chore: prepare release (#658)

.env

@@ -1,6 +1,6 @@
 # Env variables for docker-compose.yaml
-EDC_IMAGE=ghcr.io/sovity/edc-dev:6.0.0
-TEST_BACKEND_IMAGE=ghcr.io/sovity/test-backend:6.0.0
-EDC_UI_IMAGE=ghcr.io/sovity/edc-ui:2.1.0
+EDC_IMAGE=ghcr.io/sovity/edc-dev:7.0.0
+TEST_BACKEND_IMAGE=ghcr.io/sovity/test-backend:7.0.0
+EDC_UI_IMAGE=ghcr.io/sovity/edc-ui:2.2.0
 EDC_UI_ACTIVE_PROFILE=sovity-open-source
 

CHANGELOG.md

@@ -17,21 +17,60 @@ please see [changelog_updates.md](docs/dev/changelog_updates.md).
 
 #### Patch Changes
 
-- Fixed an issue preventing Contract Negotiations between MDS Connectors.
+### Deployment Migration Notes
+
+#### Compatible Versions
+
+## [7.0.0] - 2023-12-06
+
+### Overview
+
+`MY_EDC_PARTICIPANT_ID` must now coincide with a DAT claim.
+This fixes the Contract Negotiation issue that affected `5.0.0` and `6.0.0`.
+
+### EDC UI
+
+https://github.com/sovity/edc-ui/releases/tag/v2.2.0
+
+### EDC Extensions
+
+#### Major Changes
+
+- Participant IDs must now coincide with a DAT claim.
+
+#### Patch Changes
+
+- Fixed an issue preventing Contract Negotiations.
 - Fixed an issue preventing transfer processes from being marked as `COMPLETED` in Eclipse EDC `0.2`.
-- Improved `:extensions:wrapper:wrapper-common-mappers` for broker: `AssetJsonLdUtils`, made some methods public.
+- Fixed policy and permission targets shown as warnings in the UI.
 - Added example for using the API Wrapper to offer and consume data.
+- Added CHANGELOG documentation.
 - Marked `MY_EDC_NAME_KEBAB_CASE` as deprecated in favor of `MY_EDC_PARTICIPANT_ID`.
-- Improved development documentation documenting our CHANGELOG.
 
 ### Deployment Migration Notes
 
-- Renamed ~~`MY_EDC_NAME_KEBAB_CASE`~~ to `MY_EDC_PARTICIPANT_ID`. ~~`MY_EDC_NAME_KEBAB_CASE`~~ continues working, but prints a warning on startup.
-- The value of `MY_EDC_PARTICIPANT_ID` must coincide with the claim value `referringConnector`
-  as configured for this Connector in the DAPS.
+- The configured value of `MY_EDC_PARTICIPANT_ID` will now be validated via the DAPS:
+    - The configured value of `MY_EDC_PARTICIPANT_ID` must coincide with the claim value `referringConnector`
+      as configured for this Connector in the DAPS.
+    - For MS8-migrated connectors, if the Participant ID was not configured well before, existing contract agreements
+      will stop working. The Participant ID is referenced heavily in counter-party connectors, which makes a migration
+      of Participant IDs for old contract agreements impractical.
+- If a given data space has no "Participant ID" / "Connector ID" concept or does not use the `referringConnector` claim:
+    - It is possible to override the checked claim by overriding `EDC_AGENT_IDENTITY_KEY`.
+    - `EDC_AGENT_IDENTITY_KEY` could be set to the claim name of the AKI / SKI Client ID, which should always be part of
+      the issued DAT. This would be `sub` for a sovity DAPS and `client_id` for an Omejdn DAPS.
+    - `MY_EDC_PARTICIPANT_ID` would have to be set to the AKI / SKI Client ID.
+- Renamed ~~`MY_EDC_NAME_KEBAB_CASE`~~ to `MY_EDC_PARTICIPANT_ID`. ~~`MY_EDC_NAME_KEBAB_CASE`~~ continues working, but
+  prints a warning on startup if configured.
 
 #### Compatible Versions
 
+- Connector Backend Docker Images:
+    - Dev EDC: `ghcr.io/sovity/edc-dev:7.0.0`
+    - sovity EDC CE: `ghcr.io/sovity/edc-ce:7.0.0`
+    - MDS EDC CE: `ghcr.io/sovity/edc-ce-mds:7.0.0`
+- Connector UI Docker Image: `ghcr.io/sovity/edc-ui:2.2.0`
+
 ## [6.0.0] - 2023-11-17
 
 ### Overview

docker-compose-dev.yaml

@@ -5,11 +5,12 @@ services:
     ports:
       - '11000:8080'
     environment:
-      - EDC_UI_ACTIVE_PROFILE=${EDC_UI_ACTIVE_PROFILE}
-      - EDC_UI_CONFIG_URL=edc-ui-config
-      - EDC_UI_MANAGEMENT_API_URL=http://localhost:11002/api/management
-      - EDC_UI_MANAGEMENT_API_KEY=ApiKeyDefaultValue
-      - EDC_UI_CATALOG_URLS=http://edc2:11003/api/dsp
+      EDC_UI_ACTIVE_PROFILE: ${EDC_UI_ACTIVE_PROFILE}
+      EDC_UI_CONFIG_URL: edc-ui-config
+      EDC_UI_MANAGEMENT_API_URL: http://localhost:11002/api/management
+      EDC_UI_MANAGEMENT_API_KEY: ApiKeyDefaultValue
+      EDC_UI_CATALOG_URLS: http://edc2:11003/api/dsp
+      NGINX_ACCESS_LOG: off
 
   edc:
     image: ${EDC_IMAGE}
@@ -37,6 +38,7 @@ services:
       EDC_WEB_REST_CORS_ENABLED: 'true'
       EDC_WEB_REST_CORS_HEADERS: 'origin,content-type,accept,authorization,X-Api-Key'
       EDC_WEB_REST_CORS_ORIGINS: '*'
+      EDC_AGENT_IDENTITY_KEY: 'client_id' # required for Mock IAM to work
     ports:
       - '11001:11001'
       - '11002:11002'
@@ -49,11 +51,12 @@ services:
     ports:
       - '22000:8080'
     environment:
-      - EDC_UI_ACTIVE_PROFILE=${EDC_UI_ACTIVE_PROFILE}
-      - EDC_UI_CONFIG_URL=edc-ui-config
-      - EDC_UI_MANAGEMENT_API_URL=http://localhost:22002/api/management
-      - EDC_UI_MANAGEMENT_API_KEY=ApiKeyDefaultValue
-      - EDC_UI_CATALOG_URLS=http://edc:11003/api/dsp
+      EDC_UI_ACTIVE_PROFILE: ${EDC_UI_ACTIVE_PROFILE}
+      EDC_UI_CONFIG_URL: edc-ui-config
+      EDC_UI_MANAGEMENT_API_URL: http://localhost:22002/api/management
+      EDC_UI_MANAGEMENT_API_KEY: ApiKeyDefaultValue
+      EDC_UI_CATALOG_URLS: http://edc:11003/api/dsp
+      NGINX_ACCESS_LOG: off
 
   edc2:
     image: ${EDC_IMAGE}
@@ -81,6 +84,7 @@ services:
       EDC_WEB_REST_CORS_ENABLED: 'true'
       EDC_WEB_REST_CORS_HEADERS: 'origin,content-type,accept,authorization,X-Api-Key'
       EDC_WEB_REST_CORS_ORIGINS: '*'
+      EDC_AGENT_IDENTITY_KEY: 'client_id' # required for Mock IAM to work
     ports:
       - '22001:11001'
       - '22002:11002'

docker-compose.yaml

@@ -5,18 +5,19 @@ services:
     ports:
       - '11000:8080'
     environment:
-      - EDC_UI_ACTIVE_PROFILE=${EDC_UI_ACTIVE_PROFILE}
-      - EDC_UI_CONFIG_URL=edc-ui-config
-      - EDC_UI_MANAGEMENT_API_URL=http://localhost:11002/api/management
-      - EDC_UI_MANAGEMENT_API_KEY=ApiKeyDefaultValue
-      - EDC_UI_CATALOG_URLS=http://edc2:11003/api/dsp
+      EDC_UI_ACTIVE_PROFILE: ${EDC_UI_ACTIVE_PROFILE}
+      EDC_UI_CONFIG_URL: edc-ui-config
+      EDC_UI_MANAGEMENT_API_URL: http://localhost:11002/api/management
+      EDC_UI_MANAGEMENT_API_KEY: ApiKeyDefaultValue
+      EDC_UI_CATALOG_URLS: http://edc2:11003/api/dsp
+      NGINX_ACCESS_LOG: off
 
   edc:
     image: ${EDC_IMAGE}
     depends_on:
       - postgresql
     environment:
-      MY_EDC_NAME_KEBAB_CASE: "my-edc"
+      MY_EDC_PARTICIPANT_ID: "my-edc"
       MY_EDC_TITLE: "EDC Connector"
       MY_EDC_DESCRIPTION: "sovity Community Edition EDC Connector"
       MY_EDC_CURATOR_URL: "https://example.com"
@@ -37,6 +38,7 @@ services:
       EDC_WEB_REST_CORS_ENABLED: 'true'
       EDC_WEB_REST_CORS_HEADERS: 'origin,content-type,accept,authorization,X-Api-Key'
       EDC_WEB_REST_CORS_ORIGINS: '*'
+      EDC_AGENT_IDENTITY_KEY: 'client_id' # required for Mock IAM to work
     ports:
       - '11001:11001'
       - '11002:11002'
@@ -49,18 +51,19 @@ services:
     ports:
       - '22000:8080'
     environment:
-      - EDC_UI_ACTIVE_PROFILE=${EDC_UI_ACTIVE_PROFILE}
-      - EDC_UI_CONFIG_URL=edc-ui-config
-      - EDC_UI_MANAGEMENT_API_URL=http://localhost:22002/api/management
-      - EDC_UI_MANAGEMENT_API_KEY=ApiKeyDefaultValue
-      - EDC_UI_CATALOG_URLS=http://edc:11003/api/dsp
+      EDC_UI_ACTIVE_PROFILE: ${EDC_UI_ACTIVE_PROFILE}
+      EDC_UI_CONFIG_URL: edc-ui-config
+      EDC_UI_MANAGEMENT_API_URL: http://localhost:22002/api/management
+      EDC_UI_MANAGEMENT_API_KEY: ApiKeyDefaultValue
+      EDC_UI_CATALOG_URLS: http://edc:11003/api/dsp
+      NGINX_ACCESS_LOG: off
 
   edc2:
     image: ${EDC_IMAGE}
     depends_on:
       - postgresql2
     environment:
-      MY_EDC_NAME_KEBAB_CASE: "my-edc2"
+      MY_EDC_PARTICIPANT_ID: "my-edc2"
       MY_EDC_TITLE: "EDC Connector 2"
       MY_EDC_DESCRIPTION: "sovity Community Edition EDC Connector"
       MY_EDC_CURATOR_URL: "https://example.com"
@@ -81,6 +84,7 @@ services:
       EDC_WEB_REST_CORS_ENABLED: 'true'
       EDC_WEB_REST_CORS_HEADERS: 'origin,content-type,accept,authorization,X-Api-Key'
       EDC_WEB_REST_CORS_ORIGINS: '*'
+      EDC_AGENT_IDENTITY_KEY: 'client_id' # required for Mock IAM to work
     ports:
       - '22001:11001'
       - '22002:11002'

docs/deployment-guide/goals/development/README.md

@@ -30,10 +30,10 @@ the [docker-compose-dev.yaml](../../../../docker-compose-dev.yaml), execute:
 docker login ghcr.io
 
 # Pull the latest images
-docker compose --env-file .env-dev -f docker-compose-dev.yaml pull
+docker compose --env-file .env.dev -f docker-compose-dev.yaml pull
 
 # Start sovity EDC Connectors
-docker compose --env-file .env-dev -f docker-compose-dev.yaml up
+docker compose --env-file .env.dev -f docker-compose-dev.yaml up
 ```
 
 </td>
@@ -46,10 +46,10 @@ docker compose --env-file .env-dev -f docker-compose-dev.yaml up
 docker login ghcr.io
 
 # Pull the latest images
-docker compose --env-file .env-dev -f docker-compose-dev.yaml pull
+docker compose --env-file .env.dev -f docker-compose-dev.yaml pull
 
 # Start MDS EDC Connectors
-EDC_UI_ACTIVE_PROFILE=mds-open-source docker compose --env-file .env-dev -f docker-compose-dev.yaml up
+EDC_UI_ACTIVE_PROFILE=mds-open-source docker compose --env-file .env.dev -f docker-compose-dev.yaml up
 ```
 
 </td>

docs/deployment-guide/goals/production/README.md

@@ -167,7 +167,50 @@ You can use a script (if you're on WSL or Linux) to generate the SKI, AKI and jk
 No, locally run connectors cannot exchange data with online connectors. A connector must have a proper URL +
 configuration and be accesible from the data provider via REST calls.
 
+### Can I use a different DAT Claim for the Participant ID verification?
+
+The checked DAT claim name can be changed by overriding `EDC_AGENT_IDENTITY_KEY`. However, this must be done in sync
+with all connectors of the data space for contract negotations and transfers to work.
+
+### Can I change the Participant ID of my connector?
+
+You can always re-start your connector with a different Participant ID. Please make sure your changed Participant ID is
+deposited in the DAPS as new Contract Negotiations or Transfer Processes will validate the Participant ID of each
+connector. Both connectors must also be configured to check for the same claim.
+
+After changing your Participant ID old Contract Agreements will stop working, because the Participant ID is heavily
+referenced in both connectors, and there is no way for the other connector to know what your Participant ID changed to.
+
+This is relevant, because for MS8 connectors the Participant ID concept did not exist yet or was not enforced in any
+way, which might force participants to re-negotiate old contracts.
+
+### What if I have no Participant ID / Connector ID concept in my Dataspace?
+
+If there is no Participant ID / Connector ID concept in your Dataspace, you could use the AKI / SKI Client ID as
+Participant ID / Connector ID:
+
+```yaml
+# Using the SKI / AKI Client ID as Participant ID
+MY_EDC_PARTICIPANT_ID: '_your SKI/AKI_'
+
+# Claim Name of the AKI / SKI Client ID:
+EDC_AGENT_IDENTITY_KEY: 'sub' # or 'client_id' in Omejdn
+```
+
+The downside to doing this is that the AKI / SKI Client ID is not human-readable, but will be shown in many places.
+
 ### Can I still use the deprecated Omejdn DAPS?
 
 In the current version of the sovity EDC CE Connector the Omejdn DAPS is not supported due to the Omejdn DAPS requiring
 a special OAuth2 extension and custom messages that exceed the default DSP Oauth2 Specification.
+
+When using the required extension, these additional env variables would be required for the backend to be configured for
+the Omejdn DAPS:
+
+```yaml
+# Required Config for an Omejdn DAPS:
+MY_EDC_PARTICIPANT_ID: '_your SKI/AKI_'
+EDC_AGENT_IDENTITY_KEY: 'client_id'
+EDC_OAUTH_PROVIDER_AUDIENCE: 'idsc:IDS_CONNECTORS_ALL'
+EDC_OAUTH_ENDPOINT_AUDIENCE: 'idsc:IDS_CONNECTORS_ALL'
+```

extensions/wrapper/wrapper-common-mappers/src/main/java/de/sovity/edc/ext/wrapper/api/common/mappers/utils/PolicyValidator.java

@@ -60,10 +60,6 @@ public void validateOtherPolicyFieldsUnset(Policy policy, MappingErrors errors)
             errors.add("Policy has an assignee, which is currently unsupported.");
         }
 
-        if (StringUtils.isNotBlank(policy.getTarget())) {
-            errors.add("Policy has a target.");
-        }
-
         if (policy.getExtensibleProperties() != null && !policy.getExtensibleProperties().isEmpty()) {
             errors.add("Policy has extensible properties.");
         }
@@ -95,10 +91,6 @@ public void validateOtherPermissionFieldsUnset(Permission permission, MappingErr
             errors.add("Permission has an assignee, which is currently unsupported.");
         }
 
-        if (isNotBlank(permission.getTarget())) {
-            errors.add("Permission has a target.");
-        }
-
         validateAction(permission.getAction(), errors.forChildObject("action"));
     }
 

extensions/wrapper/wrapper-common-mappers/src/test/java/de/sovity/edc/ext/wrapper/api/common/mappers/utils/PolicyValidatorTest.java

@@ -75,7 +75,6 @@ void testPolicy_full() {
                 "$: Policy has inheritsFrom, which is currently unsupported.",
                 "$: Policy has an assigner, which is currently unsupported.",
                 "$: Policy has an assignee, which is currently unsupported.",
-                "$: Policy has a target.",
                 "$: Policy has extensible properties.",
                 "$: Policy does not have type SET, but OFFER, which is currently unsupported."
         );
@@ -151,7 +150,6 @@ void testPermission_full() {
                 "$: Permission has duties, which is currently unsupported.",
                 "$: Permission has an assigner, which is currently unsupported.",
                 "$: Permission has an assignee, which is currently unsupported.",
-                "$: Permission has a target.",
                 "$.action: Action has a type that is not 'USE', but 'idk'.",
                 "$.action: Action has a value for includedIn, which is currently unsupported.",
                 "$.action: Action has a constraint, which is currently unsupported."

launchers/.env

@@ -88,7 +88,7 @@ EDC_DATASOURCE_DATAPLANEINSTANCE_PASSWORD=$MY_EDC_JDBC_PASSWORD
 # Oauth default configurations for compatibility with sovity DAPS
 EDC_OAUTH_PROVIDER_AUDIENCE=${EDC_OAUTH_TOKEN_URL}
 EDC_OAUTH_ENDPOINT_AUDIENCE=idsc:IDS_CONNECTORS_ALL
-EDC_AGENT_IDENTITY_KEY=referring_connector
+EDC_AGENT_IDENTITY_KEY=referringConnector
 
 # This file could contain an entry replacing the EDC_KEYSTORE ENV var
 # but for some reason it is required, and EDC won't start up if it isn't configured