feat: Add support for referenced_assertions and roles (#1032)

(Q&D implementation: Will work on better testing in a day or three.)

Author: scouten-adobe

cawg_identity/src/builder/identity_assertion_builder.rs

@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use std::collections::HashSet;
+
 use async_trait::async_trait;
 use c2pa::dynamic_assertion::{
     AsyncDynamicAssertion, DynamicAssertion, DynamicAssertionContent, PartialClaim,
@@ -34,7 +36,8 @@ use crate::{builder::AsyncCredentialHolder, IdentityAssertion, SignerPayload};
 /// [`IdentityAssertionSigner`]: crate::builder::IdentityAssertionSigner
 pub struct IdentityAssertionBuilder {
     credential_holder: Box<dyn CredentialHolder>,
-    // referenced_assertions: Vec<MumbleSomething>,
+    referenced_assertions: HashSet<String>,
+    roles: Vec<String>,
 }
 
 impl IdentityAssertionBuilder {
@@ -43,6 +46,30 @@ impl IdentityAssertionBuilder {
     pub fn for_credential_holder<CH: CredentialHolder + 'static>(credential_holder: CH) -> Self {
         Self {
             credential_holder: Box::new(credential_holder),
+            referenced_assertions: HashSet::new(),
+            roles: vec![],
+        }
+    }
+
+    /// Add assertion labels to consider as referenced_assertions.
+    ///
+    /// If any of these labels match assertions that are present in the partial
+    /// claim submitted during signing, they will be added to the
+    /// `referenced_assertions` list for this identity assertion.
+    pub fn add_referenced_assertions(&mut self, labels: &[&str]) {
+        for label in labels {
+            self.referenced_assertions.insert(label.to_string());
+        }
+    }
+
+    /// Add roles to attach to the named actor for this identity assertion.
+    ///
+    /// See [§5.1.2, “Named actor roles,”] for more information.
+    ///
+    /// [§5.1.2, “Named actor roles,”]: https://cawg.io/identity/1.1-draft/#_named_actor_roles
+    pub fn add_roles(&mut self, roles: &[&str]) {
+        for role in roles {
+            self.roles.push(role.to_string());
         }
     }
 }
@@ -64,20 +91,31 @@ impl DynamicAssertion for IdentityAssertionBuilder {
         size: Option<usize>,
         claim: &PartialClaim,
     ) -> c2pa::Result<DynamicAssertionContent> {
-        // TO DO: Better filter for referenced assertions.
-        // For now, just require hard binding.
-
         // TO DO: Update to respond correctly when identity assertions refer to each
         // other.
         let referenced_assertions = claim
             .assertions()
-            .filter(|a| a.url().contains("c2pa.assertions/c2pa.hash."))
+            .filter(|a| {
+                // Always accept the hard binding assertion.
+                if a.url().contains("c2pa.assertions/c2pa.hash.") {
+                    return true;
+                }
+
+                let label = if let Some((_, label)) = a.url().rsplit_once('/') {
+                    label.to_string()
+                } else {
+                    a.url()
+                };
+
+                self.referenced_assertions.contains(&label)
+            })
             .cloned()
             .collect();
 
         let signer_payload = SignerPayload {
             referenced_assertions,
             sig_type: self.credential_holder.sig_type().to_owned(),
+            roles: self.roles.clone(),
         };
 
         let signature_result = self.credential_holder.sign(&signer_payload);
@@ -100,7 +138,9 @@ pub struct AsyncIdentityAssertionBuilder {
 
     #[cfg(target_arch = "wasm32")]
     credential_holder: Box<dyn AsyncCredentialHolder>,
-    // referenced_assertions: Vec<MumbleSomething>,
+
+    referenced_assertions: HashSet<String>,
+    roles: Vec<String>,
 }
 
 impl AsyncIdentityAssertionBuilder {
@@ -111,6 +151,30 @@ impl AsyncIdentityAssertionBuilder {
     ) -> Self {
         Self {
             credential_holder: Box::new(credential_holder),
+            referenced_assertions: HashSet::new(),
+            roles: vec![],
+        }
+    }
+
+    /// Add assertion labels to consider as referenced_assertions.
+    ///
+    /// If any of these labels match assertions that are present in the partial
+    /// claim submitted during signing, they will be added to the
+    /// `referenced_assertions` list for this identity assertion.
+    pub fn add_referenced_assertions(&mut self, labels: &[&str]) {
+        for label in labels {
+            self.referenced_assertions.insert(label.to_string());
+        }
+    }
+
+    /// Add roles to attach to the named actor for this identity assertion.
+    ///
+    /// See [§5.1.2, “Named actor roles,”] for more information.
+    ///
+    /// [§5.1.2, “Named actor roles,”]: https://cawg.io/identity/1.1-draft/#_named_actor_roles
+    pub fn add_roles(&mut self, roles: &[&str]) {
+        for role in roles {
+            self.roles.push(role.to_string());
         }
     }
 }
@@ -134,20 +198,31 @@ impl AsyncDynamicAssertion for AsyncIdentityAssertionBuilder {
         size: Option<usize>,
         claim: &PartialClaim,
     ) -> c2pa::Result<DynamicAssertionContent> {
-        // TO DO: Better filter for referenced assertions.
-        // For now, just require hard binding.
-
         // TO DO: Update to respond correctly when identity assertions refer to each
         // other.
         let referenced_assertions = claim
             .assertions()
-            .filter(|a| a.url().contains("c2pa.assertions/c2pa.hash."))
+            .filter(|a| {
+                // Always accept the hard binding assertion.
+                if a.url().contains("c2pa.assertions/c2pa.hash.") {
+                    return true;
+                }
+
+                let label = if let Some((_, label)) = a.url().rsplit_once('/') {
+                    label.to_string()
+                } else {
+                    a.url()
+                };
+
+                self.referenced_assertions.contains(&label)
+            })
             .cloned()
             .collect();
 
         let signer_payload = SignerPayload {
             referenced_assertions,
             sig_type: self.credential_holder.sig_type().to_owned(),
+            roles: self.roles.clone(),
         };
 
         let signature_result = self.credential_holder.sign(&signer_payload).await;

cawg_identity/src/identity_assertion/signer_payload.rs

@@ -37,7 +37,12 @@ pub struct SignerPayload {
 
     /// A string identifying the data type of the `signature` field
     pub sig_type: String,
-    // TO DO: Add role and expected_* fields.
+
+    /// Roles associated with the named actor
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    #[serde(rename = "role")]
+    pub roles: Vec<String>,
+    // TO DO: Add expected_* fields.
     // (https://github.com/contentauth/c2pa-rs/issues/816)
 }
 

cawg_identity/src/tests/claim_aggregation/interop.rs

@@ -85,6 +85,7 @@ async fn adobe_connected_identities() {
                 None,
                 &hex_literal::hex!("58514c7072376d453164794f783477317a716e4f63716159325a594d686a5031526c7a552f7877614259383d")
             )],
+            roles: vec!(),
             sig_type: "cawg.identity_claims_aggregation".to_owned(),
         }
     );

cawg_identity/src/tests/identity_assertion/built_in_signature_verifier.rs

@@ -179,6 +179,7 @@ async fn adobe_connected_identities() {
                 None,
                 &hex_literal::hex!("58514c7072376d453164794f783477317a716e4f63716159325a594d686a5031526c7a552f7877614259383d")
             )],
+            roles: vec!(),
             sig_type: "cawg.identity_claims_aggregation".to_owned(),
         }
     );

cawg_identity/src/tests/identity_assertion/signer_payload.rs

@@ -33,6 +33,7 @@ fn impl_clone() {
 
     let signer_payload = SignerPayload {
         referenced_assertions: vec![{ data_hash_ref }],
+        roles: vec![],
         sig_type: "NONSENSE".to_owned(),
     };