Implementation #16 - [IDM.TRAIN.00016] Trusted Content Resolver - Client...

d6702600 · Andrei Danciuc · Denis Sukhoroslov · faa4a120 · d6702600 · d6702600
Commit d6702600 authored 1 year ago by Andrei Danciuc Committed by Denis Sukhoroslov 1 year ago
--- a/.gitignore
+++ b/.gitignore
@@ -47,4 +47,7 @@ server/logs/

 ### py ###
 *.egg-info
-.coverage
\ No newline at end of file
+.coverage
+
+## TRAIN specific ##
+/clients/java/all_dependent_jars/
--- a/bdd/.gitignore
+++ b/bdd/.gitignore
+/example/clients/java/*.java
+/example/clients/py/*.py
+/example/clients/go/*.go
+/example/clients/js/*.js
--- a/bdd/Makefile
+++ b/bdd/Makefile
@@ -6,8 +6,8 @@ PYTHON_D ?= /opt/python.d
 SOURCE_PATHS := "src/train_bdd"
 CMD_SELENIUM := train_bdd.selenium # :: NOT Implemented yet

-VENV_PATH_DEV := $(PYTHON_D)/dev/train
-VENV_PATH_PROD := $(PYTHON_D)/prod/train
+VENV_PATH_DEV := $(PYTHON_D)/dev/train/bdd
+VENV_PATH_PROD := $(PYTHON_D)/prod/train/bdd

 setup_dev: $(VENV_PATH_DEV)

@@ -67,5 +67,10 @@ activate_env_prod:
 activate_env_dev:
 	@echo "source \"$(VENV_PATH_DEV)/bin/activate\""

-start-trusted-content-resolver-server:
+start-trusted-content-resolver-server-in-debug-mode:
+	mvn -f ../pom.xml clean install
 	mvn -f ../service/pom.xml spring-boot:run -Dmaven.surefire.debug
+
+pre-setup:
+	cd ../docker && docker compose --env-file unires.env -f uni-resolver-web.yml up -d
+	cd ../docker && docker compose up -d
--- a/bdd/env.andrei.danciuc.sh
+++ b/bdd/env.andrei.danciuc.sh
+#!/bin/env bash
+
+export TRAIN_TRUST_CONTENT_RESOLVER_HOST="http://localhost:8887"
+source TRAIN_TRUST_CONTENT_RESOLVER_CLIENT_PY_VENV="/opt/python.d/dev/train/trusted_content_resolver_client"
+source TRAIN_TRUST_CONTENT_RESOLVER_CLIENT_JAVA_TARGET="/Users/A200084132/a-train/andrei.danciuc/trusted-content-resolver/clients/java/target/"
--- a/bdd/env.sample.sh
+++ b/bdd/env.sample.sh
+#!/bin/env bash
+
+export TRAIN_TRUST_CONTENT_RESOLVER_HOST="http://localhost:8887"
+source TRAIN_TRUST_CONTENT_RESOLVER_CLIENT_PY_VENV="/opt/python.d/dev/train/trusted_content_resolver_client"
+source TRAIN_TRUST_CONTENT_RESOLVER_CLIENT_JAVA_TARGET="/Users/app/trusted-content-resolver/clients/java/target/"
--- a/bdd/example/clients/README.rst
+++ b/bdd/example/clients/README.rst
+Real or templated examples for Client Implementation.
--- a/bdd/example/clients/go/trust_content_resolver_example.go.j2
+++ b/bdd/example/clients/go/trust_content_resolver_example.go.j2
+// go list ... | grep 'a'
+
+import "eu.xfsc.train.tcr.client.ResolveServiceClient"
--- a/bdd/example/clients/java/TrustContentResolverExample.java.j2
+++ b/bdd/example/clients/java/TrustContentResolverExample.java.j2
+// mvn dependency:copy-dependencies -DoutputDirectory=all_dependent_jars
+// java --class-path="all_dependent_jars/*.jar:" TrustContentResolverExample.java
+
+import java.util.List;
+import eu.xfsc.train.tcr.client.ResolveServiceClient;
+import eu.xfsc.train.tcr.api.generated.model.ResolveResult;
+
+class TrustContentResolverExample {
+
+    public static void main(String args[])
+    {
+        System.out.println("result");
+        ResolveServiceClient client = new ResolveServiceClient("some-baseUrl", "some-jwt");
+        List<ResolveResult> result = client.resolveTrustList(
+           "{{ did }}",
+            "{{ trust_framework_pointers[0] }}",
+            null
+        );
+        System.out.println(result.size());
+    }
+}
--- a/bdd/example/clients/java/run_java_example.sh
+++ b/bdd/example/clients/java/run_java_example.sh
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd $SCRIPT_DIR/../../../../clients/java
+
+## Collect all jars dependencies into single folder
+test !-d all_dependent_jars && mvn dependency:copy-dependencies -DoutputDirectory=all_dependent_jars -q
+
+## Collect jars into CLASSPATH
+CLASSPATH_="$(pwd)/target/trusted-content-resolver-java-client-1.0.0-SNAPSHOT.jar"
+for i in $(pwd)/all_dependent_jars/*.jar; do CLASSPATH_=$CLASSPATH_:$i; done
+
+## Execute example script
+java -cp $CLASSPATH_ $SCRIPT_DIR/TrustContentResolverExample.java
--- a/bdd/example/clients/js/trust_content_resolver_example.js.j2
+++ b/bdd/example/clients/js/trust_content_resolver_example.js.j2
+// npm list -g 'a'
+
+const ResolveServiceClient = require("eu.xfsc.train.tcr.client.ResolveServiceClient");
--- a/bdd/example/clients/py/trust_content_resolver_example.py.j2
+++ b/bdd/example/clients/py/trust_content_resolver_example.py.j2
+from trusted_content_resolver_client.resolve_service_client import resolve_trust_list
+
+if __name__ == '__main__':
+    print(resolve_trust_list(
+        trust_framework_pointers={{ trust_framework_pointers }},
+        did="{{ did }}"
+    ))
--- a/bdd/example/service/README.rst
+++ b/bdd/example/service/README.rst
+Real or templated examples for Server Implementation.
--- a/bdd/features/01 DNS Zone Manager.feature
+++ b/bdd/features/01 DNS Zone Manager.feature
+Feature:  Publishing the Trust Framework and the DID in the DNS Zone file
+
+  Background: fully environment setup
+
+    Given that the Notary Connector (API) is online
+    And the DNS-Server is running (NSD & KNOT DNS-Server)
+    And The DNS entry is configured
+    And DNSSEC is configured
+
+  Scenario: 00024-A1_A create request of trust framework is successfully reflected in the SQLite storage and DNS Zone file (200)
+
+    Given the fully environment setup
+    When the Notary has sent a create request of trust framework via the Notary Connector (API)
+    And the Trust Framework has been created in the Trust List Provisioning Domain
+    Then the Trust Framework is reflected as a PTR record in the DNS Zone Manager SQLite DataBase Zone file
+    And the DID corresponding to the Trust Framework is published as URI records in the DNS Zone Manager SQLite DataBase Zone file
+
+  Scenario: 00024-A1_2_An update request of trust framework is successfully reflected in the SQLite storage and DNS Zone File (200)
+
+    Given the fully environment setup
+    When the Notary has sent an update request of trust framework via the Notary Connector (API)
+    And the updated Trust Framework has been published in the Trust List Provisioning Domain
+    Then the Trust Framework update is reflected as a PTR record in the DNS Zone Manager SQLite DataBase Zone file
+    And the DID corresponding to the Trust Framework is published as URI records in the DNS Zone Manager SQLite DataBase Zone file
+    And the Zone file is resigned based on DNSSEC for every new update
+
+  Scenario: 00024-A3_A wrong context leads to an exception (400)
+
+    Given the fully environment setup
+    When the context of the Notary request is wrong
+    Then the request leads to an exception (400)
+    And an audit entry is created
+
+  Scenario: 00024-A4_A missing data leads to an exception (404)
+
+    Given the fully environment setup
+    When the Notary request has some missing data
+    Then the request leads to an exception (404)
+    And an audit entry is created
+
+  Scenario: 00024-A5_An error is provided if a record is in progress by the operator
+ #low priority
+  @manual
+    Given the fully environment setup
+    And an update or create record is still in progress by the operator
+    When a next create/update request of trust framework is sent
+    Then an error `409 Conflict` is provided
\ No newline at end of file
--- a/bdd/features/02 Trust List Management.feature
+++ b/bdd/features/02 Trust List Management.feature
+Feature: Trust List Management
+  allow CRUD (create, read, update, delete) operations on the trust list at the Trusted Data Store
+
+  Scenario: 00015-A1_A request update has been successfully reflected in the trust list (200)
+    Given fully environment setup
+      And a trust list at the Trusted Data Store
+     When the Notary sends an update request of trust list via the Notary Connector (API)
+     Then a request update is reflected in the trust list (200)
+
+    When in create operation
+    Then a new trust list entry is created
+
+    When in read operation
+
+    Then trust list is referenced by name `endpoint/federation1.test.train.trust-scheme.de`
+    # e.g. https://tspa.trust-scheme.de/tspa_train_domain/api/v1/scheme/federation1.test.train.trust-scheme.de
+
+    When in update operation
+    Then the requested change is reflected in trust list
+
+    When in delete operation
+    Then the trust list entry of the entity is deleted from the list
+
+    Given client rust client installed
\ No newline at end of file
--- a/bdd/features/03 Trust Framework Configuration.feature
+++ b/bdd/features/03 Trust Framework Configuration.feature
+Feature: Creation of trust frameworks
+  creation and configuration of DIDs with well-known did configurations
+  instantiation of trust lists, the envelopment of trust lists in Verifiable Credentials
+  with proof and configuring the enveloped VCs in the service end point of DID Documents
+
+  Background: fully environment setup
+
+    Given that the Notary Connector (API) is online
+    And the DNS-Server is running
+    And the DID Resolver is running
+
+  Scenario: 00014-A1_1_A create request of trust framework is successfully reflected in the DNS Zone File (200)
+
+    Given the fully environment setup
+    When the Notary sends a create request of trust framework via the Notary Connector (API)
+    Then the Trust Framework is created in the Trust List Provisioning Domain
+    And the Trust Framework is reflected as a PTR record in the DNS Zone Manager (Zone File 200)
+    And the DID is enrolled as a URI RR mapped with corresponding Trust Framework
+
+  Scenario: 00014-A1_2_An update request of trust framework is successfully reflected in the DNS Zone File (200)
+
+    Given the fully environment setup
+    When the Notary sends an update request of trust framework via the Notary Connector (API)
+    Then the updated Trust Framework is published in the Trust List Provisioning Domain
+    And the Trust Framework is reflected as a PTR record in the DNS Zone Manager (Zone File 200)
+    And the DID is enrolled as a URI RR mapped with corresponding Trust Framework
+
+  Scenario: 00014-A2_An instantiation of a trust list is reflected in the trust list storage with possibility to retrieve via API endpoints
+
+    Given the fully environment setup
+    When the Notary sends a create request of Trust List via the Notary Connector (API)
+    Then a Trust List is published in storage (Web Server or IPFS) with retrievable API endpoint in the Trust List Provisioning Domain
+
+  Scenario: 00014-A3_Creation of a Verifiable Credential (VC) is allowed with ability to sign the credential
+
+    Given the fully environment setup
+    When the DID is enrolled via the Notary Connector (API) as a URI RR mapped with corresponding Trust Framework
+    Then a DID Document is created for the DID and stored on a https URL resource
+    And the DID document defines a Service End Point with the URI to a VC
+    Then the VC (e.g. "VC_1") is created so that it can be resolved via the URI in the DID Document
+    And the "VC_1" contains the URI to resolve the Trust List
+    And the "VC_1" is signed so that it can be validated with the public key from the DID Document
+
+  Scenario: 00014-A4_A wrong context leads to an exception (400)
+
+    Given the fully environment setup
+    When the context of the Notary request is wrong
+    Then the request leads to an exception (400)
+    And an audit entry is created
+
+  Scenario: 00014-A5_A missing data leads to an exception (404)
+
+    Given the fully environment setup
+    When the Notary request has some missing data
+    Then the request leads to an exception (404)
+    And an audit entry is created
+
+  Scenario: 00014-A6_An error is provided if a record is in progress by the operator
+ #low priority
+  @manual
+    Given the fully environment setup
+    And an update or create record is still in progress by the operator
+    When a next create/update request of trust framework is sent
+    Then an error `409 Conflict` is provided
+
+  Scenario: 00014-A7_Should be able to reference Trust Frameworks from other Domains
+
+    Given the fully environment setup
+    When a Trust Framework DNS entry (_scheme._trust.federation1.com) contains several PTR RRs (PTR RR_1,PTR RR_2,PTR RR_3)
+    Then each PTR RR points to a DNS entry where the location of a trust list can be found, in a URI RR
+    And the PTR RRs allows one Trust Framework to point to several trust lists from other Domains
\ No newline at end of file
--- a/bdd/features/00016_Trusted_Content_Resolver.feature
+++ b/bdd/features/00016_Trusted_Content_Resolver.feature
@@ -8,7 +8,8 @@ Feature: Testing Trusted Content Resolver REST API
  @succeed
  Scenario Outline: Trust Discovery with <Authoritative DNS server> succeed

-    Given <Authoritative DNS server> with <IP> is running
+    Given client <Client> installed
+      And <Authoritative DNS server> with <IP> is running
      And multiple Trust Framework Pointers
          """
          sausweis.train1.trust-scheme.de
@@ -19,14 +20,18 @@ Feature: Testing Trusted Content Resolver REST API
    When above Trust Framework Pointers are supplied in resolver trust request by `did:example:123456789abcdefghijk`
    Then Trust List's corresponding Trust Framework pointers from context

+    Examples: Combination "DNS Server" / "Client implementation"
+      | Authoritative DNS server | IP      | Client                                       |
+      | Configured Mocked DNS    | x.x.x.1 | Trust-content-resolver-client-validator-go   |
+      | Configured Mocked DNS    | x.x.x.1 | Trust-content-resolver-client-validator-java |
+      | Configured Mocked DNS    | x.x.x.1 | Trust-content-resolver-client-validator-js   |
+      | Configured Mocked DNS    | x.x.x.1 | Trust-content-resolver-client-validator-py   |

-    Examples: DNS Server
-      | Authoritative DNS server | IP      |
-      | Configured Mocked DNS    | x.x.x.1 |
      #| CI/CD KNOT               | x.x.x.2 |
      #| CI/CD NSD                | x.x.x.3 |
      #| Fraunhofer NSD           | 3.67.18.47 |

+
  @edge-case
  Scenario Outline: Trust Discovery with <Authoritative DNS server> fail


--- a/bdd/features/04.2 Trusted Content Resolver_Verification.feature
+++ b/bdd/features/04.2 Trusted Content Resolver_Verification.feature
+Feature:  validate the output of the trust discovery functionality of the Trusted Content Resolver
+  validate the association of DID with a well-known DID configuration
+  validate the integrity of the VC
+  validate the issuer details from the trust lists extracted from service endpoints
+  integrate by TRAIN client libraries (go, java, js, py)
+
+Background: fully environment setup
+
+  Given that the TCR is running
+    And The DID Resolver is running
+    And The DNS entry is configured
+    And DNSSEC is correct
+    And Multiple Trust Framework Pointers exist (example.federation1.de, example.federation2.de)
+    And client `Trust-content-resolver-client-validator-java` installed
+    And client `Trust-content-resolver-client-validator-py` installed
+    And client `Trust-content-resolver-client-validator-go` installed
+    And client `Trust-content-resolver-client-validator-js` installed
+
+# make 2 use case:
+# 1. RSA
+# 2. ECDSA
+# (1) and (2) combination with (VALID, INVALID, INDETERMINATE)
+Scenario: 00017-A1_VC validation mechanism supports multiple signature proofs (RSA, ECDSA)
+
+  Given the fully environment setup
+    And Corresponding DID mapped to Trust Framework Pointer 
+    And DID Document of the DID registered
+    And Trust List VC endpoint available
+   When the Trusted Content Resolver (TCR) reads the PTR RRs of the DNS Domain resolved from the Trust Framework Pointer
+   Then the 'Well Known DID configuration' verification is performed for DID-method "web"
+    And the DID Document is resolved which leads to a VC via its Service Endpoint
+    And the proof of the VC is validated against the public keys of the DID Document using cryptograhic libraries
+    And the result of the VC is validated (result: VALID, INVALID, INDETERMINATE)
+    And multiple signature proofs (RSA, ECDSA) are supported
+    And the Credential Subject of the VC is ready to obtain the URI of the Trust List (at a https URL)
+    And the trust list is resolved
+    And the TCR checks that the specific entity is listed in the trust list
+    And the TCR will return that the claimed entity is a member of the trust framework operated by "DNS name"
+    And the VC schema can be checked
--- a/bdd/setup.cfg
+++ b/bdd/setup.cfg
@@ -13,6 +13,8 @@ install_requires =
    requests==2.31.0
    behave[docs,develop,formatters,toml]==1.2.6
    pydantic==2.4.2
+    bash==0.6
+    Jinja2==3.1.2

    # dnspython; If cryptography is installed,
    # then dnspython will be able to do low-level DNSSEC signature generation and validation.
@@ -45,7 +47,7 @@ branch=True
 source=src

 [coverage:report]
-fail_under=16
+fail_under=12
 show_missing=True
 exclude_lines =
    pragma: no cover
@@ -75,4 +77,15 @@ filterwarnings =

 [pylint.FORMAT]
 # Regexp for a line that is allowed to be longer than the limit.
-ignore-long-lines=^\s*(# )?<?https?://\S+>?$|See `https://\S+`_
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$|See `https://\S+`_| GIT_ROOT / .+
+
+[pylint.MESSAGES CONTROL]
+disable=
+    fixme
+
+[mypy]
+strict = True
+show_error_codes = True
+
+[mypy-bash.*]
+ignore_missing_imports = True
--- a/bdd/src/train_bdd/_env.py
+++ b/bdd/src/train_bdd/_env.py
@@ -6,4 +6,6 @@ import os
 _PREFIX = "TRAIN"

 DID_RESOLVER_HOST = os.getenv(_PREFIX + "_DID_RESOLVER_HOST")
-TRUST_CONTENT_RESOLVER_HOST = os.getenv(_PREFIX + "_TRUST_CONTENT_RESOLVER_HOST")
+HOST = os.getenv(_PREFIX + "_TRUST_CONTENT_RESOLVER_HOST")
+CLIENT_PY_VENV = os.getenv(_PREFIX + "_TRUST_CONTENT_RESOLVER_CLIENT_PY_VENV")
+CLIENT_JAVA_TARGET = os.getenv(_PREFIX + "_TRUST_CONTENT_RESOLVER_CLIENT_JAVA_TARGET")
--- a/bdd/src/train_bdd/models/client/__init__.py
+++ b/bdd/src/train_bdd/models/client/__init__.py