feat: introduce cel expressions

.github/workflows/e2e-tests.yaml

@@ -87,7 +87,7 @@ jobs:
       - name: "Deploy JAD applications"
         run: |-
           # this is crucial - without it, KinD would take the prebuilt images from GHCR
-          grep -rlZ "imagePullPolicy:.*Always" . | xargs sed -i "s/imagePullPolicy:.*Always/imagePullPolicy: Never/g"
+          grep -rlZ "imagePullPolicy:.*Always" . | xargs --null sed -i "s/imagePullPolicy:.*Always/imagePullPolicy: Never/g"
 
           kubectl apply -f k8s/apps
           kubectl wait --namespace edc-v \

README.md

@@ -70,10 +70,10 @@ following the following steps:
 
   ```shell
   kind load docker-image \
-      ghcr.io/metaform/jad/controlplane:0.16.0-SNAPSHOT \
-      ghcr.io/metaform/jad/identity-hub:0.16.0-SNAPSHOT \
-      ghcr.io/metaform/jad/issuerservice:0.16.0-SNAPSHOT \
-      ghcr.io/metaform/jad/dataplane:0.16.0-SNAPSHOT \
+      ghcr.io/metaform/jad/controlplane:latest \
+      ghcr.io/metaform/jad/identity-hub:latest \
+      ghcr.io/metaform/jad/issuerservice:latest \
+      ghcr.io/metaform/jad/dataplane:latest \
       ghcr.io/metaform/jad/postgres:wal2json -n edcv
   ```
   or if you're a bash god:
@@ -134,6 +134,26 @@ This sets up accounts in the IssuerService, the IdentityHub and the ControlPlane
 `MembershipCredential` to each new participant. It also seeds dummy data to each participant, specifically an Asset, a
 Policy and a ContractDefinition.
 
+## Seeding EDC-V CEL Expressions
+
+For evaluating policies EDC-V makes usage of the CEL (Common Expression Language) engine. To demonstrate this, we
+will create a simple CEL expression that allows data access only to participants that possess a valid Membership
+Credential.
+
+Run the requests in the `Create CEL expression` request in folder `EDC-V Management` in the same Bruno collection
+to create the CEL expression in the ControlPlane.
+
+![img.png](docs/images/bruno_cel_expr.png)
+
+## Seeding the Provider
+
+Before we can transfer data, we need to seed the Provider with an asset, a policy and a contract definition. This is
+done by running the requests in the `EDC-V Management (Provider)` folder in the same Bruno collection. Again, make sure
+to select the
+`"KinD Local"` environment.
+
+![img.png](docs/images/bruno_provider_seed.png)
+
 ## Transfer Data
 
 EDC-V offers a one-stop-shop API to transfer data. This is achieved by two endpoints, one that fetches the catalog (
@@ -225,22 +245,22 @@ To start, edit the `readinessProbe` section of the `keycloak` deployment manifes
 
 ```yaml
 # keycloak.yaml, Line 79ff
-   readinessProbe:
-     httpGet:
-       path: /health/ready
-       port: 9000
-     initialDelaySeconds: 30 # changed
-     periodSeconds: 10 # changed
-     successThreshold: 1
-     failureThreshold: 15 # changed
-   livenessProbe:
-     httpGet:
-       path: /health/live
-       port: 9000
-     initialDelaySeconds: 30 # changed
-     periodSeconds: 10 # changed
-     successThreshold: 1
-     failureThreshold: 15 # changed
+readinessProbe:
+  httpGet:
+    path: /health/ready
+    port: 9000
+  initialDelaySeconds: 30 # changed
+  periodSeconds: 10 # changed
+  successThreshold: 1
+  failureThreshold: 15 # changed
+livenessProbe:
+  httpGet:
+    path: /health/live
+    port: 9000
+  initialDelaySeconds: 30 # changed
+  periodSeconds: 10 # changed
+  successThreshold: 1
+  failureThreshold: 15 # changed
 ```
 
 

extensions/api/mgmt/src/main/java/org/eclipse/edc/virtualized/ApiExtension.java

@@ -14,11 +14,8 @@
 
 package org.eclipse.edc.virtualized;
 
-import org.eclipse.edc.connector.controlplane.services.spi.asset.AssetService;
 import org.eclipse.edc.connector.controlplane.services.spi.catalog.CatalogService;
-import org.eclipse.edc.connector.controlplane.services.spi.contractdefinition.ContractDefinitionService;
 import org.eclipse.edc.connector.controlplane.services.spi.contractnegotiation.ContractNegotiationService;
-import org.eclipse.edc.connector.controlplane.services.spi.policydefinition.PolicyDefinitionService;
 import org.eclipse.edc.connector.controlplane.services.spi.transferprocess.TransferProcessService;
 import org.eclipse.edc.connector.dataplane.selector.spi.DataPlaneSelectorService;
 import org.eclipse.edc.edr.spi.store.EndpointDataReferenceStore;
@@ -65,12 +62,6 @@ public class ApiExtension implements ServiceExtension {
     @Inject
     private DataPlaneSelectorService selectorService;
     @Inject
-    private AssetService assetService;
-    @Inject
-    private PolicyDefinitionService policyService;
-    @Inject
-    private ContractDefinitionService contractDefinitionService;
-    @Inject
     private TransactionContext transactionContext;
     @Inject
     private ContractNegotiationService contractNegotiationService;
@@ -83,7 +74,7 @@ public class ApiExtension implements ServiceExtension {
 
     @Override
     public void initialize(ServiceExtensionContext context) {
-        var onboardingService = new OnboardingService(transactionContext, service, configService, vault, selectorService, assetService, policyService, contractDefinitionService, url);
+        var onboardingService = new OnboardingService(transactionContext, service, configService, vault, selectorService, url);
         webService.registerResource(ApiContext.MANAGEMENT, new ParticipantContextApiController(onboardingService));
         var dataRequestService = new DataRequestService(contractNegotiationService, transferProcessService, didResolverRegistry, edrStore);
         webService.registerResource(ApiContext.MANAGEMENT, new DataApiController(catalogService, didResolverRegistry, participantContextService, dataRequestService));

extensions/api/mgmt/src/main/java/org/eclipse/edc/virtualized/service/OnboardingService.java

@@ -16,12 +16,6 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.eclipse.edc.connector.controlplane.asset.spi.domain.Asset;
-import org.eclipse.edc.connector.controlplane.contract.spi.types.offer.ContractDefinition;
-import org.eclipse.edc.connector.controlplane.policy.spi.PolicyDefinition;
-import org.eclipse.edc.connector.controlplane.services.spi.asset.AssetService;
-import org.eclipse.edc.connector.controlplane.services.spi.contractdefinition.ContractDefinitionService;
-import org.eclipse.edc.connector.controlplane.services.spi.policydefinition.PolicyDefinitionService;
 import org.eclipse.edc.connector.dataplane.selector.spi.DataPlaneSelectorService;
 import org.eclipse.edc.connector.dataplane.selector.spi.instance.DataPlaneInstance;
 import org.eclipse.edc.participantcontext.spi.config.model.ParticipantContextConfiguration;
@@ -30,17 +24,12 @@
 import org.eclipse.edc.participantcontext.spi.types.ParticipantContext;
 import org.eclipse.edc.participantcontext.spi.types.ParticipantContextState;
 import org.eclipse.edc.spi.EdcException;
-import org.eclipse.edc.spi.query.Criterion;
 import org.eclipse.edc.spi.result.ServiceFailure;
-import org.eclipse.edc.spi.result.ServiceResult;
 import org.eclipse.edc.spi.security.Vault;
-import org.eclipse.edc.spi.types.domain.DataAddress;
 import org.eclipse.edc.transaction.spi.TransactionContext;
 import org.eclipse.edc.virtualized.api.management.ParticipantManifest;
 
-import java.util.List;
 import java.util.Map;
-import java.util.UUID;
 
 /**
  * This service is a quick-n-dirty onboarding agent, that performs all necessary tasks required to onboard a new participant into the control plane:
@@ -68,28 +57,19 @@ public class OnboardingService {
     private final ParticipantContextConfigService configService;
     private final Vault vault;
     private final DataPlaneSelectorService dataPlaneSelectorService;
-    private final AssetService assetService;
-    private final PolicyDefinitionService policyService;
-    private final ContractDefinitionService contractDefinitionService;
     private final String defaultVaultUrl;
     private final ObjectMapper objectMapper = new ObjectMapper();
 
     public OnboardingService(TransactionContext transactionContext, ParticipantContextService participantContextStore,
                              ParticipantContextConfigService configService,
                              Vault vault,
                              DataPlaneSelectorService dataPlaneSelectorService,
-                             AssetService assetService,
-                             PolicyDefinitionService policyService,
-                             ContractDefinitionService contractDefinitionService,
                              String defaultVaultUrl) {
         this.transactionContext = transactionContext;
         this.participantContextStore = participantContextStore;
         this.configService = configService;
         this.vault = vault;
         this.dataPlaneSelectorService = dataPlaneSelectorService;
-        this.assetService = assetService;
-        this.policyService = policyService;
-        this.contractDefinitionService = contractDefinitionService;
         this.defaultVaultUrl = defaultVaultUrl;
     }
 
@@ -134,12 +114,6 @@ public void onboardParticipant(ParticipantManifest manifest) {
                             .build())
                     .orElseThrow(OnboardingException::new);
 
-
-            var assetId = UUID.randomUUID().toString();
-            createAssets(assetId, participantContextId)
-                    .compose(a -> createPolicies(participantContextId))
-                    .compose(p -> createContractDefinitions(assetId, p.getId(), participantContextId))
-                    .orElseThrow(OnboardingException::new);
         });
 
     }
@@ -151,41 +125,4 @@ private String toJson(Object obj) {
             throw new EdcException(e);
         }
     }
-
-    private ServiceResult<PolicyDefinition> createPolicies(String participantContextId) {
-        var policy = PolicyDefinition.Builder.newInstance()
-                .id(UUID.randomUUID().toString())
-                .participantContextId(participantContextId)
-                .policy(Data.MEMBERSHIP_POLICY)
-                .build();
-
-        return policyService.create(policy);
-    }
-
-    private ServiceResult<ContractDefinition> createContractDefinitions(String assetId, String policyId, String participantContextId) {
-
-        var contractDefinition = ContractDefinition.Builder.newInstance()
-                .id(UUID.randomUUID().toString())
-                .participantContextId(participantContextId)
-                .contractPolicyId(policyId)
-                .accessPolicyId(policyId)
-                .assetsSelector(List.of(new Criterion("https://w3id.org/edc/v0.0.1/ns/id", "=", assetId)))
-                .build();
-        return contractDefinitionService.create(contractDefinition);
-    }
-
-    private ServiceResult<Asset> createAssets(String assetId, String participantContextId) {
-        var asset1 = Asset.Builder.newInstance()
-                .id(assetId)
-                .participantContextId(participantContextId)
-                .property("description", "This asset requires the Membership credential to access")
-                .dataAddress(DataAddress.Builder.newInstance()
-                        .type("HttpData")
-                        .property("https://w3id.org/edc/v0.0.1/ns/baseUrl", "https://jsonplaceholder.typicode.com/todos")
-                        .property("https://w3id.org/edc/v0.0.1/ns/proxyPath", "true")
-                        .property("https://w3id.org/edc/v0.0.1/ns/proxyQueryParams", "true")
-                        .build())
-                .build();
-        return assetService.create(asset1);
-    }
 }

extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/PolicyEvaluationExtension.java

@@ -22,12 +22,10 @@
 import org.eclipse.edc.policy.engine.spi.PolicyEngine;
 import org.eclipse.edc.policy.engine.spi.RuleBindingRegistry;
 import org.eclipse.edc.policy.model.Duty;
-import org.eclipse.edc.policy.model.Permission;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
 
-import static org.eclipse.edc.demo.dcp.policy.MembershipCredentialEvaluationFunction.MEMBERSHIP_CONSTRAINT_KEY;
 import static org.eclipse.edc.policy.model.OdrlNamespace.ODRL_SCHEMA;
 
 public class PolicyEvaluationExtension implements ServiceExtension {
@@ -40,13 +38,7 @@ public class PolicyEvaluationExtension implements ServiceExtension {
 
     @Override
     public void initialize(ServiceExtensionContext context) {
-
-        bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), TransferProcessPolicyContext.class, TransferProcessPolicyContext.TRANSFER_SCOPE, MEMBERSHIP_CONSTRAINT_KEY);
-        bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), ContractNegotiationPolicyContext.class, ContractNegotiationPolicyContext.NEGOTIATION_SCOPE, MEMBERSHIP_CONSTRAINT_KEY);
-        bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, MEMBERSHIP_CONSTRAINT_KEY);
-
         registerDataAccessLevelFunction();
-
     }
 
     private void registerDataAccessLevelFunction() {
@@ -57,14 +49,6 @@ private void registerDataAccessLevelFunction() {
         bindDutyFunction(DataAccessLevelFunction.create(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, accessLevelKey);
     }
 
-    private <C extends PolicyContext> void bindPermissionFunction(AtomicConstraintRuleFunction<Permission, C> function, Class<C> contextClass, String scope, String constraintType) {
-        ruleBindingRegistry.bind("use", scope);
-        ruleBindingRegistry.bind(ODRL_SCHEMA + "use", scope);
-        ruleBindingRegistry.bind(constraintType, scope);
-
-        policyEngine.registerFunction(contextClass, Permission.class, constraintType, function);
-    }
-
     private <C extends PolicyContext> void bindDutyFunction(AtomicConstraintRuleFunction<Duty, C> function, Class<C> contextClass, String scope, String constraintType) {
         ruleBindingRegistry.bind("use", scope);
         ruleBindingRegistry.bind(ODRL_SCHEMA + "use", scope);

gradle/libs.versions.toml

@@ -56,6 +56,7 @@ edcv-nats-subscriber-cn = { module = "org.eclipse.edc.virtualized:negotiation-su
 edcv-nats-publisher-tp = { module = "org.eclipse.edc.virtualized:transfer-process-cdc-publisher-nats", version.ref = "edc" }
 edcv-nats-publisher-cn = { module = "org.eclipse.edc.virtualized:negotiation-cdc-publisher-nats", version.ref = "edc" }
 edcv-cel-extension = { module = "org.eclipse.edc.virtualized:cel-extension", version.ref = "edc" }
+edcv-cel-store-sql = { module = "org.eclipse.edc.virtualized:cel-store-sql", version.ref = "edc" }
 
 # EDC spi dependencies
 edc-spi-participantcontext = { module = "org.eclipse.edc:connector-participant-context-spi", version.ref = "edc" }

k8s/apps/controlplane.yaml

@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
         - name: controlplane
-          image: ghcr.io/metaform/jad/controlplane:0.16.0-SNAPSHOT
+          image: ghcr.io/metaform/jad/controlplane:latest
           imagePullPolicy: Always
           envFrom:
             - configMapRef: { name: controlplane-config }

k8s/apps/dataplane.yaml

@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
         - name: dataplane
-          image: ghcr.io/metaform/jad/dataplane:0.16.0-SNAPSHOT
+          image: ghcr.io/metaform/jad/dataplane:latest
           imagePullPolicy: Always
           envFrom:
             - configMapRef:

k8s/apps/identityhub.yaml

@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
         - name: identityhub
-          image: ghcr.io/metaform/jad/identity-hub:0.16.0-SNAPSHOT
+          image: ghcr.io/metaform/jad/identity-hub:latest
           imagePullPolicy: Always
           envFrom:
             - configMapRef:

k8s/apps/issuerservice.yaml

@@ -34,7 +34,7 @@ spec:
     spec:
       containers:
         - name: issuerservice
-          image: ghcr.io/metaform/jad/issuerservice:0.16.0-SNAPSHOT
+          image: ghcr.io/metaform/jad/issuerservice:latest
           imagePullPolicy: Always
           ports:
             - containerPort: 80