Feat/initial constructx policy extension

edc-extensions/constructx-policy/README.md

@@ -0,0 +1,7 @@
+# EDC Control-Plane Base Module
+
+## Building
+
+```shell
+./gradlew :edc-extensions:constructx-policy:build
+```

edc-extensions/constructx-policy/build.gradle.kts

@@ -0,0 +1,49 @@
+/********************************************************************************
+ * Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ * Copyright (c) 2025 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+plugins {
+    `java-library`
+    `java-test-fixtures`
+}
+
+dependencies {
+    api(project(":edc-extensions:bpn-validation:bpn-validation-spi"))
+    implementation(project(":spi:core-spi"))
+    implementation(project(":core:core-utils"))
+    implementation(project(":spi:bdrs-client-spi"))
+    implementation(libs.edc.core.policy.monitor)
+    implementation(libs.edc.spi.catalog)
+    implementation(libs.edc.spi.contract)
+    implementation(libs.edc.spi.decentralized.claims)
+    implementation(libs.edc.spi.policyengine)
+    implementation(libs.edc.spi.vc)
+    implementation(libs.jakartaJson)
+    implementation(libs.edc.spi.jsonld)
+    testImplementation(libs.jacksonJsonP)
+    testImplementation(libs.titaniumJsonLd)
+
+    //validator dependencies
+    api(libs.edc.spi.controlplane)
+    implementation(libs.edc.lib.validator)
+
+    testImplementation(libs.edc.junit)
+    testFixturesImplementation(libs.edc.junit)
+    testFixturesImplementation(libs.edc.spi.jsonld)
+}

edc-extensions/constructx-policy/src/main/java/org/constructx/edc/policy/constructx/ConstructxPolicyConstants.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2026 Materna SE
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.constructx.edc.policy.constructx;
+
+/**
+ * Constants used across Construct-X EDC policy extension.
+ */
+public final class ConstructxPolicyConstants {
+
+    public static final String CONSTRUCTX_POLICY_NS = "https://w3id.org/constructx/policy/v1.0/";
+    public static final String CONSTRUCTX_POLICY_PREFIX = "constructx-policy";
+    public static final String CONSTRUCTX_POLICY_CONTEXT = CONSTRUCTX_POLICY_NS + "context.jsonld";
+
+    public static final String CONSTRUCTX_CONTEXT = "https://w3id.org/constructx/edc/v0.0.1";
+
+    public static final String CONSTRUCTX_CREDENTIAL_NS = "https://w3id.org/constructx/credentials/v1.0/";
+    public static final String CONSTRUCTX_CREDENTIAL_PREFIX = "constructx-credentials";
+    public static final String CONSTRUCTX_CREDENTIAL_CONTEXT = CONSTRUCTX_CREDENTIAL_NS + "context.jsonld";
+
+    private ConstructxPolicyConstants() {
+    }
+}

edc-extensions/constructx-policy/src/main/java/org/constructx/edc/policy/constructx/ConstructxPolicyExtension.java

@@ -0,0 +1,58 @@
+/********************************************************************************
+ * Copyright (c) 2024 T-Systems International GmbH
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.constructx.edc.policy.constructx;
+
+import org.eclipse.edc.policy.engine.spi.PolicyEngine;
+import org.eclipse.edc.policy.engine.spi.RuleBindingRegistry;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+
+import static org.constructx.edc.policy.constructx.ConstructxPolicyRegistration.registerBindings;
+import static org.constructx.edc.policy.constructx.ConstructxPolicyRegistration.registerFunctions;
+
+
+/**
+ * Provides implementations of standard Construct-X usage policies.
+ */
+public class ConstructxPolicyExtension implements ServiceExtension {
+    private static final String NAME = "Construct-X Policy";
+
+    @Inject
+    private PolicyEngine policyEngine;
+
+    @Inject
+    private Monitor monitor;
+
+    @Inject
+    private RuleBindingRegistry bindingRegistry;
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Override
+    public void initialize(ServiceExtensionContext context) {
+        registerFunctions(policyEngine, monitor);
+        registerBindings(bindingRegistry);
+    }
+}

edc-extensions/constructx-policy/src/main/java/org/constructx/edc/policy/constructx/ConstructxPolicyRegistration.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2024 T-Systems International GmbH
+ * Copyright (c) 2025 SAP SE
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.constructx.edc.policy.constructx;
+
+import org.constructx.edc.policy.constructx.membership.MembershipCredentialConstraintFunction;
+import org.eclipse.edc.policy.engine.spi.PolicyEngine;
+import org.eclipse.edc.policy.engine.spi.RuleBindingRegistry;
+import org.eclipse.edc.policy.model.Permission;
+import org.eclipse.edc.spi.monitor.Monitor;
+
+import java.util.Set;
+import java.util.stream.Stream;
+
+import static org.constructx.edc.policy.constructx.ConstructxPolicyConstants.CONSTRUCTX_POLICY_NS;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.CATALOG_REQUEST_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.CATALOG_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.CATALOG_SCOPE_CLASS;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.NEGOTIATION_REQUEST_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.NEGOTIATION_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.NEGOTIATION_SCOPE_CLASS;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.TRANSFER_PROCESS_REQUEST_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.TRANSFER_PROCESS_SCOPE;
+import static org.constructx.edc.policy.constructx.common.PolicyScopes.TRANSFER_PROCESS_SCOPE_CLASS;
+import static org.constructx.edc.policy.constructx.membership.MembershipCredentialConstraintFunction.CONSTRUCTX_MEMBERSHIP_LITERAL;
+import static org.constructx.edc.policy.constructx.membership.MembershipCredentialConstraintFunction.MEMBERSHIP_LITERAL;
+import static org.eclipse.edc.policy.model.OdrlNamespace.ODRL_SCHEMA;
+
+/**
+ * Registers Construct-X policy constraints to the EDC.
+ */
+public class ConstructxPolicyRegistration {
+    private static final Set<Class> FUNCTION_SCOPES_CLASSES =
+            Set.of(CATALOG_SCOPE_CLASS, NEGOTIATION_SCOPE_CLASS, TRANSFER_PROCESS_SCOPE_CLASS);
+
+    private static final Set<String> RULE_SCOPES =
+            Set.of(CATALOG_REQUEST_SCOPE, NEGOTIATION_REQUEST_SCOPE, TRANSFER_PROCESS_REQUEST_SCOPE,
+                    CATALOG_SCOPE, NEGOTIATION_SCOPE, TRANSFER_PROCESS_SCOPE);
+
+    public static void registerFunctions(PolicyEngine engine, Monitor monitor) {
+        FUNCTION_SCOPES_CLASSES.forEach(scope ->
+                engine.registerFunction(scope, Permission.class, new MembershipCredentialConstraintFunction<>(monitor))
+        );
+    }
+
+    public static void registerBindings(RuleBindingRegistry registry) {
+        registry.dynamicBind(s -> {
+            if (Stream.of(MEMBERSHIP_LITERAL, CONSTRUCTX_MEMBERSHIP_LITERAL)
+                    .anyMatch(postfix -> s.startsWith(CONSTRUCTX_POLICY_NS + postfix))) {
+                return RULE_SCOPES;
+            }
+            return Set.of();
+        });
+
+        registry.bind(ODRL_SCHEMA + "use", CATALOG_SCOPE);
+        registry.bind(ODRL_SCHEMA + "use", NEGOTIATION_SCOPE);
+        registry.bind(ODRL_SCHEMA + "use", TRANSFER_PROCESS_SCOPE);
+    }
+}

edc-extensions/constructx-policy/src/main/java/org/constructx/edc/policy/constructx/common/AbstractDynamicCredentialConstraintFunction.java

@@ -0,0 +1,112 @@
+/********************************************************************************
+ * Copyright (c) 2024 T-Systems International GmbH
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.constructx.edc.policy.constructx.common;
+
+import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential;
+import org.eclipse.edc.participant.spi.ParticipantAgent;
+import org.eclipse.edc.participant.spi.ParticipantAgentPolicyContext;
+import org.eclipse.edc.policy.engine.spi.DynamicAtomicConstraintRuleFunction;
+import org.eclipse.edc.policy.engine.spi.PolicyContext;
+import org.eclipse.edc.policy.model.Operator;
+import org.eclipse.edc.policy.model.Permission;
+import org.eclipse.edc.spi.result.Result;
+
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * This is a base class for dynamically bound Construct-X constraint evaluation functions that implements some basic common functionality and defines some
+ * common constants
+ */
+public abstract class AbstractDynamicCredentialConstraintFunction<C extends ParticipantAgentPolicyContext> implements DynamicAtomicConstraintRuleFunction<Permission, C> {
+    /**
+     * Verifiable credential key to extract values
+     */
+    public static final String VC_CLAIM = "vc";
+
+    /**
+     * Expected right operand of membership. Inactive members cannot participate.
+     */
+    public static final String ACTIVE = "active";
+
+    /**
+     * Credential Literal used to identify credentials and extract from credentialScopeExtractor
+     */
+    public static final String CREDENTIAL_LITERAL = "Credential";
+
+    /**
+     * Expected ODRL operators to check fx policy
+     */
+    protected static final Collection<Operator> EQUALITY_OPERATORS = List.of(Operator.EQ, Operator.NEQ);
+
+    /**
+     * checks acceptability of ODRL operator passed for constraint validation.
+     *
+     * @param actual operator from request
+     * @param context context of the policy
+     * @param expectedOperators collection of allowed operators
+     * @return true/false based on validity of the operator
+     */
+    protected boolean checkOperator(Operator actual, PolicyContext context, Collection<Operator> expectedOperators) {
+        if (!expectedOperators.contains(actual)) {
+            context.reportProblem("Invalid operator: this constraint only allows the following operators: %s, but received '%s'.".formatted(EQUALITY_OPERATORS, actual));
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * extracts participant agent from the policy context.
+     *
+     * @param context policy context from which participant is extracted.
+     * @return participant agent needed to validate policies.
+     */
+    protected Result<ParticipantAgent> extractParticipantAgent(C context) {
+        // make sure the ParticipantAgent is there
+        var participantAgent = context.participantAgent();
+        if (participantAgent == null) {
+            return Result.failure("Required PolicyContext data not found: " + ParticipantAgent.class.getName());
+        }
+        return Result.success(participantAgent);
+    }
+
+    /**
+     * Extracts a {@link List} of {@link VerifiableCredential} objects from the {@link ParticipantAgent}. Credentials must be
+     * stored in the agent's claims map using the "vc" key.
+     *
+     * @param agent participantAgent which contains information on the participant.
+     * @return list of verifiable credentials extracted from the participant agent
+     */
+    protected Result<List<VerifiableCredential>> getCredentialList(ParticipantAgent agent) {
+        var vcListClaim = agent.getClaims().get(VC_CLAIM);
+
+        if (vcListClaim == null) {
+            return Result.failure("ParticipantAgent did not contain a '%s' claim.".formatted(VC_CLAIM));
+        }
+        if (!(vcListClaim instanceof List)) {
+            return Result.failure("ParticipantAgent contains a '%s' claim, but the type is incorrect. Expected %s, received %s.".formatted(VC_CLAIM, List.class.getName(), vcListClaim.getClass().getName()));
+        }
+        var vcList = (List<VerifiableCredential>) vcListClaim;
+        if (vcList.isEmpty()) {
+            return Result.failure("ParticipantAgent contains a '%s' claim but it did not contain any VerifiableCredentials.".formatted(VC_CLAIM));
+        }
+        return Result.success(vcList);
+    }
+}