Creating Dynamic Policies

Example of a Rego policy

Last updated 1 month ago

Creating a Sample Policy using Rego

A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:

package system

default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}

This policy file is located in the SSIKit test resources: src/test/resources/rego/subject-policy.rego
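
The policy's fail-closed behaviour can be checked with OPA's built-in test runner. The test file below is an added example, not part of the SSIKit repository: the file name, the helper rule names and the did:example value are assumptions, and the input shape (parameter, credentialData) is taken from the paths the policy above reads.

```rego
# subject-policy_test.rego (hypothetical file name), placed beside subject-policy.rego.
# Written in the same pre-1.0 Rego syntax as the policy under test.
package system

# DID used in this page's CLI examples.
expected_did := "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp"

# Constructed value standing in for any other subject.
other_did := "did:example:someone-else"

# The only case that may pass: parameter and credential subject are identical.
test_matching_subject_passes {
    main with input as {
        "parameter": {"user": expected_did},
        "credentialData": {"credentialSubject": {"id": expected_did}}
    }
}

# A credential issued to a different subject is rejected.
test_different_subject_fails {
    not main with input as {
        "parameter": {"user": expected_did},
        "credentialData": {"credentialSubject": {"id": other_did}}
    }
}

# No "user" parameter supplied: the comparison is undefined, so the default (false) applies.
test_missing_parameter_fails {
    not main with input as {
        "parameter": {},
        "credentialData": {"credentialSubject": {"id": expected_did}}
    }
}

# Credential without a subject id is rejected.
test_missing_subject_id_fails {
    not main with input as {
        "parameter": {"user": expected_did},
        "credentialData": {"credentialSubject": {}}
    }
}

# Both sides missing: undefined == undefined does not evaluate to true.
test_both_missing_fails {
    not main with input as {"parameter": {}, "credentialData": {"credentialSubject": {}}}
}
```

Run it with `opa test` over both the policy file and the test file.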

Executing a Policy On-The-Fly

Please refer to the SSI-Kit setup section to execute the command successfully.

ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego", \
  "input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
  src/test/resources/rego/VerifiableId.json

Saving a Dynamic Policy

You can save the policy by name, which simplifies its usage in future verifications.

ssikit vc policies create \
    -n "MyCustomPolicy" \
    -D "Verifies credential subject against a provided DID" \
    -p src/test/resources/rego/subject-policy.rego \
    -i '{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }'

Flags:

  • -n, --name: Policy name, must not conflict with existing policies

  • -D, --description: Optional policy description

  • -p, --policy: Path or URL to the policy definition, e.g. a Rego file for the OPA policy engine

  • -i, --input: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file

  • -d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)

  • -s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

  • -f, --force: Override existing policy with that name (static policies cannot be overridden!)

  • -e, --policy-engine: Policy engine type, default: OPA. Options: OPA

  • --vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)

  • --vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)

# MyCustomPolicy in the URL path is the {{policyName}} path parameter.
# Newlines inside the "policy" string are written as \n so the body is valid JSON.
curl -X 'POST' \
  'http://127.0.0.1:7003/v1/create/MyCustomPolicy?update=true&downloadPolicy=true' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system\n\ndefault main = false\n\nmain {\n    input.parameter.user == input.credentialData.credentialSubject.id\n}\n",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}'

Path parameters:

  • policyName: [string] Name of the policy, e.g. MyCustomPolicy

Query parameters:

  • update: [boolean] Specifies if existing policy with same name should be overridden (if mutable)

  • downloadPolicy: [boolean] When a URL is used to reference the policy to be created, downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

Body

{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system\n\ndefault main = false\n\nmain {\n    input.parameter.user == input.credentialData.credentialSubject.id\n}\n",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}

  • name: [string] Policy name, must not conflict with existing policies

  • description: [string] Optional policy description

  • input: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file

  • policy: [URL, REGO] Whole Policy or URL to policy definition.

  • dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)

  • policyQuery: [string] The query string in the policy engine language. Defaults to "data.system.main".

  • policyEngine: [string] Policy engine type, default: OPA. Options: OPA

  • applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)

  • applyToVP: [boolean] Apply/Don't apply to verifiable presentations (default: don't apply)

Please refer to the SSI-Kit setup section to execute the command successfully.

Please refer to the SSI-Kit setup section to serve the API.