Adds an example for the Dynamic Management of RBAC rules using Security Submodel (#598)

* Adds BaSyx Dynamic RBAC Management Example

Signed-off-by: Mohammad Ghazanfar Ali Danish <[email protected]>

* Addresses review remarks

Signed-off-by: Mohammad Ghazanfar Ali Danish <[email protected]>

* Fixes the Preconfig Rules

Signed-off-by: Mohammad Ghazanfar Ali Danish <[email protected]>

* Fixes line endings inside entrypoint.sh

Signed-off-by: Mohammad Ghazanfar Ali Danish <[email protected]>

* Fixes line endings by setting them to LF instead of CRLF

---------

Signed-off-by: Mohammad Ghazanfar Ali Danish <[email protected]>
Co-authored-by: Aaron Zielstorff <[email protected]>

Author: mdanish98

examples/BaSyxDynamicRBAC/.env

@@ -0,0 +1,3 @@
+BASYX_VERSION=2.0.0-SNAPSHOT
+AAS_WEBUI_VERSION=SNAPSHOT
+KEYCLOAK_VERSION=24.0.4

examples/BaSyxDynamicRBAC/Dockerfile

@@ -0,0 +1,35 @@
+# Use Ubuntu as the base image
+FROM ubuntu:20.04 AS installer
+
+# Switch to root user to install dependencies (default user is root in Ubuntu)
+USER root
+
+# Install curl (to download jq) and other dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    libcurl4-openssl-dev \
+    wget
+
+# Download jq version 1.4 binary from GitHub releases
+RUN wget -O /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.4/jq-linux-x86_64
+
+# Make jq executable
+RUN chmod +x /usr/local/bin/jq
+
+# Stage 2: Build the final image based on the submodel-repository image
+FROM eclipsebasyx/submodel-repository:2.0.0-milestone-04
+
+# Switch to root user to install dependencies
+USER root
+
+# Copy jq binary from the Ubuntu stage to the final image (submodel-repository)
+COPY --from=installer /usr/local/bin/jq /usr/local/bin/jq
+
+# Copy the file from local system to Docker container
+COPY ./initial-submodel.json /application/initial-submodel.json
+
+# Expose necessary ports
+EXPOSE 8081
+
+# Set the entrypoint to run the JAR file
+ENTRYPOINT ["java", "-jar", "basyxExecutable.jar"]

examples/BaSyxDynamicRBAC/DynamicRBAC.postman_collection.json

@@ -0,0 +1,185 @@
+# BaSyx Dynamic RBAC Management
+
+* BaSyx supports dynamic management of RBAC rules using a security Submodel.
+* The administrator of the system controls the policy/access rules inside the Submodel.
+* Rules can be added or deleted during the system's runtime.
+
+<img width="60%" alt="image" src="images/DynamicRBACMgmt.png">
+
+## Prerequisites
+1. REST API Client (e.g., [Postman](https://www.postman.com/downloads/))
+2. Import the [Postman Collection](DynamicRBAC.postman_collection.json)
+3. Docker
+
+To start the secure setup execute the following command
+
+```bash
+docker-compose up -d
+```
+
+This will start the BaSyx components and the Keycloak server. The Keycloak server can be found at http://localhost:9097.
+There you can login as admin with username `admin` and password `keycloak-admin`.
+
+<img width="60%" alt="image" src="images/users.png">
+
+The example comes with an already configured realm `BaSyx` and a user `john.doe` with password `johndoe`.
+This user has the `admin` role and can access all BaSyx components and all information about each component.
+
+The entry point for accessing the Asset Administration Shells and their Submodels is the AAS Web UI running at http://localhost:3000.
+After opening the page you will be redirected to the Keycloak login page. Use the credentials of user `john.doe` to log in.
+
+<img width="60%" alt="image" src="images/login.png">
+
+## 📌 Note
+
+> **Important:**  
+> Currently, AAS GUI can only be used by admin account (`john.doe` with password `johndoe`) and not with any user account due to a limitation.
+> This problem will be fixed with this [Pull Request](https://github.com/eclipse-basyx/basyx-java-server-sdk/pull/575)
+> Once this PR is merged then you can login with any user account.
+> For now, please use provided Postman collection to interact with the authorized components with user accounts.
+
+
+## Security in BaSyx
+
+Detailed documentation of BaSyx Security is available inside Authorization section of each component [here](https://wiki.basyx.org/en/latest/content/user_documentation/basyx_components/v2/index.html)
+
+For e.g., AAS Repository authorization is documented [here](https://wiki.basyx.org/en/latest/content/user_documentation/basyx_components/v2/aas_repository/features/authorization.html)
+
+Following shows how a JSON based RBAC rule looks like a Submodel-based rule:
+
+#### Example of a Simple RBAC Rule
+```json
+{
+  "role": "admin",
+  "action": "READ",
+  "targetInformation": {
+    "@type": "aas",
+    "aasIds": "*"
+  }
+}
+```
+
+#### Example of a Simple Submodel persistent RBAC Rule
+```json
+{
+  "modelType": "SubmodelElementCollection",
+  "idShort": "YWRtaW5ERUxFVEVvcmcuZWNsaXBzZS5kaWdpdGFsdHdpbi5iYXN5eC5hYXNyZXBvc2l0b3J5LmZlYXR1cmUuYXV0aG9yaXphdGlvbi5BYXNUYXJnZXRJbmZvcm1hdGlvbg==",
+  "value": [
+      {
+          "modelType": "Property",
+          "value": "admin",
+          "idShort": "role"
+      },
+      {
+          "modelType": "SubmodelElementList",
+          "idShort": "action",
+          "orderRelevant": true,
+          "value": [
+              {
+                  "modelType": "Property",
+                  "value": "READ"
+              }
+          ]
+      },
+      {
+          "modelType": "SubmodelElementCollection",
+          "idShort": "targetInformation",
+          "value": [
+              {
+                  "modelType": "SubmodelElementList",
+                  "idShort": "aasIds",
+                  "orderRelevant": true,
+                  "value": [
+                      {
+                          "modelType": "Property",
+                          "value": "*"
+                      }
+                  ]
+              }
+          ]
+      }
+  ]
+}
+```
+
+## Example use case
+
+* A bicycle manufacturer and suppliers of parts of bicycle works collaboratively.
+* There is one Manufacturer and two Suppliers.
+* Two suppliers are for Gear and Frame.
+* Following are the information for access rules configuration in Identity Management:
+
+| Role               | User  | Password |
+|--------------------|-------|----------|
+| FrameSupplier      | alice | alice    |
+| GearSupplier       | bob   | bob      |
+| ManufacturerFrame  | dave  | dave     |
+| ManufacturerGear   | dave  | dave     |
+
+<img width="60%" alt="image" src="images/AASDS2.png">
+
+### View Rules for this example
+
+* Postman -> AASDataspace -> Rules -> Frame (In Postman collection)
+* Open any request
+* Go to body and check the structure of rules
+
+### Formula for generating idShort of the RBAC rule for the Rule SubmodelElementCollection
+
+* The idShort of the RBAC rule for the Rule SubmodelElementCollection is the Base64 encode of the concatenation of **Role** + **Action** + **TargetInformation Class**.
+* For e.g., Role = admin, Action = DELETE, TargetInformation Class = org.eclipse.digitaltwin.basyx.aasrepository.feature.authorization.AasTargetInformation. The idShort will be Base64(adminDELETEorg.eclipse.digitaltwin.basyx.aasrepository.feature.authorization.AasTargetInformation) which is YWRtaW5ERUxFVEVvcmcuZWNsaXBzZS5kaWdpdGFsdHdpbi5iYXN5eC5hYXNyZXBvc2l0b3J5LmZlYXR1cmUuYXV0aG9yaXphdGlvbi5BYXNUYXJnZXRJbmZvcm1hdGlvbg==.
+
+Similarly, you can create idShorts using the below TargetInformation class as per the TargetInformation in consideration.
+
+| Component                         |                                         TargetInformation Class                                                                     |
+|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| AAS Environment                   | org.eclipse.digitaltwin.basyx.aasenvironment.feature.authorization.AasEnvironmentTargetInformation                                  |
+| AAS Repository                    | org.eclipse.digitaltwin.basyx.aasrepository.feature.authorization.AuthorizedAasRepository                                           |
+| Submodel Repository               | org.eclipse.digitaltwin.basyx.submodelrepository.feature.authorization.SubmodelTargetInformation                                    |
+| Concept Description Repository    | org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.feature.authorization.ConceptDescriptionTargetInformation                |
+| AAS Registry                      | org.eclipse.digitaltwin.basyx.aasregistry.feature.authorization.AasRegistryTargetInformation                                        |
+| Submodel Registry                 | org.eclipse.digitaltwin.basyx.submodelregistry.feature.authorization.SubmodelRegistryTargetInformation                              |
+| AAS Discovery                     | org.eclipse.digitaltwin.basyx.aasdiscoveryservice.feature.authorization.AasDiscoveryServiceTargetInformation                        |
+
+### Scenario
+
+<img width="80%" alt="image" src="images/BicycleExampleDataspaceFlow_short.png">
+
+* When Frame Supplier delivers the product they also add a policy/rule (using Dynamic RBAC) so that the manufacturer can see the Digital Twin of the supplied product.
+  - Postman -> AASDataspace -> Rules -> Frame (In Postman collection)
+    - We need to add rules separately for AAS/SM Registry as well as AAS/SM Repository
+    - Before providing the access
+      - Postman -> AASDataspace -> Rules -> Manufacturer
+      - Go to GET_FrameAAS request or GET_SupplierSMFrom_FrameAAS -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send the request
+      - These requests will return 403
+    - Add rules to provide access
+      - Postman -> AASDataspace -> Rules -> Frame
+      - For each requests -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send each requests
+      - These requests will return 201 indicating a new rule has been added to the Security Submodel using Dynamic RBAC Management
+    - Now retry accessing the resource as a Manufacturer
+      - Postman -> AASDataspace -> Rules -> Manufacturer
+      - Go to GET_FrameAAS request or GET_SupplierSMFrom_FrameAAS -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send the request
+      - These requests will return 200 OK
+
+
+* Similarly, when Gear Supplier delivers the product they also add a policy/rule (using Dynamic RBAC) so that the manufacturer can see the Digital Twin of the supplied product.
+  - Postman -> AASDataspace -> Rules -> Gear (In Postman collection)
+    - We need to add rules separately for AAS/SM Registry as well as AAS/SM Repository
+    - Before providing the access
+      - Postman -> AASDataspace -> Rules -> Manufacturer
+      - Go to GET_GearAAS request or GET_SupplierSMFrom_GearAAS -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send the request
+      - These requests will return 403
+    - Add rules to provide access
+      - Postman -> AASDataspace -> Rules -> Gear
+      - For each requests -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send each requests
+      - These requests will return 201 indicating a new rule has been added to the Security Submodel using Dynamic RBAC Management
+    - Now retry accessing the resource as a Manufacturer
+      - Postman -> AASDataspace -> Rules -> Manufacturer
+      - Go to GET_GearAAS request or GET_SupplierSMFrom_GearAAS -> Authorization -> Get New Access Token (at very bottom) -> Use Token
+      - Send the request
+      - These requests will return 200 OK

examples/BaSyxDynamicRBAC/README.md

@@ -0,0 +1,12 @@
+server.port=8081
+spring.application.name=AAS Discovery Service
+basyx.aasdiscoveryservice.name=aas-discovery-service
+basyx.backend=InMemory
+basyx.cors.allowed-origins=*
+basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
+
+basyx.feature.authorization.enabled = true
+basyx.feature.authorization.type = rbac
+basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak:9097/realms/BaSyx

examples/BaSyxDynamicRBAC/aas/FrameAAS.aasx

@@ -0,0 +1,45 @@
+server.port=8081
+basyx.backend=InMemory
+basyx.environment=file:aas
+basyx.cors.allowed-origins=*
+basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD
+basyx.aasrepository.feature.registryintegration=http://aas-registry:8080
+basyx.submodelrepository.feature.registryintegration=http://sm-registry:8080
+basyx.externalurl=http://localhost:8081
+
+basyx.feature.authorization.enabled = true
+basyx.feature.authorization.type = rbac
+basyx.feature.authorization.jwtBearerTokenProvider = keycloak
+basyx.feature.authorization.rbac.file = file:/application/rbac_rules.json
+
+basyx.feature.authorization.rules.backend=Submodel
+basyx.feature.authorization.rules.backend.submodel.authorization.endpoint=http://security-submodel:8081/submodels/U2VjdXJpdHlTdWJtb2RlbA==
+basyx.feature.authorization.rules.backend.submodel.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.feature.authorization.rules.backend.submodel.authorization.grant-type = CLIENT_CREDENTIALS
+basyx.feature.authorization.rules.backend.submodel.authorization.client-id=workstation-1
+basyx.feature.authorization.rules.backend.submodel.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
+
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://keycloak-rbac:8080/realms/BaSyx
+basyx.aasenvironment.authorization.preconfiguration.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.aasenvironment.authorization.preconfiguration.grant-type = CLIENT_CREDENTIALS
+basyx.aasenvironment.authorization.preconfiguration.client-id=workstation-1
+basyx.aasenvironment.authorization.preconfiguration.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
+#basyx.aasenvironment.authorization.preconfiguration.username=username
+#basyx.aasenvironment.authorization.preconfiguration.password=password
+#basyx.aasenvironment.authorization.preconfiguration.scopes=
+spring.servlet.multipart.max-request-size=128MB
+spring.servlet.multipart.max-file-size=128MB
+
+basyx.aasrepository.feature.registryintegration.authorization.enabled=true
+basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.aasrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
+basyx.aasrepository.feature.registryintegration.authorization.client-id = workstation-1
+basyx.aasrepository.feature.registryintegration.authorization.client-secret = nY0mjyECF60DGzNmQUjL81XurSl8etom
+basyx.submodelrepository.feature.registryintegration.authorization.enabled=true
+basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://keycloak-rbac:8080/realms/BaSyx/protocol/openid-connect/token
+basyx.submodelrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
+basyx.submodelrepository.feature.registryintegration.authorization.client-id=workstation-1
+basyx.submodelrepository.feature.registryintegration.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom
+#basyx.aasrepository.feature.registryintegration.authorization.username=test
+#basyx.aasrepository.feature.registryintegration.authorization.password=test
+#basyx.aasrepository.feature.registryintegration.authorization.scopes=[]

examples/BaSyxDynamicRBAC/aas/GearAAS.aasx

@@ -0,0 +1,43 @@
+[
+  {
+    "role": "basyx-assetid-creator",
+    "action": "CREATE",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-assetid-discoverer",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-assetid-deleter",
+    "action": "DELETE",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": "*",
+      "assetIds": []
+    }
+  },
+  {
+    "role": "basyx-aas-discoverer",
+    "action": "READ",
+    "targetInformation": {
+      "@type": "aas-discovery-service",
+      "aasIds": null,
+      "assetIds": [
+        {
+          "name": "*",
+          "value": "*"
+        }
+      ]
+    }
+  }
+]

examples/BaSyxDynamicRBAC/basyx/aas-discovery.properties

@@ -0,0 +1,36 @@
+[
+  {
+    "role": "admin",
+    "action": ["CREATE", "READ", "UPDATE", "DELETE"],
+    "targetInformation": {
+      "@type": "concept-description",
+      "conceptDescriptionIds": "*"
+    }
+  },
+  {
+    "role": "admin",
+    "action": ["CREATE", "READ", "UPDATE", "DELETE"],
+    "targetInformation": {
+      "@type": "aas",
+      "aasIds": "*"
+    }
+  },
+  {
+    "role": "admin",
+    "action": ["CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"],
+    "targetInformation": {
+      "@type": "submodel",
+      "submodelIds": "*",
+      "submodelElementIdShortPaths": "*"
+    }
+  },
+  {
+    "role": "admin",
+    "action": ["CREATE", "READ", "UPDATE", "DELETE"],
+    "targetInformation": {
+      "@type": "aas-environment",
+      "aasIds": "*",
+      "submodelIds": "*"
+    }
+  }
+]