Implement RBAC-based authorization for Submodel Service (eclipse-basyx#682)

* Implement RBAC-based authorization for Submodel Service

This commit introduces support for rule-based (RBAC) authorization in the Submodel Service component, following the mechanism used in other parts of the BaSyx stack.

Key aspects:
- New module: basyx.submodelservice-feature-authorization
- Integration of Spring Security to evaluate access control using rbac_rule expressions
- Fine-grained access evaluation per submodel element (e.g., operations)
- Shared classes moved from Submodel Repository to Submodel Service for better reuse and separation
- Integration tests added to validate authorization behavior
- Example script (run-security-test.sh) included to demonstrate secured API usage with Keycloak

See also:
- Issue eclipse-basyx#505
- Design considerations in Issue eclipse-basyx#674

* Reset keycloak version

* Fix missing modules

* Add section to Readme.md

* Remove sm events test

events are fired before test start / sometimes on teststart. could be problematic for tests and break the ci process

* Update Readme.md

* Rename to submodelservice

* Remove decoration for submodelservice with id

* Update copyright year in header

* Update version in copyright header

Author: geso02

basyx.aasenvironment/basyx.aasenvironment-feature-authorization/pom.xml

@@ -63,6 +63,10 @@
 			<groupId>org.eclipse.digitaltwin.basyx</groupId>
 			<artifactId>basyx.aasenvironment-http</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-feature-authorization</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.eclipse.digitaltwin.basyx</groupId>
 			<artifactId>basyx.aasenvironment-http</artifactId>

basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/rbac/backend/submodel/AasEnvironmentTargetInformationAdapter.java

@@ -44,8 +44,8 @@
 import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.feature.authorization.ConceptDescriptionTargetInformation;
 import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.feature.authorization.rbac.backend.submodel.CDTargetInformationAdapter;
 import org.eclipse.digitaltwin.basyx.core.exceptions.InvalidTargetInformationException;
-import org.eclipse.digitaltwin.basyx.submodelrepository.feature.authorization.SubmodelTargetInformation;
-import org.eclipse.digitaltwin.basyx.submodelrepository.feature.authorization.rbac.backend.submodel.SubmodelTargetInformationAdapter;
+import org.eclipse.digitaltwin.basyx.submodelservice.feature.authorization.SubmodelTargetInformation;
+import org.eclipse.digitaltwin.basyx.submodelservice.feature.authorization.rbac.backend.submodel.SubmodelTargetInformationAdapter;
 
 /**
  * An implementation of the {@link TargetInformationAdapter} to adapt with Aas

basyx.submodelrepository/basyx.submodelrepository-feature-authorization/pom.xml

@@ -3,7 +3,7 @@
 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
-	<parent>
+	<parent> 
 		<groupId>org.eclipse.digitaltwin.basyx</groupId>
 		<artifactId>basyx.submodelrepository</artifactId>
 		<version>${revision}</version>
@@ -86,6 +86,10 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-feature-authorization</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.httpcomponents.client5</groupId>
 			<artifactId>httpclient5</artifactId>

basyx.submodelrepository/basyx.submodelrepository-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/feature/authorization/AuthorizedSubmodelRepository.java

@@ -49,6 +49,7 @@
 import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo;
 import org.eclipse.digitaltwin.basyx.core.pagination.PaginationSupport;
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository;
+import org.eclipse.digitaltwin.basyx.submodelservice.feature.authorization.SubmodelTargetInformation;
 import org.eclipse.digitaltwin.basyx.submodelservice.value.SubmodelElementValue;
 import org.eclipse.digitaltwin.basyx.submodelservice.value.SubmodelValueOnly;
 import org.slf4j.Logger;

basyx.submodelrepository/basyx.submodelrepository-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/feature/authorization/AuthorizedSubmodelRepositoryFactory.java

@@ -28,6 +28,7 @@
 import org.eclipse.digitaltwin.basyx.authorization.rbac.RbacPermissionResolver;
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository;
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepositoryFactory;
+import org.eclipse.digitaltwin.basyx.submodelservice.feature.authorization.SubmodelTargetInformation;
 
 /**
  * Factory for creating {@link AuthorizedSubmodelRepository}

basyx.submodelrepository/basyx.submodelrepository-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/feature/authorization/AuthorizedSubmodelRepositoryFeature.java

@@ -30,6 +30,7 @@
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository;
 import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepositoryFactory;
 import org.eclipse.digitaltwin.basyx.submodelrepository.feature.SubmodelRepositoryFeature;
+import org.eclipse.digitaltwin.basyx.submodelservice.feature.authorization.SubmodelTargetInformation;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;

basyx.submodelservice/basyx.submodelservice-feature-authorization/Readme.md

@@ -0,0 +1,109 @@
+# Submodel Service - Authorization
+This feature enables authorized access to the Submodel Service.
+
+To enable this feature, the following properties should be configured:
+
+```
+basyx.feature.authorization.enabled = true 
+basyx.feature.authorization.type = <The type of authorization to enable>
+basyx.feature.authorization.jwtBearerTokenProvider = <The Jwt token provider>
+basyx.feature.authorization.rbac.file = <Class path of the Rbac rules file if authorization type is rbac>
+spring.security.oauth2.resourceserver.jwt.issuer-uri= <URI of the resource server>
+```
+
+Note: Only Role Based Access Control (RBAC) is supported as authorization type as of now, also Keycloak is the only Jwt token provider supported now and it is also a default provider. 
+
+To know more about the RBAC, please refer [Authorization Services Guide](https://www.keycloak.org/docs/latest/authorization_services/index.html)
+To know more about the Keycloak server administration, please refer [Server Administration Guide](https://www.keycloak.org/docs/latest/server_admin/#keycloak-features-and-concepts)
+
+An example valid configuration:
+
+```
+basyx.feature.authorization.enabled = true
+basyx.feature.authorization.type = rbac
+basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+basyx.feature.authorization.rbac.file = classpath:rbac_rules.json
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://localhost:9096/realms/BaSyx
+```
+
+## RBAC rule configuration
+
+For configuring RBAC rules, all the rbac rules should be configured inside a json file, the rules are defined as below:
+
+```
+[
+  {
+    "role": "basyx-reader",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "submodel",
+      "submodelIds": "*",
+      "submodelElementIdShortPaths": "*"
+    }
+  },
+  {
+    "role": "admin",
+    "action": ["CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"],
+    "targetInformation": {
+      "@type": "submodel",
+      "submodelIds": "*",
+      "submodelElementIdShortPaths": "*"
+    }
+  },
+  {
+    "role": "basyx-reader-two",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "submodel",
+      "submodelIds": "specificSubmodelId",
+      "submodelElementIdShortPaths": "*"
+    }
+  },
+  {
+    "role": "basyx-sme-reader",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "submodel",
+      "submodelIds": ["specificSubmodelId", "testSMId1", "testSMId2"],
+      "submodelElementIdShortPaths": ["testSMEIdShortPath1","smc2.specificSubmodelElementIdShort","testSMEIdShortPath2"]
+    }
+  }
+ ]
+```
+
+The role defines which role is allowed to perform the defined actions. The role is as per the configuration of identity providers or based on the organization. Action could be CREATE, READ, UPDATE, DELETE, and EXECUTE, there could be a single action or multiple actions as a list (cf. admin configuration above).
+
+The targetInformation defines coarse-grained control over the resource, you may define the submodelIds and submodelElementIdShortPaths with a wildcard (\*), it means the defined role x with action y can access any Submodel and any SubmodelElement on the repository. You can also define a specific Submodel Identifier in place of the wildcard (\*), then the role x with action y could be performed only on that particular Submodel. Similarly, you can define a specific SubmodelElement IdShort path, then you can only access the SubmodelElement corresponding to that IdShort path. It means that the whole Submodel GET request would not be possible if the IdShort path for a specific SubmodelElement is provided, because the requestor only has access for a specific SubmodelElement.
+There could be a single submodelId/submodelElementIdShortPath or multiple submodelIds/submodelElementIdShortPaths as a list (cf. basyx-sme-reader).
+
+Note: 
+* The Action are fixed as of now and limited to (CREATE, READ, UPDATE, DELETE and EXECUTE) but later user configurable mapping of these actions would be provided.
+* Each rule should be unique in combination of role + action + target information
+
+## Action table for RBAC
+
+Below is a reference table that shows which actions are used in what endpoints of the Submodel Repository:
+
+
+| Action        | Operation| Endpoint       |
+|---------------|----------|----------------|
+| READ          | GET      | /submodel  |
+|               | GET      | /submodel/$value | 
+|               | GET      | /submodel/$metadata | 
+|               | GET      | /submodel/submodel-elements        | 
+|               | GET      | /submodel/submodel-elements/{idShortPath} | 
+|               | GET      | /submodel/submodel-elements/{idShortPath}/$value | 
+|               | GET      | /submodel/submodel-elements/{idShortPath}/attachment |
+| CREATE        | POST     | /submodel/submodel-elements        | 
+|               | POST     | /submodel/submodel-elements/{idShortPath}        | 
+| UPDATE        | PATCH    | /submodel/submodel-elements/{idShortPath}/$value |
+|               | PATCH    | /submodel/$value |
+|               | PUT      | /submodel/submodel-elements/{idShortPath} |
+|               | PUT      | /submodel/submodel-elements/{idShortPath}/attachment |
+|               | DELETE   | /submodel/submodel-elements/{idShortPath}/attachment |
+| DELETE        | DELETE   | /submodel/submodel-elements/{idShortPath} |
+| EXECUTE       | POST     | /submodel/submodel-elements/{idShortPath}/invoke |
+
+
+
+

basyx.submodelservice/basyx.submodelservice-feature-authorization/pom.xml

@@ -0,0 +1,103 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.eclipse.digitaltwin.basyx</groupId>
+		<artifactId>basyx.submodelservice</artifactId>
+		<version>${revision}</version>
+	</parent>
+
+	<artifactId>basyx.submodelservice-feature-authorization</artifactId>
+
+	<name>BaSyx submodelservice-feature-authorization</name>
+	<description>BaSyx submodelservice-feature-authorization</description>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-core</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.http</artifactId>
+			<scope>test</scope>
+			<classifier>tests</classifier>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.authorization</artifactId>
+			<scope>test</scope>
+			<classifier>tests</classifier>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.http</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.authorization</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-http</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-backend</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.submodelservice-backend-inmemory</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.authorization.rules.rbac.backend.inmemory</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.digitaltwin.basyx</groupId>
+			<artifactId>basyx.authorization.rules.rbac.backend.submodel</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.eclipse.digitaltwin.basyx</groupId>
+					<artifactId>basyx.submodelservice-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.digitaltwin.basyx</groupId>
+					<artifactId>basyx.submodelrepository-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.digitaltwin.basyx</groupId>
+					<artifactId>basyx.submodelservice-client</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.digitaltwin.basyx</groupId>
+					<artifactId>basyx.submodelrepository-client</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.httpcomponents.client5</groupId>
+			<artifactId>httpclient5</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+</project>