Clearing pending revocations from a revocation registry clears all pending revocations from other registries.

[cl0ete]

Below I have 3 registries with pending publications. First two on the same credential definition, third one on a different credential definition.

GET /revocation/registry/NbLJt2RgxGFZLW55kkcuaz%3A4%3ANbLJt2RgxGFZLW55kkcuaz%3A3%3ACL%3A8%3AEpic%3ACL_ACCUM%3Aa077e29b-78b7-44d1-8f92-f9451ae20139'

Response body:

{
 "result": {
   "state": "active",
   "created_at": "2024-05-06T09:02:00.406414Z",
...
   "pending_pub": [
     "2",
     "3",
     "4",
     "5"
   ]
 }
}

GET /revocation/registry/NbLJt2RgxGFZLW55kkcuaz%3A4%3ANbLJt2RgxGFZLW55kkcuaz%3A3%3ACL%3A8%3AEpic%3ACL_ACCUM%3A657200c3-daa1-4619-b2d8-16353974433a'

Response body:

{
 "result": {
   "state": "full",
   "created_at": "2024-05-06T09:01:57.320175Z",
 ...
   "pending_pub": [
     "17",
     "2",
     "5"
   ]
 }
}

GET /revocation/registry/NbLJt2RgxGFZLW55kkcuaz%3A4%3ANbLJt2RgxGFZLW55kkcuaz%3A3%3ACL%3A18%3Alekker%3ACL_ACCUM%3A4edd4a62-0ed0-48ed-a66a-ff0008ff2419'

Response body:

{
 "result": {
   "state": "active",
   "created_at": "2024-05-06T09:32:26.444582Z",
   ...
   "pending_pub": [
     "1"
   ]
 }
}

I then clear one pending revocation from first registry above:

POST /revocation/clear-pending-revocations'

With body:

{
  "purge": {
    "NbLJt2RgxGFZLW55kkcuaz:4:NbLJt2RgxGFZLW55kkcuaz:3:CL:8:Epic:CL_ACCUM:a077e29b-78b7-44d1-8f92-f9451ae20139":["2"]
  }
}

Response body:

{
  "rrid2crid": {
    "NbLJt2RgxGFZLW55kkcuaz:4:NbLJt2RgxGFZLW55kkcuaz:3:CL:8:Epic:CL_ACCUM:a077e29b-78b7-44d1-8f92-f9451ae20139": [
      "3",
      "4",
      "5"
    ]
  }
}

I have cleared cred_rev_id: "2" from the pending list BUT when getting the other two registries we see:

GET /revocation/registry/NbLJt2RgxGFZLW55kkcuaz%3A4%3ANbLJt2RgxGFZLW55kkcuaz%3A3%3ACL%3A8%3AEpic%3ACL_ACCUM%3A657200c3-daa1-4619-b2d8-16353974433a'

Response body:

{
 "result": {
   "state": "full",
   "created_at": "2024-05-06T09:01:57.320175Z",
 ...
   "pending_pub": []
 }
}

GET /revocation/registry/NbLJt2RgxGFZLW55kkcuaz%3A4%3ANbLJt2RgxGFZLW55kkcuaz%3A3%3ACL%3A18%3Alekker%3ACL_ACCUM%3A4edd4a62-0ed0-48ed-a66a-ff0008ff2419'

Response body:

{
 "result": {
   "state": "active",
   "created_at": "2024-05-06T09:32:26.444582Z",
 ...
   "pending_pub": []
 }
}

All the pending revocations are gone.

Taking a look at the revocation code at line 335 to 351:

       result = {}
       notify = []

       async with self._profile.transaction() as txn:
           issuer_rr_recs = await IssuerRevRegRecord.query_by_pending(txn)
           for issuer_rr_rec in issuer_rr_recs:
               rrid = issuer_rr_rec.revoc_reg_id
               await issuer_rr_rec.clear_pending(txn, (purge or {}).get(rrid))
               if issuer_rr_rec.pending_pub:
                   result[rrid] = issuer_rr_rec.pending_pub
               notify.append(rrid)
           await txn.commit()

       for rrid in notify:
           await notify_pending_cleared_event(self._profile, rrid)

       return result

It looks like issuer_rr_recs should be filtered by the id's passed in the purge payload before clearing them, if I am reading this right...

[jamshale]

So this is actually how it was designed to work but it doesn't make much sense.

• If the body is left empty {} then it will clear all pending registries of all revocations. This must be used as an easy way to clear all pending revocations.
• If you declare the purge body with one revocation registries then it will clear any other pending revocations for all the other revocation registries.
• If you leave the purge list empty for any of the declared revocation registries, it will remove all pending revocations for that revocation registry.

I think this should probably be re-designed so it's more obvious what you are doing.

Also this endpoint is not available for anoncreds, but I think it should be.

@dbluhm @ianco Any thoughts on this?

[cl0ete]

• If you declare the purge body with one revocation registries then it will clear any other pending revocations for all the other revocation registries.

@jamshale I disagree with this statement. Yes that is what happens when you call the endpoint BUT the docstrings of the clear_pending_revocations functions states:

 ...
    {} - clear all pending revocations from all revocation registries

    {
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:0": [],
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:1": ["1", "2"]

    } - clear
             - all pending revocations from all revocation registry tagged 0
             - pending ["1", "2"] from revocation registry tagged 1
             - no pending revocations from any other revocation registries.

The last line clearly states that if a purge payload is given it will clear no pending revocations from any other revocation registries.

[swcurran]

Regarding if the endpoint is needed for anoncreds-rs. AFAIK (and I agree) — the controller should not be messing with RevRegs — only ACA-Py internally. When we first implemented Revocation, it was left to the controller to do the processing and it was far too complex. We then implemented ACA-Py handled revocation, but left in the endpoints for the controller. With the move to AnonCreds-RS, we want to get rid of the endpoints and prevent the controller from messing with revocation. The logic is clear enough that ACA-Py can handle it with just business input (using revocation or not, revreg size, when to revoke credentials, when to publish revocations) from the controller.

[jamshale]

• If you declare the purge body with one revocation registries then it will clear any other pending revocations for all the other revocation registries.

@jamshale I disagree with this statement. Yes that is what happens when you call the endpoint BUT the docstrings of the clear_pending_revocations functions states:

 ...
    {} - clear all pending revocations from all revocation registries

    {
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:0": [],
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:1": ["1", "2"]

    } - clear
             - all pending revocations from all revocation registry tagged 0
             - pending ["1", "2"] from revocation registry tagged 1
             - no pending revocations from any other revocation registries.

The last line clearly states that if a purge payload is given it will clear no pending revocations from any other revocation registries.

• If you declare the purge body with one revocation registries then it will clear any other pending revocations for all the other revocation registries.

@jamshale I disagree with this statement. Yes that is what happens when you call the endpoint BUT the docstrings of the clear_pending_revocations functions states:

 ...
    {} - clear all pending revocations from all revocation registries

    {
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:0": [],
       "R17v42T4pk...:4:R17v42T4pk...:3:CL:19:tag:CL_ACCUM:1": ["1", "2"]

    } - clear
             - all pending revocations from all revocation registry tagged 0
             - pending ["1", "2"] from revocation registry tagged 1
             - no pending revocations from any other revocation registries.

The last line clearly states that if a purge payload is given it will clear no pending revocations from any other revocation registries.

Yes. I meant more like this is the way the code was written. I don't think it really makes sense that having an empty list clears all the revocations either, but having revocation ids in the list only purges those revocations. It should be more obvious what you are doing.

Fixing it to match the docs description is easy. I was more looking for feedback if I should redefine the logic of this endpoint in general.

[jamshale]

I think I'll just fix it to match the docs description. I don't want to change the behaviour for any controllers currently using this endpoint.