// ========================LICENSE_START=================================
// O-RAN-SC
// %%
-// Copyright (C) 2022: Nordix Foundation
+// Copyright (C) 2022-2023: Nordix Foundation
+// Copyright (C) 2024: OpenInfra Foundation Europe
// %%
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
package security
import (
+ "fmt"
"net/http"
+ "net/url"
+ "path"
"strings"
+ "sync"
"github.com/labstack/echo/v4"
-
+ copystructure "github.com/mitchellh/copystructure"
+ "k8s.io/utils/strings/slices"
"oransc.org/nonrtric/capifcore/internal/common29122"
securityapi "oransc.org/nonrtric/capifcore/internal/securityapi"
"oransc.org/nonrtric/capifcore/internal/invokermanagement"
+ "oransc.org/nonrtric/capifcore/internal/keycloak"
"oransc.org/nonrtric/capifcore/internal/providermanagement"
"oransc.org/nonrtric/capifcore/internal/publishservice"
)
type Security struct {
serviceRegister providermanagement.ServiceRegister
- apiRegister publishservice.APIRegister
+ publishRegister publishservice.PublishRegister
invokerRegister invokermanagement.InvokerRegister
+ keycloak keycloak.AccessManagement
+ trustedInvokers map[string]securityapi.ServiceSecurity
+ lock sync.Mutex
}
-func NewSecurity(serviceRegister providermanagement.ServiceRegister, apiRegister publishservice.APIRegister, invokerRegister invokermanagement.InvokerRegister) *Security {
+func NewSecurity(serviceRegister providermanagement.ServiceRegister, publishRegister publishservice.PublishRegister, invokerRegister invokermanagement.InvokerRegister, km keycloak.AccessManagement) *Security {
return &Security{
serviceRegister: serviceRegister,
- apiRegister: apiRegister,
+ publishRegister: publishRegister,
invokerRegister: invokerRegister,
+ keycloak: km,
+ trustedInvokers: make(map[string]securityapi.ServiceSecurity),
}
}
func (s *Security) PostSecuritiesSecurityIdToken(ctx echo.Context, securityId string) error {
- clientId := ctx.FormValue("client_id")
- clientSecret := ctx.FormValue("client_secret")
- // grantType := ctx.FormValue("grant_type")
- scope := ctx.FormValue("scope")
+ var accessTokenReq securityapi.AccessTokenReq
+ accessTokenReq.GetAccessTokenReq(ctx)
+
+ if valid, err := accessTokenReq.Validate(); !valid {
+ return ctx.JSON(http.StatusBadRequest, err)
+ }
- if !s.invokerRegister.IsInvokerRegistered(clientId) {
- return sendCoreError(ctx, http.StatusBadRequest, "Invoker not registered")
+ if !s.invokerRegister.IsInvokerRegistered(accessTokenReq.ClientId) {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidClient, "Invoker not registered")
}
- if !s.invokerRegister.VerifyInvokerSecret(clientId, clientSecret) {
- return sendCoreError(ctx, http.StatusBadRequest, "Invoker secret not valid")
+
+ if !s.invokerRegister.VerifyInvokerSecret(accessTokenReq.ClientId, *accessTokenReq.ClientSecret) {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, "Invoker secret not valid")
}
- if scope != "" {
- scopeData := strings.Split(strings.Split(scope, "#")[1], ":")
- if !s.serviceRegister.IsFunctionRegistered(scopeData[0]) {
- return sendCoreError(ctx, http.StatusBadRequest, "Function not registered")
+
+ if accessTokenReq.Scope != nil && *accessTokenReq.Scope != "" {
+ scope := strings.Split(*accessTokenReq.Scope, "#")
+ aefList := strings.Split(scope[1], ";")
+ for _, aef := range aefList {
+ apiList := strings.Split(aef, ":")
+ if !s.serviceRegister.IsFunctionRegistered(apiList[0]) {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "AEF Function not registered")
+ }
+ for _, api := range strings.Split(apiList[1], ",") {
+ if !s.publishRegister.IsAPIPublished(apiList[0], api) {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "API not published")
+ }
+ }
}
- if !s.apiRegister.IsAPIRegistered(scopeData[0], scopeData[1]) {
- return sendCoreError(ctx, http.StatusBadRequest, "API not published")
+ }
+ data := url.Values{"grant_type": {"client_credentials"}, "client_id": {accessTokenReq.ClientId}, "client_secret": {*accessTokenReq.ClientSecret}}
+
+ var jwtToken keycloak.Jwttoken
+ var err error
+
+ if s.keycloak != nil {
+ jwtToken, err = s.keycloak.GetToken("invokerrealm", data)
+ if err != nil {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, err.Error())
}
+ } else {
+ return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, "keycloak is nil")
}
accessTokenResp := securityapi.AccessTokenRsp{
- AccessToken: "asdadfsrt dsr t5",
- ExpiresIn: 0,
- Scope: &scope,
+ AccessToken: jwtToken.AccessToken,
+ ExpiresIn: common29122.DurationSec(jwtToken.ExpiresIn),
+ Scope: accessTokenReq.Scope,
TokenType: "Bearer",
}
- err := ctx.JSON(http.StatusCreated, accessTokenResp)
+ err = ctx.JSON(http.StatusCreated, accessTokenResp)
if err != nil {
// Something really bad happened, tell Echo that our handler failed
return err
}
func (s *Security) DeleteTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string) error {
- return ctx.NoContent(http.StatusNotImplemented)
+ if _, ok := s.trustedInvokers[apiInvokerId]; ok {
+ s.deleteTrustedInvoker(apiInvokerId)
+ }
+
+ return ctx.NoContent(http.StatusNoContent)
+}
+
+func (s *Security) deleteTrustedInvoker(apiInvokerId string) {
+ s.lock.Lock()
+ defer s.lock.Unlock()
+ delete(s.trustedInvokers, apiInvokerId)
}
func (s *Security) GetTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string, params securityapi.GetTrustedInvokersApiInvokerIdParams) error {
- return ctx.NoContent(http.StatusNotImplemented)
+
+ if trustedInvoker, ok := s.trustedInvokers[apiInvokerId]; ok {
+ updatedInvoker := s.checkParams(trustedInvoker, params)
+ if updatedInvoker != nil {
+ err := ctx.JSON(http.StatusOK, updatedInvoker)
+ if err != nil {
+ return err
+ }
+ }
+ } else {
+ return sendCoreError(ctx, http.StatusNotFound, fmt.Sprintf("invoker %s not registered as trusted invoker", apiInvokerId))
+ }
+
+ return nil
+}
+
+func (s *Security) checkParams(trustedInvoker securityapi.ServiceSecurity, params securityapi.GetTrustedInvokersApiInvokerIdParams) *securityapi.ServiceSecurity {
+ emptyString := ""
+
+ var sendAuthenticationInfo = (params.AuthenticationInfo != nil) && *params.AuthenticationInfo
+ var sendAuthorizationInfo = (params.AuthorizationInfo != nil) && *params.AuthorizationInfo
+
+ if sendAuthenticationInfo && sendAuthorizationInfo {
+ return &trustedInvoker
+ }
+
+ data, _ := copystructure.Copy(trustedInvoker)
+ updatedInvoker, ok := data.(securityapi.ServiceSecurity)
+ if !ok {
+ return nil
+ }
+
+ if !sendAuthenticationInfo {
+ for i := range updatedInvoker.SecurityInfo {
+ updatedInvoker.SecurityInfo[i].AuthenticationInfo = &emptyString
+ }
+ }
+ if !sendAuthorizationInfo {
+ for i := range updatedInvoker.SecurityInfo {
+ updatedInvoker.SecurityInfo[i].AuthorizationInfo = &emptyString
+ }
+ }
+ return &updatedInvoker
}
func (s *Security) PutTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string) error {
- return ctx.NoContent(http.StatusNotImplemented)
+ errMsg := "Unable to update security context due to %s."
+
+ if !s.invokerRegister.IsInvokerRegistered(apiInvokerId) {
+ return sendCoreError(ctx, http.StatusBadRequest, "Unable to update security context due to Invoker not registered")
+ }
+ serviceSecurity, err := getServiceSecurityFromRequest(ctx)
+ if err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+ }
+
+ if err := serviceSecurity.Validate(); err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+ }
+
+ err = s.prepareNewSecurityContext(&serviceSecurity, apiInvokerId)
+ if err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+ }
+
+ uri := ctx.Request().Host + ctx.Request().URL.String()
+ ctx.Response().Header().Set(echo.HeaderLocation, ctx.Scheme()+`://`+path.Join(uri, apiInvokerId))
+
+ err = ctx.JSON(http.StatusCreated, s.trustedInvokers[apiInvokerId])
+ if err != nil {
+ // Something really bad happened, tell Echo that our handler failed
+ return err
+ }
+
+ return nil
+}
+
+func getServiceSecurityFromRequest(ctx echo.Context) (securityapi.ServiceSecurity, error) {
+ var serviceSecurity securityapi.ServiceSecurity
+ err := ctx.Bind(&serviceSecurity)
+ if err != nil {
+ return securityapi.ServiceSecurity{}, fmt.Errorf("invalid format for service security")
+ }
+ return serviceSecurity, nil
+}
+
+func (s *Security) prepareNewSecurityContext(newContext *securityapi.ServiceSecurity, apiInvokerId string) error {
+ s.lock.Lock()
+ defer s.lock.Unlock()
+
+ err := newContext.PrepareNewSecurityContext(s.publishRegister.GetAllPublishedServices())
+ if err != nil {
+ return err
+ }
+
+ s.trustedInvokers[apiInvokerId] = *newContext
+ return nil
}
func (s *Security) PostTrustedInvokersApiInvokerIdDelete(ctx echo.Context, apiInvokerId string) error {
- return ctx.NoContent(http.StatusNotImplemented)
+ var notification securityapi.SecurityNotification
+
+ errMsg := "Unable to revoke invoker due to %s"
+
+ if err := ctx.Bind(¬ification); err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, "invalid format for security notification"))
+ }
+
+ if err := notification.Validate(); err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+ }
+
+ if ss, ok := s.trustedInvokers[apiInvokerId]; ok {
+ securityInfoCopy := s.revokeTrustedInvoker(&ss, notification)
+
+ if len(securityInfoCopy) == 0 {
+ s.deleteTrustedInvoker(apiInvokerId)
+ } else {
+ ss.SecurityInfo = securityInfoCopy
+ s.updateTrustedInvoker(ss, apiInvokerId)
+ }
+
+ } else {
+ return sendCoreError(ctx, http.StatusNotFound, "the invoker is not register as a trusted invoker")
+ }
+
+ return ctx.NoContent(http.StatusNoContent)
+
+}
+
+func (s *Security) revokeTrustedInvoker(ss *securityapi.ServiceSecurity, notification securityapi.SecurityNotification) []securityapi.SecurityInformation {
+
+ data, _ := copystructure.Copy(ss.SecurityInfo)
+ securityInfoCopy, _ := data.([]securityapi.SecurityInformation)
+
+ for i, context := range ss.SecurityInfo {
+ if notification.AefId == context.AefId || slices.Contains(notification.ApiIds, *context.ApiId) {
+ securityInfoCopy = append(securityInfoCopy[:i], securityInfoCopy[i+1:]...)
+ }
+ }
+
+ return securityInfoCopy
+
}
func (s *Security) PostTrustedInvokersApiInvokerIdUpdate(ctx echo.Context, apiInvokerId string) error {
- return ctx.NoContent(http.StatusNotImplemented)
+ var serviceSecurity securityapi.ServiceSecurity
+
+ errMsg := "Unable to update service security context due to %s"
+
+ if err := ctx.Bind(&serviceSecurity); err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, "invalid format for service security context"))
+ }
+
+ if err := serviceSecurity.Validate(); err != nil {
+ return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+ }
+
+ if _, ok := s.trustedInvokers[apiInvokerId]; ok {
+ s.updateTrustedInvoker(serviceSecurity, apiInvokerId)
+ } else {
+ return sendCoreError(ctx, http.StatusNotFound, "the invoker is not register as a trusted invoker")
+ }
+
+ uri := ctx.Request().Host + ctx.Request().URL.String()
+ ctx.Response().Header().Set(echo.HeaderLocation, ctx.Scheme()+`://`+path.Join(uri, apiInvokerId))
+
+ err := ctx.JSON(http.StatusOK, s.trustedInvokers[apiInvokerId])
+ if err != nil {
+ // Something really bad happened, tell Echo that our handler failed
+ return err
+ }
+
+ return nil
+}
+
+func (s *Security) updateTrustedInvoker(serviceSecurity securityapi.ServiceSecurity, invokerId string) {
+ s.lock.Lock()
+ defer s.lock.Unlock()
+ s.trustedInvokers[invokerId] = serviceSecurity
+}
+
+func sendAccessTokenError(ctx echo.Context, code int, err securityapi.AccessTokenErrError, message string) error {
+ accessTokenErr := securityapi.AccessTokenErr{
+ Error: err,
+ ErrorDescription: &message,
+ }
+ return ctx.JSON(code, accessTokenErr)
}
+// This function wraps sending of an error in the Error format, and
+// handling the failure to marshal that.
func sendCoreError(ctx echo.Context, code int, message string) error {
pd := common29122.ProblemDetails{
Cause: &message,