Merge pull request #99 from catenax-ng/feature/cmp-668/backend-infra-…

…dependencies

Feature/cmp-668/backend-infra-dependencies: Updated charts and documentation

.github/workflows/veracode-pipeline.yml

@@ -33,9 +33,35 @@ on:
 permissions:
   contents: read
 
+env:
+  VID: '${{ secrets.VERACODE_API_ID || secrets.ORG_VERACODE_API_ID }}'
+  VKEY: '${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}'
+
+
 jobs:
+  check-secrets:
+    runs-on: ubuntu-latest
+    outputs:
+      secrets-available: ${{ steps.secrets-exists.outputs.available }}
+    steps:
+      - name: Check for Secrets availability
+        id: secrets-exists
+        shell: bash
+        ## Check if the secrets are available in the environment
+        ## Check if the secrets are available in the environment
+        run: |
+          if [ "${{ env.VID }}" != '' ] && [ "${{ env.VKEY }}" != '' ]; then 
+            echo "available=true" >> $GITHUB_OUTPUT;
+            echo "Secrets are available at this environment!"
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+            echo "No secrets are available at this environment!"
+          fi
+
   # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
   build-and-pipeline-scan:
+    needs: [ check-secrets ]
+    if: needs.check-secrets.outputs.secrets-available == 'true' ## Require that the secrets are available
     permissions:
       contents: read
       security-events: write
@@ -66,7 +92,7 @@ jobs:
       with:
         java-version: 8
         distribution: 'temurin'
-    - run: java -Dpipeline.debug=true -jar pipeline-scan.jar -p "Product-Passport-Consumer-App" --veracode_api_id "${{ secrets.VERACODE_API_ID || secrets.ORG_VERACODE_API_ID }}" --veracode_api_key "${{ secrets.VERACODE_API_KEY || secrets.ORG_VERACODE_API_KEY }}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
+    - run: java -Dpipeline.debug=true -jar pipeline-scan.jar -p "Product-Passport-Consumer-App" --veracode_api_id "${{ env.VID }}" --veracode_api_key "${{ env.VKEY }}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
       continue-on-error: true
     - name: Convert pipeline scan output to SARIF format
       id: convert

.nginx/nginx.conf

@@ -20,12 +20,11 @@
 # SPDX-License-Identifier: Apache-2.0
 ##################################################################################
 
-    server {
-		listen 8080;
-		listen [::]:8080;
-		root /usr/share/nginx/html;
-        location / {
-			index index.html
-            try_files $uri /index.html;
-        }
-    }
+server {
+    listen 8080;
+    listen [::]:8080;
+    root /usr/share/nginx/html;
+    location / {
+        try_files $uri /index.html;
+    }
+}

CHANGELOG.md

@@ -24,6 +24,49 @@
 
 The changelog format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [in  preparation]
+## [1.0.0] - xxxx-xx-xx
+
+## Deleted
+- Deleted the cx-backend-service from the EDC Consumer and Provider deployments 
+- Removed inrelevant infrastructure files 
+- Remove not necesarry logs that affected the performance
+
+## Added
+- Added new `/endpoint` api to store the payload incomming from the EDC data plane
+- Added the encryption and decryption in AES from passport payload.
+- Added AES unit tests
+- Added the DataPlane service in the backend to comunicate with the data plane.
+- Added process manager to manage the asyncronous processes executing in parallel.
+- Added process dataModel in session.
+- Added new passport util. 
+- Added new models to negotiate  and transfer with the new EDC `v0.4.1`
+- Added new utils methods like to delete files.
+- Added contract controller apis
+   - Added contract search  `/api/contract/search`
+   - Added contract decline `/api/contract/decline`
+   - Added contract sign `/api/contract/sign`
+   - Added contract cancel `/api/contract/cancel`
+   - Added contract status `/api/contract/status`
+- Added new Backend configuration
+- Integrated the EDC Data Plane retrieval logic
+- Added `.tractusx` metafile
+- Align chart version with app version.
+- Added file system logging of the negotiation and transfer.
+
+## Updated
+- Updated charts configurations related to the backend.
+- Updated the EDC test charts to remote the cx-backend-service configurations
+- Updated payloads
+- Update the backend chart configuration
+- Refactor secrets structure
+- Updated postman collection
+
+## Security Improvements
+- Added logic to create and authenticate with  unique session tokens the sign and other methods.
+- Added Encryption of passport payload when coming from Data Plane endpoint, until it is retrieved to the  user which is authenticated and is using the unique  session token as decryption key.
+- Added unique signKey to backend, which is used to the unique session key.
+
 ## [released]
 ## [0.9.0] - 2023-06-20
 

Dockerfile

@@ -57,8 +57,8 @@ RUN chmod +x /entrypoint.sh
 # Install bash for env variables inject script
 RUN apk update && apk add --no-cache bash
 # Make nginx owner of /usr/share/nginx/html/ and change to nginx user
-RUN chown -R 101:101 /usr/share/nginx/html/
-USER 101
+RUN chown -R 1001:1001 /usr/share/nginx/html/
+USER 1001
 
 EXPOSE 8080
 

charts/digital-product-pass/Chart.yaml

@@ -37,10 +37,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.5
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.9.0"
+appVersion: "1.0.0"

charts/digital-product-pass/templates/deployment-backend.yaml

@@ -58,11 +58,18 @@ spec:
                 secretKeyRef:
                   key:  clientSecret
                   name: avp-consumer-backend-cx-registry-auth
-            - name: "apiKey"
+            - name: "edc.apiKey"
               valueFrom:
                 secretKeyRef:
                   key:  xApiKey
                   name: avp-consumer-backend-edc-oauth
+            - name: "edc.participantId"
+              valueFrom:
+                secretKeyRef:
+                  key:  participantId
+                  name: avp-consumer-backend-edc-oauth
+
+
           volumeMounts:
             - name: backend-config
               mountPath: /app/config

charts/digital-product-pass/templates/secret-backend.yaml

@@ -43,3 +43,4 @@ metadata:
 type: Opaque
 stringData:
   xApiKey: {{ .Values.backend.avp.helm.xApiKey }}
+  participantId: {{ .Values.backend.avp.helm.participantId }}

charts/digital-product-pass/values-beta.yaml

@@ -79,19 +79,25 @@ backend:
       clientId: <path:material-pass/data/beta/aasregistry#client.id>
       clientSecret: <path:material-pass/data/beta/aasregistry#client.secret>
       xApiKey: <path:material-pass/data/beta/edc/oauth#api.key>
+      participantId:  <path:material-pass/data/beta/edc/participant#bpnNumber>
 
   application:
     yml: |-
       spring:
-        application:
-          name: 'Catena-X Product Passport Consumer Backend'
+        name: 'Catena-X Product Passport Consumer Backend'
         main:
           allow-bean-definition-overriding: true
         devtools:
           add-properties: false
         jackson:
           serialization:
             indent_output: true
+
+      logging:
+        level:
+          root: INFO
+          utils: INFO
+
       configuration:
         maxRetries: 5
 
@@ -101,9 +107,21 @@ backend:
           tokenUri: 'https://centralidp.beta.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/token'
           userInfoUri: 'https://centralidp.beta.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/userinfo'
 
+        edc:
+          endpoint: 'https://materialpass.beta.demo.catena-x.net/consumer'
+          management: '/management/v2'
+          catalog: '/catalog/request'
+          negotiation: '/contractnegotiations'
+          transfer: '/transferprocesses'
+          receiverEndpoint: 'https://materialpass.beta.demo.catena-x.net/endpoint'
+
+        process:
+          store: true
+          dir: 'process'
+          indent: true
+          signKey: '<path:material-pass/data/beta/backend/#signKey>'
+
         endpoints:
-          providerUrl: 'https://materialpass.beta.demo.catena-x.net/BPNL000000000000'
-          serverUrl: 'https://materialpass.beta.demo.catena-x.net'
           registryUrl: 'https://semantics.beta.demo.catena-x.net'
 
         passport:
@@ -122,10 +140,11 @@ backend:
           indent: 2
           defaultValue: '<Add secret value here>'
           attributes:
-            - "token"
             - "client.id"
             - "client.secret"
-            - "apiKey"
+            - "edc.apiKey"
+            - "edc.participantId"
+
       server:
         error:
           include-message: ALWAYS
@@ -134,5 +153,4 @@ backend:
           include-exception: false
         port: 8888
         tomcat:
-          max-connections: 10000
-
+          max-connections: 10000

charts/digital-product-pass/values-dev.yaml

@@ -79,19 +79,25 @@ backend:
       clientId: <path:material-pass/data/dev/aasregistry#client.id>
       clientSecret: <path:material-pass/data/dev/aasregistry#client.secret>
       xApiKey: <path:material-pass/data/dev/edc/oauth#api.key>
+      participantId:  <path:material-pass/data/dev/edc/participant#bpnNumber>
 
   application:
     yml: |-
       spring:
-        application:
-          name: 'Catena-X Product Passport Consumer Backend'
+        name: 'Catena-X Product Passport Consumer Backend'
         main:
           allow-bean-definition-overriding: true
         devtools:
           add-properties: false
         jackson:
           serialization:
             indent_output: true
+
+      logging:
+        level:
+          root: INFO
+          utils: INFO
+
       configuration:
         maxRetries: 5
 
@@ -101,9 +107,21 @@ backend:
           tokenUri: 'https://centralidp.dev.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/token'
           userInfoUri: 'https://centralidp.dev.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/userinfo'
 
+        edc:
+          endpoint: 'https://materialpass.dev.demo.catena-x.net/consumer'
+          management: '/management/v2'
+          catalog: '/catalog/request'
+          negotiation: '/contractnegotiations'
+          transfer: '/transferprocesses'
+          receiverEndpoint: 'https://materialpass.dev.demo.catena-x.net/endpoint'
+
+        process:
+          store: true
+          dir: 'process'
+          indent: true
+          signKey: '<path:material-pass/data/dev/backend/#signKey>'
+
         endpoints:
-          providerUrl: 'https://materialpass.dev.demo.catena-x.net/BPNL000000000000'
-          serverUrl: 'https://materialpass.dev.demo.catena-x.net'
           registryUrl: 'https://semantics.dev.demo.catena-x.net'
 
         passport:
@@ -122,10 +140,11 @@ backend:
           indent: 2
           defaultValue: '<Add secret value here>'
           attributes:
-            - "token"
             - "client.id"
             - "client.secret"
-            - "apiKey"
+            - "edc.apiKey"
+            - "edc.participantId"
+
       server:
         error:
           include-message: ALWAYS
@@ -134,4 +153,4 @@ backend:
           include-exception: false
         port: 8888
         tomcat:
-          max-connections: 10000
+          max-connections: 10000

charts/digital-product-pass/values-int.yaml

@@ -79,19 +79,25 @@ backend:
       clientId: <path:material-pass/data/int/aasregistry#client.id>
       clientSecret: <path:material-pass/data/int/aasregistry#client.secret>
       xApiKey: <path:material-pass/data/int/edc/oauth#api.key>
+      participantId:  <path:material-pass/data/int/edc/participant#bpnNumber>
 
   application:
     yml: |-
       spring:
-        application:
-          name: 'Catena-X Product Passport Consumer Backend'
+        name: 'Catena-X Product Passport Consumer Backend'
         main:
           allow-bean-definition-overriding: true
         devtools:
           add-properties: false
         jackson:
           serialization:
             indent_output: true
+
+      logging:
+        level:
+          root: INFO
+          utils: INFO
+
       configuration:
         maxRetries: 5
 
@@ -101,9 +107,21 @@ backend:
           tokenUri: 'https://centralidp.int.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/token'
           userInfoUri: 'https://centralidp.int.demo.catena-x.net/auth/realms/CX-Central/protocol/openid-connect/userinfo'
 
+        edc:
+          endpoint: 'https://materialpass.int.demo.catena-x.net/consumer'
+          management: '/management/v2'
+          catalog: '/catalog/request'
+          negotiation: '/contractnegotiations'
+          transfer: '/transferprocesses'
+          receiverEndpoint: 'https://materialpass.int.demo.catena-x.net/endpoint'
+
+        process:
+          store: true
+          dir: 'process'
+          indent: true
+          signKey: '<path:material-pass/data/int/backend/#signKey>'
+
         endpoints:
-          providerUrl: 'https://materialpass.int.demo.catena-x.net/BPNL000000000000'
-          serverUrl: 'https://materialpass.int.demo.catena-x.net'
           registryUrl: 'https://semantics.int.demo.catena-x.net'
 
         passport:
@@ -122,10 +140,11 @@ backend:
           indent: 2
           defaultValue: '<Add secret value here>'
           attributes:
-            - "token"
             - "client.id"
             - "client.secret"
-            - "apiKey"
+            - "edc.apiKey"
+            - "edc.participantId"
+
       server:
         error:
           include-message: ALWAYS