Creating Dynamic Policies
Example of a Rego policy
A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:
package system
default main = false
main {
input.parameter.user == input.credentialData.credentialSubject.id
}
Executing a Policy On-The-Fly
Please refer to the SSI-Kit setup section to execute the command successfully.
ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego", \
"input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
src/test/resources/rego/VerifiableId.json
Saving a Dynamic Policy
You can save the policy by name, which simplifies its usage in future verifications.
Please refer to the SSI-Kit setup section to execute the command successfully.
Example
ssikit vc policies create \
-n "MyCustomPolicy" \
-D "Verifies credential subject against a provided DID" \
-p src/test/resources/rego/subject-policy.rego \
-i '{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }'
Flags:
-n, --name: Policy name, must not conflict with existing policies
-D, --description: Optional policy description
-p, --policy: Path or URL to policy definition, e.g. a rego file for the OPA policy engine
-i, --input: Input JSON object for the rego query, which can be overridden/extended on verification. Can be a JSON string or a JSON file
-d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
-s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
-f, --force: Override an existing policy with that name (static policies cannot be overridden!)
-e, --policy-engine: Policy engine type, default: OPA. Options: OPA
--vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)
--vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)
Please refer to the SSI-Kit setup section to serve the API.
curl -X 'POST' \
  'http://127.0.0.1:7003/v1/create/{{policyName}}?update=true&downloadPolicy=true' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system\ndefault main = false\nmain {\n  input.parameter.user == input.credentialData.credentialSubject.id\n}\n",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
  }'
Path parameters:
policyName: [string] Name of the policy, e.g. MyCustomPolicy
Query parameters:
update: [boolean] Specifies if an existing policy with the same name should be overridden (if mutable)
downloadPolicy: [boolean] When using a URL to reference the policy to be created: downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
Body
{
  "name": "MyCustomPolicy",
  "description": "Test",
  "input": {},
  "policy": "package system\ndefault main = false\nmain {\n  input.parameter.user == input.credentialData.credentialSubject.id\n}",
  "dataPath": "$",
  "policyQuery": "data.system.main",
  "policyEngine": "OPA",
  "applyToVC": true,
  "applyToVP": true
}
name: [string] Policy name, must not conflict with existing policies
description: [string] Optional policy description
input: [JSON] Input JSON object for the rego query, which can be overridden/extended on verification. Can be a JSON string or a JSON file
policy: [URL, REGO] Whole policy or URL to the policy definition
dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
policyQuery: [string] The query string in the policy engine language. Defaults to "data.system.main"
policyEngine: [string] Policy engine type, default: OPA. Options: OPA
applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)
applyToVP: [boolean] Apply/Don't apply to verifiable presentations (default: don't apply)
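As an added example (not SSI-Kit's own code), the following Python shows the three things a practitioner trips over with the request above and the CLI flags: serialising the multi-line Rego text into a valid JSON body, assembling the document the rule reads from the stored input plus verification-time overrides, and checking the rule's outcome, including a credential with no subject id. The `parameter`/`credentialData` input shape is inferred from the rule's references and is an assumption; the credential and DIDs are constructed.

```python
import json

# Constructed sample credential standing in for VerifiableId.json (not the page's file).
CREDENTIAL = {
    "type": ["VerifiableCredential", "VerifiableId"],
    "credentialSubject": {"id": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp"},
}

# The subject policy from the page, kept as one multi-line string.
POLICY_REGO = (
    "package system\n"
    "default main = false\n"
    "main {\n"
    "  input.parameter.user == input.credentialData.credentialSubject.id\n"
    "}\n"
)

def build_create_request(name, description, stored_input):
    """Serialise the POST /v1/create/{policyName} body. json.dumps escapes the
    policy's newlines as \\n; a raw multi-line string inside the body is not valid JSON."""
    body = {
        "name": name,
        "description": description,
        "input": stored_input,
        "policy": POLICY_REGO,
        "dataPath": "$",
        "policyQuery": "data.system.main",
        "policyEngine": "OPA",
        "applyToVC": True,
        "applyToVP": True,
    }
    return json.dumps(body)

def build_opa_input(credential, stored_input, verification_input=None):
    """Assemble the document the rule reads. Assumed shape (inferred from the rule):
    'parameter' is the stored input overridden/extended by the verification-time input,
    'credentialData' is the credential selected by dataPath "$" (the whole object)."""
    parameter = {**stored_input, **(verification_input or {})}
    return {"parameter": parameter, "credentialData": credential}

def evaluate_subject_policy(opa_input):
    """Reference evaluation of the rule. If parameter.user or credentialSubject.id is
    missing the comparison is undefined in Rego, so 'default main = false' applies."""
    try:
        return opa_input["parameter"]["user"] == opa_input["credentialData"]["credentialSubject"]["id"]
    except (KeyError, TypeError):
        return False
```

The same input document can be fed to a local `opa eval` run against the policy file before the policy is registered, so the stored and verification-time inputs are exercised without an SSI-Kit instance.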