feat: add contract definition empty asset selector validator (#1786)

* adds extension and unit tests

* Add ITs

* Add docs

* renamed module

* remove not needed stuff

* this was actually needed

* add bypass

* wording

* review suggestions

* removed bypass

* deps

* deps

* deps

* bump aws deps to 2.30.17

* deps

* deps

* deps

edc-controlplane/edc-controlplane-base/build.gradle.kts

@@ -31,6 +31,7 @@ dependencies {
     runtimeOnly(project(":edc-extensions:edr:edr-callback"))
     runtimeOnly(project(":edc-extensions:tokenrefresh-handler"))
     runtimeOnly(project(":edc-extensions:agreements"))
+    runtimeOnly(project(":edc-extensions:validators:empty-asset-selector"))
 
     runtimeOnly(libs.edc.core.edrstore)
     runtimeOnly(libs.edc.edr.store.receiver)
@@ -92,4 +93,5 @@ dependencies {
     runtimeOnly(libs.edc.fc.core)
     runtimeOnly(libs.edc.fc.api)
 
+
 }

edc-extensions/validators/empty-asset-selector/build.gradle.kts

@@ -0,0 +1,30 @@
+/********************************************************************************
+ * Copyright (c) 2025 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+plugins {
+    `maven-publish`
+    `java-library`
+}
+
+dependencies {
+    api(libs.edc.spi.controlplane)
+    implementation(libs.edc.lib.validator)
+
+    testImplementation(libs.edc.junit)
+}

edc-extensions/validators/empty-asset-selector/src/main/java/org/eclipse/tractusx/edc/validators/emptyassetselector/EmptyAssetSelectorBlockerExtension.java

@@ -0,0 +1,64 @@
+/********************************************************************************
+ * Copyright (c) 2025 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.eclipse.tractusx.edc.validators.emptyassetselector;
+
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.query.CriterionOperatorRegistry;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.validator.spi.JsonObjectValidatorRegistry;
+
+import static org.eclipse.edc.connector.controlplane.contract.spi.types.offer.ContractDefinition.CONTRACT_DEFINITION_TYPE;
+
+@Extension(value = EmptyAssetSelectorBlockerExtension.NAME)
+public class EmptyAssetSelectorBlockerExtension implements ServiceExtension {
+
+    public static final String NAME = "Empty Asset Selector Blocker extension";
+
+    private static final String BLOCKER_DISABLED = "false";
+
+    @Setting(description = "Block contract definitions from being created/updated with an empty asset selector.", defaultValue = BLOCKER_DISABLED, key = "tx.edc.validator.contractdefinitions.block-empty-asset-selector")
+    private boolean blockerEnabled;
+
+    @Inject
+    JsonObjectValidatorRegistry validatorRegistry;
+
+    @Inject
+    CriterionOperatorRegistry criterionOperatorRegistry;
+
+    @Inject
+    Monitor monitor;
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Override
+    public void prepare() {
+        if (blockerEnabled) {
+            monitor.info("ContractDefinition validator that blocks empty assetsSelector has been enabled");
+            validatorRegistry.register(CONTRACT_DEFINITION_TYPE, EmptyAssetSelectorValidator.instance(criterionOperatorRegistry));
+        }
+    }
+
+}

edc-extensions/validators/empty-asset-selector/src/main/java/org/eclipse/tractusx/edc/validators/emptyassetselector/EmptyAssetSelectorValidator.java

@@ -0,0 +1,44 @@
+/********************************************************************************
+ * Copyright (c) 2025 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+
+package org.eclipse.tractusx.edc.validators.emptyassetselector;
+
+import org.eclipse.edc.spi.query.CriterionOperatorRegistry;
+import org.eclipse.edc.validator.jsonobject.JsonObjectValidator;
+import org.eclipse.edc.validator.jsonobject.validators.MandatoryArray;
+import org.eclipse.edc.validator.jsonobject.validators.MandatoryValue;
+import org.eclipse.edc.validator.jsonobject.validators.OptionalIdNotBlank;
+import org.eclipse.edc.validator.jsonobject.validators.model.CriterionValidator;
+
+import static org.eclipse.edc.connector.controlplane.contract.spi.types.offer.ContractDefinition.CONTRACT_DEFINITION_ACCESSPOLICY_ID;
+import static org.eclipse.edc.connector.controlplane.contract.spi.types.offer.ContractDefinition.CONTRACT_DEFINITION_ASSETS_SELECTOR;
+import static org.eclipse.edc.connector.controlplane.contract.spi.types.offer.ContractDefinition.CONTRACT_DEFINITION_CONTRACTPOLICY_ID;
+
+public class EmptyAssetSelectorValidator {
+
+    public static JsonObjectValidator instance(CriterionOperatorRegistry criterionOperatorRegistry) {
+        return JsonObjectValidator.newValidator()
+                .verifyId(OptionalIdNotBlank::new)
+                .verify(CONTRACT_DEFINITION_ACCESSPOLICY_ID, MandatoryValue::new)
+                .verify(CONTRACT_DEFINITION_CONTRACTPOLICY_ID, MandatoryValue::new)
+                .verify(CONTRACT_DEFINITION_ASSETS_SELECTOR, MandatoryArray.min(1))
+                .verifyArrayItem(CONTRACT_DEFINITION_ASSETS_SELECTOR, path -> CriterionValidator.instance(path, criterionOperatorRegistry))
+                .build();
+    }
+}

edc-extensions/validators/empty-asset-selector/src/main/java/org/eclipse/tractusx/edc/validators/emptyassetselector/README.md

@@ -0,0 +1,46 @@
+# Contract Definitions Validator: Empty Asset Selector
+
+The goal of this extension is to provide a replacement validator for contract definition entities.
+It is used to validate requests that create or update contract definitions via the data management API endpoint.
+When enabled, it prevents contract definitions with no asset selector, or an empty one, from being created which
+elsewise leads to all available assets being included in the Contract Definition.
+
+This extension is included with the standard tractusx-edc distribution, but is disabled by default. To enable it,
+you can set `tx.edc.validator.contractdefinitions.block-empty-asset-selector`to `true` in your connector configuration.
+
+## Example
+
+When the validator extension is enabled, creating the following contract definition will lead to a 400 error.
+
+```json
+{
+  "@context": {
+    "@vocab": "https://w3id.org/edc/v0.0.1/ns/"
+  },
+  "@type": "ContractDefinition",
+  "@id": "myContractDefinitionId",
+  "accessPolicyId": "myAccessPolicyId",
+  "contractPolicyId": "myContractPolicyId"
+}
+```
+
+Above, the `assetSelector` property is missing from the request, so an empty one is added by default.
+The validator will block this contract definition from being created.
+
+Similarly, this will also fail:
+
+```json
+{
+  "@context": {
+    "@vocab": "https://w3id.org/edc/v0.0.1/ns/"
+  },
+  "@type": "ContractDefinition",
+  "@id": "myContractDefinitionId",
+  "accessPolicyId": "myAccessPolicyId",
+  "contractPolicyId": "myContractPolicyId",
+  "assetSelector": []
+}
+```
+
+The `assetSelector` property exists, but since it's an empty list the validator will also block this contract
+definition from being created. A valid contract definition should have at least one criterion.

edc-extensions/validators/empty-asset-selector/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension

@@ -0,0 +1,20 @@
+#################################################################################
+#  Copyright (c) 2025 Bayerische Motoren Werke Aktiengesellschaft
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0.
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+org.eclipse.tractusx.edc.validators.emptyassetselector.EmptyAssetSelectorBlockerExtension