EDC extension

- Creates new library for the granular access control extension
- Adds extension configuration
- Implements OAuth2 token client

Updates #352

Signed-off-by: Istvan Zoltan Nagy <[email protected]>

libraries/edc-extension/pom.xml

@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--~
+  ~ Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH and others
+  ~ Copyright (c) 2024 Contributors to the Eclipse Foundation
+  ~
+  ~ See the NOTICE file(s) distributed with this work for additional
+  ~ information regarding copyright ownership.
+  ~
+  ~ This program and the accompanying materials are made available under the
+  ~ terms of the Apache License, Version 2.0 which is available at
+  ~ https://www.apache.org/licenses/LICENSE-2.0.
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  ~ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  ~ License for the specific language governing permissions and limitations
+  ~ under the License.
+  ~
+  ~ SPDX-License-Identifier: Apache-2.0
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+   <parent>
+      <groupId>org.eclipse.tractusx</groupId>
+      <artifactId>digital-twin-registry</artifactId>
+      <version>DEV-SNAPSHOT</version>
+      <relativePath>../../pom.xml</relativePath>
+   </parent>
+
+   <groupId>org.eclipse.tractusx.digital_twin_registry</groupId>
+   <artifactId>dtr-edc-access-control-extension</artifactId>
+   <name>Tractus-X Semantic Layer Digital Twin Registry Access Control Extension for Eclipse Dataspace Connector Dataplane</name>
+   <description>Module contains the EDC extension triggering access control calls to the Semantic Layer Digital Twin Registry Service's relevant API endpoint.</description>
+   <packaging>jar</packaging>
+
+   <organization>
+      <name>${organization}</name>
+      <url>${url}</url>
+   </organization>
+
+   <licenses>
+      <license>
+         <name>${licence_name}</name>
+         <url>${licence_url}</url>
+         <distribution>${licence_distribution}</distribution>
+         <comments>${licence_comments}</comments>
+      </license>
+   </licenses>
+
+   <dependencies>
+      <dependency>
+         <groupId>org.eclipse.edc</groupId>
+         <artifactId>connector-core</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>org.eclipse.edc</groupId>
+         <artifactId>data-plane-spi</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>org.eclipse.edc</groupId>
+         <artifactId>data-plane-http-spi</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>org.apache.commons</groupId>
+         <artifactId>commons-lang3</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>com.github.ben-manes.caffeine</groupId>
+         <artifactId>caffeine</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>org.junit.jupiter</groupId>
+         <artifactId>junit-jupiter</artifactId>
+      </dependency>
+      <dependency>
+         <groupId>org.mockito</groupId>
+         <artifactId>mockito-core</artifactId>
+         <scope>test</scope>
+      </dependency>
+      <dependency>
+         <groupId>org.assertj</groupId>
+         <artifactId>assertj-core</artifactId>
+      </dependency>
+   </dependencies>
+
+   <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-compiler-plugin</artifactId>
+         </plugin>
+
+         <plugin>
+            <groupId>io.github.git-commit-id</groupId>
+            <artifactId>git-commit-id-maven-plugin</artifactId>
+         </plugin>
+
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-surefire-plugin</artifactId>
+         </plugin>
+
+         <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-deploy-plugin</artifactId>
+         </plugin>
+      </plugins>
+   </build>
+</project>

libraries/edc-extension/src/main/java/org/eclipse/tractusx/semantics/edc/dataplane/http/accesscontrol/AccessControlServiceException.java

@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH and others
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ******************************************************************************/
+
+package org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol;
+
+public class AccessControlServiceException extends RuntimeException {
+
+   public AccessControlServiceException( final String message ) {
+      super( message );
+   }
+
+   public AccessControlServiceException( final Throwable cause ) {
+      super( cause );
+   }
+}

libraries/edc-extension/src/main/java/org/eclipse/tractusx/semantics/edc/dataplane/http/accesscontrol/DtrDataPlaneAccessControlServiceExtension.java

@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH and others
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ******************************************************************************/
+
+package org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol;
+
+import org.eclipse.edc.connector.dataplane.spi.iam.DataPlaneAccessTokenService;
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.http.EdcHttpClient;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.security.Vault;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.spi.types.TypeManager;
+
+@Extension( value = "Data Plane HTTP Access Control" )
+public class DtrDataPlaneAccessControlServiceExtension implements ServiceExtension {
+
+   @Setting( value = "Contains the base URL of the EDC data plane endpoint where the data plane requests are sent by the end users." )
+   public static final String EDC_DATA_PLANE_BASE_URL = "edc.granular.access.verification.edc.data.plane.baseUrl";
+   @Setting( value = "Comma separated list of DTR configuration names used as keys for DTR clients." )
+   public static final String EDC_DTR_CONFIG_NAMES = "edc.granular.access.verification.dtr.names";
+   /**
+    * Prefix for individual DTR configurations.
+    */
+   public static final String EDC_DTR_CONFIG_PREFIX = "edc.granular.access.verification.dtr.config.";
+   /**
+    * Configuration property suffix for the configuration of DTR decision cache. The cache is turned off if set to 0.
+    */
+   public static final String DTR_DECISION_CACHE_MINUTES = "dtr.decision.cache.duration.minutes";
+   /**
+    * Configuration property suffix for the pattern to allow for the recognition of aspect model requests which need
+    * to be handled by DTR access control.
+    */
+   public static final String ASPECT_MODEL_URL_PATTERN = "aspect.model.url.pattern";
+   /**
+    * Configuration property suffix for the URL where DTR can be reached.
+    */
+   public static final String DTR_ACCESS_VERIFICATION_URL = "dtr.access.verification.endpoint.url";
+   /**
+    * Configuration property suffix for the URL where OAUTH2 tokens can be obtained for the DTR requests.
+    */
+   public static final String OAUTH2_TOKEN_ENDPOINT_URL = "oauth2.token.endpoint.url";
+   /**
+    * Configuration property suffix for the scope we need to use for OAUTH2 token requests when we need to access DTR.
+    */
+   public static final String OAUTH2_TOKEN_SCOPE = "oauth2.token.scope";
+   /**
+    * Configuration property suffix for the client id we need to use for OAUTH2 token requests when we need to access DTR.
+    */
+   public static final String OAUTH2_TOKEN_CLIENT_ID = "oauth2.token.clientId";
+
+   /**
+    * Configuration property suffix for the path where we can find the client secret in vault for the OAUTH2 token requests when we need to access DTR.
+    */
+   public static final String OAUTH2_TOKEN_CLIENT_SECRET_PATH = "oauth2.token.clientSecret.path";
+   @Inject
+   private Monitor monitor;
+   @Inject
+   private EdcHttpClient httpClient;
+   @Inject
+   private TypeManager typeManager;
+   @Inject
+   private Vault vault;
+   @Inject
+   private DataPlaneAccessTokenService dataPlaneAccessTokenService;
+   private HttpAccessControlCheckClientConfig config;
+
+   @Override
+   public String name() {
+      return "DTR Data Plane Access Control Service";
+   }
+
+   @Override
+   public void initialize( final ServiceExtensionContext context ) {
+      monitor.info( "Initializing " + name() );
+      config = new HttpAccessControlCheckClientConfig( context );
+   }
+}

libraries/edc-extension/src/main/java/org/eclipse/tractusx/semantics/edc/dataplane/http/accesscontrol/HttpAccessControlCheckClientConfig.java

@@ -0,0 +1,54 @@
+/*******************************************************************************
+ * Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH and others
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ******************************************************************************/
+
+package org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol;
+
+import static org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol.DtrDataPlaneAccessControlServiceExtension.*;
+
+import java.util.Arrays;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import org.apache.commons.lang3.StringUtils;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+
+public class HttpAccessControlCheckClientConfig {
+
+   private final Map<String, HttpAccessControlCheckDtrClientConfig> dtrClientConfigMap;
+   private final String edcDataPlaneBaseUrl;
+
+   public HttpAccessControlCheckClientConfig( final ServiceExtensionContext context ) {
+      dtrClientConfigMap = Arrays.stream( context.getSetting( EDC_DTR_CONFIG_NAMES, "" ).split( "," ) )
+            .filter( StringUtils::isNotBlank )
+            .collect( Collectors.toUnmodifiableMap( Function.identity(),
+                  name -> new HttpAccessControlCheckDtrClientConfig(
+                        context.getConfig( EDC_DTR_CONFIG_PREFIX + name ) ) ) );
+      edcDataPlaneBaseUrl = context.getSetting( EDC_DATA_PLANE_BASE_URL, null );
+   }
+
+   public Map<String, HttpAccessControlCheckDtrClientConfig> getDtrClientConfigMap() {
+      return dtrClientConfigMap;
+   }
+
+   public String getEdcDataPlaneBaseUrl() {
+      return edcDataPlaneBaseUrl;
+   }
+}

libraries/edc-extension/src/main/java/org/eclipse/tractusx/semantics/edc/dataplane/http/accesscontrol/HttpAccessControlCheckDtrClientConfig.java

@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH and others
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ******************************************************************************/
+
+package org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol;
+
+import static org.eclipse.tractusx.semantics.edc.dataplane.http.accesscontrol.DtrDataPlaneAccessControlServiceExtension.*;
+
+import org.eclipse.edc.spi.system.configuration.Config;
+
+public class HttpAccessControlCheckDtrClientConfig {
+
+   private final String aspectModelUrlPattern;
+   private final String dtrAccessVerificationUrl;
+   private final String oauth2TokenEndpointUrl;
+   private final String oauth2TokenScope;
+   private final String oauth2ClientId;
+   private final String oauth2ClientSecretPath;
+   private final int decisionCacheDurationMinutes;
+
+   public HttpAccessControlCheckDtrClientConfig( final Config context ) {
+      aspectModelUrlPattern = context.getString( ASPECT_MODEL_URL_PATTERN, null );
+      dtrAccessVerificationUrl = context.getString( DTR_ACCESS_VERIFICATION_URL, null );
+      oauth2TokenEndpointUrl = context.getString( OAUTH2_TOKEN_ENDPOINT_URL, null );
+      oauth2TokenScope = context.getString( OAUTH2_TOKEN_SCOPE, null );
+      oauth2ClientId = context.getString( OAUTH2_TOKEN_CLIENT_ID, null );
+      oauth2ClientSecretPath = context.getString( OAUTH2_TOKEN_CLIENT_SECRET_PATH, null );
+      decisionCacheDurationMinutes = context.getInteger( DTR_DECISION_CACHE_MINUTES, 0 );
+   }
+
+   public String getAspectModelUrlPattern() {
+      return aspectModelUrlPattern;
+   }
+
+   public String getDtrAccessVerificationUrl() {
+      return dtrAccessVerificationUrl;
+   }
+
+   public String getOauth2TokenEndpointUrl() {
+      return oauth2TokenEndpointUrl;
+   }
+
+   public String getOauth2TokenScope() {
+      return oauth2TokenScope;
+   }
+
+   public String getOauth2ClientId() {
+      return oauth2ClientId;
+   }
+
+   public String getOauth2ClientSecretPath() {
+      return oauth2ClientSecretPath;
+   }
+
+   public int getDecisionCacheDurationMinutes() {
+      return decisionCacheDurationMinutes;
+   }
+}