Fix the DCQL missing credential filtering (#349)

* use ValidMdoc in MDoc case

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* filter missing creds by tracking creds that are only alternatives

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* ensure filtering ONLY alternative credentials

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

---------

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

Author: JoTiTu

src/WalletFramework.Oid4Vc/Oid4Vp/Dcql/CredentialQueries/CredentialQuery.cs

@@ -138,7 +138,7 @@ public static Option<OneOf<Vct, DocType>> GetRequestedCredentialType(this Creden
                     : Option<OneOf<Vct, DocType>>.None;
             case Constants.MdocFormat:
                 return credentialQuery.Meta?.Doctype?.Any() == true
-                    ? Option<OneOf<Vct, DocType>>.Some(Vct.ValidVct(credentialQuery.Meta!.Doctype).UnwrapOrThrow())
+                    ? Option<OneOf<Vct, DocType>>.Some(DocType.ValidDoctype(credentialQuery.Meta!.Doctype).UnwrapOrThrow())
                     : Option<OneOf<Vct, DocType>>.None;
             default:
                 return Option<OneOf<Vct, DocType>>.None;

src/WalletFramework.Oid4Vc/Oid4Vp/Dcql/DcqlFun.cs

@@ -52,6 +52,10 @@ private static CandidateQueryResult BuildPresentationCandidateSets(
         List<CredentialRequirement> missing)
     {
         var sets = new List<PresentationCandidateSet>();
+        var alternativeCredentialIds = new List<string>();
+        var satisfiedCredentialSets = new List<CredentialSetQuery>();
+        
+        // First pass: identify satisfied credential sets and collect alternative credential IDs
         foreach (var setQuery in credentialSetQueries)
         {
             var firstMatchingOption = setQuery.Options
@@ -69,11 +73,62 @@ private static CandidateQueryResult BuildPresentationCandidateSets(
             if (firstMatchingOption != default)
             {
                 sets.Add(new PresentationCandidateSet(firstMatchingOption.SetCandidates, setQuery.Required));
+                satisfiedCredentialSets.Add(setQuery);
+                
+                // Mark credential IDs from alternative options in this set as alternatives
+                foreach (var option in setQuery.Options)
+                {
+                    if (option.Ids.Select(id => id.AsString()).SequenceEqual(firstMatchingOption.Option.Ids.Select(id => id.AsString())))
+                        continue;
+                        
+                    foreach (var id in option.Ids)
+                    {
+                        alternativeCredentialIds.Add(id.AsString());
+                    }
+                }
             }
         }
+        
+        // Second pass: identify credentials that are ONLY alternatives (not needed for any unsatisfied credential sets)
+        var onlyAlternativeCredentialIds = new List<string>();
+        foreach (var alternativeId in alternativeCredentialIds)
+        {
+            var isOnlyAlternative = true;
+            
+            // Check if this credential is needed for any unsatisfied credential sets
+            foreach (var setQuery in credentialSetQueries)
+            {
+                if (satisfiedCredentialSets.Contains(setQuery))
+                    continue; // Skip satisfied sets
+                    
+                // Check if this credential is needed in any option of this unsatisfied set
+                foreach (var option in setQuery.Options)
+                {
+                    if (option.Ids.Any(id => id.AsString() == alternativeId))
+                    {
+                        isOnlyAlternative = false;
+                        break;
+                    }
+                }
+                
+                if (!isOnlyAlternative)
+                    break;
+            }
+            
+            if (isOnlyAlternative)
+            {
+                onlyAlternativeCredentialIds.Add(alternativeId);
+            }
+        }
+        
+        // Filter out missing credentials that are ONLY alternatives
+        var filteredMissing = missing
+            .Where(requirement => !onlyAlternativeCredentialIds.Contains(requirement.GetIdentifier()))
+            .ToList();
+        
         return new CandidateQueryResult(
             sets.Count > 0 ? sets : Option<List<PresentationCandidateSet>>.None,
-            missing.Count > 0 ? missing : Option<List<CredentialRequirement>>.None
+            filteredMissing.Count > 0 ? filteredMissing : Option<List<CredentialRequirement>>.None
         );
     }
 }

test/WalletFramework.Oid4Vc.Tests/Oid4Vp/Dcql/CredentialSets/CredentialSetTests.cs

@@ -64,6 +64,29 @@ public void Candidate_Query_Result_Can_Be_Built_Correctly_From_Dcql_With_One_Cre
         candidatesList.Count.Should().Be(2, "should have a candidate for each credential query in the set");
         candidateSet.IsRequired.Should().BeTrue();
     }
+    
+    [Fact]
+    public void Candidate_Query_Result_Can_Be_Built_Correctly_From_Dcql_With_One_Credential_Set_And_Filter_Missing_Credentials_That_Are_Only_Alternatives()
+    {
+        // Arrange
+        var query = DcqlSamples.GetDcqlQueryWithOneCredentialSetAndMultipleSingleOptions;
+        var idCard = SdJwtSamples.GetIdCardCredential();
+        var credentials = new List<ICredential> { idCard };
+
+        // Act
+        var result = query.ProcessWith(credentials);
+
+        // Assert
+        result.MissingCredentials.IsNone.Should().BeTrue();
+        result.Candidates.IsSome.Should().BeTrue();
+        var sets = result.Candidates.IfNone([]);
+        var setsList = sets.ToList();
+        setsList.Count.Should().Be(1, "only one set should be satisfied by the provided credentials");
+        var candidateSet = setsList[0];
+        var candidatesList = candidateSet.Candidates.ToList();
+        candidatesList.Count.Should().Be(1, "should have a candidate for each credential query in the set");
+        candidateSet.IsRequired.Should().BeTrue();
+    }
 
     [Fact]
     public void Candidate_Set_Wont_Be_Built_When_A_Credential_is_Missing()

test/WalletFramework.Oid4Vc.Tests/Oid4Vp/Dcql/Samples/DcqlSamples.cs

@@ -106,6 +106,43 @@ public static class DcqlSamples
     }
   ]
 }";
+    
+    public const string DcqlQueryWithOneCredentialSetAndMultipleSingleOptionsJson = @"{
+  ""credentials"": [
+    {
+      ""id"": ""idcard"",
+      ""format"": ""dc+sd-jwt"",
+      ""meta"": {
+        ""vct_values"": [""ID-Card""]
+      },
+      ""claims"": [
+        {""path"": [""first_name""]},
+        {""path"": [""last_name""]},
+        {""path"": [""address"", ""street_address""]}
+      ]
+    },
+    {
+      ""id"": ""idcard2"",
+      ""format"": ""dc+sd-jwt"",
+      ""meta"": {
+        ""vct_values"": [""ID-Card-2""]
+      },
+      ""claims"": [
+        {""path"": [""first_name""]},
+        {""path"": [""last_name""]},
+        {""path"": [""address"", ""street_address""]}
+      ]
+    }
+  ],
+  ""credential_sets"": [
+    {
+      ""options"": [
+        [ ""idcard""],
+        [ ""idcard2""]
+      ]
+    }
+  ]
+}";
 
     public const string IdCardAndIdCard2NationalitiesSecondIndexQueryJson = @"{
             ""credentials"": [
@@ -194,7 +231,10 @@ public static class DcqlSamples
 
     public static DcqlQuery GetDcqlQueryWithNoClaims =>
         JsonConvert.DeserializeObject<DcqlQuery>(QueryStrWithNoClaims)!;
-
+    
+    public static DcqlQuery GetDcqlQueryWithOneCredentialSetAndMultipleSingleOptions =>
+        JsonConvert.DeserializeObject<DcqlQuery>(DcqlQueryWithOneCredentialSetAndMultipleSingleOptionsJson)!;
+    
     public static string GetDcqlQueryAsJsonStr() => GetJsonForTestCase("DcqlQuerySample");
 
     public static DcqlQuery GetIdCardAndIdCard2NationalitiesSecondIndexQuery() =>