feat(ssi): Issuer component re issuance of bpnl and membership credentials

README.md

@@ -36,6 +36,7 @@ See Docker notice files for more information:
 - [credential-issuer-service](./docker//notice-credential-issuer-service.md)
 - [credential-issuer-processes-worker](./docker/notice-credential-issuer-processes-worker.md)
 - [credential-expiry-app](./docker/notice-credential-expiry-app.md)
+- [credential-reissuance-app](./docker/notice-credential-reissuance-app.md)
 - [credential-issuer-migrations](./docker/notice-credential-issuer-migrations.md)
 
 ## Contributing

charts/ssi-credential-issuer/templates/cronjob-reissuance-app.yaml

@@ -0,0 +1,114 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "issuer.labels" . | nindent 4 }}
+spec:
+  schedule: "0 23 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+          - name: {{ include "issuer.fullname" . }}-{{ .Values.credentialReissuance.name }}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+            image: "{{ .Values.credentialReissuance.image.name }}:{{ .Values.credentialReissuance.image.tag | default .Chart.AppVersion }}"
+            imagePullPolicy: "{{ .Values.credentialReissuance.imagePullPolicy }}"
+            env:
+            - name: DOTNET_ENVIRONMENT
+              value: "{{ .Values.dotnetEnvironment }}"
+            {{- if .Values.postgresql.enabled }}
+            - name: "ISSUER_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "issuer.postgresSecretName" . }}"
+                  key: "password"
+            - name: "CONNECTIONSTRINGS__ISSUERDB"
+              value: "Server={{ template "issuer.postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
+            {{- end }}
+            {{- if not .Values.postgresql.enabled }}
+            - name: "ISSUER_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.externalDatabase.secret }}"
+                  key: "password"
+            - name: "CONNECTIONSTRINGS__ISSUERDB"
+              value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
+            {{- end }}
+            - name: "EXPIRY__EXPIREDVCSTOREISSUEINDAYS"
+              value: "{{ .Values.credentialReissuance.expiry.expiredVcsToReissueInDays }}"
+            - name: "PORTAL__CLIENTID"
+              value: "{{ .Values.service.portal.clientId }}"
+            - name: "PORTAL__CLIENTSECRET"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "issuer.secretName" . }}"
+                  key: "portal-client-secret"
+            - name: "PORTAL__GRANTTYPE"
+              value: "{{ .Values.processesworker.portal.grantType }}"
+            - name: "PORTAL__TOKENADDRESS"
+              value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}"
+            - name: "PORTAL__BASEADDRESS"
+              value: "{{ .Values.portalBackendAddress }}"
+            - name: "PORTAL__PASSWORD"
+              value: "empty"
+            - name: "PORTAL__SCOPE"
+              value: "{{ .Values.processesworker.portal.scope }}"
+            - name: "PORTAL__USERNAME"
+              value: "empty"
+            - name: "CREDENTIAL__ISSUERDID"
+              value: "{{ .Values.service.credential.issuerDid }}"
+            - name: "CREDENTIAL__ISSUERBPN"
+              value: "{{ .Values.service.credential.issuerBpn }}"
+            - name: "CREDENTIAL__STATUSLISTURL"
+              value: "{{ .Values.service.credential.statusListUrl }}"
+            - name: "CREDENTIAL__ENCRYPTIONCONFIG__ENCRYPTIONCONFIGINDEX"
+              value: "{{ .Values.service.credential.encryptionConfigIndex }}"
+            - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__INDEX"
+              value: "{{ .Values.service.credential.encryptionConfigs.index0.index}}"
+            - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__CIPHERMODE"
+              value: "{{ .Values.service.credential.encryptionConfigs.index0.cipherMode}}"
+            - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__PADDINGMODE"
+              value: "{{ .Values.service.credential.encryptionConfigs.index0.paddingMode}}"
+            - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "issuer.secretName" . }}"
+                  key: "credential-encryption-key0"
+            ports:
+            - name: http
+              containerPort: {{ .Values.portContainer }}
+              protocol: TCP
+            resources:
+              {{- toYaml .Values.credentialReissuance.resources | nindent 14 }}

charts/ssi-credential-issuer/values.yaml

@@ -157,6 +157,27 @@ credentialExpiry:
     expiredVcsToDeleteInMonth: 12
     inactiveVcsToDeleteInWeeks: 12
 
+credentialReissuance:
+  name: "reissuance"
+  image:
+    name: "docker.io/tractusx/ssi-credential-reissuance-app"
+    tag: ""
+  imagePullPolicy: "IfNotPresent"
+  # -- We recommend to review the default resource limits as this should a conscious choice.
+  resources:
+    requests:
+      cpu: 15m
+      memory: 105M
+    limits:
+      cpu: 45m
+      memory: 105M
+  processIdentity:
+    identityId: 23db9ff3-20c7-476c-ba70-6bdfe5c97104
+  logging:
+    default: "Information"
+  expiry:
+    expiredVcsToReissueInDays: 1
+
 # -- Secret containing the client-secrets for the connection to portal and wallet
 # as well as encryptionKeys for issuer.credential and processesworker.wallet
 existingSecret: ""

docker/Dockerfile-credential-reissuance-app

@@ -0,0 +1,35 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS publish
+ARG TARGETARCH
+WORKDIR /
+COPY LICENSE NOTICE.md DEPENDENCIES /
+COPY src/ src/
+RUN dotnet restore "src/credentials/SsiCredentialIssuer.Reissuance.App/SsiCredentialIssuer.Reissuance.App.csproj"
+WORKDIR /src/credentials/SsiCredentialIssuer.Reissuance.App
+RUN dotnet publish "SsiCredentialIssuer.Reissuance.App.csproj" -c Release -o /app/publish
+
+FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine
+ENV COMPlus_EnableDiagnostics=0
+WORKDIR /app
+COPY --from=publish /app/publish .
+RUN chown -R 1000:3000 /app
+USER 1000:3000
+ENTRYPOINT ["dotnet", "Org.Eclipse.TractusX.SsiCredentialIssuer.reissuance.App.dll"]

docker/notice-credential-reissuance-app.md

@@ -0,0 +1,22 @@
+## Notice for Docker image
+
+DockerHub: [https://hub.docker.com/r/tractusx/ssi-credential-reissuance-app](https://hub.docker.com/r/tractusx/ssi-credential-reissuance-app)
+
+Eclipse Tractus-X product(s) installed within the image:
+
+__Credential Reissuance App__
+
+- GitHub: https://github.com/eclipse-tractusx/ssi-credential-issuer
+- Project home: https://projects.eclipse.org/projects/automotive.tractusx
+- Dockerfile: https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/main/docker/Dockerfile-credential-reissuance-app
+- Project license: [Apache License, Version 2.0](https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/main/LICENSE)
+
+__Used base images__
+
+- Dockerfile: [mcr.microsoft.com/dotnet/runtime:8.0-alpine](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime/8.0/alpine3.19/amd64/Dockerfile)
+- GitHub project: [https://github.com/dotnet/dotnet-docker](https://github.com/dotnet/dotnet-docker)
+- DockerHub: [https://hub.docker.com/_/microsoft-dotnet-runtime](https://hub.docker.com/_/microsoft-dotnet-runtime)
+
+As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
+
+As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.

docs/database/db-view.md

@@ -135,6 +135,10 @@ erDiagram
         timestamp lock_expiry_date
         uuid version
     }
+    REISSUANCES {
+        uuid id FK
+        uuid reissued_credential_id
+    }    
     USE_CASES {
         uuid id PK
         text name
@@ -187,6 +191,7 @@ erDiagram
     PROCESS_STEPS ||--|| PROCESS_STEP_TYPES : process_step_type_id
     PROCESS_STEPS ||--|| PROCESSES : process_id
     PROCESSES ||--|| PROCESS_TYPES : process_type_id
+    REISSUANCES ||--|| COMPANY_SSI_DETAILS : company_ssi_detail_id
     VERIFIED_CREDENTIAL_EXTERNAL_TYPE_DETAIL_VERSIONS ||--|| VERIFIED_CREDENTIAL_EXTERNAL_TYPES : verified_credential_external_type_id
     VERIFIED_CREDENTIAL_TYPE_ASSIGNED_EXTERNAL_TYPES ||--|| VERIFIED_CREDENTIAL_EXTERNAL_TYPES : has
     VERIFIED_CREDENTIAL_TYPE_ASSIGNED_EXTERNAL_TYPES ||--|| VERIFIED_CREDENTIAL_TYPES : has
@@ -322,6 +327,7 @@ label (TEXT): The label of the process step type.
 
 - `CREATE_CREDENTIAL`: Creates a credential in the issuer wallet.
 - `SIGN_CREDENTIAL`: Signs the credential in the issuer wallet.
+- `REVOKE_REISSUED_CREDENTIAL`: Revoke reissued credentials.
 - `SAVE_CREDENTIAL_DOCUMENT`: Saves the credential in the database.
 - `CREATE_CREDENTIAL_FOR_HOLDER`: Creates the credential in the holder wallet.
 - `TRIGGER_CALLBACK`: Triggers the callback to the portal.
@@ -356,6 +362,11 @@ process_type_id (INTEGER): A foreign key referencing id in the PROCESS_TYPES tab
 lock_expiry_date (TIMESTAMP): The lock expiry date of the process.
 version (UUID): The version of the process.
 
+### REISSUANCES
+
+id (UUID): A foreign key referencing id in the COMPANY_SSI_DETAILS.
+reissued_credential_id(UUID): Id that identifies the reissued credential added to the COMPANY_SSI_DETAILS.
+
 ### USE_CASES
 
 id (UUID): A unique identifier for the use case. This is the primary key of the table.

environments/consortia/helm-values/values-dev.yaml

@@ -86,6 +86,13 @@ credentialExpiry:
   logging:
     default: "Debug"
 
+credentialReissuance:
+  image:
+    tag: "main"
+  imagePullPolicy: "Always"
+  logging:
+    default: "Debug"
+
 centralidp:
   address: "https://centralidp.dev.demo.catena-x.net"
   jwtBearerOptions:

environments/consortia/helm-values/values-int.yaml

@@ -74,6 +74,10 @@ credentialExpiry:
   logging:
     default: "Debug"
 
+credentialReissuance:
+  logging:
+    default: "Debug"
+
 centralidp:
   address: "https://centralidp.int.demo.catena-x.net"
   jwtBearerOptions:

environments/consortia/helm-values/values-rc.yaml

@@ -86,6 +86,13 @@ credentialExpiry:
   logging:
     default: "Debug"
 
+credentialReissuance:
+  image:
+    tag: "rc"
+  imagePullPolicy: "Always"
+  logging:
+    default: "Debug"
+
 centralidp:
   address: "https://centralidp-rc.dev.demo.catena-x.net"
   jwtBearerOptions:

environments/helm-values/values-int.yaml

@@ -73,6 +73,10 @@ credentialExpiry:
   logging:
     default: "Debug"
 
+credentialReissuance:
+  logging:
+    default: "Debug"
+
 centralidp:
   address: "https://centralidp.int.catena-x.net"
   jwtBearerOptions:

src/SsiCredentialIssuer.sln

@@ -1,4 +1,7 @@
 Microsoft Visual Studio Solution File, Format Version 12.00
+# 
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "database", "database", "{E9E08CE9-985A-4507-BBD3-9470623986CF}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "issuer", "issuer", "{32D0AE23-BFAA-4D65-AF9D-2DF951BA5A3B}"
@@ -59,6 +62,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Callback.Service", "externa
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Callback.Service.Tests", "..\tests\externalservices\Callback.Service.Tests\Callback.Service.Tests.csproj", "{61DB2ADF-DBC1-4647-AAD2-A8E992E75B37}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SsiCredentialIssuer.Reissuance.App", "credentials\SsiCredentialIssuer.Reissuance.App\SsiCredentialIssuer.Reissuance.App.csproj", "{2757DB44-F658-420F-B00A-48EC6DBA6035}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "credentials\SsiCredentialIssuer.Credential.Library", "credentials\SsiCredentialIssuer.Credential.Library\SsiCredentialIssuer.Credential.Library.csproj", "{832CA2B5-E08D-4EB6-9C99-020E01A86A2C}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SsiCredentialIssuer.Reissuance.App.Tests", "..\tests\credentials\SsiCredentialIssuer.Reissuance.App.Tests\SsiCredentialIssuer.Reissuance.App.Tests.csproj", "{677EC522-C102-4446-80E4-B98E6C527D33}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -161,6 +170,21 @@ Global
 		{61DB2ADF-DBC1-4647-AAD2-A8E992E75B37}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{61DB2ADF-DBC1-4647-AAD2-A8E992E75B37}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{61DB2ADF-DBC1-4647-AAD2-A8E992E75B37}.Release|Any CPU.Build.0 = Release|Any CPU
+		{2757DB44-F658-420F-B00A-48EC6DBA6035}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{2757DB44-F658-420F-B00A-48EC6DBA6035}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{2757DB44-F658-420F-B00A-48EC6DBA6035}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{2757DB44-F658-420F-B00A-48EC6DBA6035}.Release|Any CPU.Build.0 = Release|Any CPU
+		{832CA2B5-E08D-4EB6-9C99-020E01A86A2C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{832CA2B5-E08D-4EB6-9C99-020E01A86A2C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{832CA2B5-E08D-4EB6-9C99-020E01A86A2C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{832CA2B5-E08D-4EB6-9C99-020E01A86A2C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{677EC522-C102-4446-80E4-B98E6C527D33}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{677EC522-C102-4446-80E4-B98E6C527D33}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{677EC522-C102-4446-80E4-B98E6C527D33}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{677EC522-C102-4446-80E4-B98E6C527D33}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{6905B6DF-722B-4882-A2CB-5E6BFD0244F2} = {32D0AE23-BFAA-4D65-AF9D-2DF951BA5A3B}
@@ -187,5 +211,8 @@ Global
 		{0A9C65F7-62B6-421F-ADA5-709A1EE10901} = {A2FC3E0F-5AFE-44FA-909B-B8016DD1EB44}
 		{E1821527-A5F9-4D56-BAB0-6F45FE6F3299} = {A37A220C-4242-4FB2-98ED-EF4B602EF6C1}
 		{61DB2ADF-DBC1-4647-AAD2-A8E992E75B37} = {A2FC3E0F-5AFE-44FA-909B-B8016DD1EB44}
+		{2757DB44-F658-420F-B00A-48EC6DBA6035} = {A79FF417-08E7-4175-8089-5F21054F5BDE}
+		{832CA2B5-E08D-4EB6-9C99-020E01A86A2C} = {A79FF417-08E7-4175-8089-5F21054F5BDE}
+		{677EC522-C102-4446-80E4-B98E6C527D33} = {A2FC3E0F-5AFE-44FA-909B-B8016DD1EB44}
 	EndGlobalSection
 EndGlobal