refactor: moved security checks in protocol service layer

core/control-plane/contract-core/src/test/java/org/eclipse/edc/connector/contract/negotiation/ContractNegotiationIntegrationTest.java

@@ -37,6 +37,8 @@
 import org.eclipse.edc.policy.model.Policy;
 import org.eclipse.edc.policy.model.PolicyType;
 import org.eclipse.edc.spi.iam.ClaimToken;
+import org.eclipse.edc.spi.iam.IdentityService;
+import org.eclipse.edc.spi.iam.TokenRepresentation;
 import org.eclipse.edc.spi.message.RemoteMessageDispatcherRegistry;
 import org.eclipse.edc.spi.monitor.ConsoleMonitor;
 import org.eclipse.edc.spi.protocol.ProtocolWebhook;
@@ -85,7 +87,9 @@ class ContractNegotiationIntegrationTest {
     private final ContractValidationService validationService = mock(ContractValidationService.class);
     private final RemoteMessageDispatcherRegistry providerDispatcherRegistry = mock(RemoteMessageDispatcherRegistry.class);
     private final RemoteMessageDispatcherRegistry consumerDispatcherRegistry = mock(RemoteMessageDispatcherRegistry.class);
+    private final IdentityService identityService = mock();
     protected ClaimToken token = ClaimToken.Builder.newInstance().build();
+    protected TokenRepresentation tokenRepresentation = TokenRepresentation.Builder.newInstance().build();
     private final ProtocolWebhook protocolWebhook = () -> "http://dummy";
     private String consumerNegotiationId;
 
@@ -119,8 +123,9 @@ void init() {
                 .protocolWebhook(protocolWebhook)
                 .build();
 
-        consumerService = new ContractNegotiationProtocolServiceImpl(consumerStore, new NoopTransactionContext(), validationService, new ContractNegotiationObservableImpl(), monitor, mock(Telemetry.class));
-        providerService = new ContractNegotiationProtocolServiceImpl(providerStore, new NoopTransactionContext(), validationService, new ContractNegotiationObservableImpl(), monitor, mock(Telemetry.class));
+        when(identityService.verifyJwtToken(eq(tokenRepresentation), any())).thenReturn(Result.success(token));
+        consumerService = new ContractNegotiationProtocolServiceImpl(consumerStore, new NoopTransactionContext(), validationService, identityService, new ContractNegotiationObservableImpl(), monitor, mock(Telemetry.class));
+        providerService = new ContractNegotiationProtocolServiceImpl(providerStore, new NoopTransactionContext(), validationService, identityService, new ContractNegotiationObservableImpl(), monitor, mock(Telemetry.class));
     }
 
     @AfterEach
@@ -261,7 +266,7 @@ private Answer<Object> onConsumerSentOfferRequest() {
         return i -> {
             ContractRequestMessage request = i.getArgument(1);
             consumerNegotiationId = request.getProcessId();
-            var result = providerService.notifyRequested(request, token);
+            var result = providerService.notifyRequested(request, tokenRepresentation);
             return toFuture(result);
         };
     }
@@ -270,7 +275,7 @@ private Answer<Object> onConsumerSentOfferRequest() {
     private Answer<Object> onConsumerSentRejection() {
         return i -> {
             ContractNegotiationTerminationMessage request = i.getArgument(1);
-            var result = providerService.notifyTerminated(request, token);
+            var result = providerService.notifyTerminated(request, tokenRepresentation);
             return toFuture(result);
         };
     }
@@ -279,7 +284,7 @@ private Answer<Object> onConsumerSentRejection() {
     private Answer<Object> onProviderSentAgreementRequest() {
         return i -> {
             ContractAgreementMessage request = i.getArgument(1);
-            var result = consumerService.notifyAgreed(request, token);
+            var result = consumerService.notifyAgreed(request, tokenRepresentation);
             return toFuture(result);
         };
     }
@@ -288,7 +293,7 @@ private Answer<Object> onProviderSentAgreementRequest() {
     private Answer<Object> onProviderSentNegotiationEventMessage() {
         return i -> {
             ContractNegotiationEventMessage request = i.getArgument(1);
-            var result = consumerService.notifyFinalized(request, token);
+            var result = consumerService.notifyFinalized(request, tokenRepresentation);
             return toFuture(result);
         };
     }
@@ -297,7 +302,7 @@ private Answer<Object> onProviderSentNegotiationEventMessage() {
     private Answer<Object> onConsumerSentAgreementVerification() {
         return i -> {
             ContractAgreementVerificationMessage request = i.getArgument(1);
-            var result = providerService.notifyVerified(request, token);
+            var result = providerService.notifyVerified(request, tokenRepresentation);
             return toFuture(result);
         };
     }
@@ -306,7 +311,7 @@ private Answer<Object> onConsumerSentAgreementVerification() {
     private Answer<Object> onProviderSentRejection() {
         return i -> {
             ContractNegotiationTerminationMessage request = i.getArgument(1);
-            var result = consumerService.notifyTerminated(request, token);
+            var result = consumerService.notifyTerminated(request, tokenRepresentation);
             return toFuture(result);
         };
     }

core/control-plane/control-plane-aggregate-services/src/main/java/org/eclipse/edc/connector/service/ControlPlaneServicesExtension.java

@@ -58,6 +58,7 @@
 import org.eclipse.edc.spi.asset.AssetIndex;
 import org.eclipse.edc.spi.command.CommandHandlerRegistry;
 import org.eclipse.edc.spi.event.EventRouter;
+import org.eclipse.edc.spi.iam.IdentityService;
 import org.eclipse.edc.spi.message.RemoteMessageDispatcherRegistry;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.system.ServiceExtension;
@@ -136,6 +137,9 @@ public class ControlPlaneServicesExtension implements ServiceExtension {
     @Inject
     private DataAddressValidatorRegistry dataAddressValidator;
 
+    @Inject
+    private IdentityService identityService;
+
     @Override
     public String name() {
         return NAME;
@@ -155,7 +159,7 @@ public CatalogService catalogService() {
 
     @Provider
     public CatalogProtocolService catalogProtocolService(ServiceExtensionContext context) {
-        return new CatalogProtocolServiceImpl(datasetResolver, participantAgentService, dataServiceRegistry, context.getParticipantId());
+        return new CatalogProtocolServiceImpl(datasetResolver, participantAgentService, dataServiceRegistry, identityService, monitor, context.getParticipantId());
     }
 
     @Provider
@@ -178,7 +182,7 @@ public ContractNegotiationService contractNegotiationService() {
     @Provider
     public ContractNegotiationProtocolService contractNegotiationProtocolService() {
         return new ContractNegotiationProtocolServiceImpl(contractNegotiationStore,
-                transactionContext, contractValidationService, contractNegotiationObservable,
+                transactionContext, contractValidationService, identityService, contractNegotiationObservable,
                 monitor, telemetry);
     }
 
@@ -198,6 +202,6 @@ public TransferProcessService transferProcessService() {
     @Provider
     public TransferProcessProtocolService transferProcessProtocolService() {
         return new TransferProcessProtocolServiceImpl(transferProcessStore, transactionContext, contractNegotiationStore,
-                contractValidationService, dataAddressValidator, transferProcessObservable, clock, monitor, telemetry);
+                contractValidationService, identityService, dataAddressValidator, transferProcessObservable, clock, monitor, telemetry);
     }
 }

core/control-plane/control-plane-aggregate-services/src/main/java/org/eclipse/edc/connector/service/catalog/CatalogProtocolServiceImpl.java

@@ -19,17 +19,20 @@
 import org.eclipse.edc.catalog.spi.DataServiceRegistry;
 import org.eclipse.edc.catalog.spi.Dataset;
 import org.eclipse.edc.catalog.spi.DatasetResolver;
+import org.eclipse.edc.connector.service.protocol.BaseProtocolService;
 import org.eclipse.edc.connector.spi.catalog.CatalogProtocolService;
 import org.eclipse.edc.spi.agent.ParticipantAgentService;
-import org.eclipse.edc.spi.iam.ClaimToken;
+import org.eclipse.edc.spi.iam.IdentityService;
+import org.eclipse.edc.spi.iam.TokenRepresentation;
+import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.result.ServiceResult;
 import org.jetbrains.annotations.NotNull;
 
 import static java.lang.String.format;
 import static java.util.stream.Collectors.toList;
 import static org.eclipse.edc.spi.CoreConstants.EDC_NAMESPACE;
 
-public class CatalogProtocolServiceImpl implements CatalogProtocolService {
+public class CatalogProtocolServiceImpl extends BaseProtocolService implements CatalogProtocolService {
 
     private static final String PARTICIPANT_ID_PROPERTY_KEY = "participantId";
 
@@ -40,7 +43,11 @@ public class CatalogProtocolServiceImpl implements CatalogProtocolService {
 
     public CatalogProtocolServiceImpl(DatasetResolver datasetResolver,
                                       ParticipantAgentService participantAgentService,
-                                      DataServiceRegistry dataServiceRegistry, String participantId) {
+                                      DataServiceRegistry dataServiceRegistry,
+                                      IdentityService identityService,
+                                      Monitor monitor,
+                                      String participantId) {
+        super(identityService, monitor);
         this.datasetResolver = datasetResolver;
         this.participantAgentService = participantAgentService;
         this.dataServiceRegistry = dataServiceRegistry;
@@ -49,32 +56,36 @@ public CatalogProtocolServiceImpl(DatasetResolver datasetResolver,
 
     @Override
     @NotNull
-    public ServiceResult<Catalog> getCatalog(CatalogRequestMessage message, ClaimToken claimToken) {
-        var agent = participantAgentService.createFor(claimToken);
+    public ServiceResult<Catalog> getCatalog(CatalogRequestMessage message, TokenRepresentation tokenRepresentation) {
+        return withClaimToken(tokenRepresentation, (claimToken) -> {
+            var agent = participantAgentService.createFor(claimToken);
 
-        try (var datasets = datasetResolver.query(agent, message.getQuerySpec())) {
-            var dataServices = dataServiceRegistry.getDataServices();
+            try (var datasets = datasetResolver.query(agent, message.getQuerySpec())) {
+                var dataServices = dataServiceRegistry.getDataServices();
 
-            var catalog = Catalog.Builder.newInstance()
-                    .dataServices(dataServices)
-                    .datasets(datasets.collect(toList()))
-                    .property(EDC_NAMESPACE + PARTICIPANT_ID_PROPERTY_KEY, participantId)
-                    .build();
+                var catalog = Catalog.Builder.newInstance()
+                        .dataServices(dataServices)
+                        .datasets(datasets.collect(toList()))
+                        .property(EDC_NAMESPACE + PARTICIPANT_ID_PROPERTY_KEY, participantId)
+                        .build();
 
-            return ServiceResult.success(catalog);
-        }
+                return ServiceResult.success(catalog);
+            }
+        });
     }
 
     @Override
-    public @NotNull ServiceResult<Dataset> getDataset(String datasetId, ClaimToken claimToken) {
-        var agent = participantAgentService.createFor(claimToken);
+    public @NotNull ServiceResult<Dataset> getDataset(String datasetId, TokenRepresentation tokenRepresentation) {
+        return withClaimToken(tokenRepresentation, (claimToken) -> {
+            var agent = participantAgentService.createFor(claimToken);
 
-        var dataset = datasetResolver.getById(agent, datasetId);
+            var dataset = datasetResolver.getById(agent, datasetId);
 
-        if (dataset == null) {
-            return ServiceResult.notFound(format("Dataset %s does not exist", datasetId));
-        }
+            if (dataset == null) {
+                return ServiceResult.notFound(format("Dataset %s does not exist", datasetId));
+            }
 
-        return ServiceResult.success(dataset);
+            return ServiceResult.success(dataset);
+        });
     }
 }