Creating Dynamic Policies
Example of a Rego policy
A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:
package system

default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}
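The policy above can be unit-tested before it is saved or used in a verification. The following test file is an added example, not part of the SSI-Kit documentation or code base. It assumes a standalone `opa` binary that accepts the pre-1.0 rule syntax used by the policy. The test file name and the second DID are constructed for illustration.

```rego
# subject-policy_test.rego (hypothetical file name), same package as the policy.
# Run: opa test src/test/resources/rego/subject-policy.rego subject-policy_test.rego
package system

# Constructed sample values
holder := "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp"
other := "did:key:z6MkExampleOtherHolderConstructedForThisTest"

# Parameter and credential subject agree: the policy accepts.
test_matching_subject_is_accepted {
    main with input as {
        "parameter": {"user": holder},
        "credentialData": {"credentialSubject": {"id": holder}},
    }
}

# Credential was issued to a different subject: rejected.
test_different_subject_is_rejected {
    not main with input as {
        "parameter": {"user": holder},
        "credentialData": {"credentialSubject": {"id": other}},
    }
}

# credentialSubject.id is absent: the comparison is undefined, so the
# default (false) applies.
test_missing_subject_id_is_rejected {
    not main with input as {
        "parameter": {"user": holder},
        "credentialData": {"credentialSubject": {}},
    }
}

# No parameter supplied at verification time: rejected as well.
test_missing_parameter_is_rejected {
    not main with input as {
        "credentialData": {"credentialSubject": {"id": holder}},
    }
}

# Both sides undefined must not compare equal.
test_empty_input_is_rejected {
    not main with input as {}
}
```

The last three cases check that the policy fails closed: a credential or parameter set that lacks the compared fields never satisfies `main`.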
Executing a Policy On-The-Fly
Please refer to the SSI-Kit setup section to execute the command successfully.
ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego",
"input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
src/test/resources/rego/VerifiableId.json
Saving a Dynamic Policy
You can save the policy by name, which simplifies its usage in future verifications.
Please refer to the SSI-Kit setup section to execute the command successfully.
Example
Flags:
-n, --name: Policy name, must not conflict with existing policies
-D, --description: Optional policy description
-p, --policy: Path or URL to policy definition, e.g. a rego file for the OPA policy engine
-i, --input: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
-d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
-s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
-f, --force: Override existing policy with that name (static policies cannot be overridden!)
-e, --policy-engine: Policy engine type, default: OPA. Options: OPA
--vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)
--vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)
Please refer to the SSI-Kit setup section to serve the API.
Path parameters:
policyName: [string] Name of the policy, e.g. MyCustomPolicy
Query parameters:
update: [boolean] Specifies if an existing policy with the same name should be overridden (if mutable)
downloadPolicy: [boolean] When a URL is used to reference the policy to be created: downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
Body
name: [string] Policy name, must not conflict with existing policies
description: [string] Optional policy description
input: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
policy: [URL, REGO] Whole policy or URL to policy definition
dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
policyQuery: [string] The query string in the policy engine language. Defaults to "data.system.main"
policyEngine: [string] Policy engine type, default: OPA. Options: OPA
applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)
applyToVP: [boolean] Apply/Don't apply to verifiable presentations (default: don't apply)
