Creating Dynamic Policies

Example of a Rego policy

Creating a Sample Policy using R ego

A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:

package system

default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}

This policy file is located in the SSIKit test resources: src/test/resources/rego/subject-policy.rego

Executing a Policy On-The-Fly

Please refer to the SSI-Kit setup section to exectute the command successfully.

ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego", \
  "input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
  src/test/resources/rego/VerifiableId.json

Saving a Dynamic Policy

You can save the policy by name, which simplifies its usage in future verifications.

Please refer to the SSI-Kit setup section to exectute the command successfully. Example

ssikit vc policies create \
    -n "MyCustomPolicy" \
    -D "Verifies credential subject against a provided DID" \
    -p src/test/resources/rego/subject-policy.rego \
    -i '{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }'

Flags:

-n, --name: Policy name, must not conflict with existing policies
-D, --description: Optional policy description
-p, --policy: Path or URL to policy definition. e.g.: rego file for OPA policy engine
-i, --input: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
-d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
-s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
-f, --force: Override existing policy with that name (static policies cannot be overridden!)
-e, --policy-engine: Policy engine type, default: OPA. Options, OPA
--vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)
--vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)

Please refer to the SSI-Kit setup section to serve the API.

curl -X 'POST' \
  'http://127.0.0.1:7003/v1/create/{{policyName}}?update=true&downloadPolicy=true' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system

default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}
",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}'

Path parameters:

policyName: [string] Name of the policy, e.g. MyCustomPolicy

Query parameters:

update: [boolean] Specifies if existing policy with same name should be overridden (if mutable)
downloadPolicy: [boolean] When using an URL to reference the to created policy. Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

Body

{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system

               default main = false

               main {
                 input.parameter.user == input.credentialData.credentialSubject.id
               }",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}

name: [string] Policy name, must not conflict with existing policies
description: [string] Optional policy description
input: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
policy: [URL, REGO] Whole Policy or URL to policy definition.
dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
policyQuery: [string] The query string in the policy engine language. Defaults to "data.system.main".
policyEngine: [string] Policy engine type, default: OPA. Options, OPA
applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)
applyToVP: [boolean] Apply/Don't apply to verifiable presentaion (default: don't apply)

PreviousDynamic/Custom Policies NextUsing Dynamic Policies

Last updated 1 year ago

Creating a Sample Policy using Rego

Executing a Policy On-The-Fly

Saving a Dynamic Policy

Creating a Sample Policy using R ego