feat: reduced mocking in the pg‑runtime test classes (#2552)

Author: BrunoMiguelNogueira

edc-tests/compatibility-tests/build.gradle.kts

@@ -22,6 +22,10 @@ plugins {
     `java-library`
 }
 
+configurations.all {
+    exclude("org.eclipse.edc", "decentralized-claims-core")
+}
+
 dependencies {
     testImplementation(libs.edc.junit)
     testImplementation(libs.edc.lib.cryptocommon)

edc-tests/e2e-fixtures/build.gradle.kts

@@ -54,6 +54,9 @@ dependencies {
 
     testFixturesApi(testFixtures(libs.edc.api.management.test.fixtures))
 
+    testFixturesApi(libs.edc.iam.decentralized.claims.core)
+    testFixturesApi(libs.edc.verifiablecredentials.jwt)
+
     testFixturesApi(libs.awaitility)
     testFixturesApi(libs.aws.s3)
     testFixturesApi(libs.azure.storage.blob)

edc-tests/e2e-fixtures/src/testFixtures/java/org/eclipse/tractusx/edc/tests/MockIdentityServiceExtension.java

@@ -0,0 +1,54 @@
+/********************************************************************************
+ * Copyright (c) 2026 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ * Copyright (c) 2025 Cofinity-X GmbH
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.eclipse.tractusx.edc.tests;
+
+import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
+import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.runtime.metamodel.annotation.Provider;
+import org.eclipse.edc.spi.iam.IdentityService;
+import org.eclipse.edc.spi.system.ServiceExtension;
+
+public class MockIdentityServiceExtension implements ServiceExtension {
+    @Inject
+    private IdentityService identityService;    //ensure the original IdentityService dependencies are injected before overriding with the mocked class
+
+    @Inject
+    private JtiValidationStore jtiValidationStore;
+
+    @Inject
+    private DidPublicKeyResolver didPublicKeyResolver;
+
+    private final String bpn;
+    private final String did;
+
+    public MockIdentityServiceExtension(String bpn, String did) {
+        this.bpn = bpn;
+        this.did = did;
+    }
+
+    @Provider
+    public IdentityService mockIdentityService() {
+        var mockTokenValidationService = new MockTokenValidationService();
+        var mockTokenValidationAction = new MockTokenValidationAction(mockTokenValidationService, didPublicKeyResolver, jtiValidationStore);
+        return new MockVcIdentityService(bpn, did, mockTokenValidationAction);
+    }
+}

edc-tests/e2e-fixtures/src/testFixtures/java/org/eclipse/tractusx/edc/tests/MockTokenValidationAction.java

@@ -0,0 +1,87 @@
+/********************************************************************************
+ * Copyright (c) 2026 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.eclipse.tractusx.edc.tests;
+
+import com.nimbusds.jwt.SignedJWT;
+import org.eclipse.edc.iam.decentralizedclaims.spi.validation.TokenValidationAction;
+import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
+import org.eclipse.edc.keys.spi.PublicKeyResolver;
+import org.eclipse.edc.spi.iam.ClaimToken;
+import org.eclipse.edc.spi.iam.TokenRepresentation;
+import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.token.rules.AudienceValidationRule;
+import org.eclipse.edc.token.rules.ExpirationIssuedAtValidationRule;
+import org.eclipse.edc.token.rules.NotBeforeValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationService;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.HasSubjectRule;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.IssuerEqualsSubjectRule;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.IssuerKeyIdValidationRule;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.JtiValidationRule;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.SubJwkIsNullRule;
+import org.eclipse.edc.verifiablecredentials.jwt.rules.TokenNotNullRule;
+
+import java.time.Clock;
+import java.util.ArrayList;
+
+public class MockTokenValidationAction implements TokenValidationAction {
+
+    private final TokenValidationService tokenValidationService;
+    private final PublicKeyResolver publicKeyResolver;
+    private final JtiValidationStore jtiValidationStore;
+    private final Clock clock = Clock.systemUTC();
+
+    public MockTokenValidationAction(TokenValidationService tokenValidationService, PublicKeyResolver publicKeyResolver, JtiValidationStore jtiValidationStore) {
+        this.tokenValidationService = tokenValidationService;
+        this.publicKeyResolver = publicKeyResolver;
+        this.jtiValidationStore = jtiValidationStore;
+    }
+
+    public Result<ClaimToken> validate(String participantContextId, TokenRepresentation tokenRepresentation) {
+        try {
+            var signedJwt = SignedJWT.parse(tokenRepresentation.getToken());
+            var keyId = signedJwt.getHeader().getKeyID();
+            var rules = new ArrayList<TokenValidationRule>();
+
+            rules.add(new IssuerEqualsSubjectRule());
+            rules.add(new SubJwkIsNullRule());
+            rules.add(new ExpirationIssuedAtValidationRule(clock, 5, false));
+            rules.add(new TokenNotNullRule());
+            rules.add(new NotBeforeValidationRule(clock, 4, true));
+            rules.add(new HasSubjectRule());
+            rules.add(new JtiValidationRule(jtiValidationStore, null));
+            rules.add(new IssuerKeyIdValidationRule(keyId));
+            rules.add(new AudienceValidationRule(audResolver(tokenRepresentation)));
+
+            return tokenValidationService.validate(tokenRepresentation, publicKeyResolver, rules);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private String audResolver(TokenRepresentation tokenRepresentation) {
+        try {
+            var jwt = SignedJWT.parse(tokenRepresentation.getToken());
+            return jwt.getJWTClaimsSet().getAudience().get(0);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to extract audience from token", e);
+        }
+    }
+}

edc-tests/e2e-fixtures/src/testFixtures/java/org/eclipse/tractusx/edc/tests/MockTokenValidationService.java

@@ -0,0 +1,67 @@
+/********************************************************************************
+ * Copyright (c) 2026 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.eclipse.tractusx.edc.tests;
+
+import com.nimbusds.jwt.SignedJWT;
+import org.eclipse.edc.keys.spi.PublicKeyResolver;
+import org.eclipse.edc.spi.iam.ClaimToken;
+import org.eclipse.edc.spi.iam.TokenRepresentation;
+import org.eclipse.edc.spi.result.AbstractResult;
+import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.token.spi.TokenValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationService;
+
+import java.text.ParseException;
+import java.util.List;
+
+public class MockTokenValidationService implements TokenValidationService {
+
+    @Override
+    public Result<ClaimToken> validate(TokenRepresentation tokenRepresentation, PublicKeyResolver publicKeyResolver, List<TokenValidationRule> rules) {
+        var token = tokenRepresentation.getToken();
+        var additional = tokenRepresentation.getAdditional();
+        try {
+            var signedJwt = SignedJWT.parse(token);
+            var tokenBuilder = ClaimToken.Builder.newInstance();
+
+            signedJwt.getJWTClaimsSet().getClaims().entrySet().stream()
+                    .filter(entry -> entry.getValue() != null)
+                    .forEach(entry -> tokenBuilder.claim(entry.getKey(), entry.getValue()));
+
+            var claimToken = tokenBuilder.build();
+            var errors = rules.stream()
+                    .map(r -> r.checkRule(claimToken, additional))
+                    .reduce(Result::merge)
+                    .stream()
+                    .filter(AbstractResult::failed)
+                    .flatMap(r -> r.getFailureMessages().stream())
+                    .toList();
+
+            if (!errors.isEmpty()) {
+                return Result.failure(errors);
+            }
+
+            return Result.success(claimToken);
+
+        } catch (ParseException e) {
+            return Result.failure("Failed to decode token");
+        }
+    }
+}

edc-tests/e2e-fixtures/src/testFixtures/java/org/eclipse/tractusx/edc/tests/MockVcIdentityService.java

@@ -19,7 +19,7 @@
 
 package org.eclipse.tractusx.edc.tests;
 
-import com.fasterxml.jackson.core.type.TypeReference;
+import org.eclipse.edc.iam.decentralizedclaims.spi.validation.TokenValidationAction;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.CredentialSubject;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.Issuer;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential;
@@ -33,10 +33,16 @@
 import org.eclipse.edc.spi.types.TypeManager;
 
 import java.time.Instant;
+import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 
-import static java.lang.String.format;
+import static org.eclipse.edc.iam.decentralizedclaims.spi.SelfIssuedTokenConstants.PRESENTATION_TOKEN_CLAIM;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.AUDIENCE;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.EXPIRATION_TIME;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.ISSUED_AT;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.ISSUER;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.SUBJECT;
 
 /**
  * An {@link IdentityService} that will inject the BPN claim in every token.
@@ -49,59 +55,94 @@ public class MockVcIdentityService implements IdentityService {
     private final String businessPartnerNumber;
     private final String did;
     private final TypeManager typeManager = new JacksonTypeManager();
-    
-    public MockVcIdentityService(String businessPartnerNumber, String did) {
+    private final TokenValidationAction tokenValidationAction;
+
+    public MockVcIdentityService(String businessPartnerNumber, String did, TokenValidationAction tokenValidationAction) {
         this.businessPartnerNumber = businessPartnerNumber;
         this.did = did;
+        this.tokenValidationAction = tokenValidationAction;
     }
-    
+
     @Override
     public Result<TokenRepresentation> obtainClientCredentials(String participantContextId, TokenParameters parameters) {
-        var credentials = List.of(membershipCredential(), dataExchangeGovernanceCredential());
-        var token = Map.of(VC_CLAIM, credentials);
-
         var tokenRepresentation = TokenRepresentation.Builder.newInstance()
-                .token(typeManager.writeValueAsString(token))
+                .token(getTestToken(parameters.getStringClaim("aud")))
                 .build();
+
         return Result.success(tokenRepresentation);
     }
-    
+
     @Override
     public Result<ClaimToken> verifyJwtToken(String participantContextId, TokenRepresentation tokenRepresentation, VerificationContext verificationContext) {
         var token = tokenRepresentation.getToken().replace("Bearer ", "");
-        var tokenParsed = typeManager.readValue(token, Map.class);
-
-        if (tokenParsed.containsKey(VC_CLAIM)) {
-            var credentials = typeManager.getMapper().convertValue(tokenParsed.get(VC_CLAIM), new TypeReference<List<VerifiableCredential>>(){});
-            var claimToken = ClaimToken.Builder.newInstance()
-                    .claim(VC_CLAIM, credentials)
-                    .build();
-            return Result.success(claimToken);
+        tokenRepresentation = tokenRepresentation.toBuilder().token(token).build();
+        var claimTokenResult = tokenValidationAction.validate(participantContextId, tokenRepresentation);
+
+        if (claimTokenResult.failed()) {
+            return claimTokenResult;
         }
-        return Result.failure(format("Expected %s claim, but token did not contain them", VC_CLAIM));
+
+        var claimToken = claimTokenResult.getContent();
+        var bpnlConsumer = claimToken.getStringClaim(BUSINESS_PARTNER_NUMBER_CLAIM);
+        var didConsumer = claimToken.getStringClaim(ISSUER);
+        var credentials = List.of(membershipCredential(bpnlConsumer, didConsumer), dataExchangeGovernanceCredential(bpnlConsumer, didConsumer));
+
+        var claimTokenWithVc = ClaimToken.Builder.newInstance()
+                .claim(VC_CLAIM, credentials)
+                .build();
+
+        return Result.success(claimTokenWithVc);
     }
-    
-    private VerifiableCredential membershipCredential() {
+
+    private String getTestToken(String aud) {
+        var header = Map.of(
+                "alg", "ES256K",
+                "typ", "JWT",
+                "kid", did + "#key-1"
+        );
+
+        var now = Instant.now();
+        var payload = new java.util.HashMap<String, Object>();
+        payload.put(ISSUER, did);
+        payload.put(SUBJECT, did);
+        payload.put(AUDIENCE, aud);
+        payload.put(EXPIRATION_TIME, now.plusSeconds(3600).getEpochSecond());
+        payload.put(ISSUED_AT, now.getEpochSecond());
+        payload.put(PRESENTATION_TOKEN_CLAIM, "token");
+        payload.put(BUSINESS_PARTNER_NUMBER_CLAIM, businessPartnerNumber);
+
+        var signature = "signature";
+
+        String headerJson = typeManager.writeValueAsString(header);
+        String payloadJson = typeManager.writeValueAsString(payload);
+        String encodedHeader = Base64.getUrlEncoder().withoutPadding().encodeToString(headerJson.getBytes());
+        String encodedToken = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes());
+        String encodedSignature = Base64.getUrlEncoder().withoutPadding().encodeToString(signature.getBytes());
+
+        return (encodedHeader + "." + encodedToken + "." + encodedSignature);
+    }
+
+    private VerifiableCredential dataExchangeGovernanceCredential(String bpnlConsumer, String didConsumer) {
         return VerifiableCredential.Builder.newInstance()
                 .type("VerifiableCredential")
-                .type("MembershipCredential")
+                .type("DataExchangeGovernanceCredential")
                 .credentialSubject(CredentialSubject.Builder.newInstance()
-                        .id(did)
-                        .claim("holderIdentifier", businessPartnerNumber)
+                        .id(didConsumer)
+                        .claim("holderIdentifier", bpnlConsumer)
+                        .claim("contractVersion", "1.0")
                         .build())
                 .issuer(new Issuer("issuer", Map.of()))
                 .issuanceDate(Instant.now())
                 .build();
     }
 
-    private VerifiableCredential dataExchangeGovernanceCredential() {
+    private VerifiableCredential membershipCredential(String bpnlConsumer, String didConsumer) {
         return VerifiableCredential.Builder.newInstance()
                 .type("VerifiableCredential")
-                .type("DataExchangeGovernanceCredential")
+                .type("MembershipCredential")
                 .credentialSubject(CredentialSubject.Builder.newInstance()
-                        .id(did)
-                        .claim("holderIdentifier", businessPartnerNumber)
-                        .claim("contractVersion", "1.0")
+                        .id(didConsumer)
+                        .claim("holderIdentifier", bpnlConsumer)
                         .build())
                 .issuer(new Issuer("issuer", Map.of()))
                 .issuanceDate(Instant.now())