-
Notifications
You must be signed in to change notification settings - Fork 516
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: ensure request matches offer, if sent #2341
fix: ensure request matches offer, if sent #2341
Conversation
Relevant holder did override PR from a while back: #1235 |
062f8c6
to
1cb957d
Compare
Side note on this: The I’ll add that this is a change in my thinking from the early days of ACA-Py when I thought that we should write “default" controllers that implemented |
@swcurran I'm interested in discussing that further. I don't think I disagree; this aligns with other discussions we've had about the revocation endpoints as well. But, given that it is a change from earlier days, I think it would be beneficial to tease out some of the nuances of this controller evolution. |
This change implements checking that ld proof credential requests match their corresponding offer, if an offer was sent. If using the `--auto-*` flags for issuance, it was possible for the receiver of the credential offer to change values in the request and ACA-Py would accept this and issue based off of the request values. The `--auto-*` flags are debug flags and should not be used in production which would mean that a controller should have been able to catch this discrepancy. However, it is still expedient for ACA-Py to check that the offer and request match to avoid this slipping past the controller as well. There is a side affect of this check. We were permitting late binding of the credential subject ID to the holder in the request. Meaning, on request, the holder will automatically (when using auto flags) insert a DID key as the credential subject ID to ensure the holder can actually present proof of possession later. These changes modify this behavior such that it only applies iff the credential subject id is not set already (e.g. in the credential offer). This enables the issuer to bind the credential to a DID other than the holder's pairwise DID if an alternate is known to the issuer. If the issuer wants to permit late binding by the holder still, the credential subject ID should be omitted in the offer. So, to summarize, the two modifications implemented here: - Ensure the request doesn't change the credential unless the offer explicitly omits a credential subject ID - Only override with holder did if the credential subject ID is omitted Signed-off-by: Daniel Bluhm <[email protected]>
3ca1542
to
214a89e
Compare
Kudos, SonarCloud Quality Gate passed! |
Can we get someone to review this change? @usingtechnology @swcurran? Being perfectly frank, I'm a bit annoyed this was dropped from the 0.10.0 milestone without warning when it's just waiting on a review. |
Thanks @dbluhm — sorry about the lack of communication. We won’t nail down the final 0.10.0 until tomorrow at the Maintainers meeting. We needed to get an Note that we did a successful “dev0” release, which likely would have been good enough, other than putting the wrong tag on it ( |
@dbluhm - I will review it this morning. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Appreciate the comments in the code and the pytests.
This change implements checking that ld proof credential requests match their corresponding offer, if an offer was sent.
If using the
--auto-*
flags for issuance, it was possible for the receiver of the credential offer to change values in the request and ACA-Py would accept this and issue based off of the request values. The--auto-*
flags are debug flags and should not be used in production which would mean that a controller should have been able to catch this discrepancy. However, it is still expedient for ACA-Py to check that the offer and request match to avoid this slipping past the controller as well.There is a side affect of this check. We were permitting late binding of the credential subject ID to the holder in the request. Meaning, on request, the holder will automatically (when using auto flags) insert a DID key as the credential subject ID to ensure the holder can actually present proof of possession later. These changes modify this behavior such that it only applies iff the credential subject id is not set already (e.g. in the credential offer). This enables the issuer to bind the credential to a DID other than the holder's pairwise DID if an alternate is known to the issuer. If the issuer wants to permit late binding by the holder still, the credential subject ID should be omitted in the offer.
So, to summarize, the two modifications implemented here: