feat: fully-qualified credential type (#949)

* FQCT on presentation query

* add tests for multiple scope variants

* fix some tests, add new ones

* clean up code

* fix tests

* source doc

Author: paullatzelsperger

core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/CredentialResourceLookup.java

@@ -33,6 +33,9 @@
 public class CredentialResourceLookup extends ReflectionPropertyLookup {
     @Override
     public Object getProperty(String key, Object object) {
+        if (key.endsWith("@context")) {
+            key = key.replace("@context", "context");
+        }
         var fieldValue = super.getProperty(key, object);
         if (fieldValue instanceof Instant) {
             fieldValue = fieldValue.toString();
@@ -43,6 +46,7 @@ public Object getProperty(String key, Object object) {
             return fieldValue.toString().replace("\n", "");
         }
 
+
         // the VerifiableCredential has some dynamic types, such as the CredentialSubject
         if (fieldValue == null && key.contains("credentialSubject") && object instanceof VerifiableCredentialResource credentialResource) {
             fieldValue = handleCredentialSubject(key, credentialResource);

core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/EdcScopeToCriterionTransformer.java

@@ -18,6 +18,7 @@
 import org.eclipse.edc.spi.query.Criterion;
 import org.eclipse.edc.spi.result.Result;
 
+import java.util.ArrayList;
 import java.util.List;
 
 import static org.eclipse.edc.spi.result.Result.failure;
@@ -39,29 +40,39 @@
  */
 public class EdcScopeToCriterionTransformer implements ScopeToCriterionTransformer {
     public static final String TYPE_OPERAND = "verifiableCredential.credential.type";
+    // this has to include the "@" for Postgres queries to work because they operate on JSON
+    public static final String CONTEXT_OPERAND = "verifiableCredential.credential.@context";
     public static final String ALIAS_LITERAL = "org.eclipse.edc.vc.type";
-    public static final String LIKE_OPERATOR = "like";
     public static final String CONTAINS_OPERATOR = "contains";
     private static final String SCOPE_SEPARATOR = ":";
     private final List<String> allowedOperations = List.of("read", "*", "all");
 
     @Override
-    public Result<Criterion> transform(String scope) {
+    public Result<List<Criterion>> transformScope(String scope) {
         var tokens = tokenize(scope);
         if (tokens.failed()) {
             return failure("Scope string cannot be converted: %s".formatted(tokens.getFailureDetail()));
         }
-        var credentialType = tokens.getContent()[1];
-        return success(new Criterion(TYPE_OPERAND, CONTAINS_OPERATOR, credentialType));
+        var discriminator = tokens.getContent()[1];
+
+        return convertDiscriminator(discriminator);
     }
 
     protected Result<String[]> tokenize(String scope) {
         if (scope == null) return failure("Scope was null");
 
-        var tokens = scope.split(SCOPE_SEPARATOR);
-        if (tokens.length != 3) {
+        var firstSeparatorIndex = scope.indexOf(SCOPE_SEPARATOR);
+        var lastSeparatorIndex = scope.lastIndexOf(SCOPE_SEPARATOR);
+
+        if (firstSeparatorIndex == -1 || lastSeparatorIndex == -1 || firstSeparatorIndex == lastSeparatorIndex) {
             return failure("Scope string has invalid format.");
         }
+
+        var tokens = new String[3];
+        tokens[0] = scope.substring(0, firstSeparatorIndex);
+        tokens[1] = scope.substring(firstSeparatorIndex + 1, lastSeparatorIndex);
+        tokens[2] = scope.substring(lastSeparatorIndex + 1);
+
         if (!ALIAS_LITERAL.equalsIgnoreCase(tokens[0])) {
             return failure("Scope alias MUST be %s but was %s".formatted(ALIAS_LITERAL, tokens[0]));
         }
@@ -71,4 +82,33 @@ protected Result<String[]> tokenize(String scope) {
 
         return success(tokens);
     }
+
+    private Result<List<Criterion>> convertDiscriminator(String discriminator) {
+        if (discriminator == null) {
+            return failure("discriminator was null");
+        }
+
+        var lastHashIndex = discriminator.lastIndexOf("#");
+
+        if (lastHashIndex == -1) {
+            // No hash found, treat entire string as type
+            var typeCriterion = new Criterion(TYPE_OPERAND, CONTAINS_OPERATOR, discriminator);
+            return success(List.of(typeCriterion));
+        }
+
+        var list = new ArrayList<Criterion>();
+        var contextPart = discriminator.substring(0, lastHashIndex);
+        if (!contextPart.isEmpty()) {
+            var contextCriterion = new Criterion(CONTEXT_OPERAND, CONTAINS_OPERATOR, contextPart);
+            list.add(contextCriterion);
+        }
+
+        var typePart = discriminator.substring(lastHashIndex + 1);
+        if (!typePart.isEmpty()) {
+            var typeCriterion = new Criterion(TYPE_OPERAND, CONTAINS_OPERATOR, typePart);
+            list.add(typeCriterion);
+        }
+
+        return success(list);
+    }
 }

core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/CredentialResourceLookupTest.java

@@ -0,0 +1,210 @@
+/*
+ *  Copyright (c) 2026 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.defaults;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.eclipse.edc.iam.verifiablecredentials.spi.model.CredentialFormat;
+import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential;
+import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredentialContainer;
+import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VcStatus;
+import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
+import org.eclipse.edc.jsonld.util.JacksonJsonLd;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.time.Instant;
+import java.util.List;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class CredentialResourceLookupTest {
+
+    private static final String VC_JSON = """
+            {
+              "@context": [
+                "https://www.w3.org/2018/credentials/v1",
+                "https://www.w3.org/2018/credentials/examples/v1",
+                "https://example.org/2026/foo/bar"
+              ],
+              "id": "http://example.edu/credentials/1872",
+              "type": [
+                "VerifiableCredential",
+                "AlumniCredential"
+              ],
+              "issuer": "https://example.edu/issuers/565049",
+              "issuanceDate": "2010-01-01T19:23:24Z",
+              "expirationDate": "2999-01-01T19:23:24Z",
+              "credentialSubject": {
+                "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
+                "alumniOf": {
+                  "id": "did:example:c276e12ec21ebfeb1f712ebc6f1",
+                  "name": "Example University"
+                }
+              },
+              "proof": {
+                "type": "RsaSignature2018",
+                "created": "2017-06-18T21:19:10Z",
+                "proofPurpose": "assertionMethod",
+                "verificationMethod": "https://example.edu/issuers/565049#key-1",
+                "jws": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..TCYt5X"
+              }
+            }
+            """;
+
+    private final ObjectMapper objectMapper = JacksonJsonLd.createObjectMapper();
+    private CredentialResourceLookup lookup;
+
+    @BeforeEach
+    void setUp() {
+        lookup = new CredentialResourceLookup();
+    }
+
+    @Test
+    void getProperty_whenContextFieldRequested_shouldReplaceAtSymbol() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.@context", resource);
+
+        assertThat(result).isNotNull();
+    }
+
+    @Test
+    void getProperty_whenInstantField_shouldReturnString() {
+        var timestamp = Instant.parse("2024-01-01T10:00:00Z");
+        var resource = VerifiableCredentialResource.Builder.newHolder()
+                .id("test-id")
+                .issuerId("test-issuer")
+                .holderId("test-holder")
+                .build();
+        resource.setCredentialStatus(VcStatus.INITIAL);
+
+        var result = lookup.getProperty("timeOfLastStatusUpdate", resource);
+
+        assertThat(result).isInstanceOf(String.class);
+    }
+
+    @Test
+    void getProperty_whenRawVcField_shouldRemoveNewlines() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.rawVc", resource);
+
+        assertThat(result).isInstanceOf(String.class);
+        assertThat((String) result).doesNotContain("\n");
+    }
+
+    @Test
+    void getProperty_whenCredentialSubjectClaim_shouldExtractFromClaims() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.credentialSubject.alumniOf", resource);
+
+        assertThat(result).isNotNull();
+        assertThat(result).isInstanceOf(Map.class);
+        @SuppressWarnings("unchecked")
+        var alumniOf = (Map<String, Object>) result;
+        assertThat(alumniOf).containsEntry("name", "Example University");
+    }
+
+    @Test
+    void getProperty_whenCredentialSubjectNestedClaim_shouldExtractNestedValue() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.credentialSubject.alumniOf.name", resource);
+
+        assertThat(result).isEqualTo("Example University");
+    }
+
+    @Test
+    void getProperty_whenCredentialSubjectClaimNotFound_shouldReturnNull() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.credentialSubject.nonExistentField", resource);
+
+        assertThat(result).isNull();
+    }
+
+    @Test
+    void getProperty_whenCredentialSubjectId_shouldExtractId() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.credentialSubject.id", resource);
+
+        assertThat(result).isInstanceOf(List.class);
+        assertThat((List<String>) result).contains("did:example:ebfeb1f712ebc6f1c276e12ec21");
+    }
+
+    @Test
+    void getProperty_whenStandardField_shouldReturnValue() {
+        var resource = VerifiableCredentialResource.Builder.newHolder()
+                .id("test-resource-id")
+                .issuerId("test-issuer")
+                .holderId("test-holder")
+                .build();
+
+        var result = lookup.getProperty("id", resource);
+
+        assertThat(result).isEqualTo("test-resource-id");
+    }
+
+    @Test
+    void getProperty_whenNestedCredentialField_shouldReturnValue() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.issuer", resource);
+
+        assertThat(result).isNotNull();
+    }
+
+    @Test
+    void getProperty_whenNonExistentField_shouldReturnNull() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("nonExistentField", resource);
+
+        assertThat(result).isNull();
+    }
+
+    @Test
+    void getProperty_whenCredentialType_shouldReturnTypeList() {
+        var resource = createTestResource();
+
+        var result = lookup.getProperty("verifiableCredential.credential.type", resource);
+
+        assertThat(result).isInstanceOf(List.class);
+        @SuppressWarnings("unchecked")
+        var types = (List<String>) result;
+        assertThat(types).containsExactlyInAnyOrder("VerifiableCredential", "AlumniCredential");
+    }
+
+    private VerifiableCredentialResource createTestResource() {
+        try {
+            var credential = objectMapper.readValue(VC_JSON, VerifiableCredential.class);
+            var container = new VerifiableCredentialContainer(VC_JSON, CredentialFormat.VC1_0_LD, credential);
+
+            return VerifiableCredentialResource.Builder.newHolder()
+                    .id("test-id")
+                    .credential(container)
+                    .state(VcStatus.INITIAL)
+                    .issuerId("test-issuer")
+                    .holderId("test-holder")
+                    .build();
+        } catch (JsonProcessingException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}

core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/EdcScopeToCriterionTransformerTest.java

@@ -28,9 +28,11 @@ class EdcScopeToCriterionTransformerTest {
             "org.eclipse.edc.vc.type:TestCredential:*",
             "org.eclipse.edc.vc.type:TestCredential:all",
             "org.eclipse.edc.vc.type:foo:all",
+            "org.eclipse.edc.vc.type:https://example.com/contexts/v1#TestCredential:read",
+            "org.eclipse.edc.vc.type:https://example.com/contexts/v1/#TestCredential:read",
     })
     void transform_validScope(String scope) {
-        assertThat(transformer.transform(scope)).isSucceeded();
+        assertThat(transformer.transformScope(scope)).isSucceeded();
     }
 
     @ParameterizedTest
@@ -40,8 +42,9 @@ void transform_validScope(String scope) {
             "org.eclipse.edc.vc.type:TestCredential:foo",
             "org.eclipse.edc::foo",
             "org.eclipse.edc:foo",
+            "org.eclipse.edc:https://example.com/contexts/v1#:foo",
     })
     void transform_invalidScope(String scope) {
-        assertThat(transformer.transform(scope)).isFailed();
+        assertThat(transformer.transformScope(scope)).isFailed();
     }
 }

core/identity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/services/query/CredentialQueryResolverImpl.java

@@ -148,9 +148,9 @@ private boolean filterInvalidCredentials(VerifiableCredentialResource verifiable
      * @param scopes The list of scope strings to parse and convert.
      * @return A {@link Result} containing the list of converted {@link Criterion} objects.
      */
-    private Result<List<Criterion>> parseScopes(List<String> scopes) {
+    private Result<List<List<Criterion>>> parseScopes(List<String> scopes) {
         var transformResult = scopes.stream()
-                .map(scopeTransformer::transform)
+                .map(scopeTransformer::transformScope)
                 .toList();
 
         if (transformResult.stream().anyMatch(AbstractResult::failed)) {
@@ -159,7 +159,7 @@ private Result<List<Criterion>> parseScopes(List<String> scopes) {
         return success(transformResult.stream().map(AbstractResult::getContent).toList());
     }
 
-    private Result<Collection<VerifiableCredentialResource>> queryCredentials(List<Criterion> criteria, String participantContextId) {
+    private Result<Collection<VerifiableCredentialResource>> queryCredentials(List<List<Criterion>> criteria, String participantContextId) {
         var results = criteria.stream()
                 .map(criterion -> convertToQuerySpec(criterion, participantContextId))
                 .map(credentialStore::query)
@@ -173,13 +173,17 @@ private Result<Collection<VerifiableCredentialResource>> queryCredentials(List<C
                 .collect(Collectors.toList()));
     }
 
-    private QuerySpec convertToQuerySpec(Criterion criteria, String participantContextId) {
+    private QuerySpec convertToQuerySpec(List<Criterion> criteria, String participantContextId) {
         var filterByParticipant = new Criterion("participantContextId", "=", participantContextId);
         var filterNotRevoked = new Criterion("state", "!=", VcStatus.REVOKED.code());
         var filterNotExpired = new Criterion("state", "!=", VcStatus.EXPIRED.code());
         var filterUsageHolder = new Criterion("usage", "=", CredentialUsage.Holder.toString());
+
+        var allCriteria = Stream.concat(criteria.stream(),
+                Stream.of(filterByParticipant, filterNotRevoked, filterNotExpired, filterUsageHolder)).toList();
+
         return QuerySpec.Builder.newInstance()
-                .filter(List.of(criteria, filterByParticipant, filterNotRevoked, filterNotExpired, filterUsageHolder))
+                .filter(allCriteria)
                 .build();
     }