Merge branch 'main' into chore/edc-0.7.0
tom-rm-meyer-ISST committed May 16, 2024
2 parents a646855 + 39d1045 commit 1764ce4
Showing 6 changed files with 3,325 additions and 1,840 deletions.
@@ -20,6 +20,7 @@

package org.eclipse.tractusx.puris.backend.delivery.logic.service;

import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@@ -139,13 +140,16 @@ public boolean validate(OwnDelivery delivery) {
}

private boolean validateTransitEvent(OwnDelivery delivery) {
var now = new Date().getTime();
return
delivery.getDepartureType() != null &&
(delivery.getDepartureType() == EventTypeEnumeration.ESTIMATED_DEPARTURE || delivery.getDepartureType() == EventTypeEnumeration.ACTUAL_DEPARTURE) &&
delivery.getArrivalType() != null &&
(delivery.getArrivalType() == EventTypeEnumeration.ESTIMATED_ARRIVAL || delivery.getArrivalType() == EventTypeEnumeration.ACTUAL_ARRIVAL) &&
!(delivery.getDepartureType() == EventTypeEnumeration.ESTIMATED_DEPARTURE && delivery.getArrivalType() == EventTypeEnumeration.ACTUAL_ARRIVAL) &&
delivery.getDateOfDeparture().getTime() < delivery.getDateOfArrival().getTime();
delivery.getDateOfDeparture().getTime() < delivery.getDateOfArrival().getTime() &&
(delivery.getArrivalType() != EventTypeEnumeration.ACTUAL_ARRIVAL || delivery.getDateOfArrival().getTime() < now) &&
(delivery.getDepartureType() != EventTypeEnumeration.ACTUAL_DEPARTURE || delivery.getDateOfDeparture().getTime() < now);
}

private boolean validateResponsibility(OwnDelivery delivery) {
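Review bot: the two new ACTUAL_* conditions compare against `new Date().getTime()` taken inside the validator, so the rule cannot be unit-tested without depending on the wall clock, and because the comparison is strict (`< now`) an actual departure or arrival stamped at exactly the validation instant is rejected. Inject a `java.time.Clock` (or pass `now` in as a parameter) and state explicitly whether `<=` is intended. The dereferences `delivery.getDateOfDeparture().getTime()` and `delivery.getDateOfArrival().getTime()` still have no null guard, so a delivery with a type set but a missing date throws a NullPointerException instead of returning false.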
@@ -20,6 +20,7 @@

package org.eclipse.tractusx.puris.backend.delivery.logic.service;

import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@@ -128,13 +129,16 @@ public boolean validate(ReportedDelivery delivery) {
}

private boolean validateTransitEvent(ReportedDelivery delivery) {
var now = new Date().getTime();
return
delivery.getDepartureType() != null &&
(delivery.getDepartureType() == EventTypeEnumeration.ESTIMATED_DEPARTURE || delivery.getDepartureType() == EventTypeEnumeration.ACTUAL_DEPARTURE) &&
delivery.getArrivalType() != null &&
(delivery.getArrivalType() == EventTypeEnumeration.ESTIMATED_ARRIVAL || delivery.getArrivalType() == EventTypeEnumeration.ACTUAL_ARRIVAL) &&
!(delivery.getDepartureType() == EventTypeEnumeration.ESTIMATED_DEPARTURE && delivery.getArrivalType() == EventTypeEnumeration.ACTUAL_ARRIVAL) &&
delivery.getDateOfDeparture().getTime() < delivery.getDateOfArrival().getTime();
delivery.getDateOfDeparture().getTime() < delivery.getDateOfArrival().getTime() &&
(delivery.getArrivalType() != EventTypeEnumeration.ACTUAL_ARRIVAL || delivery.getDateOfArrival().getTime() < now) &&
(delivery.getDepartureType() != EventTypeEnumeration.ACTUAL_DEPARTURE || delivery.getDateOfDeparture().getTime() < now);
}

private boolean validateResponsibility(ReportedDelivery delivery) {
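Review bot: this block is a line-for-line copy of the OwnDelivery validator above; move the transit-event rules into one shared helper so the two cannot drift apart on the next change. For a ReportedDelivery the timestamps originate on the partner's system, so a strict `< now` against the local clock rejects a legitimately actual event from a partner whose clock is a few seconds ahead; decide on a documented tolerance (or an explicit requirement that both sides are time-synchronised) rather than leaving the behaviour implicit.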
@@ -199,9 +199,7 @@ public ResponseEntity<List<PartnerDto>> refreshReportedProductions(@RequestParam

private DemandDto convertToDto(OwnDemand entity) {
DemandDto dto = modelMapper.map(entity, DemandDto.class);
var materialPartnerRelation = mprService.find(entity.getMaterial().getOwnMaterialNumber(),
entity.getPartner().getUuid());
dto.setOwnMaterialNumber(materialPartnerRelation.getPartnerMaterialNumber());
dto.setOwnMaterialNumber(entity.getMaterial().getOwnMaterialNumber());
dto.setPartnerBpnl(entity.getPartner().getBpnl());

return dto;
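Review bot: with the `mprService.find(...)` call removed, check whether `mprService` is still used anywhere else in this controller; if not, the field and its wiring are now dead and should go. The removed lookup also acted as an implicit check that a material-partner relation exists for this material/partner pair (the old code dereferenced its result); if that relation is what authorises the partner to see this demand, make sure it is still enforced elsewhere. Finally, `ownMaterialNumber` previously carried the partner's material number, so this silently changes the response payload; confirm API consumers and the Postman collection expect the own material number.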
64 changes: 47 additions & 17 deletions docs/security-assessment.md
@@ -4,10 +4,10 @@
| ------------------------- | ---------------------------------------------------------------------------------------------- |
| Contact for product | [@tom-rm-meyer-ISST](https://github.com/tom-rm-meyer-ISST) |
| Security responsible | [@SSIRKC](https://github.com/SSIRKC) <br> [@szymonkowalczykzf](https://github.com/szymonkowalczykzf) |
| Version number of product | 23.12 |
| Version number of product | 24.05 |
| Dates of assessment | 2023-12-11: Assessment |
| Dates of last re-assessment| 2024-02-16: Re-Assessment |
| Status of assessment | RE-ASSESSMENT DONE |
| Dates of last re-assessment| 2024-05-13: Re-Assessment |
| Status of assessment | RE-ASSESSMENT DONE & APPROVED |

## Product Description
Application Security review provides information about application design, architecture and current security state.
@@ -46,38 +46,49 @@ flowchart TD
A(Customer \n Human User)
A2(Puris Endpoint App \n Data Provider \n Out of Scope)
A3(EDC \n Eclipse Data Space Components Connector \n C-X Member \n Out of Scope)
A4(Digital Twin Registry)
B(EDC \n ECLIPSE DataSpace Components Connector \n C-X Operator \n Out of Scope)
C(Vue User Interface)
C(React User Interface)
D6(Master Data Controller \n Exposed for external system based on API Keys \n Out of scope)
D7(Product Measures Visualization \n Just visualization of the data \n Out of scope - Not yet developped)
D(Stock View Controller)
D2(EDC View Controller)
D3(Data Request Controller)
D3(Data Request Controller - Separtate \n Instance for each controller like \n Stock / Demand / Production / Delivery)
D4(Data Response Controller)
D5[(PostgreSQL DB \n Main Database)]
D8(Digital Twin Registry)
D9(DTR Adapter Service)
D10(Production Controller)
D11(Delivery Controller)
D12(Demand Controller)
A-->|Main functionality is possibility to view & manage stocks with Business Partners. \n Enter stock information manually. \n View the Supply Dashboard to check a supply situation between Partner & Customer \n for Partner and Supplier. \n HTTPS Protocol|C
A-->|Main functionality is possibility to view and manage stocks with Business Partners. \n Enter stock information, production, demand and delivery information manually. \n View the Supply Dashboard - check a supply situation between Partner & Customer or \n Partner and Supplier and manage its data. \n HTTPS|C
A2-->|Providing Customer data on stocks & supplies \n HTTPS Protocol|A3
C-->|Read & Write access|D
C-->|Read access|D2
C-->|Read & Write access \n HTTPS|D
C-->|Read access \n HTTPS|D2
C-->|Read & Write access \n HTTPS|D10
C-->|Read & Write access \n HTTPS|D11
C-->|Read & Write access \n HTTPS|D12
A3-->|View Data \n Negotiate Contracts \n Initialize & Perform Data Transfers \n HTTPS Protocol|B
A3-->|Read Data - Looking up for dsigital twins. \n HTTPS|A4
B-->|Read Data - Looking up for dsigital twins. \n HTTPS|D8
D-->|Data Read & Write \n TCP9092|D5
D3-->|Data Read & Write \n TCP9092|D5
D4-->|Data Read & Write \n TCP9092|D5
D3-->|Forwarding Data Response \n HTTPS Protocol|B
D9-->|Update & Read Data \n HTTPS|D8
B-->|Forwarding Data Requests \n HTTPS Protocol|D3
B-->|List catalog, negotiations \n and transfers, \n Read Access \n HTTPS Protocol|D2
D10-->|Data Read & Write \n TCP 9092|D5
D11-->|Data Read & Write \n TCP 9092|D5
D12-->|Data Read & Write \n TCP 9092|D5
B<-->|Forwarding Data Response \n HTTPS Protocol|D4
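Review bot: typos in the new labels: "Separtate" in the D3 node and "dsigital" in both the A3-->A4 and B-->D8 edges. The new D10/D11/D12 database edges are labelled "TCP 9092" while the existing D/D3/D4 edges say "TCP9092"; use one form. More importantly, 9092 is the default Kafka port, whereas the D5 node is labelled PostgreSQL, which listens on 5432 by default; confirm the real port before this diagram is used as the data-flow record for the assessment. The A3-->A4 and B-->D8 edges carry identical labels for what are presumably two different registries (customer-side and operator-side); a label that says which DTR each one reaches would help.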
@@ -88,15 +99,17 @@ flowchart TD
A2
A3
A4
end
end
subgraph Catena - X Environment
D8
B
subgraph PURIS Product
subgraph PURIS Product - View Frontend
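Review bot: D8 (Digital Twin Registry) is placed in the "Catena - X Environment" subgraph, i.e. outside the PURIS product boundary, while the flowchart above gives D9 an "Update & Read Data" edge into it. A write path from the backend into an external registry is a new trust-boundary crossing and needs its own entry in the vulnerability list covering how D9 authenticates to the DTR and where that credential is stored; none of the new V005, V006 or V007 entries below covers it.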
@@ -105,12 +118,15 @@ B
subgraph PURIS Product - Java Backend
D6
D7
D2
D3
D
D5
D4
D10
D11
D12
D9
end
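Review bot: D9 (DTR Adapter Service) is added to the Java Backend subgraph, but in the visible part of the flowchart the only edge touching it is D9-->D8; nothing from the frontend or from any controller reaches D9. Either it is invoked internally by one of the controllers (say so in a label or edge) or an edge is missing, and the assessment reader cannot tell which.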
@@ -148,11 +164,25 @@ B
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
| Mitigation | Product Team currently working on SSL. Team already implemented and enforce HTTPS for the front end of the product. Additionally, the admin guide explains how to serve the backend with spring configuration. It also includes configuration of HTTPS with docker. Guide was created on how to configure HTTPS with docker. There are currently some Cores issues that were detected and are being investigated, probably needs spring reconfiguration. It was fixed. Issues happened cause of self signed certificates. The issue is already solved. SSL was also already integrated to the Product. |

| V005 | Lack of rate limiting on API level, that make API vulnerable for denial of service |
| ------------------------- | ------------------------- |
| Element | PURIS Product |
| Before Mitigation | Impact: Medium, Likelihood: Medium, Risk: Medium |
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
| Mitigation | Enable rate limiting that will allow to setup a maximum number of request that may be handled by the application at once which will allow to secure it from denial of service type of attacks generated by too large number of requests flooding the application. |

| V006 | Lack of logging and monitoring solution in place, that can hinder the detection of security incidents, performance issues and operational anomalies. |
| ------------------------- | ------------------------- |
| Element | PURIS Product |
| Before Mitigation | Impact: Low, Likelihood: Medium, Risk: Medium |
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
| Mitigation | Properly identify confidential data that requires encryption. Allow possibility for configuration of use of strong encryption algorithm, like for example AES 256 bit or others. Make sure to store and manage encryption keys in secure storage, separately from the data they encrypt. |

| V007 | Encryption of confidential data at rest. |
| ------------------------- | ------------------------- |
| Element | PURIS Product |
| Before Mitigation | Impact: High, Likelihood: Low, Risk: Medium |
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
| Mitigation | Application is already logging every information about : every call to the respective EDC's, actions related to the exchange of data between partners, all authentication & authorization data Logging enchantments were completed. |

| V008 | Confirmed vulnerabilities with high severity for H2 Database. |
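Review bot: the Mitigation rows of V006 and V007 are swapped: V006 (logging and monitoring) carries the encryption-at-rest text, and V007 (encryption at rest) carries the logging text. In the logging row, "Logging enchantments" should read "Logging enhancements" and a sentence break is missing before it. V005's mitigation is written as a recommendation ("Enable rate limiting that will allow to setup a maximum number of request...") yet "After Mitigation" already rates the risk Low and the header table marks the re-assessment approved; state whether rate limiting is actually implemented and where it is configured. In the encryption text, "AES 256 bit" should also name a mode, preferably an AEAD such as AES-GCM, since the cipher alone gives no integrity protection.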
33 changes: 33 additions & 0 deletions local/postman/README.md
@@ -80,6 +80,39 @@ The following table shows the differences.
| now +3 day | 500 pieces | Series (SR99) | yes |
| now +4 day | 400 pieces | Series (SR99) | no |

### Delivery

There are 5 Deliveries created for each collection. They all share the same

- originBpns (SUPPLIER_BPNS)
- destinationBpns (CUSTOMER_BPNS)

#### Supplier deliveries

- ownMaterialNumber (MATERIAL_NUMBER_SUPPLIER)
- partnerBpnl (CUSTOMER_BPNL)

| Departure | Type | Arrival | Type | Quantity | Incoterm | Origin BPNA set | Destination BPNA set | Customer Order Number | Customer Position Number | Supplier Order Number |
|-------------|------------|--------------|------------|------------|----------------|-----------------|----------------------|-----------------------|--------------------------|-----------------------|
| now -1 day | actual | now | actual | 50 pieces | FAS | yes | yes | null | null | null |
| now | actual | now + 1 days | estimated | 100 pieces | DAP | yes | yes | null | null | null |
| now +1 day | estimated | now + 2 days | estimated | 200 pieces | DPU | yes | no | C-Nbr-1 | C-Position-01 | null |
| now +2 days | estimated | now + 3 days | estimated | 300 pieces | CPT | no | yes | C-Nbr-1 | C-Position-01 | S-Nbr-1 |
| now +3 days | estimated | now + 4 days | estimated | 400 pieces | CIP | no | no | null | null | null |

#### Customer deliveries

- ownMaterialNumber (MATERIAL_NUMBER_CUSTOMER)
- partnerBpnl (SUPPLIER_BPNL)

| Departure | Type | Arrival | Type | Quantity | Incoterm | Origin BPNA set | Destination BPNA set | Customer Order Number | Customer Position Number | Supplier Order Number |
|-------------|------------|--------------|------------|------------|----------------|-----------------|----------------------|-----------------------|--------------------------|-----------------------|
| now -1 day | actual | now | actual | 50 pieces | CIF | yes | yes | null | null | null |
| now | actual | now + 1 days | estimated | 100 pieces | EXW | yes | yes | null | null | null |
| now +1 day | estimated | now + 2 days | estimated | 200 pieces | FAS | yes | no | C-Nbr-1 | C-Position-01 | null |
| now +2 days | estimated | now + 3 days | estimated | 300 pieces | FOB | no | yes | C-Nbr-1 | C-Position-01 | S-Nbr-1 |
| now +3 days | estimated | now + 4 days | estimated | 400 pieces | CFR | no | no | null | null | null |

### Supplier

Overall the supplier has the following information:
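Review bot: "They all share the same" needs a colon (or "the same values for") before the list. The tables mix "now +1 day", "now + 2 days" and "now +2 days"; normalise the wording. The first two rows of each table use an actual departure or arrival dated "now"; the validators changed in this same commit accept an actual event only if its timestamp is strictly before the backend's clock at validation time, so these rows only pass because the request is sent after the timestamp is generated. A sentence here explaining that an "actual" row dated "now" is rejected when the backend clock lags the client would save collection users a confusing failure.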
0 comments on commit 1764ce4