chore: split token-core into token-lib (#4572)

* chore: split token-core into token-lib

* fix e2e, comp and pg tests

* checkstyle

* fix license header

core/common/lib/token-lib/build.gradle.kts

@@ -0,0 +1,31 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+    `maven-publish`
+}
+
+dependencies {
+    api(project(":spi:common:keys-spi"))
+    api(project(":spi:common:token-spi"))
+    api(project(":spi:common:jwt-spi"))
+    api(project(":spi:common:jwt-signer-spi"))
+
+    implementation(project(":core:common:lib:crypto-common-lib")) // for the CryptoConverter
+    implementation(libs.nimbus.jwt)
+    api(libs.bouncyCastle.bcpkixJdk18on)
+}
+
+

core/common/token-core/src/main/java/org/eclipse/edc/token/rules/AudienceValidationRule.java → core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/AudienceValidationRule.java

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2022 - 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -14,6 +14,7 @@
 
 package org.eclipse.edc.token.rules;
 
+import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
@@ -22,8 +23,6 @@
 
 import java.util.Map;
 
-import static com.nimbusds.jwt.JWTClaimNames.AUDIENCE;
-
 
 public class AudienceValidationRule implements TokenValidationRule {
     private final String expectedAudience;
@@ -34,7 +33,7 @@ public AudienceValidationRule(String expectedAudience) {
 
     @Override
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
-        var audiences = toVerify.getListClaim(AUDIENCE);
+        var audiences = toVerify.getListClaim(JwtRegisteredClaimNames.AUDIENCE);
         if (audiences.isEmpty()) {
             return Result.failure("Required audience (aud) claim is missing in token");
         } else if (!audiences.contains(expectedAudience)) {

core/common/token-core/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java → core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2022 - 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -14,6 +14,7 @@
 
 package org.eclipse.edc.token.rules;
 
+import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
@@ -23,9 +24,6 @@
 import java.time.Clock;
 import java.util.Map;
 
-import static com.nimbusds.jwt.JWTClaimNames.EXPIRATION_TIME;
-import static com.nimbusds.jwt.JWTClaimNames.ISSUED_AT;
-
 
 /**
  * Token validation rule that checks if the token is not expired and if the "issued at" claim is valued correctly
@@ -55,7 +53,7 @@ public ExpirationIssuedAtValidationRule(Clock clock, int issuedAtLeeway, boolean
     @Override
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
         var now = clock.instant();
-        var expires = toVerify.getInstantClaim(EXPIRATION_TIME);
+        var expires = toVerify.getInstantClaim(JwtRegisteredClaimNames.EXPIRATION_TIME);
         if (expires == null) {
             if (!allowNull) {
                 return Result.failure("Required expiration time (exp) claim is missing in token");
@@ -64,7 +62,7 @@ public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String
             return Result.failure("Token has expired (exp)");
         }
 
-        var issuedAt = toVerify.getInstantClaim(ISSUED_AT);
+        var issuedAt = toVerify.getInstantClaim(JwtRegisteredClaimNames.ISSUED_AT);
         if (issuedAt != null) {
             if (issuedAt.isAfter(expires)) {
                 return Result.failure("Issued at (iat) claim is after expiration time (exp) claim in token");

core/common/token-core/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java → core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2022 - 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -14,6 +14,7 @@
 
 package org.eclipse.edc.token.rules;
 
+import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
@@ -23,8 +24,6 @@
 import java.time.Clock;
 import java.util.Map;
 
-import static com.nimbusds.jwt.JWTClaimNames.NOT_BEFORE;
-
 
 /**
  * Token validation rule that checks if the "not before" claim is valid
@@ -54,7 +53,7 @@ public NotBeforeValidationRule(Clock clock, int notBeforeLeeway, boolean allowNu
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
         var now = clock.instant();
         var leewayNow = now.plusSeconds(notBeforeLeeway);
-        var notBefore = toVerify.getInstantClaim(NOT_BEFORE);
+        var notBefore = toVerify.getInstantClaim(JwtRegisteredClaimNames.NOT_BEFORE);
 
         if (notBefore == null) {
             if (!allowNull) {

core/common/token-core/build.gradle.kts

@@ -18,14 +18,8 @@ plugins {
 }
 
 dependencies {
-    api(project(":spi:common:keys-spi"))
-    api(project(":spi:common:token-spi"))
-    api(project(":spi:common:jwt-spi"))
-    api(project(":spi:common:jwt-signer-spi"))
-
-    implementation(project(":core:common:lib:crypto-common-lib")) // for the CryptoConverter
-    implementation(libs.nimbus.jwt)
-    api(libs.bouncyCastle.bcpkixJdk18on)
+    implementation(project(":core:common:lib:token-lib"))
+    implementation(project(":core:common:lib:crypto-common-lib"))
 }
 
 

dist/bom/controlplane-base-bom/build.gradle.kts

@@ -23,6 +23,7 @@ dependencies {
     // core dependencies
     api(project(":core:common:boot"))
     api(project(":core:common:connector-core"))
+    api(project(":core:common:token-core"))
     api(project(":core:control-plane:control-plane-core"))
     api(project(":core:common:edr-store-core"))
     api(project(":data-protocols:dsp"))
@@ -49,5 +50,5 @@ dependencies {
 }
 
 edcBuild {
-    
+
 }

dist/bom/dataplane-base-bom/build.gradle.kts

@@ -23,6 +23,7 @@ dependencies {
     // core dependencies
     api(project(":core:common:boot"))
     api(project(":core:common:connector-core"))
+    api(project(":core:common:token-core"))
     api(project(":core:data-plane:data-plane-core"))
 
 

dist/bom/sts-feature-bom/build.gradle.kts

@@ -24,6 +24,7 @@ dependencies {
     // core dependencies
     api(project(":core:common:boot"))
     api(project(":core:common:connector-core"))
+    api(project(":core:common:token-core"))
 
 
     // extension dependencies

extensions/common/auth/auth-delegated/build.gradle.kts

@@ -19,8 +19,9 @@ plugins {
 dependencies {
     api(project(":spi:common:auth-spi"))
     api(project(":spi:common:token-spi"))
-    implementation(project(":core:common:token-core")) // for the validation rules
     implementation(project(":core:common:lib:crypto-common-lib"))
+    implementation(project(":core:common:lib:token-lib"))
+
     implementation(libs.jakarta.rsApi)
     implementation(libs.nimbus.jwt)
 

extensions/common/crypto/jwt-verifiable-credentials/build.gradle.kts

@@ -23,7 +23,7 @@ dependencies {
     implementation(project(":spi:common:jwt-spi"))
     implementation(project(":spi:common:identity-trust-spi"))
     implementation(project(":core:common:lib:util-lib"))
-    implementation(project(":core:common:token-core")) // for the token rules
+    implementation(project(":core:common:lib:token-lib"))
 
 
     testImplementation(project(":core:common:lib:json-ld-lib"))

extensions/common/crypto/jwt-verifiable-credentials/src/main/java/org/eclipse/edc/verifiablecredentials/jwt/rules/IssuerEqualsSubjectRule.java

@@ -14,7 +14,7 @@
 
 package org.eclipse.edc.verifiablecredentials.jwt.rules;
 
-import com.nimbusds.jwt.JWTClaimNames;
+import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
@@ -29,8 +29,8 @@
 public class IssuerEqualsSubjectRule implements TokenValidationRule {
     @Override
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
-        var iss = toVerify.getStringClaim(JWTClaimNames.ISSUER);
-        var sub = toVerify.getStringClaim(JWTClaimNames.SUBJECT);
+        var iss = toVerify.getStringClaim(JwtRegisteredClaimNames.ISSUER);
+        var sub = toVerify.getStringClaim(JwtRegisteredClaimNames.SUBJECT);
 
         return iss != null && Objects.equals(iss, sub) ?
                 Result.success() :

extensions/common/iam/identity-trust/identity-trust-core/build.gradle.kts

@@ -12,7 +12,7 @@ dependencies {
     implementation(project(":spi:common:participant-spi"))
     implementation(project(":core:common:lib:util-lib"))
     implementation(project(":core:common:lib:crypto-common-lib"))
-    implementation(project(":core:common:token-core"))
+    implementation(project(":core:common:lib:token-lib"))
     implementation(project(":extensions:common:crypto:lib:jws2020-lib"))
     implementation(project(":extensions:common:crypto:jwt-verifiable-credentials"))
     implementation(project(":extensions:common:crypto:ldp-verifiable-credentials"))

extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-core/build.gradle.kts

@@ -7,10 +7,11 @@ dependencies {
     api(project(":spi:common:transaction-spi"))
     api(project(":spi:common:identity-trust-spi"))
     api(project(":spi:common:identity-trust-sts-spi"))
+    api(project(":spi:common:jwt-signer-spi"))
 
     implementation(project(":spi:common:keys-spi"))
     implementation(project(":extensions:common:iam:identity-trust:identity-trust-sts:identity-trust-sts-embedded"))
-    implementation(project(":core:common:token-core"))
+    implementation(project(":core:common:lib:token-lib"))
     implementation(project(":core:common:lib:store-lib"))
 
     testImplementation(testFixtures(project(":spi:common:identity-trust-sts-spi")))

extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-embedded/build.gradle.kts

@@ -11,7 +11,7 @@ dependencies {
     implementation(project(":core:common:lib:util-lib"))
     testImplementation(testFixtures(project(":spi:common:identity-trust-spi")))
     testImplementation(project(":core:common:junit"))
-    testImplementation(project(":core:common:token-core"))
+    testImplementation(project(":core:common:lib:token-lib"))
     testImplementation(libs.nimbus.jwt)
 }
 

extensions/common/iam/oauth2/oauth2-core/build.gradle.kts

@@ -20,8 +20,9 @@ dependencies {
     api(project(":spi:common:http-spi"))
     api(project(":spi:common:oauth2-spi"))
     implementation(project(":spi:common:keys-spi"))
+    implementation(project(":spi:common:jwt-signer-spi"))
     implementation(project(":extensions:common:iam:oauth2:oauth2-client"))
-    implementation(project(":core:common:token-core"))
+    implementation(project(":core:common:lib:token-lib"))
 
     implementation(libs.nimbus.jwt)
 

extensions/common/iam/oauth2/oauth2-daps/build.gradle.kts

@@ -21,6 +21,7 @@ dependencies {
     api(project(":spi:common:oauth2-spi"))
 
     testImplementation(project(":core:common:connector-core"))
+    testImplementation(project(":core:common:token-core"))
     testImplementation(project(":extensions:common:iam:oauth2:oauth2-core"))
     testImplementation(project(":core:common:junit"))
     testImplementation(libs.testcontainers.junit)

extensions/data-plane/data-plane-http-oauth2-core/build.gradle.kts

@@ -19,8 +19,8 @@ plugins {
 dependencies {
     api(project(":spi:data-plane:data-plane-http-spi"))
     api(project(":spi:common:oauth2-spi"))
-    api(project(":core:common:token-core"))
-
+    api(project(":spi:common:jwt-signer-spi"))
+    implementation(project(":core:common:lib:token-lib"))
     implementation(project(":spi:common:keys-spi"))
 
     testImplementation(project(":core:common:junit"))

extensions/data-plane/data-plane-iam/build.gradle.kts

@@ -22,7 +22,7 @@ dependencies {
     api(project(":spi:common:token-spi"))
     api(project(":spi:data-plane:data-plane-spi"))
 
-    implementation(project(":core:common:token-core"))
+    implementation(project(":core:common:lib:token-lib"))
 
     testImplementation(project(":core:common:junit"))
 }

settings.gradle.kts

@@ -54,6 +54,7 @@ include(":core:common:lib:http-lib")
 include(":core:common:lib:keys-lib")
 include(":core:common:lib:query-lib")
 include(":core:common:lib:store-lib")
+include(":core:common:lib:token-lib")
 include(":core:common:lib:state-machine-lib")
 include(":core:common:lib:crypto-common-lib")
 include(":core:common:lib:json-lib")

spi/common/identity-trust-spi/build.gradle.kts

@@ -20,6 +20,7 @@ plugins {
 
 dependencies {
     api(project(":spi:common:core-spi"))
+    api(project(":spi:common:token-spi"))
     api(project(":spi:common:participant-spi"))
     api(project(":spi:common:policy:request-policy-context-spi"))
     api(project(":spi:common:policy-engine-spi"))

spi/common/identity-trust-spi/src/main/java/org/eclipse/edc/iam/identitytrust/spi/DcpParticipantAgentServiceExtension.java

@@ -14,6 +14,7 @@
 
 package org.eclipse.edc.iam.identitytrust.spi;
 
+
 import org.eclipse.edc.participant.spi.ParticipantAgentServiceExtension;
 
 /**

system-tests/e2e-dataplane-tests/runtimes/data-plane/build.gradle.kts

@@ -17,6 +17,7 @@ plugins {
 
 dependencies {
     implementation(project(":core:common:connector-core"))
+    implementation(project(":core:common:token-core"))
     implementation(project(":core:data-plane:data-plane-core"))
     implementation(project(":extensions:common:api:control-api-configuration"))
     implementation(project(":extensions:common:http"))

system-tests/e2e-dataplane-tests/tests/src/test/java/org/eclipse/edc/test/e2e/DataPlaneSelectorEndToEndTest.java

@@ -55,6 +55,7 @@ public class DataPlaneSelectorEndToEndTest {
                     "edc.core.retry.retries.max", "0"
             ),
             ":core:common:connector-core",
+            ":core:common:token-core",
             ":core:control-plane:control-plane-core",
             ":core:data-plane-selector:data-plane-selector-core",
             ":extensions:control-plane:transfer:transfer-data-plane-signaling",

system-tests/e2e-transfer-test/data-plane/build.gradle.kts

@@ -18,6 +18,7 @@ plugins {
 
 dependencies {
     implementation(project(":core:data-plane:data-plane-core"))
+    implementation(project(":core:common:token-core"))
     implementation(project(":extensions:common:api:control-api-configuration"))
     implementation(project(":extensions:common:http"))
     implementation(project(":extensions:control-plane:api:control-plane-api-client"))