baseid_wallet_core/

wallet.rs

//! Wallet orchestrator — composes storage, matching, and presentation.

use baseid_core::credential::CredentialSummary;
use baseid_core::types::CredentialId;

use crate::holder::WalletStore;
use crate::matcher::{self, PresentationRequest};
use crate::presenter::CredentialMatch;
use crate::receive;
use crate::{AnyCredential, CredentialFilter, CredentialRecord};

/// A digital identity wallet that manages credentials.
///
/// Generic over the store implementation — use `InMemoryStore` for testing,
/// encrypted stores for production.
pub struct Wallet<S: WalletStore> {
    store: S,
    holder_did: String,
}

impl<S: WalletStore> Wallet<S> {
    /// Create a new wallet with the given store and holder DID.
    pub fn new(store: S, holder_did: String) -> Self {
        Self { store, holder_did }
    }

    /// Receive credentials from an OID4VCI response and store them.
    pub async fn receive_credential(
        &self,
        response: &baseid_oid4vci::credential::CredentialResponse,
        format_hint: &str,
    ) -> baseid_core::Result<Vec<CredentialId>> {
        receive::receive_oid4vci_credential(&self.store, response, format_hint).await
    }

    /// Find credentials matching a presentation request (PE or DCQL).
    pub async fn find_matching_credentials(
        &self,
        request: &serde_json::Value,
    ) -> baseid_core::Result<Vec<CredentialMatch>> {
        let pr = PresentationRequest::from_value(request)?;
        // Get all credentials as CredentialRecords for the matcher
        let summaries = self
            .store
            .list_credentials(CredentialFilter::default())
            .await?;
        let mut records = Vec::new();
        for summary in &summaries {
            let cred = self.store.get_credential(&summary.metadata.id).await?;
            records.push(CredentialRecord {
                id: summary.metadata.id.clone(),
                credential: cred,
                raw: None,
            });
        }
        Ok(match pr {
            PresentationRequest::PresentationExchange(pd) => {
                matcher::match_credentials_pe(&records, &pd)
            }
            PresentationRequest::Dcql(dcql) => matcher::match_credentials_dcql(&records, &dcql),
        })
    }

    /// List all stored credentials with optional filtering.
    pub async fn list_credentials(
        &self,
        filter: CredentialFilter,
    ) -> baseid_core::Result<Vec<CredentialSummary>> {
        self.store.list_credentials(filter).await
    }

    /// Get a credential by ID.
    pub async fn get_credential(&self, id: &CredentialId) -> baseid_core::Result<AnyCredential> {
        self.store.get_credential(id).await
    }

    /// Delete a credential.
    pub async fn delete_credential(&self, id: &CredentialId) -> baseid_core::Result<()> {
        self.store.delete_credential(id).await
    }

    /// Get the holder DID.
    pub fn holder_did(&self) -> &str {
        &self.holder_did
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::store::InMemoryStore;
    use baseid_core::types::{CredentialFormat, KeyType};
    use baseid_crypto::KeyPair;
    use baseid_did::DidKeyResolver;
    use baseid_oid4vci::credential::{CredentialEntry, CredentialResponse};
    use baseid_vc::credential::Issuer;
    use baseid_vc::VerifiableCredential;

    /// Create a signed JWT VC for testing.
    fn make_signed_vc(type_name: &str, subject: serde_json::Value) -> (String, KeyPair, String) {
        let kp = KeyPair::generate(KeyType::Ed25519).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();
        let kid = doc.verification_method[0].id.clone();

        let vc = VerifiableCredential {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            id: None,
            r#type: vec!["VerifiableCredential".to_string(), type_name.to_string()],
            issuer: Issuer::Uri(doc.id.clone()),
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: None,
            credential_subject: subject,
            credential_status: None,
            proof: None,
        };
        let jwt = baseid_vc::sign_credential_jwt(&vc, &kp, &kid).unwrap();
        (jwt, kp, doc.id)
    }

    /// Build a mock OID4VCI CredentialResponse containing a JWT string.
    fn mock_credential_response(jwt: &str) -> CredentialResponse {
        CredentialResponse {
            credentials: Some(vec![CredentialEntry {
                credential: serde_json::Value::String(jwt.to_string()),
            }]),
            transaction_id: None,
            notification_id: None,
            interval: None,
        }
    }

    /// Build a deferred OID4VCI CredentialResponse (no credentials).
    fn mock_deferred_response() -> CredentialResponse {
        CredentialResponse {
            credentials: None,
            transaction_id: Some("txn-deferred-1".to_string()),
            notification_id: None,
            interval: Some(5),
        }
    }

    /// Helper: create a wallet, sign a VC, receive it, return the wallet and credential IDs.
    async fn wallet_with_vc(
        type_name: &str,
        subject: serde_json::Value,
    ) -> (Wallet<InMemoryStore>, Vec<CredentialId>) {
        let (jwt, _kp, holder_did) = make_signed_vc(type_name, subject);
        let wallet = Wallet::new(InMemoryStore::new(), holder_did);
        let response = mock_credential_response(&jwt);
        let ids = wallet
            .receive_credential(&response, "jwt_vc_json")
            .await
            .unwrap();
        (wallet, ids)
    }

    // ------------------------------------------------------------------
    // Phase 4: Wallet orchestrator tests
    // ------------------------------------------------------------------

    #[tokio::test]
    async fn wallet_new() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        assert_eq!(wallet.holder_did(), "did:key:holder");
    }

    #[tokio::test]
    async fn wallet_list_empty() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let list = wallet
            .list_credentials(CredentialFilter::default())
            .await
            .unwrap();
        assert!(list.is_empty());
    }

    #[tokio::test]
    async fn wallet_receive_and_list() {
        let (wallet, ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder", "degree": {"type": "BachelorDegree"}}),
        )
        .await;

        assert_eq!(ids.len(), 1);
        let list = wallet
            .list_credentials(CredentialFilter::default())
            .await
            .unwrap();
        assert_eq!(list.len(), 1);
    }

    #[tokio::test]
    async fn wallet_receive_and_get() {
        let (wallet, ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder", "degree": {"type": "BachelorDegree"}}),
        )
        .await;

        let cred = wallet.get_credential(&ids[0]).await.unwrap();
        assert_eq!(cred.credential_format(), CredentialFormat::W3cVc);
        match &cred {
            AnyCredential::W3cVc(vc) => {
                assert!(vc
                    .r#type
                    .contains(&"UniversityDegreeCredential".to_string()));
            }
            _ => panic!("Expected W3cVc variant"),
        }
    }

    #[tokio::test]
    async fn wallet_delete() {
        let (wallet, ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder"}),
        )
        .await;

        wallet.delete_credential(&ids[0]).await.unwrap();
        let list = wallet
            .list_credentials(CredentialFilter::default())
            .await
            .unwrap();
        assert!(list.is_empty());
    }

    #[tokio::test]
    async fn wallet_find_matching_pe() {
        let (wallet, _ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder", "degree": {"type": "BachelorDegree"}}),
        )
        .await;

        let pe_request = serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "degree",
                "constraints": {
                    "fields": [{
                        "path": ["$.credentialSubject.degree"]
                    }]
                },
                "format": {"jwt_vc_json": {}}
            }]
        });

        let matches = wallet.find_matching_credentials(&pe_request).await.unwrap();
        assert_eq!(matches.len(), 1);
        assert_eq!(matches[0].format, CredentialFormat::W3cVc);
        assert!(matches[0]
            .matching_fields
            .contains(&"$.credentialSubject.degree".to_string()));
    }

    #[tokio::test]
    async fn wallet_find_matching_dcql() {
        let (wallet, _ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder", "degree": {"type": "BachelorDegree"}}),
        )
        .await;

        let dcql_request = serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "jwt_vc_json",
                "meta": {
                    "type_values": [["UniversityDegreeCredential"]]
                },
                "claims": [
                    {"path": ["degree"]}
                ]
            }]
        });

        let matches = wallet
            .find_matching_credentials(&dcql_request)
            .await
            .unwrap();
        assert_eq!(matches.len(), 1);
        assert_eq!(matches[0].format, CredentialFormat::W3cVc);
        assert_eq!(matches[0].matching_fields, vec!["degree"]);
    }

    #[tokio::test]
    async fn wallet_find_no_match() {
        let (wallet, _ids) = wallet_with_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder"}),
        )
        .await;

        // Request mDL format — the stored VC won't match
        let dcql_request = serde_json::json!({
            "credentials": [{
                "id": "req-1",
                "format": "mso_mdoc"
            }]
        });

        let matches = wallet
            .find_matching_credentials(&dcql_request)
            .await
            .unwrap();
        assert!(matches.is_empty());
    }

    #[tokio::test]
    async fn e2e_issue_store_match() {
        // Full flow: sign VC -> wrap as OID4VCI response -> receive -> match against PD
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let doc = DidKeyResolver::create(&kp.public).unwrap();
        let kid = doc.verification_method[0].id.clone();

        let vc = VerifiableCredential {
            context: vec!["https://www.w3.org/ns/credentials/v2".to_string()],
            id: None,
            r#type: vec![
                "VerifiableCredential".to_string(),
                "UniversityDegreeCredential".to_string(),
            ],
            issuer: Issuer::Uri(doc.id.clone()),
            valid_from: Some("2024-01-01T00:00:00Z".to_string()),
            valid_until: None,
            credential_subject: serde_json::json!({
                "id": "did:key:holder",
                "degree": {"type": "BachelorDegree"}
            }),
            credential_status: None,
            proof: None,
        };
        let jwt = baseid_vc::sign_credential_jwt(&vc, &kp, &kid).unwrap();

        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let response = mock_credential_response(&jwt);
        let ids = wallet
            .receive_credential(&response, "jwt_vc_json")
            .await
            .unwrap();
        assert_eq!(ids.len(), 1);

        // Match with a PE definition
        let pe = serde_json::json!({
            "id": "pd-e2e",
            "input_descriptors": [{
                "id": "degree",
                "constraints": {
                    "fields": [{
                        "path": ["$.credentialSubject.degree"]
                    }]
                },
                "format": {"jwt_vc_json": {}}
            }]
        });

        let matches = wallet.find_matching_credentials(&pe).await.unwrap();
        assert_eq!(matches.len(), 1);
        assert_eq!(matches[0].credential_id, ids[0]);
        assert_eq!(matches[0].format, CredentialFormat::W3cVc);
        assert!(matches[0]
            .matching_fields
            .contains(&"$.credentialSubject.degree".to_string()));

        // Verify we can get the stored credential back
        let cred = wallet.get_credential(&ids[0]).await.unwrap();
        match &cred {
            AnyCredential::W3cVc(stored_vc) => {
                assert!(stored_vc
                    .r#type
                    .contains(&"UniversityDegreeCredential".to_string()));
                assert_eq!(
                    stored_vc.credential_subject["degree"]["type"],
                    "BachelorDegree"
                );
            }
            _ => panic!("Expected W3cVc variant"),
        }
    }

    #[tokio::test]
    async fn wallet_receive_multiple_formats() {
        let (jwt_vc, _kp, holder_did) = make_signed_vc(
            "UniversityDegreeCredential",
            serde_json::json!({"id": "did:key:holder"}),
        );

        let wallet = Wallet::new(InMemoryStore::new(), holder_did);

        // Receive a JWT VC
        let vc_response = mock_credential_response(&jwt_vc);
        let vc_ids = wallet
            .receive_credential(&vc_response, "jwt_vc_json")
            .await
            .unwrap();
        assert_eq!(vc_ids.len(), 1);

        // Receive an SD-JWT credential
        let sd_jwt = baseid_sd_jwt::SdJwt {
            jwt: "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJ0ZXN0In0.c2ln"
                .to_string(),
            disclosures: vec![],
            key_binding_jwt: None,
        };
        let compact = sd_jwt.serialize();
        let sd_response = CredentialResponse {
            credentials: Some(vec![CredentialEntry {
                credential: serde_json::Value::String(compact),
            }]),
            transaction_id: None,
            notification_id: None,
            interval: None,
        };
        let sd_ids = wallet
            .receive_credential(&sd_response, "dc+sd-jwt")
            .await
            .unwrap();
        assert_eq!(sd_ids.len(), 1);

        // List all — should be 2
        let all = wallet
            .list_credentials(CredentialFilter::default())
            .await
            .unwrap();
        assert_eq!(all.len(), 2);

        // Filter by W3C VC format
        let vc_only = wallet
            .list_credentials(CredentialFilter {
                format: Some(CredentialFormat::W3cVc),
                issuer: None,
            })
            .await
            .unwrap();
        assert_eq!(vc_only.len(), 1);
        assert_eq!(vc_only[0].metadata.format, CredentialFormat::W3cVc);

        // Filter by SD-JWT format
        let sd_only = wallet
            .list_credentials(CredentialFilter {
                format: Some(CredentialFormat::SdJwtVc),
                issuer: None,
            })
            .await
            .unwrap();
        assert_eq!(sd_only.len(), 1);
        assert_eq!(sd_only[0].metadata.format, CredentialFormat::SdJwtVc);
    }

    // ------------------------------------------------------------------
    // Phase 5: Hardening edge case tests
    // ------------------------------------------------------------------

    #[tokio::test]
    async fn wallet_get_nonexistent() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let result = wallet
            .get_credential(&CredentialId("nonexistent".to_string()))
            .await;
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn wallet_delete_nonexistent() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let result = wallet
            .delete_credential(&CredentialId("nonexistent".to_string()))
            .await;
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn wallet_find_matching_empty_store() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let pe_request = serde_json::json!({
            "id": "pd-1",
            "input_descriptors": [{
                "id": "desc-1",
                "constraints": { "fields": [] },
                "format": {"jwt_vc_json": {}}
            }]
        });

        let matches = wallet.find_matching_credentials(&pe_request).await.unwrap();
        assert!(matches.is_empty());
    }

    #[tokio::test]
    async fn wallet_receive_deferred() {
        let wallet = Wallet::new(InMemoryStore::new(), "did:key:holder".to_string());
        let response = mock_deferred_response();
        let ids = wallet
            .receive_credential(&response, "jwt_vc_json")
            .await
            .unwrap();
        assert!(ids.is_empty());
        let list = wallet
            .list_credentials(CredentialFilter::default())
            .await
            .unwrap();
        assert!(list.is_empty());
    }
}