[7º] - Release/v2.0.0 authorization: Enabled BPN block and Role Authorization in the Digitla

charts/digital-product-pass/Chart.yaml

@@ -40,10 +40,10 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.4.0
+version: 1.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.4.0"
+appVersion: "1.5.0"

charts/digital-product-pass/templates/configmap-backend.yaml

@@ -54,7 +54,7 @@ data:
         userInfoUri: "https://{{ tpl (.Values.oauth.hostname | default "http://localhost") .  }}/auth/realms/{{ .Values.oauth.realm }}/protocol/openid-connect/userinfo"
       # -- edc consumer connection configuration
       edc:
-        endpoint: "https://{{ .Values.backend.edc.endpoint }}"
+        endpoint: "https://{{ .Values.backend.edc.hostname }}"
         management: {{ .Values.backend.edc.apis.management }}
         catalog: {{ .Values.backend.edc.apis.catalog }}
         negotiation: {{ .Values.backend.edc.apis.negotiation }}
@@ -63,10 +63,14 @@ data:
         delay:  {{ .Values.backend.edc.delay }} # -- Negotiation status Delay in milliseconds in between async requests [<= 500]
       # -- security configuration
       security:
-        check:
-          enabled: {{ .Values.backend.securityCheck.enabled }}
-          bpn: {{ .Values.backend.securityCheck.bpn }}
-          edc: {{ .Values.backend.securityCheck.edc }}
+        # -- authorization configuration about bpn and role checks
+        authorization: 
+          bpnAuth: {{ .Values.oauth.bpnCheck.enabled }}
+          roleAuth: {{ .Values.oauth.roleCheck.enabled }}
+        # -- checkups done in the startup  
+        startUpChecks:
+          bpnCheck: {{ .Values.backend.securityCheck.bpn }}
+          edcCheck: {{ .Values.backend.securityCheck.edc }}
       # -- irs configuration
       irs:
         enabled: {{ .Values.backend.irs.enabled }} # -- Enable search for children in the requests

charts/digital-product-pass/templates/deployment-backend.yaml

@@ -54,17 +54,22 @@ spec:
             allowPrivilegeEscalation: false
             runAsUser: 10000
             runAsGroup: 3000
-          env:          
+          env:
+            - name: "appId"
+              valueFrom:
+                secretKeyRef:
+                  key:  appId
+                  name: avp-consumer-backend-auth          
             - name: "client.id"
               valueFrom:
                 secretKeyRef:
                   key:  clientId
-                  name: avp-consumer-backend-cx-registry-auth
+                  name: avp-consumer-backend-auth
             - name: "client.secret"
               valueFrom:
                 secretKeyRef:
                   key:  clientSecret
-                  name: avp-consumer-backend-cx-registry-auth
+                  name: avp-consumer-backend-auth
             - name: "edc.apiKey"
               valueFrom:
                 secretKeyRef:

charts/digital-product-pass/templates/deployment-frontend.yaml

@@ -69,6 +69,21 @@ spec:
             - name: "KEYCLOAK_ONLOAD"
               value: "{{ .Values.oauth.onLoad }}"
 
+            - name: "AUTH_ROLE_CHECK"
+              value: "{{ .Values.oauth.roleCheck.enabled | default false }}"
+
+            - name: "AUTH_BPN_CHECK"
+              value: "{{ .Values.oauth.bpnCheck.enabled | default false }}"
+
+            - name: "AUTH_BPN_NUMBER"
+              value: "{{ .Values.oauth.bpnCheck.bpn }}"
+
+            - name: "APP_PORTAL_URL"
+              value: "https://{{ .Values.frontend.portal.hostname }}"
+
+            - name: "APP_ADMIN_EMAIL"
+              value: "{{ .Values.frontend.supportContact.adminEmail }}"
+
             - name: "BACKEND_URL"
               value: "https://{{ .Values.frontend.backend.hostname }}"
 

charts/digital-product-pass/templates/secret-backend.yaml

@@ -23,12 +23,13 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: avp-consumer-backend-cx-registry-auth
+  name: avp-consumer-backend-auth
   labels:
     {{- include "chart.labels" . | nindent 4 }}
   namespace: {{ .Values.namespace }}
 type: Opaque
 stringData:
+  appId: {{ .Values.oauth.appId }}
   clientId: {{ .Values.oauth.techUser.clientId }}
   clientSecret: {{ .Values.oauth.techUser.clientSecret }}
 ---

charts/digital-product-pass/values-beta.yaml

@@ -42,12 +42,11 @@ backend:
 
   edc:
     xApiKey: <path:material-pass/data/beta/edc/oauth#api.key>
-    participantId:  <path:material-pass/data/beta/edc/participant#bpnNumber>
-    endpoint: "materialpass.beta.demo.catena-x.net/consumer"
+    participantId: &bpn <path:material-pass/data/beta/edc/participant#bpnNumber>
+    hostname: "materialpass.beta.demo.catena-x.net/consumer"
 
   hostname: *hostname
   securityCheck:
-    enabled: true
     bpn: true
     edc: true
 
@@ -83,17 +82,25 @@ frontend:
         hosts:
           - materialpass.beta.demo.catena-x.net
 
-  edc:
-    xApiKey: <path:material-pass/data/beta/edc/oauth#api.key>
-
   # Product Passport UI Configuration
   backend:
     hostname: "materialpass.beta.demo.catena-x.net"
+
+  supportContact:
+    adminEmail: "[email protected]"
 
+  portal:
+    hostname: "portal.beta.demo.catena-x.net"
+
 oauth:
-  hostname: "centralidp.int.demo.catena-x.net"
+  hostname: "centralidp.data.demo.catena-x.net"
   techUser:
-    clientId: <path:material-pass/data/int/backend#clientId>
-    clientSecret: <path:material-pass/data/int/backend#clientSecret>
-  realm: <path:material-pass/data/int/oauth#realm>
-  appId: <path:material-pass/data/int/oauth#appId>
+    clientId: <path:material-pass/data/data/backend#clientId>
+    clientSecret: <path:material-pass/data/data/backend#clientSecret>
+  realm: <path:material-pass/data/data/oauth#realm>
+  appId: <path:material-pass/data/data/oauth#appId>
+  bpnCheck:
+    enabled: true
+    bpn: *bpn
+  roleCheck:
+    enabled: false  

charts/digital-product-pass/values-dev.yaml

@@ -42,13 +42,12 @@ backend:
 
   edc:
     xApiKey: <path:material-pass/data/dev/edc/oauth#api.key>
-    participantId:  <path:material-pass/data/dev/edc/participant#bpnNumber>
-    endpoint: "materialpass.dev.demo.catena-x.net/consumer"
+    participantId: &bpn <path:material-pass/data/dev/edc/participant#bpnNumber>
+    hostname: "materialpass.dev.demo.catena-x.net/consumer"
 
   hostname: *hostname   
 
   securityCheck:
-    enabled: true
     bpn: true
     edc: true
 
@@ -84,17 +83,26 @@ frontend:
         hosts:
           - materialpass.dev.demo.catena-x.net
 
-  edc:
-    xApiKey: <path:material-pass/data/dev/edc/oauth#api.key>
-
   # Product Passport UI Configuration
   backend:
     hostname: *hostname
 
+  supportContact:
+    adminEmail: "[email protected]"
+
+  portal:
+    hostname: "portal.dev.demo.catena-x.net"
+
 oauth:
   hostname: "centralidp.dev.demo.catena-x.net"
   techUser:
-    clientId: <path:material-pass/data/int/backend#clientId>
-    clientSecret: <path:material-pass/data/int/backend#clientSecret>
-  realm: <path:material-pass/data/int/oauth#realm>
-  appId: <path:material-pass/data/int/oauth#appId>
+    clientId: <path:material-pass/data/dev/backend#clientId>
+    clientSecret: <path:material-pass/data/dev/backend#clientSecret>
+  realm: <path:material-pass/data/dev/oauth#realm>
+  appId: <path:material-pass/data/dev/oauth#appId>
+  bpnCheck:
+    enabled: true
+    bpn: *bpn
+  roleCheck:
+    enabled: false  
+

charts/digital-product-pass/values-int.yaml

@@ -31,7 +31,7 @@ backend:
       nginx.ingress.kubernetes.io/ssl-passthrough: "false"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     hosts:
-      - host: &hostname "materialpass.int.demo.catena-x.net"
+      - host: &hostname "dpp.int.demo.catena-x.net"
         paths:
           - path: /
             pathType: Prefix
@@ -41,12 +41,11 @@ backend:
           - *hostname
   edc:
     xApiKey: <path:material-pass/data/int/edc/oauth#api.key>
-    participantId:  <path:material-pass/data/int/edc/participant#bpnNumber>
-    endpoint: "materialpass.int.demo.catena-x.net/consumer"
+    participantId: &bpn <path:material-pass/data/int/edc/participant#bpnNumber>
+    hostname: "materialpass.int.demo.catena-x.net/consumer"
 
   hostname: *hostname
   securityCheck:
-    enabled: true
     bpn: true
     edc: true
 
@@ -73,25 +72,34 @@ frontend:
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
       nginx.ingress.kubernetes.io/service-upstream: "true"
     hosts:
-      - host: materialpass.int.demo.catena-x.net
+      - host: dpp.int.demo.catena-x.net
         paths:
           - path: /passport(/|$)(.*)
             pathType: Prefix
     tls:
       - secretName: tls-secret
         hosts:
-          - materialpass.int.demo.catena-x.net
-
-  edc:
-    xApiKey: <path:material-pass/data/int/edc/oauth#api.key>
+          - dpp.int.demo.catena-x.net
 
   backend:
     hostname: *hostname
 
+  supportContact:
+    adminEmail: "[email protected]"
+
+  portal:
+    hostname: "portal.int.demo.catena-x.net"
+
+
 oauth:
   hostname: "centralidp.int.demo.catena-x.net"
   techUser:
     clientId: <path:material-pass/data/int/backend#clientId>
     clientSecret: <path:material-pass/data/int/backend#clientSecret>
   realm: <path:material-pass/data/int/oauth#realm>
   appId: <path:material-pass/data/int/oauth#appId>
+  bpnCheck:
+    enabled: true
+    bpn: *bpn
+  roleCheck:
+    enabled: false