Adds new Secured Setup Example for BaSyx (#374)

Signed-off-by: FriedJannik <[email protected]>
Co-authored-by: Aaron Zielstorff <[email protected]>

Author: FriedJannik

examples/BaSyxSecured/README.md

@@ -0,0 +1,28 @@
+# BaSyx Secure Setup
+
+All BaSyx components support role-based access control by using Keycloak as identity provider.
+Access rules are defined based on roles. Roles are defined in the Keycloak server.
+
+To start the secure setup execute the following command
+
+```bash
+docker-compose up -d
+```
+
+This will start the BaSyx components and the Keycloak server. The Keycloak server can be found at http://localhost:9097.
+There you can login as admin with username `admin` and password `keycloak-admin`.
+![BaSyx Realm User Overview](users.png)
+
+The example comes with an already configured realm `BaSyx` and a user `john.doe` with password `johndoe`.
+This user has the `admin` role and can access all BaSyx components and all information about each component.
+
+The entry point for accessing the Asset Administration Shells and their Submodels is the AAS Web UI running at http://localhost:3000.
+After opening the page you will be redirected to the Keycloak login page. Use the credentials of user `john.doe` to log in.
+![Login to BaSyx using Keycloak](login.png)
+
+From there you can access the AAS and Submodels of the BaSyx components.
+The UI shows the login status in the top right corner.
+To end your session click on the logout button in the top right corner.
+![Logout button in the AAS UI](logout.png)
+
+There are several other user accounts available, each with different roles. You can use them to test the different levels of access. The password for these users is their username without the dots. You can find them in the [Users](http://localhost:9097/admin/master/console/#/BaSyx/users) tab of the BaSyx realm in Keycloak.

examples/BaSyxSecured/aas/ExampleV3.aasx

@@ -0,0 +1,12 @@
+server.port=8081
+spring.application.name=AAS Discovery Service
+basyx.aasdiscoveryservice.name=aas-discovery-service
+basyx.backend=InMemory
+basyx.cors.allowed-origins=*
+basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
+
+basyx.feature.authorization.enabled = true
+basyx.feature.authorization.type = rbac
+basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak:9097/realms/BaSyx

examples/BaSyxSecured/aas/test_demo_full_example.xml

@@ -0,0 +1,37 @@
+server.port=8081
+basyx.backend=InMemory
+basyx.environment=file:aas
+basyx.cors.allowed-origins=*
+basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
+basyx.aasrepository.feature.registryintegration=http://aas-registry:8080
+basyx.submodelrepository.feature.registryintegration=http://sm-registry:8080
+basyx.externalurl=http://localhost:8081
+
+basyx.feature.authorization.enabled = true
+basyx.feature.authorization.type = rbac
+basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak-rbac:8080/realms/BaSyx
+basyx.aasenvironment.authorization.preconfiguration.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.aasenvironment.authorization.preconfiguration.grant-type = CLIENT_CREDENTIALS
+basyx.aasenvironment.authorization.preconfiguration.client-id=workstation-1
+basyx.aasenvironment.authorization.preconfiguration.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
+#basyx.aasenvironment.authorization.preconfiguration.username=username
+#basyx.aasenvironment.authorization.preconfiguration.password=password
+#basyx.aasenvironment.authorization.preconfiguration.scopes=
+spring.servlet.multipart.max-request-size=128MB
+spring.servlet.multipart.max-file-size=128MB
+
+basyx.aasrepository.feature.registryintegration.authorization.enabled=true
+basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.aasrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
+basyx.aasrepository.feature.registryintegration.authorization.client-id = workstation-1
+basyx.aasrepository.feature.registryintegration.authorization.client-secret = nY0mjyECF60DGzNmQUjL81XurSl8etom
+basyx.submodelrepository.feature.registryintegration.authorization.enabled=true
+basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.submodelrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
+basyx.submodelrepository.feature.registryintegration.authorization.client-id=workstation-1
+basyx.submodelrepository.feature.registryintegration.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
+#basyx.aasrepository.feature.registryintegration.authorization.username=test
+#basyx.aasrepository.feature.registryintegration.authorization.password=test
+#basyx.aasrepository.feature.registryintegration.authorization.scopes=[]

examples/BaSyxSecured/basyx/aas-discovery.properties

@@ -0,0 +1,43 @@
+[
+  {
+    "role": "basyx-assetid-creator",
+    "action": "CREATE",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-assetid-discoverer",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-assetid-deleter",
+    "action": "DELETE",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-aas-discoverer",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": null,
+      "assetIds": [
+        {
+          "name": "*",
+          "value": "*"
+        }
+      ]
+    }
+  }
+]