@pagopa/io-react-native-wallet 2.5.0 → 3.0.0

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -1,198 +0,0 @@
-import { DcqlQuery, DcqlError, DcqlQueryResult } from "dcql";
-import { isValiError } from "valibot";
-import type { CryptoContext } from "@pagopa/io-react-native-jwt";
-import { decode, prepareVpToken } from "../../sd-jwt";
-import { LEGACY_SD_JWT, type Disclosure } from "../../sd-jwt/types";
-import type { RemotePresentation } from "./types";
-import { CredentialsNotFoundError, type NotFoundDetail } from "./errors";
-
-/**
- * The purpose for the credential request by the RP.
- */
-type CredentialPurpose = {
-  required: boolean;
-  description?: string;
-};
-
-export type EvaluateDcqlQuery = (
-  credentialsSdJwt: [CryptoContext, string /* credential */][],
-  query: DcqlQuery.Input
-) => {
-  id: string;
-  vct: string;
-  credential: string;
-  cryptoContext: CryptoContext;
-  requiredDisclosures: Disclosure[];
-  purposes: CredentialPurpose[];
-}[];
-
-export type PrepareRemotePresentations = (
-  credentials: {
-    id: string;
-    credential: string;
-    cryptoContext: CryptoContext;
-    requestedClaims: string[];
-  }[],
-  nonce: string,
-  clientId: string
-) => Promise<RemotePresentation[]>;
-
-type DcqlMatchSuccess = Extract<
-  DcqlQueryResult.CredentialMatch,
-  { success: true }
->;
-
-type DcqlMatchFailure = Extract<
-  DcqlQueryResult.CredentialMatch,
-  { success: false }
->;
-
-/**
- * Convert a credential in JWT format to an object with claims
- * for correct parsing by the `dcql` library.
- */
-const mapCredentialToObject = (jwt: string) => {
-  const { sdJwt, disclosures } = decode(jwt);
-  const credentialFormat = sdJwt.header.typ;
-
-  return {
-    vct: sdJwt.payload.vct,
-    credential_format: credentialFormat,
-    claims: disclosures.reduce(
-      (acc, disclosure) => ({
-        ...acc,
-        [disclosure.decoded[1]]: disclosure.decoded,
-      }),
-      {} as Record<string, Disclosure>
-    ),
-  };
-};
-
-/**
- * Extract only successful matches from the DCQL query result.
- */
-const getDcqlQueryMatches = (result: DcqlQueryResult) =>
-  Object.entries(result.credential_matches).filter(
-    ([, match]) => match.success === true
-  ) as [string, DcqlMatchSuccess][];
-
-/**
- * Extract only failed matches from the DCQL query result.
- */
-const getDcqlQueryFailedMatches = (result: DcqlQueryResult) =>
-  Object.entries(result.credential_matches).filter(
-    ([, match]) => match.success === false
-  ) as [string, DcqlMatchFailure][];
-
-/**
- * Extract missing credentials from the DCQL query result.
- * Note: here we are assuming a failed match is a missing credential,
- * but there might be other reasons for its failure.
- */
-const extractMissingCredentials = (
-  queryResult: DcqlQueryResult,
-  originalQuery: DcqlQuery
-): NotFoundDetail[] => {
-  return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
-    const credential = originalQuery.credentials.find((c) => c.id === id);
-    if (
-      credential?.format !== "dc+sd-jwt" &&
-      credential?.format !== LEGACY_SD_JWT
-    ) {
-      throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
-    }
-    return { id, vctValues: credential.meta?.vct_values };
-  });
-};
-
-export const evaluateDcqlQuery: EvaluateDcqlQuery = (
-  credentialsSdJwt,
-  query
-) => {
-  const credentials = credentialsSdJwt.map(([, credential]) =>
-    mapCredentialToObject(credential)
-  );
-  try {
-    // Validate the query
-    const parsedQuery = DcqlQuery.parse(query);
-    DcqlQuery.validate(parsedQuery);
-
-    const queryResult = DcqlQuery.query(parsedQuery, credentials);
-
-    if (!queryResult.canBeSatisfied) {
-      throw new CredentialsNotFoundError(
-        extractMissingCredentials(queryResult, parsedQuery)
-      );
-    }
-
-    // Build an object vct:credentialJwt to map matched credentials to their JWT
-    const credentialsSdJwtByVct = credentials.reduce(
-      (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),
-      {} as Record<string, [CryptoContext, string /* credential */]>
-    );
-
-    return getDcqlQueryMatches(queryResult).map(([id, match]) => {
-      if (
-        match.output.credential_format !== "dc+sd-jwt" &&
-        match.output.credential_format !== LEGACY_SD_JWT
-      ) {
-        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
-      }
-      const { vct, claims } = match.output;
-
-      const purposes = queryResult.credential_sets
-        ?.filter((set) => set.matching_options?.flat().includes(id))
-        ?.map<CredentialPurpose>((credentialSet) => ({
-          description: credentialSet.purpose?.toString(),
-          required: Boolean(credentialSet.required),
-        }));
-
-      const [cryptoContext, credential] = credentialsSdJwtByVct[vct]!;
-      const requiredDisclosures = Object.values(claims) as Disclosure[];
-      return {
-        id,
-        vct,
-        cryptoContext,
-        credential,
-        requiredDisclosures,
-        // When it is a match but no credential_sets are found, the credential is required by default
-        // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
-        purposes: purposes ?? [{ required: true }],
-      };
-    });
-  } catch (error) {
-    // Invalid DCQL query structure. Remap to `DcqlError` for consistency.
-    if (isValiError(error)) {
-      throw new DcqlError({
-        message: "Failed to parse the provided DCQL query",
-        code: "PARSE_ERROR",
-        cause: error.issues,
-      });
-    }
-
-    // Let other errors propagate so they can be caught with `err instanceof DcqlError`
-    throw error;
-  }
-};
-
-export const prepareRemotePresentations: PrepareRemotePresentations = async (
-  credentials,
-  nonce,
-  clientId
-) => {
-  return Promise.all(
-    credentials.map(async (item) => {
-      const { vp_token } = await prepareVpToken(nonce, clientId, [
-        item.credential,
-        item.requestedClaims,
-        item.cryptoContext,
-      ]);
-
-      return {
-        credentialId: item.id,
-        requestedClaims: item.requestedClaims,
-        vpToken: vp_token,
-      };
-    })
-  );
-};

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -1,408 +0,0 @@
-import { InputDescriptor, type LegacyRemotePresentation } from "./types";
-import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
-import { decode, prepareVpToken } from "../../sd-jwt";
-import { JSONPath } from "jsonpath-plus";
-import { CredentialsNotFoundError, MissingDataError } from "./errors";
-import Ajv from "ajv";
-import type { CryptoContext } from "@pagopa/io-react-native-jwt";
-
-const ajv = new Ajv({ allErrors: true });
-const INDEX_CLAIM_NAME = 1;
-
-export type EvaluatedDisclosures = {
-  requiredDisclosures: DisclosureWithEncoded[];
-  optionalDisclosures: DisclosureWithEncoded[];
-  unrequestedDisclosures: DisclosureWithEncoded[];
-};
-
-export type EvaluateInputDescriptorSdJwt4VC = (
-  inputDescriptor: InputDescriptor,
-  payloadCredential: SdJwt4VC["payload"],
-  disclosures: DisclosureWithEncoded[]
-) => EvaluatedDisclosures;
-
-export type EvaluateInputDescriptors = (
-  descriptors: InputDescriptor[],
-  credentialsSdJwt: [
-    CryptoContext /* cryptoContext */,
-    string /* credential */,
-  ][]
-) => Promise<
-  {
-    evaluatedDisclosure: EvaluatedDisclosures;
-    inputDescriptor: InputDescriptor;
-    credential: string;
-    cryptoContext: CryptoContext;
-  }[]
->;
-
-/**
- * @deprecated Use `prepareRemotePresentations` from DCQL
- */
-export type PrepareLegacyRemotePresentations = (
-  credentialAndDescriptors: {
-    requestedClaims: string[];
-    inputDescriptor: InputDescriptor;
-    credential: string;
-    cryptoContext: CryptoContext;
-  }[],
-  nonce: string,
-  client_id: string
-) => Promise<LegacyRemotePresentation[]>;
-
-/**
- * Transforms an array of DisclosureWithEncoded objects into a key-value map.
- * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
- * @returns An object mapping claim names to their corresponding values.
- */
-const mapDisclosuresToObject = (
-  disclosures: DisclosureWithEncoded[]
-): Record<string, unknown> => {
-  return disclosures.reduce(
-    (obj, { decoded }) => {
-      const [, claimName, claimValue] = decoded;
-      obj[claimName] = claimValue;
-      return obj;
-    },
-    {} as Record<string, unknown>
-  );
-};
-
-/**
- * Finds a claim within the payload based on provided JSONPath expressions.
- * @param paths - An array of JSONPath expressions to search for in the payload.
- * @param payload - The object to search within using JSONPath.
- * @returns A tuple with the first matched JSONPath and its corresponding value, or [undefined, undefined] if not found.
- */
-const findMatchedClaim = (
-  paths: string[],
-  payload: any
-): [string?, string?] => {
-  let matchedPath;
-  let matchedValue;
-  paths.some((singlePath) => {
-    try {
-      const result = JSONPath({ path: singlePath, json: payload });
-      if (result.length > 0) {
-        matchedPath = singlePath;
-        matchedValue = result[0];
-        return true;
-      }
-    } catch (error) {
-      throw new MissingDataError(
-        `JSONPath for "${singlePath}" does not match the provided payload.`
-      );
-    }
-    return false;
-  });
-
-  return [matchedPath, matchedValue];
-};
-
-/**
- * Extracts the claim name from a path that can be in one of the following formats:
- * 1. $.propertyName
- * 2. $["propertyName"] or $['propertyName']
- *
- * @param path - The path string containing the claim reference.
- * @returns The extracted claim name if matched; otherwise, throws an exception.
- */
-const extractClaimName = (path: string): string | undefined => {
-  // Define a regular expression that matches both formats:
-  // 1. $.propertyName
-  // 2. $["propertyName"] or $['propertyName']
-  const regex = /^\$\.(\w+)$|^\$\[(?:'|")(\w+)(?:'|")\]$/;
-
-  const match = path.match(regex);
-  if (match) {
-    // match[1] corresponds to the first capture group (\w+) after $.
-    // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
-    return match[1] || match[2];
-  }
-
-  // If the input doesn't match any of the expected formats, return null
-
-  throw new Error(
-    `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
-  );
-};
-
-/**
- * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
- *
- * - Checks each field in the InputDescriptor against the provided `payloadCredential`
- *   and `disclosures` (selectively disclosed claims).
- * - Validates whether required fields are present (unless marked optional)
- *   and match any specified JSONPath.
- * - If a field includes a JSON Schema filter, validates the claim value against that schema.
- * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
- *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
- * - Throws an error if a required field is invalid or missing.
- *
- * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
- * @param payloadCredential - The credential payload to check against.
- * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
- * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
- * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
- */
-export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
-  (inputDescriptor, payloadCredential, disclosures) => {
-    if (!inputDescriptor?.constraints?.fields) {
-      // No validation, all field are optional
-      return {
-        requiredDisclosures: [],
-        optionalDisclosures: [],
-        unrequestedDisclosures: disclosures,
-      };
-    }
-    const requiredClaimNames: string[] = [];
-    const optionalClaimNames: string[] = [];
-
-    // Transform disclosures to find claim using JSONPath
-    const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
-
-    // For each field, we need at least one matching path
-    // If we succeed, we push the matched disclosure in matchedDisclosures and stop checking further paths
-    const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
-      // For Potential profile, selectively disclosed claims will always be built as an individual object property, by using a name-value pair.
-      // Hence that selective claim for array element and recursive disclosures are not supported by Potential for the first iteration of Piloting.
-      // We need to check inside disclosures or inside credential payload. Example path: "$.given_name"
-      let [matchedPath, matchedValue] = findMatchedClaim(
-        field.path,
-        disclosuresAsPayload
-      );
-
-      if (!matchedPath) {
-        [matchedPath, matchedValue] = findMatchedClaim(
-          field.path,
-          payloadCredential
-        );
-
-        if (!matchedPath) {
-          // Path could be optional, in this case no need to validate! continue to next field
-          return field?.optional;
-        }
-      } else {
-        // if match a disclouse we save which is required or optional
-        const claimName = extractClaimName(matchedPath);
-        if (claimName) {
-          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
-            claimName
-          );
-        }
-      }
-
-      // FILTER validation
-      // If this field has a "filter" (JSON Schema), validate the claimValue
-      if (field.filter) {
-        try {
-          const validateSchema = ajv.compile(field.filter);
-          if (!validateSchema(matchedValue)) {
-            throw new MissingDataError(
-              `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
-            );
-          }
-        } catch (error) {
-          return false;
-        }
-      }
-      // Submission Requirements validation
-      // TODO: [EUDIW-216] Read rule value if “all” o “pick” and validate
-
-      return true;
-    });
-
-    if (!allFieldsValid) {
-      throw new MissingDataError(
-        "Credential validation failed: Required fields are missing or do not match the input descriptor."
-      );
-    }
-
-    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
-
-    const requiredDisclosures = disclosures.filter((disclosure) =>
-      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
-
-    const optionalDisclosures = disclosures.filter((disclosure) =>
-      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
-
-    const isNotLimitDisclosure = !(
-      inputDescriptor.constraints.limit_disclosure === "required"
-    );
-
-    const unrequestedDisclosures = isNotLimitDisclosure
-      ? disclosures.filter(
-          (disclosure) =>
-            !optionalClaimNames.includes(
-              disclosure.decoded[INDEX_CLAIM_NAME]
-            ) &&
-            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-        )
-      : [];
-
-    return {
-      requiredDisclosures,
-      optionalDisclosures,
-      unrequestedDisclosures,
-    };
-  };
-
-type DecodedCredentialSdJwt = {
-  cryptoContext: CryptoContext;
-  credential: string;
-  sdJwt: SdJwt4VC;
-  disclosures: DisclosureWithEncoded[];
-};
-
-/**
- * Finds the first credential that satisfies the input descriptor constraints.
- * @param inputDescriptor The input descriptor to evaluate.
- * @param decodedSdJwtCredentials An array of decoded SD-JWT credentials.
- * @returns An object containing the matched evaluation, keyTag, and credential.
- */
-export const findCredentialSdJwt = (
-  inputDescriptor: InputDescriptor,
-  decodedSdJwtCredentials: DecodedCredentialSdJwt[]
-): {
-  matchedEvaluation: EvaluatedDisclosures;
-  matchedCredential: string;
-  cryptoContext: CryptoContext;
-} => {
-  for (const {
-    cryptoContext,
-    credential,
-    sdJwt,
-    disclosures,
-  } of decodedSdJwtCredentials) {
-    try {
-      const evaluatedDisclosure = evaluateInputDescriptorForSdJwt4VC(
-        inputDescriptor,
-        sdJwt.payload,
-        disclosures
-      );
-
-      return {
-        matchedEvaluation: evaluatedDisclosure,
-        cryptoContext,
-        matchedCredential: credential,
-      };
-    } catch {
-      // skip to next credential
-      continue;
-    }
-  }
-
-  throw new CredentialsNotFoundError([
-    {
-      id: "",
-      reason: "None of the vc+sd-jwt credentials satisfy the requirements.",
-    },
-  ]);
-};
-
-/**
- * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
- *
- * For each input descriptor, this function:
- * - Checks the credential format.
- * - Decodes the credential.
- * - Evaluates the descriptor using the associated disclosures.
- *
- * @param inputDescriptors - An array of input descriptors.
- * @param credentialsSdJwt - An array of tuples containing keyTag and SD-JWT credential.
- * @returns An array of objects, each containing the evaluated disclosures,
- *          the input descriptor, the credential, and the keyTag.
- * @throws {CredentialNotFoundError} When the credential format is unsupported.
- */
-export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
-  inputDescriptors,
-  credentialsSdJwt
-) => {
-  // We need decode SD-JWT credentials for evaluation
-  const decodedSdJwtCredentials =
-    credentialsSdJwt?.map(([cryptoContext, credential]) => {
-      const { sdJwt, disclosures } = decode(credential);
-      return { cryptoContext, credential, sdJwt, disclosures };
-    }) || [];
-
-  return Promise.all(
-    inputDescriptors.map(async (descriptor) => {
-      if (descriptor.format?.["dc+sd-jwt"]) {
-        if (!decodedSdJwtCredentials.length) {
-          throw new CredentialsNotFoundError([
-            {
-              id: descriptor.id,
-              reason: "vc+sd-jwt credential is not supported.",
-            },
-          ]);
-        }
-
-        const { matchedEvaluation, cryptoContext, matchedCredential } =
-          findCredentialSdJwt(descriptor, decodedSdJwtCredentials);
-
-        return {
-          evaluatedDisclosure: matchedEvaluation,
-          inputDescriptor: descriptor,
-          credential: matchedCredential,
-          cryptoContext,
-        };
-      }
-
-      throw new CredentialsNotFoundError([
-        {
-          id: descriptor.id,
-          reason: `${descriptor.format} format is not supported.`,
-        },
-      ]);
-    })
-  );
-};
-
-/**
- * Prepares remote presentations for a set of credentials based on input descriptors.
- *
- * For each credential and its corresponding input descriptor, this function:
- * - Validates the credential format.
- * - Generates a verifiable presentation token (vpToken) using the provided nonce and client identifier.
- *
- * @deprecated Use `prepareRemotePresentations` from DCQL
- *
- * @param credentialAndDescriptors - An array containing objects with requested claims,
- *                                   input descriptor, credential, and keyTag.
- * @param nonce - A unique nonce for the verifiable presentation token.
- * @param client_id - The client identifier.
- * @returns A promise that resolves to an array of RemotePresentation objects.
- * @throws {CredentialNotFoundError} When the credential format is unsupported.
- */
-export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations =
-  async (credentialAndDescriptors, nonce, client_id) => {
-    return Promise.all(
-      credentialAndDescriptors.map(async (item) => {
-        const descriptor = item.inputDescriptor;
-
-        if (descriptor.format?.["dc+sd-jwt"]) {
-          const { vp_token } = await prepareVpToken(nonce, client_id, [
-            item.credential,
-            item.requestedClaims,
-            item.cryptoContext,
-          ]);
-
-          return {
-            requestedClaims: item.requestedClaims,
-            inputDescriptor: descriptor,
-            vpToken: vp_token,
-            format: "dc+sd-jwt",
-          };
-        }
-
-        throw new CredentialsNotFoundError([
-          {
-            id: descriptor.id,
-            reason: `${descriptor.format} format is not supported.`,
-          },
-        ]);
-      })
-    );
-  };