feat(ssi): Issuer component re issuance of bpnl and membership credentials

.github/workflows/chart-test.yml

@@ -96,6 +96,15 @@ jobs:
           push: true
           tags: kind-registry:5000/credential-issuer-processes-worker:testing
 
+      - name: Build reissuance app
+        id: build-reissuance-app-image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/Dockerfile-credential-reissuance-app
+          push: true
+          tags: kind-registry:5000/credential-reissuance-app:testing
+
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
         with:

.github/workflows/credential-reissuance-app-docker.yml

@@ -0,0 +1,88 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+name: Build Credential Reissuance App Image
+
+on: 
+  push:
+    paths:
+      # service and transitive paths
+      - 'src/**'
+      # workflow file
+      - '.github/workflows/credential-reissuance-app-docker.yml'
+      # dockerfile
+      - 'docker/Dockerfile-credential-reissuance-app'
+
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+env:
+  IMAGE_NAMESPACE: "tractusx"
+  IMAGE_NAME: "ssi-credential-reissuance-app"
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=main
+            type=raw,value=${{ github.sha }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          context: .
+          file: ./docker/Dockerfile-credential-reissuance-app
+          platforms: linux/amd64, linux/arm64
+          pull: true
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # https://github.com/peter-evans/dockerhub-description
+      - name: Update Docker Hub description
+        if: github.event_name != 'pull_request'
+        uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
+          readme-filepath: ./docker/notice-credential-reissuance-app.md

.github/workflows/owasp-zap.yml

@@ -95,7 +95,16 @@ jobs:
           file: ./docker/Dockerfile-credential-expiry-app
           push: true
           tags: kind-registry:5000/credential-expiry-app:testing
-
+
+      - name: Build Reissuance image
+        id: build-reissuance-image
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          context: .
+          file: ./docker/Dockerfile-credential-reissuance-app
+          push: true
+          tags: kind-registry:5000/credential-reissuance-app:testing
+
       - name: Add bitnami repo
         run: |
           helm repo add bitnami https://charts.bitnami.com/bitnami 

.github/workflows/release.yml

@@ -103,6 +103,9 @@ jobs:
           - image: tractusx/ssi-credential-expiry-app
             dockerfile: ./docker/Dockerfile-credential-expiry-app
             dockernotice: ./docker/notice-credential-expiry-app.md
+          - image: tractusx/ssi-credential-reissuance-app
+            dockerfile: ./docker/Dockerfile-credential-reissuance-app
+            dockernotice: ./docker/notice-credential-reissuance-app.md
     outputs:
       app-version: ${{ steps.app-version.outputs.current }}
       version-check: ${{ steps.version-check.outputs.exists }}

.github/workflows/release_candidate.yml

@@ -45,6 +45,9 @@ jobs:
           - image: tractusx/ssi-credential-expiry-app
             dockerfile: ./docker/Dockerfile-credential-expiry-app
             dockernotice: ./docker/notice-credential-expiry-app.md
+          - image: tractusx/ssi-credential-reissuance-app
+            dockerfile: ./docker/Dockerfile-credential-reissuance-app
+            dockernotice: ./docker/notice-credential-reissuance-app.md
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/trivy-main.yml

@@ -198,3 +198,36 @@ jobs:
         uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
           sarif_file: "trivy-results5.sarif"
+
+  analyze-ssi-credential-issuer-reissuance-app:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # It's also possible to scan your private registry with Trivy's built-in image scan.
+      # All you have to do is set ENV vars.
+      # Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD.
+      # You don't need to set ENV vars when downloading from a public repository.
+      # For public images, no ENV vars must be set.
+      - name: Run Trivy vulnerability scanner
+        if: always()
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        with:
+          # Path to Docker image
+          image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-reissuance-app:main"
+          format: "sarif"
+          output: "trivy-results6.sarif"
+          vuln-type: "os,library"
+          skip-dirs: "docs/"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          sarif_file: "trivy-results6.sarif"

.github/workflows/trivy.yml

@@ -196,3 +196,35 @@ jobs:
         uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
           sarif_file: "trivy-results5.sarif"
+
+  analyze-ssi-credential-reissuance-app:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # It's also possible to scan your private registry with Trivy's built-in image scan.
+      # All you have to do is set ENV vars.
+      # Docker Hub needs TRIVY_USERNAME and TRIVY_PASSWORD.
+      # You don't need to set ENV vars when downloading from a public repository.
+      # For public images, no ENV vars must be set.
+      - name: Run Trivy vulnerability scanner
+        if: always()
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        with:
+          # Path to Docker image
+          image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-reissuance-app:latest"
+          format: "sarif"
+          output: "trivy-results6.sarif"
+          vuln-type: "os,library"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          sarif_file: "trivy-results6.sarif"

README.md

@@ -36,6 +36,7 @@ See Docker notice files for more information:
 - [credential-issuer-service](./docker//notice-credential-issuer-service.md)
 - [credential-issuer-processes-worker](./docker/notice-credential-issuer-processes-worker.md)
 - [credential-expiry-app](./docker/notice-credential-expiry-app.md)
+- [credential-reissuance-app](./docker/notice-credential-reissuance-app.md)
 - [credential-issuer-migrations](./docker/notice-credential-issuer-migrations.md)
 
 ## Contributing

charts/ssi-credential-issuer/README.md

@@ -107,6 +107,14 @@ dependencies:
 | credentialExpiry.logging.default | string | `"Information"` |  |
 | credentialExpiry.expiry.expiredVcsToDeleteInMonth | int | `12` |  |
 | credentialExpiry.expiry.inactiveVcsToDeleteInWeeks | int | `12` |  |
+| credentialReissuance.name | string | `"reissuance"` |  |
+| credentialReissuance.image.name | string | `"docker.io/tractusx/ssi-credential-reissuance-app"` |  |
+| credentialReissuance.image.tag | string | `""` |  |
+| credentialReissuance.imagePullPolicy | string | `"IfNotPresent"` |  |
+| credentialReissuance.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
+| credentialReissuance.processIdentity.identityId | string | `"23db9ff3-20c7-476c-ba70-6bdfe5c97104"` |  |
+| credentialReissuance.logging.default | string | `"Information"` |  |
+| credentialReissuance.expiry.expiredVcsToReissueInDays | int | `1` |  |
 | existingSecret | string | `""` | Secret containing the client-secrets for the connection to portal and wallet as well as encryptionKeys for issuer.credential and processesworker.wallet |
 | dotnetEnvironment | string | `"Production"` |  |
 | dbConnection.schema | string | `"issuer"` |  |

charts/ssi-credential-issuer/templates/cronjob-reissuance-app.yaml

@@ -0,0 +1,78 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+spec:
+  schedule: "0 0 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+          - name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+            image: "{{ .Values.credentialReissuance.image.name }}:{{ .Values.credentialReissuance.image.tag | default .Chart.AppVersion }}"
+            imagePullPolicy: "{{ .Values.credentialReissuance.imagePullPolicy }}"
+            env:
+            - name: DOTNET_ENVIRONMENT
+              value: "{{ .Values.dotnetEnvironment }}"
+            {{- if .Values.postgresql.enabled }}
+            - name: "ISSUER_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "issuer.postgresSecretName" . }}"
+                  key: "password"
+            - name: "CONNECTIONSTRINGS__ISSUERDB"
+              value: "Server={{ template "issuer.postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
+            {{- end }}
+            {{- if not .Values.postgresql.enabled }}
+            - name: "ISSUER_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.externalDatabase.secret }}"
+                  key: "password"
+            - name: "CONNECTIONSTRINGS__ISSUERDB"
+              value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
+            {{- end }}
+            - name: "REISSUANCE__EXPIREDVCSTOREISSUEINDAYS"
+              value: "{{ .Values.credentialReissuance.expiry.expiredVcsToReissueInDays }}"
+            - name: "REISSUANCE__ISSUERBPN"
+              value: "{{ .Values.service.credential.issuerBpn }}"
+            ports:
+            - name: http
+              containerPort: {{ .Values.portContainer }}
+              protocol: TCP
+            resources:
+              {{- toYaml .Values.credentialReissuance.resources | nindent 14 }}

charts/ssi-credential-issuer/values.yaml

@@ -157,6 +157,27 @@ credentialExpiry:
     expiredVcsToDeleteInMonth: 12
     inactiveVcsToDeleteInWeeks: 12
 
+credentialReissuance:
+  name: "reissuance"
+  image:
+    name: "docker.io/tractusx/ssi-credential-reissuance-app"
+    tag: ""
+  imagePullPolicy: "IfNotPresent"
+  # -- We recommend to review the default resource limits as this should a conscious choice.
+  resources:
+    requests:
+      cpu: 15m
+      memory: 105M
+    limits:
+      cpu: 45m
+      memory: 105M
+  processIdentity:
+    identityId: 23db9ff3-20c7-476c-ba70-6bdfe5c97104
+  logging:
+    default: "Information"
+  expiry:
+    expiredVcsToReissueInDays: 1
+
 # -- Secret containing the client-secrets for the connection to portal and wallet
 # as well as encryptionKeys for issuer.credential and processesworker.wallet
 existingSecret: ""

docker/Dockerfile-credential-reissuance-app

@@ -0,0 +1,35 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS publish
+ARG TARGETARCH
+WORKDIR /
+COPY LICENSE NOTICE.md DEPENDENCIES /
+COPY src/ src/
+RUN dotnet restore "src/credentials/SsiCredentialIssuer.Reissuance.App/SsiCredentialIssuer.Reissuance.App.csproj"
+WORKDIR /src/credentials/SsiCredentialIssuer.Reissuance.App
+RUN dotnet publish "SsiCredentialIssuer.Reissuance.App.csproj" -c Release -o /app/publish
+
+FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine
+ENV COMPlus_EnableDiagnostics=0
+WORKDIR /app
+COPY --from=publish /app/publish .
+RUN chown -R 1000:3000 /app
+USER 1000:3000
+ENTRYPOINT ["dotnet", "Org.Eclipse.TractusX.SsiCredentialIssuer.Reissuance.App.dll"]