@pagopa/io-react-native-wallet 1.7.0 → 2.0.0-next.0

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -1,33 +1,29 @@
-import { InputDescriptor, type EvaluatedDisclosure } from "./types";
-import { decode } from "../../sd-jwt";
+import { InputDescriptor, type LegacyRemotePresentation } from "./types";
 import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
+import { decode, prepareVpToken } from "../../sd-jwt";
+import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
-import { MissingDataError, CredentialNotFoundError } from "./errors";
+import { CredentialsNotFoundError, MissingDataError } from "./errors";
 import Ajv from "ajv";
-import { CBOR } from "@pagopa/io-react-native-cbor";
 
 const ajv = new Ajv({ allErrors: true });
+const INDEX_CLAIM_NAME = 1;
 
-type EvaluatedDisclosures = {
-  requiredDisclosures: EvaluatedDisclosure[];
-  optionalDisclosures: EvaluatedDisclosure[];
+export type EvaluatedDisclosures = {
+  requiredDisclosures: DisclosureWithEncoded[];
+  optionalDisclosures: DisclosureWithEncoded[];
+  unrequestedDisclosures: DisclosureWithEncoded[];
 };
 
-type EvaluateInputDescriptorSdJwt4VC = (
+export type EvaluateInputDescriptorSdJwt4VC = (
   inputDescriptor: InputDescriptor,
   payloadCredential: SdJwt4VC["payload"],
   disclosures: DisclosureWithEncoded[]
 ) => EvaluatedDisclosures;
 
-type EvaluateInputDescriptorMdoc = (
-  inputDescriptor: InputDescriptor,
-  issuerSigned: CBOR.IssuerSigned
-) => EvaluatedDisclosures;
-
 export type EvaluateInputDescriptors = (
   descriptors: InputDescriptor[],
-  credentialsSdJwt: [string, string /* keyTag */, string /* credential */][],
-  credentialsMdoc: [string, string /* keyTag */, string /* credential */][]
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][]
 ) => Promise<
   {
     evaluatedDisclosure: EvaluatedDisclosures;
@@ -37,28 +33,19 @@ export type EvaluateInputDescriptors = (
   }[]
 >;
 
-export const disclosureWithEncodedToEvaluatedDisclosure = (
-  disclosure: DisclosureWithEncoded
-): EvaluatedDisclosure => {
-  const [, claimName, claimValue] = disclosure.decoded;
-  return {
-    name: claimName,
-    value: claimValue,
-  };
-};
-
-type DecodedCredentialMdoc = {
-  keyTag: string;
-  credential: string;
-  issuerSigned: CBOR.IssuerSigned;
-};
-
-type DecodedCredentialSdJwt = {
-  keyTag: string;
-  credential: string;
-  sdJwt: SdJwt4VC;
-  disclosures: DisclosureWithEncoded[];
-};
+/**
+ * @deprecated Use `prepareRemotePresentations` from DCQL
+ */
+export type PrepareLegacyRemotePresentations = (
+  credentialAndDescriptors: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    credential: string;
+    keyTag: string;
+  }[],
+  nonce: string,
+  client_id: string
+) => Promise<LegacyRemotePresentation[]>;
 
 /**
  * Transforms an array of DisclosureWithEncoded objects into a key-value map.
@@ -78,31 +65,6 @@ const mapDisclosuresToObject = (
   );
 };
 
-/**
- * Transforms the issuer's namespaces from a CBOR structure into a plain JavaScript object.
- *
- * @param namespaces - The CBOR-based namespaces object where each key corresponds to a namespace,
- *                     and each value is an array of elements containing identifiers and values.
- * @returns A record (plain object) where each key is a namespace, and its value is another object
- *          mapping element identifiers to their corresponding element values.
- */
-const mapNamespacesToObject = (
-  namespaces: CBOR.IssuerSigned["nameSpaces"]
-): Record<string, unknown> => {
-  return Object.entries(namespaces).reduce(
-    (obj, [namespace, elements]) => {
-      obj[namespace] = Object.fromEntries(
-        elements.map((element) => [
-          element.elementIdentifier,
-          element.elementValue,
-        ])
-      );
-      return obj;
-    },
-    {} as Record<string, unknown>
-  );
-};
-
 /**
  * Finds a claim within the payload based on provided JSONPath expressions.
  * @param paths - An array of JSONPath expressions to search for in the payload.
@@ -155,109 +117,12 @@ const extractClaimName = (path: string): string | undefined => {
     return match[1] || match[2];
   }
 
-  throw new Error(
-    `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
-  );
-};
-
-/**
- * Extracts the namespace and claim name from a path in the following format:
- * $['nameSpace']['propertyName']
- *
- * @param path - The path string containing the claim reference.
- * @returns An object with the extracted namespace and claim name.
- * @throws An error if the input format is invalid.
- */
-const extractNamespaceAndClaimName = (
-  path: string
-): { nameSpace?: string; propertyName?: string } => {
-  const regex = /^\$\[(?:'|")([^'"\]]+)(?:'|")\]\[(?:'|")([^'"\]]+)(?:'|")\]$/;
-  const match = path.match(regex);
-  if (match) {
-    return { nameSpace: match[1], propertyName: match[2] };
-  }
+  // If the input doesn't match any of the expected formats, return null
 
   throw new Error(
-    `Invalid input format: "${path}". Expected format is "$['nameSpace']['propertyName']".`
+    `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
   );
 };
-/**
- * Evaluates the input descriptor for an mDoc by verifying that the issuerSigned claims meet
- * the constraints defined in the input descriptor. It categorizes disclosures as either required
- * or optional based on the field definitions.
- *
- * @param inputDescriptor - Contains constraints and field definitions specifying required/optional claims.
- * @param issuerSigned - Contains the issuerSigned with namespaces and their associated claims.
- * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
- * @throws MissingDataError - If a required field is missing or if a claim fails JSON Schema validation.
- */
-export const evaluateInputDescriptorForMdoc: EvaluateInputDescriptorMdoc = (
-  inputDescriptor,
-  issuerSigned
-) => {
-  if (!inputDescriptor?.constraints?.fields) {
-    // No validation, no field are required
-    return {
-      requiredDisclosures: [],
-      optionalDisclosures: [],
-    };
-  }
-
-  const requiredDisclosures: EvaluatedDisclosure[] = [];
-  const optionalDisclosures: EvaluatedDisclosure[] = [];
-
-  // Convert issuer's namespaces into an object for easier lookup of claim values.
-  const namespacesAsPayload = mapNamespacesToObject(issuerSigned.nameSpaces);
-
-  const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
-    const [matchedPath, matchedValue] = findMatchedClaim(
-      field.path,
-      namespacesAsPayload
-    );
-
-    // If no matching claim is found, the field is valid only if it's marked as optional.
-    if (matchedValue === undefined || !matchedPath) {
-      return field?.optional;
-    } else {
-      // Extract the namespace and property name from the matched path.
-      const { nameSpace, propertyName } =
-        extractNamespaceAndClaimName(matchedPath);
-      if (nameSpace && propertyName) {
-        (field?.optional ? optionalDisclosures : requiredDisclosures).push({
-          namespace: nameSpace,
-          name: propertyName,
-          value: matchedValue,
-        });
-      }
-    }
-
-    if (field.filter) {
-      try {
-        const validateSchema = ajv.compile(field.filter);
-        if (!validateSchema(matchedValue)) {
-          throw new MissingDataError(
-            `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
-          );
-        }
-      } catch (error) {
-        return false;
-      }
-    }
-
-    return true;
-  });
-
-  if (!allFieldsValid) {
-    throw new MissingDataError(
-      "Credential validation failed: Required fields are missing or do not match the input descriptor."
-    );
-  }
-
-  return {
-    requiredDisclosures,
-    optionalDisclosures,
-  };
-};
 
 /**
  * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
@@ -267,12 +132,14 @@ export const evaluateInputDescriptorForMdoc: EvaluateInputDescriptorMdoc = (
  * - Validates whether required fields are present (unless marked optional)
  *   and match any specified JSONPath.
  * - If a field includes a JSON Schema filter, validates the claim value against that schema.
+ * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
+ *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
  * - Throws an error if a required field is invalid or missing.
  *
  * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
  * @param payloadCredential - The credential payload to check against.
  * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
- * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
+ * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
  * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
  */
 export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
@@ -282,12 +149,13 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       return {
         requiredDisclosures: [],
         optionalDisclosures: [],
+        unrequestedDisclosures: disclosures,
       };
     }
-    const requiredDisclosures: EvaluatedDisclosure[] = [];
-    const optionalDisclosures: EvaluatedDisclosure[] = [];
+    const requiredClaimNames: string[] = [];
+    const optionalClaimNames: string[] = [];
 
-    // Transform disclosures into an object for easier lookup of claim values.
+    // Transform disclosures to find claim using JSONPath
     const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
 
     // For each field, we need at least one matching path
@@ -315,10 +183,9 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
         // if match a disclouse we save which is required or optional
         const claimName = extractClaimName(matchedPath);
         if (claimName) {
-          (field?.optional ? optionalDisclosures : requiredDisclosures).push({
-            value: matchedValue,
-            name: claimName,
-          });
+          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
+            claimName
+          );
         }
       }
 
@@ -348,12 +215,44 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       );
     }
 
+    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+
+    const requiredDisclosures = disclosures.filter((disclosure) =>
+      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const optionalDisclosures = disclosures.filter((disclosure) =>
+      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+    );
+
+    const isNotLimitDisclosure = !(
+      inputDescriptor.constraints.limit_disclosure === "required"
+    );
+
+    const unrequestedDisclosures = isNotLimitDisclosure
+      ? disclosures.filter(
+          (disclosure) =>
+            !optionalClaimNames.includes(
+              disclosure.decoded[INDEX_CLAIM_NAME]
+            ) &&
+            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
+        )
+      : [];
+
     return {
       requiredDisclosures,
       optionalDisclosures,
+      unrequestedDisclosures,
     };
   };
 
+type DecodedCredentialSdJwt = {
+  keyTag: string;
+  credential: string;
+  sdJwt: SdJwt4VC;
+  disclosures: DisclosureWithEncoded[];
+};
+
 /**
  * Finds the first credential that satisfies the input descriptor constraints.
  * @param inputDescriptor The input descriptor to evaluate.
@@ -392,46 +291,12 @@ export const findCredentialSdJwt = (
     }
   }
 
-  throw new CredentialNotFoundError(
-    "None of the vc+sd-jwt credentials satisfy the requirements."
-  );
-};
-
-/**
- * Finds the first credential that satisfies the input descriptor constraints.
- * @param inputDescriptor The input descriptor to evaluate.
- * @param decodedMdocCredentials An array of decoded MDOC credentials.
- * @returns An object containing the matched evaluation, keyTag, and credential.
- */
-export const findCredentialMDoc = (
-  inputDescriptor: InputDescriptor,
-  decodedMDocCredentials: DecodedCredentialMdoc[]
-): {
-  matchedEvaluation: EvaluatedDisclosures;
-  matchedKeyTag: string;
-  matchedCredential: string;
-} => {
-  for (const { keyTag, credential, issuerSigned } of decodedMDocCredentials) {
-    try {
-      const evaluatedDisclosure = evaluateInputDescriptorForMdoc(
-        inputDescriptor,
-        issuerSigned
-      );
-
-      return {
-        matchedEvaluation: evaluatedDisclosure,
-        matchedKeyTag: keyTag,
-        matchedCredential: credential,
-      };
-    } catch {
-      // skip to next credential
-      continue;
-    }
-  }
-
-  throw new CredentialNotFoundError(
-    "None of the mso_mdoc credentials satisfy the requirements."
-  );
+  throw new CredentialsNotFoundError([
+    {
+      id: "",
+      reason: "None of the vc+sd-jwt credentials satisfy the requirements.",
+    },
+  ]);
 };
 
 /**
@@ -444,62 +309,31 @@ export const findCredentialMDoc = (
  *
  * @param inputDescriptors - An array of input descriptors.
  * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
- * @param credentialsMdoc - An array of tuples containing keyTag and MDOC credential.
  * @returns An array of objects, each containing the evaluated disclosures,
  *          the input descriptor, the credential, and the keyTag.
  * @throws {CredentialNotFoundError} When the credential format is unsupported.
  */
 export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
   inputDescriptors,
-  credentialsSdJwt,
-  credentialsMdoc
+  credentialsSdJwt
 ) => {
   // We need decode SD-JWT credentials for evaluation
   const decodedSdJwtCredentials =
-    credentialsSdJwt?.map(([, keyTag, credential]) => {
+    credentialsSdJwt?.map(([keyTag, credential]) => {
       const { sdJwt, disclosures } = decode(credential);
       return { keyTag, credential, sdJwt, disclosures };
     }) || [];
 
-  // We need decode Mdoc credentials for evaluation
-  const decodedMdocCredentials =
-    (await Promise.all(
-      credentialsMdoc?.map(async ([, keyTag, credential]) => {
-        const issuerSigned = await CBOR.decodeIssuerSigned(credential);
-        if (!issuerSigned) {
-          throw new CredentialNotFoundError(
-            "mso_mdoc credential is not present."
-          );
-        }
-        return { keyTag, credential, issuerSigned };
-      })
-    )) || [];
-
-  const results = Promise.all(
+  return Promise.all(
     inputDescriptors.map(async (descriptor) => {
-      if (descriptor.format?.mso_mdoc) {
-        if (!credentialsMdoc.length) {
-          throw new CredentialNotFoundError(
-            "mso_mdoc credential is not supported."
-          );
-        }
-
-        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
-          findCredentialMDoc(descriptor, decodedMdocCredentials);
-
-        return {
-          evaluatedDisclosure: matchedEvaluation,
-          inputDescriptor: descriptor,
-          credential: matchedCredential,
-          keyTag: matchedKeyTag,
-        };
-      }
-
       if (descriptor.format?.["vc+sd-jwt"]) {
         if (!decodedSdJwtCredentials.length) {
-          throw new CredentialNotFoundError(
-            "vc+sd-jwt credential is not supported."
-          );
+          throw new CredentialsNotFoundError([
+            {
+              id: descriptor.id,
+              reason: "vc+sd-jwt credential is not supported.",
+            },
+          ]);
         }
 
         const { matchedEvaluation, matchedKeyTag, matchedCredential } =
@@ -513,11 +347,59 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
         };
       }
 
-      throw new CredentialNotFoundError(
-        `${descriptor.format} format is not supported.`
-      );
+      throw new CredentialsNotFoundError([
+        {
+          id: descriptor.id,
+          reason: `${descriptor.format} format is not supported.`,
+        },
+      ]);
     })
   );
-
-  return results;
 };
+
+/**
+ * Prepares remote presentations for a set of credentials based on input descriptors.
+ *
+ * For each credential and its corresponding input descriptor, this function:
+ * - Validates the credential format.
+ * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
+ *
+ * @deprecated Use `prepareRemotePresentations` from DCQL
+ *
+ * @param credentialAndDescriptors - An array containing objects with requested claims,
+ *                                   input descriptor, credential, and keyTag.
+ * @param nonce - A unique nonce for the verifiable presentation token.
+ * @param client_id - The client identifier.
+ * @returns A promise that resolves to an array of RemotePresentation objects.
+ * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ */
+export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations =
+  async (credentialAndDescriptors, nonce, client_id) => {
+    return Promise.all(
+      credentialAndDescriptors.map(async (item) => {
+        const descriptor = item.inputDescriptor;
+
+        if (descriptor.format?.["vc+sd-jwt"]) {
+          const { vp_token } = await prepareVpToken(nonce, client_id, [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]);
+
+          return {
+            requestedClaims: item.requestedClaims,
+            inputDescriptor: descriptor,
+            vpToken: vp_token,
+            format: "vc+sd-jwt",
+          };
+        }
+
+        throw new CredentialsNotFoundError([
+          {
+            id: descriptor.id,
+            reason: `${descriptor.format} format is not supported.`,
+          },
+        ]);
+      })
+    );
+  };