Resolves #1830 Merged the 1.3.1-rc.1 release in develop branch.

.github/workflows/push-trigger.yml

@@ -56,15 +56,13 @@ jobs:
           - SERVICE_LOCATION: 'data-share/data-share-service'
             SERVICE_NAME: 'data-share-service'
             BUILD_ARTIFACT: 'data-share'
-            SQUASH_LAYERS: '11'
       fail-fast: false
     name: ${{ matrix.SERVICE_NAME }}
     uses: mosip/kattu/.github/workflows/docker-build.yml@master-java21
     with:
       SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
       SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
       BUILD_ARTIFACT: ${{ matrix.BUILD_ARTIFACT }}
-      SQUASH_LAYERS: ${{ matrix.SQUASH_LAYERS }}
     secrets:
       DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
       ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}

AGENTS.md

@@ -0,0 +1,166 @@
+# AGENTS.md
+
+This file provides guidance to AI agents when working with code in this repository.
+
+## Project Overview
+
+**Durian** is the **MOSIP Datashare Service** — a Spring Boot microservice within the MOSIP (Modular Open Source Identity Platform) ID lifecycle. It securely stores binary data (biometric packets, UIN PDFs) in object storage and returns time-limited, policy-governed URLs that trusted partners use to retrieve that data.
+
+Callers from Registration Processor (ABIS Handler, Manual Adjudication, Verification Stage, Print Service) POST data to Durian; ABIS systems, adjudicators, and print services then GET the data back via the returned URL.
+
+## Build Commands
+
+All commands run from the repo root (the Maven parent at `pom.xml`):
+
+```bash
+# Full build — skip Javadoc and GPG for local dev
+mvn clean install -Dmaven.javadoc.skip=true -Dgpg.skip=true
+
+# Run all tests
+mvn test
+
+# Run a single test class
+mvn test -pl data-share/data-share-service -Dtest=ClassName
+
+# Run a single test method
+mvn test -pl data-share/data-share-service -Dtest=ClassName#methodName
+
+# Build only the service module
+mvn clean install -pl data-share/data-share-service -am -Dmaven.javadoc.skip=true -Dgpg.skip=true
+
+# Coverage report (output: data-share/data-share-service/target/site/jacoco/index.html)
+mvn clean verify
+
+# SonarQube static analysis
+mvn clean verify -Psonar
+
+# Generate OpenAPI JSON (starts/stops the service during integration-test phase)
+mvn verify -Popenapi-doc-generate-profile -pl data-share/data-share-service
+```
+
+## Running the Service
+
+The service requires a running **Spring Cloud Config Server** on `http://localhost:51000/config` before it will start. Configuration files (`application-default.properties`, `data-share-default.properties`) must exist in the [mosip-config](https://github.com/mosip/mosip-config) repository.
+
+```bash
+java \
+  -Dspring.cloud.config.uri=http://localhost:51000/config \
+  -Dspring.cloud.config.label=master \
+  -Dspring.profiles.active=default \
+  -jar data-share/data-share-service/target/data-share-service-<version>.jar
+```
+
+The service listens on port `8097` at servlet path `/v1/datashare` (both configurable). Swagger UI is at `/v1/datashare/swagger-ui.html`.
+
+**Standalone mode** (no external service dependencies) is enabled by adding `standalone` to `spring.profiles.active` and setting the properties below.
+
+## Architecture
+
+### Request Flow
+
+1. **POST `/v1/datashare/create/{policyId}/{subscriberId}`** — caller uploads a file (`multipart/form-data`).
+2. `DataShareController` delegates to `DataShareServiceImpl`.
+3. In normal mode, `PolicyUtil` fetches the sharing policy from **Partner Management Service** (cached in Spring's `partnerpolicyCache`, evicted on a configurable schedule).
+4. Based on `encryptionType` in the policy:
+   - `"Partner Based"` → `EncryptionUtil` calls **Cryptomanager** to encrypt the bytes.
+   - `"none"` → data is stored as-is.
+5. Simultaneously (via `CompletableFuture` on a dedicated `dataShareTaskExecutor` thread pool), `DigitalSignatureUtil` calls **Keymanager** for a JWT signature over the file's SHA-256 digest.
+6. `DataShareServiceImpl` stores the encrypted bytes in **Object Store** (S3-compatible via `khazana` `S3Adapter`) with metadata: policyId, subscriberId, expiry time, transaction count, JWT signature.
+7. A URL is returned: either a full URL (`/get/{policyId}/{subscriberId}/{randomShareKey}`) or a short URL (`/datashare/{shortKey}`) depending on `mosip.data.share.urlshortner`.
+
+### Retrieval Flow
+
+**GET `/v1/datashare/get/{policyId}/{subscriberId}/{randomShareKey}`** (or `/datashare/{shortKey}`)
+1. Reads object metadata from the object store.
+2. Checks `transactionsallowed` — decrements by 1 if > 0; allows unlimited access if set to `-1`.
+3. Returns the raw bytes in the response body with a `Signature` response header containing the JWT.
+4. Throws `DataShareExpiredException` (quota exhausted) or `DataShareNotFoundException` (key missing).
+
+### Key Components
+
+| Class | Location | Purpose |
+|---|---|---|
+| `DataShareController` | `controller/` | REST endpoints — create and get |
+| `DataShareServiceImpl` | `service/impl/` | Orchestrates policy lookup, encryption, signing, storage |
+| `PolicyUtil` | `util/` | Partner Management Service client; caches policy responses |
+| `EncryptionUtil` | `util/` | Cryptomanager client for partner-based encryption |
+| `DigitalSignatureUtil` | `util/` | Keymanager JWT signing client |
+| `CacheUtil` | `util/` | Spring `@Cacheable` wrapper for short-URL → full-key mapping |
+| `DataShareBeanConfig` | `config/` | Wires `S3Adapter`, `TaskExecutor`, `ObjectMapper`, `RestUtil` |
+| `DataShareExceptionHandler` | `controller/handler/` | `@ControllerAdvice` — maps domain exceptions to HTTP responses |
+
+### External Service Dependencies
+
+| Service | Integration Point | `ApiName` enum value |
+|---|---|---|
+| Partner Management | Policy lookup by `policyId` + `subscriberId` | `PARTNER_POLICY` |
+| Cryptomanager | Encrypt data for partner-based encryption | `CRYPTOMANAGER_ENCRYPT` |
+| Keymanager | JWT sign the payload digest | `KEYMANAGER_JWTSIGN` |
+| Keymanager | Certificate fetch / upload | `KEYMANAGER_GET_CERTIFICATE`, `KEYMANAGER_UPLOAD_OTHER_DOMAIN_CERTIFICATE` |
+| Object Store | Binary blob + metadata (S3-compatible) | `khazana` `S3Adapter` |
+
+`RestUtil` wraps Spring `RestTemplate` for all outbound REST calls. URL values for each `ApiName` are resolved from environment properties (e.g., `PARTNER_POLICY`, `CRYPTOMANAGER_ENCRYPT`) provided by the config server.
+
+### Async Thread Pool
+
+Encryption and JWT signing are parallelised per request using a `ThreadPoolTaskExecutor` bean (`dataShareTaskExecutor`). The pool degrades gracefully under saturation via `CallerRunsPolicy`. Sizes are tunable:
+
+```
+mosip.data.share.async.core-pool-size=25   # default
+mosip.data.share.async.max-pool-size=50
+mosip.data.share.async.queue-capacity=80
+```
+
+## Standalone Mode
+
+Standalone mode bypasses Partner Management and Keymanager. Set these properties:
+
+```properties
+mosip.data.share.standalone.mode.enabled=true
+mosip.data.share.static-policy.policy-json={"typeOfShare":"","transactionsAllowed":"2","shareDomain":"datashare.datashare","encryptionType":"NONE","source":"","validForInMinutes":"30"}
+mosip.data.share.static-policy.policy-id=<must match policyId in /create request>
+mosip.data.share.static-policy.subscriber-id=<must match subscriberId in /create request>
+mosip.data.share.signature.disabled=true
+```
+
+`transactionsAllowed` of `-1` grants unlimited downloads. The `/create` API accepts an optional `usageCountForStandaloneMode` query parameter that overrides the configured count at request time (must be ≥ 1 or exactly -1).
+
+**Standalone mode is not safe for production** — it disables policy verification and signature computation.
+
+## Key Configuration Properties
+
+All runtime properties come from the Spring Cloud Config Server:
+
+| Property | Description |
+|---|---|
+| `mosip.data.share.urlshortner` | `true` → return short `/datashare/{key}` URL; `false` → full `/get/{policyId}/{subscriberId}/{key}` |
+| `mosip.data.share.protocol` | `http` or `https` prefix for constructed URLs |
+| `mosip.data.share.key.length` | Byte length of the random key appended to the share key (default `8`) |
+| `mosip.data.share.policy-cache.expiry-time-millisec` | How often the policy cache is evicted (Spring `@Scheduled` fixed rate) |
+| `mosip.data.share.prependThumbprint` | Whether to prepend the key thumbprint to encrypted output |
+| `mosip.data.share.includeCertificate` | Include cert in JWT signing request |
+| `mosip.data.share.includeCertificateHash` | Include cert hash in JWT signing request |
+| `mosip.data.share.includePayload` | Include payload in JWT signing request |
+| `mosip.data.share.digest.algorithm` | Digest algorithm for JWT payload (default `SHA256`) |
+| `data.share.application.id` | Application ID sent to Cryptomanager (default `PARTNER`) |
+| `PARTNER_POLICY` | URL template for Partner Management policy API |
+| `CRYPTOMANAGER_ENCRYPT` | URL for Cryptomanager encrypt API |
+| `KEYMANAGER_JWTSIGN` | URL for Keymanager JWT sign API |
+
+## CI/CD
+
+GitHub Actions (`.github/workflows/push-trigger.yml`) triggers on pushes to `master`, `develop*`, `release*`, and `MOSIP*` branches:
+1. Maven build via reusable `mosip/kattu` workflow (Java 21).
+2. Publish JARs to Maven Central (OSSRH) — skipped for PRs, master, and releases.
+3. Build and push `data-share-service` Docker image to Docker Hub.
+4. SonarCloud analysis (project key: `mosip_durian`) — skipped for PRs.
+
+Kubernetes deployment uses the Helm chart in `helm/datashare/` (requires Kubernetes 1.12+, Helm 3.1.0+).
+
+## Testing Notes
+
+- Unit tests use JUnit 4, Mockito, and PowerMock.
+- Tests run against an H2 in-memory database; no external services are required.
+- Surefire is configured with `--add-opens` JVM args for Java 21 module compatibility.
+- SonarQube excludes `constant/`, `config/`, `dto/`, `entity/`, `repository/`, `httpfilter/`, and `*BootApplication` from coverage.
+- The `TestBootApplication` in `src/test/java` bootstraps the test Spring context with a `TestSecurityConfig` that bypasses auth.

NOTICE

@@ -45,3 +45,4 @@ separately in the LICENSE directory.
 
 Full license texts for all dependencies are available in the `license/`
 directory or from the respective project repositories.
+

THIRD-PARTY-NOTICES.txt

@@ -0,0 +1,137 @@
+THIRD-PARTY-NOTICES
+
+This project includes third-party packages that are distributed under various open-source licenses. Below is a list of packages and their associated licenses.
+
+================================================================================
+Package: Spring Boot (Starter Web, Starter Security, Starter Cache, Starter Data JPA)
+Version: Not specified in SBOM
+License: Apache License 2.0
+Homepage: https://spring.io/projects/spring-boot
+================================================================================
+
+================================================================================
+Package: Spring Cloud Starter Config
+Version: Not specified in SBOM
+License: Apache License 2.0
+Homepage: https://spring.io/projects/spring-cloud-config
+================================================================================
+
+================================================================================
+Package: SpringDoc OpenAPI (Starter WebMVC UI, Maven Plugin)
+Version: 2.5.0 (UI), 0.2 (Plugin)
+License: Apache License 2.0
+Homepage: https://springdoc.org
+================================================================================
+
+================================================================================
+Package: Micrometer (micrometer-core, micrometer-registry-prometheus)
+Version: Not specified in SBOM
+License: Apache License 2.0
+Homepage: https://micrometer.io
+================================================================================
+
+================================================================================
+Package: Gson (com.google.code.gson:gson)
+Version: Not specified in SBOM
+License: Apache License 2.0 (Inferred from project’s official repository)
+Homepage: https://github.com/google/gson
+================================================================================
+
+================================================================================
+Package: JSON Simple (com.googlecode.json-simple:json-simple)
+Version: Not specified in SBOM
+License: Apache License 2.0 (Inferred from project’s official repository)
+Homepage: https://github.com/fangyidong/json-simple
+================================================================================
+
+================================================================================
+Package: Mockito Core (org.mockito:mockito-core)
+Version: Not specified in SBOM
+License: MIT License
+Homepage: https://github.com/mockito/mockito
+================================================================================
+
+================================================================================
+Package: PowerMock (powermock-api-mockito2, powermock-module-junit4)
+Version: Not specified in SBOM
+License: Apache License 2.0 (Inferred from project’s official repository)
+Homepage: https://github.com/powermock/powermock
+================================================================================
+
+================================================================================
+Package: JUnit 4 (junit:junit)
+Version: Not specified in SBOM
+License: Eclipse Public License 1.0
+Homepage: https://junit.org/junit4/
+================================================================================
+
+================================================================================
+Package: JUnit Vintage Engine (org.junit.vintage:junit-vintage-engine)
+Version: Not specified in SBOM
+License: Eclipse Public License 2.0
+Homepage: https://junit.org
+================================================================================
+
+================================================================================
+Package: JAXB API (javax.xml.bind:jaxb-api)
+Version: Not specified in SBOM
+License: CDDL 1.1 AND GPL v2 with Classpath Exception (Dual License)
+Homepage: https://eclipse-ee4j.github.io/jaxb-ri/
+================================================================================
+
+================================================================================
+Package: H2 Database (com.h2database:h2)
+Version: Not specified in SBOM
+License: EPL 1.0 or MPL 2.0 (Dual License)
+Homepage: https://www.h2database.com
+================================================================================
+
+================================================================================
+Package: Apache Maven Compiler Plugin
+Version: 3.11.0
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-compiler-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven Source Plugin
+Version: 2.2.1
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-source-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven Jar Plugin
+Version: 3.0.2
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-jar-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven Javadoc Plugin
+Version: 3.2.0
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-javadoc-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven War Plugin
+Version: 3.1.0
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-war-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven GPG Plugin
+Version: 1.5
+License: Apache License 2.0
+Homepage: https://maven.apache.org/plugins/maven-gpg-plugin/
+================================================================================
+
+================================================================================
+Package: Apache Maven Surefire Plugin
+Version: 2.22.0
+License: Apache License 2.0
+Homepage: https://maven.apache.org/surefire/maven-surefire-plugin/
+================================================================================
+Full license texts and additional details for each of the above packages are available in the license/ directory of this repository. Please refer to those files or the original source of each package for complete legal terms and conditions.

data-share/data-share-service/Dockerfile

@@ -75,14 +75,18 @@ VOLUME ${work_dir}/logs
 
 ADD ./target/data-share-service-*.jar data-share-service.jar
 
+COPY configure_start.sh ${work_dir}/configure_start.sh
+
 # change permissions of file inside working dir
-RUN chown -R ${container_user}:${container_user} /home/${container_user}
+RUN sed -i 's/\r$//' ${work_dir}/configure_start.sh \
+    && chmod +x ${work_dir}/configure_start.sh \
+    && chown -R ${container_user}:${container_user} ${work_dir}
 
 # select container user for all tasks
 USER ${container_user_uid}:${container_user_gid}
 
 EXPOSE 8097
 
-CMD wget "${iam_adapter_url_env}" -O "${loader_path_env}"/kernel-auth-adapter.jar; \
-    java -XX:-UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:-UseParallelGC -XX:+UseZGC -XX:+ZGenerational -XX:-UseShenandoahGC -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+UseStringDeduplication -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8 -XX:+UseCompressedOops \
-    -Dloader.path="${loader_path_env}" -Dspring.cloud.config.label="${spring_config_label_env}" -Dspring.profiles.active="${active_profile_env}" -Dspring.cloud.config.uri="${spring_config_url_env}" -jar data-share-service.jar ; \
+ENTRYPOINT ["sh", "configure_start.sh"]
+
+CMD java -Dloader.path="${loader_path_env}" -Dspring.cloud.config.label="${spring_config_label_env}" -Dspring.profiles.active="${active_profile_env}" -Dspring.cloud.config.uri="${spring_config_url_env}" -jar data-share-service.jar ; \

data-share/data-share-service/configure_start.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+#installs the pre-requisites.
+set -e
+
+echo "Downloading pre-requisites install scripts"
+
+wget "${iam_adapter_url_env}" -O "${loader_path_env}"/kernel-auth-adapter.jar; \
+
+echo "Installating pre-requisites completed."
+
+exec "$@"