feat: implement Remote STS Account provisioning (#470)

* modularize provisioner: introduce local STS account service

* remote sts provisioner (wip)

* add component tests to remote sts service

* remove old test resources

* added a STS runtime

* adds e2e tests for the RemoteStsAccountService

* deps, minor fixes

* fix license headers

* DEPENDENCIES

* compile before PG tests

.github/workflows/verify.yaml

@@ -46,10 +46,10 @@ jobs:
       - uses: eclipse-edc/.github/.github/actions/setup-build@main
 
       - name: 'Build launcher'
-        run: ./gradlew :launcher:shadowJar
+        run: ./gradlew :launcher:identityhub:shadowJar
 
       - name: 'Build Docker image'
-        run: docker build -t identity-hub ./launcher
+        run: docker build -t identity-hub ./launcher/identityhub
 
       - name: 'Start Identity Hub'
         run: |
@@ -96,7 +96,7 @@ jobs:
       - uses: eclipse-edc/.github/.github/actions/setup-build@main
 
       - name: Postgresql Tests
-        run: ./gradlew test -DincludeTags="PostgresqlIntegrationTest"
+        run: ./gradlew compileJava compileTestJava test -DincludeTags="PostgresqlIntegrationTest"
 
   Verify-OpenApi:
     if: github.event_name == 'pull_request'

DEPENDENCIES

@@ -49,6 +49,7 @@ maven/mavencentral/com.github.java-json-tools/json-schema-core/1.2.14, Apache-2.
 maven/mavencentral/com.github.java-json-tools/json-schema-validator/2.2.14, Apache-2.0 OR LGPL-3.0-or-later, approved, #15263
 maven/mavencentral/com.github.java-json-tools/msg-simple/1.2, Apache-2.0 OR LGPL-3.0-or-later, approved, #15239
 maven/mavencentral/com.github.java-json-tools/uri-template/0.10, , approved, #15288
+maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0, approved, CQ21949
 maven/mavencentral/com.google.code.findbugs/jsr305/2.0.1, BSD-3-Clause AND CC-BY-2.5 AND LGPL-2.1+, approved, CQ13390
 maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, CC-BY-2.5, approved, #15220
 maven/mavencentral/com.google.code.gson/gson/2.10.1, Apache-2.0, approved, #6159
@@ -74,7 +75,7 @@ maven/mavencentral/com.lmax/disruptor/3.4.4, Apache-2.0, approved, clearlydefine
 maven/mavencentral/com.networknt/json-schema-validator/1.0.76, Apache-2.0, approved, CQ22638
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.28, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.41.1, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.41.2, , restricted, clearlydefined
+maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.41.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.puppycrawl.tools/checkstyle/10.18.2, LGPL-2.1-or-later AND (Apache-2.0 AND LGPL-2.1-or-later) AND Apache-2.0, approved, #16060
 maven/mavencentral/com.samskivert/jmustache/1.15, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.12.0, Apache-2.0, approved, #11159
@@ -241,6 +242,7 @@ maven/mavencentral/org.eclipse.edc/api-core/0.10.0-SNAPSHOT, Apache-2.0, approve
 maven/mavencentral/org.eclipse.edc/api-observability/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/asset-spi/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/auth-spi/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
+maven/mavencentral/org.eclipse.edc/auth-tokenbased/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/autodoc-processor/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/boot-lib/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/boot-spi/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
@@ -260,6 +262,7 @@ maven/mavencentral/org.eclipse.edc/identity-did-core/0.10.0-SNAPSHOT, Apache-2.0
 maven/mavencentral/org.eclipse.edc/identity-did-spi/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/identity-did-web/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/identity-trust-spi/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
+maven/mavencentral/org.eclipse.edc/identity-trust-sts-accounts-api/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/identity-trust-sts-api/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/identity-trust-sts-core/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc
 maven/mavencentral/org.eclipse.edc/identity-trust-sts-embedded/0.10.0-SNAPSHOT, Apache-2.0, approved, technology.edc

README.md

@@ -42,7 +42,8 @@ others.
 
 ## Quick start
 
-A basic launcher configured with in-memory stores (i.e. no persistent storage) can be found [here](launcher/). There are
+A basic launcher configured with in-memory stores (i.e. no persistent storage) can be
+found [here](launcher/identityhub). There are
 two ways of running IdentityHub:
 
 1. As native Java process
@@ -51,7 +52,7 @@ two ways of running IdentityHub:
 ### Build the `*.jar` file
 
 ```bash
-./gradlew :launcher:shadowJar
+./gradlew :launcher:identityhub:shadowJar
 ```
 
 ### Start IdentityHub as Java process
@@ -66,7 +67,7 @@ java -Dweb.http.presentation.port=10001 \
      -Dweb.http.identity.port=8182 \
      -Dweb.http.identity.path="/api/identity" \
      -Dedc.ih.api.superuser.key="c3VwZXItdXNlcgo=c3VwZXItc2VjcmV0Cg==" \
-     -jar launcher/build/libs/identity-hub.jar
+     -jar launcher/identityhub/build/libs/identity-hub.jar
 ```
 
 this will expose the Presentation API at `http://localhost:10001/api/presentation` and the Identity API
@@ -76,7 +77,7 @@ found [here](docs/developer/architecture/identityhub-apis.md)
 ### Create the Docker image
 
 ```bash
-docker build -t identity-hub ./launcher
+docker build -t identity-hub ./launcher/identityhub
 ```
 
 ### Start the Identity Hub

core/identity-hub-core/build.gradle.kts

@@ -10,7 +10,7 @@ dependencies {
     implementation(project(":core:lib:credential-query-lib"))
     implementation(libs.edc.spi.dcp) //SignatureSuiteRegistry
     implementation(libs.edc.core.connector) // for the CriterionToPredicateConverterImpl
-    implementation(libs.edc.ext.jsonld) // for the JSON-LD mapper
+    implementation(libs.edc.jsonld) // for the JSON-LD mapper
     implementation(libs.edc.lib.util)
     implementation(libs.edc.lib.store)
     implementation(libs.edc.lib.jsonld)
@@ -25,7 +25,7 @@ dependencies {
 
 
     testImplementation(libs.edc.junit)
-    testImplementation(libs.edc.ext.jsonld)
+    testImplementation(libs.edc.jsonld)
     testImplementation(testFixtures(project(":spi:identity-hub-store-spi")))
     testImplementation(testFixtures(libs.edc.vc.jwt)) // JWT generator
 }

core/identity-hub-did/build.gradle.kts

@@ -15,7 +15,7 @@ dependencies {
     implementation(libs.edc.lib.query)
 
     testImplementation(libs.edc.junit)
-    testImplementation(libs.edc.ext.jsonld)
+    testImplementation(libs.edc.jsonld)
     testImplementation(libs.edc.lib.keys)
     testImplementation(testFixtures(project(":spi:identity-hub-spi")))
     testImplementation(testFixtures(project(":spi:did-spi")))

core/identity-hub-participants/src/main/java/org/eclipse/edc/identityhub/participantcontext/ParticipantContextExtension.java

@@ -16,22 +16,20 @@
 
 import org.eclipse.edc.identithub.spi.did.store.DidResourceStore;
 import org.eclipse.edc.identityhub.spi.keypair.KeyPairService;
-import org.eclipse.edc.identityhub.spi.participantcontext.AccountProvisioner;
 import org.eclipse.edc.identityhub.spi.participantcontext.ParticipantContextService;
+import org.eclipse.edc.identityhub.spi.participantcontext.StsAccountProvisioner;
 import org.eclipse.edc.identityhub.spi.participantcontext.events.ParticipantContextObservable;
 import org.eclipse.edc.identityhub.spi.store.ParticipantContextStore;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Provider;
 import org.eclipse.edc.spi.event.EventRouter;
-import org.eclipse.edc.spi.result.ServiceResult;
 import org.eclipse.edc.spi.security.Vault;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.transaction.spi.TransactionContext;
 
 import java.time.Clock;
 
-import static java.util.Optional.ofNullable;
 import static org.eclipse.edc.identityhub.participantcontext.ParticipantContextExtension.NAME;
 
 @Extension(NAME)
@@ -53,8 +51,8 @@ public class ParticipantContextExtension implements ServiceExtension {
     @Inject
     private DidResourceStore didResourceStore;
 
-    @Inject(required = false)
-    private AccountProvisioner accountProvisioner;
+    @Inject
+    private StsAccountProvisioner stsAccountProvisioner;
 
     private ParticipantContextObservable participantContextObservable;
 
@@ -65,7 +63,7 @@ public String name() {
 
     @Provider
     public ParticipantContextService createParticipantService() {
-        return new ParticipantContextServiceImpl(participantContextStore, didResourceStore, vault, transactionContext, participantContextObservable(), accountProvisioner());
+        return new ParticipantContextServiceImpl(participantContextStore, didResourceStore, vault, transactionContext, participantContextObservable(), stsAccountProvisioner);
     }
 
     @Provider
@@ -76,9 +74,4 @@ public ParticipantContextObservable participantContextObservable() {
         }
         return participantContextObservable;
     }
-
-    private AccountProvisioner accountProvisioner() {
-        return ofNullable(accountProvisioner)
-                .orElseGet(() -> manifest -> ServiceResult.success()); // default is a NOOP
-    }
 }

core/identity-hub-participants/src/main/java/org/eclipse/edc/identityhub/participantcontext/ParticipantContextServiceImpl.java

@@ -15,8 +15,8 @@
 package org.eclipse.edc.identityhub.participantcontext;
 
 import org.eclipse.edc.identithub.spi.did.store.DidResourceStore;
-import org.eclipse.edc.identityhub.spi.participantcontext.AccountProvisioner;
 import org.eclipse.edc.identityhub.spi.participantcontext.ParticipantContextService;
+import org.eclipse.edc.identityhub.spi.participantcontext.StsAccountProvisioner;
 import org.eclipse.edc.identityhub.spi.participantcontext.events.ParticipantContextObservable;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContext;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContextState;
@@ -52,20 +52,20 @@ public class ParticipantContextServiceImpl implements ParticipantContextService
     private final TransactionContext transactionContext;
     private final ApiTokenGenerator tokenGenerator;
     private final ParticipantContextObservable observable;
-    private final AccountProvisioner accountProvisioner;
+    private final StsAccountProvisioner stsAccountProvisioner;
 
     public ParticipantContextServiceImpl(ParticipantContextStore participantContextStore,
                                          DidResourceStore didResourceStore,
                                          Vault vault,
                                          TransactionContext transactionContext,
                                          ParticipantContextObservable observable,
-                                         AccountProvisioner accountProvisioner) {
+                                         StsAccountProvisioner stsAccountProvisioner) {
         this.participantContextStore = participantContextStore;
         this.didResourceStore = didResourceStore;
         this.vault = vault;
         this.transactionContext = transactionContext;
         this.observable = observable;
-        this.accountProvisioner = accountProvisioner;
+        this.stsAccountProvisioner = stsAccountProvisioner;
         this.tokenGenerator = new ApiTokenGenerator();
     }
 
@@ -79,7 +79,7 @@ public ServiceResult<Map<String, Object>> createParticipantContext(ParticipantMa
             var context = convert(manifest);
             var res = createParticipantContext(context)
                     .compose(u -> createTokenAndStoreInVault(context)).onSuccess(k -> response.put("apiKey", k))
-                    .compose(apiKey -> accountProvisioner.create(manifest))
+                    .compose(apiKey -> stsAccountProvisioner.create(manifest))
                     .onSuccess(accountInfo -> {
                         if (accountInfo != null) {
                             response.put("clientId", accountInfo.clientId());

core/identity-hub-participants/src/test/java/org/eclipse/edc/identityhub/participantcontext/ParticipantContextServiceImplTest.java

@@ -20,7 +20,7 @@
 import org.assertj.core.api.Assertions;
 import org.eclipse.edc.identithub.spi.did.model.DidResource;
 import org.eclipse.edc.identithub.spi.did.store.DidResourceStore;
-import org.eclipse.edc.identityhub.spi.participantcontext.AccountProvisioner;
+import org.eclipse.edc.identityhub.spi.participantcontext.StsAccountProvisioner;
 import org.eclipse.edc.identityhub.spi.participantcontext.events.ParticipantContextObservable;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.KeyDescriptor;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContext;
@@ -62,7 +62,7 @@ class ParticipantContextServiceImplTest {
     private final ParticipantContextStore participantContextStore = mock();
     private final ParticipantContextObservable observableMock = mock();
     private final DidResourceStore didResourceStore = mock();
-    private final AccountProvisioner provisionerMock = mock();
+    private final StsAccountProvisioner provisionerMock = mock();
     private ParticipantContextServiceImpl participantContextService;
 
     @BeforeEach

core/presentation-api/build.gradle.kts

@@ -32,7 +32,7 @@ dependencies {
     implementation(libs.edc.dcp.transform)
     implementation(libs.jakarta.rsApi)
     testImplementation(libs.edc.junit)
-    testImplementation(libs.edc.ext.jsonld)
+    testImplementation(libs.edc.jsonld)
     testImplementation(testFixtures(libs.edc.core.jersey))
     testImplementation(testFixtures(project(":spi:verifiable-credential-spi")))
     testImplementation(libs.nimbus.jwt)

e2e-tests/api-tests/build.gradle.kts

@@ -18,7 +18,7 @@ dependencies {
     testImplementation(testFixtures(project(":spi:verifiable-credential-spi")))
     testImplementation(testFixtures(libs.edc.testfixtures.managementapi))
     testImplementation(testFixtures(libs.edc.core.sql))
-    testImplementation(libs.edc.ext.transaction.local)
+    testImplementation(libs.edc.transaction.local)
     testImplementation(libs.edc.sql.pool)
     testImplementation(libs.nimbus.jwt)
     testImplementation(libs.jakarta.rsApi)

e2e-tests/api-tests/src/test/java/org/eclipse/edc/identityhub/tests/ParticipantContextApiEndToEndTest.java

@@ -59,7 +59,7 @@
 import static io.restassured.http.ContentType.JSON;
 import static java.util.stream.IntStream.range;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.eclipse.edc.identityhub.spi.participantcontext.AccountProvisioner.CLIENT_SECRET_PROPERTY;
+import static org.eclipse.edc.identityhub.spi.participantcontext.StsAccountProvisioner.CLIENT_SECRET_PROPERTY;
 import static org.eclipse.edc.identityhub.tests.fixtures.IdentityHubEndToEndTestContext.SUPER_USER;
 import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.equalTo;

e2e-tests/api-tests/src/test/java/org/eclipse/edc/identityhub/tests/fixtures/IdentityHubEndToEndExtension.java

@@ -76,7 +76,7 @@ public static IdentityHubEndToEndTestContext context() {
             var runtime = new EmbeddedRuntime(
                     "identity-hub",
                     configuration.config(),
-                    ":launcher"
+                    ":launcher:identityhub"
             );
 
             return new IdentityHubEndToEndTestContext(runtime, configuration);
@@ -112,7 +112,7 @@ public static IdentityHubEndToEndTestContext context(String dbName, Integer port
             var runtime = new EmbeddedRuntime(
                     "control-plane",
                     cfg,
-                    ":launcher",
+                    ":launcher:identityhub",
                     ":extensions:store:sql:identity-hub-credentials-store-sql",
                     ":extensions:store:sql:identity-hub-did-store-sql",
                     ":extensions:store:sql:identity-hub-keypair-store-sql",