feat(Ssi): add credential issuer and credential subject id validation…

… rules
eclipse-tractusx · Jul 3, 2023 · 33c76d1 · 33c76d1
1 parent 7819b9d
commit 33c76d1
Show file tree

Hide file tree

Showing 36 changed files with 811 additions and 135 deletions.
diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
@@ -33,6 +33,7 @@ This chart is intended for use with an _existing_ PostgreSQL database and an _ex
 Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart:
 - `controlplane.ssi.miw.url`: the URL
 - `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority
+- `controlplane.ssi.miw.authorityIssuer`: the DID URL of the issuer authority
 - `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained
 - `controlplane.ssi.oauth.client.id`: client ID for KeyCloak
 - `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`.
@@ -162,6 +163,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.service.annotations | object | `{}` |  |
 | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
 | controlplane.ssi.miw.authorityId | string | `""` |  |
+| controlplane.ssi.miw.authorityIssuer | string | `""` |  |
 | controlplane.ssi.miw.url | string | `""` |  |
 | controlplane.ssi.oauth.client.id | string | `""` |  |
 | controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` |  |

diff --git a/charts/tractusx-connector-azure-vault/README.md.gotmpl b/charts/tractusx-connector-azure-vault/README.md.gotmpl
@@ -33,6 +33,7 @@
 Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart:
 - `controlplane.ssi.miw.url`: the URL
 - `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority
+- `controlplane.ssi.miw.authorityIssuer`: the DID URL of the issuer authority
 - `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained
 - `controlplane.ssi.oauth.client.id`: client ID for KeyCloak
 - `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`.

diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -122,6 +122,8 @@ spec:
               value: {{ .Values.controlplane.ssi.miw.url }}
             - name: "TX_SSI_MIW_AUTHORITY_ID"
               value: {{ .Values.controlplane.ssi.miw.authorityId }}
+            - name: "TX_SSI_MIW_AUTHORITY_ISSUER"
+              value: {{ .Values.controlplane.ssi.miw.authorityIssuer }}
             - name: "TX_SSI_OAUTH_TOKEN_URL"
               value: {{ .Values.controlplane.ssi.oauth.tokenurl }}
             - name: "TX_SSI_OAUTH_CLIENT_ID"

diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml
@@ -127,6 +127,7 @@ controlplane:
     miw:
       url: ""
       authorityId: ""
+      authorityIssuer: ""
     oauth:
       tokenurl: ""
       client:

diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md
@@ -159,6 +159,7 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.5.0-r
 | runtime.service.annotations | object | `{}` |  |
 | runtime.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
 | runtime.ssi.miw.authorityId | string | `""` |  |
+| runtime.ssi.miw.authorityIssuer | string | `""` |  |
 | runtime.ssi.miw.url | string | `""` |  |
 | runtime.ssi.oauth.client.id | string | `""` |  |
 | runtime.ssi.oauth.client.secretAlias | string | `"client-secret"` |  |

diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
@@ -122,6 +122,8 @@ spec:
               value: {{ .Values.runtime.ssi.miw.url }}
             - name: "TX_SSI_MIW_AUTHORITY_ID"
               value: {{ .Values.runtime.ssi.miw.authorityId }}
+            - name: "TX_SSI_MIW_AUTHORITY_ISSUER"
+              value: {{ .Values.runtime.ssi.miw.authorityIssuer }}
             - name: "TX_SSI_OAUTH_TOKEN_URL"
               value: {{ .Values.runtime.ssi.oauth.tokenurl }}
             - name: "TX_SSI_OAUTH_CLIENT_ID"

diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
@@ -125,6 +125,7 @@ runtime:
     miw:
       url: ""
       authorityId: ""
+      authorityIssuer: ""
     oauth:
       tokenurl: ""
       client:

diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md
@@ -30,6 +30,7 @@ This chart is intended for use with an _existing_ PostgreSQL database and an _ex
 Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart:
 - `controlplane.ssi.miw.url`: the URL
 - `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority
+- `controlplane.ssi.miw.authorityIssuer`: the DID URL of the issuer authority
 - `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained
 - `controlplane.ssi.oauth.client.id`: client ID for KeyCloak
 - `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`.
@@ -156,6 +157,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.5.0-rc3 \
 | controlplane.service.annotations | object | `{}` |  |
 | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
 | controlplane.ssi.miw.authorityId | string | `""` |  |
+| controlplane.ssi.miw.authorityIssuer | string | `""` |  |
 | controlplane.ssi.miw.url | string | `""` |  |
 | controlplane.ssi.oauth.client.id | string | `""` |  |
 | controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` |  |

diff --git a/charts/tractusx-connector/README.md.gotmpl b/charts/tractusx-connector/README.md.gotmpl
@@ -30,6 +30,7 @@
 Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart:
 - `controlplane.ssi.miw.url`: the URL
 - `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority
+- `controlplane.ssi.miw.authorityIssuer`: the DID URL of the issuer authority
 - `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained
 - `controlplane.ssi.oauth.client.id`: client ID for KeyCloak
 - `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`.

diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml
@@ -122,6 +122,8 @@ spec:
               value: {{ .Values.controlplane.ssi.miw.url }}
             - name: "TX_SSI_MIW_AUTHORITY_ID"
               value: {{ .Values.controlplane.ssi.miw.authorityId }}
+            - name: "TX_SSI_MIW_AUTHORITY_ISSUER"
+              value: {{ .Values.controlplane.ssi.miw.authorityIssuer }}
             - name: "TX_SSI_OAUTH_TOKEN_URL"
               value: {{ .Values.controlplane.ssi.oauth.tokenurl }}
             - name: "TX_SSI_OAUTH_CLIENT_ID"

diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
@@ -128,6 +128,7 @@ controlplane:
     miw:
       url: ""
       authorityId: ""
+      authorityIssuer: ""
     oauth:
       tokenurl: ""
       client:

diff --git a/docs/samples/example-dataspace/plato-values.yaml b/docs/samples/example-dataspace/plato-values.yaml
@@ -44,6 +44,7 @@ controlplane:
       miw:
         url: ""
         authorityId: ""
+        authorityIssuer: ""
       oauth:
         tokenurl: ""
         client:

diff --git a/docs/samples/example-dataspace/sokrates-values.yaml b/docs/samples/example-dataspace/sokrates-values.yaml
@@ -43,6 +43,7 @@ controlplane:
     miw:
       url: ""
       authorityId: ""
+      authorityIssuer: ""
     oauth:
       tokenurl: ""
       client:

diff --git a/.../org/eclipse/tractusx/edc/iam/ssi/identity/extractor/CredentialIdentityExtractorTest.java b/.../org/eclipse/tractusx/edc/iam/ssi/identity/extractor/CredentialIdentityExtractorTest.java
@@ -26,14 +26,14 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.eclipse.edc.spi.agent.ParticipantAgent.PARTICIPANT_IDENTITY;
-import static org.eclipse.tractusx.edc.iam.ssi.identity.extractor.fixtures.Credentials.SIMPLE_VP;
-import static org.eclipse.tractusx.edc.iam.ssi.identity.extractor.fixtures.Credentials.SUMMARY_VP_NO_HOLDER;
-import static org.eclipse.tractusx.edc.iam.ssi.identity.extractor.fixtures.Credentials.SUMMARY_VP_NO_SUBJECT;
 import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.CredentialsNamespaces.CX_SUMMARY_NS_V1;
 import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.CredentialsNamespaces.VP_PROPERTY;
 import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.JsonLdTextFixtures.createObjectMapper;
 import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.JsonLdTextFixtures.expand;
+import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.SummaryCredential.SIMPLE_VP;
 import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.SummaryCredential.SUMMARY_VP;
+import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.SummaryCredential.SUMMARY_VP_NO_HOLDER;
+import static org.eclipse.tractusx.edc.iam.ssi.spi.jsonld.SummaryCredential.SUMMARY_VP_NO_SUBJECT;
 
 public class CredentialIdentityExtractorTest {
 

diff --git a/...c/test/java/org/eclipse/tractusx/edc/iam/ssi/identity/extractor/fixtures/Credentials.java b/...c/test/java/org/eclipse/tractusx/edc/iam/ssi/identity/extractor/fixtures/Credentials.java
diff --git a/edc-extensions/ssi/ssi-miw-credential-client/build.gradle.kts b/edc-extensions/ssi/ssi-miw-credential-client/build.gradle.kts
@@ -27,5 +27,6 @@ dependencies {
     implementation(libs.jakartaJson)
     implementation(libs.nimbus.jwt)
 
+    testImplementation(testFixtures(project(":spi:ssi-spi")))
     testImplementation(testFixtures(libs.edc.junit))
 }
diff --git a/...l-client/src/main/java/org/eclipse/tractusx/edc/iam/ssi/miw/SsiMiwApiClientExtension.java b/...l-client/src/main/java/org/eclipse/tractusx/edc/iam/ssi/miw/SsiMiwApiClientExtension.java
@@ -17,14 +17,14 @@
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Provider;
-import org.eclipse.edc.runtime.metamodel.annotation.Setting;
 import org.eclipse.edc.spi.http.EdcHttpClient;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
 import org.eclipse.edc.spi.types.TypeManager;
 import org.eclipse.tractusx.edc.iam.ssi.miw.api.MiwApiClient;
 import org.eclipse.tractusx.edc.iam.ssi.miw.api.MiwApiClientImpl;
+import org.eclipse.tractusx.edc.iam.ssi.miw.config.SsiMiwConfiguration;
 import org.eclipse.tractusx.edc.iam.ssi.miw.oauth2.MiwOauth2Client;
 
 
@@ -33,12 +33,6 @@ public class SsiMiwApiClientExtension implements ServiceExtension {
 
     public static final String EXTENSION_NAME = "SSI MIW Api Client";
 
-    @Setting(value = "MIW API base url")
-    public static final String MIW_BASE_URL = "tx.ssi.miw.url";
-
-    @Setting(value = "MIW Authority ID")
-    public static final String MIW_AUTHORITY_ID = "tx.ssi.miw.authority.id";
-
     @Inject
     private MiwOauth2Client oauth2Client;
 
@@ -51,18 +45,17 @@ public class SsiMiwApiClientExtension implements ServiceExtension {
     @Inject
     private Monitor monitor;
 
+    @Inject
+    private SsiMiwConfiguration miwConfiguration;
+
     @Override
     public String name() {
         return EXTENSION_NAME;
     }
 
     @Provider
     public MiwApiClient apiClient(ServiceExtensionContext context) {
-        var baseUrl = context.getConfig().getString(MIW_BASE_URL);
-        var authorityId = context.getConfig().getString(MIW_AUTHORITY_ID);
-
-
-        return new MiwApiClientImpl(httpClient, baseUrl, oauth2Client, context.getParticipantId(), authorityId, typeManager.getMapper(), monitor);
+        return new MiwApiClientImpl(httpClient, miwConfiguration.getUrl(), oauth2Client, context.getParticipantId(), miwConfiguration.getAuthorityId(), typeManager.getMapper(), monitor);
     }
 
 }
diff --git a/...ient/src/main/java/org/eclipse/tractusx/edc/iam/ssi/miw/SsiMiwConfigurationExtension.java b/...ient/src/main/java/org/eclipse/tractusx/edc/iam/ssi/miw/SsiMiwConfigurationExtension.java
@@ -0,0 +1,63 @@
+/*
+ *  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.tractusx.edc.iam.ssi.miw;
+
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Provider;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.tractusx.edc.iam.ssi.miw.config.SsiMiwConfiguration;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+import static java.lang.String.format;
+
+
+@Extension(SsiMiwConfigurationExtension.EXTENSION_NAME)
+public class SsiMiwConfigurationExtension implements ServiceExtension {
+
+
+    @Setting(value = "MIW API base url")
+    public static final String MIW_BASE_URL = "tx.ssi.miw.url";
+    @Setting(value = "MIW Authority ID")
+    public static final String MIW_AUTHORITY_ID = "tx.ssi.miw.authority.id";
+    @Setting(value = "MIW Authority Issuer")
+    public static final String MIW_AUTHORITY_ISSUER = "tx.ssi.miw.authority.issuer";
+    public static final String AUTHORITY_ID_TEMPLATE = "did:web:%s:%s";
+    protected static final String EXTENSION_NAME = "SSI Miw configuration extension";
+
+    @Provider
+    public SsiMiwConfiguration miwConfiguration(ServiceExtensionContext context) {
+        var baseUrl = context.getConfig().getString(MIW_BASE_URL);
+        var authorityId = context.getConfig().getString(MIW_AUTHORITY_ID);
+        var authorityIssuer = authorityIssuer(context, baseUrl, authorityId);
+
+        return SsiMiwConfiguration.Builder.newInstance()
+                .url(baseUrl)
+                .authorityId(authorityId)
+                .authorityIssuer(authorityIssuer)
+                .build();
+    }
+
+
+    private String authorityIssuer(ServiceExtensionContext context, String baseUrl, String authorityId) {
+        var uri = URI.create(baseUrl);
+        var defaultAuthorityIssuer = format(AUTHORITY_ID_TEMPLATE, URLEncoder.encode(uri.getAuthority(), StandardCharsets.UTF_8), authorityId);
+        return context.getConfig().getString(MIW_AUTHORITY_ISSUER, defaultAuthorityIssuer);
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -127,6 +127,7 @@ controlplane: @@
         miw:
           url: ""
           authorityId: ""
+          authorityIssuer: ""
         oauth:
           tokenurl: ""
           client:
@@ Expand Down @@