From 5c72cbdb5f0a2995b307235ebcee717c0616eb6f Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Mon, 22 Apr 2024 22:29:12 -0700
Subject: [PATCH 01/19] chore(edc): version increase wip

---
 local/MIGRATION_NOTES.md | 218 +++++++++++++++++
 .../credential/Membership_Credential.json | 19 ++
 .../customer/verifieable-presentation.json | 14 ++
 local/docker-compose-edc.yaml | 220 ++++++++++++++++++
 local/docker-compose-infrastructure.yaml | 6 +-
 local/postgres/init-db.sql | 30 ++-
 .../config/customer/control-plane.properties | 72 +++---
 .../config/supplier/control-plane.properties | 74 +++---
 local/tractus-x-edc/docker-compose.yaml | 20 +-
 9 files changed, 572 insertions(+), 101 deletions(-)
 create mode 100644 local/MIGRATION_NOTES.md
 create mode 100644 local/bdrs/credential/Membership_Credential.json
 create mode 100644 local/bdrs/customer/verifieable-presentation.json
 create mode 100644 local/docker-compose-edc.yaml

diff --git a/local/MIGRATION_NOTES.md b/local/MIGRATION_NOTES.md
new file mode 100644
index 00000000..674fdf37
--- /dev/null
+++ b/local/MIGRATION_NOTES.md
@@ -0,0 +1,218 @@ +# Policy Definition + +Old + +```json +{ + "@context": { + "@vocab": "https://w3id.org/edc/v0.0.1/ns/", + "odrl": "http://www.w3.org/ns/odrl/2/" + }, + "@type": "PolicyDefinitionRequestDto", + "@id": "{{POLICY_ID}}", + "policy": { + "@type": "Policy", + "odrl:permission": [ + { + "odrl:action": "USE", + "odrl:constraint": { + "@type": "LogicalConstraint", + "odrl:or": [ + { + "@type": "Constraint", + "odrl:leftOperand": "BusinessPartnerNumber", + "odrl:operator": { + "@id": "odrl:eq" + }, + "odrl:rightOperand": "{{SUPPLIER_BPNL}}" + } + ] + } + } + ] + } +} +``` + +error + +```json +[ + { + "message": "https://w3id.org/edc/v0.0.1/ns/policy/@type was expected to be http://www.w3.org/ns/odrl/2/Set but it was not", + "type": "ValidationFailure", + "path": "https://w3id.org/edc/v0.0.1/ns/policy/@type", + "invalidValue": [ + "https://w3id.org/edc/v0.0.1/ns/Policy" + ] + } +] +``` + +policy.@type = "odrl:Set" + +catalog request results in unexpected null pinter during membershipPresentation call + +SEVERE 2024-04-18T18:14:41.467647124 JerseyExtension: Unexpected exception caught +java.lang.NullPointerException +at java.base/java.util.Objects.requireNonNull(Unknown Source) +at java.base/java.util.ImmutableCollections$MapN.(Unknown Source) +at java.base/java.util.Map.of(Unknown Source) +at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.createMembershipPresentation(BdrsClientImpl.java:153) +at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.updateCache(BdrsClientImpl.java:121) +at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.resolve(BdrsClientImpl.java:101) +at org.eclipse.tractusx.edc.identity.mapper.BdrsClientAudienceMapper.resolve(BdrsClientAudienceMapper.java:39) +at org.eclipse.edc.protocol.dsp.http.dispatcher.DspHttpRemoteMessageDispatcherImpl.dispatch( +DspHttpRemoteMessageDispatcherImpl.java:121) +at org.eclipse.edc.connector.core.message.RemoteMessageDispatcherRegistryImpl.dispatch( 
+RemoteMessageDispatcherRegistryImpl.java:48) +at org.eclipse.edc.connector.controlplane.services.catalog.CatalogServiceImpl.requestCatalog(CatalogServiceImpl.java:44) +at org.eclipse.edc.connector.controlplane.api.management.catalog.CatalogApiController.requestCatalog( +CatalogApiController.java:64) +at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source) +at java.base/java.lang.reflect.Method.invoke(Unknown Source) +at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0( +ResourceMethodInvocationHandlerFactory.java:52) +at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run( +AbstractJavaResourceMethodDispatcher.java:146) +at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke( +AbstractJavaResourceMethodDispatcher.java:189) +at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$VoidOutInvoker.doDispatch( +JavaResourceMethodDispatcherProvider.java:159) +at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch( +AbstractJavaResourceMethodDispatcher.java:93) +at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) +at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) +at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) +at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:261) +at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) +at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) +at org.glassfish.jersey.internal.Errors.process(Errors.java:292) +at org.glassfish.jersey.internal.Errors.process(Errors.java:274) +at org.glassfish.jersey.internal.Errors.process(Errors.java:244) +at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) +at 
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:240) +at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:697) +at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394) +at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346) +at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:357) +at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311) +at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205) +at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) +at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529) +at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) +at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381) +at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) +at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) +at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) +at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303) +at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) +at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) +at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) +at org.eclipse.jetty.server.Server.handle(Server.java:563) +at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598) +at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) +at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) +at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) +at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) +at 
org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) +at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) +at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) +at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) +at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) +at java.base/java.lang.Thread.run(Unknown Source) + +--> bpdrs service needed + +# bdrs + +Calls needed: + +- management -> create bpn directory +- BPN-Directory -> map of bpn and did reachable + +bpn directory is securied by jwt containing: + +- vp holder key +- vp holder id +- null +- bdrs-server-audience +- map with + - vp following content example with holderId and vcJwt + +vcJwt inserted is build with + +- spoofedKey +- issuerId +- degreeSub +- holderId +- map with + - vc = membership_credential with holderId inserted + +DIDs are build following JsonWebKey2020 +DID-ID like did:web:name-to-use + +Credential Service +mock: https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImplComponentTest.java + +Update Cache -> why does it need a bearer token with the membershipCredToken sent to /bpn-directory? 
+https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImpl.java#L92 + +Dids seem to +be [dependent on the hosting companies' url](https://github.com/eclipse-tractusx/identity-trust/blob/main/specifications/tx.dataspace.topology.md) + +Seems like: + +- MIW / DIM are credential services +- Portal + DIM are issuer services + +A client uses a token during a request, to grant access to specific resources + +- verifier uses it to request the vp +- the CS endpoint is resolved using bdrs +- **What's the bearer access scope** + +access scopes + +- org.eclipse.tractusx.vc.type:Member:read +- org.eclipse.tractusx.vc.id:uuid:read -> give access to verifieable credential by id + +Endoints: + +- POST presentations/query + - uses OAuth2 scopes that need to be mapped to presentation definition +- storage api credentials + +https://github.com/eclipse-edc/Connector/blob/4fd16b8e34d685239ea40fc3d8e9b02cc8ccf323/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java#L54 + +- a key is somehow resolved. This may be from the did.json + +bdrs | WARNING 2024-04-21T19:34:23.497508523 Error validating BDRS client VP: Credential is not yet valid., Not all +credential subject IDs match the expected subject ID 'did:web:edr-service/trusted-issuer'. Violating subject +IDs: [did:web:edr-service/supplier] + +- I need to check on subjects - likely this is wrong +- not sure why the credential should not be valid + +Following +this [test](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImplComponentTest.java), + +- the VC is signed by the issuer +- the VP is signed by the holder + +Why does the catalog request on consumer side result in port 443 / ssl? 
+
+Overall request is the dim request
+-> check in dim test
+
+Following Tractus-X Connector Setup
+
+- DIM = your wallet that already contains VCs
+- Credential Service = get your own VP to hand over. (something like the miw)
+- SecureTokenService = get auth for something and then request presentation
+
+customer-control-plane | DEBUG 2024-04-22T17:49:36.200763912 DSP: Incoming CatalogRequestMessage for class
+org.eclipse.edc.connector.controlplane.catalog.spi.Catalog process
+customer-control-plane | DEBUG 2024-04-22T17:49:36.267334896 Unauthorized: No Service endpoint 'CredentialService' found
+on DID Document.
+customer-control-plane | DEBUG 2024-04-22T17:49:36.267812038 DSP: Service call failed: Unauthorized
diff --git a/local/bdrs/credential/Membership_Credential.json b/local/bdrs/credential/Membership_Credential.json
new file mode 100644
index 00000000..d77f14ee
--- /dev/null
+++ b/local/bdrs/credential/Membership_Credential.json
@@ -0,0 +1,19 @@
+{
+ "@context": [
+ "https://www.w3.org/2018/credentials/v1",
+ "https://w3id.org/catenax/credentials/v1.0.0"
+ ],
+ "id": "1f36af58-0fc0-4b24-9b1c-e37d59668089",
+ "type": [
+ "VerifiableCredential",
+ "MembershipCredential"
+ ],
+ "issuer": "did:web:com.example.issuer",
+ "issuanceDate": "2021-06-16T18:56:59Z",
+ "expirationDate": "2199-06-16T18:56:59Z",
+ "credentialSubject": {
+ "id": "%s",
+ "holderIdentifier": "BPNL000000001"
+ }
+}
+// https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/TestData.java#L22
diff --git a/local/bdrs/customer/verifieable-presentation.json b/local/bdrs/customer/verifieable-presentation.json
new file mode 100644
index 00000000..70f76c01
--- /dev/null
+++ b/local/bdrs/customer/verifieable-presentation.json
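Review bot: The last added line of Membership_Credential.json, `// https://github.com/eclipse-tractusx/tractusx-edc/.../TestData.java#L22`, makes the file invalid JSON, so anything that parses it after substituting the `%s` placeholder in `credentialSubject.id` will fail unless the consumer strips that line first; move the reference into local/MIGRATION_NOTES.md or a sibling README and keep the fixture pure JSON. The fixture also carries `"expirationDate": "2199-06-16T18:56:59Z"` and the fixed issuer `did:web:com.example.issuer`, so wherever this template is loaded a one-line comment should state that it is a local-only test credential and must not be used to seed a shared BDRS instance.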
@@ -0,0 +1,14 @@
+{
+ "@context": [
+ "https://www.w3.org/2018/credentials/v1",
+ "https://www.w3.org/2018/credentials/examples/v1"
+ ],
+ "id": "https://exapmle.com/test-vp",
+ "holder": "%s",
+ "type": [
+ "VerifiablePresentation"
+ ],
+ "verifiableCredential": [
+ %s
+]
+}
diff --git a/local/docker-compose-edc.yaml b/local/docker-compose-edc.yaml
new file mode 100644
index 00000000..895ad286
--- /dev/null
+++ b/local/docker-compose-edc.yaml
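Review bot: The new file name `verifieable-presentation.json` and the value `"id": "https://exapmle.com/test-vp"` both carry typos (`verifieable` → `verifiable`, `exapmle` → `example`); the misspelled path will be baked into whatever loads this template, so renaming now is cheaper than later. Also, the `%s` inside the `verifiableCredential` array is unquoted, so the value substituted there must already be a complete JSON value (a quoted JWT string or an object) or the result will not parse; since the file format cannot carry a comment, that constraint belongs in local/MIGRATION_NOTES.md next to the description of how the VP is built.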
@@ -0,0 +1,220 @@ +# +# Copyright (c) 2023, 2024 Volkswagen AG +# Copyright (c) 2023, 2024 Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V. (represented by Fraunhofer ISST) +# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# +version: "3" +services: + + bdrs: + image: tractusx/bdrs-server-memory + container_name: bdrs + environment: + EDC_API_AUTH_KEY: password + WEB_HTTP_PORT: 8580 + WEB_HTTP_PATH: /api + WEB_HTTP_MANAGEMENT_PORT: 8581 + WEB_HTTP_MANAGEMENT_PATH: /api/management + WEB_HTTP_DIRECTORY_PORT: 8582 + WEB_HTTP_DIRECTORY_PATH: /api/directory + EDC_IAM_DID_WEB_USE_HTTPS: false + EDC_IAM_TRUSTED-ISSUER_ISSUER_ID: did:web:edr-service/trusted-issuer + _LEVEL: DEBUG + ports: + - "127.0.0.1:8580:8580" + - "127.0.0.1:8581:8581" + - "127.0.0.1:8582:8582" + networks: + - miw-net + # TODO check cacerts need in deployment.yaml + + postgres-customer: + image: postgres:15.4-alpine + container_name: customer-postgres + environment: + POSTGRES_DB: edc + POSTGRES_USER: ${PG_USER} + POSTGRES_PASSWORD: ${PG_PW} + ports: + - "127.0.0.1:5433:5432" + healthcheck: + test: ["CMD-SHELL", "pg_isready -d edc -U ${PG_USER}"] + interval: 4s + timeout: 3s + retries: 15 + networks: + - miw-net + deploy: + resources: + limits: + memory: 512mb + cpus: "0.5" + security_opt: + - 
no-new-privileges:true + volumes: + - ./postgres/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql + + edc-customer-control-plane: + depends_on: + postgres-customer: + condition: service_healthy + # restart: on-failure + extends: + file: ./tractus-x-edc/docker-compose.yaml + service: control-plane + container_name: customer-control-plane + env_file: + - ./tractus-x-edc/config/customer/control-plane.properties + environment: + # bdrs client + TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582/api/directory + TX_IAM_IATP_BDRS_CACHE_VALIDITY: 600 + # iatp / dim + EDC_IAM_ISSUER_ID: did:web:edr-service/customer + EDC_IAM_STS_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token + EDC_IAM_STS_OAUTH_CLIENT_ID: ${CUSTOMER_OAUTH_CLIENT_ID} + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${CUSTOMER_OAUTH_SECRET_ALIAS} #TODO + EDC_IAM_STS_DIM_URL: http://edr-service:80 + EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer + # configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50 + TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 + # don't use https during did resolving in catalog request + EDC_IAM_DID_WEB_USE_HTTPS: false + # environment: + # SPRING_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver + # SPRING_DATASOURCE_URL: jdbc:postgresql://supplier-postgres:5432/dtr_database + # SPRING_DATASOURCE_USERNAME: ${PG_USER} + # SPRING_DATASOURCE_PASSWORD: ${PG_PW} + ports: + - "127.0.0.1:8180:8180" + - "127.0.0.1:8181:8181" + - "127.0.0.1:8182:8182" + - "127.0.0.1:8183:8183" + - "127.0.0.1:8184:8184" + networks: + - miw-net + extra_hosts: + - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + + # edc-customer-data-plane: + # restart: 
on-failure + # extends: + # file: ./tractus-x-edc/docker-compose.yaml + # service: data-plane + # container_name: customer-data-plane + # ports: + # - "127.0.0.1:8280:8280" + # - "127.0.0.1:8285:8285" + # - "127.0.0.1:8299:8299" + # environment: + # edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} + # env_file: + # - ./tractus-x-edc/config/customer/data-plane.properties + # networks: + # - miw-net + # extra_hosts: + # - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + + # postgres-supplier: + # image: postgres:15.4-alpine + # container_name: supplier-postgres + # environment: + # POSTGRES_DB: puris-supplier + # POSTGRES_USER: ${PG_USER} + # POSTGRES_PASSWORD: ${PG_PW} + # ports: + # - "127.0.0.1:5435:5432" + # healthcheck: + # test: ["CMD-SHELL", "pg_isready -d puris-supplier -U ${PG_USER}"] + # interval: 4s + # timeout: 3s + # retries: 15 + # networks: + # - miw-net + # deploy: + # resources: + # limits: + # memory: 512mb + # cpus: "0.5" + # security_opt: + # - no-new-privileges:true + # volumes: + # - ./postgres/init-dtr.sql:/docker-entrypoint-initdb.d/init-dtr.sql + # + edc-supplier-control-plane: + depends_on: + postgres-customer: + condition: service_healthy + # restart: on-failure + extends: + file: ./tractus-x-edc/docker-compose.yaml + service: control-plane + container_name: supplier-control-plane + ports: + - "127.0.0.1:9180:9180" + - "127.0.0.1:9181:9181" + - "127.0.0.1:9182:9182" + - "127.0.0.1:9183:9183" + - "127.0.0.1:9184:9184" + - "127.0.0.1:1044:1044" + env_file: + - ./tractus-x-edc/config/supplier/control-plane.properties + environment: + TX_IAM_IATP_BDRS_SERVER_URL: http://bdrs:8582/api/directory + # TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582 + TX_IAM_IATP_BDRS_CACHE_VALIDITY: 600 + # iatp / dim + EDC_IAM_ISSUER_ID: did:web:edr-service/supplier + # locally we don't actually care, because our dim service will accept all + EDC_IAM_STS_OAUTH_TOKEN_URL: 
http://keycloak:8080/realms/miw_test/protocol/openid-connect/token + EDC_IAM_STS_OAUTH_CLIENT_ID: ${SUPPLIER_OAUTH_CLIENT_ID} + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${SUPPLIER_OAUTH_SECRET_ALIAS} #TODO + EDC_IAM_STS_DIM_URL: http://edr-service:80 + EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer + # configure one Credential service for all (else pulled from did) + TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 + # don't use https during did resolving + EDC_IAM_DID_WEB_USE_HTTPS: false + networks: + - miw-net + extra_hosts: + - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine +# +# +# edc-supplier-data-plane: +# restart: on-failure +# extends: +# file: ./tractus-x-edc/docker-compose.yaml +# service: data-plane +# container_name: supplier-data-plane +# ports: +# - "127.0.0.1:9280:9280" +# - "127.0.0.1:9285:9285" +# - "127.0.0.1:9299:9299" +# environment: +# edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} +# env_file: +# - ./tractus-x-edc/config/supplier/data-plane.properties +# networks: +# - miw-net +# extra_hosts: +# - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + +networks: + miw-net: + external: true diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 9cf87ecc..8449651e 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml 
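Review bot: `TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582/api/directory` in `edc-customer-control-plane` points at a host `brds` that no service in this file defines; the directory service is named `bdrs` (container_name `bdrs`) and the supplier service uses `http://bdrs:8582/api/directory`, so the customer's BPN-to-DID lookups will not resolve unless something else on `miw-net` answers to that name — change it to `TX_IAM_IATP_BDRS_SERVER_URL: http://bdrs:8582/api/directory`. The `bdrs` service also hard-codes `EDC_API_AUTH_KEY: password` while every other secret in the file is read from the environment (`${PG_PW}`, `${CUSTOMER_OAUTH_CLIENT_ID}`); taking it from `.env` as well, e.g. `EDC_API_AUTH_KEY: ${BDRS_API_KEY}` (new variable, name constructed here), keeps the management API of the BPN directory from shipping with a guessable default even though its ports are bound to 127.0.0.1. `_LEVEL: DEBUG` in the same block looks like a truncated variable name and will most likely be ignored by the image; restore the intended key or drop it. Finally, `edc-supplier-control-plane` declares `depends_on: postgres-customer`, which matches the supplier properties now pointing at `postgres-customer`, but a comment such as `# both connectors share the postgres-customer instance locally` would make that read as intentional rather than a copy-paste slip.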
@@ -35,13 +35,13 @@ services:
 image: postgres:15.4-alpine
 container_name: postgres-miw
 environment:
- POSTGRES_DB: edc
+ POSTGRES_DB: miw
 POSTGRES_USER: ${PG_USER}
 POSTGRES_PASSWORD: ${PG_PW}
- volumes:
+ # volumes:
 # use docker-compose down --volumes to kill db volume
 # only then, changes to the script are executed!
- - ./postgres/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql
+ # - ./postgres/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql
 ports:
 - "127.0.0.1:5432:5432"
 networks:
diff --git a/local/postgres/init-db.sql b/local/postgres/init-db.sql
index 41256c84..41cf2e8a 100644
--- a/local/postgres/init-db.sql
+++ b/local/postgres/init-db.sql
@@ -22,14 +22,24 @@ CREATE DATABASE miw;
-CREATE DATABASE "edc_customer_asset";
-CREATE DATABASE "edc_customer_contractdefinition";
-CREATE DATABASE "edc_customer_contractnegotiation";
-CREATE DATABASE "edc_customer_policy";
-CREATE DATABASE "edc_customer_transferprocess";
+CREATE DATABASE "edc_customer";
+CREATE DATABASE "edc_supplier";
-CREATE DATABASE "edc_supplier_asset";
-CREATE DATABASE "edc_supplier_contractdefinition";
-CREATE DATABASE "edc_supplier_contractnegotiation";
-CREATE DATABASE "edc_supplier_policy";
-CREATE DATABASE "edc_supplier_transferprocess";
+-- CREATE DATABASE "edc_customer_asset";
+-- CREATE DATABASE "edc_customer_contractdefinition";
+-- CREATE DATABASE "edc_customer_contractnegotiation";
+-- CREATE DATABASE "edc_customer_policy";
+-- CREATE DATABASE "edc_customer_transferprocess";
+--
+-- CREATE DATABASE "edc_customer_policy_monitor";
+-- CREATE DATABASE "edc_customer_bpn";
+-- CREATE DATABASE "edc_customer_edrs";
+--
+--
+-- CREATE DATABASE "edc_supplier_asset";
+-- CREATE DATABASE "edc_supplier_contractdefinition";
+-- CREATE DATABASE "edc_supplier_contractnegotiation";
+-- CREATE DATABASE "edc_supplier_policy";
+-- CREATE DATABASE "edc_supplier_transferprocess";
+--
+-- CREATE DATABASE "edc_supplier_policy_monitor";
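Review bot: With `volumes:` and the init-db.sql mount commented out in `postgres-miw`, the two surviving context comments `# use docker-compose down --volumes to kill db volume` / `# only then, changes to the script are executed!` now describe nothing in this service and will mislead the next reader. Either delete them or rewrite them to say that the init script has moved to the `postgres-customer` service (which appears to mount it in the new local/docker-compose-edc.yaml) and that `miw` is now created by the image from `POSTGRES_DB: miw`, e.g. `# miw is created via POSTGRES_DB; the edc databases are created by init-db.sql in postgres-customer`.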
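Review bot: `CREATE DATABASE miw;`, which precedes this hunk, looks stale where the script now runs: per the other hunks in this patch the file is no longer mounted into `postgres-miw` but into `postgres-customer` (whose `POSTGRES_DB` is `edc`), so it creates an unused `miw` database there, and a future conflict with an existing `miw` would abort the init. Dropping that line is the simplest fix. The 18 commented-out `-- CREATE DATABASE ...` lines would be clearer as one comment stating the new layout, e.g. `-- one database per connector; all EDC stores share it (see edc.datasource.*.url in the control-plane.properties files)`, which is what the new `edc_customer` / `edc_supplier` pair and the properties hunks imply.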
diff --git a/local/tractus-x-edc/config/customer/control-plane.properties b/local/tractus-x-edc/config/customer/control-plane.properties
index 0933b47c..a62e5ddc 100644
--- a/local/tractus-x-edc/config/customer/control-plane.properties
+++ b/local/tractus-x-edc/config/customer/control-plane.properties
@@ -1,91 +1,87 @@
 # API
 web.http.default.port=8180
 web.http.default.path=/api
-
 # MANAGEMENT (replaced data in 0.3.0)
 web.http.management.port=8181
 web.http.management.path=/management
-
 # CONTROL (replaced validation in 0.3.0)
 web.http.control.port=8183
 web.http.control.path=/api/controlplane/control
-
 # PROTOCOL (replaced IDS in 0.3.0)
 web.http.protocol.port=8184
 web.http.protocol.path=/api/v1/dsp
-
 edc.participant.id=BPNL4444444444XX
-edc.api.auth.key= ${EDC_API_PW}
+edc.api.auth.key=${EDC_API_PW}
 edc.dsp.callback.address=http://customer-control-plane:8184/api/v1/dsp
 edc.hostname=customer-control-plane
-
 tx.ssi.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 tx.ssi.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
 tx.ssi.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
 tx.ssi.miw.url=http://miw
 tx.ssi.miw.authority.id=BPNL000000000000
 tx.ssi.endpoint.audience=http://customer-control-plane:8184/api/v1/dsp
-
 # HashiCorp vault related configuration
 edc.vault.hashicorp.url=http://vault:8200
 edc.vault.hashicorp.health.check.enabled=false
-edc.vault.hashicorp.token= ${VAULT_DEV_ROOT_TOKEN_ID}
-
+edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID}
 # Data-Plane configuration
 edc.transfer.proxy.endpoint=http://customer-data-plane:8285/api/public/
 edc.transfer.proxy.token.signer.privatekey.alias=${CUSTOMER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${CUSTOMER_PUBLIC_KEY_ALIAS}
-
 # Data-Plane selector configuration
 edc.dataplane.selector.edchttp.url=http://customer-data-plane:8299/control/transfer
 edc.dataplane.selector.edchttp.sourcetypes=HttpData
 edc.dataplane.selector.edchttp.destinationtypes=HttpData,HttpProxy
 edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://customer-data-plane:8285/api/public/"}
-
 # backend receiver for static Endpoint Data References
 edc.receiver.http.dynamic.endpoint=http://customer-backend:8081/catena/edrendpoint
 edc.receiver.http.dynamic.auth-key=X-API-KEY
 edc.receiver.http.dynamic.auth-code=${CUSTOMER_BACKEND_API_KEY}
-
 # Postgresql related configuration
 edc.datasource.asset.name=asset
-edc.datasource.asset.url=jdbc:postgresql://postgres:5432/edc_customer_asset
+edc.datasource.asset.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
 # edc.datasource.asset.user and edc.datasource.asset.password are set via .env
-edc.datasource.asset.user= ${PG_USER}
-edc.datasource.asset.password= ${PG_PW}
-
+edc.datasource.asset.user=${PG_USER}
+edc.datasource.asset.password=${PG_PW}
 edc.datasource.contractdefinition.name=contractdefinition
-edc.datasource.contractdefinition.url=jdbc:postgresql://postgres:5432/edc_customer_contractdefinition
-
+edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
 # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env
-edc.datasource.contractdefinition.user= ${PG_USER}
-edc.datasource.contractdefinition.password= ${PG_PW}
-
+edc.datasource.contractdefinition.user=${PG_USER}
+edc.datasource.contractdefinition.password=${PG_PW}
 edc.datasource.contractnegotiation.name=contractnegotiation
-edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres:5432/edc_customer_contractnegotiation
+edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
 # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env
-edc.datasource.contractnegotiation.user= ${PG_USER}
-edc.datasource.contractnegotiation.password= ${PG_PW}
-
+edc.datasource.contractnegotiation.user=${PG_USER}
+edc.datasource.contractnegotiation.password=${PG_PW}
 edc.datasource.policy.name=policy
-edc.datasource.policy.url=jdbc:postgresql://postgres:5432/edc_customer_policy
+edc.datasource.policy.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
 # edc.datasource.policy.user and edc.datasource.policy.password are set via .env
-edc.datasource.policy.user= ${PG_USER}
-edc.datasource.policy.password= ${PG_PW}
-
+edc.datasource.policy.user=${PG_USER}
+edc.datasource.policy.password=${PG_PW}
 edc.datasource.transferprocess.name=transferprocess
-edc.datasource.transferprocess.url=jdbc:postgresql://postgres:5432/edc_customer_transferprocess
+edc.datasource.transferprocess.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
 # edc.datasource.transferprocess.user and edc.datasource.transferprocess.password are set via .env
-edc.datasource.transferprocess.user= ${PG_USER}
-edc.datasource.transferprocess.password= ${PG_PW}
+edc.datasource.transferprocess.user=${PG_USER}
+edc.datasource.transferprocess.password=${PG_PW}
+edc.datasource.policy-monitor.name=policy-monitor
+edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
+# edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env
+edc.datasource.policy-monitor.user=${PG_USER}
+edc.datasource.policy-monitor.password=${PG_PW}
+# see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql
+edc.datasource.bpn.name=policy-monitor
+edc.datasource.bpn.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
+# edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env
+edc.datasource.bpn.user=${PG_USER}
+edc.datasource.bpn.password=${PG_PW}
 # new in 0.4.x
-#edc.datasource.edr.name=edr
-#edc.datasource.edr.url=jdbc:postgresql://postgres:5432/edc_customer_edrs
-# edc.datasource.edr.user and edc.datasource.edr.password are set via .env
+# see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql
+edc.datasource.edr.name=edr
+edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_supplier
+#edc.datasource.edr.user and edc.datasource.edr.password are set via .env
 #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false
-#edc.datasource.edr.user=
-#edc.datasource.edr.password=
-
+edc.datasource.edr.user=${PG_USER}
+edc.datasource.edr.password=${PG_PW}
 # Data Encryption edc-extensions/data-encryption
 edc.data.encryption.keys.alias=${CUSTOMER_ENCRYPTION_KEYS_ALIAS}
diff --git a/local/tractus-x-edc/config/supplier/control-plane.properties b/local/tractus-x-edc/config/supplier/control-plane.properties
index 7ce00630..dfc3aa11 100644
--- a/local/tractus-x-edc/config/supplier/control-plane.properties
+++ b/local/tractus-x-edc/config/supplier/control-plane.properties
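Review bot: Every new `edc.datasource.*.url` in this hunk points the customer connector at `jdbc:postgresql://postgres-customer:5432/edc_supplier`, while the supplier hunk that follows (it runs past the end of this excerpt) points the supplier connector at `edc_customer`; init-db.sql creates both databases, so this reads as a swap and the customer lines should end in `.../postgres-customer:5432/edc_customer` (the same fix applies mirror-wise to the supplier file). `edc.datasource.bpn.name=policy-monitor` is a copy-paste leftover as well: the store name should be `edc.datasource.bpn.name=bpn`, and the comment above `edc.datasource.bpn.user` should name `bpn` rather than `policy-monitor`. Note also that both connectors now use one PostgreSQL instance and the same role `${PG_USER}`/`${PG_PW}` for every store; that is acceptable for a local setup, but a comment such as `# local only: customer and supplier share one postgres role and can reach each other's databases` would stop this layout being copied into a non-local configuration.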
@@ -1,94 +1,88 @@
 # API
 web.http.default.port=9180
 web.http.default.path=/api
-
 # MANAGEMENT (replaced data in 0.3.0)
 web.http.management.port=9181
 web.http.management.path=/management
-
 # CONTROL (replaced validation in 0.3.0)
 web.http.control.port=9183
 web.http.control.path=/api/controlplane/control
-
 # PROTOCOL (replaced IDS in 0.3.0)
 web.http.protocol.port=9184
 web.http.protocol.path=/api/v1/dsp
-
 JAVA_TOOL_OPTIONS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:1044
-
 edc.participant.id=BPNL1234567890ZZ
-edc.api.auth.key= ${EDC_API_PW}
+edc.api.auth.key=${EDC_API_PW}
 edc.dsp.callback.address=http://supplier-control-plane:9184/api/v1/dsp
 edc.hostname=supplier-control-plane
-
 tx.ssi.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 tx.ssi.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID}
 tx.ssi.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS}
 tx.ssi.miw.url=http://miw
 tx.ssi.miw.authority.id=BPNL000000000000
 tx.ssi.endpoint.audience=http://supplier-control-plane:9184/api/v1/dsp
-
 # HashiCorp vault related configuration
 edc.vault.hashicorp.url=http://vault:8200
 edc.vault.hashicorp.health.check.enabled=false
-edc.vault.hashicorp.token= ${VAULT_DEV_ROOT_TOKEN_ID}
-
+edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID}
 # Data-Plane configuration
 edc.transfer.proxy.endpoint=http://supplier-data-plane:9285/api/public/
 edc.transfer.proxy.token.signer.privatekey.alias=${SUPPLIER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${SUPPLIER_PUBLIC_KEY_ALIAS}
-
 # Data-Plane selector configuration
 edc.dataplane.selector.edchttp.url=http://supplier-data-plane:9299/control/transfer
 edc.dataplane.selector.edchttp.sourcetypes=HttpData
 edc.dataplane.selector.edchttp.destinationtypes=HttpData,HttpProxy
 edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://supplier-data-plane:9285/api/public/"}
-
 # puris backend receiver for dynamic Endpoint Data References
 edc.receiver.http.dynamic.endpoint=http://supplier-backend:8082/catena/edrendpoint
 edc.receiver.http.dynamic.auth-key=X-API-KEY
 edc.receiver.http.dynamic.auth-code=${SUPPLIER_BACKEND_API_KEY}
-
 # Postgresql related configuration
 edc.datasource.asset.name=asset
-edc.datasource.asset.url=jdbc:postgresql://postgres:5432/edc_supplier_asset
+edc.datasource.asset.url=jdbc:postgresql://postgres-customer:5432/edc_customer
 # edc.datasource.asset.user and edc.datasource.asset.password are set via .env
-edc.datasource.asset.user= ${PG_USER}
-edc.datasource.asset.password= ${PG_PW}
-
+edc.datasource.asset.user=${PG_USER}
+edc.datasource.asset.password=${PG_PW}
 edc.datasource.contractdefinition.name=contractdefinition
-edc.datasource.contractdefinition.url=jdbc:postgresql://postgres:5432/edc_supplier_contractdefinition
-
+edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-customer:5432/edc_customer
 # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env
-edc.datasource.contractdefinition.user= ${PG_USER}
-edc.datasource.contractdefinition.password= ${PG_PW}
-
+edc.datasource.contractdefinition.user=${PG_USER}
+edc.datasource.contractdefinition.password=${PG_PW}
 edc.datasource.contractnegotiation.name=contractnegotiation
-edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres:5432/edc_supplier_contractnegotiation
+edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-customer:5432/edc_customer
 # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env
-edc.datasource.contractnegotiation.user= ${PG_USER}
-edc.datasource.contractnegotiation.password= ${PG_PW}
-
+edc.datasource.contractnegotiation.user=${PG_USER}
+edc.datasource.contractnegotiation.password=${PG_PW}
 edc.datasource.policy.name=policy
-edc.datasource.policy.url=jdbc:postgresql://postgres:5432/edc_supplier_policy
+edc.datasource.policy.url=jdbc:postgresql://postgres-customer:5432/edc_customer
 # edc.datasource.policy.user and edc.datasource.policy.password are set via .env
-edc.datasource.policy.user= ${PG_USER}
-edc.datasource.policy.password= ${PG_PW}
-
+edc.datasource.policy.user=${PG_USER}
+edc.datasource.policy.password=${PG_PW}
 edc.datasource.transferprocess.name=transferprocess
-edc.datasource.transferprocess.url=jdbc:postgresql://postgres:5432/edc_supplier_transferprocess
+edc.datasource.transferprocess.url=jdbc:postgresql://postgres-customer:5432/edc_customer
 # edc.datasource.transferprocess.user and edc.datasource.transferprocess.password are set via .env
-edc.datasource.transferprocess.user= ${PG_USER}
-edc.datasource.transferprocess.password= ${PG_PW}
-
+edc.datasource.transferprocess.user=${PG_USER}
+edc.datasource.transferprocess.password=${PG_PW}
+edc.datasource.policy-monitor.name=policy-monitor
+edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+# edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env
+edc.datasource.policy-monitor.user=${PG_USER}
+edc.datasource.policy-monitor.password=${PG_PW}
+# see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql
+edc.datasource.bpn.name=policy-monitor
+edc.datasource.bpn.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+# edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env
+edc.datasource.bpn.user=${PG_USER}
+edc.datasource.bpn.password=${PG_PW}
 # new in 0.4.x
-#edc.datasource.edr.name=edr
-#edc.datasource.edr.url=jdbc:postgresql://postgres:5432/edc_supplier_edrs
-# edc.datasource.edr.user and edc.datasource.edr.password are set via .env
+# see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql
+edc.datasource.edr.name=edr
+edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+#edc.datasource.edr.user and edc.datasource.edr.password are set via .env
 #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false
-#edc.datasource.edr.user=
-#edc.datasource.edr.password=
-
+edc.datasource.edr.user=${PG_USER}
+edc.datasource.edr.password=${PG_PW}
 # Data Encryption
 edc.data.encryption.keys.alias=${SUPPLIER_ENCRYPTION_KEYS_ALIAS}
diff --git a/local/tractus-x-edc/docker-compose.yaml b/local/tractus-x-edc/docker-compose.yaml
index 05c99088..afb927c3 100644
--- a/local/tractus-x-edc/docker-compose.yaml
+++ b/local/tractus-x-edc/docker-compose.yaml
@@ -20,14 +20,14 @@ # version: "3" services: - control-plane: - image : tractusx/edc-controlplane-memory-hashicorp-vault:0.5.3 - volumes: - - ./config/default/opentelemetry.properties:/app/opentelemetry.properties - - ./config/default/logging.properties:/app/logging.properties + control-plane: + image: tractusx/edc-controlplane-postgresql-hashicorp-vault:0.7.0 + volumes: + - ./config/default/opentelemetry.properties:/app/opentelemetry.properties + - ./config/default/logging.properties:/app/logging.properties - data-plane: - image: tractusx/edc-dataplane-hashicorp-vault:0.5.3 - volumes: - - ./config/default/opentelemetry.properties:/app/opentelemetry.properties - - ./config/default/logging.properties:/app/logging.properties + data-plane: + image: tractusx/edc-dataplane-hashicorp-vault:0.7.0 + volumes: + - ./config/default/opentelemetry.properties:/app/opentelemetry.properties + - ./config/default/logging.properties:/app/logging.properties
From 14632d01ae8c616fd4eb8cc3b94f796076e71fa1 Mon Sep 17 00:00:00 2001
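Review bot: Every supplier datasource URL in this hunk, from `edc.datasource.asset.url` down to `edc.datasource.edr.url`, now points at `jdbc:postgresql://postgres-customer:5432/edc_customer`, while the customer's control-plane.properties in the preceding hunk points its datasources at `postgres-customer:5432/edc_supplier`; the two database names look swapped, and in either reading both connectors share one schema, so the local setup no longer separates the two parties' assets, policies, negotiations and EDRs. Sharing the Postgres instance is fine, but each connector should keep its own database, i.e. `...://postgres-customer:5432/edc_supplier` throughout this file and `edc_customer` in the customer file. `edc.datasource.bpn.name=policy-monitor` and the `# edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env` comment above `edc.datasource.bpn.user` look like copy-paste leftovers from the policy-monitor block; `edc.datasource.bpn.name=bpn` and `# edc.datasource.bpn.user and edc.datasource.bpn.password are set via .env` would make the block read correctly, assuming the bpn store is meant to have its own datasource rather than reuse the policy-monitor one. The customer hunk above carries the same two leftovers.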
From: --show-origin Date: Thu, 25 Apr 2024 02:21:28 -0700 Subject: [PATCH 02/19] refactor(bdrs): move to infrastructure docker --- local/docker-compose-edc.yaml | 28 +++------------------ local/docker-compose-infrastructure.yaml | 22 ++++++++++++++++ local/seed-bdrs.sh | 32 ++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 25 deletions(-) create mode 100644 local/seed-bdrs.sh diff --git a/local/docker-compose-edc.yaml b/local/docker-compose-edc.yaml index 895ad286..7b39ffe5 100644 --- a/local/docker-compose-edc.yaml +++ b/local/docker-compose-edc.yaml @@ -21,28 +21,6 @@ version: "3" services: - bdrs: - image: tractusx/bdrs-server-memory - container_name: bdrs - environment: - EDC_API_AUTH_KEY: password - WEB_HTTP_PORT: 8580 - WEB_HTTP_PATH: /api - WEB_HTTP_MANAGEMENT_PORT: 8581 - WEB_HTTP_MANAGEMENT_PATH: /api/management - WEB_HTTP_DIRECTORY_PORT: 8582 - WEB_HTTP_DIRECTORY_PATH: /api/directory - EDC_IAM_DID_WEB_USE_HTTPS: false - EDC_IAM_TRUSTED-ISSUER_ISSUER_ID: did:web:edr-service/trusted-issuer - _LEVEL: DEBUG - ports: - - "127.0.0.1:8580:8580" - - "127.0.0.1:8581:8581" - - "127.0.0.1:8582:8582" - networks: - - miw-net - # TODO check cacerts need in deployment.yaml - postgres-customer: image: postgres:15.4-alpine container_name: customer-postgres 
@@ -85,11 +63,11 @@ services: TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582/api/directory TX_IAM_IATP_BDRS_CACHE_VALIDITY: 600 # iatp / dim - EDC_IAM_ISSUER_ID: did:web:edr-service/customer + EDC_IAM_ISSUER_ID: did:web:edr-service/customer #TODO fehlconfig? EDC_IAM_STS_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token EDC_IAM_STS_OAUTH_CLIENT_ID: ${CUSTOMER_OAUTH_CLIENT_ID} EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${CUSTOMER_OAUTH_SECRET_ALIAS} #TODO - EDC_IAM_STS_DIM_URL: http://edr-service:80 + EDC_IAM_STS_DIM_URL: http://edr-service:80/sts EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer # configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50 TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 @@ -184,7 +162,7 @@ services: EDC_IAM_STS_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token EDC_IAM_STS_OAUTH_CLIENT_ID: ${SUPPLIER_OAUTH_CLIENT_ID} EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${SUPPLIER_OAUTH_SECRET_ALIAS} #TODO - EDC_IAM_STS_DIM_URL: http://edr-service:80 + EDC_IAM_STS_DIM_URL: http://edr-service:80/sts EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer # configure one Credential service for all (else pulled from did) TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 8449651e..35229641 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml 
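Review bot: The context line `TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582/api/directory` two lines above the changed `EDC_IAM_ISSUER_ID` spells the host `brds`, but the service this same commit adds to docker-compose-infrastructure.yaml is named `bdrs` (the supplier block further down already uses `http://bdrs:8582/api/directory`), so the customer control plane's BDRS lookups cannot resolve on the new side; it should read `TX_IAM_IATP_BDRS_SERVER_URL: http://bdrs:8582/api/directory`. The trailing comment added here, `#TODO fehlconfig?`, appears to be the only non-English comment in the visible lines; `# TODO: possibly misconfigured, verify this issuer DID` keeps it readable for the rest of the team. The `/sts` suffix added to `EDC_IAM_STS_DIM_URL` in this hunk and in the supplier hunk that follows is consistent between the two, but `TX_IAM_IATP_CREDENTIALSERVICE_URL` next to it still points at the bare `http://edr-service:80`; a short comment on why the STS and credential-service paths differ would save the next reader from "fixing" one of them.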
@@ -81,6 +81,28 @@ services: - ./vault/secrets:${VAULT_SECRETS_DIR} networks: - miw-net + + bdrs: + image: tractusx/bdrs-server-memory + container_name: bdrs + environment: + EDC_API_AUTH_KEY: password + WEB_HTTP_PORT: 8580 + WEB_HTTP_PATH: /api + WEB_HTTP_MANAGEMENT_PORT: 8581 + WEB_HTTP_MANAGEMENT_PATH: /api/management + WEB_HTTP_DIRECTORY_PORT: 8582 + WEB_HTTP_DIRECTORY_PATH: /api/directory + EDC_IAM_DID_WEB_USE_HTTPS: false + EDC_IAM_TRUSTED-ISSUER_ISSUER_ID: did:web:edr-service/trusted-issuer + _LEVEL: DEBUG + ports: + - "127.0.0.1:8580:8580" + - "127.0.0.1:8581:8581" + - "127.0.0.1:8582:8582" + networks: + - miw-net + # TODO check cacerts need in deployment.yaml networks: miw-net: name: miw-net diff --git a/local/seed-bdrs.sh b/local/seed-bdrs.sh new file mode 100644 index 00000000..2f235915 --- /dev/null +++ b/local/seed-bdrs.sh 
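Review bot: `EDC_API_AUTH_KEY: password` hard-codes the BDRS management API key in the compose file, whereas every other secret in this setup (`${PG_PW}`, `${VAULT_DEV_ROOT_TOKEN_ID}`, `${EDC_API_PW}`) is read from `.env`; the same literal is repeated in `local/seed-bdrs.sh` (`KEY=password`) and, in the third patch of this series, in `local/bdrs/application.properties` (`edc.api.auth.key=password`), so three places have to change together. Reading it from the env file, e.g. `EDC_API_AUTH_KEY: ${BDRS_API_KEY}` (variable name constructed here; pick one consistent with the existing `.env`), and having the seed script use the same variable keeps a single source of truth even for a local-only key. Binding the three ports to `127.0.0.1` is right. The `_LEVEL: DEBUG` key looks truncated, as if a property prefix before `_LEVEL` was lost; worth checking that the server actually honours it, or dropping it.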
@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2024 Volkswagen AG
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+#!/bin/bash
+
+KEY=password
+
+curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL4444444444XX", "did": "did:web:edr-service/customer" }' http://localhost:8581/api/management/bpn-directory | jq
+echo ""
+
+curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL1234567890ZZ", "did": "did:web:edr-service/supplier" }' http://localhost:8581/api/management/bpn-directory | jq
+echo ""
+
+curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL000000000000", "did": "did:web:edr-service/trusted-issuer" }' http://localhost:8581/api/management/bpn-directory | jq
+echo ""
From e30b7a6a536f54c041dfd8b6d55f4bf686c59af6 Mon Sep 17 00:00:00 2001
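Review bot: `#!/bin/bash` sits on line 21 of the new file, after the license header, so it is an ordinary comment: only a shebang on the very first line is honoured, and `./seed-bdrs.sh` will run under whatever shell the caller happens to use. Move it to line 1, ahead of the license block. The three `curl ... | jq` pipelines also report nothing on failure: without `--fail` a 401 or 404 response body is simply piped into `jq` and the script carries on, so `set -euo pipefail` right after the shebang and `curl -sS --fail ...` in each call would make a wrong `x-api-key` or an unreachable BDRS visible instead of silently seeding nothing.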
From: --show-origin Date: Mon, 29 Apr 2024 02:36:59 -0700 Subject: [PATCH 03/19] refactor(docker-compose-edc): refactor to get to old state --- local/MIGRATION_NOTES.md | 183 ++++++++---------- local/bdrs/application.properties | 11 ++ .../credential/Membership_Credential.json | 19 -- .../customer/verifieable-presentation.json | 14 -- local/docker-compose-edc.yaml | 115 ++++------- local/docker-compose-infrastructure.yaml | 16 +- .../config/customer/control-plane.properties | 22 ++- .../config/customer/data-plane.properties | 53 +++-- .../config/supplier/control-plane.properties | 22 ++- .../config/supplier/data-plane.properties | 55 ++++-- 10 files changed, 250 insertions(+), 260 deletions(-) create mode 100644 local/bdrs/application.properties delete mode 100644 local/bdrs/credential/Membership_Credential.json delete mode 100644 local/bdrs/customer/verifieable-presentation.json diff --git a/local/MIGRATION_NOTES.md b/local/MIGRATION_NOTES.md index 674fdf37..4e0559bb 100644 --- a/local/MIGRATION_NOTES.md +++ b/local/MIGRATION_NOTES.md 
@@ -51,78 +51,7 @@ error policy.@type = "odrl:Set" -catalog request results in unexpected null pinter during membershipPresentation call - -SEVERE 2024-04-18T18:14:41.467647124 JerseyExtension: Unexpected exception caught -java.lang.NullPointerException -at java.base/java.util.Objects.requireNonNull(Unknown Source) -at java.base/java.util.ImmutableCollections$MapN.(Unknown Source) -at java.base/java.util.Map.of(Unknown Source) -at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.createMembershipPresentation(BdrsClientImpl.java:153) -at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.updateCache(BdrsClientImpl.java:121) -at org.eclipse.tractusx.edc.identity.mapper.BdrsClientImpl.resolve(BdrsClientImpl.java:101) -at org.eclipse.tractusx.edc.identity.mapper.BdrsClientAudienceMapper.resolve(BdrsClientAudienceMapper.java:39) -at org.eclipse.edc.protocol.dsp.http.dispatcher.DspHttpRemoteMessageDispatcherImpl.dispatch( -DspHttpRemoteMessageDispatcherImpl.java:121) -at org.eclipse.edc.connector.core.message.RemoteMessageDispatcherRegistryImpl.dispatch( -RemoteMessageDispatcherRegistryImpl.java:48) -at org.eclipse.edc.connector.controlplane.services.catalog.CatalogServiceImpl.requestCatalog(CatalogServiceImpl.java:44) -at org.eclipse.edc.connector.controlplane.api.management.catalog.CatalogApiController.requestCatalog( -CatalogApiController.java:64) -at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source) -at java.base/java.lang.reflect.Method.invoke(Unknown Source) -at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0( -ResourceMethodInvocationHandlerFactory.java:52) -at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run( -AbstractJavaResourceMethodDispatcher.java:146) -at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke( -AbstractJavaResourceMethodDispatcher.java:189) -at 
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$VoidOutInvoker.doDispatch( -JavaResourceMethodDispatcherProvider.java:159) -at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch( -AbstractJavaResourceMethodDispatcher.java:93) -at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) -at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) -at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) -at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:261) -at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) -at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) -at org.glassfish.jersey.internal.Errors.process(Errors.java:292) -at org.glassfish.jersey.internal.Errors.process(Errors.java:274) -at org.glassfish.jersey.internal.Errors.process(Errors.java:244) -at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) -at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:240) -at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:697) -at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394) -at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346) -at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:357) -at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311) -at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205) -at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) -at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529) -at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) -at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381) -at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) -at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) -at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) -at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303) -at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) -at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) -at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) -at org.eclipse.jetty.server.Server.handle(Server.java:563) -at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598) -at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) -at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) -at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) -at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) -at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) -at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) -at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) -at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) -at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) -at java.base/java.lang.Thread.run(Unknown Source) - ---> bpdrs service needed +Catalog Request needs `counterPartyId` # bdrs 
@@ -131,23 +60,7 @@ Calls needed: - management -> create bpn directory - BPN-Directory -> map of bpn and did reachable -bpn directory is securied by jwt containing: - -- vp holder key -- vp holder id -- null -- bdrs-server-audience -- map with - - vp following content example with holderId and vcJwt - -vcJwt inserted is build with - -- spoofedKey -- issuerId -- degreeSub -- holderId -- map with - - vc = membership_credential with holderId inserted +The EDC needs to self-IATP to get a `MembershipCredential` to use the BDRS DIDs are build following JsonWebKey2020 DID-ID like did:web:name-to-use 
@@ -187,32 +100,88 @@ https://github.com/eclipse-edc/Connector/blob/4fd16b8e34d685239ea40fc3d8e9b02cc8 - a key is somehow resolved. This may be from the did.json -bdrs | WARNING 2024-04-21T19:34:23.497508523 Error validating BDRS client VP: Credential is not yet valid., Not all -credential subject IDs match the expected subject ID 'did:web:edr-service/trusted-issuer'. Violating subject -IDs: [did:web:edr-service/supplier] - -- I need to check on subjects - likely this is wrong -- not sure why the credential should not be valid - Following this [test](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImplComponentTest.java), - the VC is signed by the issuer - the VP is signed by the holder -Why does the catalog request on consumer side result in port 443 / ssl? - -Overall request is the dim request --> check in dim test - Following Tractus-X Connector Setup -- DIM = your wallet that already contains VCs +- DIM = your wallet that already contains VCs -> encapsulated STS and CS - Credential Service = get your own VP to hand over. (something like the miw) - SecureTokenService = get auth for something and then request presentation -customer-control-plane | DEBUG 2024-04-22T17:49:36.200763912 DSP: Incoming CatalogRequestMessage for class -org.eclipse.edc.connector.controlplane.catalog.spi.Catalog process -customer-control-plane | DEBUG 2024-04-22T17:49:36.267334896 Unauthorized: No Service endpoint 'CredentialService' found -on DID Document. 
-customer-control-plane | DEBUG 2024-04-22T17:49:36.267812038 DSP: Service call failed: Unauthorized +# Updates EDR + +edr callback payload + +```json +{ + "id": "3099e0f1-e255-4a00-8a8b-8ec5c16e8758", + "at": 1714325393313, + "payload": { + "transferProcessId": "07231854-112b-45bb-957b-4fb01dc2718f", + "callbackAddresses": [ + { + "uri": "http://edr-service:80/edr-log", + "events": [ + "transfer.process.started" + ], + "transactional": false, + "authKey": "None", + "authCodeId": "None" + } + ], + "assetId": "ASSET_1", + "type": "CONSUMER", + "contractId": "54dd6fe4-7a4e-4de6-b7b8-2f131fc99f79", + "dataAddress": { + "properties": { + "process_id": "6570b7a5-7df9-42be-9fd7-80f200427fc3", + "participant_id": "BPNL1234567890ZZ", + "asset_id": "ASSET_1", + "https://w3id.org/edc/v0.0.1/ns/endpointType": "https://w3id.org/idsa/v4.1/HTTP", + "https://w3id.org/tractusx/auth/refreshEndpoint": "http://customer-data-plane:8285/api/public", + "https://w3id.org/tractusx/auth/audience": "did:web:edr-service/supplier", + "agreement_id": "54dd6fe4-7a4e-4de6-b7b8-2f131fc99f79", + "flow_type": "PULL", + "https://w3id.org/edc/v0.0.1/ns/type": "https://w3id.org/idsa/v4.1/HTTP", + "https://w3id.org/edc/v0.0.1/ns/endpoint": "http://customer-data-plane:8285/api/public", + "https://w3id.org/tractusx/auth/refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", + "https://w3id.org/tractusx/auth/expiresIn": "300", + "https://w3id.org/edc/v0.0.1/ns/authorization": 
"eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", + "https://w3id.org/tractusx/auth/refreshAudience": "did:web:edr-service/supplier" + } + } + }, + "type": "TransferProcessStarted" +} +``` + +Get against EDR API after Transfer Process: +`{{SUPPLIER_EDC}}/{{MANAGEMENT_PATH}}/v2/transferprocesses/{{TRANSFER_PROCESS_ID}}` + +```json +{ + "@type": "DataAddress", + "endpointType": "https://w3id.org/idsa/v4.1/HTTP", + "tx-auth:refreshEndpoint": "http://customer-data-plane:8285/api/public", + "tx-auth:audience": "did:web:edr-service/supplier", + "type": "https://w3id.org/idsa/v4.1/HTTP", + "endpoint": "http://customer-data-plane:8285/api/public", + "tx-auth:refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", + "tx-auth:expiresIn": "300", + // use Header Authorization + "authorization": 
"eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", + "tx-auth:refreshAudience": "did:web:edr-service/supplier", + "@context": { + "@vocab": "https://w3id.org/edc/v0.0.1/ns/", + "edc": "https://w3id.org/edc/v0.0.1/ns/", + "tx": "https://w3id.org/tractusx/v0.0.1/ns/", + "tx-auth": "https://w3id.org/tractusx/auth/", + "cx-policy": "https://w3id.org/catenax/policy/", + "odrl": "http://www.w3.org/ns/odrl/2/" + } +} +``` diff --git a/local/bdrs/application.properties b/local/bdrs/application.properties new file mode 100644 index 00000000..69fb9587 --- /dev/null +++ b/local/bdrs/application.properties @@ -0,0 +1,11 @@ +edc.api.auth.key=password +web.http.port=8580 +web.http.path=/api +web.http.management.port=8581 +web.http.management.path=/api/management +web.http.directory.port=8582 +web.http.directory.path=/api/directory +# looking up DIDs should not use https +edc.iam.did.web.use.https=false +edc.iam.trusted-issuer.issuer.id=did:web:edr-service/trusted-issuer +_level=DEBUG diff --git a/local/bdrs/credential/Membership_Credential.json b/local/bdrs/credential/Membership_Credential.json deleted file mode 100644 index d77f14ee..00000000 --- a/local/bdrs/credential/Membership_Credential.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "@context": [ - "https://www.w3.org/2018/credentials/v1", - "https://w3id.org/catenax/credentials/v1.0.0" - ], - "id": "1f36af58-0fc0-4b24-9b1c-e37d59668089", - "type": [ - "VerifiableCredential", - "MembershipCredential" - ], - "issuer": "did:web:com.example.issuer", - "issuanceDate": "2021-06-16T18:56:59Z", - "expirationDate": "2199-06-16T18:56:59Z", - "credentialSubject": { - "id": "%s", - "holderIdentifier": "BPNL000000001" - } -} -// https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/TestData.java#L22 diff --git a/local/bdrs/customer/verifieable-presentation.json b/local/bdrs/customer/verifieable-presentation.json deleted file mode 100644 index 70f76c01..00000000 --- a/local/bdrs/customer/verifieable-presentation.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "@context": [ - "https://www.w3.org/2018/credentials/v1", - "https://www.w3.org/2018/credentials/examples/v1" - ], - "id": "https://exapmle.com/test-vp", - "holder": "%s", - "type": [ - "VerifiablePresentation" - ], - "verifiableCredential": [ - %s -] -} diff --git a/local/docker-compose-edc.yaml b/local/docker-compose-edc.yaml index 7b39ffe5..1a2ef87d 100644 --- a/local/docker-compose-edc.yaml +++ b/local/docker-compose-edc.yaml 
@@ -58,26 +58,6 @@ services: container_name: customer-control-plane env_file: - ./tractus-x-edc/config/customer/control-plane.properties - environment: - # bdrs client - TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582/api/directory - TX_IAM_IATP_BDRS_CACHE_VALIDITY: 600 - # iatp / dim - EDC_IAM_ISSUER_ID: did:web:edr-service/customer #TODO fehlconfig? - EDC_IAM_STS_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token - EDC_IAM_STS_OAUTH_CLIENT_ID: ${CUSTOMER_OAUTH_CLIENT_ID} - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${CUSTOMER_OAUTH_SECRET_ALIAS} #TODO - EDC_IAM_STS_DIM_URL: http://edr-service:80/sts - EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer - # configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50 - TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 - # don't use https during did resolving in catalog request - EDC_IAM_DID_WEB_USE_HTTPS: false - # environment: - # SPRING_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver - # SPRING_DATASOURCE_URL: jdbc:postgresql://supplier-postgres:5432/dtr_database - # SPRING_DATASOURCE_USERNAME: ${PG_USER} - # SPRING_DATASOURCE_PASSWORD: ${PG_PW} ports: - "127.0.0.1:8180:8180" - "127.0.0.1:8181:8181" 
@@ -89,24 +69,26 @@ services: extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - # edc-customer-data-plane: - # restart: on-failure - # extends: - # file: ./tractus-x-edc/docker-compose.yaml - # service: data-plane - # container_name: customer-data-plane - # ports: - # - "127.0.0.1:8280:8280" - # - "127.0.0.1:8285:8285" - # - "127.0.0.1:8299:8299" - # environment: - # edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} - # env_file: - # - ./tractus-x-edc/config/customer/data-plane.properties - # networks: - # - miw-net - # extra_hosts: - # - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + edc-customer-data-plane: + depends_on: + postgres-customer: + condition: service_healthy + restart: on-failure + extends: + file: ./tractus-x-edc/docker-compose.yaml + service: data-plane + container_name: customer-data-plane + ports: + - "127.0.0.1:8280:8280" + - "127.0.0.1:8283:8283" + - "127.0.0.1:8285:8285" + - "127.0.0.1:8299:8299" + env_file: + - ./tractus-x-edc/config/customer/data-plane.properties + networks: + - miw-net + extra_hosts: + - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine # postgres-supplier: # image: postgres:15.4-alpine 
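Review bot: The uncommented `edc-customer-data-plane` block drops the `environment:` entry `edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID}` that the commented-out version carried, so the data plane's vault token now has to come from `./tractus-x-edc/config/customer/data-plane.properties`; that file is changed in this commit but not visible in this hunk, so please confirm it sets `edc.vault.hashicorp.token`, otherwise the data plane starts without vault access and its key aliases cannot be resolved. A new published port `127.0.0.1:8283:8283` appears alongside the three previous ones without saying what it serves; a trailing comment per port would help, and I cannot tell from this hunk which API 8283 maps to. The `edc-supplier-data-plane` block added further down (its hunk runs past the visible diff) mirrors this one and has the same two gaps.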
@@ -152,46 +134,31 @@ services: - "127.0.0.1:1044:1044" env_file: - ./tractus-x-edc/config/supplier/control-plane.properties - environment: - TX_IAM_IATP_BDRS_SERVER_URL: http://bdrs:8582/api/directory - # TX_IAM_IATP_BDRS_SERVER_URL: http://brds:8582 - TX_IAM_IATP_BDRS_CACHE_VALIDITY: 600 - # iatp / dim - EDC_IAM_ISSUER_ID: did:web:edr-service/supplier - # locally we don't actually care, because our dim service will accept all - EDC_IAM_STS_OAUTH_TOKEN_URL: http://keycloak:8080/realms/miw_test/protocol/openid-connect/token - EDC_IAM_STS_OAUTH_CLIENT_ID: ${SUPPLIER_OAUTH_CLIENT_ID} - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: ${SUPPLIER_OAUTH_SECRET_ALIAS} #TODO - EDC_IAM_STS_DIM_URL: http://edr-service:80/sts - EDC_IAM_TRUSTED-ISSUER_PORTAL-ISSUER-ID_ID: did:web:edr-service/trusted-issuer - # configure one Credential service for all (else pulled from did) - TX_IAM_IATP_CREDENTIALSERVICE_URL: http://edr-service:80 - # don't use https during did resolving - EDC_IAM_DID_WEB_USE_HTTPS: false networks: - miw-net extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine -# -# -# edc-supplier-data-plane: -# restart: on-failure -# extends: -# file: ./tractus-x-edc/docker-compose.yaml -# service: data-plane -# container_name: supplier-data-plane -# ports: -# - "127.0.0.1:9280:9280" -# - "127.0.0.1:9285:9285" -# - "127.0.0.1:9299:9299" -# environment: -# edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} -# env_file: -# - ./tractus-x-edc/config/supplier/data-plane.properties -# networks: -# - miw-net -# extra_hosts: -# - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + + edc-supplier-data-plane: + depends_on: + postgres-customer: + condition: service_healthy + restart: on-failure + extends: + file: ./tractus-x-edc/docker-compose.yaml + service: data-plane + container_name: supplier-data-plane + ports: + - "127.0.0.1:9280:9280" 
+ - "127.0.0.1:9283:9283" + - "127.0.0.1:9285:9285" + - "127.0.0.1:9299:9299" + env_file: + - ./tractus-x-edc/config/supplier/data-plane.properties + networks: + - miw-net + extra_hosts: + - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine networks: miw-net: diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 35229641..77c94a48 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml @@ -83,26 +83,16 @@ services: - miw-net bdrs: - image: tractusx/bdrs-server-memory + image: tractusx/bdrs-server-memory:0.0.4 container_name: bdrs - environment: - EDC_API_AUTH_KEY: password - WEB_HTTP_PORT: 8580 - WEB_HTTP_PATH: /api - WEB_HTTP_MANAGEMENT_PORT: 8581 - WEB_HTTP_MANAGEMENT_PATH: /api/management - WEB_HTTP_DIRECTORY_PORT: 8582 - WEB_HTTP_DIRECTORY_PATH: /api/directory - EDC_IAM_DID_WEB_USE_HTTPS: false - EDC_IAM_TRUSTED-ISSUER_ISSUER_ID: did:web:edr-service/trusted-issuer - _LEVEL: DEBUG + env_file: + - ./bdrs/application.properties ports: - "127.0.0.1:8580:8580" - "127.0.0.1:8581:8581" - "127.0.0.1:8582:8582" networks: - miw-net - # TODO check cacerts need in deployment.yaml networks: miw-net: name: miw-net diff --git a/local/tractus-x-edc/config/customer/control-plane.properties b/local/tractus-x-edc/config/customer/control-plane.properties index a62e5ddc..e765e72c 100644 --- a/local/tractus-x-edc/config/customer/control-plane.properties +++ b/local/tractus-x-edc/config/customer/control-plane.properties 
@@ -14,6 +14,22 @@ edc.participant.id=BPNL4444444444XX
 edc.api.auth.key=${EDC_API_PW}
 edc.dsp.callback.address=http://customer-control-plane:8184/api/v1/dsp
 edc.hostname=customer-control-plane
+# IATP
+tx.iam.iatp.bdrs.server.url=http://bdrs:8582/api/directory
+tx.iam.iatp.bdrs.validity=600
+# iatp / dim
+edc.iam.issuer.id=did:web:edr-service/customer
+# locally we don't actually care, because our dim service will accept all
+edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
+edc.iam.sts.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
+edc.iam.sts.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
+edc.iam.sts.dim.url=http://edr-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+# configure one Credential service for all (else pulled from did, nevertheless done)
+tx.iam.iatp.credentialservice.url=http://edr-service:80
+# don't use https during did resolving
+edc.iam.did.web.use.https=false
+# old MIW config, can be ignored TODO remove
 tx.ssi.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 tx.ssi.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
 tx.ssi.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
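Review bot: `tx.iam.iatp.bdrs.validity=600` is not the key the removed compose environment carried, which was `TX_IAM_IATP_BDRS_CACHE_VALIDITY` (mapping to `tx.iam.iatp.bdrs.cache.validity`, following the same env-to-property pattern as `TX_IAM_IATP_BDRS_SERVER_URL`); unless the setting was renamed in the tractusx-edc version being targeted, the 600 s value is silently ignored and the extension default applies, so the key should be confirmed against the BdrsClientExtension the data-plane comment links to. The supplier control-plane hunk further down has the same line. Separately, `edc.iam.did.web.use.https=false` disables TLS for the DID documents that anchor issuer keys; now that this properties file is the only place the flag lives, make its scope explicit, e.g. `# LOCAL ONLY: DID documents are resolved over plain http; must stay true in any deployed profile`. The `# old MIW config, can be ignored TODO remove` block keeps a second copy of the same client id and secret alias under `tx.ssi.*`; if it is really unused, removing it here avoids two places to rotate.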
@@ -29,10 +45,12 @@ edc.transfer.proxy.endpoint=http://customer-data-plane:8285/api/public/
 edc.transfer.proxy.token.signer.privatekey.alias=${CUSTOMER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${CUSTOMER_PUBLIC_KEY_ALIAS}
 # Data-Plane selector configuration
-edc.dataplane.selector.edchttp.url=http://customer-data-plane:8299/control/transfer
+edc.dataplane.selector.edchttp.url=http://customer-data-plane:8283/api/signaling/v1/dataflows
+# HttpData-PULL,HttpData-PUSH,AmazonS3-PUSH,AzureStorage-PUSH
+edc.dataplane.selector.edchttp.transfertypes=HttpData-PULL,HttpData-PUSH
 edc.dataplane.selector.edchttp.sourcetypes=HttpData
 edc.dataplane.selector.edchttp.destinationtypes=HttpData,HttpProxy
-edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://customer-data-plane:8285/api/public/"}
+edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://customer-data-plane:8285/api/public"}
 # backend receiver for static Endpoint Data References
 edc.receiver.http.dynamic.endpoint=http://customer-backend:8081/catena/edrendpoint
 edc.receiver.http.dynamic.auth-key=X-API-KEY
diff --git a/local/tractus-x-edc/config/customer/data-plane.properties b/local/tractus-x-edc/config/customer/data-plane.properties
index aa008814..4e872eac 100644
--- a/local/tractus-x-edc/config/customer/data-plane.properties
+++ b/local/tractus-x-edc/config/customer/data-plane.properties
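Review bot: The `publicApiUrl` in `edc.dataplane.selector.edchttp.properties` drops its trailing slash, but `edc.transfer.proxy.endpoint=http://customer-data-plane:8285/api/public/` in the hunk's context line keeps it, so the two addresses handed out for the same public API now differ by a character; if the slash removal was deliberate (the EDR samples in the notes show `/api/public` without it), align the proxy endpoint too, otherwise a consumer comparing endpoints will see two values. The supplier control-plane hunk below has the same pair. The bare comment `# HttpData-PULL,HttpData-PUSH,AmazonS3-PUSH,AzureStorage-PUSH` reads as a left-over value rather than documentation; `# known transfer types: HttpData-PULL,HttpData-PUSH,AmazonS3-PUSH,AzureStorage-PUSH (only the HttpData ones are registered here)` says what it is for.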
@@ -4,28 +4,53 @@ web.http.path=/api
 # Public
 web.http.public.port=8285
 web.http.public.path=/api/public
-# Control
-web.http.control.port=8299
-web.http.control.path=/control
-
+# new in 0.7.0 data plane signalling, replaced control
+web.http.signaling.port=8283
+web.http.signaling.path=/api/signaling
 # new in 0.3.3 - why do we need the management in a data plane?
 web.http.management.port=8293
 web.http.management.path=/api/v1/data
-
 # Validation endpoint of controlplane
 edc.dataplane.token.validation.endpoint=http://customer-control-plane:8183/api/controlplane/control/token
-
 # EDC hostname
 edc.hostname=customer-data-plane
-
 # HashiCorp vault related configuration
 edc.vault.hashicorp.url=http://vault:8200
 edc.vault.hashicorp.health.check.enabled=false
-edc.vault.hashicorp.token= ${VAULT_DEV_ROOT_TOKEN_ID}
-
-#edc.datasource.edr.name=edr
-#edc.datasource.edr.url=jdbc:postgresql://postgres:5432/edc_customer_edrs
-# edc.datasource.edr.user and edc.datasource.edr.password are set via .env
+edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID}
+# EDCR exentions
+edc.datasource.edr.name=edr
+edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+#edc.datasource.edr.user and edc.datasource.edr.password are set via .env
 #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false
-#edc.datasource.edr.user=${PG_USER}
-#edc.datasource.edr.password=${PG_PW}
+edc.datasource.edr.user=${PG_USER}
+edc.datasource.edr.password=${PG_PW}
+# see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/data-plane-store-sql
+edc.datasource.dataplane.name=edr
+edc.datasource.dataplane.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+edc.datasource.dataplane.user=${PG_USER}
+edc.datasource.dataplane.password=${PG_PW}
+# extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/accesstokendata-store-sql
+edc.datasource.accesstokendata.name=edr
+edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-customer:5432/edc_customer
+edc.datasource.accesstokendata.user=${PG_USER}
+edc.datasource.accesstokendata.password=${PG_PW}
+# token refresh
+edc.dataplane.token.expiry=300
+edc.dataplane.token.expiry.tolerance=10
+# optional endpoint
+#edc.dataplane.token.refresh.endpoint=
+edc.transfer.proxy.token.signer.privatekey.alias=${CUSTOMER_PRIVATE_KEY_ALIAS}
+edc.transfer.proxy.token.verifier.publickey.alias=${CUSTOMER_PUBLIC_KEY_ALIAS}
+# IATP
+edc.iam.issuer.id=did:web:edr-service/customer
+edc.participant.id=BPNL4444444444XX
+edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
+edc.iam.sts.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
+edc.iam.sts.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
+edc.iam.sts.dim.url=http://edr-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+# configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50
+tx.iam.credentialservice.url=http://edr-service:80
+# don't use https during did resolving in catalog request
+edc.iam.did.web.use.https=false
diff --git a/local/tractus-x-edc/config/supplier/control-plane.properties b/local/tractus-x-edc/config/supplier/control-plane.properties
index dfc3aa11..116f7ede 100644
--- a/local/tractus-x-edc/config/supplier/control-plane.properties
+++ b/local/tractus-x-edc/config/supplier/control-plane.properties
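Review bot: `tx.iam.credentialservice.url=http://edr-service:80` uses a different key than the control-plane properties in this commit (`tx.iam.iatp.credentialservice.url`) and than the compose variable the commit removes (`TX_IAM_IATP_CREDENTIALSERVICE_URL`); only one spelling can be the setting the bdrs-client extension reads, so in one of the two files the credential-service override is silently dropped and the URL falls back to whatever the DID document says, which is exactly the path the comment says is being bypassed. The supplier data-plane hunk below has the same line. The three datasource contexts `edr`, `dataplane` and `accesstokendata` all get `.name=edr` and the same JDBC URL and `${PG_USER}`/`${PG_PW}` pair; if one shared pool is intended, a one-line comment saying so would stop the next reader from "fixing" it, otherwise give each context its own name so a later split is visible. Minor: `# EDCR exentions` should read `# EDR extensions` as in the supplier file.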
@@ -15,6 +15,22 @@ edc.participant.id=BPNL1234567890ZZ
 edc.api.auth.key=${EDC_API_PW}
 edc.dsp.callback.address=http://supplier-control-plane:9184/api/v1/dsp
 edc.hostname=supplier-control-plane
+# IATP
+tx.iam.iatp.bdrs.server.url=http://bdrs:8582/api/directory
+tx.iam.iatp.bdrs.validity=600
+# iatp / dim
+edc.iam.issuer.id=did:web:edr-service/supplier
+# locally we don't actually care, because our dim service will accept all
+edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
+edc.iam.sts.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID}
+edc.iam.sts.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS}
+edc.iam.sts.dim.url=http://edr-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+# configure one Credential service for all (else pulled from did, nevertheless done)
+tx.iam.iatp.credentialservice.url=http://edr-service:80
+# don't use https during did resolving
+edc.iam.did.web.use.https=false
+# old MIW config, can be ignored TODO remove
 tx.ssi.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 tx.ssi.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID}
 tx.ssi.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS}
@@ -30,10 +46,12 @@ edc.transfer.proxy.endpoint=http://supplier-data-plane:9285/api/public/
 edc.transfer.proxy.token.signer.privatekey.alias=${SUPPLIER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${SUPPLIER_PUBLIC_KEY_ALIAS}
 # Data-Plane selector configuration
-edc.dataplane.selector.edchttp.url=http://supplier-data-plane:9299/control/transfer
+edc.dataplane.selector.edchttp.url=http://supplier-data-plane:9283/api/signaling/v1/dataflows
+# HttpData-PULL,HttpData-PUSH,AmazonS3-PUSH,AzureStorage-PUSH
+edc.dataplane.selector.edchttp.transfertypes=HttpData-PULL,HttpData-PUSH
 edc.dataplane.selector.edchttp.sourcetypes=HttpData
 edc.dataplane.selector.edchttp.destinationtypes=HttpData,HttpProxy
-edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://supplier-data-plane:9285/api/public/"}
+edc.dataplane.selector.edchttp.properties={"publicApiUrl" : "http://supplier-data-plane:9285/api/public"}
 # puris backend receiver for dynamic Endpoint Data References
 edc.receiver.http.dynamic.endpoint=http://supplier-backend:8082/catena/edrendpoint
 edc.receiver.http.dynamic.auth-key=X-API-KEY
diff --git a/local/tractus-x-edc/config/supplier/data-plane.properties b/local/tractus-x-edc/config/supplier/data-plane.properties
index d2c4669b..be8e2da2 100644
--- a/local/tractus-x-edc/config/supplier/data-plane.properties
+++ b/local/tractus-x-edc/config/supplier/data-plane.properties
@@ -4,29 +4,54 @@ web.http.path=/api # Public web.http.public.port=9285 web.http.public.path=/api/public -# Control -web.http.control.port=9299 -web.http.control.path=/control - -# new in 0.3.3 - why do we need the management in a data plane? +# new in 0.7.0 data plane signalling, replaced control +web.http.signaling.port=9283 +web.http.signaling.path=/api/signaling +# new in 0.3.3 - why do we need the management in a data plane? TODO removed? web.http.management.port=9293 web.http.management.path=/api/v1/data - # Validation endpoint of controlplane edc.dataplane.token.validation.endpoint=http://supplier-control-plane:9183/api/controlplane/control/token - # EDC hostname edc.hostname=supplier-data-plane - # HashiCorp vault related configuration edc.vault.hashicorp.url=http://vault:8200 # set via docker-compose .env edc.vault.hashicorp.health.check.enabled=false -edc.vault.hashicorp.token= ${VAULT_DEV_ROOT_TOKEN_ID} - -#edc.datasource.edr.name=edr -#edc.datasource.edr.url=jdbc:postgresql://postgres:5432/edc_customer_edrs -# edc.datasource.edr.user and edc.datasource.edr.password are set via .env +edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID} +# EDR extensions +edc.datasource.edr.name=edr +edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +#edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false -#edc.datasource.edr.user=${PG_USER} -#edc.datasource.edr.password=${PG_PW} +edc.datasource.edr.user=${PG_USER} +edc.datasource.edr.password=${PG_PW} +# see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/data-plane-store-sql +edc.datasource.dataplane.name=edr +edc.datasource.dataplane.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.dataplane.user=${PG_USER} +edc.datasource.dataplane.password=${PG_PW} +# extension 
https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/accesstokendata-store-sql +edc.datasource.accesstokendata.name=edr +edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.accesstokendata.user=${PG_USER} +edc.datasource.accesstokendata.password=${PG_PW} +# token refresh +edc.dataplane.token.expiry=300 +edc.dataplane.token.expiry.tolerance=10 +# optional endpoint +#edc.dataplane.token.refresh.endpoint= +edc.transfer.proxy.token.signer.privatekey.alias=${SUPPLIER_PRIVATE_KEY_ALIAS} +edc.transfer.proxy.token.verifier.publickey.alias=${SUPPLIER_PUBLIC_KEY_ALIAS} +# IATP +edc.iam.issuer.id=did:web:edr-service/supplier +edc.participant.id=BPNL1234567890ZZ +edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token +edc.iam.sts.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID} +edc.iam.sts.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS} +edc.iam.sts.dim.url=http://edr-service:80/sts +edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer +# configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50 +tx.iam.credentialservice.url=http://edr-service:80 +# don't use https during did resolving in catalog request +edc.iam.did.web.use.https=false From 652e8761110edced2263dde1259d853a030340cf Mon Sep 17 00:00:00 2001 
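Review bot: All three JDBC URLs in the supplier data-plane point at `postgres-customer:5432/edc_supplier`, and the edc-supplier-data-plane compose hunk earlier in this commit waits on `postgres-customer` as well, while the `postgres-supplier` service in the compose file is still commented out; this only works if the single local postgres instance is provisioned with both the `edc_customer` and `edc_supplier` databases, which cannot be confirmed from this hunk. If that is the intent, say so next to the first URL, e.g. `# single local postgres hosts both edc_customer and edc_supplier`, so the host name is not "corrected" later; if not, these should target a supplier instance, since as written both connectors open their stores with the same `${PG_USER}`/`${PG_PW}` pair on one server. The line `# new in 0.3.3 - why do we need the management in a data plane? TODO removed?` is a question left in config; either drop `web.http.management.port=9293` and its path or replace the comment with the reason the management API stays enabled on the data plane.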
From: --show-origin Date: Mon, 29 Apr 2024 09:08:31 -0700 Subject: [PATCH 04/19] refactor(local): cleanup bdrs and so on --- local/MIGRATION_NOTES.md | 13 +++++++------ local/bdrs/application.properties | 6 ++---- local/docker-compose-infrastructure.yaml | 4 ++++ local/seed-bdrs.sh | 13 +++++++++---- .../config/customer/control-plane.properties | 8 ++++---- .../config/customer/data-plane.properties | 8 ++++---- .../config/supplier/control-plane.properties | 8 ++++---- .../config/supplier/data-plane.properties | 8 ++++---- 8 files changed, 38 insertions(+), 30 deletions(-) diff --git a/local/MIGRATION_NOTES.md b/local/MIGRATION_NOTES.md index 4e0559bb..50efb47e 100644 --- a/local/MIGRATION_NOTES.md +++ b/local/MIGRATION_NOTES.md @@ -1,4 +1,4 @@ -# Policy Definition +# Policy Definition -> still in alignment Old @@ -124,7 +124,7 @@ edr callback payload "transferProcessId": "07231854-112b-45bb-957b-4fb01dc2718f", "callbackAddresses": [ { - "uri": "http://edr-service:80/edr-log", + "uri": "http://mock-util-service:80/edr-log", "events": [ "transfer.process.started" ], @@ -143,7 +143,7 @@ edr callback payload "asset_id": "ASSET_1", "https://w3id.org/edc/v0.0.1/ns/endpointType": "https://w3id.org/idsa/v4.1/HTTP", "https://w3id.org/tractusx/auth/refreshEndpoint": "http://customer-data-plane:8285/api/public", - "https://w3id.org/tractusx/auth/audience": "did:web:edr-service/supplier", + "https://w3id.org/tractusx/auth/audience": "did:web:mock-util-service/supplier", "agreement_id": "54dd6fe4-7a4e-4de6-b7b8-2f131fc99f79", "flow_type": "PULL", "https://w3id.org/edc/v0.0.1/ns/type": "https://w3id.org/idsa/v4.1/HTTP", 
@@ -151,7 +151,7 @@ edr callback payload "https://w3id.org/tractusx/auth/refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", "https://w3id.org/tractusx/auth/expiresIn": "300", "https://w3id.org/edc/v0.0.1/ns/authorization": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", - "https://w3id.org/tractusx/auth/refreshAudience": "did:web:edr-service/supplier" + "https://w3id.org/tractusx/auth/refreshAudience": "did:web:mock-util-service/supplier" } } }, 
@@ -161,20 +161,21 @@ edr callback payload Get against EDR API after Transfer Process: `{{SUPPLIER_EDC}}/{{MANAGEMENT_PATH}}/v2/transferprocesses/{{TRANSFER_PROCESS_ID}}` +Will be loaded lazily ```json { "@type": "DataAddress", "endpointType": "https://w3id.org/idsa/v4.1/HTTP", "tx-auth:refreshEndpoint": "http://customer-data-plane:8285/api/public", - "tx-auth:audience": "did:web:edr-service/supplier", + "tx-auth:audience": "did:web:mock-util-service/supplier", "type": "https://w3id.org/idsa/v4.1/HTTP", "endpoint": "http://customer-data-plane:8285/api/public", "tx-auth:refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", "tx-auth:expiresIn": "300", // use Header Authorization "authorization": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", - "tx-auth:refreshAudience": "did:web:edr-service/supplier", + "tx-auth:refreshAudience": "did:web:mock-util-service/supplier", "@context": { "@vocab": "https://w3id.org/edc/v0.0.1/ns/", "edc": 
"https://w3id.org/edc/v0.0.1/ns/", diff --git a/local/bdrs/application.properties b/local/bdrs/application.properties index 69fb9587..917fae8b 100644 --- a/local/bdrs/application.properties +++ b/local/bdrs/application.properties @@ -1,11 +1,9 @@ -edc.api.auth.key=password -web.http.port=8580 -web.http.path=/api +edc.api.auth.key=${EDC_API_PW} web.http.management.port=8581 web.http.management.path=/api/management web.http.directory.port=8582 web.http.directory.path=/api/directory # looking up DIDs should not use https edc.iam.did.web.use.https=false -edc.iam.trusted-issuer.issuer.id=did:web:edr-service/trusted-issuer +edc.iam.trusted-issuer.issuer.id=did:web:mock-util-service/trusted-issuer _level=DEBUG diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 77c94a48..6211b6a3 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml @@ -87,12 +87,16 @@ services: container_name: bdrs env_file: - ./bdrs/application.properties + environment: + WEB_HTTP_PORT: 8580 + WEB_HTTP_PATH: /api ports: - "127.0.0.1:8580:8580" - "127.0.0.1:8581:8581" - "127.0.0.1:8582:8582" networks: - miw-net + # TODO check cacerts need in deployment.yaml networks: miw-net: name: miw-net diff --git a/local/seed-bdrs.sh b/local/seed-bdrs.sh index 2f235915..947027ca 100644 --- a/local/seed-bdrs.sh +++ b/local/seed-bdrs.sh 
@@ -20,13 +20,18 @@ #!/bin/bash -KEY=password +KEY= -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL4444444444XX", "did": "did:web:edr-service/customer" }' http://localhost:8581/api/management/bpn-directory | jq +if [ -z "$KEY" ]; then + echo "KEY is not set. Please specify the key (see bdrs docker compose definition). Exiting..." + exit 1 +fi + +curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL4444444444XX", "did": "did:web:mock-util-service/customer" }' http://localhost:8581/api/management/bpn-directory | jq echo "" -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL1234567890ZZ", "did": "did:web:edr-service/supplier" }' http://localhost:8581/api/management/bpn-directory | jq +curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL1234567890ZZ", "did": "did:web:mock-util-service/supplier" }' http://localhost:8581/api/management/bpn-directory | jq echo "" -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL000000000000", "did": "did:web:edr-service/trusted-issuer" }' http://localhost:8581/api/management/bpn-directory | jq +curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL000000000000", "did": "did:web:mock-util-service/trusted-issuer" }' http://localhost:8581/api/management/bpn-directory | jq echo "" diff --git a/local/tractus-x-edc/config/customer/control-plane.properties b/local/tractus-x-edc/config/customer/control-plane.properties index e765e72c..d18f1c5d 100644 --- a/local/tractus-x-edc/config/customer/control-plane.properties +++ b/local/tractus-x-edc/config/customer/control-plane.properties 
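Review bot: `KEY=` now asks the operator to paste the bdrs management key into this tracked script, which is how a secret ends up in git history; take it from the environment instead, `KEY="${KEY:-}"`, so the `if [ -z "$KEY" ]` guard still fires and the value is passed on the command line or from the `.env` the setup already generates, never written into the file. The error message can then name the variable rather than pointing at the compose definition. The three `curl -X POST ... | jq` pipelines also mask failures: curl exits 0 on a 401 caused by a wrong key and the pipeline's status is jq's, so a rejected seed prints an error body that looks like success; adding `-f` (`--fail`) to each curl call makes the rejection visible, and since the shebang is bash, `set -eo pipefail` at the top would abort on it.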
@@ -18,15 +18,15 @@ edc.hostname=customer-control-plane
 tx.iam.iatp.bdrs.server.url=http://bdrs:8582/api/directory
 tx.iam.iatp.bdrs.validity=600
 # iatp / dim
-edc.iam.issuer.id=did:web:edr-service/customer
+edc.iam.issuer.id=did:web:mock-util-service/customer
 # locally we don't actually care, because our dim service will accept all
 edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 edc.iam.sts.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
 edc.iam.sts.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
-edc.iam.sts.dim.url=http://edr-service:80/sts
-edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+edc.iam.sts.dim.url=http://mock-util-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:mock-util-service/trusted-issuer
 # configure one Credential service for all (else pulled from did, nevertheless done)
-tx.iam.iatp.credentialservice.url=http://edr-service:80
+tx.iam.iatp.credentialservice.url=http://mock-util-service:80
 # don't use https during did resolving
 edc.iam.did.web.use.https=false
 # old MIW config, can be ignored TODO remove
diff --git a/local/tractus-x-edc/config/customer/data-plane.properties b/local/tractus-x-edc/config/customer/data-plane.properties
index 4e872eac..b47b059c 100644
--- a/local/tractus-x-edc/config/customer/data-plane.properties
+++ b/local/tractus-x-edc/config/customer/data-plane.properties
@@ -43,14 +43,14 @@ edc.dataplane.token.expiry.tolerance=10
 edc.transfer.proxy.token.signer.privatekey.alias=${CUSTOMER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${CUSTOMER_PUBLIC_KEY_ALIAS}
 # IATP
-edc.iam.issuer.id=did:web:edr-service/customer
+edc.iam.issuer.id=did:web:mock-util-service/customer
 edc.participant.id=BPNL4444444444XX
 edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 edc.iam.sts.oauth.client.id=${CUSTOMER_OAUTH_CLIENT_ID}
 edc.iam.sts.oauth.client.secret.alias=${CUSTOMER_OAUTH_SECRET_ALIAS}
-edc.iam.sts.dim.url=http://edr-service:80/sts
-edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+edc.iam.sts.dim.url=http://mock-util-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:mock-util-service/trusted-issuer
 # configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50
-tx.iam.credentialservice.url=http://edr-service:80
+tx.iam.credentialservice.url=http://mock-util-service:80
 # don't use https during did resolving in catalog request
 edc.iam.did.web.use.https=false
diff --git a/local/tractus-x-edc/config/supplier/control-plane.properties b/local/tractus-x-edc/config/supplier/control-plane.properties
index 116f7ede..6668ff10 100644
--- a/local/tractus-x-edc/config/supplier/control-plane.properties
+++ b/local/tractus-x-edc/config/supplier/control-plane.properties
@@ -19,15 +19,15 @@ edc.hostname=supplier-control-plane
 tx.iam.iatp.bdrs.server.url=http://bdrs:8582/api/directory
 tx.iam.iatp.bdrs.validity=600
 # iatp / dim
-edc.iam.issuer.id=did:web:edr-service/supplier
+edc.iam.issuer.id=did:web:mock-util-service/supplier
 # locally we don't actually care, because our dim service will accept all
 edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 edc.iam.sts.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID}
 edc.iam.sts.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS}
-edc.iam.sts.dim.url=http://edr-service:80/sts
-edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+edc.iam.sts.dim.url=http://mock-util-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:mock-util-service/trusted-issuer
 # configure one Credential service for all (else pulled from did, nevertheless done)
-tx.iam.iatp.credentialservice.url=http://edr-service:80
+tx.iam.iatp.credentialservice.url=http://mock-util-service:80
 # don't use https during did resolving
 edc.iam.did.web.use.https=false
 # old MIW config, can be ignored TODO remove
diff --git a/local/tractus-x-edc/config/supplier/data-plane.properties b/local/tractus-x-edc/config/supplier/data-plane.properties
index be8e2da2..1c89ce23 100644
--- a/local/tractus-x-edc/config/supplier/data-plane.properties
+++ b/local/tractus-x-edc/config/supplier/data-plane.properties
@@ -44,14 +44,14 @@ edc.dataplane.token.expiry.tolerance=10
 edc.transfer.proxy.token.signer.privatekey.alias=${SUPPLIER_PRIVATE_KEY_ALIAS}
 edc.transfer.proxy.token.verifier.publickey.alias=${SUPPLIER_PUBLIC_KEY_ALIAS}
 # IATP
-edc.iam.issuer.id=did:web:edr-service/supplier
+edc.iam.issuer.id=did:web:mock-util-service/supplier
 edc.participant.id=BPNL1234567890ZZ
 edc.iam.sts.oauth.token.url=http://keycloak:8080/realms/miw_test/protocol/openid-connect/token
 edc.iam.sts.oauth.client.id=${SUPPLIER_OAUTH_CLIENT_ID}
 edc.iam.sts.oauth.client.secret.alias=${SUPPLIER_OAUTH_SECRET_ALIAS}
-edc.iam.sts.dim.url=http://edr-service:80/sts
-edc.iam.trusted-issuer.portal.id=did:web:edr-service/trusted-issuer
+edc.iam.sts.dim.url=http://mock-util-service:80/sts
+edc.iam.trusted-issuer.portal.id=did:web:mock-util-service/trusted-issuer
 # configure one Credential service for all (else pulled from did): https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientExtension.java#L50
-tx.iam.credentialservice.url=http://edr-service:80
+tx.iam.credentialservice.url=http://mock-util-service:80
 # don't use https during did resolving in catalog request
 edc.iam.did.web.use.https=false
From ed119a224e152fd190141fc1231450be864ec129 Mon Sep 17 00:00:00 2001
From: --show-origin Date: Mon, 29 Apr 2024 09:32:56 -0700 Subject: [PATCH 05/19] feat(iam-mock): added iam-mock to infrastructure --- local/INSTALL.md | 72 ++++-- local/cleanup.sh | 2 + local/docker-compose-infrastructure.yaml | 10 + local/generate-keys.sh | 5 + local/iam-mock/Dockerfile | 28 +++ local/iam-mock/README.md | 44 ++++ local/iam-mock/constants.py | 63 +++++ local/iam-mock/credential_service.py | 114 +++++++++ local/iam-mock/docs/README_VP_FLOW.md | 48 ++++ local/iam-mock/docs/credential_requests.puml | 108 +++++++++ local/iam-mock/jwtUtils.py | 73 ++++++ local/iam-mock/mock_util.py | 236 +++++++++++++++++++ local/iam-mock/requirements.txt | 36 +++ local/seed-bdrs.sh | 3 +- 14 files changed, 818 insertions(+), 24 deletions(-) create mode 100644 local/iam-mock/Dockerfile create mode 100644 local/iam-mock/README.md create mode 100644 local/iam-mock/constants.py create mode 100644 local/iam-mock/credential_service.py create mode 100644 local/iam-mock/docs/README_VP_FLOW.md create mode 100644 local/iam-mock/docs/credential_requests.puml create mode 100644 local/iam-mock/jwtUtils.py create mode 100644 local/iam-mock/mock_util.py create mode 100644 local/iam-mock/requirements.txt diff --git a/local/INSTALL.md b/local/INSTALL.md index 4228351e..e12cd6e1 100644 --- a/local/INSTALL.md +++ b/local/INSTALL.md 
@@ -2,28 +2,34 @@ ## Additional information for Windows users -If you want to use the local setup on a Windows machine, it seems advisable to use the Windows subsystem for Linux (WSL). -An installation guide can be found [here](https://learn.microsoft.com/en-us/windows/wsl/install). +If you want to use the local setup on a Windows machine, it seems advisable to use the Windows subsystem for Linux ( +WSL). +An installation guide can be found [here](https://learn.microsoft.com/en-us/windows/wsl/install). Also see this [additional information about using Docker in combination with WSL2](https://docs.docker.com/desktop/wsl/) ## Initial Setup -In case you had any previous installations of this project on your machine, it is advisable to remove them via the script + +In case you had any previous installations of this project on your machine, it is advisable to remove them via the +script (see below in the Notes on debugging section). -Run the following script to generate the necessary keys. It will also create an .env file in the ./local folder. -Make sure to have `openssl` and `jq` installed in your shell. openssl is pre-installed on most operating systems. jq can be +Run the following script to generate the necessary keys. It will also create an .env file in the ./local folder. +Make sure to have `openssl` and `jq` installed in your shell. openssl is pre-installed on most operating systems. jq can +be installed via the usual installation repositories, see [here](https://jqlang.github.io/jq/download/) + ```shell cd local sh generate-keys.sh ``` ## Build -If you are doing a fresh install and everytime you edited the code of the PURIS frontend or backend you have to create a -new build of docker images for the PURIS frontend/backend. 
-For creating a docker image of the frontend, navigate your shell to the frontend folder and run +If you are doing a fresh install and everytime you edited the code of the PURIS frontend or backend you have to create a +new build of docker images for the PURIS frontend/backend. + +For creating a docker image of the frontend, navigate your shell to the frontend folder and run ``` docker build -t puris-frontend:dev . 
@@ -37,50 +43,72 @@ docker build -t puris-backend:dev . Please see the INSTALL.md documents in the [frontend](../frontend/INSTALL.md) and [backend](../backend/INSTALL.md) -The default image tag is 'dev'. Remember to also adjust the tag in the docker-compose.yaml if you want to use different -tags. +The default image tag is 'dev'. Remember to also adjust the tag in the docker-compose.yaml if you want to use different +tags. ## Start -First start the infrastructure by navigating your shell to the local folder and running + +First start the infrastructure by navigating your shell to the local folder and running ```shell docker compose -f docker-compose-infrastructure.yaml up ``` -After the MIW container has finished booting, use this script (also in the local folder) to initialise two wallets for customer and supplier: + +Note: sh init-wallets.sh is temporarily not needed +After the MIW container has finished booting, use this script (also in the local folder) to initialise two wallets for +customer and supplier: + ```shell sh init-wallets.sh ``` -Then start the PURIS demonstrator containers via: + +After starting the central infrastructure, initialize the bdrs-service. To do so, in file `seed-bdrs.sh` set the key +to the value of `EDC_API_PW` from `.env` file generated earlier. + +```shell +sh seed-brds.sh +``` + +Then start the PURIS demonstrator containers via: + ```shell docker compose up ``` -Wait for the startup and visit http://localhost:3000/ for the customer's frontend or http://localhost:3001/ for the supplier side. -Whenever you have edited the source code in the frontend or backend and you want to test these changes, we recommend that you -stop all the containers, which are not part of the infrastructure, by deleting the volumes, i.e. run +Wait for the startup and visit http://localhost:3000/ for the customer's frontend or http://localhost:3001/ for the +supplier side. 
+ +Whenever you have edited the source code in the frontend or backend and you want to test these changes, we recommend +that you +stop all the containers, which are not part of the infrastructure, by deleting the volumes, i.e. run ``` docker compose down -v ``` -Then, build a new docker image for the respective component (frontend and/or backend) as described above and then restart via +Then, build a new docker image for the respective component (frontend and/or backend) as described above and then +restart via ```shell docker compose up ``` -In general, it is not necessary to restart the infrastructure, if you had to rebuild frontend or backend. -However, in rare cases there may be issues with the MIW. If this -happens, you should use the cleanup script as mentioned in the debugging section below and then repeat the above-mentioned -steps beginning with the Initial Setup section. +In general, it is not necessary to restart the infrastructure, if you had to rebuild frontend or backend. +However, in rare cases there may be issues with the MIW. If this +happens, you should use the cleanup script as mentioned in the debugging section below and then repeat the +above-mentioned +steps beginning with the Initial Setup section. ## Notes on debugging ### Vault & Certs + When having problems with the certs or the vault, one may need to delete the vault container. -The following script stops all infrastructure containers as well as the PURIS demonstrator containers: +The following script stops all infrastructure containers as well as the PURIS demonstrator containers: + ```shell cd local sh cleanup.sh ``` + Then start your containers again with the aforementioned commands. diff --git a/local/cleanup.sh b/local/cleanup.sh index c769c67d..9379d3b4 100644 --- a/local/cleanup.sh +++ b/local/cleanup.sh 
@@ -23,6 +23,8 @@ docker compose down -v docker compose -f docker-compose-infrastructure.yaml down -v docker image rm local-vault +docker image rm local-mock-util-service rm .env rm ./vault/secrets -r +rm ./iam-mock/keys -r echo "Deleted .env and vault/secrets" diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 6211b6a3..91908d4f 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml @@ -82,6 +82,16 @@ services: networks: - miw-net + mock-util-service: + build: ./iam-mock + container_name: mock-util-service + ports: + - "127.0.0.1:8888:80" + networks: + - miw-net + extra_hosts: + - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine + bdrs: image: tractusx/bdrs-server-memory:0.0.4 container_name: bdrs diff --git a/local/generate-keys.sh b/local/generate-keys.sh index 61c742f1..a3da0384 100644 --- a/local/generate-keys.sh +++ b/local/generate-keys.sh @@ -24,6 +24,7 @@ # create folders, if not existing mkdir -p ./vault/secrets +mkdir -p ./iam-mock/keys # generate .env echo "Creating .env" @@ -89,5 +90,9 @@ rm ./miw/keycloak-setup-temp.json SUPPLIER_CERT_SHA="$(openssl x509 -in "$SUPPLIER_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" +echo "Creating key pair for mock iam" +openssl ecparam -name prime256v1 -genkey -out ./iam-mock/keys/private_key.pem +openssl ec -in ./iam-mock/keys/private_key.pem -pubout -out ./iam-mock/keys/public_key.pem + # let everyone access the files so that the non-root user in vault container can put them chmod -R 755 ./vault/secrets diff --git a/local/iam-mock/Dockerfile b/local/iam-mock/Dockerfile new file mode 100644 index 00000000..1747cd04 --- /dev/null +++ b/local/iam-mock/Dockerfile 
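Review bot: The new `openssl ecparam`/`openssl ec` lines write `./iam-mock/keys/private_key.pem` with whatever mode the caller's umask yields, whereas the script deliberately fixes permissions on `./vault/secrets` a few lines below; a `chmod 600 ./iam-mock/keys/private_key.pem` after the `openssl ec` line keeps the signing key owner-only on the host (the container side then needs `COPY --chown`, because the Dockerfile in this patch copies the directory into the image). The first hunk of this file adds `mkdir -p ./iam-mock/keys`; I could not see from the diff whether that directory is git-ignored, which is worth confirming since cleanup.sh treats it as generated state. A comment above the two openssl lines, `# ES256 key pair used by the IAM mock to sign JWTs; private key must not be committed`, would make the purpose of the files clear to the next reader.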
@@ -0,0 +1,28 @@ +# +# Copyright (c) 2024 Volkswagen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# +FROM python:3.10 + +WORKDIR /code +COPY ./requirements.txt /code/requirements.txt +RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt +COPY ./ /code +COPY ./keys /code/keys + +CMD ["uvicorn", "mock_util:app", "--host", "0.0.0.0", "--port", "80"] diff --git a/local/iam-mock/README.md b/local/iam-mock/README.md new file mode 100644 index 00000000..b820b9bc --- /dev/null +++ b/local/iam-mock/README.md 
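Review bot: `COPY ./ /code` already copies the `keys` directory into the image, so the following `COPY ./keys /code/keys` is redundant, and either way the ES256 private signing key ends up in an image layer; for a local mock that is tolerable, but the image must then never be pushed, and a bind mount of `./iam-mock/keys` to `/code/keys` in the compose service (dropping the key COPY) would avoid baking it in. No `.dockerignore` is visible in this patch, so `COPY ./ /code` also pulls in everything else under `local/iam-mock/`, e.g. `docs/` and `README.md`. A one-line comment above the copy, `# keys/ is generated by local/generate-keys.sh and contains the private signing key`, would make that dependency explicit.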
@@ -0,0 +1,44 @@ +This small project uses fast api to provide basic iam local deployment. + +`mock_util.py` -> provides cx util capabilities + +- /edr-log: log just the edr token for manual checks +- /sts: secure token service +- /presentations/query: credential service just returning VPs for the scopes in question +- /{did-name}: returns a valid DID pointing to the /sts endpoint for credential service + +The mock_util only is able to mock the MembershipCredential and the FrameworkAgreements in version 1.0 +NO DISMANTLER SUPPORT + +# Add to docker compose + +Pre-requisite: Create keys so that jwt tokens can be signed + +```sh +mkdir keys +cd keys +openssl ecparam -name prime256v1 -genkey -out private_key.pem +openssl ec -in private_key.pem -pubout -out public_key.pem +``` + +```shell +docker build -t mock-util-py . +``` + +Then start docker compose + +```shell +docker compose up +``` + +Following services are now reachable: + +| Service | address | reachable where | +|-------------------|-------------------------------------------------|--------------------------| +| mock-util-service | http://mock-util-service:80/edr-log | docker compose (miw net) | +| mock-util-service | http://mock-util-service:80/sts | docker compose (miw net) | +| mock-util-service | http://mock-util-service:80/presentations/query | docker compose (miw net) | +| mock-util-service | http://mock-util-service:80/{did-name} | docker compose (miw net) | +| mock-util-service | localhost:8888/* | host machine | + +Use the service to either simulate the central IAM or just to got some logging api diff --git a/local/iam-mock/constants.py b/local/iam-mock/constants.py new file mode 100644 index 00000000..f23bda96 --- /dev/null +++ b/local/iam-mock/constants.py 
@@ -0,0 +1,63 @@ +# +# Copyright (c) 2024 Volkswagen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +from pathlib import Path + +""" +Read key information +""" +def read_file(path: Path): + with path.open() as file: + file_content = file.read() + return file_content + + +# openssl ecparam -name prime256v1 -genkey -out private_key.pem +# openssl ec -in private_key.pem -pubout -out public_key.pem +ES256_PRIVATE_KEY = read_file(Path("keys/private_key.pem")) +ES256_PUBLIC_KEY = read_file(Path("keys/public_key.pem")) + +DID_CUSTOMER = "did:web:mock-util-service/customer" +DID_SUPPLIER = "did:web:mock-util-service/supplier" +DID_TRUSTED_ISSUER = "did:web:mock-util-service/trusted-issuer" + +DID_DICT = { + DID_TRUSTED_ISSUER: { + "bpnl": "NONE", + "did_resolve_name": "trusted-issuer", + }, + DID_SUPPLIER: { + "bpnl": "BPNL1234567890ZZ", + "did_resolve_name": "supplier", + }, + DID_CUSTOMER: { + "bpnl": "BPNL4444444444XX", + "did_resolve_name": "customer", + } +} + +""" +lookup bpnl by did +""" +def get_did_for_bpnl(did_resolve_name: str): + for key, value in DID_DICT.items(): + if value["did_resolve_name"] == did_resolve_name: + return key + return None diff --git a/local/iam-mock/credential_service.py b/local/iam-mock/credential_service.py new file mode 100644 index 00000000..041f49fd 
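Review bot: The triple-quoted strings above `def read_file` and `def get_did_for_bpnl` are bare expression statements, not docstrings — Python attaches a docstring only when it is the first statement inside the body — so they should move below the `def` lines. `get_did_for_bpnl` does not look up a BPNL by DID as its name and comment say: it iterates `DID_DICT` and returns the DID key whose `did_resolve_name` equals the argument, or None; a docstring such as `"""Return the DID whose did_resolve_name matches, or None if unknown."""` (and ideally a rename like `get_did_for_resolve_name`) would match the code, and callers must handle the None. `read_file(Path("keys/private_key.pem"))` resolves relative to the process CWD at import time, which works with the Dockerfile's `WORKDIR /code` but breaks when the module is imported from elsewhere; `Path(__file__).parent / "keys" / "private_key.pem"` removes that dependency.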
--- /dev/null +++ b/local/iam-mock/credential_service.py 
@@ -0,0 +1,114 @@ +# +# Copyright (c) 2024 Volkswagen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +from jwtUtils import create_token_from_payload, decode_token, create_jwt_from_claims +from constants import DID_TRUSTED_ISSUER, get_did_for_bpnl, DID_DICT + + +""" +embeds a VC in a JWT for the given information (mainly scope = vc) + +Differentiates self-IATP and vc for external partner +""" +def create_jwt_vc(did_issuer: str, did_subject: str, did_audience: str, bpnl_subject: str, scope: str): + + self_iatp_flag = did_subject == did_audience + payload = { + "iss": did_issuer, + "sub": did_issuer, # TODO: why no subject? + "aud": did_audience, #TODO: audience needed? 
Seems like not as this credential is pulled on behalf of the subject / RP + "nbf": 1541493724, + "iat": 1541493724, + "exp": 32481718133, + "vc": create_verifiable_credential(did_issuer=did_issuer, did_subject=did_subject, bpnl_subject=bpnl_subject, scope=scope, self_iatp_flag=self_iatp_flag), + } + + return create_token_from_payload(payload, did_issuer) + + +""" +creates a plain VC (no jwt) for a given scope + +For self-IATP case the subject will be the issuer / id of the credentialSubject +""" +def create_verifiable_credential(did_issuer: str, did_subject: str, bpnl_subject: str, scope: str, self_iatp_flag: bool): + credential_subject_did = did_subject if self_iatp_flag else did_issuer + + needs_version = False if scope.startswith("Membership") else True + + print(f"Create VC for scope {scope}") + vc = { + "@context": [ + "https://www.w3.org/2018/credentials/v1", + "https://w3id.org/security/suites/jws-2020/v1", + "https://w3id.org/catenax/credentials", + "https://w3id.org/vc/status-list/2021/v1" + ], + "id": "some-identifier", + "issuer": did_issuer, + "issuanceDate": "2021-06-16T18:56:59Z", + # "expirationDate": "2199-12-31T23:59:59Z", #seems to be only set if checked + "type": [ + "VerifiableCredential", + scope + ], + "credentialSubject": { + "id": credential_subject_did, + "holderIdentifier": bpnl_subject + }, + } + + if needs_version: + vc["credentialSubject"]["contractVersion"] = "1.0" + return vc + + +""" +creates a vp with n vcs where n = amount of scopes + +Note: only MembershipCredential and FrameworkAgreements in version 1.0 are supported +""" +def create_verifiable_presentation(did_subject: str, did_issuer: str, did_audience: str, scopes: [str] = ["MembershipCredential"]): + + bpnl = DID_DICT[did_subject]["bpnl"] + # Create a VC per scope + vcs = [create_jwt_vc(DID_TRUSTED_ISSUER, did_subject, did_audience, bpnl, scope) for scope in scopes] + + claims = { + "iss": did_issuer, + "sub": did_subject, + "aud": did_audience, # todo check + "nbf": 
1541493724, + "iat": 1541493724, + "exp": 32481718133, + "vp": { + "@context": [ + "https://www.w3.org/2018/credentials/v1", + "https://www.w3.org/2018/credentials/examples/v1" + ], + "type": [ + "VerifiablePresentation", + "CredentialManagerPresentation" + ], + "verifiableCredential": vcs + } + } + + return create_token_from_payload(claims, did_issuer) diff --git a/local/iam-mock/docs/README_VP_FLOW.md b/local/iam-mock/docs/README_VP_FLOW.md new file mode 100644 index 00000000..a85cda63 --- /dev/null +++ b/local/iam-mock/docs/README_VP_FLOW.md 
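Review bot: In `create_verifiable_presentation`, `scopes: [str] = ["MembershipCredential"]` uses a list literal as the annotation (it should be `list[str]`) together with a mutable default; `scopes: list[str] | None = None` with `scopes = scopes or ["MembershipCredential"]` in the body is the usual form. `DID_DICT[did_subject]` raises KeyError when the `sub` of the requesting token is not one of the three configured DIDs, which the `/presentations/query` handler surfaces as an unhandled 500; a `DID_DICT.get(did_subject)` check with an explicit error would make the failure mode clear. `decode_token`, `create_jwt_from_claims` and `get_did_for_bpnl` are imported but unused in this file. The TODOs on `sub`/`aud` in `create_jwt_vc` would be more useful as a short module comment stating that the issuer is used as `sub` on purpose because the VC is fetched on behalf of the holder, as the inline comment already hints.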
@@ -0,0 +1,48 @@ +Basically, there are two types of IATP flows used by the connector in Catena-X Data Spaces: +- Self IATP (e.g. get MembershipCredential for BDRS) +- IATP (e.g. used for catalog request, see simplified in `./credential_requests.puml`) + +See [README.md](../README.md) for the different capabilities + +This document mainly gives some learnings regarding the [Tractus-X Verifiable Presentation flow](https://github.com/eclipse-tractusx/identity-trust/blob/main/specifications/verifiable.presentation.protocol.md) + +# Resolving DIDs + +Triggered via `bdrs` client of a party when `catalog` call is invoked to +- identify DID for Partner in Access Policy +- identify DID for Partner for Contract Policies (e.g. Membership) + +Additionally, DIDs may be resolved +- verify identities during data space protocol communication. +- to determine the Credential Service Endpoint who is responsible for a partner + +# Self-issued token +A participant may create a self-issued token that can be used to request VPs at the credential service. +The token follows this spec https://datatracker.ietf.org/doc/html/rfc9068 + +The relying party verifies the token https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#section-11.1 +The relying party may query additional information from the cs using token +- get did via `sub` claim +- resolve did +- extract `CredentialService` from `service` from did +- query for presentation + +Note: If a `bearer_access_scope` is given, this is added as a `token` claim so that a relying party can authenticate on +behalf of the holder at the credential service to get the VP for scopes in question. 
+ +See more details for STS flow in https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#section-1.1 + +# Credential Service calls + +This is the real wallet allowing to store issued credentials and create verifiable presentations to proof the ownership +of a verifiable credential + +## Issue credential / Store credential + +Ignored in Mock. We always do a pass all. Normally some trusted issuer would hand over the credentials into a wallet. + +## Query for presentation + +In Tractus-X Data Spaces with DIM (what this service mocks) the query is done on behalf of the holder. + +One needs an access token for that an the relying party may get a vp as previously granted via the STS. diff --git a/local/iam-mock/docs/credential_requests.puml b/local/iam-mock/docs/credential_requests.puml new file mode 100644 index 00000000..b10a8efd --- /dev/null +++ b/local/iam-mock/docs/credential_requests.puml 
@@ -0,0 +1,108 @@ +@startuml +autonumber +skinparam sequenceMessageAlign center + +box "Data Consumer" +participant "Connector" as con_cons +end box + +box "De-/Central Services" +participant "BDRS" as bdrs +participant "Secure Token Service" as sts +participant "Credential Service" as cs +end box + +box "Data Provider" +participant "Connector" as con_prov +end box + +note over con_cons, cs +Issue credentials using "CredentialMessage" via POST /credentials +in a CredentialContainer +{ + "@context": [ + "https://w3id.org/tractusx-trust/v0.8" + ], + "@type": "CredentialMessage", + "credentials": [ + { + "@type": "CredentialContainer", + "payload": "" + } + ] +} +end note +-> cs: issue credentials for consumer and provider +-> con_cons: query catalog of supplier +note right +Catalog of provider has offer with restriction: +- access policy BPNL +- access policy Membership + +Note: I think it's only provider +end note + +con_cons -> bdrs: resolve DID for provider BPNL +activate bdrs +return DID + +con_cons -> sts: grant access to self-signed VP +activate sts +return self-signed token with access token (for cs) +note over con_cons, sts +self-issued token contains: +- iss, sub = consumer DID (bearer owner) +- aud = provider DID (relying party) +- token_id = id to map the sign_token request later +- token = bearer token providing access to + the VP via the credential service +end note + +con_cons -> con_prov: hand over SI token and request +activate con_prov + +con_prov -> sts: SIGN TOKEN REQUEST +activate sts +return jwt (no real content) +note over con_prov, sts +self-issued token contains: +- iss = trusted issuer +- sub = consumer DID (bearer owner) +- aud = provider DID (relying party) +end note + +note left: likely here the DID is resolved \nand the did's credential service is used + +con_prov -> cs: Query VP with access token +activate cs +note over con_prov, cs +Query a VP for a scope containing VCs via POST /presentation/query +{ + "@context": [ + 
"https://w3id.org/tractusx-trust/v0.8", + "https://identity.foundation/presentation-exchange/submission/v1" + ], + "@type": "PresentationQueryMessage", + "scope": [] +} +end note +return VP with requested scopes +note over con_prov, cs +Returns a "PresentationResponseMessage" containing a VP +including the requested VCs +{ + "@context": [ + "https://w3id.org/tractusx-trust/v0.8" + ], + "@type": "PresentationResponseMessage", + "presentation": ["dsJdh...UMetV"] +} +the presentation may contain multiple VC +end note + +con_prov -> con_prov: evaluate presentation (includes resolving \nissuer did resolving to check signature) + +con_prov --> con_cons: return catalog +deactivate con_prov + +@enduml diff --git a/local/iam-mock/jwtUtils.py b/local/iam-mock/jwtUtils.py new file mode 100644 index 00000000..995ec7de --- /dev/null +++ b/local/iam-mock/jwtUtils.py 
@@ -0,0 +1,73 @@ +# +# Copyright (c) 2024 Volkswagen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +import jwt +from constants import ES256_PRIVATE_KEY + + +""" +creates a jwt adding time information (nbf, iat, exp) to jwt + +claims: expects participant information (iss, aud, sub) to be present +issuer: to sign the jwt +scope: scope needed that will be added to the claims as "scope" and embeds the payload as jwt in "token" +""" +def create_jwt_from_claims(claims: dict, issuer: str, scope: str = None) -> dict: + + base_claims = { + "nbf": 1541493724, + "iat": 1541493724, + "exp": 32481718133, + } + claims.update(base_claims) + + if scope: + claims["scope"] = scope + claims["token"] = create_token_from_payload(claims, issuer) + else: + print("No scope given for self-issued token. 
No token claim created for it.") + + print(f"Created jwt for payload {claims} signed by {issuer}") + + return create_token_from_payload(claims, issuer) + + +""" +create a jwt for the payload, signed by did_signer +""" +def create_token_from_payload(payload: str, did_signer: str): + + header = { + "alg": "ES256", + "typ": "JWT", + "kid": did_signer+"#key1" + } + + jwt_token = jwt.encode(payload, ES256_PRIVATE_KEY, algorithm='ES256', headers=header) + + return jwt_token + + +""" +decode token without signature check (NON-PRODUCTION, MOCK!) +""" +def decode_token(jwt_token: str): + # don't check signature + return jwt.decode(jwt_token, options={"verify_signature": False}) diff --git a/local/iam-mock/mock_util.py b/local/iam-mock/mock_util.py new file mode 100644 index 00000000..e81d9bd6 --- /dev/null +++ b/local/iam-mock/mock_util.py 
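Review bot: `create_jwt_from_claims` is annotated `-> dict` but returns the result of `create_token_from_payload`, i.e. the encoded JWT string from `jwt.encode`, and `create_token_from_payload(payload: str, ...)` is called everywhere with a dict; `-> str` and `payload: dict` would make the annotations truthful. The function also mutates the caller's `claims` dict in place via `claims.update(base_claims)` and, when a scope is given, embeds those same claims as the nested `token`; building a new dict (`claims = {**claims, **base_claims}`) avoids the side effect. `decode_token` disables signature verification as its comment says, and within the mock `/sts` relies on it to read `token_id` from the sign-token request, so nothing in this service checks the signatures or `kid` produced here; a sentence in the `decode_token` docstring that the mock trusts every inbound JWT by design would make that explicit for anyone reusing the helper.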
@@ -0,0 +1,236 @@ +# +# Copyright (c) 2024 Volkswagen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +import socket +from cryptography.hazmat.backends import default_backend +from fastapi import FastAPI, Request +import logging +import base64 +from cryptography.hazmat.primitives import serialization +from jwtUtils import decode_token, create_jwt_from_claims +from constants import ES256_PUBLIC_KEY, DID_TRUSTED_ISSUER, get_did_for_bpnl +from credential_service import create_verifiable_presentation +import uuid +from pathlib import Path + +cwd = Path(".") +print(cwd.cwd()) +print([path.name for path in cwd.iterdir()]) + +app = FastAPI() + +logger = logging.getLogger("fastapi") + +""" +store STS GRANT ACCESS Request JWT token for uuid. 
+ +Uuid is inserted into token as 'token_id' to use the token in SIGN TOKEN Request (remember request granted) +""" +id_token_map = {} + +@app.post("/edr-log") +async def log(request: Request): + hostname = socket.gethostbyaddr(request.client.host)[0] + print("CALLED /edr-log from ", hostname) + body = await request.json() + + # Log the data + print(body) + + return {"message": "Data logged successfully"} + + +""" +Returns self-issued credential token following the dim adjustments + +Follows more or less the DIM Dispatcher mock +see https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-tests/edc-controlplane/iatp-tests/src/test/java/org/eclipse/tractusx/edc/tests/transfer/iatp/dispatchers/DimDispatcher.java +""" +@app.post("/sts") +async def secure_token_service(request: Request): + + print("") + body = await request.json() + sign_token_flag = True if body.get("grantAccess", None) is None else False + hostname = socket.gethostbyaddr(request.client.host)[0] + print("CALLED sts /sts for ", "SIGN TOKEN REQUEST" if sign_token_flag else "GRANT ACCESS REQUEST", " from ", hostname) + + print("POST with body ", body) + print("bearer of requestor is set as auth header" if request.headers["authorization"] else "bearer of requestor is NOT set as auth header") + + # handle body similar to https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-tests/edc-controlplane/iatp-tests/src/test/java/org/eclipse/tractusx/edc/tests/transfer/iatp/dispatchers/DimDispatcher.java + grant_access = body.get("grantAccess", None) + if sign_token_flag: + sign_token = body["signToken"] + + # lookup existing token + token_id = decode_token(sign_token["token"])['token_id'] + token = id_token_map[token_id] + decoded_token = decode_token(token) + print(f"Identified matching token (decoded) {decoded_token}") + id_token_map.pop(token_id) + + claims = { + "iss": DID_TRUSTED_ISSUER, + "sub": decoded_token["sub"], + 
"aud": decoded_token["aud"] + } + print(f"Request contains issuer {claims['iss']}, subject {claims['sub']}, audience {claims['aud']}, token {token if token else '*no token*'}") + token = create_jwt_from_claims(claims, sign_token["issuer"], None) + vp = token + else: + token_id = str(uuid.uuid4()) + + claims = { + "iss": grant_access["consumerDid"], + "sub": grant_access["consumerDid"], + "aud": grant_access["providerDid"], + "token_id": token_id + } + + print(f"Request issuer {claims['iss']}, subject {claims['sub']}, audience {claims['aud']}") + print(f"Message contains bearer from {claims['iss']} oAuth Service") + scope = " ".join(grant_access["credentialTypes"]) if grant_access["credentialTypes"] is not None else None + + token = create_jwt_from_claims(claims, grant_access["consumerDid"], scope) + id_token_map[token_id] = token + vp = token + + return {"jwt": vp} + + +""" +provides the VP as soon as the connector asks for it. + +Creates a PresentationResponseMessage with a VP following this structure: +JWT enapsulating VP + vp: + { + ... 
+ verifiableCredential: [ + vc jwt for scope 1, + vc jwt for scope 2 + ] + } +} +""" +@app.post("/presentations/query") +async def query_presentation(request: Request): + + print("") + hostname = socket.gethostbyaddr(request.client.host)[0] + print("CALLED /presentations/query from ", hostname) + + # consider subject to be holder & audience + jwt_requestor = extract_jwt_from_headers(request.headers) + + body = await request.json() + print("POST with body ", body) + print("JWT for query_presentation ", jwt_requestor) + print(f"Query for issuer {jwt_requestor['iss']}, sub {jwt_requestor['sub']}, audience {jwt_requestor['aud']} with scope {jwt_requestor.get('scope', '*no value set for scope*')}") + print("Request contains header for the issuer's oauth2 system") + + cx_scopes = [scope[1] for scope in extract_scopes(body["scope"])] + print(f"Will try to Mock CX Credential Scopes {cx_scopes}") + + response = { + "@context": [ + "https://w3id.org/tractusx-trust/v0.8" + ], + "@type": "PresentationResponseMessage", + "presentation": [create_verifiable_presentation(jwt_requestor['sub'], jwt_requestor['iss'], jwt_requestor['aud'], cx_scopes)], + } + + print("Response: ", response) + + return response + + +def get_bearer_from_headers(headers: [str]): + return headers["authorization"][len("Bearer "):] + + +def extract_jwt_from_headers(headers: [str]): + return decode_token(get_bearer_from_headers(headers)) + + +""" +Returns a DID document for the specified partner + +Mock: +- all DIDs use the same key pair for signing +- Credential Service is needed as fallback +""" +@app.get("/{partner_did}/{did_path:path}") +def return_did(request: Request, partner_did: str, did_path: str): + + print("") + hostname = socket.gethostbyaddr(request.client.host)[0] + print(f"CALLED /{partner_did}/{did_path} from ", hostname) + + # get DID constant for path used + did_id = get_did_for_bpnl(partner_did) + + # put elyptic curves accordingly + public_key = 
serialization.load_pem_public_key(ES256_PUBLIC_KEY.encode(), backend=default_backend()) + public_key_numbers = public_key.public_numbers() + + x = base64.urlsafe_b64encode(public_key_numbers.x.to_bytes(32, 'big')).rstrip(b'=').decode() + y = base64.urlsafe_b64encode(public_key_numbers.y.to_bytes(32, 'big')).rstrip(b'=').decode() + + did_to_return = { + "service": [ + { + "id": did_id, + "type": "CredentialService", + "serviceEndpoint": "http://mock-util-service:80" + } + ], + "verificationMethod": [ + { + "id": did_id + "#key1", # like "did:web:nginx:bdrs-client#key-1" + "type": "JsonWebKey2020", + "controller": did_id, + "publicKeyJwk": { + "kty": "EC", + "crv": "P-256", + "kid": did_id + "#key1", # like "did:web:nginx:bdrs-client#key-1" + "x": x, + "y": y + } + } + ], + "authentication": [], + "id": "http://tx-test.com/7bffc00d-3142-4cf2-a858-57c7493577f1", + "@context": [ + "https://w3id.org/did-resolution/v1" + ] + } + + print("RETURN DID: ", did_to_return) + + return did_to_return + + +""" +returns list of tuples in format (namespace: str, credential: str, access: str) +""" +def extract_scopes(scopes: [str]): + return [tuple(scope.split(":")) for scope in scopes] diff --git a/local/iam-mock/requirements.txt b/local/iam-mock/requirements.txt new file mode 100644 index 00000000..55e34034 --- /dev/null +++ b/local/iam-mock/requirements.txt 
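Review bot: In `return_did`, `get_did_for_bpnl(partner_did)` returns None for any first path segment other than `customer`, `supplier` or `trusted-issuer`, and `did_id + "#key1"` then raises TypeError, so an unknown DID resolves to a 500 rather than a 404; guard it with `if did_id is None: raise HTTPException(status_code=404, detail="unknown DID")` (importing `HTTPException` from fastapi). In `secure_token_service`, `request.headers["authorization"]` raises KeyError when the header is absent, so the "NOT set" branch of that print can never run — `request.headers.get("authorization")` is what the message intends. Every handler also calls `socket.gethostbyaddr(request.client.host)` on the request path, which raises `socket.herror` when the peer has no reverse DNS record, and `extract_scopes` followed by `scope[1]` raises IndexError for a scope value without a `:`; both turn otherwise valid requests into 500s. The DID document's `id` is the fixed `http://tx-test.com/...` URL rather than `did_id`; per DID Core the document `id` must equal the resolved DID, which is worth verifying against what the connector's DID resolver checks.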
@@ -0,0 +1,36 @@ +annotated-types==0.6.0 +anyio==4.2.0 +certifi==2023.11.17 +cffi==1.16.0 +click==8.1.7 +cryptography==42.0.5 +dnspython==2.5.0 +email-validator==2.1.0.post1 +exceptiongroup==1.2.0 +fastapi==0.109.0 +h11==0.14.0 +httpcore==1.0.2 +httptools==0.6.1 +httpx==0.26.0 +idna==3.6 +itsdangerous==2.1.2 +Jinja2==3.1.3 +MarkupSafe==2.1.4 +orjson==3.9.12 +pycparser==2.22 +pydantic==2.5.3 +pydantic-extra-types==2.4.1 +pydantic-settings==2.1.0 +pydantic_core==2.14.6 +PyJWT==2.8.0 +python-dotenv==1.0.1 +python-multipart==0.0.6 +PyYAML==6.0.1 +sniffio==1.3.0 +starlette==0.35.1 +typing_extensions==4.9.0 +ujson==5.9.0 +uvicorn==0.27.0 +uvloop==0.19.0 +watchfiles==0.21.0 +websockets==12.0 diff --git a/local/seed-bdrs.sh b/local/seed-bdrs.sh index 947027ca..3777598d 100644 --- a/local/seed-bdrs.sh +++ b/local/seed-bdrs.sh @@ -1,3 +1,4 @@ +#!/bin/bash # # Copyright (c) 2024 Volkswagen AG # Copyright (c) 2024 Contributors to the Eclipse Foundation @@ -18,8 +19,6 @@ # SPDX-License-Identifier: Apache-2.0 # -#!/bin/bash - KEY= if [ -z "$KEY" ]; then From 0041b973c2e31f59e1c705caf158e1f7ab0c32db Mon Sep 17 00:00:00 2001 From: --show-origin Date: Mon, 29 Apr 2024 22:34:32 -0700 Subject: [PATCH 06/19] feat(iam-mock): added non-root user to dockerfile --- local/iam-mock/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/local/iam-mock/Dockerfile b/local/iam-mock/Dockerfile index 1747cd04..c3167bc1 100644 --- a/local/iam-mock/Dockerfile +++ b/local/iam-mock/Dockerfile @@ -24,5 +24,7 @@ COPY ./requirements.txt /code/requirements.txt RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt COPY ./ /code COPY ./keys /code/keys +RUN useradd -u 1000 nonroot +USER nonroot CMD ["uvicorn", "mock_util:app", "--host", "0.0.0.0", "--port", "80"] From 7ce02137f7b76eab8484f371895de91c64f88007 Mon Sep 17 00:00:00 2001 
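Review bot: `USER nonroot` is switched to only after `COPY ./keys /code/keys`, so the key files stay root-owned with whatever mode bits they had on the host, and the nonroot process can read the private keys only if they are world-readable — which is exactly what a later patch in this series does with `chmod -R 755 ./iam-mock/keys`. Creating the user first and giving it ownership at copy time avoids loosening the host files: `RUN useradd -u 1000 --no-create-home nonroot` / `COPY --chown=nonroot:nonroot ./keys /code/keys` / `USER nonroot`. The preceding `COPY ./ /code` presumably brings `keys/` into the image a second time, so that copy needs the same `--chown` or the directory should be excluded via `.dockerignore`; otherwise the root-owned duplicate remains.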
From: --show-origin Date: Mon, 29 Apr 2024 22:35:20 -0700 Subject: [PATCH 07/19] chore: updated frontend license file --- DEPENDENCIES_FRONTEND | 2 +- frontend/DEPENDENCIES | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/DEPENDENCIES_FRONTEND b/DEPENDENCIES_FRONTEND index dbc2562c..09e994b8 100644 --- a/DEPENDENCIES_FRONTEND +++ b/DEPENDENCIES_FRONTEND @@ -211,7 +211,7 @@ npm/npmjs/-/reusify/1.0.4, MIT, approved, clearlydefined npm/npmjs/-/rimraf/3.0.2, ISC, approved, clearlydefined npm/npmjs/-/rollup/4.9.5, MIT, approved, clearlydefined npm/npmjs/-/run-parallel/1.2.0, MIT, approved, clearlydefined -npm/npmjs/-/scheduler/0.23.0, MIT, approved, clearlydefined +npm/npmjs/-/scheduler/0.23.0, MIT, approved, #14589 npm/npmjs/-/semver/6.3.1, ISC, approved, clearlydefined npm/npmjs/-/semver/7.5.4, ISC, approved, clearlydefined npm/npmjs/-/shebang-command/2.0.0, MIT, approved, clearlydefined diff --git a/frontend/DEPENDENCIES b/frontend/DEPENDENCIES index dbc2562c..09e994b8 100644 --- a/frontend/DEPENDENCIES +++ b/frontend/DEPENDENCIES @@ -211,7 +211,7 @@ npm/npmjs/-/reusify/1.0.4, MIT, approved, clearlydefined npm/npmjs/-/rimraf/3.0.2, ISC, approved, clearlydefined npm/npmjs/-/rollup/4.9.5, MIT, approved, clearlydefined npm/npmjs/-/run-parallel/1.2.0, MIT, approved, clearlydefined -npm/npmjs/-/scheduler/0.23.0, MIT, approved, clearlydefined +npm/npmjs/-/scheduler/0.23.0, MIT, approved, #14589 npm/npmjs/-/semver/6.3.1, ISC, approved, clearlydefined npm/npmjs/-/semver/7.5.4, ISC, approved, clearlydefined npm/npmjs/-/shebang-command/2.0.0, MIT, approved, clearlydefined From 85b3a3a96799d0bb0dd9d0f245a79bb27c8176de Mon Sep 17 00:00:00 2001 
From: --show-origin Date: Mon, 29 Apr 2024 23:22:26 -0700 Subject: [PATCH 08/19] refactor(local): made dtr and edc of customer / supplier share one db instance --- local/docker-compose-edc.yaml | 38 ++-------- local/docker-compose.yaml | 75 +++++++------------ local/postgres/init-db.sql | 12 +-- .../config/customer/control-plane.properties | 16 ++-- .../config/customer/data-plane.properties | 6 +- .../config/supplier/control-plane.properties | 16 ++-- .../config/supplier/data-plane.properties | 6 +- 7 files changed, 63 insertions(+), 106 deletions(-) diff --git a/local/docker-compose-edc.yaml b/local/docker-compose-edc.yaml index 1a2ef87d..348a074e 100644 --- a/local/docker-compose-edc.yaml +++ b/local/docker-compose-edc.yaml @@ -21,9 +21,9 @@ version: "3" services: - postgres-customer: + postgres-all: image: postgres:15.4-alpine - container_name: customer-postgres + container_name: postgres-all environment: POSTGRES_DB: edc POSTGRES_USER: ${PG_USER} @@ -49,7 +49,7 @@ services: edc-customer-control-plane: depends_on: - postgres-customer: + postgres-all: condition: service_healthy # restart: on-failure extends: @@ -71,7 +71,7 @@ services: edc-customer-data-plane: depends_on: - postgres-customer: + postgres-all: condition: service_healthy restart: on-failure extends: 
@@ -90,35 +90,9 @@ services: extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - # postgres-supplier: - # image: postgres:15.4-alpine - # container_name: supplier-postgres - # environment: - # POSTGRES_DB: puris-supplier - # POSTGRES_USER: ${PG_USER} - # POSTGRES_PASSWORD: ${PG_PW} - # ports: - # - "127.0.0.1:5435:5432" - # healthcheck: - # test: ["CMD-SHELL", "pg_isready -d puris-supplier -U ${PG_USER}"] - # interval: 4s - # timeout: 3s - # retries: 15 - # networks: - # - miw-net - # deploy: - # resources: - # limits: - # memory: 512mb - # cpus: "0.5" - # security_opt: - # - no-new-privileges:true - # volumes: - # - ./postgres/init-dtr.sql:/docker-entrypoint-initdb.d/init-dtr.sql - # edc-supplier-control-plane: depends_on: - postgres-customer: + postgres-all: condition: service_healthy # restart: on-failure extends: @@ -141,7 +115,7 @@ services: edc-supplier-data-plane: depends_on: - postgres-customer: + postgres-all: condition: service_healthy restart: on-failure extends: diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml index b0accbcd..ee5be31a 100644 --- a/local/docker-compose.yaml +++ b/local/docker-compose.yaml @@ -59,7 +59,7 @@ services: depends_on: edc-customer-control-plane: condition: service_started #service_healthy - postgres-customer: + postgres-all: condition: service_healthy dtr-customer: condition: service_healthy @@ -68,7 +68,7 @@ services: env_file: - ./tractus-x-edc/config/customer/puris-backend.properties environment: - SPRING_DATASOURCE_URL: jdbc:postgresql://customer-postgres:5432/puris-customer + SPRING_DATASOURCE_URL: jdbc:postgresql://postgres-all:5432/puris_customer SPRING_DATASOURCE_USERNAME: ${PG_USER} SPRING_DATASOURCE_PASSWORD: ${PG_PW} networks: 
@@ -80,10 +80,10 @@ services: image: tractusx/sldt-digital-twin-registry:0.3.23 container_name: dtr-customer depends_on: - postgres-customer: + postgres-all: condition: service_healthy healthcheck: - test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors" ] + test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"] interval: 4s timeout: 3s retries: 15 @@ -91,7 +91,7 @@ services: - "127.0.0.1:4243:4243" environment: SPRING_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver - SPRING_DATASOURCE_URL: jdbc:postgresql://customer-postgres:5432/dtr_database + SPRING_DATASOURCE_URL: jdbc:postgresql://postgres-all:5432/dtr_customer SPRING_DATASOURCE_USERNAME: ${PG_USER} SPRING_DATASOURCE_PASSWORD: ${PG_PW} SPRING_PROFILES_ACTIVE: local @@ -101,17 +101,17 @@ services: extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - postgres-customer: + postgres-all: image: postgres:15.4-alpine - container_name: customer-postgres + container_name: postgres-all environment: - POSTGRES_DB: puris-customer + POSTGRES_DB: puris_customer # create puris db for customer, rest init script POSTGRES_USER: ${PG_USER} POSTGRES_PASSWORD: ${PG_PW} ports: - "127.0.0.1:5433:5432" healthcheck: - test: [ "CMD-SHELL", "pg_isready -d puris-customer -U ${PG_USER}" ] + test: ["CMD-SHELL", "pg_isready -d puris_customer -U ${PG_USER}"] interval: 4s timeout: 3s retries: 15 @@ -125,9 +125,12 @@ services: security_opt: - no-new-privileges:true volumes: - - ./postgres/init-dtr.sql:/docker-entrypoint-initdb.d/init-dtr.sql + - ./postgres/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql edc-customer-control-plane: + depends_on: + postgres-all: + condition: service_healthy restart: on-failure extends: file: ./tractus-x-edc/docker-compose.yaml 
@@ -147,6 +150,9 @@ services: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine edc-customer-data-plane: + depends_on: + postgres-all: + condition: service_healthy restart: on-failure extends: file: ./tractus-x-edc/docker-compose.yaml @@ -154,10 +160,9 @@ services: container_name: customer-data-plane ports: - "127.0.0.1:8280:8280" + - "127.0.0.1:8283:8283" - "127.0.0.1:8285:8285" - "127.0.0.1:8299:8299" - environment: - edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} env_file: - ./tractus-x-edc/config/customer/data-plane.properties networks: @@ -203,7 +208,7 @@ services: depends_on: edc-supplier-control-plane: condition: service_started #service_healthy - postgres-supplier: + postgres-all: condition: service_healthy dtr-supplier: condition: service_healthy @@ -212,7 +217,7 @@ services: env_file: - ./tractus-x-edc/config/supplier/puris-backend.properties environment: - SPRING_DATASOURCE_URL: jdbc:postgresql://supplier-postgres:5432/puris-supplier + SPRING_DATASOURCE_URL: jdbc:postgresql://postgres-all:5432/puris_supplier SPRING_DATASOURCE_USERNAME: ${PG_USER} SPRING_DATASOURCE_PASSWORD: ${PG_PW} networks: @@ -224,10 +229,10 @@ services: image: tractusx/sldt-digital-twin-registry:0.3.23 container_name: dtr-supplier depends_on: - postgres-supplier: + postgres-all: condition: service_healthy healthcheck: - test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors" ] + test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"] interval: 4s timeout: 3s retries: 15 
@@ -235,7 +240,7 @@ services: - "127.0.0.1:4244:4243" environment: SPRING_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver - SPRING_DATASOURCE_URL: jdbc:postgresql://supplier-postgres:5432/dtr_database + SPRING_DATASOURCE_URL: jdbc:postgresql://postgres-all:5432/dtr_supplier SPRING_DATASOURCE_USERNAME: ${PG_USER} SPRING_DATASOURCE_PASSWORD: ${PG_PW} SPRING_PROFILES_ACTIVE: local @@ -245,33 +250,10 @@ services: extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - postgres-supplier: - image: postgres:15.4-alpine - container_name: supplier-postgres - environment: - POSTGRES_DB: puris-supplier - POSTGRES_USER: ${PG_USER} - POSTGRES_PASSWORD: ${PG_PW} - ports: - - "127.0.0.1:5435:5432" - healthcheck: - test: [ "CMD-SHELL", "pg_isready -d puris-supplier -U ${PG_USER}" ] - interval: 4s - timeout: 3s - retries: 15 - networks: - - miw-net - deploy: - resources: - limits: - memory: 512mb - cpus: "0.5" - security_opt: - - no-new-privileges:true - volumes: - - ./postgres/init-dtr.sql:/docker-entrypoint-initdb.d/init-dtr.sql - edc-supplier-control-plane: + depends_on: + postgres-all: + condition: service_healthy restart: on-failure extends: file: ./tractus-x-edc/docker-compose.yaml @@ -291,8 +273,10 @@ services: extra_hosts: - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - edc-supplier-data-plane: + depends_on: + postgres-all: + condition: service_healthy restart: on-failure extends: file: ./tractus-x-edc/docker-compose.yaml @@ -300,10 +284,9 @@ services: container_name: supplier-data-plane ports: - "127.0.0.1:9280:9280" + - "127.0.0.1:9283:9283" - "127.0.0.1:9285:9285" - "127.0.0.1:9299:9299" - environment: - edc.vault.hashicorp.token: ${VAULT_DEV_ROOT_TOKEN_ID} env_file: - ./tractus-x-edc/config/supplier/data-plane.properties networks: 
diff --git a/local/postgres/init-db.sql b/local/postgres/init-db.sql index 41cf2e8a..06a9e997 100644 --- a/local/postgres/init-db.sql +++ b/local/postgres/init-db.sql @@ -20,15 +20,15 @@ * SPDX-License-Identifier: Apache-2.0 */ -CREATE DATABASE miw; - CREATE DATABASE "edc_customer"; CREATE DATABASE "edc_supplier"; --- CREATE DATABASE "edc_customer_asset"; --- CREATE DATABASE "edc_customer_contractdefinition"; --- CREATE DATABASE "edc_customer_contractnegotiation"; --- CREATE DATABASE "edc_customer_policy"; +CREATE DATABASE "dtr_customer"; +CREATE DATABASE "dtr_supplier"; +-- already created via docker init +-- CREATE DATABASE "puris_customer"; +CREATE DATABASE "puris_supplier"; + -- CREATE DATABASE "edc_customer_transferprocess"; -- -- CREATE DATABASE "edc_customer_policy_monitor"; diff --git a/local/tractus-x-edc/config/customer/control-plane.properties b/local/tractus-x-edc/config/customer/control-plane.properties index d18f1c5d..28840658 100644 --- a/local/tractus-x-edc/config/customer/control-plane.properties +++ b/local/tractus-x-edc/config/customer/control-plane.properties 
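Review bot: The comment `-- already created via docker init` ties this script to `POSTGRES_DB: puris_customer` in local/docker-compose.yaml, while the `postgres-all` service in local/docker-compose-edc.yaml in this same patch sets `POSTGRES_DB: edc`; if that compose file mounts this script as well (not visible here), its instance would come up without a `puris_customer` database. PostgreSQL has no `IF NOT EXISTS` for `CREATE DATABASE`, so the dependency is best made explicit in the comment: `-- puris_customer is created by POSTGRES_DB in local/docker-compose.yaml; keep both in sync`. Separately, every database here is created by, and connected to with, the single `${PG_USER}` role, so the customer's and supplier's EDC, DTR and backend stores now share one credential on one instance — acceptable for a local stack, but worth a one-line comment so the layout is not copied into a shared environment.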
@@ -57,45 +57,45 @@ edc.receiver.http.dynamic.auth-key=X-API-KEY edc.receiver.http.dynamic.auth-code=${CUSTOMER_BACKEND_API_KEY} # Postgresql related configuration edc.datasource.asset.name=asset -edc.datasource.asset.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.asset.user and edc.datasource.asset.password are set via .env edc.datasource.asset.user=${PG_USER} edc.datasource.asset.password=${PG_PW} edc.datasource.contractdefinition.name=contractdefinition -edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env edc.datasource.contractdefinition.user=${PG_USER} edc.datasource.contractdefinition.password=${PG_PW} edc.datasource.contractnegotiation.name=contractnegotiation -edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env edc.datasource.contractnegotiation.user=${PG_USER} edc.datasource.contractnegotiation.password=${PG_PW} edc.datasource.policy.name=policy -edc.datasource.policy.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy.user and edc.datasource.policy.password are set via .env edc.datasource.policy.user=${PG_USER} edc.datasource.policy.password=${PG_PW} edc.datasource.transferprocess.name=transferprocess -edc.datasource.transferprocess.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_supplier # 
edc.datasource.transferprocess.user and edc.datasource.transferprocess.password are set via .env edc.datasource.transferprocess.user=${PG_USER} edc.datasource.transferprocess.password=${PG_PW} edc.datasource.policy-monitor.name=policy-monitor -edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.policy-monitor.user=${PG_USER} edc.datasource.policy-monitor.password=${PG_PW} # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql edc.datasource.bpn.name=policy-monitor -edc.datasource.bpn.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.bpn.user=${PG_USER} edc.datasource.bpn.password=${PG_PW} # new in 0.4.x # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_supplier #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} diff --git a/local/tractus-x-edc/config/customer/data-plane.properties b/local/tractus-x-edc/config/customer/data-plane.properties index b47b059c..c6a17dfd 100644 --- a/local/tractus-x-edc/config/customer/data-plane.properties +++ b/local/tractus-x-edc/config/customer/data-plane.properties 
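Review bot: `edc.datasource.bpn.name=policy-monitor` (a context line near the end of the hunk) registers the business-partner store under the same name as the `policy-monitor` datasource declared a few lines above it, and the comment copied beneath it still refers to `edc.datasource.policy-monitor.user`; if the datasource registry keys entries by that name, one registration overwrites the other, which only goes unnoticed because both URLs point at the same database. The supplier control-plane hunk in this patch has the same pair, and both data-plane hunks repeat the pattern with `edc.datasource.dataplane.name=edr` and `edc.datasource.accesstokendata.name=edr`. Suggest giving each store its own name, e.g. `edc.datasource.bpn.name=bpn`, `edc.datasource.dataplane.name=dataplane`, `edc.datasource.accesstokendata.name=accesstokendata`, and correcting the copied comment to `# edc.datasource.bpn.user and edc.datasource.bpn.password are set via .env`.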
@@ -20,19 +20,19 @@ edc.vault.hashicorp.health.check.enabled=false edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID} # EDCR exentions edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_customer #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} edc.datasource.edr.password=${PG_PW} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/data-plane-store-sql edc.datasource.dataplane.name=edr -edc.datasource.dataplane.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.dataplane.url=jdbc:postgresql://postgres-all:5432/edc_customer edc.datasource.dataplane.user=${PG_USER} edc.datasource.dataplane.password=${PG_PW} # extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/accesstokendata-store-sql edc.datasource.accesstokendata.name=edr -edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-all:5432/edc_customer edc.datasource.accesstokendata.user=${PG_USER} edc.datasource.accesstokendata.password=${PG_PW} # token refresh diff --git a/local/tractus-x-edc/config/supplier/control-plane.properties b/local/tractus-x-edc/config/supplier/control-plane.properties index 6668ff10..0820306b 100644 --- a/local/tractus-x-edc/config/supplier/control-plane.properties +++ b/local/tractus-x-edc/config/supplier/control-plane.properties 
@@ -58,45 +58,45 @@ edc.receiver.http.dynamic.auth-key=X-API-KEY edc.receiver.http.dynamic.auth-code=${SUPPLIER_BACKEND_API_KEY} # Postgresql related configuration edc.datasource.asset.name=asset -edc.datasource.asset.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.asset.user and edc.datasource.asset.password are set via .env edc.datasource.asset.user=${PG_USER} edc.datasource.asset.password=${PG_PW} edc.datasource.contractdefinition.name=contractdefinition -edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env edc.datasource.contractdefinition.user=${PG_USER} edc.datasource.contractdefinition.password=${PG_PW} edc.datasource.contractnegotiation.name=contractnegotiation -edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env edc.datasource.contractnegotiation.user=${PG_USER} edc.datasource.contractnegotiation.password=${PG_PW} edc.datasource.policy.name=policy -edc.datasource.policy.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy.user and edc.datasource.policy.password are set via .env edc.datasource.policy.user=${PG_USER} edc.datasource.policy.password=${PG_PW} edc.datasource.transferprocess.name=transferprocess -edc.datasource.transferprocess.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_customer # 
edc.datasource.transferprocess.user and edc.datasource.transferprocess.password are set via .env edc.datasource.transferprocess.user=${PG_USER} edc.datasource.transferprocess.password=${PG_PW} edc.datasource.policy-monitor.name=policy-monitor -edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.policy-monitor.user=${PG_USER} edc.datasource.policy-monitor.password=${PG_PW} # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql edc.datasource.bpn.name=policy-monitor -edc.datasource.bpn.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.bpn.user=${PG_USER} edc.datasource.bpn.password=${PG_PW} # new in 0.4.x # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_customer +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_customer #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} diff --git a/local/tractus-x-edc/config/supplier/data-plane.properties b/local/tractus-x-edc/config/supplier/data-plane.properties index 1c89ce23..ac8be2ff 100644 --- a/local/tractus-x-edc/config/supplier/data-plane.properties +++ b/local/tractus-x-edc/config/supplier/data-plane.properties 
@@ -21,19 +21,19 @@ edc.vault.hashicorp.health.check.enabled=false edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID} # EDR extensions edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_supplier #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} edc.datasource.edr.password=${PG_PW} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/data-plane-store-sql edc.datasource.dataplane.name=edr -edc.datasource.dataplane.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.dataplane.url=jdbc:postgresql://postgres-all:5432/edc_supplier edc.datasource.dataplane.user=${PG_USER} edc.datasource.dataplane.password=${PG_PW} # extension https://github.com/eclipse-edc/Connector/tree/main/extensions/data-plane/store/sql/accesstokendata-store-sql edc.datasource.accesstokendata.name=edr -edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-customer:5432/edc_supplier +edc.datasource.accesstokendata.url=jdbc:postgresql://postgres-all:5432/edc_supplier edc.datasource.accesstokendata.user=${PG_USER} edc.datasource.accesstokendata.password=${PG_PW} # token refresh From 6f5db7fdc96cb04b21f9454b435fa0aad42645d1 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Fri, 3 May 2024 00:49:10 -0700 Subject: [PATCH 09/19] refactor(local): made dtr and edc of customer / supplier share one db instance --- .../config/customer/control-plane.properties | 16 ++++++++-------- .../config/supplier/control-plane.properties | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/local/tractus-x-edc/config/customer/control-plane.properties b/local/tractus-x-edc/config/customer/control-plane.properties index 28840658..d62e7a03 100644 
--- a/local/tractus-x-edc/config/customer/control-plane.properties +++ b/local/tractus-x-edc/config/customer/control-plane.properties 
@@ -57,45 +57,45 @@ edc.receiver.http.dynamic.auth-key=X-API-KEY edc.receiver.http.dynamic.auth-code=${CUSTOMER_BACKEND_API_KEY} # Postgresql related configuration edc.datasource.asset.name=asset -edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.asset.user and edc.datasource.asset.password are set via .env edc.datasource.asset.user=${PG_USER} edc.datasource.asset.password=${PG_PW} edc.datasource.contractdefinition.name=contractdefinition -edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env edc.datasource.contractdefinition.user=${PG_USER} edc.datasource.contractdefinition.password=${PG_PW} edc.datasource.contractnegotiation.name=contractnegotiation -edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env edc.datasource.contractnegotiation.user=${PG_USER} edc.datasource.contractnegotiation.password=${PG_PW} edc.datasource.policy.name=policy -edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy.user and edc.datasource.policy.password are set via .env edc.datasource.policy.user=${PG_USER} edc.datasource.policy.password=${PG_PW} edc.datasource.transferprocess.name=transferprocess -edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.transferprocess.user and 
edc.datasource.transferprocess.password are set via .env edc.datasource.transferprocess.user=${PG_USER} edc.datasource.transferprocess.password=${PG_PW} edc.datasource.policy-monitor.name=policy-monitor -edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.policy-monitor.user=${PG_USER} edc.datasource.policy-monitor.password=${PG_PW} # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql edc.datasource.bpn.name=policy-monitor -edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_customer # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.bpn.user=${PG_USER} edc.datasource.bpn.password=${PG_PW} # new in 0.4.x # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_supplier +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_customer #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} diff --git a/local/tractus-x-edc/config/supplier/control-plane.properties b/local/tractus-x-edc/config/supplier/control-plane.properties index 0820306b..d8f54d67 100644 --- a/local/tractus-x-edc/config/supplier/control-plane.properties +++ b/local/tractus-x-edc/config/supplier/control-plane.properties 
@@ -58,45 +58,45 @@ edc.receiver.http.dynamic.auth-key=X-API-KEY edc.receiver.http.dynamic.auth-code=${SUPPLIER_BACKEND_API_KEY} # Postgresql related configuration edc.datasource.asset.name=asset -edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.asset.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.asset.user and edc.datasource.asset.password are set via .env edc.datasource.asset.user=${PG_USER} edc.datasource.asset.password=${PG_PW} edc.datasource.contractdefinition.name=contractdefinition -edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.contractdefinition.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.contractdefinition.user and edc.datasource.contractdefinition.password are set via .env edc.datasource.contractdefinition.user=${PG_USER} edc.datasource.contractdefinition.password=${PG_PW} edc.datasource.contractnegotiation.name=contractnegotiation -edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.contractnegotiation.user and edc.datasource.contractnegotiation.password are set via .env edc.datasource.contractnegotiation.user=${PG_USER} edc.datasource.contractnegotiation.password=${PG_PW} edc.datasource.policy.name=policy -edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.policy.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy.user and edc.datasource.policy.password are set via .env edc.datasource.policy.user=${PG_USER} edc.datasource.policy.password=${PG_PW} edc.datasource.transferprocess.name=transferprocess -edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.transferprocess.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.transferprocess.user and 
edc.datasource.transferprocess.password are set via .env edc.datasource.transferprocess.user=${PG_USER} edc.datasource.transferprocess.password=${PG_PW} edc.datasource.policy-monitor.name=policy-monitor -edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.policy-monitor.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.policy-monitor.user=${PG_USER} edc.datasource.policy-monitor.password=${PG_PW} # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/bpn-validation/business-partner-store-sql edc.datasource.bpn.name=policy-monitor -edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.bpn.url=jdbc:postgresql://postgres-all:5432/edc_supplier # edc.datasource.policy-monitor.user and edc.datasource.policy-monitor.password are set via .env edc.datasource.bpn.user=${PG_USER} edc.datasource.bpn.password=${PG_PW} # new in 0.4.x # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql edc.datasource.edr.name=edr -edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_customer +edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_supplier #edc.datasource.edr.user and edc.datasource.edr.password are set via .env #org.eclipse.tractusx.edc.postgresql.migration.edr.enabled=false edc.datasource.edr.user=${PG_USER} From 19bdf5c1b11be030e7fe540e59b4e25b995801c1 Mon Sep 17 00:00:00 2001 
From: --show-origin Date: Sun, 5 May 2024 22:47:39 -0700 Subject: [PATCH 10/19] feat(iam-mock): added sts edr refresh workflow mock --- local/generate-keys.sh | 5 ++ local/iam-mock/constants.py | 31 +++++++++- ..._VP_FLOW.md => README_SERVICE_OVERVIEW.md} | 42 ++++++++++--- local/iam-mock/jwtUtils.py | 31 ++++++++-- local/iam-mock/mock_util.py | 60 +++++++++++++------ 5 files changed, 139 insertions(+), 30 deletions(-) rename local/iam-mock/docs/{README_VP_FLOW.md => README_SERVICE_OVERVIEW.md} (58%) diff --git a/local/generate-keys.sh b/local/generate-keys.sh index a3da0384..26204186 100644 --- a/local/generate-keys.sh +++ b/local/generate-keys.sh @@ -94,5 +94,10 @@ echo "Creating key pair for mock iam" openssl ecparam -name prime256v1 -genkey -out ./iam-mock/keys/private_key.pem openssl ec -in ./iam-mock/keys/private_key.pem -pubout -out ./iam-mock/keys/public_key.pem +echo "Copy private keys for supplier and customer edr refresh signing in mock iam" +cp $SUPPLIER_KEY ./iam-mock/keys/supplier.key +cp $CUSTOMER_KEY ./iam-mock/keys/customer.key + # let everyone access the files so that the non-root user in vault container can put them chmod -R 755 ./vault/secrets +chmod -R 755 ./iam-mock/keys diff --git a/local/iam-mock/constants.py b/local/iam-mock/constants.py index f23bda96..b073e747 100644 --- a/local/iam-mock/constants.py +++ b/local/iam-mock/constants.py 
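Review bot: `chmod -R 755 ./iam-mock/keys` makes the freshly copied private keys (`supplier.key`, `customer.key`, and the `private_key.pem` generated just above) world-readable on the developer host, and the Dockerfile's `COPY ./keys /code/keys` carries those bits into the image. If the Dockerfile hands the files to its non-root user at copy time (`COPY --chown=...`), the keys can stay private here: `chmod -R u=rwX,go= ./iam-mock/keys`; failing that, the recursive 755 should at least skip the private keys. `$SUPPLIER_KEY` and `$CUSTOMER_KEY` are presumably assigned above this hunk and should be quoted in the new `cp` lines, `cp "$SUPPLIER_KEY" ./iam-mock/keys/supplier.key`, so a path containing spaces is not split.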
@@ -34,10 +34,15 @@ def read_file(path: Path): ES256_PRIVATE_KEY = read_file(Path("keys/private_key.pem")) ES256_PUBLIC_KEY = read_file(Path("keys/public_key.pem")) +# must be same as used in edc for edc.transfer.proxy.signer.privatekey.alias +CUSTOMER_PRIVATE_KEY = read_file(Path("keys/customer.key")) +SUPPLIER_PRIVATE_KEY = read_file(Path("keys/supplier.key")) + DID_CUSTOMER = "did:web:mock-util-service/customer" DID_SUPPLIER = "did:web:mock-util-service/supplier" DID_TRUSTED_ISSUER = "did:web:mock-util-service/trusted-issuer" +# note: kid_vault = alias used for public key, set in edc.transer.proxy.token.verifier.publickey.alias DID_DICT = { DID_TRUSTED_ISSUER: { "bpnl": "NONE", @@ -46,18 +51,40 @@ def read_file(path: Path): DID_SUPPLIER: { "bpnl": "BPNL1234567890ZZ", "did_resolve_name": "supplier", + "kid_vault": "supplier-cert", + "private_key": SUPPLIER_PRIVATE_KEY, }, DID_CUSTOMER: { "bpnl": "BPNL4444444444XX", "did_resolve_name": "customer", + "kid_vault": "customer-cert", + "private_key": CUSTOMER_PRIVATE_KEY, } } """ -lookup bpnl by did +lookup did by did_resolve_name """ -def get_did_for_bpnl(did_resolve_name: str): +def get_did_for_resolve_name(did_resolve_name: str): for key, value in DID_DICT.items(): if value["did_resolve_name"] == did_resolve_name: return key return None + + +""" +lookup did by bpnl +""" +def get_did_for_bpnl(bpnl: str): + for key, value in DID_DICT.items(): + if value["bpnl"] == bpnl: + return key + return None + + +""" +lookup bpnl by did +""" +def get_bpnl_for_did(did: str): + entry = DID_DICT.get(did, None) + return entry["bpnl"] if entry else None diff --git a/local/iam-mock/docs/README_VP_FLOW.md b/local/iam-mock/docs/README_SERVICE_OVERVIEW.md similarity index 58% rename from local/iam-mock/docs/README_VP_FLOW.md rename to local/iam-mock/docs/README_SERVICE_OVERVIEW.md index a85cda63..0e3703f2 100644 --- a/local/iam-mock/docs/README_VP_FLOW.md +++ b/local/iam-mock/docs/README_SERVICE_OVERVIEW.md 
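Review bot: The triple-quoted strings placed above `get_did_for_resolve_name`, `get_did_for_bpnl` and `get_bpnl_for_did` are standalone expression statements, not docstrings, so `help()` and editors will not show them; move each one inside its function as the first statement, e.g. `def get_did_for_bpnl(bpnl: str):` followed by `"""Lookup did by bpnl."""`. Reusing the old name `get_did_for_bpnl` for a function with different semantics (the previous behaviour now lives in `get_did_for_resolve_name`) means a caller that was not updated silently receives `None` instead of an error; mock_util.py is adjusted in this patch, but any other caller should be checked. `DID_DICT` now carries `private_key` material next to public lookup data, so any log statement or debug dump of an entry would expose the key; consider keeping the keys in a separate mapping or at least adding a comment that the dict must not be printed.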
@@ -1,47 +1,75 @@ Basically, there are two types of IATP flows used by the connector in Catena-X Data Spaces: + - Self IATP (e.g. get MembershipCredential for BDRS) - IATP (e.g. used for catalog request, see simplified in `./credential_requests.puml`) See [README.md](../README.md) for the different capabilities -This document mainly gives some learnings regarding the [Tractus-X Verifiable Presentation flow](https://github.com/eclipse-tractusx/identity-trust/blob/main/specifications/verifiable.presentation.protocol.md) +This document mainly gives some learnings regarding +the [Tractus-X Verifiable Presentation flow](https://github.com/eclipse-tractusx/identity-trust/blob/main/specifications/verifiable.presentation.protocol.md) -# Resolving DIDs +# Resolving DIDs Triggered via `bdrs` client of a party when `catalog` call is invoked to + - identify DID for Partner in Access Policy - identify DID for Partner for Contract Policies (e.g. Membership) -Additionally, DIDs may be resolved +Additionally, DIDs may be resolved + - verify identities during data space protocol communication. -- to determine the Credential Service Endpoint who is responsible for a partner +- to determine the Credential Service Endpoint who is responsible for a partner # Self-issued token + A participant may create a self-issued token that can be used to request VPs at the credential service. 
The token follows this spec https://datatracker.ietf.org/doc/html/rfc9068 The relying party verifies the token https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#section-11.1 The relying party may query additional information from the cs using token + - get did via `sub` claim - resolve did - extract `CredentialService` from `service` from did - query for presentation -Note: If a `bearer_access_scope` is given, this is added as a `token` claim so that a relying party can authenticate on +Note: If a `bearer_access_scope` is given, this is added as a `token` claim so that a relying party can authenticate on behalf of the holder at the credential service to get the VP for scopes in question. See more details for STS flow in https://openid.net/specs/openid-connect-self-issued-v2-1_0.html#section-1.1 +## Special case for EDR token refresh + +docs: https://github.com/eclipse-tractusx/tractusx-profiles/blob/main/tx/refresh/refresh.token.grant.profile.md + +EDR use the local keys provided via edc config. When mocking the edr refresh, these private keys need to be used to sign +the jwt. Also, the kid in the jwt header needs to be the alias in vault. Both is hard coded in constants and +`generate-keys.sh`. + +EDR information are stored in the vault + +- `edr-{transfer-proccess-id}` = information returned from `edr/{transfer-process-id}/dataadress` +- `jti` = the internal id of the EDR token. 
It's also stored in the respective db (see data plane plugins) -> you can + still use one vault for several edc in testing + +Relevant for EDR content: + +- `iat` = now +- `exp` = now + seconds configured for refresh in provider data plane +- `jti` = see above +- `iss` = `aud` = consumer +- `sub` = provider + # Credential Service calls -This is the real wallet allowing to store issued credentials and create verifiable presentations to proof the ownership +This is the real wallet allowing to store issued credentials and create verifiable presentations to proof the ownership of a verifiable credential ## Issue credential / Store credential Ignored in Mock. We always do a pass all. Normally some trusted issuer would hand over the credentials into a wallet. -## Query for presentation +## Query for presentation In Tractus-X Data Spaces with DIM (what this service mocks) the query is done on behalf of the holder. diff --git a/local/iam-mock/jwtUtils.py b/local/iam-mock/jwtUtils.py index 995ec7de..099f2402 100644 --- a/local/iam-mock/jwtUtils.py +++ b/local/iam-mock/jwtUtils.py @@ -19,7 +19,7 @@ # import jwt -from constants import ES256_PRIVATE_KEY +from constants import ES256_PRIVATE_KEY, DID_DICT """ 
@@ -28,19 +28,22 @@ claims: expects participant information (iss, aud, sub) to be present issuer: to sign the jwt scope: scope needed that will be added to the claims as "scope" and embeds the payload as jwt in "token" +embed_token: put a representation of this token as "token" claim into the token """ -def create_jwt_from_claims(claims: dict, issuer: str, scope: str = None) -> dict: +def create_jwt_from_claims(claims: dict, issuer: str, scope: str = None, embed_token: bool = False) -> dict: base_claims = { - "nbf": 1541493724, "iat": 1541493724, "exp": 32481718133, } claims.update(base_claims) - if scope: + # TODO check for update + if scope: # GRANT ACCESS request includes scope and token representation claims["scope"] = scope claims["token"] = create_token_from_payload(claims, issuer) + elif embed_token: # refresh token needs access token representation + claims["token"] = create_token_from_payload_with_vault_key(claims, issuer, DID_DICT[issuer]["kid_vault"], DID_DICT[issuer]["private_key"]) else: print("No scope given for self-issued token. No token claim created for it.") 
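Review bot: `claims.update(base_claims)` still overwrites any `iat`/`exp` the caller supplies, so the refresh-token path added in mock_util.py (hunk `@@ -74,27 +74,53 @@`), which copies `iat` and `exp` from the incoming token, ends up signing a token with the hard-coded 2018 `iat` (1541493724) and the year-2999 `exp` (32481718133); let the defaults fill in only missing keys, `for key, value in base_claims.items(): claims.setdefault(key, value)`. `DID_DICT[issuer]` in the `embed_token` branch raises `KeyError` when `issuer` is not a known DID, which is exactly what the caller gets (`None`) from `get_did_for_bpnl` for an unknown BPNL, so a guard with a clear error message is warranted. The comment `# TODO check for update` does not say what is to be checked; either spell it out or drop it. The `embed_token` docstring line could also state that `scope` takes precedence when both are given, which is what the `if`/`elif` order does.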
@@ -49,8 +52,28 @@ def create_jwt_from_claims(claims: dict, issuer: str, scope: str = None) -> dict return create_token_from_payload(claims, issuer) +""" +create a jwt for the payload, signed by did_signer using information from the vault (preconfigured information) + +Creates a header with a kid for a key, that can be understood by LocalPublicKeyServiceImpl +https://github.com/eclipse-edc/Connector/blob/main/core/common/lib/keys-lib/src/main/java/org/eclipse/edc/keys/LocalPublicKeyServiceImpl.java#L44 +""" +def create_token_from_payload_with_vault_key(payload: str, did_signer: str, kid: str, private_key: str): + + header = { + "alg": "RS256", + "kid": kid + } + + jwt_token = jwt.encode(payload, private_key, algorithm='RS256', headers=header) + + return jwt_token + + """ create a jwt for the payload, signed by did_signer + +Creates a header with a kid that can be handeled by the did exposed by mock_util.py """ def create_token_from_payload(payload: str, did_signer: str): diff --git a/local/iam-mock/mock_util.py b/local/iam-mock/mock_util.py index e81d9bd6..5355a140 100644 --- a/local/iam-mock/mock_util.py +++ b/local/iam-mock/mock_util.py @@ -25,7 +25,7 @@ import base64 from cryptography.hazmat.primitives import serialization from jwtUtils import decode_token, create_jwt_from_claims -from constants import ES256_PUBLIC_KEY, DID_TRUSTED_ISSUER, get_did_for_bpnl +from constants import ES256_PUBLIC_KEY, DID_TRUSTED_ISSUER, get_did_for_resolve_name, get_did_for_bpnl from credential_service import create_verifiable_presentation import uuid from pathlib import Path @@ -39,7 +39,7 @@ logger = logging.getLogger("fastapi") """ -store STS GRANT ACCESS Request JWT token for uuid. +store STS GRANT ACCESS Request JWT token for uuid. Uuid is inserted into token as 'token_id' to use the token in SIGN TOKEN Request (remember request granted) """ 
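Review bot: `create_token_from_payload_with_vault_key` accepts `did_signer` but never uses it, and annotates `payload` as `str` although `create_jwt_from_claims` passes the claims dict (and `jwt.encode` takes a mapping); change the signature to `def create_token_from_payload_with_vault_key(payload: dict, did_signer: str, kid: str, private_key: str):` and either use `did_signer` or say in the docstring that it is kept for symmetry with `create_token_from_payload`. `alg` is hard-coded to `RS256`, which only succeeds if the keys copied by generate-keys.sh into `keys/customer.key` and `keys/supplier.key` are RSA keys; that is not visible here, so the docstring should state the expected key type or the algorithm should be chosen from the loaded key. The docstring added to `create_token_from_payload` has a typo, `handeled` → `handled`.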
@@ -74,27 +74,53 @@ async def secure_token_service(request: Request): print("POST with body ", body) print("bearer of requestor is set as auth header" if request.headers["authorization"] else "bearer of requestor is NOT set as auth header") + print(f"bearer: {request.headers['authorization']}") + print(f"Request params received: {request.query_params}") # handle body similar to https://github.com/eclipse-tractusx/tractusx-edc/blob/d7d3586ffc4ef03c858e38fde6bfa8687efa50c9/edc-tests/edc-controlplane/iatp-tests/src/test/java/org/eclipse/tractusx/edc/tests/transfer/iatp/dispatchers/DimDispatcher.java grant_access = body.get("grantAccess", None) if sign_token_flag: sign_token = body["signToken"] - # lookup existing token - token_id = decode_token(sign_token["token"])['token_id'] - token = id_token_map[token_id] - decoded_token = decode_token(token) - print(f"Identified matching token (decoded) {decoded_token}") - id_token_map.pop(token_id) + decoded_token = decode_token(sign_token["token"]) + + # try to lookup existing token, if found use it + # else we're in token refresh + token_id = decoded_token.get('token_id', None) + if token_id: + token = id_token_map[token_id] + decoded_token = decode_token(token) + print(f"Identified matching token (decoded) {decoded_token}") + id_token_map.pop(token_id) + + # common reqeust: issued by trusted issuer + claims = { + "iss": DID_TRUSTED_ISSUER, + "sub": decoded_token["sub"], + "aud": decoded_token["aud"] + } + + print(f"Request contains issuer {claims['iss']}, subject {claims['sub']}, audience {claims['aud']}, token {token}") + token = create_jwt_from_claims(claims, sign_token["issuer"], None) + print(f"Created jwt token: {token}") + vp = token + + else: + # refresh token request: iss, sub = client did + claims = { + "iss": get_did_for_bpnl(decoded_token["aud"]), + "sub": get_did_for_bpnl(decoded_token["aud"]), + "aud": get_did_for_bpnl(decoded_token["sub"]), + "jti": decoded_token["jti"], + "iat": decoded_token["iat"], + "exp": 
decoded_token["exp"], + } + + print(f"Request contains issuer {claims['iss']}, subject {claims['sub']}, audience {claims['aud']}, token {decoded_token}") + token = create_jwt_from_claims(claims, claims["iss"], None, True) + print(f"Created jwt token: {token}") + vp = token - claims = { - "iss": DID_TRUSTED_ISSUER, - "sub": decoded_token["sub"], - "aud": decoded_token["aud"] - } - print(f"Request contains issuer {claims['iss']}, subject {claims['sub']}, audience {claims['aud']}, token {token if token else '*no token*'}") - token = create_jwt_from_claims(claims, sign_token["issuer"], None) - vp = token else: token_id = str(uuid.uuid4()) @@ -186,7 +212,7 @@ def return_did(request: Request, partner_did: str, did_path: str): print(f"CALLED /{partner_did}/{did_path} from ", hostname) # get DID constant for path used - did_id = get_did_for_bpnl(partner_did) + did_id = get_did_for_resolve_name(partner_did) # put elyptic curves accordingly public_key = serialization.load_pem_public_key(ES256_PUBLIC_KEY.encode(), backend=default_backend()) From 057a2f05f9862fee45b4f8b1d18814a45288fbc1 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Tue, 7 May 2024 06:27:28 -0700 Subject: [PATCH 11/19] ci(.tractusx): exclude iam-mock Docker from qGate check as not distributed --- .tractusx | 1 + local/iam-mock/DEPENDENCIES | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 local/iam-mock/DEPENDENCIES diff --git a/.tractusx b/.tractusx index ff946e98..dd153fc6 100644 --- a/.tractusx +++ b/.tractusx @@ -26,3 +26,4 @@ repositories: skipReleaseChecks: alignedBaseImage: - "local/vault/Dockerfile" + - "local/iam-mock/Dockerfile" diff --git a/local/iam-mock/DEPENDENCIES b/local/iam-mock/DEPENDENCIES new file mode 100644 index 00000000..31fbbb1e --- /dev/null +++ b/local/iam-mock/DEPENDENCIES 
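Review bot: `print(f"bearer: {request.headers['authorization']}")` writes the caller's complete bearer token to stdout, which ends up in the container logs; print only its presence or a truncated prefix, e.g. `print("bearer present:", "authorization" in request.headers)`. In the refresh branch `get_did_for_bpnl(...)` returns `None` for a BPNL that is not in `DID_DICT`, so `claims["iss"]` becomes `None` and `create_jwt_from_claims(claims, claims["iss"], None, True)` fails inside the helper rather than with a clear 4xx; check the three lookups for `None` before building the claims. `id_token_map[token_id]` likewise raises `KeyError` for an unknown or already-consumed `token_id`. Whether `decode_token` verifies the signature of `sign_token["token"]` is not visible in this hunk; if it does not, `aud`, `sub` and `jti` are taken from an unverified token, which deserves a comment even in a mock. `secure_token_service` continues outside the hunk.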
@@ -0,0 +1,36 @@ +pypi/pypi/-/Jinja2/3.1.3, BSD-3-Clause, approved, #7978 +pypi/pypi/-/MarkupSafe/2.1.4, BSD-3-Clause, approved, #4753 +pypi/pypi/-/PyJWT/2.8.0, MIT, approved, clearlydefined +pypi/pypi/-/PyYAML/6.0.1, MIT, approved, clearlydefined +pypi/pypi/-/annotated-types/0.6.0, MIT, approved, clearlydefined +pypi/pypi/-/anyio/4.2.0, MIT, approved, clearlydefined +pypi/pypi/-/certifi/2023.11.17, MPL-2.0, approved, clearlydefined +pypi/pypi/-/cffi/1.16.0, MIT, approved, #13062 +pypi/pypi/-/click/8.1.7, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/cryptography/42.0.5, Apache-2.0 AND BSD-3-Clause AND Apache-2.0 AND BSD-3-Clause, approved, #13076 +pypi/pypi/-/dnspython/2.5.0, ISC, restricted, clearlydefined +pypi/pypi/-/email-validator/2.1.0.post1, CC0-1.0, approved, clearlydefined +pypi/pypi/-/exceptiongroup/1.2.0, MIT AND PSF-2.0, approved, #12076 +pypi/pypi/-/fastapi/0.109.0, MIT, restricted, clearlydefined +pypi/pypi/-/h11/0.14.0, MIT AND BSD-3-Clause, approved, #13077 +pypi/pypi/-/httpcore/1.0.2, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/httptools/0.6.1, MIT, restricted, clearlydefined +pypi/pypi/-/httpx/0.26.0, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/idna/3.6, BSD-3-Clause AND Unicode-TOU, approved, #13089 +pypi/pypi/-/itsdangerous/2.1.2, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/orjson/3.9.12, Apache-2.0 AND MIT, restricted, clearlydefined +pypi/pypi/-/pycparser/2.22, BSD-2-Clause AND BSD-3-Clause, restricted, clearlydefined +pypi/pypi/-/pydantic-extra-types/2.4.1, MIT, approved, clearlydefined +pypi/pypi/-/pydantic-settings/2.1.0, MIT, approved, clearlydefined +pypi/pypi/-/pydantic/2.5.3, MIT, approved, clearlydefined +pypi/pypi/-/pydantic_core/2.14.6, MIT, approved, clearlydefined +pypi/pypi/-/python-dotenv/1.0.1, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/python-multipart/0.0.6, Apache-2.0, approved, clearlydefined 
+pypi/pypi/-/sniffio/1.3.0, (Apache-2.0 AND BSD-3-Clause) OR (Apache-2.0 AND MIT), approved, clearlydefined +pypi/pypi/-/starlette/0.35.1, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/typing_extensions/4.9.0, Python-2.0, approved, #12088 +pypi/pypi/-/ujson/5.9.0, BSD-2-Clause, restricted, clearlydefined +pypi/pypi/-/uvicorn/0.27.0, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined +pypi/pypi/-/uvloop/0.19.0, Apache-2.0 AND MIT, restricted, clearlydefined +pypi/pypi/-/watchfiles/0.21.0, MIT, approved, clearlydefined +pypi/pypi/-/websockets/12.0, BSD-3-Clause AND (Apache-2.0 AND PSF-2.0), approved, #12086 From fdfaf8feb21083808da3ba4e9b7e52b1c06568e3 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Mon, 13 May 2024 23:24:35 -0700 Subject: [PATCH 12/19] refactor(local deployment): removed comments and made mock-util only reachable in docker --- local/docker-compose-infrastructure.yaml | 2 -- local/postgres/init-db.sql | 15 --------------- .../config/customer/data-plane.properties | 2 +- 3 files changed, 1 insertion(+), 18 deletions(-) diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 91908d4f..93053d10 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml @@ -89,8 +89,6 @@ services: - "127.0.0.1:8888:80" networks: - miw-net - extra_hosts: - - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine bdrs: image: tractusx/bdrs-server-memory:0.0.4 diff --git a/local/postgres/init-db.sql b/local/postgres/init-db.sql index 06a9e997..d3e212a8 100644 --- a/local/postgres/init-db.sql +++ b/local/postgres/init-db.sql 
@@ -28,18 +28,3 @@ CREATE DATABASE "dtr_supplier"; -- already created via docker init -- CREATE DATABASE "puris_customer"; CREATE DATABASE "puris_supplier"; - --- CREATE DATABASE "edc_customer_transferprocess"; --- --- CREATE DATABASE "edc_customer_policy_monitor"; --- CREATE DATABASE "edc_customer_bpn"; --- CREATE DATABASE "edc_customer_edrs"; --- --- --- CREATE DATABASE "edc_supplier_asset"; --- CREATE DATABASE "edc_supplier_contractdefinition"; --- CREATE DATABASE "edc_supplier_contractnegotiation"; --- CREATE DATABASE "edc_supplier_policy"; --- CREATE DATABASE "edc_supplier_transferprocess"; --- --- CREATE DATABASE "edc_supplier_policy_monitor"; diff --git a/local/tractus-x-edc/config/customer/data-plane.properties b/local/tractus-x-edc/config/customer/data-plane.properties index c6a17dfd..0ce49736 100644 --- a/local/tractus-x-edc/config/customer/data-plane.properties +++ b/local/tractus-x-edc/config/customer/data-plane.properties @@ -18,7 +18,7 @@ edc.hostname=customer-data-plane edc.vault.hashicorp.url=http://vault:8200 edc.vault.hashicorp.health.check.enabled=false edc.vault.hashicorp.token=${VAULT_DEV_ROOT_TOKEN_ID} -# EDCR exentions +# EDR exentions edc.datasource.edr.name=edr edc.datasource.edr.url=jdbc:postgresql://postgres-all:5432/edc_customer #edc.datasource.edr.user and edc.datasource.edr.password are set via .env From 4e56c84f710b8e2f70c6379a78092198727d697c Mon Sep 17 00:00:00 2001 From: --show-origin Date: Mon, 13 May 2024 23:57:14 -0700 Subject: [PATCH 13/19] refactor(generate-keys.sh): generate file seed-bdrs.sh --- local/.gitignore | 1 + local/INSTALL.md | 4 ++-- local/cleanup.sh | 1 + local/generate-keys.sh | 26 ++++++++++++++++++++++++-- local/seed-bdrs.sh | 36 ------------------------------------ 5 files changed, 28 insertions(+), 40 deletions(-) delete mode 100644 local/seed-bdrs.sh diff --git a/local/.gitignore b/local/.gitignore index e07617b5..01985a44 100644 --- a/local/.gitignore +++ b/local/.gitignore 
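Review bot: The corrected comment `# EDR exentions` still misspells the word; write `# EDR extensions`. Since the line introduces the `edc.datasource.edr.*` settings, pointing to the extension as the control-plane properties do with `# see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/common/store/sql/edr-index-sql` would keep the config files consistent.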
@@ -3,3 +3,4 @@ *.keys *.secret .env +seed-bdrs.sh diff --git a/local/INSTALL.md b/local/INSTALL.md index e12cd6e1..0a0386f4 100644 --- a/local/INSTALL.md +++ b/local/INSTALL.md @@ -62,8 +62,8 @@ customer and supplier: sh init-wallets.sh ``` -After starting the central infrastructure, initialize the bdrs-service. To do so, in file `seed-bdrs.sh` set the key -to the value of `EDC_API_PW` from `.env` file generated earlier. +After starting the central infrastructure, initialize the bdrs-service. To do so, just run the script `seed-bdrs.sh` +created during the run of script `generate-keys.sh`. ```shell sh seed-brds.sh diff --git a/local/cleanup.sh b/local/cleanup.sh index 9379d3b4..9a4fb5a2 100644 --- a/local/cleanup.sh +++ b/local/cleanup.sh @@ -25,6 +25,7 @@ docker compose -f docker-compose-infrastructure.yaml down -v docker image rm local-vault docker image rm local-mock-util-service rm .env +rm seed-bdrs.sh rm ./vault/secrets -r rm ./iam-mock/keys -r echo "Deleted .env and vault/secrets" diff --git a/local/generate-keys.sh b/local/generate-keys.sh index 26204186..0e413152 100644 --- a/local/generate-keys.sh +++ b/local/generate-keys.sh @@ -20,7 +20,8 @@ # SPDX-License-Identifier: Apache-2.0 # -# generate .key .cert (asymmetric encryption) and .keys (data encryption edc) for customer and supplier +# generate EDC PW (used for both EDC and BDRS) +EDC_API_PW=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` # create folders, if not existing mkdir -p ./vault/secrets @@ -30,7 +31,7 @@ mkdir -p ./iam-mock/keys echo "Creating .env" cat << EOF > .env VAULT_DEV_ROOT_TOKEN_ID=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` -EDC_API_PW=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` +EDC_API_PW=$EDC_API_PW PG_USER=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` PG_PW=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` VAULT_SECRETS_DIR=/vault/secrets/ 
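Review bot: The replaced header comment `# generate .key .cert (asymmetric encryption) and .keys (data encryption edc) for customer and supplier` described what the script produces, and the new `# generate EDC PW (used for both EDC and BDRS)` takes its place instead of being added below it, so the file no longer states its main purpose; keep both lines. It would also help to note next to `EDC_API_PW=` that the value is written into `.env` and, further down, into the generated `seed-bdrs.sh`, since the secret now exists in two files.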
@@ -98,6 +99,27 @@ echo "Copy private keys for supplier and customer edr refresh signing in mock ia cp $SUPPLIER_KEY ./iam-mock/keys/supplier.key cp $CUSTOMER_KEY ./iam-mock/keys/customer.key +echo "Generate seed-bdrs.sh" +cat << EOF > seed-bdrs.sh +#!/bin/bash + +KEY=$EDC_API_PW + +if [ -z "\$KEY" ]; then + echo "KEY is not set. Please specify the key (see bdrs docker compose definition). Exiting..." + exit 1 +fi + +curl -X POST -H "x-api-key: \$KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL4444444444XX", "did": "did:web:mock-util-service/customer" }' http://localhost:8581/api/management/bpn-directory | jq +echo "" + +curl -X POST -H "x-api-key: \$KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL1234567890ZZ", "did": "did:web:mock-util-service/supplier" }' http://localhost:8581/api/management/bpn-directory | jq +echo "" + +curl -X POST -H "x-api-key: \$KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL000000000000", "did": "did:web:mock-util-service/trusted-issuer" }' http://localhost:8581/api/management/bpn-directory | jq +echo "" +EOF + # let everyone access the files so that the non-root user in vault container can put them chmod -R 755 ./vault/secrets chmod -R 755 ./iam-mock/keys diff --git a/local/seed-bdrs.sh b/local/seed-bdrs.sh deleted file mode 100644 index 3777598d..00000000 --- a/local/seed-bdrs.sh +++ /dev/null 
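Review bot: `KEY=$EDC_API_PW` bakes the API key into `seed-bdrs.sh` at generation time, so the `if [ -z "\$KEY" ]` guard in the generated script can only trigger if `EDC_API_PW` was empty when `generate-keys.sh` ran, and the secret now lives in two plaintext files (`.env` and `seed-bdrs.sh`; the latter is gitignored and removed by `cleanup.sh` in this patch). Reading the value at run time keeps a single copy and gives the guard a purpose: the `.env` written above consists of plain `VAR=value` lines, so `. ./.env` followed by `KEY=\$EDC_API_PW` in the heredoc would do. The three `curl ... | jq` pipelines hide HTTP errors because `jq` gets whatever body comes back; `curl -fsS` (fail on HTTP errors, quiet, still report errors) makes a failed seeding visible.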
@@ -1,36 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2024 Volkswagen AG -# Copyright (c) 2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - -KEY= - -if [ -z "$KEY" ]; then - echo "KEY is not set. Please specify the key (see bdrs docker compose definition). Exiting..." - exit 1 -fi - -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL4444444444XX", "did": "did:web:mock-util-service/customer" }' http://localhost:8581/api/management/bpn-directory | jq -echo "" - -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL1234567890ZZ", "did": "did:web:mock-util-service/supplier" }' http://localhost:8581/api/management/bpn-directory | jq -echo "" - -curl -X POST -H "x-api-key: $KEY" -H "Content-Type: application/json" -d '{ "bpn": "BPNL000000000000", "did": "did:web:mock-util-service/trusted-issuer" }' http://localhost:8581/api/management/bpn-directory | jq -echo "" From 60fa49f8705e108b8be87c3f843fc4f148335f40 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Tue, 14 May 2024 05:11:40 -0700 Subject: [PATCH 14/19] chore(mock-util-service): updated dependencies --- docs/DEVELOPMENT.md | 55 +++++++++++++++++++++++++++++-------- local/iam-mock/DEPENDENCIES | 14 +++++----- 2 files changed, 50 insertions(+), 19 deletions(-) 
diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md index 593eeb10..b82b9f39 100644 --- a/docs/DEVELOPMENT.md +++ b/docs/DEVELOPMENT.md @@ -1,6 +1,6 @@ ## Setup development database -For local development a postgresql database is needed. The file local/docker-compose-dev-postgres.yaml provides a +For local development a postgresql database is needed. The file local/docker-compose-dev-postgres.yaml provides a postgres that can be started freshly for development: ```shell @@ -16,19 +16,23 @@ docker compose -f docker-compose-dev-postgres.yaml down _NOTE: For testing purposes HyperSql is still used but excluded for spring run._ ## Keeping dependencies-files up to date + ### Backend -Navigate to the `./backend` folder and run: +Navigate to the `./backend` folder and run: + ``` mvn org.eclipse.dash:license-tool-plugin:license-check cp DEPENDENCIES ../DEPENDENCIES_BACKEND ``` -The first line runs the maven license tool with the parameters specified in the + +The first line runs the maven license tool with the parameters specified in the `./backend/pom.xml` and produces a DEPENDENCIES file in the .`/backend` folder. -Then this file gets copied to the PURIS-project root folder under the name `DEPENDENCIES_BACKEND`. -Both files should be updated prior to any pull request. +Then this file gets copied to the PURIS-project root folder under the name `DEPENDENCIES_BACKEND`. +Both files should be updated prior to any pull request. ### Frontend + ``` # move to a persistent folder. Could also be ~/jars. mv org.eclipse.dash.licenses-1.0.2.jar ~/coding/org.eclipse.dash.licenses-1.0.2.jar 
@@ -42,22 +46,43 @@ cd frontend eclipseDashTool package-lock.json -project automotive.tractusx -summary ../DEPENDENCIES_FRONTEND ``` +### mock-util-service + +Temprorary also the mock-util-service needs to be kept up to date. First add the alias same as for frontend to your +`.bashrc` and then use the following command: + +```shell +cd local/iam-mock +cat requirements.txt | grep -v \# \ +| sed -E -e 's|([^= ]+)==([^= ]+)|pypi/pypi/-/\1/\2|' -e 's| ||g' \ +| sort | uniq \ +| eclipseDashTool -summary DEPENDENCIES - +``` + +Note: Dash action provided by eclipse-tractusx/sig-infra does not provide to opportunity for python. + ## Frontend container building workaround to use environment variables for vue ### The mechanism for docker is the following: + - `.env` has vite variables -- `.env.dockerbuild` has the vite variable that maps on an environment variable (`VITE_BACKEND_BASE_URL=$BACKEND_BASE_URL`) +- `.env.dockerbuild` has the vite variable that maps on an environment + variable (`VITE_BACKEND_BASE_URL=$BACKEND_BASE_URL`) - `src/config.json` has the environment variable names and the environment variable to substring in a json format. ### When building the container: + 1. `.env.dockerbuild` is used 2. vite / vue builds the application into a dest folder, that will be served by nginx -> Result for the .env:
VITE_BACKEND_BASE_URL won't write a variable value BUT a placeholder into the built files ($BACKEND_BASE_URL) +> Result for the .env:
VITE_BACKEND_BASE_URL won't write a variable value BUT a placeholder into the built files ( +> $BACKEND_BASE_URL) ### When building the container, there is a "start-nginx.sh" file that does the following + 1. Collects the environment variables (set for the docker container / set via helm as `BACKEND_BASE_URL`) -2. Looks-up the "to replace string" from `config.json` (e.g., for `BACKEND_BASE_URL`, it will search for `$BACKEND_BASE-URL` in the built files) +2. Looks-up the "to replace string" from `config.json` (e.g., for `BACKEND_BASE_URL`, it will search + for `$BACKEND_BASE-URL` in the built files) 3. Does the replacement in the built files 4. Starts nginx @@ -66,8 +91,9 @@ eclipseDashTool package-lock.json -project automotive.tractusx -summary ../DEPEN When changing the helm charts due to changes of e.g. environment variables, one should test locally whether the changes work. -First thing one should check is whether the templates may be resolved / substituted correctly and if your changes are +First thing one should check is whether the templates may be resolved / substituted correctly and if your changes are defaulted correctly: + ```shell cd charts/puris helm template . 
@@ -75,17 +101,20 @@ helm template . ``` Now build your images as explained in the respective install.mds. + - [backend](../backend/INSTALL.md) - [frontend](../frontend/INSTALL.md) Now you need to update your Chart.yml and values.yml: + - Chart.yml: change `appVersion` to your build tag (e.g., `dev`) - values.yml: for both frontend and backend change the image - - `repository` should be set to the image name used during docker build (e.g., `puris-backend`, `puris-frontend`) - - `pullPolicy` should be set to `Never` + - `repository` should be set to the image name used during docker build (e.g., `puris-backend`, `puris-frontend`) + - `pullPolicy` should be set to `Never` -Now depending on your runtime environment you need to load the images into it (we assume, you built puris-backend:dev +Now depending on your runtime environment you need to load the images into it (we assume, you built puris-backend:dev and (puris-frontend:dev): + ```shell # minikube minikube image load puris-backend:dev @@ -96,6 +125,7 @@ docker image ls | grep puris-backend minikube image ls --format table | grep puris-frontend docker image ls | grep puris-frontend ``` + ```shell # kind kind load puris-backend:dev @@ -108,6 +138,7 @@ docker image ls | grep puris-backend docker exec -it {container-id} crictl images | grep puris-frontend docker image ls | grep puris-frontend ``` + **ATTENTION: MAKE SURE THAT THE IMAGE ID IN YOUR KUBERNETES ENVIRONMENT IS THE SAME AS IN YOUR LOCAL DOCKER.** Else you can delete images as follows: diff --git a/local/iam-mock/DEPENDENCIES b/local/iam-mock/DEPENDENCIES index 31fbbb1e..5a8c41aa 100644 --- a/local/iam-mock/DEPENDENCIES +++ b/local/iam-mock/DEPENDENCIES 
@@ -8,18 +8,18 @@ pypi/pypi/-/certifi/2023.11.17, MPL-2.0, approved, clearlydefined pypi/pypi/-/cffi/1.16.0, MIT, approved, #13062 pypi/pypi/-/click/8.1.7, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined pypi/pypi/-/cryptography/42.0.5, Apache-2.0 AND BSD-3-Clause AND Apache-2.0 AND BSD-3-Clause, approved, #13076 -pypi/pypi/-/dnspython/2.5.0, ISC, restricted, clearlydefined +pypi/pypi/-/dnspython/2.5.0, ISC, approved, #14637 pypi/pypi/-/email-validator/2.1.0.post1, CC0-1.0, approved, clearlydefined pypi/pypi/-/exceptiongroup/1.2.0, MIT AND PSF-2.0, approved, #12076 -pypi/pypi/-/fastapi/0.109.0, MIT, restricted, clearlydefined +pypi/pypi/-/fastapi/0.109.0, MIT AND Apache-2.0, approved, #14632 pypi/pypi/-/h11/0.14.0, MIT AND BSD-3-Clause, approved, #13077 pypi/pypi/-/httpcore/1.0.2, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined -pypi/pypi/-/httptools/0.6.1, MIT, restricted, clearlydefined +pypi/pypi/-/httptools/0.6.1, MIT, approved, #14635 pypi/pypi/-/httpx/0.26.0, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined pypi/pypi/-/idna/3.6, BSD-3-Clause AND Unicode-TOU, approved, #13089 pypi/pypi/-/itsdangerous/2.1.2, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined -pypi/pypi/-/orjson/3.9.12, Apache-2.0 AND MIT, restricted, clearlydefined -pypi/pypi/-/pycparser/2.22, BSD-2-Clause AND BSD-3-Clause, restricted, clearlydefined +pypi/pypi/-/orjson/3.9.12, (Apache-2.0 OR MIT) AND Apache-2.0 AND MIT AND BSD-3-Clause AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND CC0-1.0 AND (Apache-2.0 WITH LLVM-exception) AND (Apache-2.0 OR BSL-1.0) AND BSD-2-Clause AND LicenseRef-Unicode-DFS, approved, +pypi/pypi/-/pycparser/2.22, LGPL-2.0-or-later AND BSD-3-Clause, approved, #14636 pypi/pypi/-/pydantic-extra-types/2.4.1, MIT, approved, clearlydefined pypi/pypi/-/pydantic-settings/2.1.0, MIT, approved, clearlydefined pypi/pypi/-/pydantic/2.5.3, MIT, approved, clearlydefined 
@@ -29,8 +29,8 @@ pypi/pypi/-/python-multipart/0.0.6, Apache-2.0, approved, clearlydefined pypi/pypi/-/sniffio/1.3.0, (Apache-2.0 AND BSD-3-Clause) OR (Apache-2.0 AND MIT), approved, clearlydefined pypi/pypi/-/starlette/0.35.1, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined pypi/pypi/-/typing_extensions/4.9.0, Python-2.0, approved, #12088 -pypi/pypi/-/ujson/5.9.0, BSD-2-Clause, restricted, clearlydefined +pypi/pypi/-/ujson/5.9.0, BSD-3-Clause AND TCL, approved, #14638 pypi/pypi/-/uvicorn/0.27.0, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined -pypi/pypi/-/uvloop/0.19.0, Apache-2.0 AND MIT, restricted, clearlydefined +pypi/pypi/-/uvloop/0.19.0, , approved, #14633 pypi/pypi/-/watchfiles/0.21.0, MIT, approved, clearlydefined pypi/pypi/-/websockets/12.0, BSD-3-Clause AND (Apache-2.0 AND PSF-2.0), approved, #12086 From 60c191d70018b5e8cb1e3d1c8969e2bd3f29a422 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Wed, 15 May 2024 06:58:52 -0700 Subject: [PATCH 15/19] chore: updated frontend dependencies --- DEPENDENCIES_FRONTEND | 2 +- frontend/DEPENDENCIES | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/DEPENDENCIES_FRONTEND b/DEPENDENCIES_FRONTEND index 09e994b8..cc86c023 100644 --- a/DEPENDENCIES_FRONTEND +++ b/DEPENDENCIES_FRONTEND @@ -172,7 +172,7 @@ npm/npmjs/-/path-key/3.1.1, MIT, approved, clearlydefined npm/npmjs/-/path-parse/1.0.7, MIT, approved, clearlydefined npm/npmjs/-/path-scurry/1.10.1, BlueOak-1.0.0, approved, #9370 npm/npmjs/-/path-type/4.0.0, MIT, approved, clearlydefined -npm/npmjs/-/picocolors/1.0.0, ISC, approved, clearlydefined +npm/npmjs/-/picocolors/1.0.0, ISC, approved, #14718 npm/npmjs/-/picomatch/2.3.1, MIT, approved, clearlydefined npm/npmjs/-/pify/2.3.0, MIT, approved, clearlydefined npm/npmjs/-/pirates/4.0.6, MIT, approved, #680 diff --git a/frontend/DEPENDENCIES b/frontend/DEPENDENCIES index 09e994b8..cc86c023 100644 --- a/frontend/DEPENDENCIES +++ b/frontend/DEPENDENCIES 
@@ -172,7 +172,7 @@ npm/npmjs/-/path-key/3.1.1, MIT, approved, clearlydefined
 npm/npmjs/-/path-parse/1.0.7, MIT, approved, clearlydefined
 npm/npmjs/-/path-scurry/1.10.1, BlueOak-1.0.0, approved, #9370
 npm/npmjs/-/path-type/4.0.0, MIT, approved, clearlydefined
-npm/npmjs/-/picocolors/1.0.0, ISC, approved, clearlydefined
+npm/npmjs/-/picocolors/1.0.0, ISC, approved, #14718
 npm/npmjs/-/picomatch/2.3.1, MIT, approved, clearlydefined
 npm/npmjs/-/pify/2.3.0, MIT, approved, clearlydefined
 npm/npmjs/-/pirates/4.0.6, MIT, approved, #680
From 815fd42e71ddab42e9a1a8c8ba41715e70a73489 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Wed, 15 May 2024 23:13:32 -0700
Subject: [PATCH 16/19] fix(iam-mock): corrected claims in credential flow
---
 local/iam-mock/credential_service.py | 9 +++------
 local/iam-mock/mock_util.py | 4 ++--
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/local/iam-mock/credential_service.py b/local/iam-mock/credential_service.py
index 041f49fd..25fd9ce0 100644
--- a/local/iam-mock/credential_service.py
+++ b/local/iam-mock/credential_service.py
@@ -37,7 +37,7 @@ def create_jwt_vc(did_issuer: str, did_subject: str, did_audience: str, bpnl_sub
 "nbf": 1541493724,
 "iat": 1541493724,
 "exp": 32481718133,
- "vc": create_verifiable_credential(did_issuer=did_issuer, did_subject=did_subject, bpnl_subject=bpnl_subject, scope=scope, self_iatp_flag=self_iatp_flag),
+ "vc": create_verifiable_credential(did_issuer=did_issuer, did_subject=did_subject, bpnl_subject=bpnl_subject, scope=scope),
 }
 return create_token_from_payload(payload, did_issuer)
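Review bot: The `exp` claim two lines above the changed `vc` entry is the fixed value 32481718133 (a date around the year 2999) while `nbf` and `iat` are a fixed 2018 timestamp, so every VC this mock issues is effectively non-expiring and never "not yet valid"; that is acceptable for local/iam-mock but should be stated next to the payload so the block is not copied into anything that faces a real verifier, e.g. `# mock only: fixed, never-expiring validity window; a real issuer derives exp from iat`. If `create_jwt_vc` still declares the `self_iatp_flag` parameter that the removed keyword argument forwarded (its signature is truncated in the hunk header, so I cannot confirm this), that parameter is now dead and should be dropped from the signature and its callers in the same change. create_jwt_vc begins outside the hunk.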
@@ -45,11 +45,8 @@ def create_jwt_vc(did_issuer: str, did_subject: str, did_audience: str, bpnl_sub
 """
 creates a plain VC (no jwt) for a given scope
-
-For self-IATP case the subject will be the issuer / id of the credentialSubject
 """
-def create_verifiable_credential(did_issuer: str, did_subject: str, bpnl_subject: str, scope: str, self_iatp_flag: bool):
- credential_subject_did = did_subject if self_iatp_flag else did_issuer
+def create_verifiable_credential(did_issuer: str, did_subject: str, bpnl_subject: str, scope: str):
 needs_version = False if scope.startswith("Membership") else True
@@ -70,7 +67,7 @@ def create_verifiable_credential(did_issuer: str, did_subject: str, bpnl_subject
 scope
 ],
 "credentialSubject": {
- "id": credential_subject_did,
+ "id": did_subject,
 "holderIdentifier": bpnl_subject
 },
 }
diff --git a/local/iam-mock/mock_util.py b/local/iam-mock/mock_util.py
index 5355a140..f7a8e48b 100644
--- a/local/iam-mock/mock_util.py
+++ b/local/iam-mock/mock_util.py
@@ -93,9 +93,9 @@ async def secure_token_service(request: Request):
 print(f"Identified matching token (decoded) {decoded_token}")
 id_token_map.pop(token_id)
- # common reqeust: issued by trusted issuer
+ # common request: issued by trusted issuer
 claims = {
- "iss": DID_TRUSTED_ISSUER,
+ "iss": decoded_token["iss"],
 "sub": decoded_token["sub"],
 "aud": decoded_token["aud"]
 }
From b268dd728255de12f15698916b7d80d9a921a75f Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Wed, 15 May 2024 23:15:10 -0700
Subject: [PATCH 17/19] fix(local/docker-compose.yaml): corrected version of dtr-supplier (merge issue)
---
 local/docker-compose-infrastructure.yaml | 1 -
 local/docker-compose.yaml | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml
index 93053d10..5a1766f5 100644
--- a/local/docker-compose-infrastructure.yaml
+++ b/local/docker-compose-infrastructure.yaml
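Review bot: The triple-quoted description that this hunk trims still sits above `def create_verifiable_credential(...)` rather than as the first statement inside it, so it is a bare module-level string expression and not the function's docstring; `help()` and `__doc__` see nothing, and the removal of the self-IATP sentence leaves the new contract (credentialSubject.id is always the subject) undocumented. Move it into the body and state the contract there, e.g. `"""Create a plain (non-JWT) VC for the given scope; credentialSubject.id is always did_subject."""`. With `credential_subject_did` gone, check that `did_issuer` is still read in the rest of the body, which continues outside the hunk; if it is not, it is now an unused parameter.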
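Review bot: In the mock_util.py hunk, `"iss": decoded_token["iss"]` raises KeyError when the presented token carries no `iss` claim, and it moves the issuer of the newly minted claims from the fixed `DID_TRUSTED_ISSUER` to whatever the incoming token says, which is only sound if that token's signature was verified before `decoded_token` was built (that happens outside the hunk, so I cannot confirm it from here). The retained comment `# common request: issued by trusted issuer` now contradicts the code; replace it with something like `# echo the presented token's issuer so the STS response is bound to the same identity (token is verified before this point)`, adjusted to what the decode path actually guarantees. Read the claim with `decoded_token.get("iss")` and reject the request explicitly when it is missing, as the `sub`/`aud` lookups on the next lines would also benefit from. secure_token_service begins outside the hunk.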
@@ -104,7 +104,6 @@ services:
 - "127.0.0.1:8582:8582"
 networks:
 - miw-net
- # TODO check cacerts need in deployment.yaml
 networks:
 miw-net:
 name: miw-net
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index a803098e..2ac735a4 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -83,7 +83,7 @@ services:
 postgres-all:
 condition: service_healthy
 healthcheck:
- test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3/shell-descriptors" ]
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3/shell-descriptors"]
 interval: 4s
 timeout: 3s
 retries: 15
@@ -227,13 +227,13 @@ services:
 - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine
 dtr-supplier:
- image: tractusx/sldt-digital-twin-registry:0.3.23
+ image: tractusx/sldt-digital-twin-registry:0.4.3
 container_name: dtr-supplier
 depends_on:
 postgres-all:
 condition: service_healthy
 healthcheck:
- test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3/shell-descriptors" ]
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3/shell-descriptors"]
 interval: 4s
 timeout: 3s
 retries: 15
From 7f42181076e90fce19441511986c804882683f83 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Wed, 15 May 2024 23:16:11 -0700
Subject: [PATCH 18/19] chore(tractus-x-edc/docker-compose.yaml): bump version to 0.7.1
---
 local/tractus-x-edc/docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/local/tractus-x-edc/docker-compose.yaml b/local/tractus-x-edc/docker-compose.yaml
index afb927c3..9f95a37a 100644
--- a/local/tractus-x-edc/docker-compose.yaml
+++ b/local/tractus-x-edc/docker-compose.yaml
@@ -21,13 +21,13 @@ version: "3"
 services:
 control-plane:
- image: tractusx/edc-controlplane-postgresql-hashicorp-vault:0.7.0
+ image: tractusx/edc-controlplane-postgresql-hashicorp-vault:0.7.1
 volumes:
 - ./config/default/opentelemetry.properties:/app/opentelemetry.properties
 - ./config/default/logging.properties:/app/logging.properties
 data-plane:
- image: tractusx/edc-dataplane-hashicorp-vault:0.7.0
+ image: tractusx/edc-dataplane-hashicorp-vault:0.7.1
 volumes:
 - ./config/default/opentelemetry.properties:/app/opentelemetry.properties
 - ./config/default/logging.properties:/app/logging.properties
From ec0b456d754345a2e713213b4c2ecf91dd0e64c9 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Tue, 21 May 2024 01:15:50 -0700
Subject: [PATCH 19/19] chore: remove unused edc compose and notes during migration
---
 local/MIGRATION_NOTES.md | 188 ----------------------------------
 local/docker-compose-edc.yaml | 139 -------------------------
 2 files changed, 327 deletions(-)
 delete mode 100644 local/MIGRATION_NOTES.md
 delete mode 100644 local/docker-compose-edc.yaml
diff --git a/local/MIGRATION_NOTES.md b/local/MIGRATION_NOTES.md
deleted file mode 100644
index 50efb47e..00000000
--- a/local/MIGRATION_NOTES.md
+++ /dev/null
@@ -1,188 +0,0 @@ -# Policy Definition -> still in alignment - -Old - -```json -{ - "@context": { - "@vocab": "https://w3id.org/edc/v0.0.1/ns/", - "odrl": "http://www.w3.org/ns/odrl/2/" - }, - "@type": "PolicyDefinitionRequestDto", - "@id": "{{POLICY_ID}}", - "policy": { - "@type": "Policy", - "odrl:permission": [ - { - "odrl:action": "USE", - "odrl:constraint": { - "@type": "LogicalConstraint", - "odrl:or": [ - { - "@type": "Constraint", - "odrl:leftOperand": "BusinessPartnerNumber", - "odrl:operator": { - "@id": "odrl:eq" - }, - "odrl:rightOperand": "{{SUPPLIER_BPNL}}" - } - ] - } - } - ] - } -} -``` - -error - -```json -[ - { - "message": "https://w3id.org/edc/v0.0.1/ns/policy/@type was expected to be http://www.w3.org/ns/odrl/2/Set but it was not", - "type": "ValidationFailure", - "path": "https://w3id.org/edc/v0.0.1/ns/policy/@type", - "invalidValue": [ - "https://w3id.org/edc/v0.0.1/ns/Policy" - ] - } -] -``` - -policy.@type = "odrl:Set" - -Catalog Request needs `counterPartyId` - -# bdrs - -Calls needed: - -- management -> create bpn directory -- BPN-Directory -> map of bpn and did reachable - -The EDC needs to self-IATP to get a `MembershipCredential` to use the BDRS - -DIDs are build following JsonWebKey2020 -DID-ID like did:web:name-to-use - -Credential Service -mock: https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImplComponentTest.java - -Update Cache -> why does it need a bearer token with the membershipCredToken sent to /bpn-directory? 
-https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/main/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImpl.java#L92 - -Dids seem to -be [dependent on the hosting companies' url](https://github.com/eclipse-tractusx/identity-trust/blob/main/specifications/tx.dataspace.topology.md) - -Seems like: - -- MIW / DIM are credential services -- Portal + DIM are issuer services - -A client uses a token during a request, to grant access to specific resources - -- verifier uses it to request the vp -- the CS endpoint is resolved using bdrs -- **What's the bearer access scope** - -access scopes - -- org.eclipse.tractusx.vc.type:Member:read -- org.eclipse.tractusx.vc.id:uuid:read -> give access to verifieable credential by id - -Endoints: - -- POST presentations/query - - uses OAuth2 scopes that need to be mapped to presentation definition -- storage api credentials - -https://github.com/eclipse-edc/Connector/blob/4fd16b8e34d685239ea40fc3d8e9b02cc8ccf323/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java#L54 - -- a key is somehow resolved. This may be from the did.json - -Following -this [test](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-extensions/bdrs-client/src/test/java/org/eclipse/tractusx/edc/identity/mapper/BdrsClientImplComponentTest.java), - -- the VC is signed by the issuer -- the VP is signed by the holder - -Following Tractus-X Connector Setup - -- DIM = your wallet that already contains VCs -> encapsulated STS and CS -- Credential Service = get your own VP to hand over. 
(something like the miw) -- SecureTokenService = get auth for something and then request presentation - -# Updates EDR - -edr callback payload - -```json -{ - "id": "3099e0f1-e255-4a00-8a8b-8ec5c16e8758", - "at": 1714325393313, - "payload": { - "transferProcessId": "07231854-112b-45bb-957b-4fb01dc2718f", - "callbackAddresses": [ - { - "uri": "http://mock-util-service:80/edr-log", - "events": [ - "transfer.process.started" - ], - "transactional": false, - "authKey": "None", - "authCodeId": "None" - } - ], - "assetId": "ASSET_1", - "type": "CONSUMER", - "contractId": "54dd6fe4-7a4e-4de6-b7b8-2f131fc99f79", - "dataAddress": { - "properties": { - "process_id": "6570b7a5-7df9-42be-9fd7-80f200427fc3", - "participant_id": "BPNL1234567890ZZ", - "asset_id": "ASSET_1", - "https://w3id.org/edc/v0.0.1/ns/endpointType": "https://w3id.org/idsa/v4.1/HTTP", - "https://w3id.org/tractusx/auth/refreshEndpoint": "http://customer-data-plane:8285/api/public", - "https://w3id.org/tractusx/auth/audience": "did:web:mock-util-service/supplier", - "agreement_id": "54dd6fe4-7a4e-4de6-b7b8-2f131fc99f79", - "flow_type": "PULL", - "https://w3id.org/edc/v0.0.1/ns/type": "https://w3id.org/idsa/v4.1/HTTP", - "https://w3id.org/edc/v0.0.1/ns/endpoint": "http://customer-data-plane:8285/api/public", - "https://w3id.org/tractusx/auth/refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", - "https://w3id.org/tractusx/auth/expiresIn": "300", - "https://w3id.org/edc/v0.0.1/ns/authorization": 
"eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", - "https://w3id.org/tractusx/auth/refreshAudience": "did:web:mock-util-service/supplier" - } - } - }, - "type": "TransferProcessStarted" -} -``` - -Get against EDR API after Transfer Process: -`{{SUPPLIER_EDC}}/{{MANAGEMENT_PATH}}/v2/transferprocesses/{{TRANSFER_PROCESS_ID}}` -Will be loaded lazily - -```json -{ - "@type": "DataAddress", - "endpointType": "https://w3id.org/idsa/v4.1/HTTP", - "tx-auth:refreshEndpoint": "http://customer-data-plane:8285/api/public", - "tx-auth:audience": "did:web:mock-util-service/supplier", - "type": "https://w3id.org/idsa/v4.1/HTTP", - "endpoint": "http://customer-data-plane:8285/api/public", - "tx-auth:refreshToken": "eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMGY2YzM4NjItOGYxZS00YzU1LWIwMzEtNGMzM2NhZWIxMzY5In0.L_r5a_hZY3aFYw4SYOoV_Ct5yWuDJBRwPeujAPKv8aPVB_buRZHDPwwnrlYAIWa4j4QIiKjmMMFQN7NUi56tIYr3An3KGwfycekCAS5CSMMAx7x6In5JTRPyyBEi897gjXYGHDlfFa_j7G5bG4__InwDt5HF_2_BKTrPMGEEGL62pAm2cm9qfZJCNJx2R6tnkSymlR0E6Dju2FsCWiOIbYlPP6JHjDkU9aKRIv6l_n0HodRUELBLKBGi565O5zwkec9sNxYdv4mTwskU4IMOvGJPNgHE3QKpzyPCIl7CzVJICCaMszl698rAp9BYP0tokUNj8yNAKbR5ZutYFnAwSA", - "tx-auth:expiresIn": "300", - // use Header Authorization - "authorization": 
"eyJraWQiOiJjdXN0b21lci1jZXJ0IiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJCUE5MNDQ0NDQ0NDQ0NFhYIiwiYXVkIjoiQlBOTDEyMzQ1Njc4OTBaWiIsInN1YiI6IkJQTkw0NDQ0NDQ0NDQ0WFgiLCJleHAiOjE3MTQzMjU2OTMsImlhdCI6MTcxNDMyNTM5MywianRpIjoiMzMwMjhjZDEtMTVlZC00Njk1LWE0NjMtNDc2MTJlNmZhNDk5In0.AP8BY0gjnKFxeswCPRaalKPD-nyLtXqe8hpEQH_CcWoN48KLXLJzgyQXo04WtcCPe7QBU0dyOd9UBi71tmxPNNACLRg_HZVmAFfRZWSkCY9pr-sreChP0EJcTT7AXgHnBIT0mKZbcQ_8b8g9BI-nS43eAd52I_WAg6oTK5hvyMOha7H-HvPeyNDGPA5QQ2RKuf3JKEw-26RALZdgkLz0VDjHd9CMDJJC0nvkbzP928LvzmLs8r-e1YFJwFtZ-ipVlxb7OiFrg7UeAwwb46spi2epMj3Px1QLXrd-Fd9skV2Iw8PugPIUFm5ehyK2d5mQYB4waAm5kEmgVVLLvwVX8A", - "tx-auth:refreshAudience": "did:web:mock-util-service/supplier", - "@context": { - "@vocab": "https://w3id.org/edc/v0.0.1/ns/", - "edc": "https://w3id.org/edc/v0.0.1/ns/", - "tx": "https://w3id.org/tractusx/v0.0.1/ns/", - "tx-auth": "https://w3id.org/tractusx/auth/", - "cx-policy": "https://w3id.org/catenax/policy/", - "odrl": "http://www.w3.org/ns/odrl/2/" - } -} -``` diff --git a/local/docker-compose-edc.yaml b/local/docker-compose-edc.yaml deleted file mode 100644 index 348a074e..00000000 --- a/local/docker-compose-edc.yaml +++ /dev/null 
@@ -1,139 +0,0 @@
-#
-# Copyright (c) 2023, 2024 Volkswagen AG
-# Copyright (c) 2023, 2024 Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V. (represented by Fraunhofer ISST)
-# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
-#
-# See the NOTICE file(s) distributed with this work for additional
-# information regarding copyright ownership.
-#
-# This program and the accompanying materials are made available under the
-# terms of the Apache License, Version 2.0 which is available at
-# https://www.apache.org/licenses/LICENSE-2.0.
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-version: "3"
-services:
-
- postgres-all:
- image: postgres:15.4-alpine
- container_name: postgres-all
- environment:
- POSTGRES_DB: edc
- POSTGRES_USER: ${PG_USER}
- POSTGRES_PASSWORD: ${PG_PW}
- ports:
- - "127.0.0.1:5433:5432"
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -d edc -U ${PG_USER}"]
- interval: 4s
- timeout: 3s
- retries: 15
- networks:
- - miw-net
- deploy:
- resources:
- limits:
- memory: 512mb
- cpus: "0.5"
- security_opt:
- - no-new-privileges:true
- volumes:
- - ./postgres/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql
-
- edc-customer-control-plane:
- depends_on:
- postgres-all:
- condition: service_healthy
- # restart: on-failure
- extends:
- file: ./tractus-x-edc/docker-compose.yaml
- service: control-plane
- container_name: customer-control-plane
- env_file:
- - ./tractus-x-edc/config/customer/control-plane.properties
- ports:
- - "127.0.0.1:8180:8180"
- - "127.0.0.1:8181:8181"
- - "127.0.0.1:8182:8182"
- - "127.0.0.1:8183:8183"
- - "127.0.0.1:8184:8184"
- networks:
- - miw-net
- extra_hosts:
- - 
"host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - - edc-customer-data-plane: - depends_on: - postgres-all: - condition: service_healthy - restart: on-failure - extends: - file: ./tractus-x-edc/docker-compose.yaml - service: data-plane - container_name: customer-data-plane - ports: - - "127.0.0.1:8280:8280" - - "127.0.0.1:8283:8283" - - "127.0.0.1:8285:8285" - - "127.0.0.1:8299:8299" - env_file: - - ./tractus-x-edc/config/customer/data-plane.properties - networks: - - miw-net - extra_hosts: - - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - - edc-supplier-control-plane: - depends_on: - postgres-all: - condition: service_healthy - # restart: on-failure - extends: - file: ./tractus-x-edc/docker-compose.yaml - service: control-plane - container_name: supplier-control-plane - ports: - - "127.0.0.1:9180:9180" - - "127.0.0.1:9181:9181" - - "127.0.0.1:9182:9182" - - "127.0.0.1:9183:9183" - - "127.0.0.1:9184:9184" - - "127.0.0.1:1044:1044" - env_file: - - ./tractus-x-edc/config/supplier/control-plane.properties - networks: - - miw-net - extra_hosts: - - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - - edc-supplier-data-plane: - depends_on: - postgres-all: - condition: service_healthy - restart: on-failure - extends: - file: ./tractus-x-edc/docker-compose.yaml - service: data-plane - container_name: supplier-data-plane - ports: - - "127.0.0.1:9280:9280" - - "127.0.0.1:9283:9283" - - "127.0.0.1:9285:9285" - - "127.0.0.1:9299:9299" - env_file: - - ./tractus-x-edc/config/supplier/data-plane.properties - networks: - - miw-net - extra_hosts: - - "host.docker.internal:host-gateway" # Adjusts container's host file to allow for communication with docker-host machine - -networks: - miw-net: - external: true