public static IEnumerable <JToken> GetDelegationProofs(JToken capability)
{
var cap = new CapabilityDelegation(capability as JObject);
// capability is root, it has no relevant delegation proofs
if (cap.ParentCapability == null)
{
return(Array.Empty <JToken>());
}
return(capability.Values("proof").Where(x =>
{
if (!(x["proofPurpose"]?.Value <string>() == "capabilityDelegation" &&
x["capabilityChain"] is JArray chain &&
chain.Any()))
{
return false;
}
var last = chain.Last();
if (last is JProperty lastProp)
{
return lastProp.Value <string>() == cap.ParentCapability;
}
return last["id"].Value <string>() == cap.ParentCapability;
}).ToArray());
}
/// <summary>
/// Returns true if the given verification method is a delegator or is
/// controlled by a delegator of the given capability.
/// </summary>
/// <param name="capability"></param>
/// <param name="verificationMethod"></param>
/// <returns></returns>
public static bool HasDelegator(this CapabilityDelegation capability, VerificationMethod verificationMethod)
{
var delegators = capability.GetDelegators();
return(delegators.Count() > 0 &&
(delegators.Contains(verificationMethod.Id) ||
(verificationMethod.Controller != null && delegators.Contains(verificationMethod.Controller))));
}
/// <summary>
/// Returns true if the given verification method is a invoker or is
/// controlled by an invoker of the given capability.
/// </summary>
/// <param name="capability"></param>
/// <param name="verificationMethod"></param>
/// <returns></returns>
public static bool HasInvoker(this CapabilityDelegation capability, VerificationMethod verificationMethod)
{
var invokers = capability.GetInvokers();
return(invokers.Count() > 0 &&
(invokers.Contains(verificationMethod.Id) ||
(verificationMethod.Controller != null && invokers.Contains(verificationMethod.Controller))));
}
/// <summary>
/// Retrieves the authorized invokers from a capability.
/// </summary>
/// <param name="capability">The JSON-LD document for the object capability
/// compacted to the security context.</param>
/// <returns>The invokers for the capability (empty for none).</returns>
public static IEnumerable <string> GetInvokers(this CapabilityDelegation capability)
{
// if neither a delegator, controller, nor id is found on the capability then
// the capability can not be delegated
if (capability.Invoker is null || capability.Id is null)
{
throw new Exception("Delegator not found for capability.");
}
// if there's a delegator present and not an invoker, then this capability
// was intentionally meant to not be invoked
if (capability.Delegator != null && capability.Invoker is null)
{
return(Array.Empty <string>());
}
return(new[] { capability.Invoker ?? capability.Id });
}
public override async Task <LinkedDataProofs.Purposes.ValidationResult> ValidateAsync(JToken proof, ProofOptions options)
{
if (proof["capability"] is null)
{
throw new Exception("'capability' was not found in the capability invocation proof.");
}
if (Options?.ExpectedTarget == null)
{
throw new ArgumentNullException("ExpectedTarget is required.");
}
// 1. get the capability in the security v2 context
var result = await Utils.FetchInSecurityContextAsync(proof["capability"], false, new JsonLdProcessorOptions
{
CompactToRelative = false,
DocumentLoader = options.DocumentLoader.Load
});
var capability = new CapabilityDelegation(result as JObject);
// 2. verify the capability delegation chain
await Utils.VerifyCapabilityChain(capability, Options);
// 3. verify the invoker...
// authorized invoker must match the verification method itself OR
// the controller of the verification method
if (!capability.HasInvoker(new VerificationMethod(Options.VerificationMethod)))
{
throw new Exception("The authorized invoker does not match the " +
"verification method or its controller.");
}
var validateResult = await base.ValidateAsync(proof, options);
validateResult.Invoker = validateResult.Controller;
validateResult.Controller = null;
return(validateResult);
}