Release/v3.0.0 update helm version

CHANGELOG.md

@@ -29,6 +29,57 @@ The changelog format is based on [Keep a Changelog](https://keepachangelog.com/e
 
 ## [Unreleased]
 
+
+## [released]
+## [v3.0.0-rc1] - 13-05-2024
+### Added
+- Added security assessment report in /docs for the threat modeling
+- Added SingleApiRequest class for the requested data for the single API.
+- Added SingleApiConfig class to had configurations related to the single API.
+- Added Policy Check configuration in helm charts
+- EDC Util methods for asserting the policy configuration against the actual constraints
+- Methods for parsing the policy contraints
+- Unit tests for testing the policy evaluation feature
+- Policy configuration guide added
+- EDC v0.7.0 models
+- Optimization in the catalog query using `bpn`
+- Updated EDR structure
+- Added `lombok` dependency to speed the development
+- Added security assessment documentation
+
+
+### Updated
+- Updated postman collection and tested end-to-end data exchange journey with EDC v0.7.0
+- Updated policy in testdata file
+- Updated and renamed the following readme files in /docs
+    - docs/admin guide/ -> docs/admin/
+    - docs/arch42/ -> docs/architecture/
+    - docs/userManual/ -> docs/user/
+    - docs/infrastcuture as code/ -> docs/security/infrastructure-as-code/
+    - docs/secrets management/SECRET_MANAGEMENT.md -> docs/security/secrets-management/SecretsManagement.md
+    - docs/data retrieval guide/data-retrieval -> docs/data-retrieval/README.md
+    - docs/business statement/ -> docs/interoperability/Interoperability.md
+- Updated all relevant references from the above files
+- Updated dpp helm values
+- Updated ApiController with the singleApi POST method.
+- Updated ContractController by creating call methods (create, search, agree and status) without the authentication step to call in the Single API.
+- Updated AuthenticationService by adding the isSingleApiAuthenticated method to authenticate the single API key.
+- Updated application.yaml with the single api configurations.
+- Updated deployment-backend.yaml with the oauth.apiKey.
+- Updated values-int/beta/dev.yaml files with the oauth.apiKey.
+- Updated spring boot to version `v3.2.5` from `v3.2.4`
+- Updated EDR structure to match new EDC 0.7.0 one
+
+
+## Deleted
+- Deleted values-dev.yaml and values-beta.yaml from helm charts
+
+
+## Issues Fixed
+- Fixed issue with multiple contract and policies parsing
+- Optimized data sovereignty checks removing spotted bugs
+
+
 ## [released]
 ## [v2.3.0] - 06-05-2024
 ### Added

charts/digital-product-pass/Chart.yaml

@@ -42,10 +42,10 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 2.3.3
+version: 3.0.0-rc1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.3.0"
+appVersion: "3.0.0-rc1"

charts/digital-product-pass/README.md

@@ -1,6 +1,6 @@
 # digital-product-pass
 
-![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.0](https://img.shields.io/badge/AppVersion-2.3.0-informational?style=flat-square)
+![Version: 3.0.0-rc1](https://img.shields.io/badge/Version-3.0.0--rc1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-rc1](https://img.shields.io/badge/AppVersion-3.0.0--rc1-informational?style=flat-square)
 
 A Helm chart for Tractus-X Digital Product Pass Kubernetes
 
@@ -31,7 +31,11 @@ helm install digital-product-pass tractusx/digital-product-pass
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"<Add participant id here>","xApiKey":"<Add API key here>"},"hostname":"localhost","image":{"pullPolicy":"Always","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"]},"podSecurityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":1000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration |
+| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"<Add participant id here>","xApiKey":"<Add API key here>"},"hostname":"","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport"],"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}},"podSecurityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":1000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"singleApi":{"delay":1000,"maxRetries":30},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration |
+| backend.digitalTwinRegistry.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | policy configuration for the digital twin assets in the edc catalog |
+| backend.digitalTwinRegistry.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check |
+| backend.digitalTwinRegistry.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations |
+| backend.digitalTwinRegistry.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value |
 | backend.digitalTwinRegistry.temporaryStorage | object | `{"enabled":true,"lifetime":12}` | temporary storage of dDTRs for optimization |
 | backend.digitalTwinRegistry.temporaryStorage.lifetime | int | `12` | lifetime of the temporaryStorage in hours |
 | backend.digitalTwinRegistry.timeouts | object | `{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}` | timeouts for the digital twin registry async negotiation |
@@ -44,14 +48,18 @@ helm install digital-product-pass tractusx/digital-product-pass
 | backend.edc.hostname | string | `""` | edc consumer connection configuration |
 | backend.edc.participantId | string | `"<Add participant id here>"` | BPN Number |
 | backend.edc.xApiKey | string | `"<Add API key here>"` | the secret for assesing the edc management API |
-| backend.hostname | string | `"localhost"` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) |
+| backend.hostname | string | `""` | backend hostname (without protocol prefix [DEFAULT HTTPS] for security ) |
 | backend.imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
-| backend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service |
+| backend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]}` | ingress declaration to expose the dpp-backend service |
 | backend.ingress.annotations.ingressClassName | string | `"nginx"` | ingress class name |
 | backend.irs | object | `{"enabled":false,"hostname":""}` | irs configuration |
 | backend.logging.level.root | string | `"INFO"` | general logging level |
 | backend.logging.level.utils | string | `"INFO"` | logging for the util components |
 | backend.maxRetries | int | `5` | max retries for the backend services |
+| backend.passport.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | configuration for policies to filter in the digital product pass asset negotiation |
+| backend.passport.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check |
+| backend.passport.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"circulareconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations |
+| backend.passport.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value |
 | backend.podSecurityContext | object | `{"fsGroup":3000,"runAsGroup":3000,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment |
 | backend.podSecurityContext.fsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid |
 | backend.podSecurityContext.runAsGroup | int | `3000` | Processes within a pod will belong to this guid |
@@ -69,6 +77,7 @@ helm install digital-product-pass tractusx/digital-product-pass
 | backend.securityContext.runAsUser | int | `1000` | The container's process will run with the specified uid |
 | backend.serverPort | int | `8888` | configuration of the spring boot server |
 | backend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service |
+| backend.singleApi | object | `{"delay":1000,"maxRetries":30}` | configuration to the single API endpoint |
 | backend.volumeMounts | list | `[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}]` | specifies the volume mounts for the backend deployment |
 | backend.volumeMounts[0] | object | `{"mountPath":"/app/config","name":"backend-config"}` | mounted path for the backend configuration added in the config maps |
 | backend.volumeMounts[1] | object | `{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"}` | contains the location for the process data directory |
@@ -85,7 +94,7 @@ helm install digital-product-pass tractusx/digital-product-pass
 | frontend.api.max_retries | int | `30` | max retries for getting status |
 | frontend.api.timeout | object | `{"decline":20000,"negotiate":60000,"search":60000}` | default timeout  - 90 seconds in milliseconds |
 | frontend.backend | object | `{"hostname":""}` | url of the digital product pass backend service |
-| frontend.image.pullPolicy | string | `"Always"` |  |
+| frontend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | frontend.image.repository | string | `"docker.io/tractusx/digital-product-pass-frontend"` |  |
 | frontend.imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
 | frontend.ingress | object | `{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[]}` | ingress declaration to expose the dpp-frontend service |
@@ -116,7 +125,8 @@ helm install digital-product-pass tractusx/digital-product-pass
 | nameOverride | string | `""` |  |
 | namespace | string | `""` |  |
 | nodeSelector | object | `{}` |  |
-| oauth | object | `{"appId":"<app-id>","bpnCheck":{"bpn":"<Add participant id here>","enabled":false},"hostname":"","onLoad":"login-required","realm":"<realm>","roleCheck":{"enabled":false},"techUser":{"clientId":"<Add client id here>","clientSecret":"<Add client secret here>"}}` | oauth configuration |
+| oauth | object | `{"apiKey":{"header":"X-Api-Key","secret":"<api-key>"},"appId":"<app-id>","bpnCheck":{"bpn":"<Add participant id here>","enabled":false},"hostname":"","onLoad":"login-required","realm":"<realm>","roleCheck":{"enabled":false},"techUser":{"clientId":"<Add client id here>","clientSecret":"<Add client secret here>"}}` | oauth configuration |
+| oauth.apiKey | object | `{"header":"X-Api-Key","secret":"<api-key>"}` | to authenticate against single API |
 | oauth.bpnCheck | object | `{"bpn":"<Add participant id here>","enabled":false}` | configure here the bpn check for the application |
 | oauth.bpnCheck.bpn | string | `"<Add participant id here>"` | this bpn needs to be included in the user login information when the check is enabled |
 | oauth.hostname | string | `""` | url of the identity provider service |