chore: configured policy selection configuration in the helm charts

catenax-ng · Apr 22, 2024 · a137222 · a137222
1 parent 4b8fb9d
commit a137222
Show file tree

Hide file tree

Showing 6 changed files with 149 additions and 72 deletions.
diff --git a/charts/digital-product-pass/templates/configmap-backend.yaml b/charts/digital-product-pass/templates/configmap-backend.yaml
@@ -24,8 +24,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Release.Name }}-backend-config
-  namespace: {{ .Values.namespace }}
+  name: { { .Release.Name } }-backend-config
+  namespace: { { .Values.namespace } }
 data:
   application.yaml: |-
     spring:
@@ -43,7 +43,7 @@ data:
         root: {{ tpl (.Values.backend.logging.level.root | default "INFO") . | quote }}
         # -- logging for the util components
         utils: {{ tpl (.Values.backend.logging.level.utils | default "INFO") . | quote }}
-        
+    
     configuration:
       # -- max retries for the backend services
       maxRetries: {{ .Values.backend.maxRetries }}
@@ -63,19 +63,6 @@ data:
         transfer: {{ .Values.backend.edc.apis.transfer }}
         receiverEndpoint: "https://{{ .Values.backend.hostname }}/endpoint"
         delay:  {{ .Values.backend.edc.delay }} # -- Negotiation status Delay in milliseconds in between async requests [<= 500]
-        policies:
-          usagePolicies:
-            {{- range .Values.backend.edc.acceptedPolicies.usagePolicies}}
-            - leftOperand: {{ .leftOperand | quote }}
-              operator: {{ .operator | quote }}
-              rightOperand: {{ .rightOperand | quote }}
-            {{- end }}
-          accessPolicies:
-            {{- range .Values.backend.edc.acceptedPolicies.accessPolicies}}
-            - leftOperand: {{ .leftOperand | quote }}
-              operator: {{ .operator | quote }}
-              rightOperand: {{ .rightOperand | quote }}
-            {{- end }}
       # -- security configuration
       security:
         # -- authorization configuration about bpn and role checks
@@ -119,6 +106,11 @@ data:
         temporaryStorage:
           enabled: {{ .Values.backend.digitalTwinRegistry.temporaryStorage.enabled }}
           lifetime: {{ .Values.backend.digitalTwinRegistry.temporaryStorage.lifetime }}
+        # -- policy configuration for the digital twin registries negotiation
+        policyCheck:
+          enabled: {{ .Values.backend.digitalTwinRegistry.policyCheck.enabled }}
+          strictMode: {{ .Values.backend.digitalTwinRegistry.policyCheck.strictMode }}
+          policies: {{- toYaml .Values.backend.digitalTwinRegistry.policyCheck.policies | nindent 10 }}
       # -- discovery configuration
       discovery:
         # -- discovery finder configuration
@@ -150,6 +142,11 @@ data:
           dir: "data/transfer"
         # -- passport versions and aspects allowed
         aspects: {{- toYaml .Values.backend.passport.aspects | nindent 10 }}
+        # -- policy configuration for passport retrieval (for auto-signing only)
+        policyCheck:
+          enabled: {{ .Values.backend.passport.policyCheck.enabled }}
+          strictMode: {{ .Values.backend.passport.policyCheck.strictMode }}
+          policies: {{- toYaml .Values.backend.passport.policyCheck.policies | nindent 10 }}
     # -- configuration of the spring boot server
     server:
       # -- configuration of backend errors

diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml
@@ -145,28 +145,6 @@ backend:
       transfer: "/transferprocesses"
     # -- Negotiation status Delay in milliseconds in between async requests [<= 500]
     delay: 100
-    acceptedPolicies:
-      # -- the data contracts are only negotiated for the offers against the defined policies.
-      usagePolicies:
-        - leftOperand: "cx-policy:FrameworkAgreement"
-          operator: "eq"
-          rightOperand: "circulareconomy:1.0"
-        - leftOperand: "cx-policy:UsagePurpose"
-          operator: "eq"
-          rightOperand: "cx.circular.dpp:1"
-        - leftOperand: "Membership"
-          operator: "eq"
-          rightOperand: "active"
-      accessPolicies:
-        - leftOperand: "BusinessPartnerNumber"
-          operator: "eq"
-          rightOperand: *bpn
-        - leftOperand: "cx-policy:UsagePurpose"
-          operator: "eq"
-          rightOperand: "cx.core.digitalTwinRegistry:1"
-        - leftOperand: "Membership"
-          operator: "eq"
-          rightOperand: "active"
 
   # -- backend hostname (without protocol prefix [DEFAULT HTTPS] for security )
   hostname: *hostname
@@ -205,7 +183,29 @@ backend:
       - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
       - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"
       - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"
-
+    # -- configuration for policies to filter in the digital product pass asset negotiation
+    policyCheck:
+      # -- condition to enable and disable the policy check
+      enabled: true
+      # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+      strictMode: false
+      # -- list of allowed policies that can be selected from the edc catalog in negotiations
+      policies:
+        - permission:
+            - action: "USE"
+              logicalConstraint: "odrl:and"
+              constraints:
+                - leftOperand: "cx-policy:Membership"
+                  operator: "odrl:eq"
+                  rightOperand: "active"
+                - leftOperand: "cx-policy:FrameworkAgreement"
+                  operator: "odrl:eq"
+                  rightOperand: "circulareconomy:1.0"
+                - leftOperand: "cx-policy:UsagePurpose"
+                  operator: "odrl:eq"
+                  rightOperand: "cx.circular.dpp:1"
+          prohibition: [ ]
+          obligation: [ ]
   digitalTwinRegistry:
     endpoints:
       search: "/lookup/shells"
@@ -222,6 +222,26 @@ backend:
       enabled: true
       # -- lifetime of the temporaryStorage in hours
       lifetime: 12
+    # -- policy configuration for the digital twin assets in the edc catalog
+    policyCheck:
+      # -- condition to enable and disable the policy check
+      enabled: true
+      # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+      strictMode: false
+      # -- list of allowed policies that can be selected from the edc catalog in negotiations
+      policies:
+        - permission:
+            - action: "USE"
+              logicalConstraint: "odrl:and"
+              constraints:
+                - leftOperand: "cx-policy:Membership"
+                  operator: "odrl:eq"
+                  rightOperand: "active"
+                - leftOperand: "cx-policy:UsagePurpose"
+                  operator: "odrl:eq"
+                  rightOperand: "cx.core.digitalTwinRegistry:1"
+          prohibition: [ ]
+          obligation: [ ]
   # -- discovery configuration
   discovery:
     # -- discovery finder configuration

diff --git a/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml b/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml
@@ -105,6 +105,12 @@ data:
         temporaryStorage:
           enabled: {{ .Values.digitalTwinRegistry.temporaryStorage.enabled }}
           lifetime: {{ .Values.digitalTwinRegistry.temporaryStorage.lifetime }}
+        # -- policy configuration for the digital twin registries negotiation
+        policyCheck:
+          enabled: {{ .Values.digitalTwinRegistry.policyCheck.enabled }}
+          strictMode: {{ .Values.digitalTwinRegistry.policyCheck.strictMode }}
+          policies: {{- toYaml .Values.digitalTwinRegistry.policyCheck.policies | nindent 10 }}
+    
       # -- discovery configuration
       discovery:
         # -- discovery finder configuration
@@ -136,6 +142,11 @@ data:
           dir: "data/transfer"
         # -- passport versions and aspects allowed
         aspects: {{- toYaml .Values.passport.aspects | nindent 10 }}
+        # -- policy configuration for the digital product pass aspect models negotiation
+        policyCheck:
+          enabled: {{ .Values.passport.policyCheck.enabled }}
+          strictMode: {{ .Values.passport.policyCheck.strictMode }}
+          policies: {{- toYaml .Values.passport.policyCheck.policies | nindent 10 }}
     # -- configuration of the spring boot server
     server:
       # -- configuration of backend errors

diff --git a/dpp-backend/charts/digital-product-pass-backend/values.yaml b/dpp-backend/charts/digital-product-pass-backend/values.yaml
@@ -102,7 +102,29 @@ passport:
     - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
     - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"
     - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"
-
+  # -- configuration for policies to filter in the digital product pass asset negotiation
+  policyCheck:
+    # -- condition to enable and disable the policy check
+    enabled: true
+    # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+    strictMode: false
+    # -- list of allowed policies that can be selected from the edc catalog in negotiations
+    policies:
+      - permission:
+          - action: "USE"
+            logicalConstraint: "odrl:and"
+            constraints:
+              - leftOperand: "cx-policy:Membership"
+                operator: "odrl:eq"
+                rightOperand: "active"
+              - leftOperand: "cx-policy:FrameworkAgreement"
+                operator: "odrl:eq"
+                rightOperand: "circulareconomy:1.0"
+              - leftOperand: "cx-policy:UsagePurpose"
+                operator: "odrl:eq"
+                rightOperand: "cx.circular.dpp:1"
+        prohibition: [ ]
+        obligation: [ ]
 digitalTwinRegistry:
   endpoints:
     search: "/lookup/shells"
@@ -118,7 +140,26 @@ digitalTwinRegistry:
   temporaryStorage:
     enabled: true
     lifetime: 12 # -- Hours
-
+  # -- policy configuration for the digital twin assets in the edc catalog
+  policyCheck:
+    # -- condition to enable and disable the policy check
+    enabled: true
+    # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+    strictMode: false
+    # -- list of allowed policies that can be selected from the edc catalog in negotiations
+    policies:
+      - permission:
+          - action: "USE"
+            logicalConstraint: "odrl:and"
+            constraints:
+              - leftOperand: "cx-policy:Membership"
+                operator: "odrl:eq"
+                rightOperand: "active"
+              - leftOperand: "cx-policy:UsagePurpose"
+                operator: "odrl:eq"
+                rightOperand: "cx.core.digitalTwinRegistry:1"
+        prohibition: [ ]
+        obligation: [ ]
 # -- discovery configuration
 discovery:
   # -- discovery finder configuration

diff --git a/dpp-backend/digitalproductpass/src/main/resources/application.yml b/dpp-backend/digitalproductpass/src/main/resources/application.yml
@@ -134,28 +134,33 @@ configuration:
 
   passport:
     searchIdSchema: "CX:<manufacturerPartId>:<partInstanceId>"
-    policyCheck:
-      enabled: true
-      permission:
-        prefix: "cx-policy"
-        any: true
-        constraints:
-          - leftOperand: "FrameworkAgreement"
-            operator: "eq"
-            rightOperand: "circulareconomy:1.0"
-          - leftOperand: "UsagePurpose"
-            operator: "eq"
-            rightOperand: "cx.circular.dpp:1"
-          - leftOperand: "Membership"
-            operator: "eq"
-            rightOperand: "active"
     dataTransfer:
       encrypt: true
       indent: true
       dir: "data/transfer"
     aspects:
       - "urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport"
       - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
+      - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"
+      - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"
+    policyCheck:
+      enabled: true
+      policies:
+        - permission:
+            - action: "USE"
+              logicalConstraint: "odrl:and"
+              constraints:
+                - leftOperand: "cx-policy:Membership"
+                  operator: "odrl:eq"
+                  rightOperand: "active"
+                - leftOperand: "cx-policy:FrameworkAgreement"
+                  operator: "odrl:eq"
+                  rightOperand: "circulareconomy:1.0"
+                - leftOperand: "cx-policy:UsagePurpose"
+                  operator: "odrl:eq"
+                  rightOperand: "cx.circular.dpp:1"
+          prohibition: [ ]
+          obligation: [ ]
 
   vault:
     type: 'local'

diff --git a/dpp-backend/digitalproductpass/src/test/resources/application-test.yml b/dpp-backend/digitalproductpass/src/test/resources/application-test.yml
@@ -85,7 +85,7 @@ configuration:
     semanticIdTypeKey: 'Submodel'
     policyCheck:
       enabled: true
-      strictMode: false
+      strictMode: false # The strict mode is quicker and requires less computation complexity, the default mode is comparing against every single object value
       # List of allowed permissions policies
       policies:
         - permission:
@@ -134,28 +134,31 @@ configuration:
 
   passport:
     searchIdSchema: "CX:<manufacturerPartId>:<partInstanceId>"
-    policyCheck:
-      enabled: true
-      permission:
-        prefix: "cx-policy"
-        any: true
-        constraints:
-          - leftOperand: "FrameworkAgreement"
-            operator: "eq"
-            rightOperand: "circulareconomy:1.0"
-          - leftOperand: "UsagePurpose"
-            operator: "eq"
-            rightOperand: "cx.circular.dpp:1"
-          - leftOperand: "Membership"
-            operator: "eq"
-            rightOperand: "active"
     dataTransfer:
       encrypt: true
       indent: true
       dir: "data/transfer"
     aspects:
       - "urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport"
       - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
+    policyCheck:
+      enabled: true
+      policies:
+        - permission:
+            - action: "USE"
+              logicalConstraint: "odrl:and"
+              constraints:
+                - leftOperand: "cx-policy:Membership"
+                  operator: "odrl:eq"
+                  rightOperand: "active"
+                - leftOperand: "cx-policy:FrameworkAgreement"
+                  operator: "odrl:eq"
+                  rightOperand: "circulareconomy:1.0"
+                - leftOperand: "cx-policy:UsagePurpose"
+                  operator: "odrl:eq"
+                  rightOperand: "cx.circular.dpp:1"
+          prohibition: [ ]
+          obligation: [ ]
 
   vault:
     type: 'local'