feat: Token service

build.gradle

@@ -4,6 +4,7 @@ plugins {
     id 'io.spring.dependency-management' version "${springDependencyVersion}"
     id "jacoco"
     id 'project-report'
+    id 'org.openapi.generator' version '7.1.0'
 
     // used to download the 'dash.jar' for license checks
     // docs: https://github.com/michel-kraemer/gradle-download-task
@@ -14,6 +15,14 @@ group = "${groupName}"
 version = "${applicationVersion}"
 sourceCompatibility = JavaVersion.VERSION_17
 
+sourceSets {
+    main {
+        java {
+            srcDir "$buildDir/generated/src/main/java"
+        }
+    }
+}
+
 // alias for Project.getConfigurations()
 configurations {
     // add a custom config to avoid applying the dev-tools to a production app
@@ -245,6 +254,22 @@ jacoco {
     toolVersion = "${jacocoVersion}"
 }
 
+openApiGenerate {
+    generatorName.set('spring')
+    inputSpec.set("$rootDir/docs/secure-token-service-openapi.yml")
+    outputDir.set("$buildDir/generated")
+
+    apiPackage.set('org.eclipse.tractusx.managedidentitywallets.adapter.controller')
+    modelPackage.set('org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto')
+
+    configOptions.set([
+        interfaceOnly: "true",
+        requestMappingMode: "api_interface",
+        useSpringBoot3: "true",
+        skipDefaultInterface: "true",
+        openApiNullable: "false",
+    ])
+}
 
 // 'jacocoTestCoverageVerification' is provided by the 'jacoco' plugin
 // docs: https://docs.gradle.org/current/userguide/jacoco_plugin.html#sec:jacoco_report_violation_rules

docs/secure-token-service-openapi.yml

@@ -0,0 +1,94 @@
+openapi: 3.0.1
+info:
+  title: ""
+  version: ""
+  contact:
+    email: "[email protected]"
+paths:
+  /token:
+    post:
+      operationId: token
+      requestBody:
+        content:
+          application/x-www-form-urlencoded:
+            encoding:
+              access_token:
+                style: form
+              audience:
+                style: form
+              bearer_access_alias:
+                style: form
+              bearer_access_scope:
+                style: form
+              client_id:
+                style: form
+              client_secret:
+                style: form
+              grant_type:
+                style: form
+            schema:
+              type: object
+              properties:
+                access_token:
+                  type: string
+                  description: VP access token to be added as a claim in the SI token
+                audience:
+                  type: string
+                  description: Audience for the SI token
+                bearer_access_alias:
+                  type: string
+                  description: Alias to be use in the sub of the VP access token (default
+                    is audience)
+                bearer_access_scope:
+                  type: string
+                  description: Scope to be added in the VP access token
+                client_id:
+                  type: string
+                  description: Id of the client requesting an SI token
+                client_secret:
+                  type: string
+                  description: Secret of the client requesting an SI token
+                grant_type:
+                  type: string
+                  description: "Type of grant: must be set to client_credentials"
+              required:
+              - audience
+              - client_id
+              - client_secret
+              - grant_type
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/StsTokenResponse'
+          description: The Self-Issued ID token
+        "400":
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/StsTokenErrorResponse'
+          description: Invalid Request
+      tags:
+      - Secure Token Service Api
+components:
+  schemas:
+    StsTokenErrorResponse:
+      type: object
+      properties:
+        error:
+          type: string
+        error_description:
+          type: string
+    StsTokenResponse:
+      type: object
+      properties:
+        access_token:
+          type: string
+        expires_in:
+          type: integer
+          format: int64
+        token_type:
+          type: string

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/BaseController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/BaseController.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 import org.eclipse.tractusx.managedidentitywallets.constant.StringPool;
 import org.eclipse.tractusx.managedidentitywallets.exception.ForbiddenException;

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/DidDocumentController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/DidDocumentController.java

@@ -19,16 +19,17 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.DidDocumentControllerApiDocs.BpnParameterDoc;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.DidDocumentControllerApiDocs.DidOrBpnParameterDoc;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.DidDocumentControllerApiDocs.GetDidDocumentApiDocs;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.DidDocumentControllerApiDocs.GetDidResolveApiDocs;
+
+import org.eclipse.tractusx.managedidentitywallets.adapter.did.DidDocumentService;
 import org.eclipse.tractusx.managedidentitywallets.constant.RestURI;
-import org.eclipse.tractusx.managedidentitywallets.service.DidDocumentService;
 import org.eclipse.tractusx.ssi.lib.model.did.DidDocument;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/HoldersCredentialController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/HoldersCredentialController.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 
 import jakarta.validation.constraints.Max;

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/IssuersCredentialController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/IssuersCredentialController.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.media.ExampleObject;
@@ -35,10 +35,10 @@
 import org.eclipse.tractusx.managedidentitywallets.apidocs.IssuersCredentialControllerApiDocs.IssueFrameworkCredentialApiDocs;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.IssuersCredentialControllerApiDocs.IssueVerifiableCredentialUsingBaseWalletApiDocs;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.IssuersCredentialControllerApiDocs.ValidateVerifiableCredentialApiDocs;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.IssueDismantlerCredentialRequest;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.IssueFrameworkCredentialRequest;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.IssueMembershipCredentialRequest;
 import org.eclipse.tractusx.managedidentitywallets.constant.RestURI;
-import org.eclipse.tractusx.managedidentitywallets.dto.IssueDismantlerCredentialRequest;
-import org.eclipse.tractusx.managedidentitywallets.dto.IssueFrameworkCredentialRequest;
-import org.eclipse.tractusx.managedidentitywallets.dto.IssueMembershipCredentialRequest;
 import org.eclipse.tractusx.managedidentitywallets.service.IssuersCredentialService;
 import org.eclipse.tractusx.ssi.lib.model.verifiable.credential.VerifiableCredential;
 import org.springframework.data.domain.PageImpl;

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/PresentationController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/PresentationController.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 import io.swagger.v3.oas.annotations.Parameter;
 import lombok.RequiredArgsConstructor;

src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/SecureTokenController.java

@@ -0,0 +1,68 @@
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
+
+import java.util.Optional;
+import java.util.Set;
+
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.StsTokenErrorResponse;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.StsTokenResponse;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.exception.UnsupportedGrantTypeException;
+import org.eclipse.tractusx.managedidentitywallets.domain.DID;
+import org.eclipse.tractusx.managedidentitywallets.service.SecureTokenService;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import lombok.SneakyThrows;
+
+@RestController
+@RequiredArgsConstructor
+public class SecureTokenController implements TokenApi {
+
+  private static final String CLIENT_CREDENTIALS = "client_credentials";
+  private static final String TOKEN_TYPE_BEARER = "Bearer";
+
+  private final SecureTokenService tokenService;
+
+  @Override
+  @SneakyThrows
+  public ResponseEntity<StsTokenResponse> token(
+      @Valid String audience, @Valid String clientId, @Valid String clientSecret, @Valid String grantType,
+      @Valid String accessToken, @Valid String bearerAccessAlias, @Valid String bearerAccessScope) {
+    if (!grantType.equals(CLIENT_CREDENTIALS)) {
+      throw new UnsupportedGrantTypeException("Selected GrantType is not supported.");
+    }
+
+    // Authentication is handled in {@link
+    // org.eclipse.tractusx.managedidentitywallets.adapter.controller.filter.ClientCredentialsFilter}
+    // and {@link
+    // org.eclipse.tractusx.managedidentitywallets.adapter.controller.filter.FilterConfig}
+
+    JWT jwt;
+    if (accessToken != null && !accessToken.isBlank()) {
+      jwt = tokenService.issueToken(new DID(clientId), new DID(audience), JWTParser.parse(accessToken));
+    } else {
+      jwt = tokenService.issueToken(new DID(clientId), new DID(audience),
+          Optional.of(bearerAccessScope).map(scopes -> Set.of(scopes.split(" "))).orElse(Set.of()));
+    }
+
+    StsTokenResponse response = new StsTokenResponse();
+    response.setAccessToken(jwt.toString());
+    response.setExpiresIn(jwt.getJWTClaimsSet().getExpirationTime().getTime());
+    response.setTokenType(TOKEN_TYPE_BEARER);
+    return ResponseEntity.ok().build();
+  }
+
+  @ExceptionHandler(UnsupportedGrantTypeException.class)
+  public ResponseEntity<StsTokenErrorResponse> getErrorResponse(RuntimeException e) {
+    StsTokenErrorResponse response = new StsTokenErrorResponse();
+    response.setError("client_metadata_value_not_supported");
+    response.setErrorDescription(e.getMessage());
+    return ResponseEntity.badRequest().body(response);
+  }
+
+}

src/main/java/org/eclipse/tractusx/managedidentitywallets/controller/WalletController.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/WalletController.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.controller;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller;
 
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
@@ -35,9 +35,9 @@
 import org.eclipse.tractusx.managedidentitywallets.apidocs.WalletControllerApiDocs.SortColumnParameterDoc;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.WalletControllerApiDocs.SortTypeParameterDoc;
 import org.eclipse.tractusx.managedidentitywallets.apidocs.WalletControllerApiDocs.StoreVerifiableCredentialApiDoc;
+import org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto.CreateWalletRequest;
+import org.eclipse.tractusx.managedidentitywallets.adapter.persistence.dao.entity.Wallet;
 import org.eclipse.tractusx.managedidentitywallets.constant.RestURI;
-import org.eclipse.tractusx.managedidentitywallets.dao.entity.Wallet;
-import org.eclipse.tractusx.managedidentitywallets.dto.CreateWalletRequest;
 import org.eclipse.tractusx.managedidentitywallets.service.WalletService;
 import org.springframework.data.domain.Page;
 import org.springframework.http.HttpStatus;

src/main/java/org/eclipse/tractusx/managedidentitywallets/dto/CreateWalletRequest.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/dto/CreateWalletRequest.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.dto;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto;
 
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Pattern;

src/main/java/org/eclipse/tractusx/managedidentitywallets/dto/IssueDismantlerCredentialRequest.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/dto/IssueDismantlerCredentialRequest.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.dto;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto;
 
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Pattern;

src/main/java/org/eclipse/tractusx/managedidentitywallets/dto/IssueFrameworkCredentialRequest.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/dto/IssueFrameworkCredentialRequest.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.dto;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.validation.constraints.NotBlank;

src/main/java/org/eclipse/tractusx/managedidentitywallets/dto/IssueMembershipCredentialRequest.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/dto/IssueMembershipCredentialRequest.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.dto;
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller.dto;
 
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Pattern;

src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/controller/exception/UnsupportedGrantTypeException.java

@@ -0,0 +1,10 @@
+package org.eclipse.tractusx.managedidentitywallets.adapter.controller.exception;
+
+public class UnsupportedGrantTypeException extends RuntimeException {
+
+  public UnsupportedGrantTypeException(String message) {
+    super(message);
+  }
+
+}
+

src/main/java/org/eclipse/tractusx/managedidentitywallets/service/DidDocumentResolverService.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/did/DidDocumentResolverService.java

@@ -19,7 +19,7 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.service;
+package org.eclipse.tractusx.managedidentitywallets.adapter.did;
 
 import lombok.Getter;
 import org.eclipse.tractusx.managedidentitywallets.config.MIWSettings;

src/main/java/org/eclipse/tractusx/managedidentitywallets/service/DidDocumentService.java → src/main/java/org/eclipse/tractusx/managedidentitywallets/adapter/did/DidDocumentService.java

@@ -19,10 +19,12 @@
  * ******************************************************************************
  */
 
-package org.eclipse.tractusx.managedidentitywallets.service;
+package org.eclipse.tractusx.managedidentitywallets.adapter.did;
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+
+import org.eclipse.tractusx.managedidentitywallets.service.CommonService;
 import org.eclipse.tractusx.ssi.lib.model.did.DidDocument;
 import org.springframework.stereotype.Service;