MaximilianHauer
diff --git a/‎README.md
+4 b/‎README.md
+4
diff --git a/‎docker/notice-credential-issuer-service.md
+1-1 b/‎docker/notice-credential-issuer-service.md
+1-1
diff --git a/‎docs/architecture/Architecture Constraints.md
+38 b/‎docs/architecture/Architecture Constraints.md
+38
diff --git a/‎docs/architecture/Context and scope.md
+18 b/‎docs/architecture/Context and scope.md
+18
diff --git a/‎docs/architecture/Development Concept.md
+143 b/‎docs/architecture/Development Concept.md
+143
diff --git a/‎docs/architecture/Requirements.md
+21 b/‎docs/architecture/Requirements.md
+21
diff --git a/‎docs/architecture/Security_Assessment.md
+16-20 b/‎docs/architecture/Security_Assessment.md
+16-20
diff --git a/‎docs/architecture/Solution strategy.md
+14 b/‎docs/architecture/Solution strategy.md
+14
diff --git a/‎docs/architecture/Whitebox Overall System.md
+55 b/‎docs/architecture/Whitebox Overall System.md
+55
@@ -2,6 +2,10 @@
 
 This repository contains the backend code for the SSI Credential Issuer written in C#.
 
+For **information about the SSI Credential Issuer**, please refer to the documentation, especially the context and scope section in the [architecture documentation](./docs/architecture).
+
+For **installation** details, please refer to the [README.md](./charts/ssi-credential-issuer/README.md) of the provided helm chart.
+
 ## How to build and run
 
 Install the [.NET 8.0 SDK](https://www.microsoft.com/net/download).
 
@@ -4,7 +4,7 @@ DockerHub: [https://hub.docker.com/r/tractusx/ssi-credential-issuer-service](htt
 
 Eclipse Tractus-X product(s) installed within the image:
 
-__Policy Hub Service__
+__SSI Credential Issuer Service__
 
 - GitHub: https://github.com/eclipse-tractusx/ssi-credential-issuer
 - Project home: https://projects.eclipse.org/projects/automotive.tractusx
 
@@ -0,0 +1,38 @@
+# Architecture Constraints
+
+## General
+
+- The SSI Credential Issuer is a central API for the handling of credentials. It handles the wallet communication for the creation and revocation of credentials of the issuer and holder. Another purpose is the expiry handling and automatic revocation of already expired credentials. There is no plan to implement an UI at the current stage.
+
+- Run anywhere: can be deployed as a docker image, e. g. on Kubernetes (platform-independent, cloud, on prem or local).
+
+## Developer
+
+- OpenSource software first - FOSS licenses approved by the eclipse foundation has to be used. It could represent the initial set that the CX community agrees on to regulate the content contribution under FOSS licenses.
+
+- Coding guidelines for FE and BE are defined and are to be followed for all portal related developments.
+
+- Apache License 2.0 - Apache License 2.0 is one of the approved licenses which should be used to respect and guarantee Intellectual property (IP).
+
+- Code Analysis, Linting and Code Coverage - Consistent style increases readability and maintainability of the code base. Hence, we use analyzers to enforce consistency and style rules. We enforce the code style and rules in the CI to avoid merging code that does not comply with standards.
+
+## Code analysis, linting and code coverage
+
+As part of the standard reviews, following code analysis and security checks have been executed:
+
+- SonarCloud Code Analysis
+- Thread Modelling Analysis
+- Static Application Security Testing (SAST)
+- Dynamic Application Security Testing (DAST)
+- Secret Scans
+- Software Composition Analysis (SCA)
+- Container Scans
+- Infrastructure as Code (IaC)
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer
@@ -0,0 +1,18 @@
+# Content and Scope
+
+## Business Context
+
+The SSI credential issuer is created to enable the communication with wallets and handle the creation, revocation and expiry of credentials.
+Additionally it gives the user a overview of available use case credentials.
+
+## Technical Context
+
+The SSI credential issuer comprise the technical foundation for interaction, monitoring, auditing and further functionalities. They are state of the art in terms of technology portfolio, consist of open-source components whenever possible and are open-sourced themselves 100%.
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer
@@ -0,0 +1,143 @@
+# Development Concept
+
+## Build, test, deploy
+
+Details to the build, test and deploy process can get found under the following md file: [Release Process](/docs/technical-documentation/release-process/Release%20Process.md)
+
+## Development Guidelines
+
+The SSI credential issuer is using following key frameworks:
+
+- .Net
+- Entity Framework
+
+### Swagger
+
+The API uses OpenAPI annotations to describe the endpoints with all necessary information. The annotations are then used to automatically generate the OpenAPI specification file, which can be viewed in the Swagger UI that is deployed with the application.
+
+#### API Dev Guidelines
+
+##### Implement authorization
+
+API's need to ensure that they only grant access to the authorized requester. For example, a user might be approved to access the API, but if they’re not allowed to add information to the application’s database via the POST method, any request to do so should be rejected. Authorization information can also be contained within a request as a token.
+
+Unlike some other API types, REST APIs must authenticate and authorize each request made to the server, even if multiple requests come from the same user. This is because REST communications are stateless — that is, each request can be understood by the API in isolation, without information from previous requests.
+
+Authorization can be governed by user roles, where each role comes with different permissions. Generally, API developers should adhere to the principle of least privilege, which states that users should only have access to the resources and methods necessary for their role, and nothing more. Predefined roles make it easier to oversee and change user permissions, reducing the chance that a bad actor can access sensitive data.
+
+In terms of implementation all endpoints should be secured with the highest restrictions as default. Restrictions should only be lessened through explicit exemptions. This ensures that in case of oversights an endpoint can be more secured than intended but never less secured.
+
+##### Validate all requests
+
+As mentioned, sometimes requests from perfectly valid sources may be hacking attempts. Therefore, APIs need rules to determine whether a request is friendly, friendly but invalid, or harmful, like an attempt to inject harmful code.
+
+An API request is only processed once its contents pass a thorough validation check — otherwise, the request should never reach the application data layer.
+
+Validation also includes sanity checks: Define sensible value ranges for the parameters a user provides. This especially is valid for the size of the request and the response. APIs should limit the possible number of records to process in order to prevent intentional or unintentional overloads of the system.
+
+##### Encrypt all requests and responses
+
+To prevent MITM attacks, any data transfer from the user to the API server or vice versa must be properly encrypted. This way, any intercepted requests or responses are useless to the intruder without the right decryption method.
+
+Since REST APIs use HTTP, encryption can be achieved by using the Transport Layer Security (TLS) protocol or Secure Sockets Layer (SSL) protocol. These protocols supply the S in “HTTPS” (“S” meaning “secure'') and are the standard for encrypting web pages and REST API communications.
+
+TLS/SSL only encrypts data when that data is being transferred. It doesn’t encrypt data sitting behind your API, which is why sensitive data should also be encrypted in the database layer as well.
+
+##### Only include necessary information in responses
+
+Like you might unintentionally let a secret slip when telling a story to a friend, it’s possible for an API response to expose information hackers can use. To prevent this, all responses sent to the end-user should include only the information to communicate the success or failure of the request, the resource requested (if any), and any other information directly related to these resources.
+
+In other words, avoid “oversharing” data — the response is a chance for you to inadvertently expose private data, either through the returned resources or verbose status messages.
+
+=> in the ownership of every API Developer
+
+##### Throttle API requests and establish quotas
+
+To prevent brute-force attacks like DDoS, an API can impose rate-limiting, a way to control the number of requests to the API server at any given time.
+
+There are two main ways to rate-limit API requests, quotas and throttling. Quotas limit the number of requests allowed from a user over a span of time, while throttling slows a user’s connection while still allowing them to use your API.
+
+Both methods should allow normal API requests but prevent floods of traffic intended to disrupt, as well as unexpected request spikes in general.
+
+##### Log API activity
+
+Logging API activities is extremely important when it comes to tracing user activity and in worst case hack activity.
+
+###### Conduct security tests
+
+=> see [Test Section](#tests) below
+
+##### Error Handling
+
+The simplest way we handle errors is to respond with an appropriate status code.
+
+Common agreed response codes:
+
+- 400 Bad Request – client sent an invalid request, such as lacking required request body or parameter.
+  Example: The same constraint has been configured multiple times in the request
+- 401 Unauthorized – user authenticated but doesn't have permission to access the requested resource.
+  Example: User token doesn't have the access on the resource.
+- 403 Forbidden – client failed to authenticate with the server.
+  Example: token expired oder invalid login.
+- 404 Not Found – the requested resource does not exist.
+  Example: A specific credential was requested which does not exist in the database.
+- 500 Internal Server Error – a generic error occurred in the internal system logic.
+  Example: Unexpected server-side issue during credential validation.
+  Additionally to the generic error code, a detailed message/error is needed to ensure that the issue can get validated and resolved quickly.
+
+##### Repository Pattern
+
+The repositories are used via the Factory HubRepositories, which ensures that the same database instance is used for all repositories.
+
+Furthermore, it provides an implicit transaction functionality.
+
+The repositories themselves must not be registered for dependency injection in the corresponding startup; the method IssuerRepositories.GetInstance<RepositoryType> provides the instance of a requested repository.
+
+In the repository itself, you should not work with SaveChanges, it should only be called via the IssuerRepositories.SaveChanges to ensure that any transaction dependencies can be rolled back.
+
+#### Tests
+
+##### User Authentication Test
+
+If authentication mechanisms are implemented incorrectly, attackers can compromise authentication tokens or exploit implementation flaws to assume other users’ identities and gain access to your API’s endpoints.
+
+To test your authentication mechanisms, try sending API requests without proper authentication (either no tokens or credentials, or incorrect ones) and see if your API responds with the correct error and messaging.
+
+##### Parameter Tampering Test
+
+To run a parameter tampering test, try various combinations of invalid query parameters in your API requests and see if it responds with the correct error codes. If not, then your API likely has some backend validation errors that need to be resolved.
+
+##### Injection Test
+
+To test if your API is vulnerable to injections, try injecting SQL, NoSQL, LDAP, OS, or other commands in API inputs and see if your API executes them. These commands should be harmless, like reboot commands or cat commands.
+
+##### Unhandled HTTP Methods Test
+
+Most APIs have various HTTP methods that are used to retrieve, store, or delete data. Sometimes web servers will give access to unsupported HTTP methods by default, which makes your API vulnerable.
+
+To test for this vulnerability, you should try all the common HTTP methods (POST, GET, PUT, PATCH, and DELETE) as well as a few uncommon ones. TRY sending an API request with the HEAD verb instead of GET, for example, or a request with an arbitrary method like FOO. You should get an error code, but if you get a 200 OK response, then your API has a vulnerability.
+
+##### Load Test
+
+Load testing should be one of the last steps of your API security auditing process. This type is pushing the API to its limits in order to discover any functional or security issues that have yet to be revealed.
+
+To achieve this, send a large number of randomized requests, including SQL queries, system commands, arbitrary numbers, and other non-text characters, and see if your API responds with errors, processes any of these inputs incorrectly, or crashes. This type of testing will mimic Overflow and DDoS attacks.
+
+An API manager or gateway tool will handle or help address the API security guidelines described above (including testing).
+
+## Migration
+
+To run the SSI credential issuer, migrations are needed to load the initial data inside the SSI credential issuer db to enable the SSI credential issuer to work.
+The migration will consist of an initial migration as well as delta migration files with future releases. As part of a new release, a migration file (if applicable) will get released and can get loaded via a delta load.
+
+## Configurability
+
+SSI Credential Issuer configuration is mainly possible via the appsettings files as well as the static data migration files.
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer
@@ -0,0 +1,21 @@
+# Requirements overview
+
+## What is the Portal & Marketplace Product?
+
+The SSI Credential Issuer is a central API for the handling of credentials. It handles the wallet communication for the creation and revocation of credentials of the issuer and holder. Another purpose is the expiry handling and automatic revocation of already expired credentials. There is no plan to implement an UI at the current stage.
+
+## Requirements
+
+<!-- TODO (JJ): could you please add the requirements -->
+For Catena-X Member Companies
+|ID|Title|Requirement|
+|--------|--------|--------|
+|REQ|tbd|tbd|
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer
@@ -33,12 +33,12 @@ flowchart LR
     CU(Company user or Service Account)
     K("Keycloak (REST API)")
     IS(Issuer Service)
-    CS(Credential Service)
-    RS(Revocation Service)
     EW(Expiry Worker)
     IW(Issuer Wallet)
+    PW(Process Worker)
     HW(3rd Party Holder Wallets)
-    P(Portal Backend)
+    PB(Portal Backend)
+    PF(Portal Frontend)
     PHD[(Issuer DB \n Postgres \n EF Core for mapping \n objects to SQL)]
 
     subgraph centralidp[centralidp Keycloak]
@@ -51,33 +51,29 @@ flowchart LR
 
     subgraph SSI-Issuer-Component Product
      IS
-     CS
-     RS
+     PW
      EW
      PHD
     end
 
     subgraph External Systems
-     P
+     PB
+     PF
      IW
      HW
     end
 
     K-->|"Authentication & Authorization Data \n (Using JWT)"|IS
-    K-->|"Authentication & Authorization Data \n (Using JWT)"|CS
-    K-->|"Authentication & Authorization Data \n (Using JWT)"|RS
-    CU-->|"Consumption of central, read-only REST API \n [HTTPS]"|IS
-    CU-->|"Consumption of central, read-only REST API \n [HTTPS]"|CS
-    CU-->|"Consumption of central, read-only REST API \n [HTTPS]"|RS
-    IS-->|"Read and write credentials"|PHD
-    IS-->|"Read and write credentials"|IW
-    IS-->|"Read and write credentials"|HW
-    EW-->|"Read and write credentials"|IW
-    RS-->|"Read and write credentials"|IW
-    P-->|"Create and revoke credentials"|IS
-    IS-->|"Create notifications and mails"|P
-    CS-->|"Read credentials and document"|PHD
-    RS-->|"Read and update credential data"|PHD
+    IS-->|"Read and write credential data"|PHD
+    PF-->|"Read and Write Credentials"|IS
+    PW-->|"Read and Write Credentials"|HW
+    PW-->|"Write Credentials"|IW
+    PW-->|"Creates Mails & Notifications"|PB
+    PW-->|"Revoke Credential"|IW
+    EW-->|"Read credentials \n write process data"|PHD
+    PB-->|"Create and revoke credentials"|IS
+    PF-->|"Read and Write Credentials"|IS
+    IS-->|"Create notifications and mails"|PB
     CU-->|"IAM with OIDC \n [HTTPS]"|K
 ```
 
 
@@ -0,0 +1,14 @@
+# Solution Strategy
+
+- The technology portfolio and development stack are kept simple, based on commodity and oss components and products.
+- APIs are always REST-based with token authentication.
+- OIDC is used for authentication and authorization.
+- IaC is fully realized via helm charts.
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer
@@ -0,0 +1,55 @@
+# Whitebox Overall System
+
+## Summary
+
+In the following image you see the overall system overview of the SSI Credential Issuer
+
+```mermaid
+flowchart LR
+
+    C(Customer)
+    ING(Ingress)
+    IS(Issuer Service)
+    ES(Expiry Service)
+    PW(Process Worker)
+    P(Portal)
+    HW(Holder Wallet)
+    IW(Issuer Wallet)
+    PHD[("Postgres Database \n \n (Base data created with \n application seeding)")]
+
+    subgraph SSI Credential Issuer Product   
+        ING
+        PHD
+        IS
+        ES
+        PW
+    end
+
+    subgraph External Systems
+        P
+        HW
+        IW
+    end
+
+    C-->|"Authentication & Authorization Data \n (Using JWT)"|ING
+    ING-->|"Forward Request"|IS
+    ES-->|"Revokes Credentials"|IW
+    ES-->|"Revokes Credentials"|HW
+    ES-->|"Creates Mails & Notifications"|P
+    ES-->|"Reads & updates credentials"|PHD
+    PW-->|"Read, Write & Sign Credentials"|IW
+    PW-->|"Write Credentials"|HW
+    PW-->|"Creates Mails & Notifications"|P
+    PW-->|"Reads credential requests, \n saves documents"|PHD
+    IS-->|"Read credentialTypes and versions, \n saves credential requests, \n revokes credential"|PHD
+    ES-->|"Updates credentials"|PHD
+
+```
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/ssi-credential-issuer