FIWARE-Ops · wistefan · Jun 14, 2024 · Jul 2, 2024 · Jul 5, 2024 · Jul 5, 2024
diff --git a/argocd/applications/trusted-issuers-list/values.yaml b/argocd/applications/trusted-issuers-list/values.yaml
@@ -3,7 +3,7 @@ trusted-issuers-list:
   # Image
   deployment:
     image:  
-      tag: 0.0.3
+      tag: 0.2.0
 
   # Configure an Ingress or OpenShift Route
   ingress:

diff --git a/charts/data-space-connector/Chart.yaml b/charts/data-space-connector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: data-space-connector
 description: Umbrella Chart for the FIWARE Data Space Connector, combining all essential parts to be used by a participant.
 type: application
-version: 5.0.0
+version: 5.2.0
 dependencies:
   - name: postgresql
     condition: postgresql.enabled
@@ -11,15 +11,15 @@ dependencies:
   # authentication
   - name: vcverifier
     condition: vcverifier.enabled
-    version: 2.9.0
+    version: 2.9.2
     repository: https://fiware.github.io/helm-charts
   - name: credentials-config-service
     condition: credentials-config-service.enabled
     version: 0.1.5
     repository: https://fiware.github.io/helm-charts
   - name: trusted-issuers-list
     condition: trusted-issuers-list.enabled
-    version: 0.6.2
+    version: 0.7.0
     repository: https://fiware.github.io/helm-charts
   - name: mysql
     condition: mysql.enabled
@@ -50,3 +50,12 @@ dependencies:
     condition: keycloak.enabled
     version: 21.1.1
     repository: https://charts.bitnami.com/bitnami
+  # contract management
+  - name: tm-forum-api
+    condition: tm-forum-api.enabled
+    version: 0.9.4
+    repository: https://fiware.github.io/helm-charts
+  - name: contract-management
+    condition: contract-management.enabled
+    version: 0.6.4
+    repository: https://fiware.github.io/helm-charts
diff --git a/charts/data-space-connector/templates/opa.yaml b/charts/data-space-connector/templates/opa.yaml
@@ -0,0 +1,286 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-lua
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{ include "dsc.labels" . | nindent 4 }}
+data:
+  # extends the apisix opa-plugin to forward the http-body as part of the decision request.
+  opa.lua: |-
+    --
+    -- Licensed to the Apache Software Foundation (ASF) under one or more
+    -- contributor license agreements.  See the NOTICE file distributed with
+    -- this work for additional information regarding copyright ownership.
+    -- The ASF licenses this file to You under the Apache License, Version 2.0
+    -- (the "License"); you may not use this file except in compliance with
+    -- the License.  You may obtain a copy of the License at
+    --
+    --     http://www.apache.org/licenses/LICENSE-2.0
+    --
+    -- Unless required by applicable law or agreed to in writing, software
+    -- distributed under the License is distributed on an "AS IS" BASIS,
+    -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    -- See the License for the specific language governing permissions and
+    -- limitations under the License.
+    --
+
+    local core   = require("apisix.core")
+    local http   = require("resty.http")
+    local helper = require("apisix.plugins.opa.helper")
+    local type   = type
+    local ipairs = ipairs
+
+    local schema = {
+        type = "object",
+        properties = {
+            host = {type = "string"},
+            ssl_verify = {
+                type = "boolean",
+                default = true,
+            },
+            policy = {type = "string"},
+            timeout = {
+                type = "integer",
+                minimum = 1,
+                maximum = 60000,
+                default = 3000,
+                description = "timeout in milliseconds",
+            },
+            keepalive = {type = "boolean", default = true},
+            send_headers_upstream = {
+                type = "array",
+                minItems = 1,
+                items = {
+                    type = "string"
+                },
+                description = "list of headers to pass to upstream in request"
+            },
+            keepalive_timeout = {type = "integer", minimum = 1000, default = 60000},
+            keepalive_pool = {type = "integer", minimum = 1, default = 5},
+            with_route = {type = "boolean", default = false},
+            with_service = {type = "boolean", default = false},
+            with_consumer = {type = "boolean", default = false},
+            with_body = {type = "boolean", default = false},
+        },
+        required = {"host", "policy"}
+    }
+
+
+    local _M = {
+        version = 0.1,
+        priority = 2001,
+        name = "opa",
+        schema = schema,
+    }
+
+
+    function _M.check_schema(conf)
+        return core.schema.check(schema, conf)
+    end
+
+
+    function _M.access(conf, ctx)
+        local body = helper.build_opa_input(conf, ctx, "http")
+
+        local params = {
+            method = "POST",
+            body = core.json.encode(body),
+            headers = {
+                ["Content-Type"] = "application/json",
+            },
+            keepalive = conf.keepalive,
+            ssl_verify = conf.ssl_verify
+        }
+
+        if conf.keepalive then
+            params.keepalive_timeout = conf.keepalive_timeout
+            params.keepalive_pool = conf.keepalive_pool
+        end
+
+        local endpoint = conf.host .. "/v1/data/" .. conf.policy
+
+        local httpc = http.new()
+        httpc:set_timeout(conf.timeout)
+
+        local res, err = httpc:request_uri(endpoint, params)
+
+        -- block by default when decision is unavailable
+        if not res then
+            core.log.error("failed to process OPA decision, err: ", err)
+            return 403
+        end
+
+        -- parse the results of the decision
+        local data, err = core.json.decode(res.body)
+
+        if not data then
+            core.log.error("invalid response body: ", res.body, " err: ", err)
+            return 503
+        end
+
+        if not data.result then
+            core.log.error("invalid OPA decision format: ", res.body,
+                           " err: `result` field does not exist")
+            return 503
+        end
+
+        local result = data.result
+
+        if not result.allow then
+            if result.headers then
+                core.response.set_header(result.headers)
+            end
+
+            local status_code = 403
+            if result.status_code then
+                status_code = result.status_code
+            end
+
+            local reason = nil
+            if result.reason then
+                reason = type(result.reason) == "table"
+                    and core.json.encode(result.reason)
+                    or result.reason
+            end
+
+            return status_code, reason
+        else if result.headers and conf.send_headers_upstream then
+            for _, name in ipairs(conf.send_headers_upstream) do
+                local value = result.headers[name]
+                if value then
+                    core.request.set_header(ctx, name, value)
+                end
+            end
+            end
+        end
+    end
+
+
+    return _M
+
+  helper.lua: |-
+    --
+    -- Licensed to the Apache Software Foundation (ASF) under one or more
+    -- contributor license agreements.  See the NOTICE file distributed with
+    -- this work for additional information regarding copyright ownership.
+    -- The ASF licenses this file to You under the Apache License, Version 2.0
+    -- (the "License"); you may not use this file except in compliance with
+    -- the License.  You may obtain a copy of the License at
+    --
+    --     http://www.apache.org/licenses/LICENSE-2.0
+    --
+    -- Unless required by applicable law or agreed to in writing, software
+    -- distributed under the License is distributed on an "AS IS" BASIS,
+    -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    -- See the License for the specific language governing permissions and
+    -- limitations under the License.
+    --
+
+    local core        = require("apisix.core")
+    local get_service = require("apisix.http.service").get
+    local ngx_time    = ngx.time
+
+    local _M = {}
+
+
+    -- build a table of Nginx variables with some generality
+    -- between http subsystem and stream subsystem
+    local function build_var(conf, ctx)
+      return {
+        server_addr = ctx.var.server_addr,
+        server_port = ctx.var.server_port,
+        remote_addr = ctx.var.remote_addr,
+        remote_port = ctx.var.remote_port,
+        timestamp   = ngx_time(),
+      }
+    end
+
+
+    local function build_http_request(conf, ctx)
+
+      local http = {
+        scheme  = core.request.get_scheme(ctx),
+        method  = core.request.get_method(),
+        host    = core.request.get_host(ctx),
+        port    = core.request.get_port(ctx),
+        path    = ctx.var.uri,
+        headers = core.request.headers(ctx),
+        query   = core.request.get_uri_args(ctx),
+      }
+
+      if conf.with_body then
+        http.body = core.json.decode(core.request.get_body())
+      end
+
+      return http
+    end
+
+
+    local function build_http_route(conf, ctx, remove_upstream)
+      local route = core.table.deepcopy(ctx.matched_route).value
+
+      if remove_upstream and route and route.upstream then
+        -- unimportant to send upstream info to OPA
+        route.upstream = nil
+      end
+
+      return route
+    end
+
+
+    local function build_http_service(conf, ctx)
+      local service_id = ctx.service_id
+
+      -- possible that there is no service bound to the route
+      if service_id then
+        local service = core.table.clone(get_service(service_id)).value
+
+        if service then
+          if service.upstream then
+            service.upstream = nil
+          end
+          return service
+        end
+      end
+
+      return nil
+    end
+
+
+    local function build_http_consumer(conf, ctx)
+      -- possible that there is no consumer bound to the route
+      if ctx.consumer then
+        return core.table.clone(ctx.consumer)
+      end
+
+      return nil
+    end
+
+
+    function _M.build_opa_input(conf, ctx, subsystem)
+      local data = {
+        type    = subsystem,
+        request = build_http_request(conf, ctx),
+        var     = build_var(conf, ctx)
+      }
+
+      if conf.with_route then
+        data.route = build_http_route(conf, ctx, true)
+      end
+
+      if conf.with_consumer then
+        data.consumer = build_http_consumer(conf, ctx)
+      end
+
+      if conf.with_service then
+        data.service = build_http_service(conf, ctx)
+      end
+
+      return {
+        input = data,
+      }
+    end
+
+
+    return _M
diff --git a/charts/data-space-connector/templates/tmf-registration-cm.yaml b/charts/data-space-connector/templates/tmf-registration-cm.yaml
@@ -0,0 +1,40 @@
+{{- $tmf := index .Values "tm-forum-api" }}
+{{- if and (eq $tmf.registration.enabled true) (eq $tmf.enabled true) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $tmf.registration.name  }}
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{- include "dsc.labels" . | nindent 4 }}
+data:
+  init.sh: |-
+    # credentials config service registration
+    curl -X 'POST' \
+      '{{ $tmf.registration.ccs.endpoint }}/service' \
+      -H 'accept: */*' \
+      -H 'Content-Type: application/json' \
+      -d '{
+      "id": {{ $tmf.registration.ccs.id | quote }},
+      "defaultOidcScope": {{ $tmf.registration.ccs.defaultOidcScope.name | quote }},
+      {{- if and ($tmf.registration.ccs.defaultOidcScope.credentialType) ($tmf.registration.ccs.defaultOidcScope.trustedParticipantsLists) ($tmf.registration.ccs.defaultOidcScope.trustedIssuersLists) -}}
+      "oidcScopes": {
+        {{ $tmf.registration.ccs.defaultOidcScope.name | quote }}: [
+          {
+            "type": {{ $tmf.registration.ccs.defaultOidcScope.credentialType | quote }},
+            "trustedParticipantsLists": [
+              {{ $tmf.registration.ccs.defaultOidcScope.trustedParticipantsLists | quote }}
+            ],
+            "trustedIssuersLists": [
+              {{ $tmf.registration.ccs.defaultOidcScope.trustedIssuersLists | quote }}
+            ]
+          }
+        ]
+      }
+      {{- end }}
+      {{- if $tmf.registration.ccs.oidcScopes -}}
+      "oidcScopes": {{- toJson $tmf.registration.ccs.oidcScopes }}
+      {{- end }}
+    }'
+
+{{- end }}