diff --git a/charts/digital-product-pass/templates/configmap-backend.yaml b/charts/digital-product-pass/templates/configmap-backend.yaml
index 9c16e518a..fa8d9a0bf 100644
--- a/charts/digital-product-pass/templates/configmap-backend.yaml
+++ b/charts/digital-product-pass/templates/configmap-backend.yaml
@@ -24,8 +24,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ .Release.Name }}-backend-config
- namespace: {{ .Values.namespace }}
+ name: { { .Release.Name } }-backend-config
+ namespace: { { .Values.namespace } }
 data:
 application.yaml: |-
 spring:
@@ -43,7 +43,7 @@ data:
 root: {{ tpl (.Values.backend.logging.level.root | default "INFO") . | quote }}
 # -- logging for the util components
 utils: {{ tpl (.Values.backend.logging.level.utils | default "INFO") . | quote }}
-
+
 configuration:
 # -- max retries for the backend services
 maxRetries: {{ .Values.backend.maxRetries }}
@@ -63,19 +63,6 @@ data:
 transfer: {{ .Values.backend.edc.apis.transfer }}
 receiverEndpoint: "https://{{ .Values.backend.hostname }}/endpoint"
 delay: {{ .Values.backend.edc.delay }} # -- Negotiation status Delay in milliseconds in between async requests [<= 500]
- policies:
- usagePolicies:
- {{- range .Values.backend.edc.acceptedPolicies.usagePolicies}}
- - leftOperand: {{ .leftOperand | quote }}
- operator: {{ .operator | quote }}
- rightOperand: {{ .rightOperand | quote }}
- {{- end }}
- accessPolicies:
- {{- range .Values.backend.edc.acceptedPolicies.accessPolicies}}
- - leftOperand: {{ .leftOperand | quote }}
- operator: {{ .operator | quote }}
- rightOperand: {{ .rightOperand | quote }}
- {{- end }}
 # -- security configuration
 security:
 # -- authorization configuration about bpn and role checks
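Review bot: The new `metadata.name` and `metadata.namespace` lines in the first hunk replace the Go template delimiters `{{ … }}` with `{ { … } }`, which Helm does not treat as template actions; the text is emitted literally and `name: { { .Release.Name } }-backend-config` is not parseable YAML (trailing text after a flow mapping), so the ConfigMap would fail to render or apply. This looks like an editor auto-format artefact rather than an intended change; the lines should remain `name: {{ .Release.Name }}-backend-config` and `namespace: {{ .Values.namespace }}`. A `helm lint`/`helm template` step in CI would catch this class of breakage before merge. The other two hunks in this file are a whitespace change and the pure removal of the old `acceptedPolicies` rendering.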
@@ -119,6 +106,11 @@ data:
 temporaryStorage:
 enabled: {{ .Values.backend.digitalTwinRegistry.temporaryStorage.enabled }}
 lifetime: {{ .Values.backend.digitalTwinRegistry.temporaryStorage.lifetime }}
+ # -- policy configuration for the digital twin registries negotiation
+ policyCheck:
+ enabled: {{ .Values.backend.digitalTwinRegistry.policyCheck.enabled }}
+ strictMode: {{ .Values.backend.digitalTwinRegistry.policyCheck.strictMode }}
+ policies: {{- toYaml .Values.backend.digitalTwinRegistry.policyCheck.policies | nindent 10 }}
 # -- discovery configuration
 discovery:
 # -- discovery finder configuration
@@ -150,6 +142,11 @@ data:
 dir: "data/transfer"
 # -- passport versions and aspects allowed
 aspects: {{- toYaml .Values.backend.passport.aspects | nindent 10 }}
+ # -- policy configuration for passport retrieval (for auto-signing only)
+ policyCheck:
+ enabled: {{ .Values.backend.passport.policyCheck.enabled }}
+ strictMode: {{ .Values.backend.passport.policyCheck.strictMode }}
+ policies: {{- toYaml .Values.backend.passport.policyCheck.policies | nindent 10 }}
 # -- configuration of the spring boot server
 server:
 # -- configuration of backend errors
diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml
index 528b58afe..a06543203 100644
--- a/charts/digital-product-pass/values.yaml
+++ b/charts/digital-product-pass/values.yaml
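Review bot: The new `policies:` line renders `.Values.backend.digitalTwinRegistry.policyCheck.policies` with no guard, so a values override that keeps `enabled: true` but omits `policies` renders `policies: null` and leaves it to the backend to decide whether a missing allowlist rejects or accepts every catalog offer. The values file describes this list as the allowed policies that can be selected from the EDC catalog in negotiations, so failing closed at render time is the safer default: `policies: {{- required "digitalTwinRegistry.policyCheck.policies must be set when policyCheck is enabled" .Values.backend.digitalTwinRegistry.policyCheck.policies | toYaml | nindent 10 }}`. Note that `required` rejects nil and empty strings but not an empty sequence, so an explicit `[]` still renders and its meaning should be documented in values.yaml. The same applies to the passport `policyCheck` block in this file's second hunk and to both blocks added to `dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml`.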
@@ -145,28 +145,6 @@ backend: transfer: "/transferprocesses" # -- Negotiation status Delay in milliseconds in between async requests [<= 500] delay: 100 - acceptedPolicies: - # -- the data contracts are only negotiated for the offers against the defined policies. - usagePolicies: - - leftOperand: "cx-policy:FrameworkAgreement" - operator: "eq" - rightOperand: "circulareconomy:1.0" - - leftOperand: "cx-policy:UsagePurpose" - operator: "eq" - rightOperand: "cx.circular.dpp:1" - - leftOperand: "Membership" - operator: "eq" - rightOperand: "active" - accessPolicies: - - leftOperand: "BusinessPartnerNumber" - operator: "eq" - rightOperand: *bpn - - leftOperand: "cx-policy:UsagePurpose" - operator: "eq" - rightOperand: "cx.core.digitalTwinRegistry:1" - - leftOperand: "Membership" - operator: "eq" - rightOperand: "active" # -- backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) hostname: *hostname 
@@ -205,7 +183,29 @@ backend:
 - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
 - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"
 - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"
-
+ # -- configuration for policies to filter in the digital product pass asset negotiation
+ policyCheck:
+ # -- condition to enable and disable the policy check
+ enabled: true
+ # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+ strictMode: false
+ # -- list of allowed policies that can be selected from the edc catalog in negotiations
+ policies:
+ - permission:
+ - action: "USE"
+ logicalConstraint: "odrl:and"
+ constraints:
+ - leftOperand: "cx-policy:Membership"
+ operator: "odrl:eq"
+ rightOperand: "active"
+ - leftOperand: "cx-policy:FrameworkAgreement"
+ operator: "odrl:eq"
+ rightOperand: "circulareconomy:1.0"
+ - leftOperand: "cx-policy:UsagePurpose"
+ operator: "odrl:eq"
+ rightOperand: "cx.circular.dpp:1"
+ prohibition: [ ]
+ obligation: [ ]
 digitalTwinRegistry:
 endpoints:
 search: "/lookup/shells"
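Review bot: `prohibition: [ ]` and `obligation: [ ]` use a padded empty flow sequence; the conventional spelling (yamllint/Prettier default) is `prohibition: []` and `obligation: []`. The `# -- the strict mode is quicker (uses hashes) …` comment runs well past 120 characters and should be wrapped onto two comment lines so the values file stays readable in a diff. The same two points apply to the `digitalTwinRegistry.policyCheck` hunk of this file and to both hunks of `dpp-backend/charts/digital-product-pass-backend/values.yaml`, which repeat this block verbatim.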
@@ -222,6 +222,26 @@ backend:
 enabled: true
 # -- lifetime of the temporaryStorage in hours
 lifetime: 12
+ # -- policy configuration for the digital twin assets in the edc catalog
+ policyCheck:
+ # -- condition to enable and disable the policy check
+ enabled: true
+ # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+ strictMode: false
+ # -- list of allowed policies that can be selected from the edc catalog in negotiations
+ policies:
+ - permission:
+ - action: "USE"
+ logicalConstraint: "odrl:and"
+ constraints:
+ - leftOperand: "cx-policy:Membership"
+ operator: "odrl:eq"
+ rightOperand: "active"
+ - leftOperand: "cx-policy:UsagePurpose"
+ operator: "odrl:eq"
+ rightOperand: "cx.core.digitalTwinRegistry:1"
+ prohibition: [ ]
+ obligation: [ ]
 # -- discovery configuration
 discovery:
 # -- discovery finder configuration
diff --git a/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml b/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml
index bed65ec8a..aa5b8e792 100644
--- a/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml
+++ b/dpp-backend/charts/digital-product-pass-backend/templates/configmap.yaml
@@ -105,6 +105,12 @@ data:
 temporaryStorage:
 enabled: {{ .Values.digitalTwinRegistry.temporaryStorage.enabled }}
 lifetime: {{ .Values.digitalTwinRegistry.temporaryStorage.lifetime }}
+ # -- policy configuration for the digital twin registries negotiation
+ policyCheck:
+ enabled: {{ .Values.digitalTwinRegistry.policyCheck.enabled }}
+ strictMode: {{ .Values.digitalTwinRegistry.policyCheck.strictMode }}
+ policies: {{- toYaml .Values.digitalTwinRegistry.policyCheck.policies | nindent 10 }}
+
 # -- discovery configuration
 discovery:
 # -- discovery finder configuration
@@ -136,6 +142,11 @@ data:
 dir: "data/transfer"
 # -- passport versions and aspects allowed
 aspects: {{- toYaml .Values.passport.aspects | nindent 10 }}
+ # -- policy configuration for the digital product pass aspect models negotiation
+ policyCheck:
+ enabled: {{ .Values.passport.policyCheck.enabled }}
+ strictMode: {{ .Values.passport.policyCheck.strictMode }}
+ policies: {{- toYaml .Values.passport.policyCheck.policies | nindent 10 }}
 # -- configuration of the spring boot server
 server:
 # -- configuration of backend errors
diff --git a/dpp-backend/charts/digital-product-pass-backend/values.yaml b/dpp-backend/charts/digital-product-pass-backend/values.yaml
index 2bdc25d06..c73bbd75f 100644
--- a/dpp-backend/charts/digital-product-pass-backend/values.yaml
+++ b/dpp-backend/charts/digital-product-pass-backend/values.yaml
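Review bot: The doc comment on the new passport `policyCheck` block (`# -- policy configuration for the digital product pass aspect models negotiation`) describes the same backend setting that `charts/digital-product-pass/templates/configmap-backend.yaml` annotates in this commit as `# -- policy configuration for passport retrieval (for auto-signing only)`; the two charts should carry one description, and the "auto-signing only" scope is the more useful caveat for an operator editing the allowlist. Suggest `# -- policy configuration for passport retrieval (used for auto-signing only)` in both templates. These comments presumably sit inside the `application.yaml` block scalar, as in the sibling chart, and are therefore shipped into the rendered ConfigMap, so keeping them short and accurate matters.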
@@ -102,7 +102,29 @@ passport:
 - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"
 - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"
 - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"
-
+ # -- configuration for policies to filter in the digital product pass asset negotiation
+ policyCheck:
+ # -- condition to enable and disable the policy check
+ enabled: true
+ # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value
+ strictMode: false
+ # -- list of allowed policies that can be selected from the edc catalog in negotiations
+ policies:
+ - permission:
+ - action: "USE"
+ logicalConstraint: "odrl:and"
+ constraints:
+ - leftOperand: "cx-policy:Membership"
+ operator: "odrl:eq"
+ rightOperand: "active"
+ - leftOperand: "cx-policy:FrameworkAgreement"
+ operator: "odrl:eq"
+ rightOperand: "circulareconomy:1.0"
+ - leftOperand: "cx-policy:UsagePurpose"
+ operator: "odrl:eq"
+ rightOperand: "cx.circular.dpp:1"
+ prohibition: [ ]
+ obligation: [ ]
 digitalTwinRegistry:
 endpoints:
 search: "/lookup/shells"
@@ -118,7 +140,26 @@ digitalTwinRegistry: temporaryStorage: enabled: true lifetime: 12 # -- Hours - + # -- policy configuration for the digital twin assets in the edc catalog + policyCheck: + # -- condition to enable and disable the policy check + enabled: true + # -- the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value + strictMode: false + # -- list of allowed policies that can be selected from the edc catalog in negotiations + policies: + - permission: + - action: "USE" + logicalConstraint: "odrl:and" + constraints: + - leftOperand: "cx-policy:Membership" + operator: "odrl:eq" + rightOperand: "active" + - leftOperand: "cx-policy:UsagePurpose" + operator: "odrl:eq" + rightOperand: "cx.core.digitalTwinRegistry:1" + prohibition: [ ] + obligation: [ ] # -- discovery configuration discovery: # -- discovery finder configuration diff --git a/dpp-backend/digitalproductpass/src/main/resources/application.yml b/dpp-backend/digitalproductpass/src/main/resources/application.yml index a76835bf9..bdbb88bf4 100644 --- a/dpp-backend/digitalproductpass/src/main/resources/application.yml +++ b/dpp-backend/digitalproductpass/src/main/resources/application.yml @@ -134,21 +134,6 @@ configuration: passport: searchIdSchema: "CX::" - policyCheck: - enabled: true - permission: - prefix: "cx-policy" - any: true - constraints: - - leftOperand: "FrameworkAgreement" - operator: "eq" - rightOperand: "circulareconomy:1.0" - - leftOperand: "UsagePurpose" - operator: "eq" - rightOperand: "cx.circular.dpp:1" - - leftOperand: "Membership" - operator: "eq" - rightOperand: "active" dataTransfer: encrypt: true indent: true 
@@ -156,6 +141,26 @@ configuration: aspects: - "urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport" - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass" + - "urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass" + - "urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport" + policyCheck: + enabled: true + policies: + - permission: + - action: "USE" + logicalConstraint: "odrl:and" + constraints: + - leftOperand: "cx-policy:Membership" + operator: "odrl:eq" + rightOperand: "active" + - leftOperand: "cx-policy:FrameworkAgreement" + operator: "odrl:eq" + rightOperand: "circulareconomy:1.0" + - leftOperand: "cx-policy:UsagePurpose" + operator: "odrl:eq" + rightOperand: "cx.circular.dpp:1" + prohibition: [ ] + obligation: [ ] vault: type: 'local' diff --git a/dpp-backend/digitalproductpass/src/test/resources/application-test.yml b/dpp-backend/digitalproductpass/src/test/resources/application-test.yml index 6c7454194..a432b4950 100644 --- a/dpp-backend/digitalproductpass/src/test/resources/application-test.yml +++ b/dpp-backend/digitalproductpass/src/test/resources/application-test.yml @@ -85,7 +85,7 @@ configuration: semanticIdTypeKey: 'Submodel' policyCheck: enabled: true - strictMode: false + strictMode: false # The strict mode is quicker and requires less computation complexity, the default mode is comparing against every single object value # List of allowed permissions policies policies: - permission: @@ -134,21 +134,6 @@ configuration: passport: searchIdSchema: "CX::" - policyCheck: - enabled: true - permission: - prefix: "cx-policy" - any: true - constraints: - - leftOperand: "FrameworkAgreement" - operator: "eq" - rightOperand: "circulareconomy:1.0" - - leftOperand: "UsagePurpose" - operator: "eq" - rightOperand: "cx.circular.dpp:1" - - leftOperand: "Membership" - operator: "eq" - rightOperand: "active" dataTransfer: encrypt: true indent: true 
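Review bot: The new `passport.policyCheck` block in `application.yml` sets `enabled: true` and `policies:` but no `strictMode`, while the chart values added in this commit and the `policyCheck` block visible at line 85 of `application-test.yml` both spell out `strictMode: false`. If the backing configuration class has no default for `strictMode`, a standalone run and a chart-rendered run of the backend would evaluate the allowlist differently; add `strictMode: false` directly after `enabled: true` so the three sources agree. The same omission is in the `application-test.yml` hunk at the end of this diff. This hunk also adds two passport aspects that are unrelated to the policy change and would be easier to review as a separate change.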
@@ -156,6 +141,24 @@ configuration: aspects: - "urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport" - "urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass" + policyCheck: + enabled: true + policies: + - permission: + - action: "USE" + logicalConstraint: "odrl:and" + constraints: + - leftOperand: "cx-policy:Membership" + operator: "odrl:eq" + rightOperand: "active" + - leftOperand: "cx-policy:FrameworkAgreement" + operator: "odrl:eq" + rightOperand: "circulareconomy:1.0" + - leftOperand: "cx-policy:UsagePurpose" + operator: "odrl:eq" + rightOperand: "cx.circular.dpp:1" + prohibition: [ ] + obligation: [ ] vault: type: 'local'