eclipse-tractusx · wolf4ood · Feb 19, 2024 · Dec 12, 2023 · Dec 12, 2023 · Dec 19, 2023
diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml
@@ -103,8 +103,8 @@ jobs:
   test-azure-vault-postgres:
     runs-on: ubuntu-latest
     needs: [ test-prepare, secret-presence ]
-    if: |
-      needs.secret-presence.outputs.AZURE_KV_CREDS
+    # disabled cause secret expired
+    if: false
     steps:
       - name: Checkout
         uses: actions/[email protected]

diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -79,18 +79,6 @@ jobs:
         run: |
           ./gradlew checkstyleMain checkstyleTest
 
-  markdown-lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/[email protected]
-
-      - name: Install mardkdownlint
-        run: npm install -g markdownlint-cli2
-
-      - name: Run markdownlint
-        run: |
-          markdownlint-cli2-config .markdownlint.yaml "**/*.md" "#.github" "#charts"
-
   unit-tests:
     runs-on: ubuntu-latest
     needs: [ verify-formatting, verify-license-headers ]

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -130,7 +130,7 @@ maven/mavencentral/io.opentelemetry.instrumentation/opentelemetry-instrumentatio
 maven/mavencentral/io.opentelemetry/opentelemetry-api/1.29.0, Apache-2.0, approved, #10088
 maven/mavencentral/io.opentelemetry/opentelemetry-context/1.29.0, Apache-2.0, approved, #10090
 maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.0.33, Apache-2.0, approved, #9687
-maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.0.33, Apache-2.0, approved, clearlydefined
+maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.0.33, Apache-2.0, approved, #11661
 maven/mavencentral/io.projectreactor/reactor-core/3.4.30, Apache-2.0, approved, #7517
 maven/mavencentral/io.rest-assured/json-path/5.3.1, Apache-2.0, approved, #9261
 maven/mavencentral/io.rest-assured/rest-assured-common/5.3.1, Apache-2.0, approved, #9264
@@ -207,7 +207,6 @@ maven/mavencentral/org.eclipse.edc/asset-api/0.2.1, Apache-2.0, approved, techno
 maven/mavencentral/org.eclipse.edc/asset-index-sql/0.2.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.2.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-spi/0.2.1, Apache-2.0, approved, technology.edc
-maven/mavencentral/org.eclipse.edc/auth-tokenbased/0.2.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/autodoc-processor/0.2.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/aws-s3-core/0.2.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/boot/0.2.1, Apache-2.0, approved, technology.edc

diff --git a/charts/tractusx-connector-azure-vault/Chart.yaml b/charts/tractusx-connector-azure-vault/Chart.yaml
@@ -40,12 +40,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.3
+version: 0.5.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.3"
+appVersion: "0.5.4"
 home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector
 sources:
   - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector

diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
@@ -1,6 +1,6 @@
 # tractusx-connector-azure-vault
 
-![Version: 0.5.3](https://img.shields.io/badge/Version-0.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.3](https://img.shields.io/badge/AppVersion-0.5.3-informational?style=flat-square)
+![Version: 0.5.4](https://img.shields.io/badge/Version-0.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.4](https://img.shields.io/badge/AppVersion-0.5.4-informational?style=flat-square)
 
 A Helm chart for Tractus-X Eclipse Data Space Connector. The connector deployment consists of two runtime consists of a
 Control Plane and a Data Plane. Note that _no_ external dependencies such as a PostgreSQL database and Azure KeyVault are included.
@@ -45,7 +45,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 
 ```shell
 helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
-helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.5.3 \
+helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.5.4 \
      -f <path-to>/tractusx-connector-azure-vault-test.yaml \
      --set vault.azure.name=$AZURE_VAULT_NAME \
      --set vault.azure.client=$AZURE_CLIENT_ID \
@@ -78,6 +78,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.debug.enabled | bool | `false` |  |
 | controlplane.debug.port | int | `1044` |  |
 | controlplane.debug.suspendOnStart | bool | `false` |  |
+| controlplane.edr.transferProxyTokenValidity | string | `"2592000"` |  |
 | controlplane.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |
 | controlplane.endpoints.control.path | string | `"/control"` | path for incoming api calls |

diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -296,6 +296,8 @@ spec:
             - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS"
               value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }}
             {{- end }}
+            - name: "EDC_TRANSFER_PROXY_TOKEN_VALIDITY_SECONDS"
+              value: {{ .Values.controlplane.edr.transferProxyTokenValidity | required ".Values.controlplane.edr.transferProxyTokenValidity is required" | quote }}
 
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver
 

diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml
@@ -117,7 +117,8 @@ controlplane:
   businessPartnerValidation:
     log:
       agreementValidation: true
-
+  edr:
+    transferProxyTokenValidity: "2592000"
   # SSI configuration
   ssi:
     miw:

diff --git a/charts/tractusx-connector-memory/Chart.yaml b/charts/tractusx-connector-memory/Chart.yaml
@@ -34,12 +34,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.3
+version: 0.5.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.3"
+appVersion: "0.5.4"
 home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory
 sources:
   - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory
diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md
@@ -1,6 +1,6 @@
 # tractusx-connector-memory
 
-![Version: 0.5.3](https://img.shields.io/badge/Version-0.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.3](https://img.shields.io/badge/AppVersion-0.5.3-informational?style=flat-square)
+![Version: 0.5.4](https://img.shields.io/badge/Version-0.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.4](https://img.shields.io/badge/AppVersion-0.5.4-informational?style=flat-square)
 
 A Helm chart for Tractus-X Eclipse Data Space Connector based on memory. Please only use this for development or testing purposes, never in production workloads!
 
@@ -39,7 +39,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 
 ```shell
 helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
-helm install my-release tractusx-edc/tractusx-connector-memory --version 0.5.3 \
+helm install my-release tractusx-edc/tractusx-connector-memory --version 0.5.4 \
      -f <path-to>/tractusx-connector-memory-test.yaml \
      --set vault.secrets="client-secret:$YOUR_CLIENT_SECRET"
 ```
@@ -77,6 +77,7 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.5.3 \
 | runtime.debug.enabled | bool | `false` |  |
 | runtime.debug.port | int | `1044` |  |
 | runtime.debug.suspendOnStart | bool | `false` |  |
+| runtime.edr.transferProxyTokenValidity | string | `"2592000"` |  |
 | runtime.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086},"validation":{"path":"/validation","port":8082}}` | endpoints of the control plane |
 | runtime.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |
 | runtime.endpoints.control.path | string | `"/control"` | path for incoming api calls |

diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml
@@ -244,6 +244,8 @@ spec:
             - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS"
               value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }}
             {{- end }}
+            - name: "EDC_TRANSFER_PROXY_TOKEN_VALIDITY_SECONDS"
+              value: {{ .Values.runtime.edr.transferProxyTokenValidity | required ".Values.runtime.edr.transferProxyTokenValidity is required" | quote }}
 
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/http-receiver
             - name: "EDC_RECEIVER_HTTP_ENDPOINT"

diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
@@ -118,7 +118,8 @@ runtime:
   businessPartnerValidation:
     log:
       agreementValidation: true
-
+  edr:
+    transferProxyTokenValidity: "2592000"
   # SSI configuration
   ssi:
     miw:

diff --git a/charts/tractusx-connector/Chart.yaml b/charts/tractusx-connector/Chart.yaml
@@ -40,12 +40,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.3
+version: 0.5.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.3"
+appVersion: "0.5.4"
 home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector
 sources:
   - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector

diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md
@@ -1,6 +1,6 @@
 # tractusx-connector
 
-![Version: 0.5.3](https://img.shields.io/badge/Version-0.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.3](https://img.shields.io/badge/AppVersion-0.5.3-informational?style=flat-square)
+![Version: 0.5.4](https://img.shields.io/badge/Version-0.5.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.4](https://img.shields.io/badge/AppVersion-0.5.4-informational?style=flat-square)
 
 A Helm chart for Tractus-X Eclipse Data Space Connector. The connector deployment consists of two runtime consists of a
 Control Plane and a Data Plane. Note that _no_ external dependencies such as a PostgreSQL database and HashiCorp Vault are included.
@@ -42,7 +42,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 
 ```shell
 helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
-helm install my-release tractusx-edc/tractusx-connector --version 0.5.3 \
+helm install my-release tractusx-edc/tractusx-connector --version 0.5.4 \
      -f <path-to>/tractusx-connector-test.yaml
 ```
 
@@ -72,6 +72,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.5.3 \
 | controlplane.debug.enabled | bool | `false` |  |
 | controlplane.debug.port | int | `1044` |  |
 | controlplane.debug.suspendOnStart | bool | `false` |  |
+| controlplane.edr.transferProxyTokenValidity | string | `"2592000"` |  |
 | controlplane.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
 | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |
 | controlplane.endpoints.control.path | string | `"/control"` | path for incoming api calls |

diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml
@@ -296,6 +296,9 @@ spec:
             - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS"
               value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }}
             {{- end }}
+            - name: "EDC_TRANSFER_PROXY_TOKEN_VALIDITY_SECONDS"
+              value: {{ .Values.controlplane.edr.transferProxyTokenValidity | required ".Values.controlplane.edr.transferProxyTokenValidity is required" | quote }}
+
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver
 
             - name: "EDC_RECEIVER_HTTP_DYNAMIC_ENDPOINT"

diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
@@ -117,7 +117,8 @@ controlplane:
   businessPartnerValidation:
     log:
       agreementValidation: true
-
+  edr:
+    transferProxyTokenValidity: "2592000"
   # SSI configuration
   ssi:
     miw:

diff --git a/edc-controlplane/edc-controlplane-base/build.gradle.kts b/edc-controlplane/edc-controlplane-base/build.gradle.kts
@@ -32,6 +32,7 @@ dependencies {
     runtimeOnly(project(":edc-extensions:edr:edr-api"))
     runtimeOnly(project(":edc-extensions:edr:edr-callback"))
 
+    runtimeOnly(project(":edc-extensions:auth-tokenbased"))
     // needed for BPN validation
     runtimeOnly(project(":edc-extensions:bpn-validation"))
 
@@ -44,7 +45,6 @@ dependencies {
 
     runtimeOnly(libs.edc.core.controlplane)
     runtimeOnly(libs.edc.config.filesystem)
-    runtimeOnly(libs.edc.auth.tokenbased)
 
     runtimeOnly(libs.edc.api.management)
     runtimeOnly(libs.edc.api.management.config)

diff --git a/edc-dataplane/edc-dataplane-base/build.gradle.kts b/edc-dataplane/edc-dataplane-base/build.gradle.kts
@@ -23,13 +23,13 @@ plugins {
 }
 
 dependencies {
+    runtimeOnly(project(":edc-extensions:auth-tokenbased"))
     runtimeOnly(project(":core:edr-cache-core"))
     runtimeOnly(project(":edc-extensions:dataplane-proxy:edc-dataplane-proxy-consumer-api"))
     runtimeOnly(project(":edc-extensions:dataplane-proxy:edc-dataplane-proxy-provider-api"))
     runtimeOnly(project(":edc-extensions:dataplane-proxy:edc-dataplane-proxy-provider-core"))
 
     runtimeOnly(libs.edc.config.filesystem)
-    runtimeOnly(libs.edc.auth.tokenbased)
     runtimeOnly(libs.edc.dpf.awss3)
     runtimeOnly(libs.edc.dpf.oauth2)
     runtimeOnly(libs.edc.dpf.http)

diff --git a/edc-extensions/auth-tokenbased/README.md b/edc-extensions/auth-tokenbased/README.md
@@ -0,0 +1,21 @@
+# Token Based Authentication Service
+
+The token based authentication service extension is used to secure connector APIs. These APIs are not protected by the `AuthenticationService` by default. To find out how a specific API is protected please consult its documentation.
+
+APIs, protected by this extension, require a client to authenticate by adding a authentication key to the request header.
+
+Authentication Header Example:
+```
+curl <url> --header "X-API-Key: <key>"
+```
+
+## Configuration
+
+| Key                    | Description                                                  | Required |
+|:-----------------------|:-------------------------------------------------------------|:---------|
+| edc.api.auth.key       | API Key Header Value                                         | false    |
+| edc.api.auth.key.alias | Secret name of the API Key Header Value, stored in the vault | false    |
+
+- If the API key is stored in the Vault _and_ in the configuration, the extension will take the key from the vault.
+
+- If no API key is defined, a random value is generated and printed out into the logs.
diff --git a/edc-extensions/auth-tokenbased/build.gradle.kts b/edc-extensions/auth-tokenbased/build.gradle.kts
@@ -0,0 +1,26 @@
+/*
+ *  Copyright (c) 2020 - 2022 Microsoft Corporation
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Microsoft Corporation - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+}
+
+dependencies {
+    implementation(libs.edc.spi.auth)
+    implementation(libs.jakarta.rsApi)
+
+    testImplementation(testFixtures(libs.edc.junit))
+}
+
+
diff --git a/.../main/java/org/eclipse/tractusx/edc/api/auth/token/TokenBasedAuthenticationExtension.java b/.../main/java/org/eclipse/tractusx/edc/api/auth/token/TokenBasedAuthenticationExtension.java
@@ -0,0 +1,65 @@
+/*
+ *  Copyright (c) 2020 - 2022 Microsoft Corporation
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Microsoft Corporation - initial API and implementation
+ *       Mercedes-Benz Tech Innovation GmbH - add README.md; authentication key can be retrieved from vault
+ *       Fraunhofer Institute for Software and Systems Engineering - update monitor info
+ *
+ */
+
+package org.eclipse.tractusx.edc.api.auth.token;
+
+import org.eclipse.edc.api.auth.spi.AuthenticationService;
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.runtime.metamodel.annotation.Provides;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.security.Vault;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+
+import java.util.UUID;
+
+/**
+ * Extension that registers an AuthenticationService that uses API Keys
+ */
+@Provides(AuthenticationService.class)
+@Extension(value = TokenBasedAuthenticationExtension.NAME)
+public class TokenBasedAuthenticationExtension implements ServiceExtension {
+
+    public static final String NAME = "Static token API Authentication";
+    @Setting
+    private static final String AUTH_SETTING_APIKEY = "edc.api.auth.key";
+    @Setting
+    private static final String AUTH_SETTING_APIKEY_ALIAS = "edc.api.auth.key.alias";
+    @Inject
+    private Vault vault;
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Override
+    public void initialize(ServiceExtensionContext context) {
+        String apiKey = null;
+
+        var apiKeyAlias = context.getSetting(AUTH_SETTING_APIKEY_ALIAS, null);
+        if (apiKeyAlias != null) {
+            apiKey = vault.resolveSecret(apiKeyAlias);
+        }
+
+        if (apiKey == null) {
+            apiKey = context.getSetting(AUTH_SETTING_APIKEY, UUID.randomUUID().toString());
+        }
+
+        context.registerService(AuthenticationService.class, new TokenBasedAuthenticationService(apiKey));
+    }
+}