From 9d472cf7ae2a111d498dcc1ef136f4db35ae3d14 Mon Sep 17 00:00:00 2001 From: Benjamin Scholtes <88310985+bscholtes1A@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:31:05 +0100 Subject: [PATCH] feat: get rid of `cid` claim in `EndpointDataReference` auth token (#3541) feat: get rid of cid claim in EDR auth token --- .../TransferDataPlaneCoreExtension.java | 8 +- .../ConsumerPullDataPlaneProxyResolver.java | 2 +- ...sumerPullDataPlaneProxyTokenDecorator.java | 6 +- .../validation/ContractValidationRule.java | 58 ------------ ...onsumerPullDataPlaneProxyResolverTest.java | 2 - ...rPullDataPlaneProxyTokenDecoratorTest.java | 4 +- .../ContractValidationRuleTest.java | 89 ------------------- .../spi/TransferDataPlaneConstants.java | 12 --- 8 files changed, 4 insertions(+), 177 deletions(-) delete mode 100644 extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRule.java delete mode 100644 extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRuleTest.java diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/TransferDataPlaneCoreExtension.java b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/TransferDataPlaneCoreExtension.java index 8e76ff777e2..caccfc03155 100644 --- a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/TransferDataPlaneCoreExtension.java +++ b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/TransferDataPlaneCoreExtension.java @@ -16,7 +16,6 @@ package org.eclipse.edc.connector.transfer.dataplane; import org.eclipse.edc.connector.api.control.configuration.ControlApiConfiguration; -import org.eclipse.edc.connector.contract.spi.negotiation.store.ContractNegotiationStore; import org.eclipse.edc.connector.dataplane.selector.spi.client.DataPlaneSelectorClient; import org.eclipse.edc.connector.dataplane.spi.client.DataPlaneClient; import org.eclipse.edc.connector.transfer.dataplane.api.ConsumerPullTransferTokenValidationApiController; @@ -25,7 +24,6 @@ import org.eclipse.edc.connector.transfer.dataplane.proxy.ConsumerPullDataPlaneProxyResolver; import org.eclipse.edc.connector.transfer.dataplane.spi.security.DataEncrypter; import org.eclipse.edc.connector.transfer.dataplane.spi.token.ConsumerPullTokenExpirationDateFunction; -import org.eclipse.edc.connector.transfer.dataplane.validation.ContractValidationRule; import org.eclipse.edc.connector.transfer.dataplane.validation.ExpirationDateValidationRule; import org.eclipse.edc.connector.transfer.spi.callback.ControlApiUrl; import org.eclipse.edc.connector.transfer.spi.flow.DataFlowManager; @@ -59,9 +57,6 @@ public class TransferDataPlaneCoreExtension implements ServiceExtension { public static final String NAME = "Transfer Data Plane Core"; - @Inject - private ContractNegotiationStore contractNegotiationStore; - @Inject private Vault vault; @@ -114,7 +109,7 @@ public void initialize(ServiceExtensionContext context) { var keyPair = keyPairFromConfig(context); var controller = new ConsumerPullTransferTokenValidationApiController(tokenValidationService(keyPair.getPublic()), dataEncrypter, typeManager); webService.registerResource(controlApiConfiguration.getContextAlias(), controller); - + var resolver = new ConsumerPullDataPlaneProxyResolver(dataEncrypter, typeManager, new TokenGenerationServiceImpl(keyPair.getPrivate()), tokenExpirationDateFunction); dataFlowManager.register(new ConsumerPullTransferDataFlowController(selectorClient, resolver)); dataFlowManager.register(new ProviderPushTransferDataFlowController(callbackUrl, dataPlaneClient)); @@ -137,7 +132,6 @@ private KeyPair keyPairFromConfig(ServiceExtensionContext context) { private TokenValidationService tokenValidationService(PublicKey publicKey) { var registry = new TokenValidationRulesRegistryImpl(); - registry.addRule(new ContractValidationRule(contractNegotiationStore, clock)); registry.addRule(new ExpirationDateValidationRule(clock)); return new TokenValidationServiceImpl(id -> publicKey, registry); } diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolver.java b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolver.java index 79c98d59a1a..c58ad59efde 100644 --- a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolver.java +++ b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolver.java @@ -74,7 +74,7 @@ private Result resolveProxyUrl(DataPlaneInstance instance) { private Result generateAccessToken(DataAddress source, String contractId) { var encryptedDataAddress = dataEncrypter.encrypt(typeManager.writeValueAsString(source)); return tokenExpirationDateFunction.expiresAt(source, contractId) - .compose(expiration -> tokenGenerationService.generate(new ConsumerPullDataPlaneProxyTokenDecorator(expiration, contractId, encryptedDataAddress))) + .compose(expiration -> tokenGenerationService.generate(new ConsumerPullDataPlaneProxyTokenDecorator(expiration, encryptedDataAddress))) .map(TokenRepresentation::getToken); } } diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecorator.java b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecorator.java index 21dc2ddfda2..e4c0fd5b156 100644 --- a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecorator.java +++ b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecorator.java @@ -20,7 +20,6 @@ import java.util.Map; import static java.util.Collections.emptyMap; -import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.CONTRACT_ID; import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.DATA_ADDRESS; import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.EXPIRATION_TIME; @@ -32,12 +31,10 @@ class ConsumerPullDataPlaneProxyTokenDecorator implements JwtDecorator { private final Date expirationDate; - private final String contractId; private final String encryptedDataAddress; - ConsumerPullDataPlaneProxyTokenDecorator(Date expirationDate, String contractId, String encryptedDataAddress) { + ConsumerPullDataPlaneProxyTokenDecorator(Date expirationDate, String encryptedDataAddress) { this.expirationDate = expirationDate; - this.contractId = contractId; this.encryptedDataAddress = encryptedDataAddress; } @@ -45,7 +42,6 @@ class ConsumerPullDataPlaneProxyTokenDecorator implements JwtDecorator { public Map claims() { return Map.of( EXPIRATION_TIME, expirationDate, - CONTRACT_ID, contractId, DATA_ADDRESS, encryptedDataAddress ); } diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRule.java b/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRule.java deleted file mode 100644 index 1da01da1048..00000000000 --- a/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRule.java +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright (c) 2022 Amadeus - * - * This program and the accompanying materials are made available under the - * terms of the Apache License, Version 2.0 which is available at - * https://www.apache.org/licenses/LICENSE-2.0 - * - * SPDX-License-Identifier: Apache-2.0 - * - * Contributors: - * Amadeus - initial API and implementation - * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - improvements - * - */ - -package org.eclipse.edc.connector.transfer.dataplane.validation; - -import org.eclipse.edc.connector.contract.spi.negotiation.store.ContractNegotiationStore; -import org.eclipse.edc.jwt.spi.TokenValidationRule; -import org.eclipse.edc.spi.iam.ClaimToken; -import org.eclipse.edc.spi.result.Result; -import org.jetbrains.annotations.NotNull; -import org.jetbrains.annotations.Nullable; - -import java.time.Clock; -import java.util.Map; - -import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.CONTRACT_ID; - -/** - * Assert that contract still allows access to the data. As of current implementation it only validates the contract end date. - */ -public class ContractValidationRule implements TokenValidationRule { - - private final ContractNegotiationStore contractNegotiationStore; - private final Clock clock; - - public ContractValidationRule(ContractNegotiationStore contractNegotiationStore, Clock clock) { - this.contractNegotiationStore = contractNegotiationStore; - this.clock = clock; - } - - @Override - public Result checkRule(@NotNull ClaimToken toVerify, @Nullable Map additional) { - var contractId = toVerify.getStringClaim(CONTRACT_ID); - - if (contractId == null) { - return Result.failure(String.format("Missing contract id claim `%s`", CONTRACT_ID)); - } - - var contractAgreement = contractNegotiationStore.findContractAgreement(contractId); - if (contractAgreement == null) { - return Result.failure("No contract agreement found for id: " + contractId); - } - - return Result.success(); - } -} diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolverTest.java b/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolverTest.java index b28de06e438..2a82204e2da 100644 --- a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolverTest.java +++ b/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolverTest.java @@ -33,7 +33,6 @@ import java.util.UUID; import static org.assertj.core.api.Assertions.assertThat; -import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.CONTRACT_ID; import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.DATA_ADDRESS; import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.HTTP_PROXY; import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.EXPIRATION_TIME; @@ -89,7 +88,6 @@ void verifyToDataAddressSuccess() { var decorator = captor.getValue(); assertThat(decorator.claims()) - .containsEntry(CONTRACT_ID, request.getContractId()) .containsEntry(DATA_ADDRESS, encryptedAddress) .containsEntry(EXPIRATION_TIME, expiration); } diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecoratorTest.java b/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecoratorTest.java index 4d54ac58ed2..ec2e8aa86d8 100644 --- a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecoratorTest.java +++ b/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyTokenDecoratorTest.java @@ -23,7 +23,6 @@ import java.util.concurrent.ThreadLocalRandom; import static org.assertj.core.api.Assertions.assertThat; -import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.CONTRACT_ID; import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.DATA_ADDRESS; import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.EXPIRATION_TIME; @@ -40,7 +39,7 @@ public void setUp() { expiration = Date.from(Instant.now().plusSeconds(ThreadLocalRandom.current().nextInt(1, 10))); contractId = UUID.randomUUID().toString(); encryptedDataAddress = UUID.randomUUID().toString(); - decorator = new ConsumerPullDataPlaneProxyTokenDecorator(expiration, contractId, encryptedDataAddress); + decorator = new ConsumerPullDataPlaneProxyTokenDecorator(expiration, encryptedDataAddress); } @Test @@ -48,7 +47,6 @@ void claims() { var result = decorator.claims(); assertThat(result) - .containsEntry(CONTRACT_ID, contractId) .containsEntry(DATA_ADDRESS, encryptedDataAddress) .containsEntry(EXPIRATION_TIME, expiration); } diff --git a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRuleTest.java b/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRuleTest.java deleted file mode 100644 index a0a74c48b50..00000000000 --- a/extensions/control-plane/transfer/transfer-data-plane/src/test/java/org/eclipse/edc/connector/transfer/dataplane/validation/ContractValidationRuleTest.java +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright (c) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - * - * This program and the accompanying materials are made available under the - * terms of the Apache License, Version 2.0 which is available at - * https://www.apache.org/licenses/LICENSE-2.0 - * - * SPDX-License-Identifier: Apache-2.0 - * - * Contributors: - * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation - * - */ - -package org.eclipse.edc.connector.transfer.dataplane.validation; - -import org.eclipse.edc.connector.contract.spi.negotiation.store.ContractNegotiationStore; -import org.eclipse.edc.policy.model.Policy; -import org.eclipse.edc.spi.iam.ClaimToken; -import org.eclipse.edc.spi.types.domain.agreement.ContractAgreement; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; - -import java.time.Clock; -import java.time.Instant; -import java.util.UUID; - -import static java.time.ZoneOffset.UTC; -import static java.util.Collections.emptyMap; -import static org.assertj.core.api.Assertions.assertThat; -import static org.eclipse.edc.connector.transfer.dataplane.spi.TransferDataPlaneConstants.CONTRACT_ID; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -class ContractValidationRuleTest { - - private final Instant now = Instant.now(); - private final Clock clock = Clock.fixed(now, UTC); - private final ContractNegotiationStore contractNegotiationStore = mock(ContractNegotiationStore.class); - - private ContractValidationRule rule; - - @BeforeEach - public void setUp() { - rule = new ContractValidationRule(contractNegotiationStore, clock); - } - - @Test - void shouldSucceedIfContractIsStillValid() { - var contractId = UUID.randomUUID().toString(); - var contractAgreement = createContractAgreement(contractId); - when(contractNegotiationStore.findContractAgreement(contractId)).thenReturn(contractAgreement); - var claimToken = ClaimToken.Builder.newInstance().claim(CONTRACT_ID, contractId).build(); - - var result = rule.checkRule(claimToken, emptyMap()); - - assertThat(result.succeeded()).isTrue(); - } - - @Test - void shouldFailIfContractIdClaimIsMissing() { - var claimToken = ClaimToken.Builder.newInstance().build(); - - var result = rule.checkRule(claimToken, emptyMap()); - - assertThat(result.succeeded()).isFalse(); - } - - @Test - void shouldFailIfContractIdContractDoesNotExist() { - when(contractNegotiationStore.findContractAgreement(any())).thenReturn(null); - var claimToken = ClaimToken.Builder.newInstance().claim(CONTRACT_ID, "unknownContractId").build(); - - var result = rule.checkRule(claimToken, emptyMap()); - - assertThat(result.succeeded()).isFalse(); - } - - private ContractAgreement createContractAgreement(String contractId) { - return ContractAgreement.Builder.newInstance() - .id(contractId) - .assetId(UUID.randomUUID().toString()) - .policy(Policy.Builder.newInstance().build()) - .consumerId("consumer-agent-id") - .providerId("provider-agent-id") - .build(); - } -} diff --git a/spi/control-plane/transfer-data-plane-spi/src/main/java/org/eclipse/edc/connector/transfer/dataplane/spi/TransferDataPlaneConstants.java b/spi/control-plane/transfer-data-plane-spi/src/main/java/org/eclipse/edc/connector/transfer/dataplane/spi/TransferDataPlaneConstants.java index 4735b10c761..f4a45b87196 100644 --- a/spi/control-plane/transfer-data-plane-spi/src/main/java/org/eclipse/edc/connector/transfer/dataplane/spi/TransferDataPlaneConstants.java +++ b/spi/control-plane/transfer-data-plane-spi/src/main/java/org/eclipse/edc/connector/transfer/dataplane/spi/TransferDataPlaneConstants.java @@ -16,8 +16,6 @@ import org.eclipse.edc.spi.types.domain.transfer.DataFlowRequest; -import static org.eclipse.edc.spi.CoreConstants.EDC_NAMESPACE; - /** * Type of Data Plane transfer. */ @@ -32,14 +30,4 @@ public interface TransferDataPlaneConstants { * data source as an encrypted string. */ String DATA_ADDRESS = "dad"; - - /** - * Claim of the token used in input of Data Plane public API containing the contract id. - */ - String CONTRACT_ID = "cid"; - - /** - * Claim of the token used in input of Data Plane public API containing the contract id with namespace. - */ - String EDC_CONTRACT_ID = EDC_NAMESPACE + "cid"; }