feat(test): add integration tests for MIW

.github/workflows/verify.yaml

@@ -187,7 +187,7 @@ jobs:
       - name: Run Postgresql E2E tests
         run: ./gradlew test -DincludeTags="PostgresqlIntegrationTest"
 
-  ssi-integration-tests:
+  miw-integration-tests:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: [ verify-formatting, verify-license-headers ]
@@ -199,7 +199,30 @@ jobs:
       - uses: actions/checkout@v2
       - name: Starting MIW, Keycloak and Postgres Servers
         run: |
-          docker compose -f edc-tests/e2e-tests/src/test/resources/docker-compose.yml up -d 
+          cd edc-tests/miw-tests/src/test/resources/docker-environment
+          docker compose up --wait
 
-      - name: Run MIW E2E tests
-        run: ./gradlew test -DincludeTags="MiwIntegrationTest"
+      - uses: nick-fields/retry@v2
+        name: Wait for MIW
+        with:
+          timeout_minutes: 5
+          max_attempts: 3
+          command: |
+            code=$(curl -IL -sw "%{http_code}" http://localhost:8000/api/actuator/health -o /dev/null)
+            if [ "$code" -ne "401" ]; then
+              echo "MIW not ready yet, status = $code"
+              exit 1;
+            fi
+
+      - name: Seed test data
+        run: |
+          docker exec docker-environment-postgres-1 /opt/seed.sh
+
+      - name: Run MIW Integration tests
+        run: | 
+          ./gradlew -p edc-tests/miw-tests test -DincludeTags="MiwIntegrationTest" -PverboseTest=true
+      - name: Run SSI E2E tests
+        run: |
+          pwd
+          ./gradlew compileJava compileTestJava
+          ./gradlew -p edc-tests/e2e-tests test -DincludeTags="MiwIntegrationTest" -PverboseTest=true

.gitignore

@@ -109,3 +109,5 @@ buildNumber.properties
 ### Helm
 **/*.lock
 **/*.tgz
+
+edc-tests/miw-tests/src/test/resources/docker-environment/postgres_data/

edc-tests/e2e-tests/build.gradle.kts

@@ -44,6 +44,7 @@ dependencies {
     testCompileOnly(project(":edc-tests:runtime:runtime-memory"))
     testCompileOnly(project(":edc-tests:runtime:runtime-memory-ssi"))
     testCompileOnly(project(":edc-tests:runtime:runtime-postgresql"))
+    testImplementation(libs.edc.auth.oauth2.client)
 }
 
 // do not publish

edc-tests/e2e-tests/src/test/java/org/eclipse/tractusx/edc/tests/catalog/MiwSsiCatalogTest.java

@@ -37,8 +37,8 @@
 public class MiwSsiCatalogTest {
 
     protected static final Participant SOKRATES = new Participant(SOKRATES_NAME, SOKRATES_BPN, sokratesConfiguration());
-    static final String MIW_SOKRATES_URL = "http://localhost:8080";
-    static final String OAUTH_TOKEN_URL = "http://localhost:8081/realms/miw_test/protocol/openid-connect/token";
+    static final String MIW_SOKRATES_URL = "http://localhost:8000";
+    static final String OAUTH_TOKEN_URL = "http://localhost:8080/realms/miw_test/protocol/openid-connect/token";
 
     @RegisterExtension
     protected static final ParticipantRuntime SOKRATES_RUNTIME = new ParticipantRuntime(
@@ -56,7 +56,7 @@ public static Map<String, String> sokratesSsiMiwConfiguration() {
                 put("tx.ssi.oauth.client.id", "miw_private_client");
                 put("tx.ssi.oauth.client.secret.alias", "client_secret_alias");
                 put("tx.ssi.miw.authority.id", "BPNL000000000000");
-                put("tx.ssi.miw.authority.issuer", "did:web:localhost%3A8080:BPNL000000000000");
+                put("tx.ssi.miw.authority.issuer", "did:web:localhost%3A8000:BPNL000000000000");
                 put("tx.vault.seed.secrets", "client_secret_alias:miw_private_client");
                 put("tx.ssi.endpoint.audience", SOKRATES_DSP_CALLBACK);
             }

edc-tests/miw-tests/README.md

@@ -0,0 +1,3 @@
+# E2E-Tests
+
+This module contains JUnit tests that spin up multiple runtimes in one JVM.

edc-tests/miw-tests/build.gradle.kts

@@ -0,0 +1,57 @@
+/*
+ *  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+}
+
+dependencies {
+    testImplementation(project(":spi:edr-cache-spi"))
+    testImplementation(project(":edc-extensions:control-plane-adapter-api"))
+    testImplementation(libs.okhttp.mockwebserver)
+    testImplementation(libs.restAssured)
+    testImplementation(libs.nimbus.jwt)
+    testImplementation(libs.postgres)
+    testImplementation(libs.awaitility)
+    testImplementation(libs.aws.s3)
+    testImplementation(libs.edc.spi.core)
+    testImplementation(libs.edc.junit)
+    testImplementation(libs.edc.spi.policy)
+    testImplementation(libs.edc.spi.contract)
+    testImplementation(libs.edc.core.api)
+    testImplementation(libs.edc.spi.catalog)
+    testImplementation(libs.edc.api.catalog)
+    testImplementation(libs.edc.api.contractnegotiation)
+    testImplementation(libs.edc.api.transferprocess)
+    testImplementation(libs.edc.spi.dataplane.selector)
+    testImplementation(libs.edc.ext.jsonld)
+    testImplementation(libs.edc.dsp)
+    testImplementation(testFixtures(libs.edc.sql.core))
+
+
+    testCompileOnly(project(":edc-tests:runtime:extensions"))
+    testCompileOnly(project(":edc-tests:runtime:runtime-memory"))
+    testCompileOnly(project(":edc-tests:runtime:runtime-memory-ssi"))
+    testCompileOnly(project(":edc-tests:runtime:runtime-postgresql"))
+    testImplementation(project(":edc-extensions:ssi:ssi-miw-credential-client"))
+    testImplementation(libs.edc.auth.oauth2.client)
+
+    runtimeOnly(libs.tink)
+
+}
+
+// do not publish
+edcBuild {
+    publish.set(false)
+}

edc-tests/miw-tests/src/test/java/org/eclipse/tractusx/edc/tag/MiwIntegrationTest.java

@@ -0,0 +1,31 @@
+/*
+ *  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.tractusx.edc.tag;
+
+import org.eclipse.edc.junit.annotations.IntegrationTest;
+import org.junit.jupiter.api.Tag;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ ElementType.TYPE })
+@Retention(RetentionPolicy.RUNTIME)
+@IntegrationTest
+@Tag("MiwIntegrationTest")
+public @interface MiwIntegrationTest {
+}
+

edc-tests/miw-tests/src/test/java/org/eclipse/tractusx/edc/tests/miw/README.md

@@ -0,0 +1,72 @@
+# Function-testing the Managed-Identity-Wallet
+
+## Test setup
+
+As test subject we used a `docker-compose.yml` file located in `src/main/resources/`. From that directory, simply
+execute `docker compose up --wait`, and then, once everything is started,
+run `docker exec -i resources-postgres-1 /opt/seed.sh` to seed test data.
+
+## Test suite description
+
+### `t0001` Request and verify a VP
+
+### `t0002` Wrong audience
+
+This test asserts, that a verification request is rejected, if the wrong `audience=` query parameter is supplied.
+The `audience` query parameter must match the `aud` claim inside the token.
+
+### `t0003` A self-signed VP token is rejected
+
+This test asserts, that submitting a self-generated JWT (containing the original VP claim) should be rejected. The MIW
+should only accept JWTs that were signed by the requestor's private key, which is hosted in MIW. Currently, no JWT
+validation is done.
+
+A rejected flow would be:
+
+- request VC from MIW
+- request VP from MIW, returned in JWT format
+- decode the JWT, unpack the payload
+- generate a random keypair
+- re-use the original claims (payload) and header
+- sign with the random keypair
+
+### `t0004` A bogus JWT is rejected
+
+This test is an amendment to `t0003` in that it not only forges the JWT itself, but the JWT does not contain any of the
+required claims. For example, it does not even contain a `vp` claim, so there is no VerifiablePresentation.
+
+### `t0005` A forged VC proof (altered JWS) is rejected
+
+This test asserts, that an altered (and potentially even malformed) `jws` proof is rejected. This test specifically
+targets the use of JsonWebSignature2020, because there the `proof` object contains a `jws` field.
+
+Altering that `jws` value, here by replacing all "a" with "X" should cause the MIW to reject the verification request.
+
+### `t0006` A tampered VC proof (changed document) is rejected
+
+Similar to `t0005`, which alters the proof itself, this test alters the document, for which the proof was created.
+Technically this should alter the document hash, so the proof becomes invalid, and the MIW should reject the request.
+
+### `t0007` Forged `iss` claim is rejected
+
+In this test we construct an impersonation attack, which assumes there are at least two participants in the MIW.
+Participant 1 requests a VP, decodes it, replaces the `iss` claim with the ID of Participant 2 and - using again a
+randomly generated keypair - signs this forged VP token. This effectively gives any participant the possibility to mount
+impersonation attacks.
+
+> Note that Participant 2 was created in the database using the `src/test/resources/db.sh` script
+
+### `t0008` Invalid `iss` claim is rejected (non-existent user)
+
+This test attempts to have a JWT verified where the `iss` claim cannot be resolved.
+
+### `t0009` Invalid `iss` claim is rejected (not did:web format)
+
+This test asserts that a malformed `iss` claim is rejected by MIW. Specifically, the claim must be in `did:web:....`
+format.
+
+### `t0010` An altered `aud` claim is rejected
+
+Similar to `t0007`, and in extension to `t0003`, this test asserts, that a verification request is rejected by MIW, if
+the `aud` claim inside the JWT token was replaced.
+> Note that this attack is only possible if the integrity and provenance of the JWT is not checked, see `t0003`.