Skip to content

Commit

Permalink
Merge pull request #366 from bci-oss/feature/352-edc-extension_3
Browse files Browse the repository at this point in the history
feat: EDC extension - Configure/init the extension
  • Loading branch information
tunacicek authored Apr 8, 2024
2 parents 47d0177 + 381da60 commit 7f1937d
Show file tree
Hide file tree
Showing 16 changed files with 937 additions and 58 deletions.
29 changes: 29 additions & 0 deletions DEPENDENCIES
Original file line number Diff line number Diff line change
Expand Up @@ -10,17 +10,24 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jdk8/2.15.4,
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.4, Apache-2.0, approved, #7930
maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.4, Apache-2.0, approved, #8803
maven/mavencentral/com.fasterxml/classmate/1.6.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.github.ben-manes.caffeine/caffeine/3.1.8, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0, approved, CQ21949
maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.18.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.21.1, Apache-2.0, approved, #9834
maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
maven/mavencentral/com.google.guava/guava/32.1.1-jre, Apache-2.0 AND CC0-1.0 AND LicenseRef-Public-Domain, approved, #9229
maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
maven/mavencentral/com.google.j2objc/j2objc-annotations/2.8, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.h2database/h2/2.2.220, (EPL-1.0 OR MPL-2.0) AND (LGPL-3.0-or-later OR EPL-1.0 OR MPL-2.0), approved, #9322
maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.24.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.opencsv/opencsv/5.7.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
maven/mavencentral/com.zaxxer/HikariCP/5.0.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/dev.failsafe/failsafe-okhttp/3.3.2, Apache-2.0, approved, #9178
maven/mavencentral/dev.failsafe/failsafe/3.3.2, Apache-2.0, approved, #9268
maven/mavencentral/io.github.classgraph/classgraph/4.8.149, MIT, approved, CQ22530
maven/mavencentral/io.micrometer/micrometer-commons/1.12.4, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #11679
maven/mavencentral/io.micrometer/micrometer-core/1.12.4, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #11678
Expand All @@ -38,6 +45,7 @@ maven/mavencentral/jakarta.transaction/jakarta.transaction-api/2.0.1, EPL-2.0 OR
maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
maven/mavencentral/jakarta.websocket/jakarta.websocket-api/2.1.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.websocket
maven/mavencentral/jakarta.websocket/jakarta.websocket-client-api/2.1.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.websocket
maven/mavencentral/jakarta.ws.rs/jakarta.ws.rs-api/3.1.0, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.rest
maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.2, BSD-3-Clause, approved, ee4j.jaxb
maven/mavencentral/javax.activation/javax.activation-api/1.2.0, (CDDL-1.1 OR GPL-2.0 WITH Classpath-exception-2.0) AND Apache-2.0, approved, CQ18740
maven/mavencentral/javax.xml.bind/jaxb-api/2.3.1, CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0, approved, CQ16911
Expand All @@ -48,7 +56,22 @@ maven/mavencentral/org.apache.commons/commons-text/1.10.0, Apache-2.0, approved,
maven/mavencentral/org.apache.logging.log4j/log4j-api/2.21.1, Apache-2.0 AND (Apache-2.0 AND LGPL-2.0-or-later), approved, #11079
maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.21.1, Apache-2.0, approved, #11919
maven/mavencentral/org.aspectj/aspectjweaver/1.9.21, Apache-2.0 AND BSD-3-Clause AND EPL-1.0 AND BSD-3-Clause AND Apache-1.1, approved, #7695
maven/mavencentral/org.checkerframework/checker-qual/3.37.0, MIT, approved, clearlydefined
maven/mavencentral/org.checkerframework/checker-qual/3.42.0, MIT, approved, clearlydefined
maven/mavencentral/org.eclipse.edc/connector-core/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/core-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/data-address-http-data-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/data-plane-http-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/data-plane-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/http-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/keys-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/policy-engine-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/policy-model/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/runtime-metamodel/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transaction-datasource-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transaction-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transform-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/validator-spi/0.6.0, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.jetty.ee10.websocket/jetty-ee10-websocket-jakarta-client/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.ee10.websocket/jetty-ee10-websocket-jakarta-common/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty.ee10.websocket/jetty-ee10-websocket-jakarta-server/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
Expand All @@ -75,10 +98,16 @@ maven/mavencentral/org.eclipse.jetty/jetty-server/12.0.7, EPL-2.0 OR Apache-2.0,
maven/mavencentral/org.eclipse.jetty/jetty-session/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-util/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.eclipse.jetty/jetty-xml/12.0.7, EPL-2.0 OR Apache-2.0, approved, rt.jetty
maven/mavencentral/org.glassfish.jersey.core/jersey-server/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey
maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
maven/mavencentral/org.hibernate.orm/hibernate-core/6.4.4.Final, LGPL-2.1-or-later AND (EPL-2.0 OR BSD-3-Clause) AND MIT, approved, #12490
maven/mavencentral/org.hibernate.validator/hibernate-validator/8.0.1.Final, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jboss.logging/jboss-logging/3.5.3.Final, Apache-2.0, approved, #9471
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-common/1.9.23, Apache-2.0, approved, #14186
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.9.23, Apache-2.0, approved, #14188
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.9.23, Apache-2.0, approved, #14185
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib/1.9.23, Apache-2.0, approved, #11827
maven/mavencentral/org.jetbrains/annotations/24.1.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.liquibase/liquibase-core/4.19.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.mapstruct/mapstruct/1.5.3.Final, Apache-2.0, approved, #6277
maven/mavencentral/org.openapitools/jackson-databind-nullable/0.1.0, Apache-2.0, approved, clearlydefined
Expand Down
220 changes: 220 additions & 0 deletions docs/EDC-extension-configuration.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
# Digital Twin Registry Data Plane HTTP Access Control Eclipse Dataspace Connector extension

## 1 Introduction and goals

The *Eclipse Dataspace Connector (EDC)* can provide access to many different backend services. These services have different security capabilities.

### High level requirement
The *Eclipse Dataspace Connector* extension can provide a granular access control solution for authorization of *Submodel* backend requests based on the registered
*Submodel* endpoints of the *Shells* which are available for the Data Consumer through the *Digital Twin Registry (DTR)*.

### Requirements

- *Submodel* backends cannot be accessed through *Eclipse Dataspace Connector* unless:
- their __exact URL__ is registered in the *Digital Twin Registry* as a *Submodel* endpoint `href`; AND
- both the *Shell* containing the *Submodel* endpoint and the Submodels are visible to the Data Consumer.
- Multiple *Digital Twin Registry* instances might be registered for the same *Eclipse Dataspace Connector Data Plane* instance and *Eclipse Dataspace Connector* extension.
- The access control solution uses the already existing `Edc-Bpn` HTTP header, containing the *BPN* of the Data Consumer.
- The extension requires at least one registered *Digital Twin Registry* using granular access control ([as defined here](README.md#granular-access-control-implementation))

### Assumptions

- The provider *Control Plane EDC* includes the `Edc-Bpn` header in the `DataAddress`.

### Stakeholders

| Role | Description | Goal, Intention |
|---------------|---------------------------------------------------------|--------------------------------------|
| Data Consumer | uses the DTR | wants to find endpoints for Shells |
| Data Provider | runs its own DTR and provides endpoints to his Shells | wants to provide Shells |

## 2 Architecture and constraints

### System context (Logical view)

```mermaid
C4Context
System_Ext(client, "Client", "Client application")
System_Ext(edcCP, "Consumer EDC", "EDC Control Plane")
System(edcDP, "Provider EDC", "Provider EDC Data Plane with the extension ")
System_Ext(idp, "OAuth2 IDM", "Provides tokens for DTR access")
System_Ext(dtr, "Digital Twin Registry", "DTR instance registered with EDC")
System_Ext(backend, "Submodel backend", "System of record for submodel data")
Rel(client, edcCP, "Get EDR")
Rel(client, edcDP, "Call with EDR")
Rel(edcDP, idp, "Get token")
Rel(edcDP, dtr, "Call for access verification")
Rel(edcDP, backend, "Proxy HTTP call if access granted")
UpdateLayoutConfig($c4ShapeInRow="2", $c4BoundaryInRow="1")
```

### Constraints
- The Data Provider must configure at least one *Digital Twin Registry* instance in order to use the *DTR Data Plane HTTP Access Control EDC extension*.
- The extension depends on the EDC Signaling API (no backport for legacy data access APIs)

## 3 Runtime-view

### Call sequences (Runtime view)

#### Prerequisites

In order to perform any of the following actions, we must assume that:

1. The *Digital Twin Registry* and the *Submodel* backend are both registered in *EDC* as assets
2. The *Submodel* backend asset configured to proxy the request path and query parameters
3. The client knows how to access the *Digital Twin Registry* through *EDC*
4. The client received the *Submodel* backend endpoint address from the *Digital Twin Registry* containing:
1. The full *EDC Data Plane* URL including the proxied path and query parameters (if any) in `href`
2. The Id of the *EDC* asset referencing the *Submodel* backend
3. The provider *EDC control Plane's* URL
5. The *DTR Data Plane HTTP Access Control* extension is properly configured to call the *Digital Twin Registry* when the
`DataAddress` URL points to an endpoint of the *Submodel* backend
6. The provider *Control Plane EDC* includes the `Edc-Bpn` header in the `DataAddress`


#### Happy case - The client has access to the protected *Submodel* resource

When the client has access to the protected *Submodel* details (based on the BPN and the *EDC Data Plane* request URL), then
the extension obtains an `OAuth2` access token for accessing the *Digital Twin Registry* to perform the additional access
verification step. The request is allowed through to the *Submodel* backend when the confirmation arrives from the *Digital
Twin Registry*. This flow can be seen below.

```mermaid
sequenceDiagram
autonumber
participant CLI as Client app
participant CCP as Consumer EDC<br/>(Control Plane)
participant PCP as Provider EDC<br/>(Control Plane)
participant PDP as Provider EDC<br/>(Data Plane)
participant IDP as OAuth2 IDM
participant DTR as Digital Twin Registry
participant SMB as Submodel backend
CLI ->> CCP : Get EDR for Submodel backend
CCP -->> PCP : Negotiate for EDR
PCP -->> CCP : Return EDR
CCP -->> CLI : Return EDR
CLI ->> PDP : Request Submodel backend data
PDP ->> PDP : Evaluate whether DTR check<br/>is needed based on config
PDP ->> IDP : Get OAuth2 token for DTR
IDP -->> PDP : Return token
PDP ->> DTR : Verify Submodel endpoint access using Edc-Bpn and<br/>the EDC Provider Data Plane URL of the client request
DTR -->> PDP : Grant access
PDP ->> SMB : Proxy Submodel call
SMB -->> PDP : Return Submodel data
PDP -->> CLI : Return Submodel data
```

#### Exceptional case - The client has no access to the protected *Submodel* resource

When the client has NO access to the protected *Submodel* details (based on the *BPN* and the *EDC Data Plane* request URL),
then using the same flow, the extension will receive an error response form the *Digital Twin Registry* and as a result it
will not allow the *Submodel* request through by triggering a `HTTP 403` response from the *EDC*.

```mermaid
sequenceDiagram
autonumber
participant CLI as Client app
participant CCP as Consumer EDC<br/>(Control Plane)
participant PCP as Provider EDC<br/>(Control Plane)
participant PDP as Provider EDC<br/>(Data Plane)
participant IDP as OAuth2 IDM
participant DTR as Digital Twin Registry
CLI ->> CCP : Get EDR for Submodel backend
CCP -->> PCP : Negotiate for EDR
PCP -->> CCP : Return EDR
CCP -->> CLI : Return EDR
CLI ->> PDP : Request Submodel backend data
PDP ->> PDP : Evaluate whether DTR check<br/>is needed based on config
PDP ->> IDP : Get OAuth2 token for DTR
IDP -->> PDP : Return token
PDP ->> DTR : Verify Submodel endpoint access using Edc-Bpn and<br/>the EDC Provider Data Plane URL of the client request
DTR -->> PDP : Deny access
PDP ->> PDP : Return HTTP 403 error response instead of Submodel data
PDP -->> CLI : Return error response
```

#### Happy case - The requested resource does not require *DTR* verification

Thanks to the configurable RegExp pattern controlling the access control mechanism, we can continue to use backends
which do not require additional granular access control measures. In this case, the request URL won't match the pattern
and the extension will neither obtain an `OAuth2` token nor call the *Digital Twin Registry* as seen below.

```mermaid
sequenceDiagram
autonumber
participant CLI as Client app
participant CCP as Consumer EDC<br/>(Control Plane)
participant PCP as Provider EDC<br/>(Control Plane)
participant PDP as Provider EDC<br/>(Data Plane)
participant SMB as Submodel backend
CLI ->> CCP : Get EDR for Submodel backend
CCP -->> PCP : Negotiate for EDR
PCP -->> CCP : Return EDR
CCP -->> CLI : Return EDR
CLI ->> PDP : Request Submodel backend data
PDP ->> PDP : Evaluate whether DTR check<br/>is needed based on config
PDP ->> SMB : Proxy Submodel call
SMB -->> PDP : Return Submodel data
PDP -->> CLI : Return Submodel data
```

## 4 Configuration

### Prerequisites

1. A *Digital Twin Registry* configured to be using granular access control
2. Access to the *IDM* to create/configure a new user
3. The ability to add secrets to the Vault used by provider *EDC Data Plane*

### Required roles to access the *Digital Twin Registry* from the extension

The *Digital Twin Registry's* Submodel authorization API endpoint requires the `submodel_access_control` `OAuth2` role. The credentials used by *EDC* must be
configured in the *IDM* to have this role.

> [!WARNING]
> It is recommended to use a set of credentials which are created specifically for this extension and only add the aforementioned `submodel_access_control` `OAuth2` role to limit the associated risk in case the credentials become compromised.
### Adding the credentials to the Vault

The client secret of the credentials must be added to the secrets manager (Vault) used by the *EDC Data Plane* instance using the extension. The alias/path of the
secret will be required during the configuration.

### Extension configuration

```properties
# Configure the URL which is used when the clients are reaching the EDC Data Plane's /public/v2/ endpoint
edc.granular.access.verification.edc.data.plane.baseUrl=http://edc-data-plane:9051/public/v2/

# List the names of each DTR instance we intend to configure (comma separated list)
edc.granular.access.verification.dtr.names=default

# Configure each DTR instance using the following properties.
# "use the edc.granular.access.verification.dtr.config.<dtr_name>." prefix with each name listed above

# How long should we cache the response we have received from DTR?
edc.granular.access.verification.dtr.config.default.dtr.decision.cache.duration.minutes=1
# A RegExp pattern that can match the submodel endpoints in scope for DTR access control
edc.granular.access.verification.dtr.config.default.aspect.model.url.pattern=http:\/\/submodel:8080\/path\/.*
# The full URL of the access control verification endpoint of the DTR instance
edc.granular.access.verification.dtr.config.default.dtr.access.verification.endpoint.url=http://dtr:8080/aas-registry-api/v3.0/submodel-descriptor/authorized
# The OAuth2 configuration for accessing the DTR
# Token endpoint URL
edc.granular.access.verification.dtr.config.default.oauth2.token.endpoint.url=http://oauth2-iam:8080/iam/access-management/v1/tenants/00000000-0000-0000-0000-000000000000/openid-connect/token
# Scope (audience) of the token we want to obtain
edc.granular.access.verification.dtr.config.default.oauth2.token.scope=aud:dtr
# OAuth2 client Id
edc.granular.access.verification.dtr.config.default.oauth2.token.clientId=dtr_client
# The name (path) of the secret where the OAuth2 client secret is stored in the Vault
edc.granular.access.verification.dtr.config.default.oauth2.token.clientSecret.path=dtrsecret
```

> [!NOTE]
> If none of these properties are configured, the extension is turned off.
3 changes: 3 additions & 0 deletions docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -679,6 +679,9 @@ The granular access control implementation is provided as an alternative option
4. Restricting access to *Digital Twin* details which are `"PUBLIC_READABLE"`
(only showing the `id`, the public readable `specificAssetId` names and values, the `createdDate` and the filtered `submodelDescriptors` )

> [!NOTE]
> We have created an EDC extension to let you leverage the benefits of granular access control to the full extent. Please read the related details [here](EDC-extension-configuration.md)!
##### Configuring granular access control

To enable granular access control (instead of the classic implementation), the `registry.useGranularAccessControl` configuration HELM chart property must be set to `"true"`.
Expand Down
Loading

0 comments on commit 7f1937d

Please sign in to comment.