feat(provisioning)!: change to the new div provisioning api (#93)

* change to the new div provisioning api
* adjust service account to new provisioning api
* add new delete logic
* add documentation for the new process
* adjust int values for v2
-----------
Refs: #79
Reviewed-by: Evelyn Gurschler <evelyn.gurschler@bmw.de>

charts/dim/README.md

@@ -50,7 +50,6 @@ dependencies:
 | dim.healthChecks.liveness.path | string | `"/healthz"` |  |
 | dim.healthChecks.readyness.path | string | `"/ready"` |  |
 | dim.swaggerEnabled | bool | `false` |  |
-| dim.rootDirectoryId | string | `"00000000-0000-0000-0000-000000000000"` |  |
 | dim.operatorId | string | `"00000000-0000-0000-0000-000000000000"` |  |
 | migrations.name | string | `"migrations"` |  |
 | migrations.image.name | string | `"ghcr.io/sap/ssi-dim-middle-layer_dim-migrations"` |  |
@@ -65,17 +64,17 @@ dependencies:
 | processesworker.image.tag | string | `""` |  |
 | processesworker.imagePullPolicy | string | `"IfNotPresent"` |  |
 | processesworker.resources | object | `{"limits":{"cpu":"45m","memory":"300M"},"requests":{"cpu":"15m","memory":"300M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
-| processesworker.dim.adminMail | string | `"mail@example.org"` |  |
-| processesworker.dim.clientIdCisCentral | string | `""` |  |
-| processesworker.dim.clientSecretCisCentral | string | `""` |  |
-| processesworker.dim.authUrl | string | `""` |  |
-| processesworker.subaccount.baseUrl | string | `""` | Url to the subaccount service api |
-| processesworker.entitlement.baseUrl | string | `""` | Url to the entitlement service api |
-| processesworker.cf.clientId | string | `""` |  |
-| processesworker.cf.clientSecret | string | `""` |  |
-| processesworker.cf.tokenAddress | string | `""` |  |
-| processesworker.cf.baseUrl | string | `""` | Url to the cf service api |
-| processesworker.cf.grantType | string | `"client_credentials"` |  |
+| processesworker.dim.applicationName | string | `""` |  |
+| processesworker.provisioning.clientId | string | `""` |  |
+| processesworker.provisioning.clientSecret | string | `""` |  |
+| processesworker.provisioning.tokenAddress | string | `""` |  |
+| processesworker.provisioning.baseUrl | string | `""` | Url to the cf service api |
+| processesworker.provisioning.grantType | string | `"client_credentials"` |  |
+| processesworker.provisioning.encryptionConfigIndex | int | `0` |  |
+| processesworker.provisioning.encryptionConfigs.index0.index | int | `0` |  |
+| processesworker.provisioning.encryptionConfigs.index0.cipherMode | string | `"CBC"` |  |
+| processesworker.provisioning.encryptionConfigs.index0.paddingMode | string | `"PKCS7"` |  |
+| processesworker.provisioning.encryptionConfigs.index0.encryptionKey | string | `""` | EncryptionKey to encrypt the provisioning client-secret. Secret-key 'provisioning-encryption-key0'. Expected format is 256 bit (64 digits) hex. |
 | processesworker.callback.scope | string | `"openid"` |  |
 | processesworker.callback.grantType | string | `"client_credentials"` |  |
 | processesworker.callback.clientId | string | `""` | Provide client-id for callback. |

charts/dim/templates/cronjob-processes.yaml

@@ -67,36 +67,34 @@ spec:
             - name: "CONNECTIONSTRINGS__DIMDB"
               value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.username }};Password=$(DIM_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
             {{- end }}
-            - name: "DIM__ADMINMAIL"
-              value: "{{ .Values.processesworker.dim.adminMail }}"
-            - name: "DIM__ROOTDIRECTORYID"
-              value: "{{ .Values.dim.rootDirectoryId }}"
-            - name: "DIM__CLIENTIDCISCENTRAL"
-              value: "{{ .Values.processesworker.dim.clientIdCisCentral }}"
-            - name: "DIM__CLIENTSECRETCISCENTRAL"
+            - name: "DIM__APPLICATIONNAME"
+              value: "{{ .Values.processesworker.dim.applicationName }}"
+            - name: "DIM__ENCRYPTIONCONFIGINDEX"
+              value: "{{ .Values.processesworker.provisioning.encryptionConfigIndex }}"
+            - name: "DIM__ENCRYPTIONCONFIGS__0__INDEX"
+              value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.index }}"
+            - name: "DIM__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY"
               valueFrom:
                 secretKeyRef:
                   name: "{{ template "dim.secretName" . }}"
-                  key: "client-secret-cis-central"
-            - name: "DIM__AUTHURL"
-              value: "{{ .Values.processesworker.dim.authUrl }}"
-            - name: "SUBACCOUNT__BASEURL"
-              value: "{{ .Values.processesworker.subaccount.baseUrl }}"
-            - name: "ENTITLEMENT__BASEURL"
-              value: "{{ .Values.processesworker.entitlement.baseUrl }}"
-            - name: "CF__CLIENTID"
-              value: "{{ .Values.processesworker.cf.clientId }}"
-            - name: "CF__CLIENTSECRET"
+                  key: "provisioning-encryption-key0"
+            - name: "DIM__ENCRYPTIONCONFIGS__0__CIPHERMODE"
+              value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.cipherMode }}"
+            - name: "DIM__ENCRYPTIONCONFIGS__0__PADDINGMODE"
+              value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.paddingMode }}"
+            - name: "PROVISIONING__CLIENTID"
+              value: "{{ .Values.processesworker.provisioning.clientId }}"
+            - name: "PROVISIONING__CLIENTSECRET"
               valueFrom:
                 secretKeyRef:
                   name: "{{ template "dim.secretName" . }}"
-                  key: "client-secret-cf"
-            - name: "CF__TOKENADDRESS"
-              value: "{{ .Values.processesworker.cf.tokenAddress }}"
-            - name: "CF__BASEURL"
-              value: "{{ .Values.processesworker.cf.baseUrl }}"
-            - name: "CF__GRANTTYPE"
-              value: "{{ .Values.processesworker.cf.grantType }}"
+                  key: "client-secret-provisioning"
+            - name: "PROVISIONING__TOKENADDRESS"
+              value: "{{ .Values.processesworker.provisioning.tokenAddress }}"
+            - name: "PROVISIONING__BASEURL"
+              value: "{{ .Values.processesworker.provisioning.baseUrl }}"
+            - name: "PROVISIONING__GRANTTYPE"
+              value: "{{ .Values.processesworker.provisioning.grantType }}"
             - name: "CALLBACK__USERNAME"
               value: "empty"
             - name: "CALLBACK__PASSWORD"

charts/dim/templates/deployment.yaml

@@ -80,10 +80,21 @@ spec:
           value: "{{ .Values.dim.healthChecks.liveness.path}}"
         - name: "SWAGGERENABLED"
           value: "{{ .Values.dim.swaggerEnabled }}"
-        - name: "DIM__ROOTDIRECTORYID"
-          value: "{{ .Values.dim.rootDirectoryId }}"
         - name: "DIM__OPERATORID"
           value: "{{ .Values.dim.operatorId }}"
+        - name: "DIM__ENCRYPTIONCONFIGINDEX"
+          value: "{{ .Values.processesworker.provisioning.encryptionConfigIndex }}"
+        - name: "DIM__ENCRYPTIONCONFIGS__0__INDEX"
+          value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.index }}"
+        - name: "DIM__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY"
+          valueFrom:
+            secretKeyRef:
+              name: "{{ template "dim.secretName" . }}"
+              key: "provisioning-encryption-key0"
+        - name: "DIM__ENCRYPTIONCONFIGS__0__CIPHERMODE"
+          value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.cipherMode }}"
+        - name: "DIM__ENCRYPTIONCONFIGS__0__PADDINGMODE"
+          value: "{{ .Values.processesworker.provisioning.encryptionConfigs.index0.paddingMode }}"
         - name: "JWTBEAREROPTIONS__METADATAADDRESS"
           value: "{{ .Values.idp.address }}{{ .Values.idp.jwtBearerOptions.metadataPath }}"
         - name: "JWTBEAREROPTIONS__REQUIREHTTPSMETADATA"
@@ -94,19 +105,6 @@ spec:
           value: "{{ .Values.idp.address }}{{ .Values.idp.jwtBearerOptions.tokenValidationParameters.validIssuerPath }}"
         - name: "JWTBEAREROPTIONS__REFRESHINTERVAL"
           value: "{{ .Values.idp.jwtBearerOptions.refreshInterval }}"
-        - name: "CF__CLIENTID"
-          value: "{{ .Values.processesworker.cf.clientId }}"
-        - name: "CF__CLIENTSECRET"
-          valueFrom:
-            secretKeyRef:
-              name: "{{ template "dim.secretName" . }}"
-              key: "client-secret-cf"
-        - name: "CF__TOKENADDRESS"
-          value: "{{ .Values.processesworker.cf.tokenAddress }}"
-        - name: "CF__BASEURL"
-          value: "{{ .Values.processesworker.cf.baseUrl }}"
-        - name: "CF__GRANTTYPE"
-          value: "{{ .Values.processesworker.cf.grantType }}"
         ports:
         - name: http
           containerPort: {{ .Values.portContainer }}

charts/dim/templates/secret.yaml

@@ -36,15 +36,17 @@ data:
   # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
   # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
   client-secret-cis-central: {{ coalesce ( .Values.processesworker.dim.clientSecretCisCentral | b64enc ) ( index $secret.data "client-secret-cis-central" ) | default ( randAlphaNum 32 ) | quote }}
-  client-secret-cf: {{ coalesce ( .Values.processesworker.cf.clientSecret | b64enc ) ( index $secret.data "client-secret-cf" ) | default ( randAlphaNum 32 ) | quote }}
+  client-secret-provisioning: {{ coalesce ( .Values.processesworker.provisioning.clientSecret | b64enc ) ( index $secret.data "client-secret-provisioning" ) | default ( randAlphaNum 32 ) | quote }}
   client-secret-callback: {{ coalesce ( .Values.processesworker.callback.clientSecret | b64enc ) ( index $secret.data "client-secret-callback" ) | default ( randAlphaNum 32 ) | quote }}
+  provisioning-encryption-key0: {{ coalesce ( .Values.processesworker.provisioning.encryptionConfigs.index0.encryptionKey | b64enc ) ( index $secret.data "provisioning-encryption-key0" ) | default ( randAlphaNum 32 ) | quote }}
   technicalusercreation-encryption-key0: {{ coalesce ( .Values.processesworker.technicalUserCreation.encryptionConfigs.index0.encryptionKey | b64enc ) ( index $secret.data "technicalusercreation-encryption-key0" ) | default ( randAlphaNum 32 ) | quote }}
 {{ else -}}
 stringData:
   # if secret doesn't exist, use provided value from values file or generate a random one
   client-secret-cis-central: {{ .Values.processesworker.dim.clientSecretCisCentral | default ( randAlphaNum 32 ) | quote }}
-  client-secret-cf: {{ .Values.processesworker.cf.clientSecret | default ( randAlphaNum 32 ) | quote }}
+  client-secret-provisioning: {{ .Values.processesworker.provisioning.clientSecret | default ( randAlphaNum 32 ) | quote }}
   client-secret-callback: {{ .Values.processesworker.callback.clientSecret | default ( randAlphaNum 32 ) | quote }}
+  provisioning-encryption-key0: {{ .Values.processesworker.provisioning.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }}
   technicalusercreation-encryption-key0: {{ .Values.processesworker.technicalUserCreation.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }}
 {{ end }}
 {{- end -}}

charts/dim/values.yaml

@@ -42,7 +42,6 @@ dim:
     readyness:
       path: "/ready"
   swaggerEnabled: false
-  rootDirectoryId: "00000000-0000-0000-0000-000000000000"
   operatorId: "00000000-0000-0000-0000-000000000000"
 
 migrations:
@@ -80,23 +79,23 @@ processesworker:
       cpu: 45m
       memory: 300M
   dim:
-    adminMail: "mail@example.org"
-    clientIdCisCentral: ""
-    clientSecretCisCentral: ""
-    authUrl: ""
-  subaccount:
-    # -- Url to the subaccount service api
-    baseUrl: ""
-  entitlement:
-    # -- Url to the entitlement service api
-    baseUrl: ""
-  cf:
+    applicationName: ""
+  provisioning:
     clientId: ""
     clientSecret: ""
     tokenAddress: ""
     # -- Url to the cf service api
     baseUrl: ""
     grantType: "client_credentials"
+    encryptionConfigIndex: 0
+    encryptionConfigs:
+      index0:
+        index: 0
+        cipherMode: "CBC"
+        paddingMode: "PKCS7"
+        # -- EncryptionKey to encrypt the provisioning client-secret. Secret-key 'provisioning-encryption-key0'.
+        # Expected format is 256 bit (64 digits) hex.
+        encryptionKey: ""
   callback:
     scope: "openid"
     grantType: "client_credentials"

docs/admin/database/db-view.md

@@ -59,6 +59,8 @@ erDiagram
         bytea initialization_vector
         integer encryption_mode
         uuid process_id FK
+        uuid operation_id
+        uuid service_key_id
     }
     TENANTS {
         uuid id PK
@@ -67,17 +69,18 @@ erDiagram
         text did_document_location
         bool is_issuer
         uuid process_id FK
-        uuid sub_account_id
-        text service_instance_id
-        text service_binding_name
-        uuid space_id
-        uuid dim_instance_id
+        uuid wallet_id
+        text token_address
+        text client_id
+        uuid operation_id
         text did_download_url
         text did
-        text application_id
         uuid company_id
-        text application_key
+        text base_url
         uuid operator_id
+        bytea client_secret
+        int encryption_mode
+        bytea initialization_vector
     }
 ```
 
@@ -105,29 +108,30 @@ label (TEXT): The label of the process step type.
 
 #### Possible Values
 
-- `CREATE_SUBACCOUNT`: Creates the sub account in sap
-- `CREATE_SERVICEMANAGER_BINDINGS`: Creates the service manager binding for the created subaccount
-- `ASSIGN_ENTITLEMENTS`: Assigns the entitlements
-- `CREATE_SERVICE_INSTANCE`: Creates the service instance
-- `CREATE_SERVICE_BINDING`: Creates the service binding for the created service instance
-- `SUBSCRIBE_APPLICATION`: Subscribes to the `decentralized-identity-management-app` application
-- `CREATE_CLOUD_FOUNDRY_ENVIRONMENT`: Creates the cloud foundry environment
-- `CREATE_CLOUD_FOUNDRY_SPACE`: Creates the cloud foundry space for the created environment
-- `ADD_SPACE_MANAGER_ROLE`: Adds the space manager role for the created subaccount
-- `ADD_SPACE_DEVELOPER_ROLE`: Adds the space developer role for the created subaccount
-- `CREATE_DIM_SERVICE_INSTANCE`: Creates the dim instance
-- `CREATE_SERVICE_INSTANCE_BINDING`: Creates the binding for to the created dim instance
-- `GET_DIM_DETAILS`: Retrieves the dim details from SAP Dim
-- `CREATE_APPLICATION`: Creates the application in the wallet
-- `CREATE_COMPANY_IDENTITY`: Creates a company identity for the wallet
-- `ASSIGN_COMPANY_APPLICATION`: Assigns the company identity to the application
-- `CREATE_STATUS_LIST`: Creates a statuslist for a company
-- `SEND_CALLBACK`: Sends the callback to the portal to transmit the data of the created wallet and did
-- `CREATE_TECHNICAL_USER`: Creates a new technical user for a wallet
-- `GET_TECHNICAL_USER_DATA`: Retrieves the technical user data from the SAP Dim
-- `SEND_TECHNICAL_USER_CREATION_CALLBACK`: Sends the technical user data back to the portal
-- `DELETE_TECHNICAL_USER`: Deletes the technical user from the database and from the SAP Dim
-- `SEND_TECHNICAL_USER_DELETION_CALLBACK`: Sends a status to the portal if the deletion was successful
+- `CREATE_WALLET`: Sends the wallet creation process to the SAP Dim
+- `CHECK_OPERATION`: Checks the wallet creation operation to be completed
+- `GET_COMPANY`: Gets the company and wallet information
+- `GET_DID_DOCUMENT`: Gets the did document and the did for the wallet
+- `CREATE_STATUS_LIST`: Only if the tenant is an issuer - Creates the status list
+- `SEND_CALLBACK`: Sends the wallet data back to the portal backend
+- `RETRIGGER_CREATE_WALLET`: Retriggers the `CREATE_WALLET` step
+- `RETRIGGER_CHECK_OPERATION`: Retriggers the `CHECK_OPERATION` step
+- `RETRIGGER_GET_COMPANY`: Retriggers the `GET_COMPANY` step
+- `RETRIGGER_GET_DID_DOCUMENT`: Retriggers the `GET_DID_DOCUMENT` step
+- `RETRIGGER_CREATE_STATUS_LIST`: Retriggers the `CREATE_STATUS_LIST` step
+- `RETRIGGER_SEND_CALLBACK`: Retriggers the `SEND_CALLBACK` step
+- `CREATE_TECHNICAL_USER`: Sends a technical user creation request to the SAP Dim
+- `GET_TECHNICAL_USER_DATA`: Gets the technical user data (clientId, clientSecret and tokenUrl)
+- `GET_TECHNICAL_USER_SERVICE_KEY`: Gets the service key id which is needed to delete the technical user later on
+- `SEND_TECHNICAL_USER_CREATION_CALLBACK`: Sends all information of the technical user to the portal backend
+- `RETRIGGER_CREATE_TECHNICAL_USER`: Retriggers the `CREATE_TECHNICAL_USER` step
+- `RETRIGGER_GET_TECHNICAL_USER_DATA`: Retriggers the `GET_TECHNICAL_USER_DATA` step
+- `RETRIGGER_GET_TECHNICAL_USER_SERVICE_KEY`: Retriggers the `GET_TECHNICAL_USER_SERVICE_KEY` step
+- `RETRIGGER_SEND_TECHNICAL_USER_CREATION_CALLBACK`: Retriggers the `SEND_TECHNICAL_USER_CREATION_CALLBACK` step
+- `DELETE_TECHNICAL_USER`: Deletes the technical user from the SAP Dim
+- `SEND_TECHNICAL_USER_DELETION_CALLBACK`: Sends a status of whether the deletion was successful to the portal and deletes the technical user from the database
+- `RETRIGGER_DELETE_TECHNICAL_USER`: Retriggers the `DELETE_TECHNICAL_USER` step
+- `RETRIGGER_SEND_TECHNICAL_USER_DELETION_CALLBACK`: Retriggers the `SEND_TECHNICAL_USER_DELETION_CALLBACK` step
 
 ### PROCESS_STEPS
 
@@ -160,14 +164,16 @@ version (UUID): The version of the process.
 
 id (UUID): A unique identifier for the technical user. This is the primary key of the table
 tenant_id (UUID): A unique identifier for the tenant. This is a foreign key referencing id in the TENANT table
-external_id (UUID): the id of the technical user in the dim
+external_id (UUID): the id of the technical user in the DIM
 technical_user_name (TEXT): The name of the technical user
 token_address (TEXT): The address for the authentication of the technical user
 client_id (TEXT): The client id which is needed for authentication
 client_secret (BYTEA): The encrypted client secret
 initialization_vector (BYTEA): The used initialization vector which is needed for decrypting the secret
 encryption_mode (INTEGER): The used encryption mode for the secret
 process_id (UUID): A unique identifier for the process. This is a foreign key referencing id in the PROCESS table
+operation_id (UUID): A unique identifier of the operation which is created on SAP DIM side
+service_key_id (UUID): A unique identifier of the technical user on SAP DIM side
 
 ### TENANTS
 
@@ -177,17 +183,18 @@ bpn (TEXT): Bpn of the company must be unique in combination with the name
 did_document_location (TEXT): The location of the did document (url)
 is_issuer (BOOL): Defines if the requesting tenant is an issuer
 process_id (UUID): A unique identifier for the process. This is a foreign key referencing id in the PROCESS table
-sub_account_id (UUID): A unique identifier of the sub account in the SAP DIM
-service_instance_id (TEXT): A unique identifier of the service instance id in the SAP DIM
-service_binding_name (TEXT): The service binding name in the SAP DIM
-space_id (UUID): A unique identifier of the space id in the SAP DIM
-dim_instance_id (UUID): A unique identifier of the dim instance in the SAP DIM
+operator_id (UUID): A unique identifier of the operator which is used for the wallet creation
 did_download_url (TEXT): The url of the did document.
 did (TEXT): The did of the wallet
-application_id (TEXT): A unique identifier of the application in the SAP DIM
+base_url (TEXT): The address of the wallet
+token_address (TEXT): The address for the authentication of the wallet
+client_id (TEXT): The client id which is needed for authentication
+client_secret (BYTEA): The encrypted client secret
+initialization_vector (BYTEA): The used initialization vector which is needed for decrypting the secret
+encryption_mode (INTEGER): The used encryption mode for the secret
 company_id (UUID): A unique identifier of the company in the SAP DIM
-application_key (TEXT): The key of the application in the SAP DIM
-operator_id (UUID): A unique identifier of the operator which is used for the wallet creation
+operation_id (UUID): A unique identifier of the operation which is created in the SAP DIM
+wallet_id (UUID): A unique identifier of the wallet in the SAP DIM
 
 ### Enum Value Tables