import { RoleCredentialSubject } from '@energyweb/credential-governance'; import { VerifiableCredential } from '@ew-did-registry/credentials-interface'; import { Algorithms } from '@ew-did-registry/jwt'; import { IServiceEndpoint } from '@ew-did-registry/did-resolver-interface'; import { CacheClient } from '../cache-client/cache-client.service'; import { DomainsService } from '../domains/domains.service'; import { SignerService } from '../signer/signer.service'; import { Claim, GetClaimsByRequesterOptions, GetClaimsByIssuerOptions, GetClaimsBySubjectOptions, CreateClaimRequestOptions, IssueClaimRequestOptions, RegisterOnchainOptions, RejectClaimRequestOptions, DeleteClaimOptions, IssueClaimOptions, PublishPublicClaimOptions, CreateSelfSignedClaimOptions, GetUserClaimsOptions, RevokeClaimOptions, RevokeMultipleClaimOptions, IsClaimRevokedOptions, ClaimRevocationDetailsOptions, ClaimRevocationDetailsResult, GetClaimsByRevokerOptions, CredentialVerificationResult } from './claims.types'; import { RoleEIP191JWT, IssuerResolver } from '@energyweb/vc-verification'; import { DidRegistry } from '../did-registry/did-registry.service'; import { ClaimData } from '../did-registry/did.types'; import { VerifiableCredentialsServiceBase } from '../verifiable-credentials'; /** * Service responsible for handling the request and issuance of claims. * See more information about claims in IAM stack [here](../../../docs/guides/claim.md). * * ```typescript * const { connectToCacheServer } = await initWithPrivateKeySigner(privateKey, rpcUrl); * const { connectToDidRegistry } = await connectToCacheServer(); * const { claimsService } = await connectToDidRegistry(); * claimsService.getClaimById(claim.id); * ``` */ export declare class ClaimsService { private _signerService; private _domainsService; private _cacheClient; private _didRegistry; private _verifiableCredentialService; private _claimManager; private _claimManagerInterface; private _claimRevocation; private _issuerVerification; private _issuerResolver?; private _credentialResolver; private _statusVerifier; constructor(_signerService: SignerService, _domainsService: DomainsService, _cacheClient: CacheClient, _didRegistry: DidRegistry, _verifiableCredentialService: VerifiableCredentialsServiceBase); static create(signerService: SignerService, domainsService: DomainsService, cacheClient: CacheClient, didRegistry: DidRegistry, verifiableCredentialService: VerifiableCredentialsServiceBase): Promise; init(): Promise; setIssuerResolver(issuerResolver: IssuerResolver): void; /** * A utility function to check the blockchain directly if a DID has a role. * * ```typescript * claimsService.hasOnChainRole('did:ethr:ewc:0x00...0', 'email.roles.iam.ewc', 1); * ``` * * @param {string} did The ethr DID to check * @param {string} role The role to check (the full namespace) * @param {number} version The version to check * @return `true` if DID has role at the version. `false` if not. */ hasOnChainRole(did: string, role: string, version: number): Promise; /** * Retrieve claims related to a given subjects. * * ```typescript * claimsService.getClaimsBySubjects(['did:ethr:0x00...0', 'did:ethr:0x00...1', ...]); * ``` * * @param {Array} subjects list of subjects * @returns list of claims */ getClaimsBySubjects(subjects: string[]): Promise; /** * Retrieve claims requested by a given requester with allowing filter by status and parent namespace. * * ```typescript * claimsService.getClaimsByRequester({ * did: 'did:ethr:0x00...0', * isAccepted: false, * namespace: 'energyweb.iam.ewc', * }); * ``` * * @param {GetClaimsByRequesterOptions} options object containing options * @returns list of claims */ getClaimsByRequester({ did, isAccepted, namespace, }: GetClaimsByRequesterOptions): Promise; /** * Retrieve claims issued by a given issuer with allowing filter by status and parent namespace. * * ```typescript * claimsService.getClaimsByIssuer({ * did: 'did:ethr:0x00...0', * isAccepted: false, * namespace: 'energyweb.iam.ewc', * }); * ``` * * @param {GetClaimsByIssuerOptions} options object containing options * @returns list of claims */ getClaimsByIssuer({ did, isAccepted, namespace, }: GetClaimsByIssuerOptions): Promise; /** * Retrieve claims for given subject with allowing filter by status and parent namespace. * * ```typescript * claimsService.getClaimsBySubject({ * did: 'did:ethr:0x00...0', * isAccepted: false, * namespace: 'energyweb.iam.ewc', * }); * ``` * * @param {GetClaimsBySubjectOptions} options object containing options * @returns list of claims */ getClaimsBySubject({ did, isAccepted, namespace, }: GetClaimsBySubjectOptions): Promise; /** * Retrieve all claims that a user can revoke. Allow to filter by namespace * * ```typescript * claimsService.getClaimsByRevoker({ * did: 'did:ethr:0x00...0', * namespace: 'energyweb.iam.ewc', * }); * ``` * * @param {GetClaimsByRevokerOptions} options * @return list of claims */ getClaimsByRevoker({ did, namespace, }: GetClaimsByRevokerOptions): Promise; /** * Retrieve claim with given id. * * ```typescript * const claimId = '7281a130-e2b1-430d-8c14-201010eae901'; * claimsService.getClaimById(claimId); * ``` * * @param {string} claimId claim id * @return claim with given id */ getClaimById(claimId: string): Promise; /** * Allows subject to request for credential by creating and sending a claim request to claim issuer. * * ```typescript * claimsService.createClaimRequest({ * claim: { * claimType: 'email.roles.energyweb.iam.ewc', * claimTypeVersion: 1, * requestorFields: [{key: 'foo', value: 'bar'}], * }; * subject: 'did:ethr:0x00...0', * registrationTypes: [RegistrationTypes.OnChain, RegistrationTypes.OffChain] * }); * ``` * * @param {CreateClaimRequestOptions} options object containing options */ createClaimRequest({ claim, subject, registrationTypes, }: CreateClaimRequestOptions): Promise; /** * Issue a claim request by signing both off-chain and on-chain request and persisting result to the cache-server. * Optionally, issue on-chain role can be submitted to the ClaimManager contract as well. * If `credentialStatus` is not overridden then status from ssi-hub will be set. * * ```typescript * const claim: Claim = await claimsService.getClaimById('7281a130-e2b1-430d-8c14-201010eae901'); * claimsService.issueClaimRequest({ * requester: claim.requester, * token: claim.token, * id: claim.id, * subjectAgreement: claim.subjectAgreement, * registrationTypes: claim.registrationTypes; * issuerFields: [{key: 'foo', value: 'bar'}], * publishOnChain: false, * }); * ``` * * @param {IssueClaimRequestOptions} options object containing options */ issueClaimRequest({ requester, token, id: requestId, subjectAgreement, registrationTypes, issuerFields, publishOnChain, credentialStatusOverride, expirationTimestamp, }: IssueClaimRequestOptions): Promise; /** * Register issued on-chain claim on Claim Manager contract Can be used by asset owners to register credentials on-chain for their assets. * * ```typescript * const claim: Claim = await claimsService.getClaimById('7281a130-e2b1-430d-8c14-201010eae901'); * claimsService.registerOnchain({ * claimType: claim.claimType, * claimTypeVersion: claim.claimTypeVersion, * subjectAgreement: claim.subjectAgreement, * onChainProof: claim.onChainProof, * acceptedBy: claim.acceptedBy; * subject: claim.subject, * }); * ``` * * @param {RegisterOnchainOptions} claim object containing options */ registerOnchain(claim: RegisterOnchainOptions): Promise; /** * Reject claim request. * * ```typescript * const claim: Claim = await claimsService.getClaimById('7281a130-e2b1-430d-8c14-201010eae901'); * claimsService.rejectClaimRequest({ * id: claim.id, * requesterDID: claim.requester, * rejectionReason: 'some reason', * }); * ``` * * @param {RejectClaimRequestOptions} options object containing options */ rejectClaimRequest({ id: rejectClaimRequestId, requesterDID, rejectionReason, }: RejectClaimRequestOptions): Promise; /** * Delete claim request. Works only for pending claims (not issued or rejected). * * ```typescript * claimsService.deleteClaim({ * id: '7281a130-e2b1-430d-8c14-201010eae901', * }); * ``` * * @param {DeleteClaimOptions} options object containing options */ deleteClaim({ id: deleteClaimId }: DeleteClaimOptions): Promise; /** * Issue claim without previous request. Option available for issuers only. * If `credentialStatus` is not overridden then status from ssi-hub will be set. * * ```typescript * claimsService.issueClaim({ * claim: { * claimType: 'email.roles.energyweb.iam.ewc', * claimTypeVersion: 1, * issuerFields: [{key: 'foo', value: 'bar'}], * }; * subject: 'did:ethr:0x00...0', * registrationTypes: [RegistrationTypes.OnChain, RegistrationTypes.OffChain] * }); * ``` * * @param {IssueClaimOptions} options object containing options * @return Issued token if registrationTypes includes RegistrationTypes.OffChain */ issueClaim({ subject, registrationTypes, claim, credentialStatusOverride, expirationTimestamp, }: IssueClaimOptions): Promise; /** * Generates claim id or returns id of existing claim with same data * @param {ClaimData} param.claimData - claim data * @returns claim identifier */ getClaimId({ claimData }: { claimData: ClaimData; }): Promise; /** * Register role to claim manager contract if registrationTypes includes RegistrationTypes.OnChain * Publish role to IPFS and add DID document service if registrationTypes includes RegistrationTypes.OffChain * * ```typescript * const claim: Claim = await claimsService.getClaimById('7281a130-e2b1-430d-8c14-201010eae901'); * claimsService.publishPublicClaim({ * claim: { * token: claim.token, * claimType: claim.claimType, * }; * registrationTypes: claim.registrationTypes, * }); * ``` * * @param {PublishPublicClaimOptions} options object containing options * @return URl to IPFS if registrationTypes includes RegistrationTypes.OffChain */ publishPublicClaim({ token, // backward compatibility registrationTypes, claim, }: PublishPublicClaimOptions): Promise; /** * Creates self signed off-chain claim with `data` and adds it to `subject` document. Signer must own or control subject. * * ```typescript * claimsService.createSelfSignedClaim({ * data: { * claimType: 'email.roles.energyweb.iam.ewc', * claimTypeVersion: 1, * issuerFields: [{key: 'foo', value: 'bar'}], * profile: { * name: 'John Doe', * birthdate: '1990-01-01', * address: '123 Main St', * }, * }, * subject: 'did:ethr:volta:0x00...0', * }); * ``` * * @param {CreateSelfSignedClaimOptions} options object containing options * @return URl to IPFS */ createSelfSignedClaim({ data, subject, }: CreateSelfSignedClaimOptions): Promise; /** * Get published off-chain claims of the given subject. * * ```typescript * claimsService.getUserClaims({ * did: 'did:ethr:0x00...0', * }); * ``` * * @param {GetUserClaimsOptions} options object containing options * @returns Claims containing DID document service endpoints */ getUserClaims({ did, }: GetUserClaimsOptions): Promise<(IServiceEndpoint & Pick)[]>; /** * Create a public claim to prove identity. * * ```typescript * claimsService.createIdentityProof(); * ``` * * @return JWT token of created identity */ createIdentityProof(): Promise; /** * Create a public claim to prove identity. * * ```typescript * claimsService.createDelegateProof( * '245a40a9...776071ca57cec', * 'did:ethr:0x00...0', * Algorithms.EIP191, * ); * ``` * * @param {String} delegateKey Private key of the delegate in hexadecimal format * @param {String} identity DID of the delegate * @param {String} algorithm Algorithm used to sign the delegate (EIP191 and ES256 available) * * @return JWT token of delegate */ createDelegateProof(delegateKey: string, identity: string, algorithm?: Algorithms): Promise; /** * Get `namespace` from claim type. * * ```typescript * claimsService.getNamespaceFromClaimType( * 'email.roles.energyweb.iam.ewc' * ); * ``` * * @param {String} claimType Private key of the delegate in hexadecimal format * * @return Namespace of given claim type */ getNamespaceFromClaimType(claimType: string): string; /** * Revoke On-Chain issued claim by `claimId` or given `namespace` and `subject`. Required `claimId` or `claim` parameters. * * ```typescript * claimsService.revokeClaim({ * claim: { * namespace: 'root.roles.energyweb.iam.ewc', * subject: 'did:ethr:volta:0x00...0', * }, * registrationTypes = [RegistrationTypes.OnChain, RegistrationTypes.OffChain], * }); * ``` * or * ```typescript * claimsService.revokeClaim({ * claimId: claim.id, * registrationTypes = [RegistrationTypes.OnChain, RegistrationTypes.OffChain], * }); * ``` * * @param {RevokeClaimOptions} options object containing options * @return true if claim was revoked */ revokeClaim(options: RevokeClaimOptions): Promise; /** * Revoke On-Chain issued claims of the given namespace for multiple subjects. Namespace must be the same for all subjects. * Specify `claims` or `claimIds` parameters. * * ```typescript * claimsService.revokeMultipleClaim({ * claims: [{ * namespace: 'root.roles.energyweb.iam.ewc', * subject: 'did:ethr:volta:0x00...0', * registrationTypes = [RegistrationTypes.OnChain, RegistrationTypes.OffChain], * }, * { * namespace: 'root.roles.energyweb.iam.ewc', * subject: 'did:ethr:volta:0x00...1', * registrationTypes = [RegistrationTypes.OnChain], * }], * }); * ``` * or * ```typescript * claimsService.revokeMultipleClaim({ * claimIds: ['245a40a9...776071ca57cec', '245a40a9...776071ca57cec'], * }); * ``` * * @param {RevokeMultipleClaimOptions} options object containing options */ revokeMultipleClaim({ claimIds, claims, }: RevokeMultipleClaimOptions): Promise; /** * Check if On-Chain claim is revoked. * * ```typescript * claimsService.isClaimRevoked({ * claim: { * namespace: 'root.roles.energyweb.iam.ewc', * subject: 'did:ethr:volta:0x00...0', * }, * }); * ``` * or * ```typescript * claimsService.isClaimRevoked({ * claimId: claim.id, * }); * ``` * * @param {IsClaimRevokedOptions} options object containing options * @return true if claim is revoked */ isClaimRevoked(options: IsClaimRevokedOptions): Promise; /** * Get the revocation details for a subject's On-Chain claim. Returns the revoker and revocationTimeStamp for the revocation. * * ```typescript * claimsService.claimRevocationDetails({ * claim: { * namespace: 'root.roles.energyweb.iam.ewc', * subject: 'did:ethr:volta:0x00...0', * }, * }); * ``` * or * ```typescript * claimsService.claimRevocationDetails({ * claimId: claim.id, * }); * ``` * * @param {ClaimRevocationDetailsOptions} options object containing options * @return revocation details */ claimRevocationDetails(options: ClaimRevocationDetailsOptions): Promise; /** * Pick up the claim from the params and return the claim data. * Choose `claimId` first, then `claim`. Throw an error if both are missing. * * @param {GetRevocationClaimDetailsOptions} data claim data or claim id * @return claim data */ private getRevocationClaimDetails; /** * Remove `fields` from claim data. * * @param {ClaimData} data Claim data to remove fields from * @return Claim data without fields */ private stripClaimData; /** * Validates publish public claim parameters depending on off-chain or on-chain registration type. Throws relevant error on invalid data. * * @param {Array} registrationTypes Registration types of the claim * @param {Object} claim `token` and `claimType` of the claim */ private validatePublishPublicClaimRequest; /** * Verify if the user is an authorized issuer of a role * * @param {String} role Registration types of the claim */ private verifyIssuer; /** * Verify claim request prerequisites for given role and subject. Throws relevant error on invalid data. * * @param {VerifyEnrolmentPrerequisitesOptions} options object containing options */ private verifyEnrolmentPrerequisites; /** * Create verifiable credential and wrap it into verifiable presentation. * * @param {VerifyEnrolmentPrerequisitesOptions} options object containing options * @return JSON representation of verifiable presentation */ private issueVerifiablePresentation; /** * Extract data from claim token. * * @param {String} token JWT token containing claimType, version and subject * @return Claim data */ private extractClaimRequest; /** * Create subject agreement signature. * * @param {ApproveRolePublishingOptions} options object containing options * @return subject agreement signature */ private approveRolePublishing; /** * Create on-chain proof signature. * * @param {String} role role claim type * @param {Number} version role version * @param {Number} expiry time in seconds when the claim expires * @param {String} subject DID of the subject * * @return on-chain proof signature */ private createOnChainProof; /** * Verifies: * - That credential proof is valid * - That credential was issued by authorized issuer * - That credential was not revoked * * @param {VerifiableCredential): Promise; /** * Verifies: * - That off-chain claim was issued by authorized issuer * - That off-chain claim proof is valid * * @param {OffChainClaim} off chain claim to verify * @return Boolean indicating if verified and array of error messages */ verifyRoleEIP191JWT(roleEIP191JWT: RoleEIP191JWT): Promise; /** * Fetch a credential from storage * * @param subjectDID The DID to try to resolve a credential for * @param roleNamesapce The role to try to get a credential for. Should be a full role namespace (for example, "myrole.roles.myorg.auth.ewc") * @return credential if available or undefined if not */ fetchCredential(subjectDID: string, roleNamespace: string): Promise | RoleEIP191JWT | undefined>; /** * Resolve a credential from storage and verify its proof/signature and its issuer's authority * * @param subjectDID The DID to try to resolve a credential for * @param roleNamesapce The role to try to get a credential for. Should be a full role namespace (for example, "myrole.roles.myorg.auth.ewc") * @return void. Returns "Proof Not Verified" error if VC not verified. Returns error if issuer not verified */ resolveCredentialAndVerify(subjectDID: string, roleNamespace: string): Promise; /** * * Set the Verifier for Claim Issuance. * */ private _setIssuerVerifier; private _setStatusVerifier; private _getDefaultIssuerResolver; }