feat: add DataPlane Token Refresh API
1 parent
e008e75
commit 71408db
Showing
15 changed files
with
726 additions
and
23 deletions.
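--- /dev/null
+++ b/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-api/build.gradle.kts
@@ -0,0 +1,36 @@
+/*
+* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+plugins {
+`java-library`
+`maven-publish`
+id("io.swagger.core.v3.swagger-gradle-plugin")
+}
+
+dependencies {
+api(project(":spi:tokenrefresh-spi"))
+implementation(libs.edc.spi.core)
+implementation(libs.edc.spi.web)
+implementation(libs.jakarta.rsApi)
+
+testImplementation(libs.edc.junit)
+testImplementation(libs.restAssured)
+testImplementation(testFixtures(libs.edc.core.jersey))
+}
+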
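--- /dev/null
+++ b/...in/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/api/TokenRefreshApiExtension.java
@@ -0,0 +1,53 @@
+/*
+* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.eclipse.tractusx.edc.dataplane.tokenrefresh.api;
+
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.web.spi.WebService;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.v1.TokenRefreshApiController;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.DataPlaneTokenRefreshService;
+
+import static org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.TokenRefreshApiExtension.NAME;
+
+@Extension(value = NAME)
+public class TokenRefreshApiExtension implements ServiceExtension {
+
+public static final String NAME = "DataPlane Token Refresh API Extension";
+private static final String PUBLIC_API_CONTEXT = "public";
+@Inject
+private DataPlaneTokenRefreshService refreshService;
+
+@Inject
+private WebService webService;
+
+@Override
+public String name() {
+return NAME;
+}
+
+@Override
+public void initialize(ServiceExtensionContext context) {
+var controller = new TokenRefreshApiController(refreshService);
+webService.registerResource(PUBLIC_API_CONTEXT, controller);
+}
+}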
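Review bot: `TokenRefreshApiExtension` carries no Javadoc, and its one non-obvious decision — registering the controller on the web context named by `PUBLIC_API_CONTEXT` in `initialize` — is left unexplained. A class comment such as `/** Registers the {@link TokenRefreshApiController} on the "public" web context so that the token refresh endpoint is served on that context. */` would tell a maintainer where the endpoint ends up and why that context was chosen. If `"public"` is already defined as a context-name constant in another module, reusing it instead of redeclaring it here would keep the two from drifting apart; I cannot tell from this commit whether such a constant exists.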
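--- /dev/null
+++ b/...src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/api/v1/TokenRefreshApi.java
@@ -0,0 +1,58 @@
+/*
+* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.v1;
+
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.Parameter;
+import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
+import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityScheme;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.eclipse.edc.web.spi.ApiErrorDetail;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.model.TokenResponse;
+
+@SecurityScheme(name = "Authentication",
+description = "Self-Issued ID token containing an access_token",
+type = SecuritySchemeType.HTTP,
+scheme = "bearer",
+bearerFormat = "JWT")
+@OpenAPIDefinition(info = @Info(description = "With this API clients can refresh their access token for a provider's HTTP data plane using an authentication token and a refresh token.", title = "Token Refresh API"))
+@Tag(name = "Token Refresh API")
+public interface TokenRefreshApi {
+
+@Operation(description = "Resolves all groups for a particular BPN",
+parameters = { @Parameter(name = "grant_type", description = "The grant type. Must be \"refresh_token\""),
+@Parameter(name = "refresh_token", description = "The refresh token") },
+responses = {
+@ApiResponse(responseCode = "200", description = "The access token and refresh token were updated. Expiry should be " +
+"interpreted as starting from the time of message reception, allowing for some leeway.",
+content = @Content(schema = @Schema(implementation = TokenResponse.class))),
+@ApiResponse(responseCode = "401", description = "The token could not be refreshed due to an authentication error, either the refresh token or the Authorization header were invalid.",
+content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)))),
+@ApiResponse(responseCode = "400", description = "Request body was malformed, query parameters were missing, etc.",
+content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class))))
+})
+TokenResponse refreshToken(String grantType, String refreshToken, String bearerToken);
+}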
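Review bot: The `@Operation` description on `refreshToken` reads "Resolves all groups for a particular BPN", which does not describe this endpoint and looks copied from another API; it should say what the operation does, e.g. `description = "Refreshes the access token for a provider's HTTP data plane using a refresh token and a Self-Issued ID token presented as bearer token"`. The `Authorization` header that the implementation reads is also missing from the generated documentation: the `@SecurityScheme` named "Authentication" is declared on the interface but never referenced, so `security = @SecurityRequirement(name = "Authentication")` on the `@Operation` (with the matching `io.swagger.v3.oas.annotations.security.SecurityRequirement` import) would mark the header as required in the OpenAPI output. The third method parameter, `bearerToken`, has no `@Parameter` entry either, which is consistent with documenting it via the security requirement rather than as a plain parameter.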
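--- /dev/null
+++ b/...ava/org/eclipse/tractusx/edc/dataplane/tokenrefresh/api/v1/TokenRefreshApiController.java
@@ -0,0 +1,59 @@
+/*
+* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.v1;
+
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.edc.web.spi.exception.AuthenticationFailedException;
+import org.eclipse.edc.web.spi.exception.InvalidRequestException;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.DataPlaneTokenRefreshService;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.model.TokenResponse;
+
+import static jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION;
+
+@Produces({ MediaType.APPLICATION_JSON })
+@Path("/token")
+public class TokenRefreshApiController implements TokenRefreshApi {
+private static final String REFRESH_TOKEN_GRANT = "refresh_token";
+private final DataPlaneTokenRefreshService tokenRefreshService;
+
+public TokenRefreshApiController(DataPlaneTokenRefreshService tokenRefreshService) {
+this.tokenRefreshService = tokenRefreshService;
+}
+
+@POST
+@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+@Override
+public TokenResponse refreshToken(@QueryParam("grant_type") String grantType,
+@QueryParam("refresh_token") String refreshToken,
+@HeaderParam(AUTHORIZATION) String bearerToken) {
+if (!REFRESH_TOKEN_GRANT.equals(grantType)) {
+throw new InvalidRequestException("Grant type MUST be '%s' but was '%s'".formatted(REFRESH_TOKEN_GRANT, grantType));
+}
+
+return tokenRefreshService.refreshToken(refreshToken, bearerToken)
+.orElseThrow(f -> new AuthenticationFailedException(f.getFailureDetail()));
+}
+}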
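Review bot: `refreshToken` hands `refreshToken` and `bearerToken` to the service without checking for null or blank values, so a request with the `refresh_token` parameter absent or without an `Authorization` header is only rejected if the service happens to reject it; the test class in this commit expects 400 and 401 for exactly those cases, and nothing in this controller produces either status. Explicit guards keep the distinction between a malformed request (400) and a failed credential check (401) under the API's control, and the two exception types already imported map to those statuses. Separately, reading the refresh token from `@QueryParam` while the endpoint consumes `application/x-www-form-urlencoded` places a credential in the request URL, where it tends to be recorded in server and proxy access logs; taking it from the form body with `@FormParam` would match the declared content type and keep it out of the URL (the tests would need the same change).
```java
public TokenResponse refreshToken(@QueryParam("grant_type") String grantType,
                                  @QueryParam("refresh_token") String refreshToken,
                                  @HeaderParam(AUTHORIZATION) String bearerToken) {
    if (!REFRESH_TOKEN_GRANT.equals(grantType)) {
        throw new InvalidRequestException("Grant type MUST be '%s' but was '%s'".formatted(REFRESH_TOKEN_GRANT, grantType));
    }
    // reject malformed requests before any credential check is attempted
    if (refreshToken == null || refreshToken.isBlank()) {
        throw new InvalidRequestException("Query parameter 'refresh_token' is missing or empty");
    }
    if (bearerToken == null || bearerToken.isBlank()) {
        throw new AuthenticationFailedException("Authorization header is missing");
    }
    // … unchanged: delegate to tokenRefreshService and map a failure to AuthenticationFailedException …
```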
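--- /dev/null
+++ b/...resh-api/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension
@@ -0,0 +1,20 @@
+#################################################################################
+# Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.TokenRefreshApiExtension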
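--- /dev/null
+++ b/...org/eclipse/tractusx/edc/dataplane/tokenrefresh/api/v1/TokenRefreshApiControllerTest.java
@@ -0,0 +1,146 @@
+/*
+* Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.eclipse.tractusx.edc.dataplane.tokenrefresh.api.v1;
+
+import io.restassured.http.ContentType;
+import io.restassured.specification.RequestSpecification;
+import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.web.jersey.testfixtures.RestControllerTestBase;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.DataPlaneTokenRefreshService;
+import org.eclipse.tractusx.edc.dataplane.tokenrefresh.spi.model.TokenResponse;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EmptySource;
+import org.junit.jupiter.params.provider.NullSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static io.restassured.RestAssured.given;
+import static jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION;
+import static org.hamcrest.Matchers.containsString;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class TokenRefreshApiControllerTest extends RestControllerTestBase {
+
+private final DataPlaneTokenRefreshService refreshService = mock();
+
+@DisplayName("Expect HTTP 400 when no Authorization header is present")
+@Test
+void refresh_noAuthHeader_expect401() {
+baseRequest()
+.queryParam("grant_type", "refresh_token")
+.queryParam("refresh_token", "foo-token")
+/* missing: .header(AUTHORIZATION, "auth-token") */
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(401);
+}
+
+@DisplayName("Expect HTTP 200 when the token was successfully refreshed")
+@Test
+void refresh_expect200() {
+when(refreshService.refreshToken(any(), any())).thenReturn(Result.success(new TokenResponse("new-accesstoken", "new-refreshtoken", 3000L, "bearer")));
+baseRequest()
+.queryParam("grant_type", "refresh_token")
+.queryParam("refresh_token", "foo-token")
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(200)
+.body(Matchers.isA(TokenResponse.class));
+}
+
+@DisplayName("Expect HTTP 400 when an invalid grant type was provided")
+@ParameterizedTest(name = "Invalid grant_type: {0}")
+@ValueSource(strings = { "REFRESH_TOKEN", "refreshToken", "invalid_grant", "client_credentials", "" })
+@NullSource
+void refresh_invalidGrantType_expect400(String grant) {
+baseRequest()
+.queryParam("grant_type", grant)
+.queryParam("refresh_token", "foo-token")
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(400);
+}
+
+@DisplayName("Expect HTTP 400 when an invalid refresh token was provided")
+@ParameterizedTest(name = "Invalid refresh_token: {0}")
+@NullSource
+@EmptySource
+void refresh_invalidRefreshToken_expect400(String refreshToken) {
+baseRequest()
+.queryParam("grant_type", "refresh_token")
+.queryParam("refresh_token", refreshToken)
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(400);
+}
+
+@DisplayName("Expect HTTP 400 when one of the query params was missing")
+@Test
+void refresh_queryParamsMissing() {
+baseRequest()
+.queryParam("grant_type", "refresh_token")
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(400);
+
+baseRequest()
+.queryParam("refresh_token", "foo-token")
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(400);
+}
+
+@DisplayName("Expect HTTP 401 if the auth header or refresh token are invalid")
+@Test
+void refresh_tokenInvalid_expect401() {
+when(refreshService.refreshToken(any(), any())).thenReturn(Result.failure("Invalid auth token"));
+
+baseRequest()
+.queryParam("grant_type", "refresh_token")
+.queryParam("refresh_token", "foo-token")
+.header(AUTHORIZATION, "auth-token")
+.contentType(ContentType.URLENC)
+.then()
+.statusCode(401)
+.body(containsString("Invalid auth token"));
+}
+
+@Override
+protected Object controller() {
+return new TokenRefreshApiController(refreshService);
+}
+
+private RequestSpecification baseRequest() {
+return given()
+.baseUri("http://localhost:" + port)
+.basePath("/token")
+.when();
+}
+
+}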
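Review bot: The `@DisplayName` on `refresh_noAuthHeader_expect401` says "Expect HTTP 400" while the method name and the `statusCode(401)` assertion say 401; the display name should presumably read `"Expect HTTP 401 when no Authorization header is present"`. That test also stubs nothing on `refreshService`, so unless the test base rejects the request before it reaches the controller, the unstubbed mock returns null from `refreshToken` and the controller's `orElseThrow` call would fail with a NullPointerException rather than yield a 401 — either stub a `Result.failure(...)` as `refresh_tokenInvalid_expect401` does, or make explicit which layer is expected to reject the missing header. `refresh_invalidRefreshToken_expect400` has the same shape: nothing is stubbed and the controller in this commit does not validate `refresh_token`, so it is unclear where the expected 400 is supposed to come from.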