International-Data-Spaces-Association / DataspaceConnector

This is an IDS Connector reference implementation.
Apache License 2.0

Connector Restricted Usage Policy for multiple connectors #435

Open jfernandezsqs opened 1 year ago

jfernandezsqs commented 1 year ago

I have deployed three DSC connectors (one acting as provider with a catalog, offer, representation, artifact, contract and two usage policies rules of Connector Restricted Usage) and the other connectors acting as consumers (connector_B and connector_C).

The rules applied are the Connector Restricted Usage ones (URL https://connector_B and URL https://connector_C):

{"@type":"ids:Permission","@id":"https://connectora:8080/api/rules/492eb8bd-4a66-4be5-bf50-e54228dc347b","ids:description":[{"@value":"Restricted usage only for connector_b","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:constraint":[{"@type":"ids:Constraint","@id":"https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b","ids:operator":{"@id":"https://w3id.org/idsa/code/SAME_AS"},"ids:leftOperand":{"@id":"https://w3id.org/idsa/code/SYSTEM"},"ids:rightOperand":{"@value":"https://connector_B","@type":"http://www.w3.org/2001/XMLSchema#anyURI"}}],"ids:action":[{"@id":"https://w3id.org/idsa/code/USE"}],"ids:title":[{"@value":"Restricted usage connector B","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:target":"https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"}
{"@type":"ids:Permission","@id":"https://connectora:8080/api/rules/58579ab8-33ba-49dd-bf3c-13e2c0ca0b82","ids:description":[{"@value":"Restricted usage only for connector_c","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:constraint":[{"@type":"ids:Constraint","@id":"https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b","ids:operator":{"@id":"https://w3id.org/idsa/code/SAME_AS"},"ids:leftOperand":{"@id":"https://w3id.org/idsa/code/SYSTEM"},"ids:rightOperand":{"@value":"https://connector_C","@type":"http://www.w3.org/2001/XMLSchema#anyURI"}}],"ids:action":[{"@id":"https://w3id.org/idsa/code/USE"}],"ids:title":[{"@value":"Restricted usage connector C","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:target":"https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"}

When I try to establish the contract negotiation (POST /api/ids/contract):

curl -X 'POST' \
  'https://localhost:8082/api/ids/contract?recipient=https%3A%2F%2Fconnectora%3A8080%2Fapi%2Fids%2Fdata&resourceIds=https%3A%2F%2Fconnectora%3A8080%2Fapi%2Foffers%2F61a33504-a4d0-4989-a767-01db66e374b6&artifactIds=https%3A%2F%2Fconnectora%3A8080%2Fapi%2Fartifacts%2Fbf435743-df13-42fc-bf92-f9fecf45d1a9&download=false' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '[
{"@type":"ids:Permission","@id":"https://connectora:8080/api/rules/492eb8bd-4a66-4be5-bf50-e54228dc347b","ids:description":[{"@value":"Restricted usage only for connector_b","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:constraint":[{"@type":"ids:Constraint","@id":"https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b","ids:operator":{"@id":"https://w3id.org/idsa/code/SAME_AS"},"ids:leftOperand":{"@id":"https://w3id.org/idsa/code/SYSTEM"},"ids:rightOperand":{"@value":"https://connector_B","@type":"http://www.w3.org/2001/XMLSchema#anyURI"}}],"ids:action":[{"@id":"https://w3id.org/idsa/code/USE"}],"ids:title":[{"@value":"Restricted usage connector B","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:target":"https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"},{"@type":"ids:Permission","@id":"https://connectora:8080/api/rules/58579ab8-33ba-49dd-bf3c-13e2c0ca0b82","ids:description":[{"@value":"Restricted usage only for connector_c","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:constraint":[{"@type":"ids:Constraint","@id":"https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b","ids:operator":{"@id":"https://w3id.org/idsa/code/SAME_AS"},"ids:leftOperand":{"@id":"https://w3id.org/idsa/code/SYSTEM"},"ids:rightOperand":{"@value":"https://connector_C","@type":"http://www.w3.org/2001/XMLSchema#anyURI"}}],"ids:action":[{"@id":"https://w3id.org/idsa/code/USE"}],"ids:title":[{"@value":"Restricted usage connector C","@type":"http://www.w3.org/2001/XMLSchema#string"}],"ids:target":"https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"}
]'

The following error is obtained:

connectorc             | 2022-09-05T13:36:03,655 [https-jsse-nio-8082-exec-3] INFO - Using cached DAPS DAT. [expiration=(2022-09-05T14:05:10.000+0000)]
connectorc             | 2022-09-05T13:36:03,673 [https-jsse-nio-8082-exec-3] INFO - Using cached DAPS DAT. [expiration=(2022-09-05T14:05:10.000+0000)]
connectorc             | 2022-09-05T13:36:03,694 [https-jsse-nio-8082-exec-3] DEBUG - Built request message. [header=({\n  "@context" : {\n    "ids" : "https://w3id.org/idsa/core/",\n    "idsc" : "https://w3id.org/idsa/code/"\n  },\n  "@type" : "ids:ContractRequestMessage",\n  "@id" : "https://w3id.org/idsa/autogen/contractRequestMessage/8ed6aee0-5ff2-4dbb-bd27-767161d7fb72",\n  "ids:modelVersion" : "4.2.7",\n  "ids:issued" : {\n    "@value" : "2022-09-05T13:36:03.679Z",\n    "@type" : "http://www.w3.org/2001/XMLSchema#dateTimeStamp"\n  },\n  "ids:issuerConnector" : {\n    "@id" : "https://connector_C"\n  },\n  "ids:recipientConnector" : [ {\n    "@id" : "https://connectora:8080/api/ids/data"\n  } ],\n  "ids:senderAgent" : {\n    "@id" : "https://connector_C"\n  },\n  "ids:securityToken" : {\n    "@type" : "ids:DynamicAttributeToken",\n    "@id" : "https://w3id.org/idsa/autogen/dynamicAttributeToken/1b9b8df7-8079-4007-95b0-9c1db5c10241",\n    "ids:tokenValue" : "eyJ0eXAiOiJhdCtqd3QiLCJraWQiOiJiNWRhYzdkNjQ4MzEwNDdmNzM5NWQ4MzYyYWE1NzViMWU5MDhlZWRiZjFlNWM1MDBiZWUxODQ1NThjYWNiZDk3IiwiYWxnIjoiUlMyNTYifQ.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.S8VpAaNQCrhmYcMp0zJM1u98G_b7KH7ElUDKb8zQKgEinNx8Fy6uW7mlB4NaX5N16iecAQj5j5UCsutAJRREkl-z2iCob6h0oOaICh_lKsEty9rW5_qmWyc9aymv2yGsTkoOXKhcFc1QsaS1_jlbsJr7TA96QthX8-4Fl7uKkmt93BKLQsdMDbCalxM2rmKP8rlA5wFZQfAfBV18Dkl2YNOG_xIfIe0hRmnR8cZM4wfGB0w-O2Za5ENwNfWNnagGACfPynp0zOgA5pxy-4Y7ZwCMeZxyeg2tLR9tsf79KS9UHc4LV9C9fz3sWw3E3HY2IVCCc2JXns9F3yyPKeMDaA",\n    "ids:tokenFormat" : {\n      "@id" : "https://w3id.org/idsa/code/JWT"\n    }\n  },\n  "ids:transferContract" : {\n    "@id" : "https://w3id.org/idsa/autogen/contractRequest/2d7fe457-7a1f-40f4-931f-6ad80332ca42"\n  }\n}), payload=({\n  "@context" : {\n    "ids" : "https://w3id.org/idsa/core/",\n    "idsc" : "https://w3id.org/idsa/code/"\n  },\n  "@type" : "ids:ContractRequest",\n  "@id" : "https://w3id.org/idsa/autogen/contractRequest/2d7fe457-7a1f-40f4-931f-6ad80332ca42",\n  
"ids:permission" : [ {\n    "@type" : "ids:Permission",\n    "@id" : "https://connectora:8080/api/rules/492eb8bd-4a66-4be5-bf50-e54228dc347b",\n    "ids:description" : [ {\n      "@value" : "Restricted usage only for connector_b",\n      "@type" : "http://www.w3.org/2001/XMLSchema#string"\n    } ],\n    "ids:title" : [ {\n      "@value" : "Restricted usage connector B",\n      "@type" : "http://www.w3.org/2001/XMLSchema#string"\n    } ],\n    "ids:assignee" : [ {\n      "@id" : "https://connector_C"\n    } ],\n    "ids:constraint" : [ {\n      "@type" : "ids:Constraint",\n      "@id" : "https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b",\n      "ids:operator" : {\n        "@id" : "https://w3id.org/idsa/code/SAME_AS"\n      },\n      "ids:leftOperand" : {\n        "@id" : "https://w3id.org/idsa/code/SYSTEM"\n      },\n      "ids:rightOperand" : {\n        "@value" : "https://connector_B",\n        "@type" : "http://www.w3.org/2001/XMLSchema#anyURI"\n      }\n    } ],\n    "ids:action" : [ {\n      "@id" : "https://w3id.org/idsa/code/USE"\n    } ],\n    "ids:target" : {\n      "@id" : "https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"\n    }\n  }, {\n    "@type" : "ids:Permission",\n    "@id" : "https://connectora:8080/api/rules/58579ab8-33ba-49dd-bf3c-13e2c0ca0b82",\n    "ids:description" : [ {\n      "@value" : "Restricted usage only for connector_c",\n      "@type" : "http://www.w3.org/2001/XMLSchema#string"\n    } ],\n    "ids:title" : [ {\n      "@value" : "Restricted usage connector C",\n      "@type" : "http://www.w3.org/2001/XMLSchema#string"\n    } ],\n    "ids:assignee" : [ {\n      "@id" : "https://connector_C"\n    } ],\n    "ids:constraint" : [ {\n      "@type" : "ids:Constraint",\n      "@id" : "https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b",\n      "ids:operator" : {\n        "@id" : "https://w3id.org/idsa/code/SAME_AS"\n      },\n      "ids:leftOperand" : {\n        
"@id" : "https://w3id.org/idsa/code/SYSTEM"\n      },\n      "ids:rightOperand" : {\n        "@value" : "https://connector_C",\n        "@type" : "http://www.w3.org/2001/XMLSchema#anyURI"\n      }\n    } ],\n    "ids:action" : [ {\n      "@id" : "https://w3id.org/idsa/code/USE"\n    } ],\n    "ids:target" : {\n      "@id" : "https://connectora:8080/api/artifacts/bf435743-df13-42fc-bf92-f9fecf45d1a9"\n    }\n  } ],\n  "ids:consumer" : {\n    "@id" : "https://connector_C"\n  }\n})]
connectorc             | 2022-09-05T13:36:03,696 [https-jsse-nio-8082-exec-3] INFO - Sending request to https://connectora:8080/api/ids/data ...
connectora             | 2022-09-05T13:36:03,714 [https-jsse-nio-8080-exec-4] INFO - Received incoming message.
connectora             | 2022-09-05T13:36:03,738 [https-jsse-nio-8080-exec-4] INFO - Requesting public key of token issuer. [url=(https://omejdn/auth/jwks.json), kid=(b5dac7d64831047f7395d8362aa575b1e908eedbf1e5c500bee184558cacbd97)]
omejdn                 | 172.18.0.11 - - [05/Sep/2022:13:36:03 +0000] "GET /auth/jwks.json HTTP/1.1" 200 469 "-" "okhttp/4.9.3" "-"
omejdn-server          | 172.18.0.8 - - [05/Sep/2022:13:36:03 +0000] "GET /jwks.json HTTP/1.1" 200 469 0.0017
connectora             | 2022-09-05T13:36:03,760 [https-jsse-nio-8080-exec-4] INFO - Successfully validated DAPS whitelisting.
connectora             | 2022-09-05T13:36:03,760 [https-jsse-nio-8080-exec-4] INFO - Successfully verified DAT claims.
connectora             | 2022-09-05T13:36:03,781 [https-jsse-nio-8080-exec-4] WARN - Could not deserialize request. [exception=(https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b has multiple values for rightOperand, which is not allowed. Values are: https://connector_C^^http://www.w3.org/2001/XMLSchema#anyURI and https://connector_B^^http://www.w3.org/2001/XMLSchema#anyURI)]
connectora             | java.io.IOException: https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b has multiple values for rightOperand, which is not allowed. Values are: https://connector_C^^http://www.w3.org/2001/XMLSchema#anyURI and https://connector_B^^http://www.w3.org/2001/XMLSchema#anyURI
connectora             |    at de.fraunhofer.iais.eis.ids.jsonld.Parser.handleObject(Parser.java:577) ~[infomodel-serializer-4.2.8.jar:?]
connectora             |    at de.fraunhofer.iais.eis.ids.jsonld.Parser.parseMessage(Parser.java:1071) ~[infomodel-serializer-4.2.8.jar:?]
connectora             |    at de.fraunhofer.iais.eis.ids.jsonld.Parser.parseMessage(Parser.java:1086) ~[infomodel-serializer-4.2.8.jar:?]
.
.
.
connectora             |        ... 147 more
connectora             | 2022-09-05T13:36:03,808 [https-jsse-nio-8080-exec-4] WARN - Transaction rollback (0x11ae16d8) redelivered(false) for (MessageId: 33E3F4A049F98E2-000000000000000F on ExchangeId: 33E3F4A049F98E2-000000000000000F) caught: java.io.IOException: mark/reset not supported
connectora             | 2022-09-05T13:36:04,020 [https-jsse-nio-8080-exec-4] INFO - Sending response with status OK (200).
connectorc             | 2022-09-05T13:36:04,022 [https-jsse-nio-8082-exec-3] INFO - Successfully received response to request.
connectorc             | 2022-09-05T13:36:04,030 [https-jsse-nio-8082-exec-3] INFO - Successfully passed SHACL-Validation.
connectorc             | 2022-09-05T13:36:04,104 [https-jsse-nio-8082-exec-3] DEBUG - Received unexpected response message. [response=({reason=https://w3id.org/idsa/code/INTERNAL_RECIPIENT_ERROR, payload=Could not process request., type=class de.fraunhofer.iais.eis.RejectionMessageImpl})]

Is it possible to establish a contract agreement with an offer that has a contract containing multiple Connector Restricted Usage rules? That is, allowing data access to more than one specific consumer connector using the Restricted Connector Usage policy.

SebastianOpriel commented 1 year ago

Hi @jfernandezsqs, unfortunately the DSC does not support multiple connectors being whitelisted. See the implementation here: https://github.com/International-Data-Spaces-Association/DataspaceConnector/blob/main/src/main/java/io/dataspaceconnector/service/usagecontrol/RuleValidator.java, which assumes that each policy must be valid. Thus, for the moment, no OR condition is applicable.
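The two effects seen in this thread, worked through in Python as an added example (not DSC code; the names restricted_usage_rule, find_node_conflicts and access_granted are mine): the constraint objects in both posted rules carry the same @id, which JSON-LD merges into one node with two rightOperand values, matching the provider's deserialization error; and with every rule required to hold, as the reply describes, two Connector Restricted Usage rules naming different connectors deny both consumers. The SYSTEM SAME_AS evaluation is a simplified stand-in for the DSC's RuleValidator, not its logic.

```python
import json
from collections import defaultdict

SAME_AS = "https://w3id.org/idsa/code/SAME_AS"
SYSTEM = "https://w3id.org/idsa/code/SYSTEM"
# Both rules posted in the issue carry this same constraint @id.
SHARED_CONSTRAINT_ID = "https://w3id.org/idsa/autogen/constraint/a5b50075-89d5-4940-90ac-9b35a397894b"


def restricted_usage_rule(rule_id, allowed_connector, constraint_id=SHARED_CONSTRAINT_ID):
    """Connector Restricted Usage permission, reduced to the fields that matter here."""
    return {"@type": "ids:Permission", "@id": rule_id, "ids:constraint": [{
        "@type": "ids:Constraint", "@id": constraint_id,
        "ids:operator": {"@id": SAME_AS}, "ids:leftOperand": {"@id": SYSTEM},
        "ids:rightOperand": {"@value": allowed_connector, "@type": "http://www.w3.org/2001/XMLSchema#anyURI"}}]}

# The two rules from the issue, in reduced form (constructed from the posted JSON).
RULES = [restricted_usage_rule("https://connectora:8080/api/rules/492eb8bd-4a66-4be5-bf50-e54228dc347b", "https://connector_B"),
         restricted_usage_rule("https://connectora:8080/api/rules/58579ab8-33ba-49dd-bf3c-13e2c0ca0b82", "https://connector_C")]


def find_node_conflicts(doc):
    """Return {node_id: {property: [distinct values]}} for every @id that several node
    objects share with differing properties. JSON-LD treats same-@id objects as one node,
    so two rightOperand values on one constraint is what the provider's parser rejected."""
    props = defaultdict(lambda: defaultdict(set))

    def walk(node):
        if isinstance(node, dict) and "@id" in node and len(node) > 1:  # node object, not a bare reference
            for key, value in node.items():
                if key != "@id":
                    props[node["@id"]][key].add(json.dumps(value, sort_keys=True))
        children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
        for child in children:
            walk(child)

    walk(doc)
    return {nid: {k: [json.loads(s) for s in sorted(vs)] for k, vs in ps.items() if len(vs) > 1}
            for nid, ps in props.items() if any(len(vs) > 1 for vs in ps.values())}


def rule_holds(rule, consumer):
    """A permission holds when all its constraints hold; only SYSTEM SAME_AS is modelled."""
    return all(c["ids:leftOperand"]["@id"] == SYSTEM and c["ids:operator"]["@id"] == SAME_AS
               and c["ids:rightOperand"]["@value"] == consumer for c in rule["ids:constraint"])


def access_granted(rules, consumer, any_rule_suffices=False):
    """Default mirrors the reply: every rule must hold (AND), so two restricted-usage rules
    for different connectors deny both. any_rule_suffices=True is the OR the reporter wanted."""
    verdicts = [rule_holds(rule, consumer) for rule in rules]
    return any(verdicts) if any_rule_suffices else all(verdicts)
```

Giving each constraint its own @id removes the parse error, but under the all-rules-must-hold evaluation connector_B and connector_C are still both denied; only a single rule per contract admits its named consumer.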