Merge pull request #356 from catenax-ng/main

IRS release 4.4.0
eclipse-tractusx · Jan 15, 2024 · 03f8dd7 · 03f8dd7
2 parents bec8b7b + ad7bd27
commit 03f8dd7
Show file tree

Hide file tree

Showing 90 changed files with 2,154 additions and 1,790 deletions.
diff --git a/.config/spotbugs-excludes.xml b/.config/spotbugs-excludes.xml
@@ -25,13 +25,13 @@
  </Match>
  <Match>
  <!-- CSRF protection turned off on purpose. -->
- <Class name="org.eclipse.tractusx.irs.configuration.SecurityConfiguration"/>
+ <Class name="org.eclipse.tractusx.irs.configuration.security.SecurityConfiguration"/>
  <Method name="securityFilterChain"/>
  <Bug pattern="SPRING_CSRF_PROTECTION_DISABLED"/>
  </Match>
  <Match>
  <!-- We want to explicitly throw Exception in this method. -->
- <Class name="org.eclipse.tractusx.irs.configuration.SecurityConfiguration"/>
+ <Class name="org.eclipse.tractusx.irs.configuration.security.SecurityConfiguration"/>
  <Method name="securityFilterChain"/>
  <Bug pattern="THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION"/>
  </Match>

diff --git a/.github/workflows/publish-documentation.yaml b/.github/workflows/publish-documentation.yaml
@@ -36,7 +36,7 @@ jobs:
  - name: Setup Node
  uses: actions/setup-node@v4
  with:
- node-version: 16
+ node-version: 20
 
  - name: Cache maven packages
  uses: actions/cache@v3
@@ -105,8 +105,8 @@ jobs:
  - name: MD linting
  run: |
  npm install markdownlint-cli2
- npx markdownlint-cli2-config docs/.markdownlint.yaml docs/target/generated-docs/adminguide.md
- npx markdownlint-cli2-config docs/.markdownlint.yaml docs/target/generated-docs/arc42.md
+ npx markdownlint-cli2 --config docs/.markdownlint.yaml docs/target/generated-docs/adminguide.md
+ npx markdownlint-cli2 --config docs/.markdownlint.yaml docs/target/generated-docs/arc42.md
 
  - name: Move assets to target directory
  run: |

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,10 +6,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.4.0] - 2024-01-15
 ### Added
-
+- Added EDR token cache to reuse token after contract negotiation
 - Added cache mechanism in DiscoveryFinderClientImpl for findDiscoveryEndpoints
 
+### Changed
+- Authentication was redesigned to use API keys, instead of OAuth2 protocol. The api key has to be sent as a X-API-KEY request header. IRS is supporting two types of API keys - one for admin and one for regular/view usage. Use new ``apiKeyAdmin`` and ``apiKeyRegular`` config entries to set up API keys.
+
+### Removed
+- Removed ``oauth.resourceClaim``, ``oauth.irsNamespace``,``oauth.roles``,``oauth2.jwkSetUri`` config entries
+
 ## [4.3.0] - 2023-12-08
 ### Added
 - Added support for `hasAlternatives` property in SingleLevelBomAsBuilt aspect
@@ -481,7 +488,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Unresolved
 - **Select Aspects you need** You are able to select the needed aspects for which you want to collect the correct endpoint information.
 
-[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.3.0...HEAD
+[Unreleased]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.4.0...HEAD
+[4.4.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.3.0...4.4.0
 [4.3.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.2.0...4.3.0
 [4.2.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.1.0...4.2.0
 [4.1.0]: https://github.com/eclipse-tractusx/item-relationship-service/compare/4.0.2...4.1.0

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -161,13 +161,13 @@ maven/mavencentral/io.prometheus/simpleclient_common/0.16.0, Apache-2.0, approve
 maven/mavencentral/io.prometheus/simpleclient_tracer_common/0.16.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.prometheus/simpleclient_tracer_otel/0.16.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.prometheus/simpleclient_tracer_otel_agent/0.16.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/io.rest-assured/json-path/5.3.0, Apache-2.0, approved, #9261
 maven/mavencentral/io.rest-assured/json-path/5.3.2, Apache-2.0, approved, #9261
-maven/mavencentral/io.rest-assured/rest-assured-common/5.3.0, Apache-2.0, approved, #9264
+maven/mavencentral/io.rest-assured/json-path/5.4.0, Apache-2.0, approved, #12042
 maven/mavencentral/io.rest-assured/rest-assured-common/5.3.2, Apache-2.0, approved, #9264
-maven/mavencentral/io.rest-assured/rest-assured/5.3.0, Apache-2.0, approved, #9262
-maven/mavencentral/io.rest-assured/xml-path/5.3.0, Apache-2.0, approved, #9267
+maven/mavencentral/io.rest-assured/rest-assured-common/5.4.0, Apache-2.0, approved, #12039
+maven/mavencentral/io.rest-assured/rest-assured/5.4.0, Apache-2.0, approved, #12040
 maven/mavencentral/io.rest-assured/xml-path/5.3.2, Apache-2.0, approved, #9267
+maven/mavencentral/io.rest-assured/xml-path/5.4.0, Apache-2.0, approved, #12038
 maven/mavencentral/io.suzaku/boopickle_2.13/1.3.3, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.swagger.core.v3/swagger-annotations-jakarta/2.2.15, Apache-2.0, approved, #5947
 maven/mavencentral/io.swagger.core.v3/swagger-annotations/2.2.16, Apache-2.0, approved, #11362

diff --git a/charts/irs-helm/CHANGELOG.md b/charts/irs-helm/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.13.0] - 2024-01-15
+- Update IRS version to 4.4.0
+
 ## [6.12.0] - 2023-12-08
 ### Changed 
 - Changed configuration from `ess.managementPath` to options for each endpoint `ess.assetsPath` `ess.policydefinitionsPath` `ess.contractdefinitionsPath`. E.g. `ess.assetsPath: /management/v3/assets`

diff --git a/charts/irs-helm/Chart.yaml b/charts/irs-helm/Chart.yaml
@@ -35,12 +35,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 6.12.0
+version: 6.13.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "4.3.0"
+appVersion: "4.4.0"
 dependencies:
  - name: common
  repository: https://charts.bitnami.com/bitnami

diff --git a/charts/irs-helm/templates/configmap-spring-app-config.yaml b/charts/irs-helm/templates/configmap-spring-app-config.yaml
@@ -34,6 +34,11 @@ data:
 
  irs:
  apiUrl: {{ tpl (.Values.irsUrl | default "http://localhost") . | quote }}
+ security:
+ api:
+ keys:
+ admin: {{ tpl (.Values.apiKeyAdmin | default "") . | quote }}
+ regular: {{ tpl (.Values.apiKeyRegular | default "") . | quote }}
 
  blobstore:
  endpoint: {{ tpl (.Values.minioUrl | default "") . | quote }}
@@ -62,9 +67,6 @@ data:
  token-uri: {{ tpl (.Values.oauth2.clientTokenUri | default "http://localhost") . | quote }}
  portal:
  token-uri: {{ tpl (.Values.oauth2.clientTokenUri | default "http://localhost") . | quote }}
- resourceserver:
- jwt:
- jwk-set-uri: {{ tpl (.Values.oauth2.jwkSetUri | default "http://localhost") . | quote }}
 
  digitalTwinRegistry:
  descriptorEndpoint: {{ tpl (.Values.digitalTwinRegistry.descriptorEndpoint | default "") . | quote }}
@@ -147,11 +149,6 @@ data:
 
  apiAllowedBpn: {{ tpl (.Values.bpn | default "") . | quote }}
 
- oauth:
- resourceClaim: {{ tpl (.Values.oauth.resourceClaim | default "resource_access") . | quote }}
- irsNamespace: {{ tpl (.Values.oauth.irsNamespace | default "") . | quote }}
- roles: {{ tpl (.Values.oauth.roles | default "roles") . | quote }}
-
  {{- if .Values.config.content }}
  {{- tpl (toYaml .Values.config.content) . | nindent 4 }}
  {{- end }}
diff --git a/charts/irs-helm/values.yaml b/charts/irs-helm/values.yaml
@@ -106,6 +106,8 @@ readinessProbe:
 #####################
 irsUrl: # "https://<irs-url>"
 bpn: # BPN for this IRS instance; only users with this BPN are allowed to access the API
+apiKeyAdmin: "password" # <api-key-admin> Admin auth key, Should be changed!
+apiKeyRegular: "password" # <api-key-regular> View auth key, Should be changed!
 ingress:
  enabled: false
 
@@ -153,7 +155,6 @@ oauth2:
  clientId: # <oauth2-client-id>
  clientSecret: # <oauth2-client-secret>
  clientTokenUri: # <oauth2-token-uri>
- jwkSetUri: # <oauth2-jwkset-uri>
 portal:
  oauth2:
  clientId: # <portal-client-id>
@@ -217,11 +218,6 @@ ess:
  policydefinitionsPath: /management/v2/policydefinitions # EDC management API "policydefinitions" path - used for notification policy definition creation
  contractdefinitionsPath: /management/v2/contractdefinitions # EDC management API "contractdefinitions" path - used for notification contract definitions creation
 
-oauth:
- resourceClaim: "resource_access" # Name of the JWT claim for roles
- irsNamespace: "Cl20-CX-IRS" # Namespace for the IRS roles
- roles: "roles" # Name of the list of roles within the IRS namespace
-
 config:
  # If true, the config provided below will completely replace the configmap.
  # In this case, you need to provide all required config values defined above yourself!

diff --git a/docs/src/api/irs-api.yaml b/docs/src/api/irs-api.yaml
@@ -992,7 +992,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1043,7 +1042,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1166,7 +1164,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1317,7 +1314,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1355,7 +1351,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1470,7 +1465,6 @@ components:
  globalAssetId: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
  id: e5347c88-a921-11ec-b909-0242ac120002
  lastModifiedOn: 2022-02-03T14:48:54.709Z
- owner: ""
  parameter:
  aspects:
  - SerialPart
@@ -1918,9 +1912,6 @@ components:
  type: string
  format: date-time
  example: 2022-02-03T14:48:54.709Z
- owner:
- type: string
- description: The IRS api consumer.
  parameter:
  $ref: '#/components/schemas/JobParameter'
  startedOn:

diff --git a/docs/src/docs/administration/configuration.adoc b/docs/src/docs/administration/configuration.adoc
@@ -24,6 +24,12 @@ include::../../../../charts/irs-helm/values.yaml[lines=104..302]
 ==== <irs-url>
 The hostname where the IRS will be made available.
 
+==== <api-key-admin>
+Api key to access API with admin role.
+
+==== <api-key-regular>
+Api key to access API with regular/view role.
+
 === <ingress>
 To expose the IRS service, you need to add an ingress for the default port 8080.
 You can do this by adding this to ingress:
@@ -64,9 +70,6 @@ The URL of the BPDM service. The IRS uses this service to fetch business partner
 ==== <oauth2-token-uri>
 The URL of the OAuth2 token API. Used by the IRS for token creation to authenticate with other services.
 
-==== <oauth2-jwkset-uri>
-The URL of the OAuth2 JWK Set. Used by the IRS to validate tokens when the IRS API is called.
-
 ==== <grafana-url>
 The hostname where Grafana will be made available.
 
@@ -86,7 +89,7 @@ When IRS calls EDC Discovery Service to fetch connector endpoints for BPNLs, the
 This parameter define how long cache is maintained before it is cleared. Data is in ISO 8601.
 
 == OAuth2 Configuration
-OAuth2 protocol is used by IRS to protect the APIs and other resources. This means it is possible to configure and use any identity and access management tool that provides OAuth 2.0 functionality.
+Previously, OAuth2 protocol was used by IRS to protect the APIs and other resources. As a reference, latest IRS version that supported OAuth2 protocol was 4.3.0, which can be found here: https://github.com/eclipse-tractusx/item-relationship-service/releases/tag/4.3.0.
 
 === Semantic Model Provisioning
 The IRS can retrieve semantic models in two ways:

diff --git a/docs/src/docs/arc42/cross-cutting/safety-security.adoc b/docs/src/docs/arc42/cross-cutting/safety-security.adoc
@@ -4,15 +4,9 @@
 
 === IRS API
 
-The IRS is secured using OAuth2.0 / Open ID Connect.
-Every request to the IRS API requires a valid bearer token.
-JWT token should also contain two claims:
-
-- 'bpn' which is equal to the configuration value from `API_ALLOWED_BPN` property
-- 'resource_access' with the specific 'Cl20-CX-IRS' key for C-X environments. (The keys are configurable. For more details see chapter "IRS OAuth2 JWT Token").
-The list of values will be converted to roles by IRS.
-Currently, IRS API handles two roles: *'admin_irs'* and *'view_irs'.* A valid token with the *'admin_irs'* role can access any endpoint exposed by the IRS API, while a token with the *'view_irs'* role does not have access to policies endpoints and can operate only on resources it owns.
-That means that he only has access to the resources he has created, e.g. jobs and batches.
+The IRS API is secured using API Keys (tokens that a client provides when invoking API calls). IRS identifies API clients based on the provided token inside 'X-API-KEY' request header, and then checks the token with configuration. API Keys can be configured with helm configuration entries - check Administration Guide to know how to do this. Every request to the IRS API requires a valid 'X-API-KEY' header to be successfully authenticated.
+
+Currently, IRS API handles two roles: *'admin_irs'* and *'view_irs'.* A valid token with the *'admin_irs'* role can access any endpoint exposed by the IRS API, including Policies management API. A valid token with the *'view_irs'* role does not have access to policies endpoints.
 This behavior is shown in the table below.
 
 ==== Rights and Roles Matrix of IRS
@@ -24,56 +18,25 @@ This behavior is shown in the table below.
 | | Update policy | PUT /irs/policies/{policyId} | | x
 | | Delete policy | DELETE /irs/policies/{policyId} | | x
 | Aspect models | Get aspect models | GET /irs/aspectmodels | x | x
-| Job processing | Register job | POST /irs/jobs | (x) | x
-| | Get jobs | GET /irs/jobs | (x) | x
-| | Get job | GET /irs/jobs/{jobId} | (x) | x
-| | Cancel job | PUT /irs/jobs/{jobId} | (x) | x
-| Batch processing | Register order | POST /irs/orders | (x) | x
-| | Get order | GET /irs/orders/{orderId} | (x) | x
-| | Cancel order | PUT /irs/orders/{orderId} | (x) | x
-| | Get batch | GET /irs/orders/{orderId}/batches/{batchId} | (x) | x
+| Job processing | Register job | POST /irs/jobs |  x | x
+| | Get jobs | GET /irs/jobs |  x | x
+| | Get job | GET /irs/jobs/{jobId} |  x | x
+| | Cancel job | PUT /irs/jobs/{jobId} |  x | x
+| Batch processing | Register order | POST /irs/orders |  x | x
+| | Get order | GET /irs/orders/{orderId} |  x | x
+| | Cancel order | PUT /irs/orders/{orderId} |  x | x
+| | Get batch | GET /irs/orders/{orderId}/batches/{batchId} | x | x
 | Environmental- and
-Social Standards | Register investigation job | POST /ess/bpn/investigations | (x) | x
-| | Get investigation job | GET /ess/bpn/investigations{id} | (x) | x
+Social Standards | Register investigation job | POST /ess/bpn/investigations | x | x
+| | Get investigation job | GET /ess/bpn/investigations{id} | x | x
 | | Accept notifications | POST /ess/notification/receive | x | x
 |===
 
-Legend: x = full access to all resources, (x) = access to the resources he owns
-
-=== IRS OAuth2 JWT Token
-
-IRS expects the JWT access token to have the following structure to be able to extract role information:
-
-[source,json]
-----
-{
-...
- "resource_access": {
- "Cl20-CX-IRS": {
- "roles": [
- "view_irs",
- "admin_irs"
- ]
- }
- },
-...
-}
-----
-
-The field names can be configured via application.yaml:
-
-[source,yaml]
-----
-# OAuth2 JWT token parse config. This configures the structure IRS expects when parsing the IRS role of an access token.
-oauth:
- resourceClaim: "resource_access" # Name of the JWT claim for roles
- irsNamespace: "Cl20-CX-IRS" # Namespace for the IRS roles
- roles: "roles" # Name of the list of roles within the IRS namespace
-----
+Legend: x = full access to all resources
 
 === IRS as DTR client
 
-The IRS acts as a client for the Digital Twin Registry (DTR), which is also secured using OAuth2.0 / Open ID Connect.
+The IRS acts as a client for the Digital Twin Registry (DTR), which is secured using OAuth2.0 / Open ID Connect.
 The IRS uses client credentials to authenticate requests to the DTR.
 Due to this, the IRS account needs to have access to every item in the DTR, unrelated to the permissions of the account calling the IRS API.
 

diff --git a/docs/src/docs/arc42/cross-cutting/under-the-hood.adoc b/docs/src/docs/arc42/cross-cutting/under-the-hood.adoc
@@ -108,3 +108,46 @@ When the EDC Discovery is requested to return the EDC connector endpoint URLs fo
 The time to live for both caches can be configured separately as described in the Administration Guide.
 
 Further information on Discovery Service can be found in the chapter "System scope and context".
+
+=== EDC
+
+EndpointDataReferenceStorage is in-memory local storage that holds records (EndpointDataReferences) by either assetId or contractAgreementId.
+
+When EDC gets EndpointDataReference describing endpoint serving data it uses EndpointDataReferenceStorage and query it by assetId.
+This allows reuse of already existing EndpointDataReference if it is present, valid, and it's token is not expired,
+rather than starting whole new contract negotiation process.
+
+In case token is expired the process is also shortened. We don't have to start new contract negotiation process,
+since we can obtain required contractAgreementId from present authCode. This improves request processing time.
+
+[source, mermaid]
+....
+sequenceDiagram
+ autonumber
+ participant EdcSubmodelClient
+ participant ContractNegotiationService
+ participant EndpointDataReferenceStorage
+ participant EdcCallbackController
+ participant EdcDataPlaneClient
+ EdcSubmodelClient ->> EndpointDataReferenceStorage: Get EDR Token for EDC asset id
+ EndpointDataReferenceStorage ->> EdcSubmodelClient: Return Optional<EDR Token>
+ alt Token is present and not expired
+ EdcSubmodelClient ->> EdcSubmodelClient: Optional.get
+ else
+ alt Token is expired
+ EdcSubmodelClient ->> ContractNegotiationService: Renew EDR Token based on existing Token
+ else Token is not present
+ EdcSubmodelClient ->> ContractNegotiationService: Negotiate new EDR Token
+ end
+ ContractNegotiationService -->> EdcCallbackController: EDC flow
+ EdcCallbackController ->> EndpointDataReferenceStorage: Store EDR token by EDC asset id after EDC callback
+ loop While EDR Token is not present
+ EdcSubmodelClient ->> EndpointDataReferenceStorage: Poll for EDR Token
+ end
+ EndpointDataReferenceStorage ->> EdcSubmodelClient: Return EDR Token
+ end
+ EdcSubmodelClient ->> EdcDataPlaneClient: Get data(EDR Token, Dataplane URL)
+ EdcDataPlaneClient ->> EdcSubmodelClient: Return data
+....
+
+