From c557d65c6c6e10406e13a7c8b6d6ef918da8c52e Mon Sep 17 00:00:00 2001
From: Enrico Risa
Date: Wed, 27 Mar 2024 18:08:53 +0100
Subject: [PATCH] fix: use local key resolver for data plane token verification
---
 .../core/DataPlaneTokenRefreshServiceExtension.java | 5 ++++-
 .../tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java | 6 +++++-
 .../core/DataPlaneTokenRefreshServiceImplComponentTest.java | 6 ++++++
 .../core/DataPlaneTokenRefreshServiceImplTest.java | 6 +++++-
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceExtension.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceExtension.java
index ab4de2587..3dd2b5421 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceExtension.java
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceExtension.java
@@ -22,6 +22,7 @@
 import org.eclipse.edc.connector.dataplane.spi.iam.DataPlaneAccessTokenService;
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.keys.spi.PrivateKeyResolver;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
@@ -64,6 +65,8 @@ public class DataPlaneTokenRefreshServiceExtension implements ServiceExtension {
 @Inject
 private DidPublicKeyResolver didPkResolver;
 @Inject
+ private LocalPublicKeyService localPublicKeyService;
+ @Inject
 private AccessTokenDataStore accessTokenDataStore;
 @Inject
 private PrivateKeyResolver privateKeyResolver;
@@ -108,7 +111,7 @@ private DataPlaneTokenRefreshServiceImpl getTokenRefreshService(ServiceExtension
 var tokenExpiry = getExpiryConfig(context);
 monitor.debug("Token refresh endpoint: %s".formatted(refreshEndpoint));
 monitor.debug("Token refresh time tolerance: %d s".formatted(expiryTolerance));
- tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(clock, tokenValidationService, didPkResolver, accessTokenDataStore, new JwtGenerationService(),
+ tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(clock, tokenValidationService, didPkResolver, localPublicKeyService, accessTokenDataStore, new JwtGenerationService(),
 getPrivateKeySupplier(context), context.getMonitor(), refreshEndpoint, expiryTolerance, tokenExpiry, () -> context.getConfig().getString(TOKEN_VERIFIER_PUBLIC_KEY_ALIAS), vault, typeManager.getMapper());
 }
diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java
index 44f851cd6..9a179e945 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java
@@ -27,6 +27,7 @@
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.iam.TokenParameters;
 import org.eclipse.edc.spi.iam.TokenRepresentation;
@@ -77,6 +78,7 @@ public class DataPlaneTokenRefreshServiceImpl implements DataPlaneTokenRefreshSe
 private final List accessTokenAuthorizationRules;
 private final TokenValidationService tokenValidationService;
 private final DidPublicKeyResolver publicKeyResolver;
+ private final LocalPublicKeyService localPublicKeyService;
 private final AccessTokenDataStore accessTokenDataStore;
 private final TokenGenerationService tokenGenerationService;
 private final Supplier privateKeySupplier;
@@ -90,6 +92,7 @@ public class DataPlaneTokenRefreshServiceImpl implements DataPlaneTokenRefreshSe
 public DataPlaneTokenRefreshServiceImpl(Clock clock,
 TokenValidationService tokenValidationService,
 DidPublicKeyResolver publicKeyResolver,
+ LocalPublicKeyService localPublicKeyService,
 AccessTokenDataStore accessTokenDataStore,
 TokenGenerationService tokenGenerationService,
 Supplier privateKeySupplier,
@@ -102,6 +105,7 @@ public DataPlaneTokenRefreshServiceImpl(Clock clock,
 ObjectMapper objectMapper) {
 this.tokenValidationService = tokenValidationService;
 this.publicKeyResolver = publicKeyResolver;
+ this.localPublicKeyService = localPublicKeyService;
 this.accessTokenDataStore = accessTokenDataStore;
 this.tokenGenerationService = tokenGenerationService;
 this.privateKeySupplier = privateKeySupplier;
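Review bot: The constructor in the @@ -90 hunk now takes two key-resolution collaborators of different trust scope, `DidPublicKeyResolver publicKeyResolver` and `LocalPublicKeyService localPublicKeyService`, as adjacent positional parameters with no Javadoc saying which one is consulted for what, and every call site in this commit passes them positionally (the unit test passes several bare `mock()` arguments in the same list), so swapping the two would compile cleanly. Add `@param` entries to the constructor Javadoc stating that `localPublicKeyService` supplies the key used to verify access tokens this data plane issued itself (that is what the `resolve` change in this commit uses it for) and that `publicKeyResolver` presumably resolves counterparty keys via DID for the refresh flow — the latter is inferred and should be confirmed against the rest of the class. A matching one-line comment on each of the two field declarations in the @@ -77 hunk would make the distinction visible where the fields are read. The constructor body continues outside the @@ -102 hunk.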
@@ -235,7 +239,7 @@ public Result obtainToken(TokenParameters tokenParameters,
 @Override
 public Result resolve(String token) {
- return tokenValidationService.validate(token, publicKeyResolver, accessTokenAuthorizationRules)
+ return tokenValidationService.validate(token, localPublicKeyService, accessTokenAuthorizationRules)
 .compose(claimToken -> {
 var id = claimToken.getStringClaim(JWTClaimNames.JWT_ID);
 var tokenData = accessTokenDataStore.getById(id);
diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java
index 6d511b525..1fff7c112 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java
@@ -34,6 +34,7 @@
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
 import org.eclipse.edc.junit.annotations.ComponentTest;
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.query.CriterionOperatorRegistryImpl;
 import org.eclipse.edc.security.token.jwt.CryptoConverter;
 import org.eclipse.edc.spi.iam.TokenParameters;
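Review bot: The `validate` call in `resolve` now looks the incoming token's key id up in `localPublicKeyService` instead of `publicKeyResolver`, but nothing on the changed line records why the DID-based resolver must not be used here, so a later refactor that "unifies" the two resolvers could quietly widen the set of keys this data plane accepts for its own access tokens. Add a why-comment above the `return`, e.g. `// access tokens are minted by this data plane, so the signature is checked against the locally held key only; resolving the kid through a DID document would accept keys this component never signed with`. Whether `publicKeyResolver` is still read elsewhere in the class cannot be seen from this hunk; if it is not, drop the field and constructor parameter rather than keep an unused dependency. The body of `resolve` continues past the end of the hunk.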
@@ -69,6 +70,7 @@ class DataPlaneTokenRefreshServiceImplComponentTest {
 public static final String CONSUMER_DID = "did:web:bob";
 public static final String PROVIDER_DID = "did:web:alice";
 private final DidPublicKeyResolver didPkResolverMock = mock();
+ private final LocalPublicKeyService localPublicKeyService = mock();
 private DataPlaneTokenRefreshServiceImpl tokenRefreshService;
 private InMemoryAccessTokenDataStore tokenDataStore;
 private ECKey consumerKey;
@@ -86,6 +88,7 @@ void setup() throws JOSEException {
 tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(),
 new TokenValidationServiceImpl(),
 didPkResolverMock,
+ localPublicKeyService,
 tokenDataStore,
 new JwtGenerationService(),
 () -> privateKey,
@@ -97,6 +100,9 @@ void setup() throws JOSEException {
 new InMemoryVault(mock()),
 new ObjectMapper());
+ when(localPublicKeyService.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey()));
+ when(localPublicKeyService.resolveKey(eq(providerKey.getKeyID()))).thenReturn(Result.success(providerKey.toPublicKey()));
+
 when(didPkResolverMock.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey()));
 when(didPkResolverMock.resolveKey(eq(providerKey.getKeyID()))).thenReturn(Result.success(providerKey.toPublicKey()));
 }
diff --git a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplTest.java b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplTest.java
index 64c92f65b..173b981ef 100644
--- a/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplTest.java
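Review bot: In the @@ -97 hunk `localPublicKeyService` is stubbed for both `consumerKey` and `providerKey`, mirroring the `didPkResolverMock` stubs directly below it, so the component test can no longer tell which resolver `resolve` consults and would keep passing if the service fell back to DID resolution for self-issued tokens. Unless some path in the service needs the consumer's key from the local store, stub only the provider key on `localPublicKeyService` by dropping `when(localPublicKeyService.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey()));`, and add a `verify(localPublicKeyService).resolveKey(eq(providerKey.getKeyID()));` to the test that exercises `resolve`. The new field in the @@ -69 hunk is named `localPublicKeyService` while its DID counterpart is `didPkResolverMock`; giving both the same `Mock` suffix keeps the fixture naming consistent.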
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplTest.java
@@ -23,6 +23,7 @@
 import org.eclipse.edc.connector.dataplane.spi.AccessTokenData;
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.iam.TokenParameters;
 import org.eclipse.edc.spi.iam.TokenRepresentation;
@@ -65,7 +66,10 @@ class DataPlaneTokenRefreshServiceImplTest {
 private final TokenValidationService tokenValidationService = mock();
 private final DidPublicKeyResolver didPublicKeyResolver = mock();
- private final DataPlaneTokenRefreshServiceImpl accessTokenService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(), tokenValidationService, didPublicKeyResolver, accessTokenDataStore, tokenGenService, mock(), mock(),
+ private final LocalPublicKeyService localPublicKeyService = mock();
+
+ private final DataPlaneTokenRefreshServiceImpl accessTokenService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(),
+ tokenValidationService, didPublicKeyResolver, localPublicKeyService, accessTokenDataStore, tokenGenService, mock(), mock(),
 "https://example.com", 1, 300L, () -> "keyid", mock(), new ObjectMapper());