Custom Policy Evaluation Function Not Triggered in EDC MVD Setup

[Zhipeng-lin1]

Hi, I'm experimenting with how PolicyEnforcement works in EDC (using the MVD base project) by creating a custom policy evaluation function tied to a new constraint (ParticipantCredential). Here's a breakdown of what I’ve done:

---

🔧 Modifications in PolicyEvaluationExtension.java

I removed unnecessary default bindings and replaced them with my own:

@Override
public void initialize(ServiceExtensionContext context) {
    // Removed default permission functions:
    // bindPermissionFunction(... MembershipCredential ...)
    
    ruleBindingRegistry.bind(ODRL_USE_ACTION_ATTRIBUTE, ALL_SCOPES);
    ruleBindingRegistry.bind(EDC_NAMESPACE + PARTICIPANT_CONSTRAINT_KEY, CatalogPolicyContext.CATALOG_SCOPE);
    
    policyEngine.registerFunction(
        CatalogPolicyContext.class,
        Permission.class,
        PARTICIPANT_CONSTRAINT_KEY,
        ParticipantCredentialEvaluationFunction.create()
    );
}

🧩 Adjustments in DcpPatchExtension.java

I registered my trusted issuers and set the default scope mapping:

trustedIssuerRegistry.register(new Issuer("did:web:dataspace-issuer", Map.of()), WILDCARD);
trustedIssuerRegistry.register(new Issuer("did:web:localhost:9876", Map.of()), WILDCARD);
trustedIssuerRegistry.register(new Issuer("did:web:localhost:10100", Map.of()), WILDCARD);
trustedIssuerRegistry.register(new Issuer("did:web:example-issuer.com", Map.of()), WILDCARD);

var contextMappingFunction = new DefaultScopeMappingFunction(
    Set.of("org.eclipse.edc.vc.type:ParticipantCredential:read")
);

🧠 Custom Evaluation Function

I implemented a custom evaluation function as follows:

public class ParticipantCredentialEvaluationFunction<C extends ParticipantAgentPolicyContext>
        extends AbstractCredentialEvaluationFunction
        implements AtomicConstraintRuleFunction<Permission, C> {

    public static final String PARTICIPANT_CONSTRAINT_KEY = "ParticipantCredential";

    private ParticipantCredentialEvaluationFunction() {}

    public static <C extends ParticipantAgentPolicyContext> ParticipantCredentialEvaluationFunction<C> create() {
        return new ParticipantCredentialEvaluationFunction<>();
    }

    @Override
    public boolean evaluate(Operator operator, Object rightOperand, Permission permission, C policyContext) {
        return true; // For testing, always allow
    }
}

📜 Verifiable Credential (VC) Sample

Here's an example of the ParticipantCredential I used:

{
  "@context": [...],
  "type": ["VerifiableCredential", "ParticipantCredential"],
  "issuer": "did:web:example-issuer.com",
  "credentialSubject": {
    "id": "did:web:localhost:7083",
    "type": "gx:LegalParticipant",
    "gx:legalName": "Example Org",
    ...
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:example-issuer.com#key-1",
    "jws": "eyJhbGciOiJQUzI1NiIsIm..."
  }
}

❗ Problem

After defining assets, a policy, and a contract definition using this constraint key, the evaluation function is never triggered. I confirmed this by running the project locally in IntelliJ with breakpoints.

Assets:

{
    "@context": [
        "https://w3id.org/edc/connector/management/v0.0.1"
    ],
    "@id": "asset-3",
    "@type": "Asset",
    "properties": {
        "description": "This asset requires Participant to view and negotiate."
    },
    "dataAddress": {
        "@type": "DataAddress",
        "type": "HttpData",
        "baseUrl": "https://jsonplaceholder.typicode.com/todos",
        "proxyPath": "true",
        "proxyQueryParams": "true"
    }
}

Policy:

{
    "@context": [
        "https://w3id.org/edc/connector/management/v0.0.1"
    ],
    "@type": "PolicyDefinition",
    "@id": "require-participant",
    "policy": {
        "@type": "Set",
        "permission": [
            {
                "action": "use",
                "constraint": {
                    "leftOperand": "ParticipantCredential",
                    "operator": "eq",
                    "rightOperand": "active"
                }
            }
        ]
    }
}

Contract Definition:

{
    "@context": [
        "https://w3id.org/edc/connector/management/v0.0.1"
    ],
    "@id": "participant-contract-def",
    "@type": "ContractDefinition",
    "accessPolicyId": "require-participant",
    "contractPolicyId": "require-participant",
    "assetsSelector": {
        "@type": "Criterion",
        "operandLeft": "https://w3id.org/edc/v0.0.1/ns/id",
        "operator": "=",
        "operandRight": "asset-3"
    }
}

Even when the consumer does not have the ParticipantCredential VC seeded into the Identity Hub, the asset still appears in the catalog and no evaluation occurs.

Questions

1. Is there a step or config I’m missing ?