Merge pull request #184 from catenax-ng/main

Introducing ESS-Batch, better configuration, Spring Boot update
eclipse-tractusx · Oct 12, 2023 · ff2348c · ff2348c
2 parents 1e5713a + 9198633
commit ff2348c
Show file tree

Hide file tree

Showing 45 changed files with 958 additions and 479 deletions.
diff --git a/.config/owasp-suppressions.xml b/.config/owasp-suppressions.xml
@@ -1,26 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        Transitive dependency of OkHttp. CVE is only relevant for Gradle builds, not relevant for IRS.
-        ]]></notes>
-        <gav regex="true">org\.jetbrains\.kotlin:.*</gav>
-        <vulnerabilityName>CVE-2022-24329</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability method not in IRS codebase (Files.createTempDir from guava).
-        ]]></notes>
-        <gav regex="true">com\.google\.guava:guava.*</gav>
-        <vulnerabilityName>CVE-2020-8908</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability method not in IRS codebase (Files.createTempDir from guava).
-        ]]></notes>
-        <gav regex="true">com\.google\.guava:guava.*</gav>
-        <vulnerabilityName>CVE-2023-2976</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Vulnerability is a false positive.
@@ -42,4 +21,11 @@
         <gav regex="true">org\.eclipse\.jetty\.toolchain:jetty\-jakarta\-websocket\-api.*</gav>
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. This is not exploitable in IRS.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.graalvm\.sdk/graal\-sdk@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-22006</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Introduced new API endpoint to register ESS Jobs in Batch - POST {{IRS_HOST}}/irs/ess/orders
+
+### Changed
+- Deprecated query parameter 'jobStates' was removed from GET {{IRS_HOST}}/irs/jobs endpoint
+- Moved OAuth2 JWT token claim to configuration. The fields can be configured with `oauth.resourceClaim`, `oauth.irsNamespace`, `oauth.roles`.
 
 ## [3.5.3] - 2023-10-09
 ### Fixed

diff --git a/DEPENDENCIES b/DEPENDENCIES
diff --git a/charts/irs-helm/CHANGELOG.md b/charts/irs-helm/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added configuration for IRS OAuth2 JWT token claim
 
 ## [6.8.0] - 2023-10-09
 ### Changed

diff --git a/charts/irs-helm/templates/configmap-spring-app-config.yaml b/charts/irs-helm/templates/configmap-spring-app-config.yaml
@@ -133,6 +133,11 @@ data:
 
     apiAllowedBpn: {{ tpl (.Values.bpn | default "") . | quote }}
 
+    oauth:
+      resourceClaim: {{ tpl (.Values.oauth.resourceClaim | default "resource_access") . | quote }}
+      irsNamespace: {{ tpl (.Values.oauth.irsNamespace | default "") . | quote }}
+      roles: {{ tpl (.Values.oauth.roles | default "roles") . | quote }}
+
     {{- if .Values.config.content }}
     {{- tpl (toYaml .Values.config.content) . | nindent 4 }}
     {{- end }}
diff --git a/charts/irs-helm/values.yaml b/charts/irs-helm/values.yaml
@@ -205,6 +205,11 @@ ess:
   mockRecursiveEdcAsset:  # List of BPNs for which the special, mocked notification asset should be used
   managementPath: "/management/v2"  # EDC management API path - used for notification asset creation
 
+oauth:
+  resourceClaim: "resource_access"  # Name of the JWT claim for roles
+  irsNamespace: "Cl20-CX-IRS"  # Namespace for the IRS roles
+  roles: "roles"  # Name of the list of roles within the IRS namespace
+
 config:
   # If true, the config provided below will completely replace the configmap.
   # In this case, you need to provide all required config values defined above yourself!

diff --git a/docs/src/api/irs-api.yaml b/docs/src/api/irs-api.yaml
@@ -156,6 +156,61 @@ paths:
       summary: Accepts notifications sent via EDC.
       tags:
         - Environmental- and Social Standards
+  /irs/ess/orders:
+    post:
+      description: "Registers an order for an ESS investigation with an array of 
+      {globalAssetIds}. Each globalAssetId will be processed in an separate job, grouped in batches."
+      operationId: registerESSInvestigationOrder
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RegisterBpnInvestigationBatchOrder'
+        required: true
+      responses:
+        "201":
+          content:
+            application/json:
+              examples:
+                complete:
+                  $ref: '#/components/examples/job-handle'
+              schema:
+                $ref: '#/components/schemas/BatchOrderCreated'
+          description: Returns orderId of registered Batch order.
+        "400":
+          content:
+            application/json:
+              examples:
+                error:
+                  $ref: '#/components/examples/error-response-400'
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+          description: Batch Order registration failed.
+        "401":
+          content:
+            application/json:
+              examples:
+                error:
+                  $ref: '#/components/examples/error-response-401'
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+          description: No valid authentication credentials.
+        "403":
+          content:
+            application/json:
+              examples:
+                error:
+                  $ref: '#/components/examples/error-response-403'
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+          description: Authorization refused by server.
+      security:
+        - oAuth2:
+            - profile email
+      summary: "Registers an order for an ESS investigation with an array of {globalAssetIds}. 
+      Each globalAssetId will be processed in an separate job, grouped in batches."
+      tags:
+        - Environmental- and Social Standards
   /irs/jobs:
     get:
       description: Returns paginated jobs with state and execution times.
@@ -759,7 +814,7 @@ paths:
       responses:
         "200":
           content:
-            'application/json':
+            application/json:
               schema:
                 type: array
                 items:
@@ -1155,8 +1210,8 @@ components:
               - language: en
                 text: The shell for a vehicle
             globalAssetId: urn:uuid:a45a2246-f6e1-42da-b47d-5c3b58ed62e9
-            idShort: future concept x
             id: 882fc530-b69b-4707-95f6-5dbc5e9baaa8
+            idShort: future concept x
             specificAssetIds:
               - name: engineserialid
                 value: "12309481209312"
@@ -1186,13 +1241,13 @@ components:
                       href: https://catena-x.net/vehicle/partdetails/
                       endpointProtocol: HTTPS
                       endpointProtocolVersion: ["1.0"]
-                idShort: vehicle part details
                 id: dae4d249-6d66-4818-b576-bf52f3b9ae90
+                idShort: vehicle part details
                 semanticId:
-                  type: ModelReference
                   keys:
                     - type: Submodel
                       value: urn:bamm:com.catenax.vehicle:0.1.1#PartDetails
+                  type: ModelReference
         submodels:
           - aspectType: urn:bamm:io.catenax.single_level_bom_as_built:1.0.0
             identification: urn:uuid:fc784d2a-5506-4e61-8e34-21600f8cdeff
@@ -1335,8 +1390,8 @@ components:
               - language: en
                 text: The shell for a vehicle
             globalAssetId: urn:uuid:a45a2246-f6e1-42da-b47d-5c3b58ed62e9
-            idShort: future concept x
             id: 882fc530-b69b-4707-95f6-5dbc5e9baaa8
+            idShort: future concept x
             specificAssetIds:
               - name: engineserialid
                 value: "12309481209312"
@@ -1350,8 +1405,8 @@ components:
                       href: https://catena-x.net/vehicle/basedetails/
                       endpointProtocol: HTTPS
                       endpointProtocolVersion: ["1.0"]
-                idShort: vehicle base details
                 id: 4a738a24-b7d8-4989-9cd6-387772f40565
+                idShort: vehicle base details
                 semanticId:
                   type: ModelReference
                   keys:
@@ -1366,8 +1421,8 @@ components:
                       href: https://catena-x.net/vehicle/partdetails/
                       endpointProtocol: HTTPS
                       endpointProtocolVersion: ["1.0"]
-                idShort: vehicle part details
                 id: dae4d249-6d66-4818-b576-bf52f3b9ae90
+                idShort: vehicle part details
                 semanticId:
                   type: ModelReference
                   keys:
@@ -1468,10 +1523,10 @@ components:
           type: string
           description: Id of global asset.
           example: urn:uuid:6c311d29-5753-46d4-b32c-19b918ea93b0
-        idShort:
-          type: string
         id:
           type: string
+        idShort:
+          type: string
         specificAssetIds:
           type: array
           items:
@@ -1507,8 +1562,8 @@ components:
           minimum: 0
     BatchOrderCreated:
       type: object
-      description: Id of the created Batch order.
       additionalProperties: false
+      description: Id of the created Batch order.
       properties:
         id:
           type: string
@@ -2258,6 +2313,69 @@ components:
           minimum: 60
       required:
         - keys
+    RegisterBpnInvestigationBatchOrder:
+      type: object
+      additionalProperties: false
+      description: Request body for registering a new Batch Order for ESS Investigation
+        Job.
+      properties:
+        batchSize:
+          type: integer
+          format: int32
+          default: 20
+          description: Size of the batch.
+          maximum: 100
+          minimum: 10
+        batchStrategy:
+          type: string
+          description: The strategy how the batch is processed internally in IRS.
+          enum:
+            - PRESERVE_BATCH_JOB_ORDER
+            - PRESERVE_JOB_ORDER
+            - PRESERVE_BATCH_ORDER
+        bomLifecycle:
+          type: string
+          description: The lifecycle context in which the child part was assembled
+            into the parent part.
+          enum:
+            - asBuilt
+            - asPlanned
+            - asSpecified
+        callbackUrl:
+          type: string
+          description: "Callback url to notify requestor when job processing is finished.\
+                \ There are four uri variable placeholders that can be used: orderId,\
+                \ batchId, orderState and batchState."
+          example: "https://hostname.com/callback?orderId={orderId}&batchId={batchId}&orderState={orderState}&batchState={batchState}"
+        incidentBPNSs:
+          type: array
+          items:
+            type: string
+            pattern: "(BPN)[LSA][\\w\\d]{10}[\\w\\d]{2}"
+          maxItems: 2147483647
+        jobTimeout:
+          type: integer
+          format: int32
+          default: 3600
+          description: Timeout in seconds for each job processing inside the complete
+            order.
+          maximum: 7200
+          minimum: 60
+        keys:
+          type: array
+          items:
+            $ref: '#/components/schemas/PartChainIdentificationKey'
+          maxItems: 2147483647
+        timeout:
+          type: integer
+          format: int32
+          default: 43200
+          description: Timeout in seconds for the complete batch order processing.
+          maximum: 86400
+          minimum: 60
+      required:
+        - incidentBPNSs
+        - keys
     RegisterBpnInvestigationJob:
       type: object
       additionalProperties: false

diff --git a/docs/src/docs/arc42/building-block-view/level-2.adoc b/docs/src/docs/arc42/building-block-view/level-2.adoc
@@ -85,7 +85,7 @@ include::../../../uml-diagrams/building-block-view/level-2-int-transfer-process-
 |The DigitalTwinRegistryFacade calls the DigitalTwinRegistry to retrieve data form the AAS registry and transforms the response to internal data models.
 
 |SubmodelFacade
-|The SubmodelFacade calls the EDC to retrieve data from the submodel server and transforms the response to internal data models.
+|The SubmodelFacade handles EDC contract negotiations and is responsible for the EDC dataplane requests to retrieve data from the submodel servers.
 
 |BlobStore
 |The BlobStore is the database where the relationships and tombstones are stored for a requested item.