Continuation Q&A: Policy Evaluation and Rule Binding

[joelweihrauch]

As a continuation of the Q&A Session from today i would like to describe my problem. @paullatzelsperger

1. I have defined the following Asset in my provider connector with a typo in the policy constraint:

{
  "assetId" : "test-document-1",
  "description" : null,
  "negotiationInitiateRequestDto" : {
    "connectorAddress" : "http://localhost:8282/api/v1/ids/data",
    "protocol" : "ids-multipart",
    "connectorId" : "urn:connector:provider",
    "offer" : {
      "offerId" : "1:4fc850e6-c0f9-493f-95f3-c3aef191cca1",
      "assetId" : "test-document-1",
      "policy" : {
        "permissions" : [ {
          "edctype" : "dataspaceconnector:permission",
          "uid" : null,
          "target" : "test-document-1",
          "action" : {
            "type" : "USE",
            "includedIn" : null,
            "constraint" : null
          },
          "assignee" : "assignee",
          "assigner" : "assigner",
          "constraints" : [ {
            "edctype" : "AtomicConstraint",
            "leftExpression" : {
              "edctype" : "dataspaceconnector:literalexpression",
              "value" : "gax:registrationNumber.gax:registrationNumbre" -> TYPO
            },
            "rightExpression" : {
              "edctype" : "dataspaceconnector:literalexpression",
              "value" : "123"
            },
            "operator" : "EQ"
          } ],
          "duties" : [ ]
        } ],
        "prohibitions" : [ ],
        "obligations" : [ ],
        "extensibleProperties" : { },
        "inheritsFrom" : null,
        "assigner" : null,
        "assignee" : null,
        "target" : "test-document-1",
        "@type" : {
          "@policytype" : "set"
        }
      },
      "validity" : 31536000
    }
  }
}

2. I have binded the ruleType and key to the Scope '*' without the typo from above:

ruleBindingRegistry.bind("gax:registrationNumber.gax:registrationNumber", "*");

policyEngine.registerFunction("*", Permission.class,"gax:registrationNumber.gax:registrationNumber",
      new PolicyVCAuthorizationFunction(context.getMonitor(), context.getTypeManager().getMapper()));

When i try to negotiate the asset it's resulting in a confirmed state. There is no binding to the leftExpression of the policy and the PolicyEngine will filter this policy. So the Policy can not be satisfied. Why is it then only filtered but not "automatically" rejected?

The claims i have used:

{
  "@context" : [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/gaia-x/context.jsonld" ],
  "type" : "VerifiablePresentation",
  "verifiableCredential" : [ {
    "@context" : [ "https://www.w3.org/2018/credentials/v1" ],
    "type" : "VerifiableCredential",
    "id" : "",
    "issuer" : "",
    "issuanceDate" : "2022-09-23T23:23:23.235Z",
    "credentialSubject" : {
      "id" : "",
      "type" : "gax:Participant",
      "gax:name" : "",
      "gax:legalName" : "",
      "gax:registrationNumber" : {
        "gax:registrationNumberType" : "DEID",
        "gax:registrationNumberNumber" : "123"
      },
      "gax:legalAddress" : {
        "gax:addressCountryCode" : "DE",
        "gax:addressCode" : "",
        "gax:street-address" : "Teststraße 95",
        "gax:postal-code" : ""
      },
      "gax:termsAndConditions" : ""
    }
  } ]
}

[paullatzelsperger]

The problem is that (due to the typo), the constraint type is different from the binding, which means, you are binding to a non-existent constraint, thus I'm pretty sure your evaluation function (PolicyVCAuthorizationFunction) won't get executed.

You are effectively attempting to evaluate a policy with no function to evaluate it, which of course returns true. That is by design, because not every rule of every policy is relevant in every context (otherwise every policy would always have to be evaluated by every function).

Making sure that a policy is formulated correctly, and that it gets properly evaluated etc. should be handled through testing.

[joelweihrauch]

I totally agree with the design of filtering the functions by scope/context. I would also agreeing with filtering the typo policy.
Because the policies with a non-existing function should not be evaluated but from my understanding a policy with non-existing function should always return a false.
Is there a way to "check" the policy before the evaluation for a function? I was wondering if that place could be the pre-validators and check there if a policy has a function or not.
Or should that be handled by an external application which creates the policy in the connector?

[paullatzelsperger]

the EDC project doesn't provide a checker out-of-the-box, but as I said before, the best and recommended way to do this is through (JUnit) testing. Simply write a test that utilizes the EDC policy modules, and your (presumably custom-written) evaluation function, and run your policy through that. That could (and should!) even be automated through CI.

In addition, you may be able to whip something up with a preValidator in the PolicyEngine, where you can "pre-validate" a policy, but you'd have to come up with the logic for that pre-validation yourself.

As of recently, there is also the possibility to update policies at runtime, in case you detect a typo or syntactic error after the fact.

[paullatzelsperger]

@joelweihrauch lacking of any new information I will mark this as answered. If you have further questions, feel free to open another discussion.