Merged main.

agera-edc · Aug 2, 2022 · 618f40f · 618f40f
2 parents a3ca8c6 + 508dc29
commit 618f40f
Show file tree

Hide file tree

Showing 15 changed files with 194 additions and 37 deletions.
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -34,8 +34,21 @@ jobs:
         env:
            REGISTRATION_SERVICE_VERSION: 0.0.1-SNAPSHOT
 
+      - name: 'Copy Identity Hub CLI'
+        run: |
+          mvn dependency:copy -Dartifact=org.eclipse.dataspaceconnector.identityhub:identity-hub-cli:$IDENTITY_HUB_VERSION:jar:all -DoutputDirectory=.
+          mv identity-hub-cli-$IDENTITY_HUB_VERSION-all.jar identity-hub-cli.jar
+        working-directory: system-tests/resources/cli-tools
+        env:
+          IDENTITY_HUB_VERSION: 0.0.1-SNAPSHOT
+
+      - name: 'Upgrade docker-compose (for --wait option)'
+        run: |
+          sudo curl -L https://github.com/docker/compose/releases/download/v2.6.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
+          sudo chmod +x /usr/local/bin/docker-compose
+
       - name: 'Run MVD docker-compose'
-        run: docker-compose -f system-tests/docker-compose.yml up --build --detach
+        run: docker-compose -f system-tests/docker-compose.yml up --build --wait
         timeout-minutes: 10
         env:
           REGISTRATION_SERVICE_LAUNCHER_PATH: ${{ runner.temp }}/RegistrationService/launcher

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -226,6 +226,11 @@ jobs:
       - name: 'Verify Dataspace DID endpoint is available'
         run: curl https://${{ steps.runterraform.outputs.dataspace_did_host }}/.well-known/did.json | jq '.id'
 
+      - uses: actions/upload-artifact@v3
+        with:
+          name: gaiaxkey
+          path: deployment/terraform/dataspace/gaiaxkey.pem
+
   # Deploy dataspace participants in parallel.
   Deploy-Participants:
     needs:
@@ -263,12 +268,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
+
       - uses: ./.github/actions/gradle-setup
 
       - name: 'Generate Participant key'
         uses: ./.github/actions/generate-key
         with:
-          keyFileNamePrefix: key
+          keyFileNamePrefix: participantkey
           directory: deployment/terraform/participant
 
       - name: 'Create tfvars file'
@@ -285,7 +291,7 @@ jobs:
           dashboard_image = "mvd/data-dashboard:${{ env.RESOURCES_PREFIX }}"
           application_sp_object_id = "${{ secrets.APP_OBJECT_ID }}"
           application_sp_client_id = "${{ secrets.APP_CLIENT_ID }}"
-          registration_service_api_url = "${{ needs.Deploy-Dataspace.outputs.registration_service_url }}/authority"
+          registration_service_api_url = "${{ needs.Deploy-Dataspace.outputs.registration_service_url }}"
           EOF
 
       - name: 'Az CLI login'
@@ -347,7 +353,7 @@ jobs:
           ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
 
           # Terraform variables not included in terraform.tfvars.
-          TF_VAR_public_key_jwk_file: "key.public.jwk"
+          TF_VAR_public_key_jwk_file: "participantkey.public.jwk"
           TF_VAR_application_sp_client_secret: ${{ secrets.APP_CLIENT_SECRET }}
           TF_VAR_app_insights_connection_string: ${{ needs.Deploy-Dataspace.outputs.app_insights_connection_string }}
 
@@ -359,7 +365,7 @@ jobs:
           subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 
       - name: 'Upload private key as vault secret'
-        run: az keyvault secret set --name "$CONNECTOR_NAME" --vault-name "$KEY_VAULT" --file key.pem -o none
+        run: az keyvault secret set --name "$CONNECTOR_NAME" --vault-name "$KEY_VAULT" --file participantkey.pem -o none
 
       - name: 'Upload asset storage account key as vault secret'
         run: az keyvault secret set --name "$ASSETS_STORAGE_ACCOUNT-key1" --vault-name "$KEY_VAULT" --value "$ASSETS_STORAGE_ACCOUNT_KEY" -o none
@@ -381,22 +387,48 @@ jobs:
         run: curl --retry 10 --retry-all-errors --fail http://${EDC_HOST}:8181/api/check/health
 
       - name: 'Seed data'
+        env:
+          PARTICIPANT_ID: ${{ matrix.participant }}
         run: |
           npm install -g newman
           deployment/seed-data.sh
         working-directory: .
 
+      - uses: actions/download-artifact@v3
+        with:
+          name: gaiaxkey
+          path: deployment/terraform/participant
+
+      - name: 'Push region verifiable credential'
+        run: |
+          mvn dependency:copy -Dartifact=org.eclipse.dataspaceconnector.identityhub:identity-hub-cli:$cli_version:jar:all -DoutputDirectory=.
+          
+          id=$(uuidgen)
+          
+          java -jar identity-hub-cli-$cli_version-all.jar -s=$identityHubUrl vc add \
+            -c='{"id":"'$id'","credentialSubject":{"region":"'$region'"}}' \
+            -b="did:web:$DID_HOST" \
+            -i="did:web:$issuer" \
+            -k="gaiaxkey.pem"
+          
+          java -jar identity-hub-cli-$cli_version-all.jar -s=$identityHubUrl vc list
+        env:
+          cli_version: 0.0.1-SNAPSHOT
+          region: ${{ matrix.region }}
+          issuer: ${{ needs.Deploy-Dataspace.outputs.gaiax_did_host }}
+          identityHubUrl: http://${{ env.EDC_HOST }}:8181/api/identity-hub
+
       - name: 'Register participant'
         run: |
           mvn dependency:copy -Dartifact=org.eclipse.dataspaceconnector.registrationservice:registration-service-cli:0.0.1-SNAPSHOT:jar:all -DoutputDirectory=.
           java -jar registration-service-cli-0.0.1-SNAPSHOT-all.jar \
             -s $REGISTRATION_SERVICE_API_URL \
             -d did:web:$DID_HOST \
-            -k key.pem \
+            -k participantkey.pem \
             participants add \
             --ids-url "http://${{ env.EDC_HOST }}:8282"
         env:
-          REGISTRATION_SERVICE_API_URL: ${{ needs.Deploy-Dataspace.outputs.registration_service_url }}/authority
+          REGISTRATION_SERVICE_API_URL: ${{ needs.Deploy-Dataspace.outputs.registration_service_url }}
 
   Verify:
     needs:

diff --git a/deployment/data/MVD.postman_collection.json b/deployment/data/MVD.postman_collection.json
@@ -29,7 +29,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n    \"asset\": {\n        \"properties\": {\n            \"asset:prop:name\": \"test-document\",\n            \"asset:prop:contenttype\": \"text/plain\",\n            \"asset:prop:version\": \"1.0\",\n            \"asset:prop:id\": \"test-document\",\n            \"type\": \"AzureStorage\"\n        }\n    },\n    \"dataAddress\": {\n        \"properties\": {\n            \"type\": \"AzureStorage\",\n            \"account\": \"{{storage_account}}\",\n            \"container\": \"src-container\",\n            \"blobname\": \"text-document.txt\",\n            \"keyName\": \"{{storage_account}}-key1\"\n        }\n    }\n}",
+							"raw": "{\n    \"asset\": {\n        \"properties\": {\n            \"asset:prop:name\": \"test-document_{{participant_id}}\",\n            \"asset:prop:contenttype\": \"text/plain\",\n            \"asset:prop:version\": \"1.0\",\n            \"asset:prop:id\": \"test-document_{{participant_id}}\",\n            \"type\": \"AzureStorage\"\n        }\n    },\n    \"dataAddress\": {\n        \"properties\": {\n            \"type\": \"AzureStorage\",\n            \"account\": \"{{storage_account}}\",\n            \"container\": \"src-container\",\n            \"blobname\": \"text-document.txt\",\n            \"keyName\": \"{{storage_account}}-key1\"\n        }\n    }\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -69,7 +69,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n    \"asset\": {\n        \"properties\": {\n            \"asset:prop:name\": \"test-document-2\",\n            \"asset:prop:contenttype\": \"text/plain\",\n            \"asset:prop:version\": \"1.0\",\n            \"asset:prop:id\": \"test-document-2\",\n            \"type\": \"AzureStorage\"\n        }\n    },\n    \"dataAddress\": {\n        \"properties\": {\n            \"type\": \"AzureStorage\",\n            \"account\": \"{{storage_account}}\",\n            \"container\": \"src-container\",\n            \"blobname\": \"text-document-2.txt\",\n            \"keyName\": \"{{storage_account}}-key1\"\n        }\n    }\n}",
+							"raw": "{\n    \"asset\": {\n        \"properties\": {\n            \"asset:prop:name\": \"test-document-2_{{participant_id}}\",\n            \"asset:prop:contenttype\": \"text/plain\",\n            \"asset:prop:version\": \"1.0\",\n            \"asset:prop:id\": \"test-document-2_{{participant_id}}\",\n            \"type\": \"AzureStorage\"\n        }\n    },\n    \"dataAddress\": {\n        \"properties\": {\n            \"type\": \"AzureStorage\",\n            \"account\": \"{{storage_account}}\",\n            \"container\": \"src-container\",\n            \"blobname\": \"text-document-2.txt\",\n            \"keyName\": \"{{storage_account}}-key1\"\n        }\n    }\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -109,7 +109,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n  \"uid\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n  \"policy\": {\n    \"permissions\": [\n      {\n        \"edctype\": \"dataspaceconnector:permission\",\n        \"uid\": null,\n        \"target\": \"test-document\",\n        \"action\": {\n          \"type\": \"USE\",\n          \"includedIn\": null,\n          \"constraint\": null\n        },\n        \"assignee\": null,\n        \"assigner\": null,\n        \"constraints\": [],\n        \"duties\": []\n      }\n    ],\n    \"prohibitions\": [],\n    \"obligations\": [],\n    \"extensibleProperties\": {},\n    \"inheritsFrom\": null,\n    \"assigner\": null,\n    \"assignee\": null,\n    \"target\": null,\n    \"@type\": {\n      \"@policytype\": \"set\"\n    }\n  }\n}",
+							"raw": "{\n  \"uid\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n  \"policy\": {\n    \"permissions\": [\n      {\n        \"edctype\": \"dataspaceconnector:permission\",\n        \"uid\": null,\n        \"target\": \"test-document_{{participant_id}}\",\n        \"action\": {\n          \"type\": \"USE\",\n          \"includedIn\": null,\n          \"constraint\": null\n        },\n        \"assignee\": null,\n        \"assigner\": null,\n        \"constraints\": [],\n        \"duties\": []\n      }\n    ],\n    \"prohibitions\": [],\n    \"obligations\": [],\n    \"extensibleProperties\": {},\n    \"inheritsFrom\": null,\n    \"assigner\": null,\n    \"assignee\": null,\n    \"target\": null,\n    \"@type\": {\n      \"@policytype\": \"set\"\n    }\n  }\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -189,7 +189,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n    \"id\": \"4a75736e-001d-4364-8bd4-9888490edb56\",\n    \"accessPolicyId\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n    \"contractPolicyId\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n        \"criteria\": [\n            {\n                \"operandLeft\": \"asset:prop:id\",\n                \"operator\": \"=\",\n                \"operandRight\": \"test-document\"\n            }\n        ]\n}",
+							"raw": "{\n    \"id\": \"4a75736e-001d-4364-8bd4-9888490edb56\",\n    \"accessPolicyId\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n    \"contractPolicyId\": \"956e172f-2de1-4501-8881-057a57fd0e69\",\n        \"criteria\": [\n            {\n                \"operandLeft\": \"asset:prop:id\",\n                \"operator\": \"=\",\n                \"operandRight\": \"test-document_{{participant_id}}\"\n            }\n        ]\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -229,7 +229,7 @@
 						"header": [],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n    \"id\": \"8dfd8f18-09ad-41f9-a2d8-368889d3e36e\",\n    \"accessPolicyId\": \"6a99c1bb-74ad-41a7-b73a-93233ffdbfb8\",\n    \"contractPolicyId\": \"6a99c1bb-74ad-41a7-b73a-93233ffdbfb8\",\n        \"criteria\": [\n            {\n                \"operandLeft\": \"asset:prop:id\",\n                \"operator\": \"=\",\n                \"operandRight\": \"test-document-2\"\n            }\n        ]\n}",
+							"raw": "{\n    \"id\": \"8dfd8f18-09ad-41f9-a2d8-368889d3e36e\",\n    \"accessPolicyId\": \"6a99c1bb-74ad-41a7-b73a-93233ffdbfb8\",\n    \"contractPolicyId\": \"6a99c1bb-74ad-41a7-b73a-93233ffdbfb8\",\n        \"criteria\": [\n            {\n                \"operandLeft\": \"asset:prop:id\",\n                \"operator\": \"=\",\n                \"operandRight\": \"test-document-2_{{participant_id}}\"\n            }\n        ]\n}",
 							"options": {
 								"raw": {
 									"language": "json"

diff --git a/deployment/seed-data.sh b/deployment/seed-data.sh
@@ -6,5 +6,6 @@ newman run \
   --folder "Publish Master Data" \
   --env-var data_management_url="http://$EDC_HOST:9191/api/v1/data" \
   --env-var storage_account="$ASSETS_STORAGE_ACCOUNT" \
+  --env-var participant_id="$PARTICIPANT_ID" \
   --env-var api_key="$API_KEY" \
   deployment/data/MVD.postman_collection.json
diff --git a/deployment/terraform/dataspace/main.tf b/deployment/terraform/dataspace/main.tf
@@ -41,10 +41,10 @@ locals {
   edc_default_port                 = 8181
   registration_service_port        = 8182
   registration_service_path_prefix = "/authority"
-  registration_service_url         = "http://${local.registration_service_dns_label}.${var.location}.azurecontainer.io:${local.registration_service_port}"
+  registration_service_url         = "http://${local.registration_service_dns_label}.${var.location}.azurecontainer.io:${local.registration_service_port}${local.registration_service_path_prefix}"
 
-  dataspace_did_url = "did:web:${azurerm_storage_account.dataspace_did.primary_web_host}"
-  gaiax_did_url     = "did:web:${azurerm_storage_account.gaiax_did.primary_web_host}"
+  dataspace_did_uri = "did:web:${azurerm_storage_account.dataspace_did.primary_web_host}"
+  gaiax_did_uri     = "did:web:${azurerm_storage_account.gaiax_did.primary_web_host}"
 }
 
 resource "azurerm_resource_group" "dataspace" {
@@ -86,7 +86,7 @@ resource "azurerm_container_group" "registration-service" {
 
     environment_variables = {
       EDC_CONNECTOR_NAME      = local.connector_name
-      JWT_AUDIENCE            = "${local.registration_service_url}${local.registration_service_path_prefix}"
+      JWT_AUDIENCE            = local.registration_service_url
       WEB_HTTP_AUTHORITY_PORT = local.registration_service_port
       WEB_HTTP_AUTHORITY_PATH = local.registration_service_path_prefix
     }
@@ -149,11 +149,18 @@ resource "azurerm_storage_blob" "dataspace_did" {
   storage_container_name = "$web" # container used to serve static files (see static_website property on storage account)
   type                   = "Block"
   source_content = jsonencode({
-    id = local.dataspace_did_url
+    id = local.dataspace_did_uri
     "@context" = [
       "https://www.w3.org/ns/did/v1",
       {
-        "@base" = local.dataspace_did_url
+        "@base" = local.dataspace_did_uri
+      }
+    ],
+    "service" : [
+      {
+        "id" : "#registration-url",
+        "type" : "RegistrationUrl",
+        "serviceEndpoint" : local.registration_service_url
       }
     ],
     "verificationMethod" = [
@@ -189,11 +196,11 @@ resource "azurerm_storage_blob" "gaiax_did" {
   storage_container_name = "$web" # container used to serve static files (see static_website property on storage account)
   type                   = "Block"
   source_content = jsonencode({
-    id = local.gaiax_did_url
+    id = local.gaiax_did_uri
     "@context" = [
       "https://www.w3.org/ns/did/v1",
       {
-        "@base" = local.gaiax_did_url
+        "@base" = local.gaiax_did_uri
       }
     ],
     "verificationMethod" = [

diff --git a/system-tests/README.md b/system-tests/README.md
@@ -126,6 +126,14 @@ From the `MVD` root folder, execute the following command:
 ./gradlew -DuseFsVault="true" :launcher:shadowJar
 ```
 
+From the `Identity Hub` root folder, execute the following command:
+
+```bash
+./gradlew :client-cli:shadowJar
+```
+
+Copy Identity Hub client-cli jar which should be located at `<Identity-Hub-root-folder>/client-cli/build/libs/identity-hub-cli.jar` into MVD at folder location `<MVD-root-folder>/system-tests/resources/cli-tools`. If required then update copied jar file name to `identity-hub-cli.jar`, full path will be `<MVD-root-folder>/system-tests/resources/cli-tools/identity-hub-cli.jar`. This `identity-hub-cli.jar` will be used by `cli-tools` docker container to execute the `Identity Hub` commands.
+
 From the `Registration Service` root folder, execute the following command:
 
 ```bash

diff --git a/system-tests/docker-compose.yml b/system-tests/docker-compose.yml
@@ -106,6 +106,7 @@ services:
       API_KEY: ApiKeyDefaultValue
       EDC_HOST: provider
       ASSETS_STORAGE_ACCOUNT: providerassets
+      PARTICIPANT_ID: provider
     depends_on:
       consumer-eu:
         condition: service_healthy

diff --git a/system-tests/resources/cli-tools/Dockerfile b/system-tests/resources/cli-tools/Dockerfile
@@ -1,9 +1,18 @@
 FROM openjdk:17-slim-buster
 
+# Install uuidgen, then delete apt indexes to save image space
+RUN apt update \
+    && apt install -y uuid-runtime \
+    && rm -rf /var/cache/apt/archives /var/lib/apt/lists
+
 WORKDIR /app
 
 # Copy Registration Service client jar
 COPY ./registration-service-cli.jar .
+
+# Copy Identity Hub client jar
+COPY ./identity-hub-cli.jar .
+
 COPY ./entrypoint.sh .
 
 ENTRYPOINT "/app/entrypoint.sh"
diff --git a/system-tests/resources/cli-tools/entrypoint.sh b/system-tests/resources/cli-tools/entrypoint.sh
@@ -1,9 +1,26 @@
 #!/bin/bash
 
-PARTICIPANTS=(provider consumer-eu consumer-us)
+# stop on error
+set -euo pipefail
+
+PARTICIPANTS=(provider:eu consumer-eu:eu consumer-us:us)
 
 # Register dataspace participants
-for i in "${PARTICIPANTS[@]}"; do
-    echo "Registering $i"
-    java -jar registration-service-cli.jar -d="did:web:did-server:$i" -k=/resources/vault/$i/private-key.pem -s='http://registration-service:8184/authority' participants add --ids-url "http://$i:8282"
+for participant in "${PARTICIPANTS[@]}"; do
+    participantArray=(${participant//:/ })
+
+    participantName=${participantArray[0]}
+    region=${participantArray[1]}
+    did="did:web:did-server:$participantName"
+
+    echo "Registering $participantName"
+    java -jar registration-service-cli.jar -d="$did" -k=/resources/vault/$participantName/private-key.pem -s='http://registration-service:8184/authority' participants add --ids-url "http://$participantName:8282"
+
+    echo "Seeding VC for $participantName"
+    vcId=$(uuidgen)
+    java -jar identity-hub-cli.jar -s="http://$participantName:8181/api/identity-hub" vc add \
+                -c='{"id":"'$vcId'","credentialSubject":{"region":"'$region'"}}' \
+                -b="$did" \
+                -i="did:web:did-server:gaia-x" \
+                -k="/resources/vault/gaia-x/private-key.pem"
 done
diff --git a/system-tests/resources/vault/gaia-x/private-key.pem b/system-tests/resources/vault/gaia-x/private-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKYUFAhvU3jHPxNPssAVVSbSRLFmKhX6o4Je7KjOqZwOoAoGCCqGSM49
+AwEHoUQDQgAELqW8A9NJSN7d+eLM7JqnxDpTzosTNaM8SZYOJLP7vgAhO/yPPSUa
+cJHHzIAVZVfpVsHnsNTMY0bab7QzE1WeKw==
+-----END EC PRIVATE KEY-----
diff --git a/system-tests/resources/vault/gaia-x/public-key.pem b/system-tests/resources/vault/gaia-x/public-key.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELqW8A9NJSN7d+eLM7JqnxDpTzosT
+NaM8SZYOJLP7vgAhO/yPPSUacJHHzIAVZVfpVsHnsNTMY0bab7QzE1WeKw==
+-----END PUBLIC KEY-----
diff --git a/system-tests/resources/vault/registration-service/private-key.pem b/system-tests/resources/vault/registration-service/private-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIz7bDfNIDyw0FtHEpzUwPVUX0O8gPr2EY7XyQmOV0Z/oAoGCCqGSM49
+AwEHoUQDQgAE91+yrni6ZryoL4w4xIKOGo70L0ExEnSeGtgXzGTHBcP49nTKHFGn
+eRJ9LRC+/pLT45E4YsuDVibvrHl9FOfS4w==
+-----END EC PRIVATE KEY-----
diff --git a/system-tests/resources/webdid/gaia-x/did.json b/system-tests/resources/webdid/gaia-x/did.json
@@ -0,0 +1,25 @@
+{
+	"id": "did:web:did-server:gaiax",
+	"@context": [
+		"https://www.w3.org/ns/did/v1",
+		{
+			"@base": "did:web:did-server:gaiax"
+		}
+	],
+	"service": [],
+	"verificationMethod": [{
+		"id": "#my-key-1",
+		"controller": "",
+		"type": "EcdsaSecp256k1VerificationKey2019",
+		"publicKeyJwk": {
+			"kty": "EC",
+			"kid": "r2vpmYH0Kn1urn6lrzPCzE_bVP6f4X9wb7qTT-IJODI",
+			"crv": "P-256",
+			"x": "LqW8A9NJSN7d-eLM7JqnxDpTzosTNaM8SZYOJLP7vgA",
+			"y": "ITv8jz0lGnCRx8yAFWVX6VbB57DUzGNG2m-0MxNVnis"
+		}
+	}],
+	"authentication": [
+		"#my-key-1"
+	]
+}