JSON syntax documentation

Access Token

access_token -> {
    policy_object,
    context
}

Policy object

policy_object -> {
    (
        obligation_deny,
        obligation_grant,
        policy_doc,
        policy_goc
    )
    | HASH
}

Policy_GoC & Policy_DoC

"policy_goc" | "policy_doc": {
    LOGICAL_OPERATOR | CONDITION
}

Example

  • policy_goc/policy_doc may contain only nested logical operators and conditions; conditional operators and obligation lists (oblg_lists) are not allowed inside them
"policy_goc": {
    "operation": "and",
    "attribute_list": [
        {
            CONDITION_1
        },
        {
            CONDITION_2
        }
    ]
}

Obligation_Grant & Obligation_Deny

"obligation_grant" | "obligation_deny": {
    CONDITIONAL_OPERATOR | OBLG_LIST
}

Example

  • obligation_grant/obligation_deny may contain nested conditions and logical operators in addition to conditional operators and obligation lists (oblg_lists)
"obligation_grant": {
    "operation": "if",
    "attribute_list": [
        {
            LOGICAL_OPERATOR : [
                CONDITION_1,
                CONDITION_2
            ]
        },
        {
            [
                "type": "obligation",
                "value": "log_event"
            ]
        },
        {
            [
                "type": "obligation",
                "value": ""
            ]
        }
    ]
}

Logical operator

LOGICAL_OPERATOR = "operation": "and", "attribute_list"
                 | "operation": "or", "attribute_list"
                 | "operation": "not", "attribute_list"
LOGICAL_OPERATOR -> [
    LOGICAL_OPERATOR | CONDITIONAL_OPERATOR | CONDITION
]

alternative

LOGICAL_OPERATOR = "$and" | "$or"  
LOGICAL_OPERATOR -> [ LOGICAL_OPERATOR | CONDITION ]
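  • Open question: what should a LOGICAL_OPERATOR with no conditions evaluate to? This is not yet specified. An empty "and" is vacuously true in many evaluators, so the case should be defined explicitly (e.g. rejected as malformed) rather than left to the implementation.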

Example

  • "and" and "or" may have up to n conditions
  • "not" usually has one condition; with more than one condition it should be understood as an element-wise not (applied to each condition individually)
"operation": "and",
"attribute_list": [
    {
        CONDITION_1
    },
    {
        CONDITION_2
    }
]
"operation": "or",
"attribute_list": [
    {
        CONDITION_1
    },
    {
        CONDITION_2
    },
    {
        CONDITION_3
    }
]
"operation": "not",
"attribute_list": [
    {
        CONDITION_1
    }
]

alternative

POLICY: {
    LOGICAL_OPERATOR : [
        CONDITION_1,
        CONDITION_2,
        LOGICAL_OPERATOR  : [
            CONDITION_1,
            CONDITION_2
        ]
    ]
}
  • The condition types "object", "subject" and "action" are required within the POLICY.

Conditional operator

CONDITIONAL_OPERATOR = "operation": "if", "attribute_list"
                     | "operation": "case", "attribute_list"
CONDITIONAL_OPERATOR -> [
    {
        LOGICAL_OPERATOR | CONDITIONAL_OPERATOR | CONDITION 
    },
    [
        LOGICAL_OPERATOR | CONDITIONAL_OPERATOR | OBLG_LIST
    ]
]

Example

  • "if" usually has a non-empty oblg_list in the "then" arm and one empty oblg_list in the "else" arm
  • "case" may have up to n arms; the last arm should be a catch-all arm
"operation": "if",
"attribute_list": [
    {
        CONDITION
    },
    {
        OBLG_LIST_1
    },
    {
        OBLG_LIST_2
    }
]
"operation": "case",
"attribute_list": [
    {
        CONDITION_1
    },
    {
        OBLG_LIST_1
    },
    {
        CONDITION_2
    },
    {
        OBLG_LIST_2
    },
    {
        CONDITION_3
    },
    {
        OBLG_LIST_3
    }
]

Condition

CONDITION = {
    METHOD,
    OPERATOR,
    TERM
}
CONDITION = {
    METHOD,
    OPERATOR,
    TERM_1,
    TERM_N
}

Special condition types

CONDITION = {
    CONSTANT,
    METHOD,
    OPERATOR,
    TERM
}
CONDITION = {
    CONSTANT,
    METHOD,
    OPERATOR,
    TERM_1,
    TERM_N
}

Constant

CONSTANT -> "object" | "subject" | "action"

Hash

HASH -> String

Method

METHOD -> "<reversed internet domain>_<package name>_<package version (v0.0.0)>_<sub package>.<sub package>. ..."

Example

METHOD : "org.ietf_crypto.conditions_v2.0.0_prefix.sha.256.validate"

Operator

OPERATOR -> "eq" | "le" | "ge" | "ne" | "lt" | "gt" | "true"

Term

TERM -> CONTEXT_REFERENCE | TERM_DESCRIPTION

Term_Description

TERM_DESCRIPTION = {
    DATA_TYPE,
    VALUE
}
TERM_DESCRIPTION = {
    DATA_TYPE,
    METHOD,
    PARAM
}
TERM_DESCRIPTION = {
    DATA_TYPE,
    METHOD
}
TERM_DESCRIPTION = {
    DATA_TYPE,
    METHOD,
    PARAM_1,
    PARAM_N
}

Example

DATA_TYPE : "io.xain_primitive_v1.0.0_int.8",
VALUE : 3
DATA_TYPE : "io.xain_primitive_v1.0.0_int.256",
METHOD : "io.eos_token_v1.0.0_get.balanceOf"
PARAM : "0x131...312"

Data_Type

DATA_TYPE -> "<reversed internet domain>_<package name>_<package version (v0.0.0)>_<sub package>.<sub package>. ..."

Example

DATA_TYPE : "org.ietf_crypto.conditions_v2.0.0_ed25519.condition.uri"

Value

VALUE -> String | Number | Bool

Param

PARAM -> String | Number | Bool

Context_Reference

CONTEXT_REFERENCE = "context.<IDENTITY>.references.ref_<Number>"

Identity

IDENTITY = "owner" | "delegator_1" | "delegator_N"

Decision

EVAL(POLICY) = DECISION
DECISION = "grant" | "deny"

Obligation

OBLIGATION -> {
    DECISION ("grant") -> [ FUNCTION ],
    DECISION ("deny") -> [ FUNCTION ]
}
OBLIGATION -> {}

Oblg_List

OBLG_LIST -> [
    String
]

Function

FUNCTION = {
    METHOD
}
FUNCTION = {
    METHOD,
    TERM
}
FUNCTION = {
    METHOD,
    TERM_1,
    TERM_N
}

Example

{
    method : "org.openvehicle_api_v1.23.1_vehicle.log",
    term : {
        type : "io.xain_primitive_v1.0.0_int.256",
        method : "io.eos_token_v1.0.0_get.balanceOf",
        param : "0x131...312"
    }
}
  • If we want to log the execution of the access token, the PDP should provide an API for it (e.g. pdp.getExecutedConditions)

Context

CONTEXT -> {
    IDENTITY ("owner") -> CONTEXT_OBJECT,
    IDENTITY ("delegator_1") -> CONTEXT_OBJECT
}
CONTEXT -> {
    IDENTITY ("owner") -> CONTEXT_OBJECT
}

Context_Object

CONTEXT_OBJECT = {
    REFERENCES,
    ENVELOPE,
    ENVELOPE_SIGNATURE
}

References

REFERENCES -> {
    "ref_<Number>" -> TERM_DESCRIPTION
}

Envelope

ENVELOPE -> [ ACCESS_TOKEN_OBJECTS ]

Example

ENVELOPE : ["policy", "obligation", "context.<IDENTITY>.references"]

Access_Token_Objects

ACCESS_TOKEN_OBJECTS = "policy" | "obligation" | "context.<IDENTITY>.references"

Envelope_Signature

ENVELOPE_SIGNATURE -> CONDITION