X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=capifcore%2Finternal%2Fsecurityservice%2Fsecurity.go;h=d3d9026979968b04de58ab4c858be8eec299611c;hb=856821490df816d7343d90f76f729240bd4e00d6;hp=25f9bbee4ccd5c4d7ef81b233f3531475326ab17;hpb=31a8d98341c723394deb355dfc828eaaaa13ce6d;p=nonrtric%2Fplt%2Fsme.git

diff --git a/capifcore/internal/securityservice/security.go b/capifcore/internal/securityservice/security.go
index 25f9bbe..d3d9026 100644
--- a/capifcore/internal/securityservice/security.go
+++ b/capifcore/internal/securityservice/security.go
@@ -21,63 +21,86 @@
 package security
 
 import (
+	"fmt"
 	"net/http"
+	"path"
 	"strings"
+	"sync"
 
 	"github.com/labstack/echo/v4"
-
+	copystructure "github.com/mitchellh/copystructure"
 	"oransc.org/nonrtric/capifcore/internal/common29122"
 	securityapi "oransc.org/nonrtric/capifcore/internal/securityapi"
 
 	"oransc.org/nonrtric/capifcore/internal/invokermanagement"
+	"oransc.org/nonrtric/capifcore/internal/keycloak"
 	"oransc.org/nonrtric/capifcore/internal/providermanagement"
 	"oransc.org/nonrtric/capifcore/internal/publishservice"
 )
 
 type Security struct {
 	serviceRegister providermanagement.ServiceRegister
-	apiRegister     publishservice.APIRegister
+	publishRegister publishservice.PublishRegister
 	invokerRegister invokermanagement.InvokerRegister
+	keycloak        keycloak.AccessManagement
+	trustedInvokers map[string]securityapi.ServiceSecurity
+	lock            sync.Mutex
 }
 
-func NewSecurity(serviceRegister providermanagement.ServiceRegister, apiRegister publishservice.APIRegister, invokerRegister invokermanagement.InvokerRegister) *Security {
+func NewSecurity(serviceRegister providermanagement.ServiceRegister, publishRegister publishservice.PublishRegister, invokerRegister invokermanagement.InvokerRegister, km keycloak.AccessManagement) *Security {
 	return &Security{
 		serviceRegister: serviceRegister,
-		apiRegister:     apiRegister,
+		publishRegister: publishRegister,
 		invokerRegister: invokerRegister,
+		keycloak:        km,
+		trustedInvokers: make(map[string]securityapi.ServiceSecurity),
 	}
 }
 
 func (s *Security) PostSecuritiesSecurityIdToken(ctx echo.Context, securityId string) error {
-	clientId := ctx.FormValue("client_id")
-	clientSecret := ctx.FormValue("client_secret")
-	// grantType := ctx.FormValue("grant_type")
-	scope := ctx.FormValue("scope")
+	var accessTokenReq securityapi.AccessTokenReq
+	accessTokenReq.GetAccessTokenReq(ctx)
 
-	if !s.invokerRegister.IsInvokerRegistered(clientId) {
-		return sendCoreError(ctx, http.StatusBadRequest, "Invoker not registered")
+	if valid, err := accessTokenReq.Validate(); !valid {
+		return ctx.JSON(http.StatusBadRequest, err)
 	}
-	if !s.invokerRegister.VerifyInvokerSecret(clientId, clientSecret) {
-		return sendCoreError(ctx, http.StatusBadRequest, "Invoker secret not valid")
+
+	if !s.invokerRegister.IsInvokerRegistered(accessTokenReq.ClientId) {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidClient, "Invoker not registered")
 	}
-	if scope != "" {
-		scopeData := strings.Split(strings.Split(scope, "#")[1], ":")
-		if !s.serviceRegister.IsFunctionRegistered(scopeData[0]) {
-			return sendCoreError(ctx, http.StatusBadRequest, "Function not registered")
-		}
-		if !s.apiRegister.IsAPIRegistered(scopeData[0], scopeData[1]) {
-			return sendCoreError(ctx, http.StatusBadRequest, "API not published")
+
+	if !s.invokerRegister.VerifyInvokerSecret(accessTokenReq.ClientId, *accessTokenReq.ClientSecret) {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, "Invoker secret not valid")
+	}
+
+	if accessTokenReq.Scope != nil && *accessTokenReq.Scope != "" {
+		scope := strings.Split(*accessTokenReq.Scope, "#")
+		aefList := strings.Split(scope[1], ";")
+		for _, aef := range aefList {
+			apiList := strings.Split(aef, ":")
+			if !s.serviceRegister.IsFunctionRegistered(apiList[0]) {
+				return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "AEF Function not registered")
+			}
+			for _, api := range strings.Split(apiList[1], ",") {
+				if !s.publishRegister.IsAPIPublished(apiList[0], api) {
+					return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "API not published")
+				}
+			}
 		}
 	}
+	jwtToken, err := s.keycloak.GetToken(accessTokenReq.ClientId, *accessTokenReq.ClientSecret, *accessTokenReq.Scope, "invokerrealm")
+	if err != nil {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, err.Error())
+	}
 
 	accessTokenResp := securityapi.AccessTokenRsp{
-		AccessToken: "asdadfsrt dsr t5",
-		ExpiresIn:   0,
-		Scope:       &scope,
+		AccessToken: jwtToken.AccessToken,
+		ExpiresIn:   common29122.DurationSec(jwtToken.ExpiresIn),
+		Scope:       accessTokenReq.Scope,
 		TokenType:   "Bearer",
 	}
 
-	err := ctx.JSON(http.StatusCreated, accessTokenResp)
+	err = ctx.JSON(http.StatusCreated, accessTokenResp)
 	if err != nil {
 		// Something really bad happened, tell Echo that our handler failed
 		return err
@@ -87,15 +110,117 @@ func (s *Security) PostSecuritiesSecurityIdToken(ctx echo.Context, securityId st
 }
 
 func (s *Security) DeleteTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string) error {
-	return ctx.NoContent(http.StatusNotImplemented)
+	if _, ok := s.trustedInvokers[apiInvokerId]; ok {
+		s.deleteTrustedInvoker(apiInvokerId)
+	}
+
+	return ctx.NoContent(http.StatusNoContent)
+}
+
+func (s *Security) deleteTrustedInvoker(apiInvokerId string) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	delete(s.trustedInvokers, apiInvokerId)
 }
 
 func (s *Security) GetTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string, params securityapi.GetTrustedInvokersApiInvokerIdParams) error {
-	return ctx.NoContent(http.StatusNotImplemented)
+
+	if trustedInvoker, ok := s.trustedInvokers[apiInvokerId]; ok {
+		updatedInvoker := s.checkParams(trustedInvoker, params)
+		if updatedInvoker != nil {
+			err := ctx.JSON(http.StatusOK, updatedInvoker)
+			if err != nil {
+				return err
+			}
+		}
+	} else {
+		return sendCoreError(ctx, http.StatusNotFound, fmt.Sprintf("invoker %s not registered as trusted invoker", apiInvokerId))
+	}
+
+	return nil
+}
+
+func (s *Security) checkParams(trustedInvoker securityapi.ServiceSecurity, params securityapi.GetTrustedInvokersApiInvokerIdParams) *securityapi.ServiceSecurity {
+	emptyString := ""
+
+	var sendAuthenticationInfo = (params.AuthenticationInfo != nil) && *params.AuthenticationInfo
+	var sendAuthorizationInfo = (params.AuthorizationInfo != nil) && *params.AuthorizationInfo
+
+	if sendAuthenticationInfo && sendAuthorizationInfo {
+		return &trustedInvoker
+	}
+
+	data, _ := copystructure.Copy(trustedInvoker)
+	updatedInvoker, ok := data.(securityapi.ServiceSecurity)
+	if !ok {
+		return nil
+	}
+
+	if !sendAuthenticationInfo {
+		for i := range updatedInvoker.SecurityInfo {
+			updatedInvoker.SecurityInfo[i].AuthenticationInfo = &emptyString
+		}
+	}
+	if !sendAuthorizationInfo {
+		for i := range updatedInvoker.SecurityInfo {
+			updatedInvoker.SecurityInfo[i].AuthorizationInfo = &emptyString
+		}
+	}
+	return &updatedInvoker
 }
 
 func (s *Security) PutTrustedInvokersApiInvokerId(ctx echo.Context, apiInvokerId string) error {
-	return ctx.NoContent(http.StatusNotImplemented)
+	errMsg := "Unable to update security context due to %s."
+
+	if !s.invokerRegister.IsInvokerRegistered(apiInvokerId) {
+		return sendCoreError(ctx, http.StatusBadRequest, "Unable to update security context due to Invoker not registered")
+	}
+	serviceSecurity, err := getServiceSecurityFromRequest(ctx)
+	if err != nil {
+		return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+	}
+
+	if err := serviceSecurity.Validate(); err != nil {
+		return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+	}
+
+	err = s.prepareNewSecurityContext(&serviceSecurity, apiInvokerId)
+	if err != nil {
+		return sendCoreError(ctx, http.StatusBadRequest, fmt.Sprintf(errMsg, err))
+	}
+
+	uri := ctx.Request().Host + ctx.Request().URL.String()
+	ctx.Response().Header().Set(echo.HeaderLocation, ctx.Scheme()+`://`+path.Join(uri, apiInvokerId))
+
+	err = ctx.JSON(http.StatusCreated, s.trustedInvokers[apiInvokerId])
+	if err != nil {
+		// Something really bad happened, tell Echo that our handler failed
+		return err
+	}
+
+	return nil
+}
+
+func getServiceSecurityFromRequest(ctx echo.Context) (securityapi.ServiceSecurity, error) {
+	var serviceSecurity securityapi.ServiceSecurity
+	err := ctx.Bind(&serviceSecurity)
+	if err != nil {
+		return securityapi.ServiceSecurity{}, fmt.Errorf("invalid format for service security")
+	}
+	return serviceSecurity, nil
+}
+
+func (s *Security) prepareNewSecurityContext(newContext *securityapi.ServiceSecurity, apiInvokerId string) error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
+	err := newContext.PrepareNewSecurityContext(s.publishRegister.GetAllPublishedServices())
+	if err != nil {
+		return err
+	}
+
+	s.trustedInvokers[apiInvokerId] = *newContext
+	return nil
 }
 
 func (s *Security) PostTrustedInvokersApiInvokerIdDelete(ctx echo.Context, apiInvokerId string) error {
@@ -106,6 +231,16 @@ func (s *Security) PostTrustedInvokersApiInvokerIdUpdate(ctx echo.Context, apiIn
 	return ctx.NoContent(http.StatusNotImplemented)
 }
 
+func sendAccessTokenError(ctx echo.Context, code int, err securityapi.AccessTokenErrError, message string) error {
+	accessTokenErr := securityapi.AccessTokenErr{
+		Error:            err,
+		ErrorDescription: &message,
+	}
+	return ctx.JSON(code, accessTokenErr)
+}
+
+// This function wraps sending of an error in the Error format, and
+// handling the failure to marshal that.
 func sendCoreError(ctx echo.Context, code int, message string) error {
 	pd := common29122.ProblemDetails{
 		Cause:  &message,