baseid_wallet_core/

matcher.rs

//! Credential matching against presentation requests.
//!
//! Provides matching logic for finding stored credentials that satisfy a
//! presentation request, supporting both DIF Presentation Exchange and DCQL
//! (Digital Credentials Query Language) query formats.

use crate::error::WalletError;
use crate::presenter::CredentialMatch;
use crate::{AnyCredential, CredentialRecord};
use baseid_core::types::CredentialFormat;

/// A presentation request — either DIF Presentation Exchange or DCQL.
#[derive(Debug, Clone)]
pub enum PresentationRequest {
    /// DIF Presentation Exchange definition.
    PresentationExchange(baseid_oid4vp::PresentationDefinition),
    /// Digital Credentials Query Language query.
    Dcql(baseid_oid4vp::DcqlQuery),
}

impl PresentationRequest {
    /// Try to parse a presentation request from a JSON value.
    ///
    /// If the value has an `"input_descriptors"` field, it is treated as a
    /// Presentation Exchange definition. If it has a `"credentials"` field,
    /// it is treated as a DCQL query. Otherwise, returns an error.
    pub fn from_value(value: &serde_json::Value) -> baseid_core::Result<Self> {
        if value.get("input_descriptors").is_some() {
            let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(value.clone())
                .map_err(|e| {
                WalletError::MatchingFailed(format!("failed to parse PresentationDefinition: {e}"))
            })?;
            Ok(PresentationRequest::PresentationExchange(pd))
        } else if value.get("credentials").is_some() {
            let query: baseid_oid4vp::DcqlQuery =
                serde_json::from_value(value.clone()).map_err(|e| {
                    WalletError::MatchingFailed(format!("failed to parse DcqlQuery: {e}"))
                })?;
            Ok(PresentationRequest::Dcql(query))
        } else {
            Err(WalletError::MatchingFailed("unknown request format".to_string()).into())
        }
    }
}

/// Check whether a descriptor format map is compatible with the given credential format.
///
/// The format field in a PE InputDescriptor is a JSON object where keys are format
/// identifiers (e.g. `"jwt_vc_json"`, `"mso_mdoc"`, `"dc+sd-jwt"`).
fn format_matches_pe(format_value: &serde_json::Value, cred_format: CredentialFormat) -> bool {
    let obj = match format_value.as_object() {
        Some(o) => o,
        None => return false,
    };
    for key in obj.keys() {
        let compatible = match key.as_str() {
            "jwt_vc" | "jwt_vc_json" | "ldp_vc" => cred_format == CredentialFormat::W3cVc,
            "mso_mdoc" => cred_format == CredentialFormat::Mdl,
            "dc+sd-jwt" | "vc+sd-jwt" => cred_format == CredentialFormat::SdJwtVc,
            _ => false,
        };
        if compatible {
            return true;
        }
    }
    false
}

/// Extract the last segment of a JSONPath-like path string.
///
/// For example, `"$.credentialSubject.degree"` returns `"degree"`,
/// and `"$.vc.type"` returns `"type"`.
fn path_last_segment(path: &str) -> &str {
    path.rsplit('.').next().unwrap_or(path)
}

/// Check whether a field path plausibly matches a W3C VC credential.
///
/// This performs simplified matching — it does not implement full JSONPath
/// evaluation. Instead, it checks whether the path references known VC fields
/// (type, credentialSubject keys) and whether those fields exist.
fn field_matches_w3c_vc(vc: &baseid_vc::VerifiableCredential, path: &str) -> bool {
    let lower = path.to_lowercase();

    // Paths referencing credential type
    if lower.contains("type") {
        return !vc.r#type.is_empty();
    }

    // Paths referencing credentialSubject fields
    if lower.contains("credentialsubject") {
        let segment = path_last_segment(path);
        if segment.eq_ignore_ascii_case("credentialSubject") {
            // Path is just "$.credentialSubject" — match if subject exists
            return true;
        }
        // Check if the credential_subject has the referenced key
        if let Some(obj) = vc.credential_subject.as_object() {
            return obj.contains_key(segment);
        }
        return false;
    }

    // For any other path, optimistically match — the credential could plausibly
    // contain the field (we lack full JSONPath support).
    true
}

/// Match stored credentials against a Presentation Exchange definition.
///
/// For each input descriptor, iterates over stored credentials and returns
/// a [`CredentialMatch`] for each credential that satisfies the descriptor's
/// format and field constraints.
pub fn match_credentials_pe(
    credentials: &[CredentialRecord],
    definition: &baseid_oid4vp::PresentationDefinition,
) -> Vec<CredentialMatch> {
    let mut matches = Vec::new();

    for descriptor in &definition.input_descriptors {
        for record in credentials {
            // Check format compatibility
            if let Some(ref fmt) = descriptor.format {
                if !format_matches_pe(fmt, record.credential.credential_format()) {
                    continue;
                }
            }

            // Check field constraints
            let mut matching_fields = Vec::new();
            let mut any_field_matched = descriptor.constraints.fields.is_empty();

            for field in &descriptor.constraints.fields {
                let field_matched = field.path.iter().any(|path| match &record.credential {
                    AnyCredential::W3cVc(vc) => field_matches_w3c_vc(vc, path),
                    AnyCredential::Mdoc(_) => {
                        // For mDocs, optimistically match any path
                        true
                    }
                    AnyCredential::SdJwtVc(_) => {
                        // For SD-JWT, optimistically match any path
                        true
                    }
                    AnyCredential::Bbs(_) => {
                        // For BBS+, optimistically match any path
                        true
                    }
                    AnyCredential::AnonCreds(cred) => {
                        // For AnonCreds, check if the path references a known attribute
                        let segment = path_last_segment(path);
                        cred.values.contains_key(segment)
                    }
                });

                if field_matched {
                    any_field_matched = true;
                    // Add all path variants for this field to matching_fields
                    for path in &field.path {
                        matching_fields.push(path.clone());
                    }
                }
            }

            if any_field_matched {
                matches.push(CredentialMatch {
                    credential_id: record.id.clone(),
                    format: record.credential.credential_format(),
                    matching_fields,
                });
            }
        }
    }

    matches
}

/// Check whether a DCQL format string is compatible with the given credential format.
fn format_matches_dcql(dcql_format: &str, cred_format: CredentialFormat) -> bool {
    match dcql_format {
        "dc+sd-jwt" | "vc+sd-jwt" => cred_format == CredentialFormat::SdJwtVc,
        "mso_mdoc" => cred_format == CredentialFormat::Mdl,
        "jwt_vc_json" | "ldp_vc" => cred_format == CredentialFormat::W3cVc,
        _ => false,
    }
}

/// Check whether a W3C VC's type array contains any of the required type arrays.
///
/// `type_values` is a list of acceptable type arrays. The credential matches if
/// its type array contains all elements of at least one of the acceptable arrays.
fn vc_type_matches(vc: &baseid_vc::VerifiableCredential, type_values: &[Vec<String>]) -> bool {
    type_values.iter().any(|required_types| {
        required_types
            .iter()
            .all(|required| vc.r#type.iter().any(|t| t == required))
    })
}

/// Match stored credentials against a DCQL query.
///
/// For each credential request in the query, iterates over stored credentials
/// and returns a [`CredentialMatch`] for each credential that satisfies the
/// format, metadata, and claim constraints.
pub fn match_credentials_dcql(
    credentials: &[CredentialRecord],
    query: &baseid_oid4vp::DcqlQuery,
) -> Vec<CredentialMatch> {
    let mut matches = Vec::new();

    for dcql_cred in &query.credentials {
        for record in credentials {
            // Step 1: Filter by format
            if !format_matches_dcql(&dcql_cred.format, record.credential.credential_format()) {
                continue;
            }

            // Step 2: Apply metadata filters if present
            if let Some(ref meta) = dcql_cred.meta {
                match &record.credential {
                    AnyCredential::W3cVc(vc) => {
                        // Check type_values for W3C VC
                        if let Some(ref type_values) = meta.type_values {
                            if !vc_type_matches(vc, type_values) {
                                continue;
                            }
                        }
                    }
                    AnyCredential::Mdoc(_mdoc) => {
                        // For mDocs, doctype_value would check doc_type.
                        // Simplified: format already matched, so we accept it.
                    }
                    AnyCredential::SdJwtVc(_) => {
                        // For SD-JWT, vct_values would check the vct claim.
                        // Simplified: format already matched, so we accept it.
                    }
                    AnyCredential::Bbs(_) => {
                        // For BBS+, metadata matching not yet implemented.
                        // Simplified: format already matched, so we accept it.
                    }
                    AnyCredential::AnonCreds(_) => {
                        // For AnonCreds, metadata matching not yet implemented.
                        // Simplified: format already matched, so we accept it.
                    }
                }
            }

            // Step 3: Collect claim paths as matching_fields
            let matching_fields: Vec<String> = dcql_cred
                .claims
                .iter()
                .map(|claim| claim.path.join("."))
                .collect();

            matches.push(CredentialMatch {
                credential_id: record.id.clone(),
                format: record.credential.credential_format(),
                matching_fields,
            });
        }
    }

    matches
}

#[cfg(test)]
mod tests {
    use super::*;
    use baseid_core::types::CredentialId;
    use baseid_vc::credential::Issuer;
    use baseid_vc::VerifiableCredential;

    /// Helper to create a W3C VC with given types and credential_subject.
    fn make_vc(types: &[&str], subject: serde_json::Value) -> CredentialRecord {
        let vc = VerifiableCredential {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            id: None,
            r#type: types.iter().map(|s| s.to_string()).collect(),
            issuer: Issuer::Uri("did:key:z6Mk-test-issuer".to_string()),
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: None,
            credential_subject: subject,
            credential_status: None,
            proof: None,
        };
        CredentialRecord {
            id: CredentialId(format!("vc-{}", types.last().unwrap_or(&"unknown"))),
            credential: AnyCredential::W3cVc(vc),
            raw: None,
        }
    }

    /// Helper to create an SD-JWT credential record.
    fn make_sd_jwt(id: &str) -> CredentialRecord {
        let sd_jwt = baseid_sd_jwt::SdJwt {
            jwt: "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJkaWQ6a2V5OnRlc3QifQ.sig"
                .to_string(),
            disclosures: vec![],
            key_binding_jwt: None,
        };
        CredentialRecord {
            id: CredentialId(id.to_string()),
            credential: AnyCredential::SdJwtVc(sd_jwt),
            raw: None,
        }
    }

    /// Helper to create an mDL credential record.
    fn make_mdoc(id: &str) -> CredentialRecord {
        let mdoc = baseid_mdl::MobileDocument {
            doc_type: "org.iso.18013.5.1.mDL".to_string(),
            namespaces: std::collections::BTreeMap::new(),
        };
        CredentialRecord {
            id: CredentialId(id.to_string()),
            credential: AnyCredential::Mdoc(mdoc),
            raw: None,
        }
    }

    // ---------------------------------------------------------------
    // PresentationRequest::from_value tests
    // ---------------------------------------------------------------

    #[test]
    fn parse_pe_request() {
        let value = serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": { "fields": [] }
            }]
        });
        let req = PresentationRequest::from_value(&value).unwrap();
        assert!(matches!(req, PresentationRequest::PresentationExchange(_)));
    }

    #[test]
    fn parse_dcql_request() {
        let value = serde_json::json!({
            "credentials": [{
                "id": "cred-1",
                "format": "dc+sd-jwt"
            }]
        });
        let req = PresentationRequest::from_value(&value).unwrap();
        assert!(matches!(req, PresentationRequest::Dcql(_)));
    }

    #[test]
    fn parse_unknown_request() {
        let value = serde_json::json!({ "foo": "bar" });
        let result = PresentationRequest::from_value(&value);
        assert!(result.is_err());
    }

    // ---------------------------------------------------------------
    // match_credentials_pe tests
    // ---------------------------------------------------------------

    #[test]
    fn pe_match_by_format() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "UniversityDegreeCredential"],
            serde_json::json!({"id": "did:key:holder"}),
        )];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": { "fields": [] },
                "format": { "jwt_vc_json": {} }
            }]
        }))
        .unwrap();

        let results = match_credentials_pe(&creds, &pd);
        assert_eq!(results.len(), 1);
        assert_eq!(results[0].format, CredentialFormat::W3cVc);
    }

    #[test]
    fn pe_match_by_field_path() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "UniversityDegreeCredential"],
            serde_json::json!({"degree": {"type": "BachelorDegree"}}),
        )];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": {
                    "fields": [{
                        "path": ["$.credentialSubject.degree"]
                    }]
                }
            }]
        }))
        .unwrap();

        let results = match_credentials_pe(&creds, &pd);
        assert_eq!(results.len(), 1);
        assert!(results[0]
            .matching_fields
            .contains(&"$.credentialSubject.degree".to_string()));
    }

    #[test]
    fn pe_no_match_wrong_format() {
        let creds = vec![make_vc(
            &["VerifiableCredential"],
            serde_json::json!({"id": "did:key:holder"}),
        )];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": { "fields": [] },
                "format": { "mso_mdoc": {} }
            }]
        }))
        .unwrap();

        let results = match_credentials_pe(&creds, &pd);
        assert!(results.is_empty());
    }

    #[test]
    fn pe_multiple_descriptors() {
        let creds = vec![
            make_vc(
                &["VerifiableCredential", "UniversityDegreeCredential"],
                serde_json::json!({"degree": "BSc"}),
            ),
            make_sd_jwt("sd-jwt-1"),
        ];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [
                {
                    "id": "desc-vc",
                    "constraints": { "fields": [] },
                    "format": { "jwt_vc_json": {} }
                },
                {
                    "id": "desc-sd",
                    "constraints": { "fields": [] },
                    "format": { "dc+sd-jwt": {} }
                }
            ]
        }))
        .unwrap();

        let results = match_credentials_pe(&creds, &pd);
        assert_eq!(results.len(), 2);

        let formats: Vec<CredentialFormat> = results.iter().map(|m| m.format).collect();
        assert!(formats.contains(&CredentialFormat::W3cVc));
        assert!(formats.contains(&CredentialFormat::SdJwtVc));
    }

    // ---------------------------------------------------------------
    // match_credentials_dcql tests
    // ---------------------------------------------------------------

    #[test]
    fn dcql_match_by_format() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "IDCredential"],
            serde_json::json!({"id": "did:key:holder"}),
        )];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "jwt_vc_json"
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert_eq!(results.len(), 1);
        assert_eq!(results[0].format, CredentialFormat::W3cVc);
    }

    #[test]
    fn dcql_match_sd_jwt_format() {
        let creds = vec![make_sd_jwt("sd-1")];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "dc+sd-jwt",
                "claims": [
                    {"path": ["family_name"]},
                    {"path": ["given_name"]}
                ]
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert_eq!(results.len(), 1);
        assert_eq!(results[0].format, CredentialFormat::SdJwtVc);
        assert_eq!(
            results[0].matching_fields,
            vec!["family_name", "given_name"]
        );
    }

    #[test]
    fn dcql_no_match() {
        let creds = vec![make_vc(&["VerifiableCredential"], serde_json::json!({}))];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "mso_mdoc"
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert!(results.is_empty());
    }

    #[test]
    fn dcql_match_vc_type() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "IDCredential"],
            serde_json::json!({"name": "Alice"}),
        )];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "jwt_vc_json",
                "meta": {
                    "type_values": [["IDCredential"]]
                },
                "claims": [
                    {"path": ["name"]}
                ]
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert_eq!(results.len(), 1);
        assert_eq!(results[0].matching_fields, vec!["name"]);
    }

    #[test]
    fn dcql_no_match_wrong_vc_type() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "UniversityDegreeCredential"],
            serde_json::json!({}),
        )];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "jwt_vc_json",
                "meta": {
                    "type_values": [["IDCredential"]]
                }
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert!(results.is_empty());
    }

    #[test]
    fn dcql_match_mdoc_format() {
        let creds = vec![make_mdoc("mdoc-1")];
        let query: baseid_oid4vp::DcqlQuery = serde_json::from_value(serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "mso_mdoc",
                "meta": {
                    "doctype_value": "org.iso.18013.5.1.mDL"
                },
                "claims": [
                    {"path": ["org.iso.18013.5.1", "given_name"]}
                ]
            }]
        }))
        .unwrap();

        let results = match_credentials_dcql(&creds, &query);
        assert_eq!(results.len(), 1);
        assert_eq!(results[0].format, CredentialFormat::Mdl);
        assert_eq!(
            results[0].matching_fields,
            vec!["org.iso.18013.5.1.given_name"]
        );
    }

    #[test]
    fn pe_field_path_credential_subject_missing_key() {
        let creds = vec![make_vc(
            &["VerifiableCredential"],
            serde_json::json!({"name": "Alice"}),
        )];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": {
                    "fields": [{
                        "path": ["$.credentialSubject.degree"]
                    }]
                }
            }]
        }))
        .unwrap();

        // "degree" is not in credential_subject, so no match
        let results = match_credentials_pe(&creds, &pd);
        assert!(results.is_empty());
    }

    #[test]
    fn pe_field_path_type_matches() {
        let creds = vec![make_vc(
            &["VerifiableCredential", "IDCredential"],
            serde_json::json!({}),
        )];
        let pd: baseid_oid4vp::PresentationDefinition = serde_json::from_value(serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": {
                    "fields": [{
                        "path": ["$.vc.type"]
                    }]
                }
            }]
        }))
        .unwrap();

        let results = match_credentials_pe(&creds, &pd);
        assert_eq!(results.len(), 1);
        assert!(results[0]
            .matching_fields
            .contains(&"$.vc.type".to_string()));
    }
}