Merge branch 'develop' of github.com:POSSIBLE-X/possible-x-edc-extension

Author: UsulSK

deployment/helm/possible-x-edc/templates/db_stateful_set.yaml

@@ -16,6 +16,9 @@ spec:
       labels:
         app: {{ include "possible-x-edc.fullname" . }}-postgres
     spec:
+      securityContext:
+        runAsUser: 999
+        runAsGroup: 0
       containers:
       - name: postgres
         image: "{{ .Values.persistence.db.image.repository }}:{{ .Values.persistence.db.image.tag }}"
@@ -24,6 +27,10 @@ spec:
         - containerPort: 5432
           name: postgres
         env:
+        - name: PGDATA
+          value: /var/lib/postgresql/root/data
+        - name: PGROOT
+          value: /var/lib/postgresql/root
         - name: POSTGRES_DB
           value: "{{ .Values.persistence.db.databaseName }}"
         - name: POSTGRES_USER
@@ -35,7 +42,7 @@ spec:
               key: POSTGRES_PASSWORD
         volumeMounts:
         - name: {{ include "possible-x-edc.fullname" . }}-postgres-storage
-          mountPath: /var/lib/postgresql
+          mountPath: /var/lib/postgresql/root
   volumeClaimTemplates:
   - metadata:
       name: {{ include "possible-x-edc.fullname" . }}-postgres-storage

deployment/pg_admin/pg_admin.yaml

@@ -18,6 +18,9 @@ spec:
         command: ["/bin/sh", "-c"]
         args: 
         - |
+          touch /config/pgpass
+          echo "possible-x-portal-postgres.edc-dev:*:*:admin:$PORTAL_POSTGRES_PASSWORD" >> /config/pgpass
+          echo "*:*:*:*:$POSTGRES_PASSWORD" >> /config/pgpass
           echo '{
               "Servers": {
                 "1": {
@@ -27,7 +30,7 @@ spec:
                   "Port": 5432,
                   "MaintenanceDB": "edc",
                   "Username": "admin",
-                  "Password": "'$POSTGRES_PASSWORD'",
+                  "PassFile": "/pgadmin4/pgpass",
                   "SSLMode": "prefer",
                   "ConnectNow": true
                 },
@@ -38,7 +41,7 @@ spec:
                   "Port": 5432,
                   "MaintenanceDB": "edc",
                   "Username": "admin",
-                  "Password": "'$POSTGRES_PASSWORD'",
+                  "PassFile": "/pgadmin4/pgpass",
                   "SSLMode": "prefer",
                   "ConnectNow": true
                 },
@@ -49,12 +52,16 @@ spec:
                   "Port": 5432,
                   "MaintenanceDB": "portal",
                   "Username": "admin",
-                  "Password": "'$PORTAL_POSTGRES_PASSWORD'",
+                  "PassFile": "/pgadmin4/pgpass",
                   "SSLMode": "prefer",
                   "ConnectNow": true
                 }
               }
             }' > /config/servers.json
+            chmod 600 /config/pgpass
+            chown 5050:0 /config/pgpass
+            chown 5050:0 /config/servers.json
+
         env:
         - name: POSTGRES_PASSWORD
           valueFrom:
@@ -72,6 +79,7 @@ spec:
       containers:
       - name: pgadmin
         image: dpage/pgadmin4:latest
+        resources: {}
         ports:
         - containerPort: 80
         env:
@@ -81,6 +89,8 @@ spec:
           value: "False"
         - name: PGADMIN_DEFAULT_EMAIL
           value: "admin@possible-x.de"  # Set your admin email
+        - name: PGPASSFILE
+          value: /pgadmin4/pgpass
         - name: PGADMIN_DEFAULT_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -90,6 +100,9 @@ spec:
         - name: config-volume
           mountPath: /pgadmin4/servers.json
           subPath: servers.json
+        - name: config-volume
+          mountPath: /pgadmin4/pgpass
+          subPath: pgpass
       volumes:
       - name: config-volume
         emptyDir: {}

policy-extension/src/main/java/org/eclipse/edc/extension/possiblepolicy/ConnectorIdConstraintFunction.java

@@ -4,16 +4,18 @@
 import org.eclipse.edc.policy.engine.spi.PolicyContext;
 import org.eclipse.edc.policy.model.Operator;
 import org.eclipse.edc.policy.model.Permission;
+import org.eclipse.edc.policy.model.Rule;
 import org.eclipse.edc.spi.agent.ParticipantAgent;
 import org.eclipse.edc.spi.monitor.Monitor;
 
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Objects;
 
 import static java.lang.String.format;
 
-public class ConnectorIdConstraintFunction implements AtomicConstraintFunction<Permission> {
+public class ConnectorIdConstraintFunction<R extends Rule> implements AtomicConstraintFunction<R> {
 
     private final Monitor monitor;
 
@@ -22,7 +24,13 @@ public ConnectorIdConstraintFunction(Monitor monitor) {
     }
 
     @Override
-    public boolean evaluate(Operator operator, Object rightValue, Permission rule, PolicyContext context) {
+    public boolean evaluate(Operator operator, Object rightValue, R rule, PolicyContext context) {
+
+        if (!(rightValue instanceof String)) {
+            context.reportProblem("Right-value expected to be String but was " + rightValue.getClass());
+            return false;
+        }
+
         var contextData = context.getContextData(ParticipantAgent.class);
         if (contextData == null) {
             return false;
@@ -36,18 +44,19 @@ public boolean evaluate(Operator operator, Object rightValue, Permission rule, P
             monitor.info(format("Found attribute %s : %s", e.getKey(), e.getValue()));
         }
 
-        var clientIdClaim = contextData.getClaims().get("client_id");
+        String clientIdClaim = (String) contextData.getClaims().get("client_id");
 
         if (clientIdClaim == null) {
             return false;
         }
 
-        monitor.info(format("Evaluating constraint: connectorId %s %s %s", clientIdClaim, operator, rightValue.toString()));
+        monitor.info(format("Evaluating constraint: connectorId %s %s %s", clientIdClaim, operator, rightValue));
 
         return switch (operator) {
             case EQ -> Objects.equals(clientIdClaim, rightValue);
             case NEQ -> !Objects.equals(clientIdClaim, rightValue);
-            case IN -> ((Collection<?>) rightValue).contains(clientIdClaim);
+            case IN, IS_ANY_OF -> Arrays.asList(((String) rightValue).split(",")).contains(clientIdClaim);
+            case IS_NONE_OF -> !Arrays.asList(((String) rightValue).split(",")).contains(clientIdClaim);
             default -> false;
         };
     }

policy-extension/src/main/java/org/eclipse/edc/extension/possiblepolicy/PossiblePolicyExtension.java

@@ -18,6 +18,7 @@
 import org.eclipse.edc.policy.engine.spi.PolicyEngine;
 import org.eclipse.edc.policy.engine.spi.RuleBindingRegistry;
 import org.eclipse.edc.policy.model.Permission;
+import org.eclipse.edc.policy.model.Prohibition;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.spi.system.ServiceExtension;
@@ -48,6 +49,7 @@ public void initialize(ServiceExtensionContext context) {
 
         ruleBindingRegistry.bind("use", ALL_SCOPES);
         ruleBindingRegistry.bind(CONNECTORID_CONSTRAINT_KEY, ALL_SCOPES);
-        policyEngine.registerFunction(ALL_SCOPES, Permission.class, CONNECTORID_CONSTRAINT_KEY, new ConnectorIdConstraintFunction(monitor));
+        policyEngine.registerFunction(ALL_SCOPES, Permission.class, CONNECTORID_CONSTRAINT_KEY, new ConnectorIdConstraintFunction<>(monitor));
+        policyEngine.registerFunction(ALL_SCOPES, Prohibition.class, CONNECTORID_CONSTRAINT_KEY, new ConnectorIdConstraintFunction<>(monitor));
     }
 }