feat: add delegated auth module (#1473)

* feat: add delegated auth + tests * update all charts * helm docs * DEPENDENCIES
eclipse-tractusx · Jul 30, 2024 · 33383aa · 33383aa
1 parent e255142
commit 33383aa
Show file tree

Hide file tree

Showing 15 changed files with 62 additions and 12 deletions.
diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml
@@ -86,7 +86,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - uses: ./.github/actions/run-deployment-test
-        name: "Run deployment test using KinD and Helm"
+        name: "Run deployment test using KinD and Helm - tokenbased auth"
         with:
           imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault"
           rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault"
@@ -101,9 +101,28 @@ jobs:
             kubectl rollout status deployment tx-prod-controlplane
             kubectl rollout status deployment tx-prod-dataplane
 
-            # execute the helm test
+            # execute the helm test using token based auth in the Management API
             helm test tx-prod
 
+      - uses: ./.github/actions/run-deployment-test
+        name: "Run deployment test using KinD and Helm - delegated auth"
+        with:
+          imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault"
+          rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault"
+          k8sversion: ${{ matrix.k8s-version }}
+          helm_command: |-
+            helm install tx-prod charts/tractusx-connector \
+            -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml \
+            --set controlplane.endpoints.management.jwksUrl="http://foo-bar.com/.well-known/jwks.json" \
+            --dependency-update \
+            --wait-for-jobs --timeout=120s    
+
+            # wait for the pod to become ready
+            kubectl rollout status deployment tx-prod-controlplane
+            kubectl rollout status deployment tx-prod-dataplane
+            
+            # no helm test here, because the delegated auth won't work without an actual IdP
+
   test-azure-vault-postgres:
     runs-on: ubuntu-latest
     needs: [ test-prepare, secret-presence ]

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -357,6 +357,7 @@ maven/mavencentral/org.eclipse.edc/asset-index-sql/0.8.1, Apache-2.0, approved,
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-configuration/0.8.1, Apache-2.0, approved, technology.edc
+maven/mavencentral/org.eclipse.edc/auth-delegated/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-tokenbased/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/autodoc-processor/0.8.1, Apache-2.0, approved, technology.edc
@@ -652,7 +653,7 @@ maven/mavencentral/org.testcontainers/database-commons/1.20.0, MIT, approved, cl
 maven/mavencentral/org.testcontainers/jdbc/1.20.0, MIT, approved, clearlydefined
 maven/mavencentral/org.testcontainers/junit-jupiter/1.20.0, MIT, approved, clearlydefined
 maven/mavencentral/org.testcontainers/postgresql/1.20.0, MIT, approved, clearlydefined
-maven/mavencentral/org.testcontainers/testcontainers/1.20.0, None, restricted, #15747
+maven/mavencentral/org.testcontainers/testcontainers/1.20.0, MIT, approved, #15747
 maven/mavencentral/org.xmlresolver/xmlresolver/5.2.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272
 maven/mavencentral/org.xmlunit/xmlunit-placeholders/2.9.1, Apache-2.0, approved, clearlydefined

diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
@@ -83,7 +83,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -93,8 +93,9 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls |
-| controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| controlplane.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| controlplane.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls |
 | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing |

diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -152,8 +152,14 @@ spec:
             #######
             # API #
             #######
+            {{- if .Values.controlplane.endpoints.management.jwksUrl }}
+            - name: "EDC_API_AUTH_DAC_KEY_URL"
+              value: {{ .Values.controlplane.endpoints.management.jwksUrl | quote}}
+            {{- else }}
             - name: "EDC_API_AUTH_KEY"
               value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }}
+            {{- end }}
+
             - name: "WEB_HTTP_DEFAULT_PORT"
               value: {{ .Values.controlplane.endpoints.default.port | quote }}
             - name: "WEB_HTTP_DEFAULT_PATH"

diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml
@@ -122,6 +122,8 @@ controlplane:
       path: /management
       # -- authentication key, must be attached to each request as `X-Api-Key` header
       authKey: "password"
+      # -- if the JWKS url is set, the DelegatedAuth service will be engaged
+      jwksUrl:
     # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
     control:
       # -- port for incoming api calls

diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md
@@ -83,7 +83,7 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.8.0-r
 | runtime.debug.enabled | bool | `false` | Enables java debugging mode. |
 | runtime.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | runtime.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| runtime.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
+| runtime.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
 | runtime.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | runtime.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | runtime.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -93,8 +93,9 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.8.0-r
 | runtime.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | runtime.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | runtime.endpoints.default.port | int | `8080` | port for incoming api calls |
-| runtime.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| runtime.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | runtime.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| runtime.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | runtime.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | runtime.endpoints.management.port | int | `8081` | port for incoming api calls |
 | runtime.endpoints.protocol | object | `{"path":"/api/v1/dsp","port":8084}` | dsp api, used for inter connector communication and must be internet facing |

diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
@@ -152,8 +152,14 @@ spec:
             #######
             # API #
             #######
+            {{- if .Values.runtime.endpoints.management.jwksUrl }}
+            - name: "EDC_API_AUTH_DAC_KEY_URL"
+              value: {{ .Values.runtime.endpoints.management.jwksUrl | quote}}
+            {{- else }}
             - name: "EDC_API_AUTH_KEY"
-              value: {{ .Values.runtime.endpoints.management.authKey | required ".Values.runtime.endpoints.management.authKey is required" | quote }}
+              value: {{ .Values.runtime.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }}
+            {{- end }}
+
             - name: "TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY"
               value: {{ .Values.runtime.endpoints.proxy.authKey | required ".Values.runtime.endpoints.proxy.authKey is required" | quote }}
             - name: "WEB_HTTP_DEFAULT_PORT"

diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
@@ -117,6 +117,8 @@ runtime:
       path: /management
       # -- authentication key, must be attached to each request as `X-Api-Key` header
       authKey: "password"
+      # -- if the JWKS url is set, the DelegatedAuth service will be engaged
+      jwksUrl:
     # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
     control:
       # -- port for incoming api calls

diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md
@@ -80,7 +80,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.8.0-rc1 \
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -90,8 +90,9 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.8.0-rc1 \
 | controlplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls |
-| controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| controlplane.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| controlplane.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls |
 | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing |

diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml
@@ -152,8 +152,14 @@ spec:
             #######
             # API #
             #######
+            {{- if .Values.controlplane.endpoints.management.jwksUrl }}
+            - name: "EDC_API_AUTH_DAC_KEY_URL"
+              value: {{ .Values.controlplane.endpoints.management.jwksUrl | quote}}
+            {{- else }}
             - name: "EDC_API_AUTH_KEY"
               value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }}
+            {{- end }}
+
             - name: "WEB_HTTP_DEFAULT_PORT"
               value: {{ .Values.controlplane.endpoints.default.port | quote }}
             - name: "WEB_HTTP_DEFAULT_PATH"

diff --git a/...or/templates/tests/test-controlplane.yaml → .../tests/test-mgmt-api-with-token-auth.yaml b/...or/templates/tests/test-controlplane.yaml → .../tests/test-mgmt-api-with-token-auth.yaml
@@ -21,7 +21,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{include "txdc.fullname" .}}-test-controlplane"
+  name: "controlplane-with-token-auth-test"
   labels:
     {{- include "txdc.controlplane.labels" . | nindent 4 }}
   annotations:

diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
@@ -124,6 +124,9 @@ controlplane:
       path: /management
       # -- authentication key, must be attached to each request as `X-Api-Key` header
       authKey: "password"
+      # -- if the JWKS url is set, the DelegatedAuth service will be engaged
+      jwksUrl:
+
     # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
     control:
       # -- port for incoming api calls

diff --git a/edc-controlplane/edc-controlplane-base/build.gradle.kts b/edc-controlplane/edc-controlplane-base/build.gradle.kts
@@ -57,6 +57,7 @@ dependencies {
     runtimeOnly(libs.edc.core.policy.monitor)
     runtimeOnly(libs.edc.config.filesystem)
     runtimeOnly(libs.edc.auth.tokenbased)
+    runtimeOnly(libs.edc.auth.delegated)
     runtimeOnly(libs.edc.auth.configuration)
     runtimeOnly(libs.edc.validator.data.address.http.data)
     runtimeOnly(libs.edc.aws.validator.data.address.s3)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -82,6 +82,7 @@ edc-api-controlplane = { module = "org.eclipse.edc:control-plane-api", version.r
 edc-dsp = { module = "org.eclipse.edc:dsp", version.ref = "edc" }
 edc-iam-mock = { module = "org.eclipse.edc:iam-mock", version.ref = "edc" }
 edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }
+edc-auth-delegated = { module = "org.eclipse.edc:auth-delegated", version.ref = "edc" }
 edc-auth-oauth2-client = { module = "org.eclipse.edc:oauth2-client", version.ref = "edc" }
 edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }
 edc-transaction-local = { module = "org.eclipse.edc:transaction-local", version.ref = "edc" }

diff --git a/samples/multi-tenancy/build.gradle.kts b/samples/multi-tenancy/build.gradle.kts
@@ -47,7 +47,7 @@ application {
 
 tasks.withType<com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar> {
     mergeServiceFiles()
-    archiveFileName.set("multitenant.jar")
+    archiveFileName.set("multi-tenancy.jar")
 }
 
 // do not publish