From 33383aa61b54848089b163bc19eb105d9f8562cd Mon Sep 17 00:00:00 2001 From: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com> Date: Tue, 30 Jul 2024 13:07:52 +0200 Subject: [PATCH] feat: add delegated auth module (#1473) * feat: add delegated auth + tests * update all charts * helm docs * DEPENDENCIES --- .github/workflows/deployment-test.yaml | 23 +++++++++++++++++-- DEPENDENCIES | 3 ++- .../tractusx-connector-azure-vault/README.md | 5 ++-- .../templates/deployment-controlplane.yaml | 6 +++++ .../values.yaml | 2 ++ charts/tractusx-connector-memory/README.md | 5 ++-- .../templates/deployment-runtime.yaml | 8 ++++++- charts/tractusx-connector-memory/values.yaml | 2 ++ charts/tractusx-connector/README.md | 5 ++-- .../templates/deployment-controlplane.yaml | 6 +++++ ...aml => test-mgmt-api-with-token-auth.yaml} | 2 +- charts/tractusx-connector/values.yaml | 3 +++ .../edc-controlplane-base/build.gradle.kts | 1 + gradle/libs.versions.toml | 1 + samples/multi-tenancy/build.gradle.kts | 2 +- 15 files changed, 62 insertions(+), 12 deletions(-) rename charts/tractusx-connector/templates/tests/{test-controlplane.yaml => test-mgmt-api-with-token-auth.yaml} (97%) diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml index d3da08f7a..cdb4975db 100644 --- a/.github/workflows/deployment-test.yaml +++ b/.github/workflows/deployment-test.yaml @@ -86,7 +86,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - uses: ./.github/actions/run-deployment-test - name: "Run deployment test using KinD and Helm" + name: "Run deployment test using KinD and Helm - tokenbased auth" with: imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault" rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault" 
@@ -101,9 +101,28 @@ jobs: kubectl rollout status deployment tx-prod-controlplane kubectl rollout status deployment tx-prod-dataplane - # execute the helm test + # execute the helm test using token based auth in the Management API helm test tx-prod + - uses: ./.github/actions/run-deployment-test + name: "Run deployment test using KinD and Helm - delegated auth" + with: + imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault" + rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault" + k8sversion: ${{ matrix.k8s-version }} + helm_command: |- + helm install tx-prod charts/tractusx-connector \ + -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml \ + --set controlplane.endpoints.management.jwksUrl="http://foo-bar.com/.well-known/jwks.json" \ + --dependency-update \ + --wait-for-jobs --timeout=120s + + # wait for the pod to become ready + kubectl rollout status deployment tx-prod-controlplane + kubectl rollout status deployment tx-prod-dataplane + + # no helm test here, because the delegated auth won't work without an actual IdP + test-azure-vault-postgres: runs-on: ubuntu-latest needs: [ test-prepare, secret-presence ] diff --git a/DEPENDENCIES b/DEPENDENCIES index 3a948680f..508328e8f 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES 
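Review bot: The new delegated-auth job ends after the two `kubectl rollout status` calls, so it never checks that the Management API actually refuses requests once `jwksUrl` is set; the closing comment skips `helm test` for lack of an IdP, but a negative check needs no IdP at all. A test pod that calls the management endpoint with no `Authorization` header and asserts an unauthenticated status would catch the failure mode that matters most here, a delegated-mode misconfiguration that leaves the API reachable without credentials. Separately, the sample JWKS URL is plain `http://` on a domain the project does not control; a reserved placeholder such as `https://idp.invalid/.well-known/jwks.json` avoids both the cleartext key fetch and an accidental outbound request from CI.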
@@ -357,6 +357,7 @@ maven/mavencentral/org.eclipse.edc/asset-index-sql/0.8.1, Apache-2.0, approved,
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-configuration/0.8.1, Apache-2.0, approved, technology.edc
+maven/mavencentral/org.eclipse.edc/auth-delegated/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-tokenbased/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/autodoc-processor/0.8.1, Apache-2.0, approved, technology.edc
@@ -652,7 +653,7 @@ maven/mavencentral/org.testcontainers/database-commons/1.20.0, MIT, approved, cl
 maven/mavencentral/org.testcontainers/jdbc/1.20.0, MIT, approved, clearlydefined
 maven/mavencentral/org.testcontainers/junit-jupiter/1.20.0, MIT, approved, clearlydefined
 maven/mavencentral/org.testcontainers/postgresql/1.20.0, MIT, approved, clearlydefined
-maven/mavencentral/org.testcontainers/testcontainers/1.20.0, None, restricted, #15747
+maven/mavencentral/org.testcontainers/testcontainers/1.20.0, MIT, approved, #15747
 maven/mavencentral/org.xmlresolver/xmlresolver/5.2.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272
 maven/mavencentral/org.xmlunit/xmlunit-placeholders/2.9.1, Apache-2.0, approved, clearlydefined
diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
index db530bc7c..44bc4916f 100644
--- a/charts/tractusx-connector-azure-vault/README.md
+++ b/charts/tractusx-connector-azure-vault/README.md
@@ -83,7 +83,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -93,8 +93,9 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls |
-| controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| controlplane.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| controlplane.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls |
 | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing |
diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
index 7b5760755..09ac2f1c5 100644
--- a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
+++ b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -152,8 +152,14 @@ spec: ####### # API # ####### + {{- if .Values.controlplane.endpoints.management.jwksUrl }} + - name: "EDC_API_AUTH_DAC_KEY_URL" + value: {{ .Values.controlplane.endpoints.management.jwksUrl | quote}} + {{- else }} - name: "EDC_API_AUTH_KEY" value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }} + {{- end }} + - name: "WEB_HTTP_DEFAULT_PORT" value: {{ .Values.controlplane.endpoints.default.port | quote }} - name: "WEB_HTTP_DEFAULT_PATH" diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml index 3dc4c6ea3..a5f538ea3 100644 --- a/charts/tractusx-connector-azure-vault/values.yaml +++ b/charts/tractusx-connector-azure-vault/values.yaml @@ -122,6 +122,8 @@ controlplane: path: /management # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" + # -- if the JWKS url is set, the DelegatedAuth service will be engaged + jwksUrl: # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: # -- port for incoming api calls diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md index 3c57cc9e4..676edcabd 100644 --- a/charts/tractusx-connector-memory/README.md +++ b/charts/tractusx-connector-memory/README.md 
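Review bot: `jwksUrl` is passed into `EDC_API_AUTH_DAC_KEY_URL` with only `quote`, so a value with an `http://` scheme renders without complaint; the key set fetched from that URL is the trust root for every Management API request, and a cleartext fetch can be replaced by anyone on the network path. Consider failing the render for non-TLS values, `{{- if not (hasPrefix "https://" .Values.controlplane.endpoints.management.jwksUrl) }}{{ fail "controlplane.endpoints.management.jwksUrl must use https" }}{{- end }}`, or at minimum documenting the requirement next to the value; note that the workflow in this commit installs with an `http://` URL, so that test value would have to change as well. The same block appears in charts/tractusx-connector-memory/templates/deployment-runtime.yaml and charts/tractusx-connector/templates/deployment-controlplane.yaml. The enclosing `env` list starts outside the hunk.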
@@ -83,7 +83,7 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.8.0-r
 | runtime.debug.enabled | bool | `false` | Enables java debugging mode. |
 | runtime.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | runtime.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| runtime.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
+| runtime.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
 | runtime.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | runtime.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | runtime.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -93,8 +93,9 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.8.0-r
 | runtime.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | runtime.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | runtime.endpoints.default.port | int | `8080` | port for incoming api calls |
-| runtime.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| runtime.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | runtime.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| runtime.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | runtime.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | runtime.endpoints.management.port | int | `8081` | port for incoming api calls |
 | runtime.endpoints.protocol | object | `{"path":"/api/v1/dsp","port":8084}` | dsp api, used for inter connector communication and must be internet facing |
diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
index 72ba3a48c..439f865e1 100644
--- a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
+++ b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
@@ -152,8 +152,14 @@ spec: ####### # API # ####### + {{- if .Values.runtime.endpoints.management.jwksUrl }} + - name: "EDC_API_AUTH_DAC_KEY_URL" + value: {{ .Values.runtime.endpoints.management.jwksUrl | quote}} + {{- else }} - name: "EDC_API_AUTH_KEY" - value: {{ .Values.runtime.endpoints.management.authKey | required ".Values.runtime.endpoints.management.authKey is required" | quote }} + value: {{ .Values.runtime.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }} + {{- end }} + - name: "TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY" value: {{ .Values.runtime.endpoints.proxy.authKey | required ".Values.runtime.endpoints.proxy.authKey is required" | quote }} - name: "WEB_HTTP_DEFAULT_PORT" diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml index c95750175..27360fc3d 100644 --- a/charts/tractusx-connector-memory/values.yaml +++ b/charts/tractusx-connector-memory/values.yaml @@ -117,6 +117,8 @@ runtime: path: /management # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" + # -- if the JWKS url is set, the DelegatedAuth service will be engaged + jwksUrl: # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: # -- port for incoming api calls diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md index ddf5108c0..b43c9bc6f 100644 --- a/charts/tractusx-connector/README.md +++ b/charts/tractusx-connector/README.md 
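Review bot: The `required` message on the rewritten `EDC_API_AUTH_KEY` value line now names `.Values.controlplane.endpoints.management.authKey`, but this chart reads `.Values.runtime.endpoints.management.authKey` on that very line, so an operator who unsets the key is pointed at a value path that does not exist in this chart. The removed line had the correct path; restore `required ".Values.runtime.endpoints.management.authKey is required"`. This looks like a copy from the two controlplane charts, where the `controlplane` prefix is right.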
@@ -80,7 +80,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.8.0-rc1 \
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","jwksUrl":null,"path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
@@ -90,8 +90,9 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.8.0-rc1 \
 | controlplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress |
 | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls |
 | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls |
-| controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
+| controlplane.endpoints.management | object | `{"authKey":"password","jwksUrl":null,"path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing |
 | controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
+| controlplane.endpoints.management.jwksUrl | string | `nil` | if the JWKS url is set, the DelegatedAuth service will be engaged |
 | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls |
 | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls |
 | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing |
diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml
index bd33124e4..e633c1973 100644
--- a/charts/tractusx-connector/templates/deployment-controlplane.yaml
+++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml
@@ -152,8 +152,14 @@ spec: ####### # API # ####### + {{- if .Values.controlplane.endpoints.management.jwksUrl }} + - name: "EDC_API_AUTH_DAC_KEY_URL" + value: {{ .Values.controlplane.endpoints.management.jwksUrl | quote}} + {{- else }} - name: "EDC_API_AUTH_KEY" value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }} + {{- end }} + - name: "WEB_HTTP_DEFAULT_PORT" value: {{ .Values.controlplane.endpoints.default.port | quote }} - name: "WEB_HTTP_DEFAULT_PATH" diff --git a/charts/tractusx-connector/templates/tests/test-controlplane.yaml b/charts/tractusx-connector/templates/tests/test-mgmt-api-with-token-auth.yaml similarity index 97% rename from charts/tractusx-connector/templates/tests/test-controlplane.yaml rename to charts/tractusx-connector/templates/tests/test-mgmt-api-with-token-auth.yaml index 8d7145b20..7ee31cd9c 100644 --- a/charts/tractusx-connector/templates/tests/test-controlplane.yaml +++ b/charts/tractusx-connector/templates/tests/test-mgmt-api-with-token-auth.yaml @@ -21,7 +21,7 @@ apiVersion: v1 kind: Pod metadata: - name: "{{include "txdc.fullname" .}}-test-controlplane" + name: "controlplane-with-token-auth-test" labels: {{- include "txdc.controlplane.labels" . | nindent 4 }} annotations: diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index c727114b1..2706434a0 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -124,6 +124,9 @@ controlplane: path: /management # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" + # -- if the JWKS url is set, the DelegatedAuth service will be engaged + jwksUrl: + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: # -- port for incoming api calls 
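Review bot: In the renamed test manifest the pod `name` changes from `{{include "txdc.fullname" .}}-test-controlplane` to the literal `controlplane-with-token-auth-test`, so it no longer carries the release name; two releases of this chart in one namespace would collide on the same pod name when `helm test` runs, and a lingering test pod can no longer be traced back to its release from its name alone. Keeping the helper prefix while adopting the more descriptive suffix, `name: "{{include "txdc.fullname" .}}-test-mgmt-api-with-token-auth"`, preserves both properties. The rest of the Pod spec lies outside the hunk.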
diff --git a/edc-controlplane/edc-controlplane-base/build.gradle.kts b/edc-controlplane/edc-controlplane-base/build.gradle.kts
index a84153ebf..62c9d388f 100644
--- a/edc-controlplane/edc-controlplane-base/build.gradle.kts
+++ b/edc-controlplane/edc-controlplane-base/build.gradle.kts
@@ -57,6 +57,7 @@ dependencies {
 runtimeOnly(libs.edc.core.policy.monitor)
 runtimeOnly(libs.edc.config.filesystem)
 runtimeOnly(libs.edc.auth.tokenbased)
+runtimeOnly(libs.edc.auth.delegated)
 runtimeOnly(libs.edc.auth.configuration)
 runtimeOnly(libs.edc.validator.data.address.http.data)
 runtimeOnly(libs.edc.aws.validator.data.address.s3)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 918ce2a63..c38831c59 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -82,6 +82,7 @@ edc-api-controlplane = { module = "org.eclipse.edc:control-plane-api", version.r
 edc-dsp = { module = "org.eclipse.edc:dsp", version.ref = "edc" }
 edc-iam-mock = { module = "org.eclipse.edc:iam-mock", version.ref = "edc" }
 edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }
+edc-auth-delegated = { module = "org.eclipse.edc:auth-delegated", version.ref = "edc" }
 edc-auth-oauth2-client = { module = "org.eclipse.edc:oauth2-client", version.ref = "edc" }
 edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }
 edc-transaction-local = { module = "org.eclipse.edc:transaction-local", version.ref = "edc" }
diff --git a/samples/multi-tenancy/build.gradle.kts b/samples/multi-tenancy/build.gradle.kts
index 908a275c2..b56772f52 100644
--- a/samples/multi-tenancy/build.gradle.kts
+++ b/samples/multi-tenancy/build.gradle.kts
@@ -47,7 +47,7 @@ application {
 tasks.withType {
 mergeServiceFiles()
-archiveFileName.set("multitenant.jar")
+archiveFileName.set("multi-tenancy.jar")
 }
 // do not publish
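Review bot: Both `libs.edc.auth.tokenbased` and `libs.edc.auth.delegated` now ship in the base controlplane runtime, and nothing in this hunk records how one mechanism is chosen over the other; the chart templates in this commit set exactly one of `EDC_API_AUTH_KEY` or `EDC_API_AUTH_DAC_KEY_URL`, so presumably the presence of the property decides, which is worth confirming against the auth-configuration module. A one-line comment above the two `runtimeOnly` lines, `// Management API auth: token-based (EDC_API_AUTH_KEY) or delegated (EDC_API_AUTH_DAC_KEY_URL); the charts configure exactly one`, would keep that contract visible to whoever next touches this dependency list. The `dependencies` block starts and ends outside the hunk.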