Revocation hotfixes

aries_cloudagent/issuer/base.py

@@ -143,7 +143,7 @@ async def create_credential(
     @abstractmethod
     async def revoke_credentials(
         self, revoc_reg_id: str, tails_file_path: str, cred_revoc_ids: Sequence[str]
-    ) -> str:
+    ) -> (str, Sequence[str]):
         """
         Revoke a set of credentials in a revocation registry.
 
@@ -153,7 +153,7 @@ async def revoke_credentials(
             cred_revoc_ids: sequences of credential indexes in the revocation registry
 
         Returns:
-            the combined revocation delta
+            Tuple with the combined revocation delta, list of cred rev ids not revoked
 
         """
 

aries_cloudagent/issuer/indy.py

@@ -211,7 +211,7 @@ async def create_credential(
             (
                 credential_json,
                 credential_revocation_id,
-                revoc_reg_delta_json,
+                _,  # rev_reg_delta_json only figures if rev reg is ISSUANCE_ON_DEMAND
             ) = await indy.anoncreds.issuer_create_credential(
                 self.wallet.handle,
                 json.dumps(credential_offer),
@@ -236,7 +236,7 @@ async def create_credential(
 
     async def revoke_credentials(
         self, revoc_reg_id: str, tails_file_path: str, cred_revoc_ids: Sequence[str]
-    ) -> str:
+    ) -> (str, Sequence[str]):
         """
         Revoke a set of credentials in a revocation registry.
 
@@ -246,26 +246,46 @@ async def revoke_credentials(
             cred_revoc_ids: sequences of credential indexes in the revocation registry
 
         Returns:
-            the combined revocation delta
+            Tuple with the combined revocation delta, list of cred rev ids not revoked
 
         """
+        failed_crids = []
         tails_reader_handle = await create_tails_reader(tails_file_path)
 
         result_json = None
         for cred_revoc_id in cred_revoc_ids:
             with IndyErrorHandler("Exception when revoking credential", IssuerError):
-                # may throw AnoncredsInvalidUserRevocId if using ISSUANCE_ON_DEMAND
-                delta_json = await indy.anoncreds.issuer_revoke_credential(
-                    self.wallet.handle, tails_reader_handle, revoc_reg_id, cred_revoc_id
-                )
+                try:
+                    delta_json = await indy.anoncreds.issuer_revoke_credential(
+                        self.wallet.handle,
+                        tails_reader_handle,
+                        revoc_reg_id,
+                        cred_revoc_id,
+                    )
+                except IndyError as error:
+                    if error.error_code == ErrorCode.AnoncredsInvalidUserRevocId:
+                        self.logger.error(
+                            "Abstaining from revoking credential on "
+                            f"rev reg id {revoc_reg_id}, cred rev id={cred_revoc_id}: "
+                            "already revoked or not yet issued"
+                        )
+                    else:
+                        self.logger.error(
+                            IndyErrorHandler.wrap_error(
+                                error, "Revocation error", IssuerError
+                            ).roll_up
+                        )
+                    failed_crids.append(cred_revoc_id)
+                    continue
+
                 if result_json:
                     result_json = await self.merge_revocation_registry_deltas(
                         result_json, delta_json
                     )
                 else:
                     result_json = delta_json
 
-        return result_json
+        return (result_json, failed_crids)
 
     async def merge_revocation_registry_deltas(
         self, fro_delta: str, to_delta: str

aries_cloudagent/issuer/tests/test_indy.py

@@ -191,13 +191,99 @@ async def test_create_revoke_credentials(
 
         mock_indy_revoke_credential.return_value = json.dumps(TEST_RR_DELTA)
         mock_indy_merge_rr_deltas.return_value = json.dumps(TEST_RR_DELTA)
-        result = await self.issuer.revoke_credentials(
+        (result, failed) = await self.issuer.revoke_credentials(
             REV_REG_ID, tails_file_path="dummy", cred_revoc_ids=test_cred_rev_ids
         )
         assert json.loads(result) == TEST_RR_DELTA
+        assert not failed
         assert mock_indy_revoke_credential.call_count == 2
         mock_indy_merge_rr_deltas.assert_called_once()
 
+    @async_mock.patch("indy.anoncreds.issuer_create_credential")
+    @async_mock.patch("aries_cloudagent.issuer.indy.create_tails_reader")
+    @async_mock.patch("indy.anoncreds.issuer_revoke_credential")
+    @async_mock.patch("indy.anoncreds.issuer_merge_revocation_registry_deltas")
+    async def test_create_revoke_credentials_x(
+        self,
+        mock_indy_merge_rr_deltas,
+        mock_indy_revoke_credential,
+        mock_tails_reader,
+        mock_indy_create_credential,
+    ):
+        test_schema = {"attrNames": ["attr1"]}
+        test_offer = {
+            "schema_id": SCHEMA_ID,
+            "cred_def_id": CRED_DEF_ID,
+            "key_correctness_proof": {"c": "...", "xz_cap": "...", "xr_cap": ["..."]},
+            "nonce": "...",
+        }
+        test_request = {"test": "request"}
+        test_values = {"attr1": "value1"}
+        test_cred = {
+            "schema_id": SCHEMA_ID,
+            "cred_def_id": CRED_DEF_ID,
+            "rev_reg_id": REV_REG_ID,
+            "values": {"attr1": {"raw": "value1", "encoded": "123456123899216581404"}},
+            "signature": {"...": "..."},
+            "signature_correctness_proof": {"...": "..."},
+            "rev_reg": {"accum": "21 12E8..."},
+            "witness": {"omega": "21 1369..."},
+        }
+        test_cred_rev_ids = ["42", "54", "103"]
+        test_rr_delta = TEST_RR_DELTA
+        mock_indy_create_credential.side_effect = [
+            (json.dumps(test_cred), cr_id, test_rr_delta,)
+            for cr_id in test_cred_rev_ids
+        ]
+
+        with self.assertRaises(IssuerError):  # missing attribute
+            cred_json, revoc_id = await self.issuer.create_credential(
+                test_schema, test_offer, test_request, {}
+            )
+
+        (cred_json, cred_rev_id) = await self.issuer.create_credential(  # main line
+            test_schema,
+            test_offer,
+            test_request,
+            test_values,
+            REV_REG_ID,
+            "/tmp/tails/path/dummy",
+        )
+        mock_indy_create_credential.assert_called_once()
+        (
+            call_wallet,
+            call_offer,
+            call_request,
+            call_values,
+            call_etc1,
+            call_etc2,
+        ) = mock_indy_create_credential.call_args[0]
+        assert call_wallet is self.wallet.handle
+        assert json.loads(call_offer) == test_offer
+        assert json.loads(call_request) == test_request
+        values = json.loads(call_values)
+        assert "attr1" in values
+
+        mock_indy_revoke_credential.side_effect = [
+            json.dumps(TEST_RR_DELTA),
+            IndyError(
+                error_code=ErrorCode.AnoncredsInvalidUserRevocId,
+                error_details={"message": "already revoked"},
+            ),
+            IndyError(
+                error_code=ErrorCode.UnknownCryptoTypeError,
+                error_details={"message": "truly an outlier"},
+            ),
+        ]
+        mock_indy_merge_rr_deltas.return_value = json.dumps(TEST_RR_DELTA)
+        (result, failed) = await self.issuer.revoke_credentials(
+            REV_REG_ID, tails_file_path="dummy", cred_revoc_ids=test_cred_rev_ids
+        )
+        assert json.loads(result) == TEST_RR_DELTA
+        assert failed == ["54", "103"]
+        assert mock_indy_revoke_credential.call_count == 3
+        mock_indy_merge_rr_deltas.assert_not_called()
+
     @async_mock.patch("indy.anoncreds.issuer_create_credential")
     @async_mock.patch("aries_cloudagent.issuer.indy.create_tails_reader")
     async def test_create_credential_rr_full(

aries_cloudagent/messaging/tests/test_valid.py

@@ -13,8 +13,8 @@
     DID_KEY,
     ENDPOINT,
     INDY_CRED_DEF_ID,
+    INDY_CRED_REV_ID,
     INDY_DID,
-    INT_EPOCH,
     INDY_EXTRA_WQL,
     INDY_ISO8601_DATETIME,
     INDY_PREDICATE,
@@ -23,6 +23,7 @@
     INDY_SCHEMA_ID,
     INDY_VERSION,
     INDY_WQL,
+    INT_EPOCH,
     NATURAL_NUM,
     JWS_HEADER_KID,
     JWT,
@@ -200,6 +201,15 @@ def test_rev_reg_id(self):
             "Q4zqM7aXqm7gDQkUVLng9h:2:bc-reg:1.0:tag:CL_ACCUM:0"
         )  # long
 
+    def test_cred_rev_id(self):
+        non_cred_rev_ids = ["Wg", "0", "-5", "3.14"]
+        for non_cred_rev_id in non_cred_rev_ids:
+            with self.assertRaises(ValidationError):
+                INDY_CRED_REV_ID["validate"](non_cred_rev_id)
+
+        INDY_CRED_REV_ID["validate"]("1")
+        INDY_CRED_REV_ID["validate"]("99999999")
+
     def test_version(self):
         non_versions = ["-1", "", "3_5", "3.5a"]
         for non_version in non_versions:

aries_cloudagent/messaging/valid.py

@@ -212,6 +212,21 @@ def __init__(self):
         )
 
 
+class IndyCredRevId(Regexp):
+    """Validate value against indy credential revocation identifier specification."""
+
+    EXAMPLE = "12345"
+    PATTERN = rf"^[1-9][0-9]*$"
+
+    def __init__(self):
+        """Initializer."""
+
+        super().__init__(
+            IndyCredRevId.PATTERN,
+            error="Value {input} is not an indy credential revocation identifier",
+        )
+
+
 class IndyPredicate(OneOf):
     """Validate value against indy predicate."""
 
@@ -426,6 +441,7 @@ def __init__(self):
 INDY_SCHEMA_ID = {"validate": IndySchemaId(), "example": IndySchemaId.EXAMPLE}
 INDY_CRED_DEF_ID = {"validate": IndyCredDefId(), "example": IndyCredDefId.EXAMPLE}
 INDY_REV_REG_ID = {"validate": IndyRevRegId(), "example": IndyRevRegId.EXAMPLE}
+INDY_CRED_REV_ID = {"validate": IndyCredRevId(), "example": IndyCredRevId.EXAMPLE}
 INDY_VERSION = {"validate": IndyVersion(), "example": IndyVersion.EXAMPLE}
 INDY_PREDICATE = {"validate": IndyPredicate(), "example": IndyPredicate.EXAMPLE}
 INDY_ISO8601_DATETIME = {