From 7c268ea205774841ca690782b84f34a1778112bd Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 13 May 2024 10:53:51 +0200 Subject: [PATCH 1/4] chore(changelog): updated changelog --- CHANGELOG.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ea206444..98ad3e122 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,57 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e ## [Unreleased] + +## [released] +## [v3.0.0-rc1] - 13-05-2024 +### Added +- Added security assessment report in /docs for the threat modeling +- Added SingleApiRequest class for the requested data for the single API. +- Added SingleApiConfig class to had configurations related to the single API. +- Added Policy Check configuration in helm charts +- EDC Util methods for asserting the policy configuration against the actual constraints +- Methods for parsing the policy contraints +- Unit tests for testing the policy evaluation feature +- Policy configuration guide added +- EDC v0.7.0 models +- Optimization in the catalog query using `bpn` +- Updated EDR structure +- Added `lombok` dependency to speed the development +- Added security assessment documentation + + +### Updated +- Updated postman collection and tested end-to-end data exchange journey with EDC v0.7.0 +- Updated policy in testdata file +- Updated and renamed the following readme files in /docs + - docs/admin guide/ -> docs/admin/ + - docs/arch42/ -> docs/architecture/ + - docs/userManual/ -> docs/user/ + - docs/infrastcuture as code/ -> docs/security/infrastructure-as-code/ + - docs/secrets management/SECRET_MANAGEMENT.md -> docs/security/secrets-management/SecretsManagement.md + - docs/data retrieval guide/data-retrieval -> docs/data-retrieval/README.md + - docs/business statement/ -> docs/interoperability/Interoperability.md +- Updated all relevant references from the above files +- Updated dpp helm values +- Updated ApiController with the singleApi POST method. +- Updated ContractController by creating call methods (create, search, agree and status) without the authentication step to call in the Single API. +- Updated AuthenticationService by adding the isSingleApiAuthenticated method to authenticate the single API key. +- Updated application.yaml with the single api configurations. +- Updated deployment-backend.yaml with the oauth.apiKey. +- Updated values-int/beta/dev.yaml files with the oauth.apiKey. +- Updated spring boot to version `v3.2.5` from `v3.2.4` +- Updated EDR structure to match new EDC 0.7.0 one + + +## Deleted +- Deleted values-dev.yaml and values-beta.yaml from helm charts + + +## Issues Fixed +- Fixed issue with multiple contract and policies parsing +- Optimized data sovereignty checks removing spotted bugs + + ## [released] ## [v2.3.0] - 06-05-2024 ### Added From 940a693d2e5b25da985c6bbeb071bfc943dd55ca Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 13 May 2024 11:11:48 +0200 Subject: [PATCH 2/4] chore(helm-version): upadted helm chart versions to v3.0.0-rc1 --- charts/digital-product-pass/Chart.yaml | 4 +- charts/digital-product-pass/README.md | 22 +++++-- .../digital-product-pass-backend/Chart.yaml | 4 +- .../digital-product-pass-backend/README.md | 58 ++++++++++++++----- dpp-frontend/package-lock.json | 4 +- dpp-frontend/package.json | 2 +- 6 files changed, 66 insertions(+), 28 deletions(-) diff --git a/charts/digital-product-pass/Chart.yaml b/charts/digital-product-pass/Chart.yaml index e0822b687..40e9e29f7 100644 --- a/charts/digital-product-pass/Chart.yaml +++ b/charts/digital-product-pass/Chart.yaml @@ -42,10 +42,10 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.3.3 +version: 3.0.0-rc1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "2.3.0" +appVersion: "3.0.0-rc1" diff --git a/charts/digital-product-pass/README.md b/charts/digital-product-pass/README.md index ba7e2f81d..e616321ba 100644 --- a/charts/digital-product-pass/README.md +++ b/charts/digital-product-pass/README.md @@ -1,6 +1,6 @@ # digital-product-pass -![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) +![Version: 3.0.0-rc1](https://img.shields.io/badge/Version-3.0.0--rc1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-rc1](https://img.shields.io/badge/AppVersion-3.0.0--rc1-informational?style=flat-square) A Helm chart for Tractus-X Digital Product Pass Kubernetes @@ -31,7 +31,11 @@ helm install digital-product-pass tractusx/digital-product-pass | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | | -| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"","xApiKey":""},"hostname":"localhost","image":{"pullPolicy":"Always","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"]},"podSecurityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":1000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration | +| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"","xApiKey":""},"hostname":"","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"],"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}},"podSecurityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":1000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"singleApi":{"delay":1000,"maxRetries":30},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration | +| backend.digitalTwinRegistry.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | policy configuration for the digital twin assets in the edc catalog | +| backend.digitalTwinRegistry.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | +| backend.digitalTwinRegistry.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | +| backend.digitalTwinRegistry.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value | | backend.digitalTwinRegistry.temporaryStorage | object | `{"enabled":true,"lifetime":12}` | temporary storage of dDTRs for optimization | | backend.digitalTwinRegistry.temporaryStorage.lifetime | int | `12` | lifetime of the temporaryStorage in hours | | backend.digitalTwinRegistry.timeouts | object | `{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}` | timeouts for the digital twin registry async negotiation | @@ -44,14 +48,18 @@ helm install digital-product-pass tractusx/digital-product-pass | backend.edc.hostname | string | `""` | edc consumer connection configuration | | backend.edc.participantId | string | `""` | BPN Number | | backend.edc.xApiKey | string | `""` | the secret for assesing the edc management API | -| backend.hostname | string | `"localhost"` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) | +| backend.hostname | string | `""` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) | | backend.imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| backend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service | +| backend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service | | backend.ingress.annotations.ingressClassName | string | `"nginx"` | ingress class name | | backend.irs | object | `{"enabled":false,"hostname":""}` | irs configuration | | backend.logging.level.root | string | `"INFO"` | general logging level | | backend.logging.level.utils | string | `"INFO"` | logging for the util components | | backend.maxRetries | int | `5` | max retries for the backend services | +| backend.passport.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | configuration for policies to filter in the digital product pass asset negotiation | +| backend.passport.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | +| backend.passport.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | +| backend.passport.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value | | backend.podSecurityContext | object | `{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | | backend.podSecurityContext.fsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid | | backend.podSecurityContext.runAsGroup | int | `3000` | Processes within a pod will belong to this guid | @@ -69,6 +77,7 @@ helm install digital-product-pass tractusx/digital-product-pass | backend.securityContext.runAsUser | int | `1000` | The container's process will run with the specified uid | | backend.serverPort | int | `8888` | configuration of the spring boot server | | backend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service | +| backend.singleApi | object | `{"delay":1000,"maxRetries":30}` | configuration to the single API endpoint | | backend.volumeMounts | list | `[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}]` | specifies the volume mounts for the backend deployment | | backend.volumeMounts[0] | object | `{"mountPath":"/app/config","name":"backend-config"}` | mounted path for the backend configuration added in the config maps | | backend.volumeMounts[1] | object | `{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"}` | contains the location for the process data directory | @@ -85,7 +94,7 @@ helm install digital-product-pass tractusx/digital-product-pass | frontend.api.max_retries | int | `30` | max retries for getting status | | frontend.api.timeout | object | `{"decline":20000,"negotiate":60000,"search":60000}` | default timeout - 90 seconds in milliseconds | | frontend.backend | object | `{"hostname":""}` | url of the digital product pass backend service | -| frontend.image.pullPolicy | string | `"Always"` | | +| frontend.image.pullPolicy | string | `"IfNotPresent"` | | | frontend.image.repository | string | `"docker.io/tractusx/digital-product-pass-frontend"` | | | frontend.imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | | frontend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[]}` | ingress declaration to expose the dpp-frontend service | @@ -116,7 +125,8 @@ helm install digital-product-pass tractusx/digital-product-pass | nameOverride | string | `""` | | | namespace | string | `""` | | | nodeSelector | object | `{}` | | -| oauth | object | `{"appId":"","bpnCheck":{"bpn":"","enabled":false},"hostname":"","onLoad":"login-required","realm":"","roleCheck":{"enabled":false},"techUser":{"clientId":"","clientSecret":""}}` | oauth configuration | +| oauth | object | `{"apiKey":{"header":"X-Api-Key","secret":""},"appId":"","bpnCheck":{"bpn":"","enabled":false},"hostname":"","onLoad":"login-required","realm":"","roleCheck":{"enabled":false},"techUser":{"clientId":"","clientSecret":""}}` | oauth configuration | +| oauth.apiKey | object | `{"header":"X-Api-Key","secret":""}` | to authenticate against single API | | oauth.bpnCheck | object | `{"bpn":"","enabled":false}` | configure here the bpn check for the application | | oauth.bpnCheck.bpn | string | `""` | this bpn needs to be included in the user login information when the check is enabled | | oauth.hostname | string | `""` | url of the identity provider service | diff --git a/dpp-backend/charts/digital-product-pass-backend/Chart.yaml b/dpp-backend/charts/digital-product-pass-backend/Chart.yaml index 0dcf2ea44..0ad058ea2 100644 --- a/dpp-backend/charts/digital-product-pass-backend/Chart.yaml +++ b/dpp-backend/charts/digital-product-pass-backend/Chart.yaml @@ -42,10 +42,10 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.3.0 +version: 3.0.0-rc1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "2.3.0" +appVersion: "3.0.0-rc1" diff --git a/dpp-backend/charts/digital-product-pass-backend/README.md b/dpp-backend/charts/digital-product-pass-backend/README.md index 779437aeb..51023d7e6 100644 --- a/dpp-backend/charts/digital-product-pass-backend/README.md +++ b/dpp-backend/charts/digital-product-pass-backend/README.md @@ -1,6 +1,6 @@ # digital-product-pass-backend -![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square) +![Version: 3.0.0-rc1](https://img.shields.io/badge/Version-3.0.0--rc1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-rc1](https://img.shields.io/badge/AppVersion-3.0.0--rc1-informational?style=flat-square) A Helm chart for Tractus-X Digital Product Pass Backend Kubernetes @@ -61,29 +61,36 @@ localhost:8888/health | digitalTwinRegistry.endpoints.digitalTwin | string | `"/shell-descriptors"` | | | digitalTwinRegistry.endpoints.search | string | `"/lookup/shells"` | | | digitalTwinRegistry.endpoints.subModel | string | `"/submodel-descriptors"` | | +| digitalTwinRegistry.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | policy configuration for the digital twin assets in the edc catalog | +| digitalTwinRegistry.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | +| digitalTwinRegistry.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | +| digitalTwinRegistry.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value | | digitalTwinRegistry.temporaryStorage | object | `{"enabled":true,"lifetime":12}` | temporary storage of dDTRs for optimization | -| digitalTwinRegistry.timeouts | object | `{"digitalTwin":20,"negotiation":40,"search":50,"transfer":10}` | timeouts for the digital twin registry async negotiation | +| digitalTwinRegistry.timeouts | object | `{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}` | timeouts for the digital twin registry async negotiation | | discovery | object | `{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""}` | discovery configuration | | discovery.bpnDiscovery | object | `{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"}` | bpn discovery configuration | | discovery.edcDiscovery | object | `{"key":"bpn"}` | edc discovery configuration | | discovery.hostname | string | `""` | discovery finder configuration | -| edc | object | `{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","transfer":"/transferprocesses"},"delay":100,"endpoint":"","participantId":"","xApiKey":""}` | in this section we configure the values that are inserted as secrets in the backend | -| edc.endpoint | string | `""` | edc consumer connection configuration | +| edc | object | `{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"","xApiKey":""}` | in this section we configure the values that are inserted as secrets in the backend | +| edc.hostname | string | `""` | edc consumer connection configuration | | edc.participantId | string | `""` | BPN Number | | edc.xApiKey | string | `""` | the secret for assesing the edc management API | -| hostname | string | `"localhost"` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) | -| image.pullPolicy | string | `"Always"` | | +| fullnameOverride | string | `""` | | +| hostname | string | `""` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) | +| image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"docker.io/tractusx/digital-product-pass-backend"` | | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| ingress | object | `{"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service | +| ingress | object | `{"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service | | irs | object | `{"enabled":false,"hostname":""}` | irs configuration | | logging.level.root | string | `"INFO"` | general logging level | | logging.level.utils | string | `"INFO"` | logging for the util components | | maxRetries | int | `5` | max retries for the backend services | | name | string | `"dpp-backend"` | | +| nameOverride | string | `""` | | | namespace | string | `""` | | | nodeSelector | object | `{}` | | -| oauth | object | `{"appId":"","bpnCheck":{"bpn":"","enabled":false},"hostname":"","onLoad":"login-required","realm":"","roleCheck":{"enabled":false},"techUser":{"clientId":"","clientSecret":""}}` | oauth configuration | +| oauth | object | `{"apiKey":{"header":"X-Api-Key","secret":""},"appId":"","bpnCheck":{"bpn":"","enabled":false},"hostname":"","onLoad":"login-required","realm":"","roleCheck":{"enabled":false},"techUser":{"clientId":"","clientSecret":""}}` | oauth configuration | +| oauth.apiKey | object | `{"header":"X-Api-Key","secret":""}` | to authenticate against single API | | oauth.bpnCheck | object | `{"bpn":"","enabled":false}` | configure here the bpn check for the application | | oauth.bpnCheck.bpn | string | `""` | this bpn needs to be included in the user login information when the check is enabled | | oauth.hostname | string | `""` | url of the identity provider service | @@ -93,9 +100,16 @@ localhost:8888/health | passport.aspects[1] | string | `"urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass"` | | | passport.aspects[2] | string | `"urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"` | | | passport.aspects[3] | string | `"urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"` | | +| passport.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | configuration for policies to filter in the digital product pass asset negotiation | +| passport.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | +| passport.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | +| passport.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value | | podAnnotations | object | `{}` | | -| podSecurityContext.fsGroup | int | `3000` | | -| podSecurityContext.runAsUser | int | `1000` | | +| podSecurityContext | object | `{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| podSecurityContext.fsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid | +| podSecurityContext.runAsGroup | int | `3000` | Processes within a pod will belong to this guid | +| podSecurityContext.runAsUser | int | `1000` | Runs all processes within a pod with a special uid | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | | process | object | `{"encryptionKey":""}` | digital twin registry configuration | | process.encryptionKey | string | `""` | unique sha512 hash key used for the passport encryption | | replicaCount | int | `1` | | @@ -104,18 +118,32 @@ localhost:8888/health | resources.requests.cpu | string | `"250m"` | | | resources.requests.memory | string | `"512Mi"` | | | securityCheck | object | `{"bpn":false,"edc":false}` | security configuration | -| securityContext.allowPrivilegeEscalation | bool | `false` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| securityContext.runAsGroup | int | `3000` | | -| securityContext.runAsNonRoot | bool | `true` | | -| securityContext.runAsUser | int | `1000` | | +| securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | +| securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | +| securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | +| securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | +| securityContext.runAsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid | +| securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | +| securityContext.runAsUser | int | `1000` | The container's process will run with the specified uid | | serverPort | int | `8888` | configuration of the spring boot server | | service.port | int | `8888` | | | service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | +| single-api | object | `{"delay":1000,"maxRetries":30}` | configuration to the single API endpoint | | tolerations | list | `[]` | | +| volumeMounts | list | `[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}]` | specifies the volume mounts for the backend deployment | +| volumeMounts[0] | object | `{"mountPath":"/app/config","name":"backend-config"}` | mounted path for the backend configuration added in the config maps | +| volumeMounts[1] | object | `{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"}` | contains the location for the process data directory | +| volumeMounts[2] | object | `{"mountPath":"/app/log","name":"tmpfs","subPath":"log"}` | contains the log directory uses by the backend | +| volumeMounts[3] | object | `{"mountPath":"/tmp","name":"tmpfs"}` | container tmp directory | +| volumeMounts[4] | object | `{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"}` | contains the vault configuration for the backend | +| volumeMounts[5] | object | `{"mountPath":"/app/tmp","name":"tmpfs"}` | contains the temporary directory used by the backend | +| volumes | list | `[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]` | volume claims for the containers | +| volumes[0] | object | `{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"}` | persist the backend configuration | +| volumes[1] | object | `{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}}` | persist the backend data directories | +| volumes[2] | object | `{"emptyDir":{},"name":"tmpfs"}` | temporary file system mount | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/dpp-frontend/package-lock.json b/dpp-frontend/package-lock.json index fb1ba1026..e0e5c78da 100644 --- a/dpp-frontend/package-lock.json +++ b/dpp-frontend/package-lock.json @@ -1,12 +1,12 @@ { "name": "digital-product-pass-frontend", - "version": "2.3.0", + "version": "3.0.0-rc1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "digital-product-pass-frontend", - "version": "2.3.0", + "version": "3.0.0-rc1", "dependencies": { "@mdi/font": "5.9.55", "@popperjs/core": "^2.11.2", diff --git a/dpp-frontend/package.json b/dpp-frontend/package.json index b4875803e..fbba6f587 100644 --- a/dpp-frontend/package.json +++ b/dpp-frontend/package.json @@ -1,6 +1,6 @@ { "name": "digital-product-pass-frontend", - "version": "2.3.0", + "version": "3.0.0-rc1", "private": true, "scripts": { "serve": "vite --host localhost", From 7fc5bb90b2470890faeedba56e5334d93a4e2ea7 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 13 May 2024 20:27:00 +0200 Subject: [PATCH 3/4] chore(changelog): updated changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98ad3e122..433974fce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,6 +46,7 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e - Updated EDR structure - Added `lombok` dependency to speed the development - Added security assessment documentation +- Added Digital Product Pass Verification Concept initial documentation ### Updated @@ -78,6 +79,8 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e ## Issues Fixed - Fixed issue with multiple contract and policies parsing - Optimized data sovereignty checks removing spotted bugs +- Fixed issue when policy is selected in the frontend +- Fixed issue when backend is not available in the fronted ## [released] From 42cf05ce0611280d9906b6d622115bb9619abd39 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 13 May 2024 20:28:36 +0200 Subject: [PATCH 4/4] chore(readme): updated main readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5202ebcca..089206108 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ In particular, the appliction is used to access the battery passport data provid ### Software Version #### Helm Chart Version -
2.3.0
+
3.0.0-rc1
#### Application Version -
v2.3.0
+
v3.0.0-rc1