From 10efb588d5474f2100338d26f1b890a3b7661ce6 Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
Date: Thu, 24 Oct 2024 14:19:45 +0200
Subject: [PATCH] feat: activate JTI Validation (#366)

---
 deployment/modules/identity-hub/main.tf | 1 +
 deployment/provider.tf | 33 +++++++------------------
 gradle/libs.versions.toml | 8 +++---
 launchers/controlplane/build.gradle.kts | 1 +
 4 files changed, 16 insertions(+), 27 deletions(-)

diff --git a/deployment/modules/identity-hub/main.tf b/deployment/modules/identity-hub/main.tf
index 191326bb..dea2868e 100644
--- a/deployment/modules/identity-hub/main.tf
+++ b/deployment/modules/identity-hub/main.tf
@@ -163,6 +163,7 @@ resource "kubernetes_config_map" "identityhub-config" {
 EDC_SQL_SCHEMA_AUTOCREATE = true
 EDC_STS_ACCOUNT_API_URL = var.sts-accounts-api-url
 EDC_STS_ACCOUNTS_API_AUTH_HEADER_VALUE = "password"
+ EDC_IAM_ACCESSTOKEN_JTI_VALIDATION = true
 }
 }

diff --git a/deployment/provider.tf b/deployment/provider.tf
index f9c5d19e..f04d6aaa 100644
--- a/deployment/provider.tf
+++ b/deployment/provider.tf
@@ -56,9 +56,9 @@ module "provider-identityhub" {
 namespace = kubernetes_namespace.ns.metadata.0.name
 database = {
- user = "identityhub"
- password = "identityhub"
- url = "jdbc:postgresql://${module.provider-postgres.database-url}/identityhub"
+ user = "identity"
+ password = "identity"
+ url = "jdbc:postgresql://${module.provider-postgres.database-url}/identity"
 }
 sts-accounts-api-url = module.provider-sts.sts-accounts-url
 }
@@ -70,9 +70,9 @@ module "provider-sts" {
 humanReadableName = "provider-sts"
 namespace = kubernetes_namespace.ns.metadata.0.name
 database = {
- user = "sts"
- password = "sts"
- url = "jdbc:postgresql://${module.provider-postgres.database-url}/sts"
+ user = "identity"
+ password = "identity"
+ url = "jdbc:postgresql://${module.provider-postgres.database-url}/identity"
 }
 vault-url = "http://provider-vault:8200"
 }
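Review bot: The new `EDC_IAM_ACCESSTOKEN_JTI_VALIDATION = true` entry in the identity-hub config map carries no explanation of what it switches on, and this config map is the first place an operator will look when token presentations start being rejected. I would put a comment above it: `# Reject access tokens whose jti has already been seen (replay protection); presumably backed by the jti-validation SQL store this patch adds to the sql-ih bundle`. The patch wires the JTI store into both the `sql-ih` and `sql-sts` bundles, but only this config map gets the toggle; if the STS runtime is also meant to validate, its configuration needs the same key, which I cannot see in this diff. The enclosing `kubernetes_config_map "identityhub-config"` resource starts outside the hunk.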
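Review bot: After this hunk the identity hub uses the same Postgres role and database, `identity`/`identity`, that the following hunk assigns to the STS, so a leaked connection string from either runtime now reaches the other's tables as well, and the literal password ends up duplicated in two module blocks and in the Terraform state. That may be acceptable for a demo deployment, but it should be said rather than left implicit; at minimum hoist the shared values into one `local` or `variable` (e.g. `password = var.identity_db_password`) so they are set once and can be overridden, and add a comment on the `database = {` block explaining why both modules must point at the same database (presumably so both runtimes see the same JTI table). The `module "provider-identityhub"` block begins before the hunk.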
@@ -109,7 +109,6 @@ module "provider-postgres" {
 kubernetes_config_map.postgres-initdb-config-pqna.metadata[0].name,
 kubernetes_config_map.postgres-initdb-config-pm.metadata[0].name,
 kubernetes_config_map.postgres-initdb-config-ih.metadata[0].name,
- kubernetes_config_map.postgres-initdb-config-sts.metadata[0].name
 ]
 namespace = kubernetes_namespace.ns.metadata.0.name
 }
@@ -166,23 +165,9 @@ resource "kubernetes_config_map" "postgres-initdb-config-ih" {
 }
 data = {
 "ih-initdb-config.sql" = <<-EOT
- CREATE USER identityhub WITH ENCRYPTED PASSWORD 'identityhub' SUPERUSER;
- CREATE DATABASE identityhub;
- \c identityhub
- EOT
- }
- }
-
-resource "kubernetes_config_map" "postgres-initdb-config-sts" {
- metadata {
- name = "sts-initdb-config"
- namespace = kubernetes_namespace.ns.metadata.0.name
- }
- data = {
- "sts-initdb-config.sql" = <<-EOT
- CREATE USER sts WITH ENCRYPTED PASSWORD 'sts' SUPERUSER;
- CREATE DATABASE sts;
- \c sts
+ CREATE USER identity WITH ENCRYPTED PASSWORD 'identity' SUPERUSER;
+ CREATE DATABASE identity;
+ \c identity
 EOT
 }
 }
\ No newline at end of file
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 94b75a0c..9e1b5fed 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -26,6 +26,7 @@ edc-did-core = { module = "org.eclipse.edc:identity-did-core", version.ref = "ed
 edc-did-web = { module = "org.eclipse.edc:identity-did-web", version.ref = "edc" }
 edc-core-connector = { module = "org.eclipse.edc:connector-core", version.ref = "edc" }
 edc-core-crypto = { module = "org.eclipse.edc:crypto-core", version.ref = "edc" }
+edc-core-token = { module = "org.eclipse.edc:token-core", version.ref = "edc" }
 edc-core-edrstore = { module = "org.eclipse.edc:edr-store-core", version.ref = "edc" }
 edc-ext-http = { module = "org.eclipse.edc:http", version.ref = "edc" }
 edc-ext-jsonld = { module = "org.eclipse.edc:json-ld", version.ref = "edc" }
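Review bot: The replacement init script still grants `SUPERUSER` on the new `CREATE USER identity WITH ENCRYPTED PASSWORD 'identity' SUPERUSER;` line, and that role is now the single account shared by the identity hub and the STS, so the blast radius of the trivial literal password grows rather than shrinks with this consolidation. Owning the database is unlikely to be insufficient for schema autocreate, so I would drop the attribute and transfer ownership instead: `CREATE USER identity WITH ENCRYPTED PASSWORD 'identity';` and `CREATE DATABASE identity OWNER identity;`. A comment above the heredoc stating that the password is a demo default and must be overridden outside local deployments would also help. Whether the trailing `\c identity` is still needed depends on the rest of the init script, which lies outside the hunk.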
@@ -109,6 +110,7 @@ edc-sql-transactionlocal = { module = "org.eclipse.edc:transaction-local", versi
 edc-sql-accesstokendata = { module = "org.eclipse.edc:accesstokendata-store-sql", version.ref = "edc" }
 edc-sql-dataplane = { module = "org.eclipse.edc:data-plane-store-sql", version.ref = "edc" }
 edc-sql-dataplane-instancestore = { module = "org.eclipse.edc:data-plane-instance-store-sql", version.ref = "edc" }
+edc-sql-jtivdalidation = { module = "org.eclipse.edc:jti-validation-store-sql", version.ref = "edc" }
 # identity hub SQL implementations
@@ -176,7 +178,7 @@ parsson = { module = "org.eclipse.parsson:parsson", version.ref = "parsson" }
 [bundles]
 dpf = ["edc-dpf-selector-core", "edc-spi-dataplane-selector", "edc-dpf-selector-control-api", "edc-dpf-signaling-client", "edc-dpf-transfer-signaling"]
-connector = ["edc-boot", "edc-core-connector", "edc-ext-http", "edc-api-observability", "edc-ext-jsonld"]
+connector = ["edc-boot", "edc-core-connector", "edc-ext-http", "edc-api-observability", "edc-ext-jsonld", "edc-core-token"]
 controlplane = ["edc-controlplane-core", "edc-config-filesystem", "edc-auth-tokenbased", "edc-auth-configuration", "edc-api-management", "edc-api-management-config", "edc-api-management-edr", "edc-api-management-dataplaneselector",
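Review bot: The new alias `edc-sql-jtivdalidation` is misspelled (`jtivdalidation` for `jtivalidation`); the bundle hunks later in the patch reference the same misspelling, so the build resolves, but the typo will be copied forward by everyone who grep-and-pastes the alias. Rename it at the definition, `edc-sql-jtivalidation = { module = "org.eclipse.edc:jti-validation-store-sql", version.ref = "edc" }`, and update the two bundle references in the same commit. It is also placed in the connector SQL group directly above the `# identity hub SQL implementations` comment, while in this patch it is only consumed by the `sql-ih` and `sql-sts` bundles; moving it below that comment keeps the grouping accurate.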
@@ -196,9 +198,9 @@ dcp = ["edc-dcp", "edc-did-core", "edc-did-web", "edc-oauth2-client", "edc-dcp-c
 sql-edc = ["edc-sql-assetindex", "edc-sql-contractdef", "edc-sql-contractneg", "edc-sql-policydef", "edc-sql-edrcache", "edc-sql-transferprocess", "edc-sql-dataplane-instancestore", "edc-sql-core", "edc-sql-lease", "edc-sql-pool", "edc-sql-transactionlocal", "postgres"]
 sql-edc-dataplane = ["edc-sql-accesstokendata", "edc-sql-dataplane", "edc-sql-core", "edc-sql-lease", "edc-sql-pool", "edc-sql-transactionlocal", "edc-sql-dataplane-instancestore", "postgres"]
-sql-ih = ["edc-sql-ih-credstore-sql", "edc-sql-ih-didstore-sql", "edc-sql-ih-keypairstore-sql", "edc-sql-ih-pcstore-sql", "edc-sql-ih-stsstore-sql", "edc-sql-core", "edc-sql-pool", "edc-sql-transactionlocal", "postgres"]
+sql-ih = ["edc-sql-ih-credstore-sql","edc-sql-jtivdalidation", "edc-sql-ih-didstore-sql", "edc-sql-ih-keypairstore-sql", "edc-sql-ih-pcstore-sql", "edc-sql-ih-stsstore-sql", "edc-sql-core", "edc-sql-pool", "edc-sql-transactionlocal", "postgres"]
-sql-sts = [ "edc-sql-ih-stsstore-sql", "edc-sql-core", "edc-sql-pool", "edc-sql-transactionlocal", "postgres"]
+sql-sts = ["edc-sql-ih-stsstore-sql", "edc-sql-jtivdalidation", "edc-sql-core", "edc-sql-pool", "edc-sql-transactionlocal", "postgres"]
 sts = ["edc-sts-core", "edc-sts-api", "edc-sts-spi", "edc-sts"]
diff --git a/launchers/controlplane/build.gradle.kts b/launchers/controlplane/build.gradle.kts
index d6b75f23..16bc476a 100644
--- a/launchers/controlplane/build.gradle.kts
+++ b/launchers/controlplane/build.gradle.kts
@@ -27,6 +27,7 @@ dependencies {
 implementation(libs.bundles.controlplane)
 implementation(libs.bundles.dcp)
 implementation(libs.edc.core.connector)
+ implementation(libs.edc.core.token)
 if (project.properties.getOrDefault("persistence", "false") == "true") {
 runtimeOnly(libs.edc.vault.hashicorp)
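Review bot: In the new `sql-ih` line the entry is spliced in as `"edc-sql-ih-credstore-sql","edc-sql-jtivdalidation",` with no space after the comma, unlike every other element in these bundles, and the alias name is misspelled; write it as `"edc-sql-ih-credstore-sql", "edc-sql-jtivalidation", ...` and define the alias with that spelling. Both `sql-ih` and `sql-sts` now carry the JTI validation SQL store while `provider.tf` in this same patch points both runtimes at one `identity` database, so two runtimes will be creating and writing the same JTI table (the identity hub at least has `EDC_SQL_SCHEMA_AUTOCREATE = true`); that is presumably the intent, but a one-line comment above `sql-sts` saying the STS and identity hub deliberately share the JTI store would spare the next reader the reconstruction.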