feat: add delegated auth + tests

Author: paullatzelsperger

.github/workflows/deployment-test.yaml

@@ -86,7 +86,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - uses: ./.github/actions/run-deployment-test
-        name: "Run deployment test using KinD and Helm"
+        name: "Run deployment test using KinD and Helm - tokenbased auth"
         with:
           imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault"
           rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault"
@@ -101,8 +101,40 @@ jobs:
             kubectl rollout status deployment tx-prod-controlplane
             kubectl rollout status deployment tx-prod-dataplane
 
-            # execute the helm test
-            helm test tx-prod
+            # execute the helm test using token based auth in the Management API
+            helm test tx-prod --filter name=controlplane-with-token-auth-test
+
+      - uses: ./.github/actions/run-deployment-test
+        name: "Run deployment test using KinD and Helm - delegated auth"
+        with:
+          imagename: "edc-controlplane-postgresql-hashicorp-vault edc-dataplane-hashicorp-vault"
+          rootDir: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault edc-dataplane/edc-dataplane-hashicorp-vault"
+          k8sversion: ${{ matrix.k8s-version }}
+          helm_command: |-
+            helm install tx-prod charts/tractusx-connector \
+            -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml \
+            --set controlplane.endpoints.management.jwksUrl="http://foo-bar.com/.well-known/jwks.json" \
+            --dependency-update \
+            --wait-for-jobs --timeout=120s    
+
+            # wait for the pod to become ready
+            kubectl rollout status deployment tx-prod-controlplane
+            kubectl rollout status deployment tx-prod-dataplane
+
+            kubectl port-forward service/tx-prod-controlplane 8081:8081 &
+
+            code=$(curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer sdfasdfasdf" -d '{
+                    "@context": {
+                        "tx": "https://w3id.org/tractusx/v0.0.1/ns/"
+                    },
+                    "@id": "tx:BPN000001234",
+                    "tx:groups": ["group1", "group2", "group3"]
+                }' --silent -o /dev/null -w '%{http_code}' http://localhost:8081/management/v3/business-partner-groups)
+            
+            if [[ $code -ne 401 ]]; then
+              echo "Expected a HTTP 401, got $code"
+              exit 1;
+            fi
 
   test-azure-vault-postgres:
     runs-on: ubuntu-latest

charts/tractusx-connector/templates/deployment-controlplane.yaml

@@ -152,8 +152,14 @@ spec:
             #######
             # API #
             #######
+            {{- if .Values.controlplane.endpoints.management.jwksUrl }}
+            - name: "EDC_API_AUTH_DAC_KEY_URL"
+              value: {{ .Values.controlplane.endpoints.management.jwksUrl | quote}}
+            {{- else }}
             - name: "EDC_API_AUTH_KEY"
               value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }}
+            {{- end }}
+
             - name: "WEB_HTTP_DEFAULT_PORT"
               value: {{ .Values.controlplane.endpoints.default.port | quote }}
             - name: "WEB_HTTP_DEFAULT_PATH"

charts/tractusx-connector/templates/tests/test-controlplane.yaml renamed to charts/tractusx-connector/templates/tests/controlplane-with-token-auth.yaml

@@ -21,7 +21,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{include "txdc.fullname" .}}-test-controlplane"
+  name: "controlplane-with-token-auth-test"
   labels:
     {{- include "txdc.controlplane.labels" . | nindent 4 }}
   annotations:

charts/tractusx-connector/values.yaml

@@ -124,6 +124,10 @@ controlplane:
       path: /management
       # -- authentication key, must be attached to each request as `X-Api-Key` header
       authKey: "password"
+
+      # -- if the JWKS url is set, the DelegatedAuth service will be engaged
+      jwksUrl:
+
     # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
     control:
       # -- port for incoming api calls

edc-controlplane/edc-controlplane-base/build.gradle.kts

@@ -57,6 +57,7 @@ dependencies {
     runtimeOnly(libs.edc.core.policy.monitor)
     runtimeOnly(libs.edc.config.filesystem)
     runtimeOnly(libs.edc.auth.tokenbased)
+    runtimeOnly(libs.edc.auth.delegated)
     runtimeOnly(libs.edc.auth.configuration)
     runtimeOnly(libs.edc.validator.data.address.http.data)
     runtimeOnly(libs.edc.aws.validator.data.address.s3)

gradle/libs.versions.toml

@@ -82,6 +82,7 @@ edc-api-controlplane = { module = "org.eclipse.edc:control-plane-api", version.r
 edc-dsp = { module = "org.eclipse.edc:dsp", version.ref = "edc" }
 edc-iam-mock = { module = "org.eclipse.edc:iam-mock", version.ref = "edc" }
 edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }
+edc-auth-delegated = { module = "org.eclipse.edc:auth-delegated", version.ref = "edc" }
 edc-auth-oauth2-client = { module = "org.eclipse.edc:oauth2-client", version.ref = "edc" }
 edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }
 edc-transaction-local = { module = "org.eclipse.edc:transaction-local", version.ref = "edc" }

samples/multi-tenancy/build.gradle.kts

@@ -47,7 +47,7 @@ application {
 
 tasks.withType<com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar> {
     mergeServiceFiles()
-    archiveFileName.set("multitenant.jar")
+    archiveFileName.set("multi-tenancy.jar")
 }
 
 // do not publish