Merge branch 'develop' into kano-definitions

Author: mickenordin

.github/workflows/github-pages.yml

@@ -26,9 +26,9 @@ jobs:
             --metadata title="README" \
             -o dist/index.html
 
-          cp ./logo.png ./dist/logo.png
+          cp ./logo/OpenCloudMesh-text-vertical-300x116.png ./dist/logo.png
+          cp -R ./logo ./dist/logo
           cp ./docs.html ./dist/docs.html
-
       - name: Upload Pages artifact
         uses: actions/upload-pages-artifact@v3
         with:

HISTORY.md

@@ -48,3 +48,5 @@ The Open Cloud Mesh initiative started in 2015 within the [GÉANT Association](h
 ### [Sovereign Tech](https://www.sovereign.tech) funded efforts
 * In October 2025 a [grant was awarded](https://www.sovereign.tech/programs/fund) with a set of milestones to implement several missing pieces and introduce automated testing in each vendor's CI pipeline, as well as to support the IETF standardization efforts. This engagement was first made public at the [Open Source at CERN in 2025/2026 event](https://indico.cern.ch/event/1546072), featuring a number of funding agencies including Sovereign Tech, with a [lightning talk](https://indico.cern.ch/event/1546072/contributions/6754920) about CERNBox and OCM.
 * Presentations and demonstrations about the OCM-based EOSC Federation of Cloud Storage Systems at the [EOSC Symposium 2025](https://indico.cern.ch/event/1543880/timetable).
+* First [IETF WG interim meeting](https://datatracker.ietf.org/doc/agenda-interim-2025-ocm-01-ocm-01) held in November 2025 ([recording](https://www.youtube.com/watch?v=I9c6sFM2NZ8)): the draft is officially adopted by the WG.
+* [16th SIG-CISS Meet-up on Federated Storage and Storage Infrastructure](https://events.geant.org/event/1939) ([recording](https://drive.google.com/drive/folders/1EvvKgxTXO5UtQ0UBRuQaECvAhHgRMLxr)) featured a number of presentations about storage federations and OCM, with an OCM 10th anniversary presentation. 

IETF-RFC.md

@@ -5,7 +5,7 @@
 
 # Open Cloud Mesh Protocol Specification
 
-This repository contains the text of the [Open Cloud Mesh IETF Draft](https://datatracker.ietf.org/doc/draft-lopresti-open-cloud-mesh/), as well as the equivalent [OpenAPI](https://github.com/OAI/OpenAPI-Specification) (fka Swagger) specification for its API rendered as HTML (by [ReDoc](https://github.com/Redocly/redoc)).
+This repository contains the text of the [Open Cloud Mesh IETF Draft](https://datatracker.ietf.org/doc/draft-ietf-ocm-open-cloud-mesh/), as well as the equivalent [OpenAPI](https://github.com/OAI/OpenAPI-Specification) (fka Swagger) specification for its API rendered as HTML (by [ReDoc](https://github.com/Redocly/redoc)).
 
 The documents are available as follows:
 * **Latest official version, 1.2.2**: [RFC-formatted Draft](https://github.com/cs3org/OCM-API/blob/v1.2.2/IETF-RFC.md) | [API spec](https://cs3org.github.io/OCM-API/docs.html?branch=v1.2.2&repo=OCM-API&user=cs3org)

IETF-RFC.xml

@@ -1,26 +1,35 @@
 @startuml
 
-participant "Alice" as Alice_user #fdf2d0
+actor "Alice" as Alice_user #fdf2d0
 participant "EFSS" as Alice_EFSS #fdf2d0
 participant "Disco" as Alice_Disco #fdf2d0
 participant "Disco" as Bob_Disco #eececd
-participant "EFSS" as Bob_OCM #eececd
-participant "Bob" as Bob_user #eececd
-Bob_user -> Bob_OCM: Add contact 'Alice'
-Bob_user -> Alice_user: OCM invite [ token, FQDN ]
-Alice_user -> Alice_EFSS: Add contact 'Bob'
-Alice_EFSS -> Bob_OCM: POST /invite_accept [ token ]
-Bob_OCM -> Alice_EFSS: 201 created
+participant "EFSS" as Bob_EFSS #eececd
+actor "Bob" as Bob_user #eececd
+==Invite==
+Bob_user -> Bob_EFSS: Create token for 'Alice'
+Bob_EFSS -> Bob_user: token
+Bob_user -> Alice_user: OCM invite [ inviteString (token@Bob_FQDN) ]
+Alice_user -> Alice_EFSS: Add contact [ inviteString ]
+Alice_EFSS -> Bob_EFSS: **POST /ocm/invite-accepted** [ token ]
+Bob_EFSS -> Bob_user: 'Alice' is a trusted contact
+Bob_EFSS --> Alice_EFSS: 201 created
+Alice_EFSS -> Alice_user: 'Bob' is a trusted contact
+==Share==
 Alice_user -> Alice_EFSS: Share doc with 'Bob'
 Alice_EFSS -> Bob_Disco: GET /.well-known/ocm
 Bob_Disco -> Alice_EFSS: endpoints, capabilities, pubkey
-Alice_EFSS -> Bob_OCM: (signed) POST /ocm/share
-Bob_OCM -> Alice_Disco: GET /.well-known/ocm
-Alice_Disco -> Bob_OCM: pubkey
-Bob_OCM -> Alice_EFSS: 201 created
-Bob_OCM -> Alice_EFSS: (signed) /ocm/token
-Alice_EFSS -> Bob_OCM: short-lived bearer token
-Bob_OCM --> Alice_EFSS: (bearer) PROPFIND
-Alice_EFSS -> Bob_OCM: OK
+Alice_EFSS -> Bob_EFSS: (signed) **POST /ocm/share** [ refreshToken ]
+Bob_EFSS -> Alice_Disco: GET /.well-known/ocm
+Alice_Disco -> Bob_EFSS: pubkey
+Bob_EFSS --> Alice_EFSS: 201 created
+Bob_EFSS -> Bob_user: doc was shared by 'Alice'
+==Access==
+Bob_user -> Bob_EFSS: Access Alice's doc
+Bob_EFSS -> Alice_EFSS: (signed) **POST /ocm/token** [ refreshToken ]
+Alice_EFSS -> Bob_EFSS: short-lived bearer token
+Bob_EFSS -> Alice_EFSS: (bearer) PROPFIND
+Alice_EFSS --> Bob_EFSS: OK
+Bob_EFSS -> Bob_user: Display doc
 
-@enduml
+@enduml

README.md

@@ -1,28 +1,89 @@
 ```mermaid
 sequenceDiagram
-    participant Inviter
-    participant InviteSenderServer as Invite Sender Server
-    participant InviteReceiverServer as Invite Receiver Server
-    participant Invitee
 
-    Inviter->>InviteSenderServer: Calls Invite API
-    InviteSenderServer->>InviteSenderServer: Creates an invite record in the database
-    Note right of InviteSenderServer: Dispatch notification (Email) to invitee\n- Token\n- invite sender server FQDN
+    %% Instance A components
+    box "Instance A" #0f2749
+        participant InviteManagerA as InviteManager A
+        participant GatewayA as Gateway A
+        participant HTTPA as HTTP API A (ocm, sm)
+    end
 
-    InviteSenderServer->>Invitee: Send Email with Token and Server FQDN
-    Invitee->>InviteReceiverServer: Submit invite acceptance form\n(Token, invite sender server FQDN)
-    
-    InviteReceiverServer->>InviteSenderServer: Discover the OCM API of the inviter server
-    InviteReceiverServer->>InviteReceiverServer: Adds FQDN of invite sender server as trusted server
+    %% OCM Invitation Flow
+    %% Actors
+    actor UserA as Alice
+    actor UserB as Bob
+
+    %% Instance B components
+    box "Instance B" #0f2749
+        participant HTTPB as HTTP API B (ocm, sm)
+        participant GatewayB as Gateway B
+        participant InviteManagerB as InviteManager B
+    end
+
+    %% Invitation creation
+    UserA ->> HTTPA: POST /generate-invite (ocm, sm)
+    HTTPA ->> GatewayA: /generate-invite
+    GatewayA ->> InviteManagerA: GenerateInviteToken
+    Note right of InviteManagerA: store token in database
+    InviteManagerA -->> GatewayA: return token
+    GatewayA -->> HTTPA: return token
 
-    InviteReceiverServer->>InviteSenderServer: Accept invite API Call\n(InviteAcceptanceRequestDto)
-    Note left of InviteReceiverServer: InviteAcceptanceRequestDto\n+ recipientProvider: string\n+ token: string\n+ userID: string\n+ email: string\n+ name: string
+    alt
+        HTTPA ->> UserB: Send Email with Alice's Server FQDN and Token
+    else
+        HTTPA ->> UserA: Raw or Base64 encoded "token@FQDN"
+        UserA ->> UserB: Aice passes token to Bob
+    end
 
-    InviteSenderServer->>InviteSenderServer: Add invite receiver FQDN as trusted server
-    InviteSenderServer->>InviteSenderServer: Mark the invitation record as accepted
-    InviteSenderServer->>InviteSenderServer: Add invite receiver in the contacts table
-    InviteSenderServer->>InviteReceiverServer: Return InviteAcceptanceResponseDto
+    alt 
+        UserB ->> UserB: Accept token manually in the EFSS UI
+        UserB ->> HTTPB: POST /accept-invite (ocm, sm)
+    else Use WAYF
+         UserB ->> HTTPA: TODO
+    end
+ 
+    %% Invitation acceptance on B
+    UserB ->> HTTPB: POST /accept-invite (ocm, sm)
+    HTTPB ->> GatewayB: ForwardInvite
+    GatewayB ->> InviteManagerB: ForwardInvite
+    InviteManagerB ->> HTTPA: Discover the OCM API of the inviter server
+    HTTPA ->>InviteManagerB: OCM discovery data
+    InviteManagerB ->> InviteManagerB: Adds FQDN of invite sender server as trusted server
+    InviteManagerB ->> HTTPA: POST /invite-accepted (ocm)
+    rect rgb(191, 223, 255)
+        Note right of UserB: InviteAcceptanceRequestDto
+        rect
+            Note right of UserB: recipientProvider: string
+            Note right of UserB: token: string
+            Note right of UserB: userID: string
+            Note right of UserB: email: string
+            Note right of UserB: name: string
+        end
+    end
+
+    %% Process acceptance on A
+    HTTPA ->> GatewayA: AcceptInvite
+    GatewayA ->> InviteManagerA: AcceptInvite
+    Note right of InviteManagerA: get token from database
+    InviteManagerA ->> InviteManagerA: Add Bob's server FQDN as trusted server
+    InviteManagerA ->> InviteManagerA: Mark the invitation record as accepted
+    InviteManagerA ->> InviteManagerA: Add Bob in the contacts table
+    InviteManagerA -->> GatewayA: return Alice user
+    GatewayA -->> HTTPA: return Alice user
     
-    Note right of InviteReceiverServer: InviteAcceptanceResponseDto\n+ UserId: string\n+ Email: string\n+ Name: string
-    InviteReceiverServer->>Invitee: Adds Invite sender as contact
+    %% Propagation to B
+    HTTPA ->> InviteManagerB: return Alice user
+    rect rgb(191, 223, 255)
+        Note right of UserA: InviteAcceptanceResponseDto
+        rect
+            Note right of UserA: userID: string
+            Note right of UserA: email: string
+            Note right of UserA: name: string
+        end
+    end
+    InviteManagerB ->> InviteManagerB: Add Alice in the contacts table
+    InviteManagerB -->> GatewayB: return
+    GatewayB -->> HTTPB: return
+    HTTPB -->> UserB: return
+
 ```

diagrams/code-flow.puml

@@ -3,46 +3,64 @@
   <head>
     <title>Open Cloud Mesh API Reference Documentation</title>
     <!-- needed for adaptive design -->
-    <meta charset="utf-8"/>
+    <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700|Roboto:300,400,700" rel="stylesheet">
 
     <!--
-    ReDoc doesn't change outer page styles
-    -->
+      ReDoc doesn't change outer page styles
+      -->
     <style>
       body {
         margin: 0;
         padding: 0;
       }
     </style>
   </head>
+
   <body>
     <redoc></redoc>
     <script>
       const params = new URLSearchParams(window.location.search);
-      const user = params.get('user');
-      const repo = params.get('repo');
-      const branch = params.get('branch');
-      let changed = false;
-      if (user === null) {
-        params.set('user', 'cs3org');
-        changed = true;
-      }
-      if (repo === null) {
-        params.set('repo', 'OCM-API');
-        changed = true;
-      }
-      if (branch === null) {
-        params.set('branch', 'develop');
-        changed = true;
+
+      const defaults = {
+        user: 'cs3org',
+        repo: 'OCM-API',
+        branch: 'develop'
+      };
+
+      let mutated = false;
+      for (const key in defaults) {
+        if (!params.has(key)) {
+          params.set(key, defaults[key]);
+          mutated = true;
+        }
       }
-      if (changed) {
+
+      if (mutated) {
         params.sort();
-        window.location = `?${params.toString()}`;
+        window.location.replace('?' + params.toString());
       }
-      document.querySelector('redoc').setAttribute('spec-url', `https://raw.githubusercontent.com/${user}/${repo}/${branch}/spec.yaml`);
+
+      const user = params.get('user');
+      const repo = params.get('repo');
+      const branch = params.get('branch');
+
+      const specUrl =
+        `https://raw.githubusercontent.com/${user}/${repo}/${branch}/spec.yaml`;
+
+      const redocScriptUrl =
+        `https://cdn.redoc.ly/redoc/v3.0.0-rc.0/redoc.standalone.js`;
+
+      const redocEl = document.querySelector('redoc');
+      redocEl.setAttribute('spec-url', specUrl);
+
+      const script = document.createElement('script');
+      script.src = redocScriptUrl;
+      script.type = 'module';
+      script.async = true;
+      script.defer = true;
+      document.body.appendChild(script);
     </script>
-    <script src="https://cdn.jsdelivr.net/npm/redoc@next/bundles/redoc.standalone.js"> </script>
   </body>
 </html>

diagrams/invitation-flow.md

@@ -0,0 +1,101 @@
+{
+  "title": "OCM API Discovery",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "properties": {
+    "enabled": {
+      "type": "boolean"
+    },
+    "apiVersion": {
+      "type": "string"
+    },
+    "endPoint": {
+      "type": "string", 
+      "format": "uri"
+    },
+    "provider": {
+      "type": "string"
+    },
+    "resourceTypes": {
+      "type": "array",
+      "items": { "$ref": "#/$defs/resourceType" }
+    },
+    "capabilities": {
+      "type": "array",
+      "description": "Capabilities values of 'exchange-token', 'webdav-uri', 'protocol-object', 'invites', 'invite-wayf' defined in draft",
+      "items": {
+        "type": "string"
+      }
+    },
+    "criteria": {
+      "type": "array",
+      "description": "Criteria values of 'http-request-signatures', 'token-exchange', 'denlyist' and 'allowlist' are defined in draft",
+      "items": {
+        "type": "string"
+      }
+    },
+    "publicKey": {
+      "$ref": "#/$defs/publicKey" 
+    },
+    "inviteAcceptDialog": {
+      "type": "string",
+      "format": "uri"
+    },
+    "tokenEndPoint": {
+      "type": "string",
+      "format": "uri"
+    }
+  },
+  "required": [
+    "enabled", 
+    "apiVersion", 
+    "endPoint", 
+    "resourceTypes"
+  ],
+  "$defs": {
+    "resourceType": {
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "shareTypes": {
+          "type": "array"
+        },
+        "protocols": { "$ref": "#/$defs/protocols" }
+      },
+      "required": ["name", "shareTypes", "protocols"]
+    },
+    "protocols": {
+      "type": "object",
+      "minProperties": 1,
+      "description": "Additional protocols besides 'webdav', 'webapp' and 'datatx' may be defined.",
+      "properties": {
+        "webdav": {
+          "type": "string",
+          "pattern": "^/"
+        },
+        "webapp": {
+          "type": "string",
+          "pattern": "^/"
+        },
+        "datatx": {
+          "type": "string",
+          "pattern": "^/"
+        }
+      }
+    },
+    "publicKey": {
+      "type": "object",
+      "properties": {
+        "keyId": {
+          "type": "string"
+        },
+        "publicKeyPem": {
+          "type": "string"
+        }
+      },
+      "required": ["keyId", "publicKeyPem" ]
+
+    }
+  }
+}