feat: secure FC query API with token based auth (#1471)

* feat: secure FC query API with token based auth

* chore: deps file

* feat: secure FC api in tests

Author: wolf4ood

DEPENDENCIES

@@ -356,6 +356,7 @@ maven/mavencentral/org.eclipse.edc/asset-api/0.8.1, Apache-2.0, approved, techno
 maven/mavencentral/org.eclipse.edc/asset-index-sql/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.8.1-SNAPSHOT, Apache-2.0, approved, technology.edc
+maven/mavencentral/org.eclipse.edc/auth-configuration/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-spi/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-tokenbased/0.8.1, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/autodoc-processor/0.8.1, Apache-2.0, approved, technology.edc

charts/tractusx-connector-azure-vault/README.md

@@ -83,7 +83,8 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
 | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |

charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml

@@ -176,6 +176,10 @@ spec:
               value: {{ .Values.controlplane.endpoints.catalog.port | quote }}
             - name: "WEB_HTTP_CATALOG_PATH"
               value: {{ .Values.controlplane.endpoints.catalog.path | quote }}
+            - name: "WEB_HTTP_CATALOG_AUTH_TYPE"
+              value: "tokenbased"
+            - name: "WEB_HTTP_CATALOG_AUTH_KEY"
+              value: {{ .Values.controlplane.endpoints.catalog.authKey | required ".Values.controlplane.endpoints.catalog.authKey is required" | quote }}
 
 
             #########

charts/tractusx-connector-azure-vault/values.yaml

@@ -146,6 +146,8 @@ controlplane:
       port: 8085
       # -- path for incoming catalog cache query requests
       path: /catalog
+      # -- authentication key, must be attached to each request as `X-Api-Key` header
+      authKey: "password"
 
   bdrs:
     # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min)

charts/tractusx-connector-memory/README.md

@@ -83,7 +83,8 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.8.0-r
 | runtime.debug.enabled | bool | `false` | Enables java debugging mode. |
 | runtime.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | runtime.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| runtime.endpoints | object | `{"catalog":{"path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
+| runtime.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane |
+| runtime.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | runtime.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | runtime.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
 | runtime.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |

charts/tractusx-connector-memory/templates/deployment-runtime.yaml

@@ -191,6 +191,10 @@ spec:
               value: {{ .Values.runtime.endpoints.catalog.port | quote }}
             - name: "WEB_HTTP_CATALOG_PATH"
               value: {{ .Values.runtime.endpoints.catalog.path | quote }}
+            - name: "WEB_HTTP_CATALOG_AUTH_TYPE"
+              value: "tokenbased"
+            - name: "WEB_HTTP_CATALOG_AUTH_KEY"
+              value: {{ .Values.runtime.endpoints.catalog.authKey | required ".Values.runtime.endpoints.catalog.authKey is required" | quote }}
 
             #########
             ## DSP ##

charts/tractusx-connector-memory/values.yaml

@@ -149,6 +149,8 @@ runtime:
       port: 8085
       # -- path for incoming catalog cache query requests
       path: /catalog
+      # -- authentication key, must be attached to each request as `X-Api-Key` header
+      authKey: "password"
 
   token:
     refresh:

charts/tractusx-connector/README.md

@@ -80,7 +80,8 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.8.0-rc1 \
 | controlplane.debug.enabled | bool | `false` | Enables java debugging mode. |
 | controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. |
 | controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. |
-| controlplane.endpoints | object | `{"catalog":{"path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints | object | `{"catalog":{"authKey":"password","path":"/catalog","port":8085},"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane |
+| controlplane.endpoints.catalog.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header |
 | controlplane.endpoints.catalog.path | string | `"/catalog"` | path for incoming catalog cache query requests |
 | controlplane.endpoints.catalog.port | int | `8085` | port for incoming catalog cache query requests |
 | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not |

charts/tractusx-connector/templates/deployment-controlplane.yaml

@@ -176,6 +176,11 @@ spec:
               value: {{ .Values.controlplane.endpoints.catalog.port | quote }}
             - name: "WEB_HTTP_CATALOG_PATH"
               value: {{ .Values.controlplane.endpoints.catalog.path | quote }}
+            - name: "WEB_HTTP_CATALOG_AUTH_TYPE"
+              value: "tokenbased"
+            - name: "WEB_HTTP_CATALOG_AUTH_KEY"
+              value: {{ .Values.controlplane.endpoints.catalog.authKey | required ".Values.controlplane.endpoints.catalog.authKey is required" | quote }}
+
 
             #########
             ## DSP ##

charts/tractusx-connector/values.yaml

@@ -147,6 +147,8 @@ controlplane:
       port: 8085
       # -- path for incoming catalog cache query requests
       path: /catalog
+      # -- authentication key, must be attached to each request as `X-Api-Key` header
+      authKey: "password"
 
   bdrs:
     # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min)

edc-controlplane/edc-controlplane-base/build.gradle.kts

@@ -57,6 +57,7 @@ dependencies {
     runtimeOnly(libs.edc.core.policy.monitor)
     runtimeOnly(libs.edc.config.filesystem)
     runtimeOnly(libs.edc.auth.tokenbased)
+    runtimeOnly(libs.edc.auth.configuration)
     runtimeOnly(libs.edc.validator.data.address.http.data)
     runtimeOnly(libs.edc.aws.validator.data.address.s3)
     runtimeOnly(libs.edc.data.plane.selector.control.api)

edc-tests/edc-controlplane/fixtures/src/testFixtures/java/org/eclipse/tractusx/edc/tests/participant/TractusxParticipantBase.java

@@ -95,6 +95,8 @@ public Map<String, String> getConfiguration() {
                 put("web.http.control.path", controlPlaneControl.getPath());
                 put("web.http.catalog.port", String.valueOf(federatedCatalog.getUrl().getPort()));
                 put("web.http.catalog.path", federatedCatalog.getUrl().getPath());
+                put("web.http.catalog.auth.type", "tokenbased");
+                put("web.http.catalog.auth.key", MANAGEMENT_API_KEY);
                 put("edc.dsp.callback.address", protocolEndpoint.getUrl().toString());
                 put("edc.api.auth.key", MANAGEMENT_API_KEY);
                 put("web.http.public.path", "/api/public");

gradle/libs.versions.toml

@@ -83,6 +83,7 @@ edc-dsp = { module = "org.eclipse.edc:dsp", version.ref = "edc" }
 edc-iam-mock = { module = "org.eclipse.edc:iam-mock", version.ref = "edc" }
 edc-auth-tokenbased = { module = "org.eclipse.edc:auth-tokenbased", version.ref = "edc" }
 edc-auth-oauth2-client = { module = "org.eclipse.edc:oauth2-client", version.ref = "edc" }
+edc-auth-configuration = { module = "org.eclipse.edc:auth-configuration", version.ref = "edc" }
 edc-transaction-local = { module = "org.eclipse.edc:transaction-local", version.ref = "edc" }
 edc-ext-http = { module = "org.eclipse.edc:http", version.ref = "edc" }
 edc-ext-azure-cosmos-core = { module = "org.eclipse.edc:azure-cosmos-core", version.ref = "edc" }