Merge pull request #361 from FraunhoferISST/feat/dtr-security

Feat: add identity provider to DTR

.github/workflows/helm-test.yml

@@ -112,18 +112,21 @@ jobs:
                     ct install --charts charts/puris --helm-extra-set-args "--set backend.image.repository=${{ env.REGISTRY }}/${{ env.APP_BACKEND_NAME}} --set backend.image.tag=${{ env.TAG }} --set frontend.image.repository=${{ env.REGISTRY }}/${{ env.APP_FRONTEND_NAME }} --set frontend.image.tag=${{ env.TAG }}"
                 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
 
-            -   name: Generate random password (This password is only a placeholder for the next step and will not used). The postgresPassword/password will be set via postgres-init.yaml.
+            -   name: Generate random password (This password is only a placeholder for the next step and will not used).
                 id: generate-password
                 run: |
                     echo "PASSWORD=PLACEHOLDER_PW" >> $GITHUB_ENV
 
             # Upgrade the released chart version with the locally available chart
             # default value for event_name != workflow_dispatch
+            # Setting passwords during upgrade:
+            # - The postgresPassword/password will be set via postgres-init.yaml.
+            # - The dtr.idp.clients.edc.puris.secret is new and needs to be set during upgrade as not set in previous version
             -   name: Run helm upgrade
                 run: |
                     helm repo add bitnami https://charts.bitnami.com/bitnami
                     helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
                     helm install puris tractusx-dev/puris --version ${{ github.event.inputs.upgrade_from || '1.0.0' }}
                     helm dependency update charts/puris
-                    helm upgrade puris charts/puris --set backend.puris.datasource.password=$PASSWORD
+                    helm upgrade puris charts/puris --set backend.puris.datasource.password=$PASSWORD --set backend.puris.dtr.idp.clients.puris.secret=$PASSWORD
                 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

DEPENDENCIES_BACKEND

@@ -9,6 +9,7 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.3
 maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.3, Apache-2.0, approved, #8803
 maven/mavencentral/com.fasterxml/classmate/1.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.jayway.jsonpath/json-path/2.8.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.squareup.okhttp3/mockwebserver/4.12.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
 maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
 maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
@@ -28,6 +29,7 @@ maven/mavencentral/jakarta.persistence/jakarta.persistence-api/3.1.0, EPL-2.0 OR
 maven/mavencentral/jakarta.transaction/jakarta.transaction-api/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jta
 maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, approved, ee4j.jaxb
+maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.11, Apache-2.0, approved, #7164
 maven/mavencentral/net.bytebuddy/byte-buddy/1.14.11, Apache-2.0 AND BSD-3-Clause, approved, #7163
 maven/mavencentral/net.minidev/accessors-smart/2.5.0, Apache-2.0, approved, clearlydefined
@@ -48,6 +50,7 @@ maven/mavencentral/org.eclipse.angus/angus-activation/2.0.1, EPL-2.0 OR GPL-2.0-
 maven/mavencentral/org.glassfish.jaxb/jaxb-core/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/jaxb-runtime/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/txw2/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
+maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.4.1.Final, LGPL-2.1-or-later AND (EPL-2.0 OR BSD-3-Clause) AND MIT, approved, #12490

backend/DEPENDENCIES

@@ -9,6 +9,7 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.3
 maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.3, Apache-2.0, approved, #8803
 maven/mavencentral/com.fasterxml/classmate/1.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.jayway.jsonpath/json-path/2.8.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.squareup.okhttp3/mockwebserver/4.12.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
 maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
 maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
@@ -28,6 +29,7 @@ maven/mavencentral/jakarta.persistence/jakarta.persistence-api/3.1.0, EPL-2.0 OR
 maven/mavencentral/jakarta.transaction/jakarta.transaction-api/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jta
 maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, approved, ee4j.jaxb
+maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.11, Apache-2.0, approved, #7164
 maven/mavencentral/net.bytebuddy/byte-buddy/1.14.11, Apache-2.0 AND BSD-3-Clause, approved, #7163
 maven/mavencentral/net.minidev/accessors-smart/2.5.0, Apache-2.0, approved, clearlydefined
@@ -48,6 +50,7 @@ maven/mavencentral/org.eclipse.angus/angus-activation/2.0.1, EPL-2.0 OR GPL-2.0-
 maven/mavencentral/org.glassfish.jaxb/jaxb-core/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/jaxb-runtime/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/txw2/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
+maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.4.1.Final, LGPL-2.1-or-later AND (EPL-2.0 OR BSD-3-Clause) AND MIT, approved, #12490

backend/pom.xml

@@ -41,6 +41,7 @@
         <springdoc.version>2.3.0</springdoc.version>
         <hibernate-validator.version>8.0.1.Final</hibernate-validator.version>
         <snakeyaml.version>2.2</snakeyaml.version>
+        <okhttp.version>4.12.0</okhttp.version>
     </properties>
     <dependencies>
         <dependency>
@@ -99,7 +100,13 @@
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>okhttp</artifactId>
-            <version>4.12.0</version>
+            <version>${okhttp.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <version>${okhttp.version}</version>
+            <scope>test</scope>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.hibernate/hibernate-validator -->
         <dependency>
@@ -113,7 +120,6 @@
             <artifactId>modelmapper</artifactId>
             <version>3.2.0</version>
         </dependency>
-
     </dependencies>
 
     <pluginRepositories>

backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java

@@ -21,9 +21,11 @@
 package org.eclipse.tractusx.puris.backend.common.ddtr.logic;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import jakarta.annotation.Nullable;
 import lombok.extern.slf4j.Slf4j;
 import okhttp3.*;
 import org.eclipse.tractusx.puris.backend.common.ddtr.logic.util.DtrRequestBodyBuilder;
+import org.eclipse.tractusx.puris.backend.common.security.OAuth2ClientInterceptor;
 import org.eclipse.tractusx.puris.backend.common.util.VariablesService;
 import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Material;
 import org.eclipse.tractusx.puris.backend.masterdata.domain.model.MaterialPartnerRelation;
@@ -42,7 +44,7 @@
 @Service
 @Slf4j
 public class DtrAdapterService {
-    private static final OkHttpClient CLIENT = new OkHttpClient();
+    private OkHttpClient CLIENT;
 
     @Autowired
     private VariablesService variablesService;
@@ -53,6 +55,18 @@ public class DtrAdapterService {
     @Autowired
     private DigitalTwinMappingService digitalTwinMappingService;
 
+    @Autowired(required = false)
+    public DtrAdapterService(@Nullable OAuth2ClientInterceptor oAuth2ClientInterceptor) {
+        OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
+
+        // add client interceptor if enabled by property
+        if (oAuth2ClientInterceptor != null) {
+            clientBuilder.addInterceptor(oAuth2ClientInterceptor);
+        }
+
+        this.CLIENT = clientBuilder.build();
+    }
+
     private Response sendDtrPostRequest(JsonNode requestBody, List<String> pathSegments) throws IOException {
         HttpUrl.Builder urlBuilder = HttpUrl.parse(variablesService.getDtrUrl()).newBuilder();
         for (var pathSegment : pathSegments) {

backend/src/main/java/org/eclipse/tractusx/puris/backend/common/edc/logic/util/EdcRequestBodyBuilder.java

@@ -26,6 +26,7 @@
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import lombok.extern.slf4j.Slf4j;
+import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration;
 import org.eclipse.tractusx.puris.backend.common.util.VariablesService;
 import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Partner;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -42,6 +43,8 @@
 @Slf4j
 public class EdcRequestBodyBuilder {
 
+    @Autowired
+    private DtrSecurityConfiguration dtrSecurityConfig;
     @Autowired
     private VariablesService variablesService;
     @Autowired
@@ -388,6 +391,12 @@ public JsonNode buildDtrRegistrationBody() {
         dataAddress.put("proxyMethod", "false");
         dataAddress.put("type", "HttpData");
         dataAddress.put("baseUrl", url);
+        // if IDP is configured, grant only read-access via idp
+        if (dtrSecurityConfig.isOauth2InterceptorEnabled()) {
+            dataAddress.put("oauth2:clientId", dtrSecurityConfig.getEdcClientId());
+            dataAddress.put("oauth2:clientSecretKey", dtrSecurityConfig.getEdcClientSecretAlias());
+            dataAddress.put("oauth2:tokenUrl", dtrSecurityConfig.getTokenUrl());
+        }
         body.set("dataAddress", dataAddress);
 
         return body;

backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2024 Volkswagen AG
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.eclipse.tractusx.puris.backend.common.security;
+
+import lombok.Getter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Configuration for the DTR clients:
+ * <ul>
+ * <li>PURIS client using the DTR directly with write access</li>
+ * <li>EDC client allowing read access</li>
+ * </ul>
+ */
+@Getter
+@Configuration
+public class DtrSecurityConfiguration {
+
+    /**
+     * if true, then DTR is configured with IDP
+     **/
+    @Value("${puris.dtr.idp.enabled:false}")
+    private boolean oauth2InterceptorEnabled;
+    /**
+     * token url of the OAuth2 identity provider
+     **/
+    @Value("${puris.dtr.idp.tokenurl}")
+    private String tokenUrl;
+    /**
+     * client id of the puris client with write access for DTR
+     **/
+    @Value("${puris.dtr.idp.puris-client.id}")
+    private String purisClientId;
+    /**
+     * client secret of the puris client with write access for DTR
+     **/
+    @Value("${puris.dtr.idp.puris-client.secret}")
+    private String purisClientSecret;
+    /**
+     * grant_type. Currently only client_credentials is supported
+     **/
+    private final String grant_type = "client_credentials";
+
+    /**
+     * client id of the edc client with read access for DTR
+     **/
+    @Value("${puris.dtr.idp.edc-client.id}")
+    private String edcClientId;
+    /**
+     * vault alias for the client secret of the edc client with read access for DTR
+     **/
+    @Value("${puris.dtr.idp.edc-client.secret.alias}")
+    private String edcClientSecretAlias;
+}