Example of a Rego policy
A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:
This policy file is located in the SSIKit test resources: src/test/resources/rego/subject-policy.rego
Please refer to the SSI-Kit setup section to exectute the command successfully.
You can save the policy by name, which simplifies its usage in future verifications.
Please refer to the SSI-Kit setup section to exectute the command successfully. Example
Flags:
-n, --name
: Policy name, must not conflict with existing policies
-D, --description
: Optional policy description
-p, --policy
: Path or URL to policy definition. e.g.: rego file for OPA policy engine
-i, --input
: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
-d, --data-path
: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
-s, --save-policy
: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
-f, --force
: Override existing policy with that name (static policies cannot be overridden!)
-e, --policy-engine
: Policy engine type, default: OPA. Options, OPA
--vc / --no-vc
: Apply/Don't apply to verifiable credentials (default: apply)
--vp / --no-vp
: Apply/Don't apply to verifiable presentations (default: don't apply)
Please refer to the SSI-Kit setup section to serve the API.
Path parameters:
policyName
: [string] Name of the policy, e.g. MyCustomPolicy
Query parameters:
update
: [boolean] Specifies if existing policy with same name should be overridden (if mutable)
downloadPolicy
: [boolean] When using an URL to reference the to created policy. Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL
Body
name
: [string] Policy name, must not conflict with existing policies
description
: [string] Optional policy description
input
: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file
policy
: [URL, REGO] Whole Policy or URL to policy definition.
dataPath
: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)
policyQuery
: [string] The query string in the policy engine language. Defaults to
"data.system.main".
policyEngine
: [string] Policy engine type, default: OPA. Options, OPA
applyToVC
: [boolean] Apply/Don't apply to verifiable credentials (default: apply)
applyToVP
: [boolean] Apply/Don't apply to verifiable presentaion (default: don't apply)
Note: To use dynamic policies with Open Policy Agent, setup of the OPA Engine is required. Refer to the for more details.
- Learn how to create a dynamic policy via CLI or REST
- Learn how to verify a VC using a dynamic policy via CLI or REST
- Learn how to remove a dynamic policy via CLI or REST
- Examine data classes used internally.
A dynamic policy requires an argument of the DynamicPolicyArg
type, defined as follows:
The properties are as follows:
name
: The policy name. Defaults to "DynamicPolicy".
description
: An optional description of the policy.
input
: A generic map (JSON object) holding the input data required by the policy. If no input is required, this can be an empty map.
policy
: The policy definition. Can be a file path, URL, JSON Path (if policy is defined in a credential property), or the policy script directly.
dataPath
: The path to the credential data to be verified. Defaults to the entire credential object ($). If you want to use only the credential subject as verification data, specify the JSON path like this: $.credentialSubject
.
policyQuery
: The query string in the policy engine language. Defaults to "data.system.main".
policyEngine
: The engine used for policy execution. Defaults to OPA (Open Policy Agent).
applyToVC
: Determines whether this policy should apply to verifiable credentials. Defaults to true.
applyToVP
: Determines whether this policy should apply to verifiable presentations. Defaults to false.
The policy is executed by the specified policy engine, with the Open Policy Agent currently being the only supported engine. OPA receives an input object containing the dynamic policy's input parameter and the credential data configured in the policy argument.
The input object for the policy engine is structured as follows:
This structure allows the REGO policy definition to access the input
properties as follows:
input.parameter
: The input object defined in the DynamicPolicyArg
's input property.
input.credentialData
: The credential data selected by the JSON path provided in the DynamicPolicyArg
's dataPath
property.
Once a dynamic policy has been saved with a specific name, as explained in the previous section, you can use it to verify Verifiable Credentials.
Please refer to the SSI-Kit setup section to exectute the command successfully.
-p, --policy
: Verification policy. Can be specified multiple times. By default, SignaturePolicy is used. To specify a policy argument (if required), use the format PolicyName='{"myParam": "myValue", ...}', to specify the JSON object directly, or PolicyName=path/to/arg.json, to read the argument from a JSON file.
We can verify a credential with the SubjectPolicy
and VerifiableId located in src/test/resources/rego/VerifiableId.json
, which are provided when cloning the project, so no setup is needed.
Please refer to the SSI-Kit setup section to serve the API.
Body
policies
: [array] A list of policy definitions to verify against
policy
: [string] The name/id of the policy
argument
: [JSON] The argument needed by the policy (optional)
credentials
: [array] An array of credentials in JWT, or LD_PROOF format
Please refer to the SSI-Kit setup section to exectute the command successfully.
-n, --name
: name of the dynamic policy to remove
Please refer to the SSI-Kit setup section to serve the API.
Path parameters:
policyName
: [string] Name of the policy to delete