericString(16);
+
+  const presentations = await Promise.all(
+    credentialAndDescriptors.map(async (item) => {
+      const descriptor = item.inputDescriptor;
+
+      if (descriptor.format?.mso_mdoc) {
+        const { vp_token } = await prepareVpTokenMdoc(
+          authRequestObject.nonce,
+          generatedNonce,
+          authRequestObject.clientId,
+          authRequestObject.responseUri,
+          descriptor.id,
+          item.keyTag,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
+
+        return {
+          requestedClaims: item.requestedClaims,
+          inputDescriptor: descriptor,
+          vpToken: vp_token,
+          format: "mso_mdoc",
+        };
+      }
+
+      if (descriptor.format?.["vc+sd-jwt"]) {
+        const { vp_token } = await prepareVpToken(
+          authRequestObject.nonce,
+          authRequestObject.clientId,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
+
+        return {
+          requestedClaims: item.requestedClaims,
+          inputDescriptor: descriptor,
+          vpToken: vp_token,
+          format: "vc+sd-jwt",
+        };
+      }
+
+      throw new CredentialNotFoundError(
+        `${descriptor.format} format is not supported.`
+      );
+    })
+  );
+
+  return {
+    presentations,
+    generatedNonce,
   };
+};