dsba-pdp

command module

v0.0.0-...-702c227 Latest Latest Go to latest Published: Sep 19, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/fiware/dsba-pdp

Links

Open Source Insights

README ¶

DSBA PDP

Implementation of a Policy-Desicion Point, evaluating Json-Web-Tokens containing VerifiableCredentials in an DSBA-compliant way. It also supports the evaluation in the context of i4Trust.

Quick start

The PDP will run in the context of an iShare-Dataprovider, therefor you need to supply the certificate and key, together with the client-id. The certificate needs to be the full chain in pem-format, the key needs to be an unencrypted rsa-privatekey. See the (invalid!) examples in the examples-folder.
The files need to be mounted to the container, default paths are /iShare/cert.pem and /iShare/key.pem. The Id has to be provided via the environment variable ISHARE_CLIENT_ID. The default will use the authorization-registry at https://ar.isharetest.net .

Assuming the certificate and key for EU.EORI.NLPACKETDEL reside in $(pwd)/examples, a PDP for PacketDelivery can be started via

    docker run -v $(pwd)/examples:/iShare -e ISHARE_CLIENT_ID="EU.EORI.NLPACKETDEL" -p 8080:8080 quay.io/wi_stefan/dsba-pdp

The PDP is now available at localhost:8080 and can be asked for a decision at localhost:8080/authz An example request would look like:

curl --location --request POST 'localhost:8080/authz' \
--header 'X-Original-URI: https://packetdelivery.org/ngsi-ld/v1/entities?type=DELIVERYORDER' \
--header 'X-Original-Action: GET' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJkaWQ6ZWxzaTpwYWNrZXRkZWxpdmVyeSIsImlhdCI6MTY2NzU0NTExMiwiZXhwIjoxNjk5MDgxMTEyLCJhdWQiOiJFVS5FT1JJLk5MUEFDS0VFVERFTCIsInN1YiI6ImRpZDpwZWVyOjk5YWI1YmNhNDFiYjQ1Yjc4ZDI0MmE0NmYwMTU3YjdkIiwidmVyaWZpYWJsZUNyZWRlbnRpYWwiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJodHRwczovL2hhcHB5cGV0cy5maXdhcmUuaW8vMjAyMi9jcmVkZW50aWFscy9lbXBsb3llZS92MSJdLCJpZCI6Imh0dHBzOi8vaGFwcHlwZXRzLmZpd2FyZS5pby9jcmVkZW50aWFsLzI1MTU5Mzg5LThkZDE3Yjc5NmFjMCIsInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJDdXN0b21lckNyZWRlbnRpYWwiXSwiaXNzdWVyIjp7ImlkIjoiZGlkOmVsc2k6aGFwcHlwZXRzIiwiaVNoYXJlSWQiOiJFVS5FT1JJLk5MSEFQUFlQRVRTIn0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOnBlZXI6OTlhYjViY2E0MWJiNDViNzhkMjQyYTQ2ZjAxNTdiN2QiLCJuYW1lIjoiVXNlckEiLCJnaXZlbl9uYW1lIjoiVXNlciIsImZhbWlseV9uYW1lIjoiQSIsInByZWZlcnJlZF91c2VybmFtZSI6InVzZXItYSIsImVtYWlsIjoidXNlckBhLm9yZyIsInJvbGVzIjpbeyJuYW1lIjoiU1RBTkRBUkRfQ1VTVE9NRVIiLCJhdXRob3JpemF0aW9uUmVnaXN0cnkiOnsiaWQiOiJFVS5FT1JJLk5MMDAwMDAwMDA0IiwiaG9zdCI6Imh0dHBzOi8vYXIuaXNoYXJldGVzdC5uZXQifX1dfX19.1Yj_EXVFPf1QE91VGusOiAaVUOlHYln2mNgYwMTxkNQ'

In this case, the user "UserA" of HappyPets has fullfilled the SIOP flow to PacketDelivery with a VP that includes the following VC, issued by HappyPets(encoded in the accesstoken above):

{
	"@context": [
		"https://www.w3.org/2018/credentials/v1",
		"https://happypets.fiware.io/2022/credentials/employee/v1"
	],
	"id": "https://happypets.fiware.io/credential/25159389-8dd17b796ac0",
	"type": [
		"VerifiableCredential",
		"CustomerCredential"
	],
	"issuer": "did:ebsi:happypets",
  "issuanceDate": "2022-11-23T15:23:13Z",
  "validFrom": "2022-11-23T15:23:13Z",
  "expirationDate": "2032-11-23T15:23:13Z",
	"credentialSubject": {
		"id": "did:peer:99ab5bca41bb45b78d242a46f0157b7d",
		"roles": [{
			"name": ["STANDARD_CUSTOMER"],
      "target": "did:ebsi:packetdelivery"
		}]
	}
}

With that information, the PDP will:

Build the policies required for the submitted request - e.g. GET https://packetdelivery.org/ngsi-ld/v1/entities?type=DELIVERYORDER
Iterates through the roles in the VC:
1. Get and check the required policy for delegating the role from its own authorization-registry
2. Get and check the policy connected with the assigned role from the authorization-registry included in the role
Return the decision

Decision

The PDP will receive the contents of the credential in a trusted JWT, thus its already proofen that the issuer is allowed to issue the contained credential and claims.

Depending on the type of credential, the decider will then evaluate the request in the context of the VC. Currently, only the iShare-decider is implemented. Depending on the credentials type, the iShare-decider will use iShare-compliant authoriation-registries to evaluate the request against the registered policies.

Configuration

The service provides the following configuration options:

Name	Description	Default
SERVER_PORT	Port that the pdp will listen at.	`8080`
JSON_LOGGING_ENABLED	Should the pdp log in json format?	`true`
LOG_LEVEL	Log level to be used.	`INFO`
LOG_REQUESTS	If enabled incoming requests will be logged.	`true`
LOG_SKIP_PATHS	A comma seperated list of paths that should be excluded from request logging.
ISHARE_ENABLED	Should the pdp use the iShare-authorization registry?	`true`
ISHARE_TRUSTED_LIST_ENABLED	Should the pdp use the iShare-authorization registry as a trusted list?	`true`
ISHARE_CERTIFICATE_PATH	Path to read the iShare certificate from.	`/iShare/certificate.pem`
ISHARE_KEY_PATH	Path to read the iShare key from.	`/iShare/key.pem`
ISHARE_CLIENT_ID	Id to be used for the IDP when interacting in iShare.	`EU.EORI.MyDummyClient`
ISHARE_AR_ID	Id of the Authorization Registry to be used.	`EU.EORI.NL000000004`
ISHARE_AUTHORIZATION_REGISTRY_URL	URL of the authorization registry.	`https://ar.isharetest.net`
ISHARE_DELEGATION_PATH	Path to be used for making delegation requests at the AR.	`/delegation`
ISHARE_TOKEN_PATH	Path to be used for making token requests at the AR.	`/connect/token`
ISHARE_TRUSTED_FINGERPRINTS_LIST	Initial list of fingerprints for trusted cas. This will be overwritten after the first update from the trust anchor.	``````
ISHARE_TRUST_ANCHOR_URL	URL of the trust anchor service.	`https://scheme.isharetest.net`
ISHARE_TRUST_ANCHOR_ID	ID of the trust anchor service.	`EU.EORI.NL000000000`
ISHARE_TRUST_ANCHOR_TOKEN_PATH	Path to retrieve tokens from the trust anchor.	`/connect/token`
ISHARE_TRUST_ANCHOR_TRUSTED_LIST_PATH	Path to retrieve the trusted list from the trust anchor.	`/trusted_list`
ISHARE_TRUSTED_LIST_UPDATE_RATE	Frequncy of updates from the trust anchor. In s.	`5`
PROVIDER_ID	ID to be used as a (default) role provider when verfiying the issuer.	`did:ebsi:myprovider`
TRUSTED_VERIFIERS	Comma-seperated list of jwk-endpoints for the trusted verifiers(for verfiyng the incoming jwt.). Endpoints need to provide an RFC-7517 compatible JWKS.	``````
JWK_UPDATE_INTERVAL_IN_S	Update interval of the cache in s.	`10`

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
config
decision
http
ishare
logging
model
sql

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL