OSIRAA - Open Source Implementer's Reference Authorized Agent


Version 0.9.3 - Updated September 2024

How to Use this App:
OSIRAA (Open Source Implementer's Reference Authorized Agent) is a test suite designed to simulate the role of an Authorized Agent in a Digital Rights Protocol (DRP) environment. The application tests the availability, correctness and completeness of the API endpoints of a Privacy Infrastructure Provider (PIP) or Covered Business (CB) partner application. See https://github.com/consumer-reports-innovation-lab/data-rights-protocol/blob/main/data-rights-protocol.md for more info on DRP system roles and the API specification.

Admin Tool
A user may model a PIP or Covered Business in the Admin Tool, along with any number of users. This is a standard Python app, so you must first create an admin superuser in the usual way before you can administer data configurations. For version 0.9.3, the Discovery Endpoint for a Covered Business has been deprecated; it has been replaced by a Service Directory. The Service Directory holds discoverable information for all DRP implementers in a common place. This information is periodically queried and the database is updated automatically.

Cert Tests Definitions
The Digital Rights Protocol is centered on a set of API calls between an Authorized Agent and a PIP or Covered Business, on behalf of a User exercising his or her digital rights.

Run Tests Against a PIP or Covered Business API Endpoint
First select a PIP or Covered Business from the dropdown. You can then test the API endpoints for that PIP/CB for the following calls: Discover, Exercise and Status. Some calls require additional parameters such as a User or Covered Regime. These can be set via dropdowns above the button in each section to trigger the call. Users (Identity Users) can be configured in the Admin Tool.

Once the call is made, the app presents an analysis of the response. It shows the request URL, the response code, and the response payload. If the response is valid JSON, it tests for required fields, fields in the response specific to the request params, etc. Note that you must first call Exercise for a given PIP/User combination before you can call Status. This is because the Exercise call returns a request_id, which is used for subsequent Status calls.
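
The checks described above, sketched as an added example (this is not OSIRAA's own code). The function names, the sample responses, "status" as a required field and the 2xx-only success rule are assumptions; only request_id is named on this page.

```python
import json

# Assumptions: "status" as a required field and 2xx-only success are
# illustrative; only "request_id" is named on this page.
REQUIRED_FIELDS = ("request_id", "status")


def analyze_response(call, status_code, body, expected_request_id=None,
                     required=REQUIRED_FIELDS):
    """Return a list of findings for one Exercise or Status response."""
    findings = []
    if not 200 <= status_code < 300:
        findings.append(f"{call}: unexpected response code {status_code}")
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        findings.append(f"{call}: response is not valid JSON")
        return findings
    if not isinstance(payload, dict):
        findings.append(f"{call}: JSON payload is not an object")
        return findings
    for field in required:
        if payload.get(field) in (None, ""):
            findings.append(f"{call}: missing required field '{field}'")
    # Status must refer to the request_id that Exercise returned.
    if expected_request_id is not None and "request_id" in payload:
        if payload["request_id"] != expected_request_id:
            findings.append(f"{call}: request_id does not match the Exercise call")
    return findings


def run_exercise_then_status(exercise, status):
    """Each argument is a (status_code, body) pair captured from the partner."""
    findings = analyze_response("Exercise", *exercise)
    try:
        request_id = json.loads(exercise[1]).get("request_id")
    except (TypeError, ValueError, AttributeError):
        request_id = None
    if not request_id:
        findings.append("Status: skipped, Exercise returned no request_id")
        return findings
    findings += analyze_response("Status", *status, expected_request_id=request_id)
    return findings


# Constructed sample responses (not captured from a real partner).
GOOD_EXERCISE = (200, '{"request_id": "req-001", "status": "open"}')
GOOD_STATUS = (200, '{"request_id": "req-001", "status": "in_progress"}')
BAD_STATUS = (200, '{"request_id": "req-999"}')
```

An empty list from run_exercise_then_status means every check passed; each string in a non-empty list names the call and the check that failed.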

Generate Agent Auth Keys
Every Authorized Agent requires a pair of auth keys - the secret signing key and the public verify key - to function in the DRP ecosystem. For members of the DRP consortium, the public key is published in the Service Directory for Authorized Agents at https://discovery.datarightsprotocol.org/agents.json. This utility will generate a pair of secure keys in compliance with the technical requirements of the DRP spec for use in your app.