X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=capifcore%2Finternal%2Fsecurityservice%2Fsecurity.go;h=dcf1dbb10684f73614a2d41f9681655bd76a6a2d;hb=4308df0663b45eb9d95b3babdf519a06ee76c15a;hp=ab0abde3d59abf1d90cd613232ed479ad4a9544e;hpb=c2422dba52b7c2fe640ff957137ccf64d2c96753;p=nonrtric%2Fplt%2Fsme.git

diff --git a/capifcore/internal/securityservice/security.go b/capifcore/internal/securityservice/security.go
index ab0abde..dcf1dbb 100644
--- a/capifcore/internal/securityservice/security.go
+++ b/capifcore/internal/securityservice/security.go
@@ -30,53 +30,71 @@ import (
 	securityapi "oransc.org/nonrtric/capifcore/internal/securityapi"
 
 	"oransc.org/nonrtric/capifcore/internal/invokermanagement"
+	"oransc.org/nonrtric/capifcore/internal/keycloak"
 	"oransc.org/nonrtric/capifcore/internal/providermanagement"
 	"oransc.org/nonrtric/capifcore/internal/publishservice"
 )
 
 type Security struct {
 	serviceRegister providermanagement.ServiceRegister
-	apiRegister     publishservice.APIRegister
+	publishRegister publishservice.PublishRegister
 	invokerRegister invokermanagement.InvokerRegister
+	keycloak        keycloak.AccessManagement
 }
 
-func NewSecurity(serviceRegister providermanagement.ServiceRegister, apiRegister publishservice.APIRegister, invokerRegister invokermanagement.InvokerRegister) *Security {
+func NewSecurity(serviceRegister providermanagement.ServiceRegister, publishRegister publishservice.PublishRegister, invokerRegister invokermanagement.InvokerRegister, km keycloak.AccessManagement) *Security {
 	return &Security{
 		serviceRegister: serviceRegister,
-		apiRegister:     apiRegister,
+		publishRegister: publishRegister,
 		invokerRegister: invokerRegister,
+		keycloak:        km,
 	}
 }
 
 func (s *Security) PostSecuritiesSecurityIdToken(ctx echo.Context, securityId string) error {
-	clientId := ctx.FormValue("client_id")
-	clientSecret := ctx.FormValue("client_secret")
-	scope := ctx.FormValue("scope")
+	var accessTokenReq securityapi.AccessTokenReq
+	accessTokenReq.GetAccessTokenReq(ctx)
 
-	if !s.invokerRegister.IsInvokerRegistered(clientId) {
-		return sendCoreError(ctx, http.StatusBadRequest, "Invoker not registered")
+	if valid, err := accessTokenReq.Validate(); !valid {
+		return ctx.JSON(http.StatusBadRequest, err)
 	}
-	if !s.invokerRegister.VerifyInvokerSecret(clientId, clientSecret) {
-		return sendCoreError(ctx, http.StatusBadRequest, "Invoker secret not valid")
+
+	if !s.invokerRegister.IsInvokerRegistered(accessTokenReq.ClientId) {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidClient, "Invoker not registered")
 	}
-	if scope != "" {
-		scopeData := strings.Split(strings.Split(scope, "#")[1], ":")
-		if !s.serviceRegister.IsFunctionRegistered(scopeData[0]) {
-			return sendCoreError(ctx, http.StatusBadRequest, "Function not registered")
-		}
-		if !s.apiRegister.IsAPIRegistered(scopeData[0], scopeData[1]) {
-			return sendCoreError(ctx, http.StatusBadRequest, "API not published")
+
+	if !s.invokerRegister.VerifyInvokerSecret(accessTokenReq.ClientId, *accessTokenReq.ClientSecret) {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, "Invoker secret not valid")
+	}
+
+	if accessTokenReq.Scope != nil && *accessTokenReq.Scope != "" {
+		scope := strings.Split(*accessTokenReq.Scope, "#")
+		aefList := strings.Split(scope[1], ";")
+		for _, aef := range aefList {
+			apiList := strings.Split(aef, ":")
+			if !s.serviceRegister.IsFunctionRegistered(apiList[0]) {
+				return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "AEF Function not registered")
+			}
+			for _, api := range strings.Split(apiList[1], ",") {
+				if !s.publishRegister.IsAPIPublished(apiList[0], api) {
+					return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorInvalidScope, "API not published")
+				}
+			}
 		}
 	}
+	jwtToken, err := s.keycloak.GetToken(accessTokenReq.ClientId, *accessTokenReq.ClientSecret, *accessTokenReq.Scope, "invokerrealm")
+	if err != nil {
+		return sendAccessTokenError(ctx, http.StatusBadRequest, securityapi.AccessTokenErrErrorUnauthorizedClient, err.Error())
+	}
 
 	accessTokenResp := securityapi.AccessTokenRsp{
-		AccessToken: "asdadfsrt dsr t5",
-		ExpiresIn:   0,
-		Scope:       &scope,
+		AccessToken: jwtToken.AccessToken,
+		ExpiresIn:   common29122.DurationSec(jwtToken.ExpiresIn),
+		Scope:       accessTokenReq.Scope,
 		TokenType:   "Bearer",
 	}
 
-	err := ctx.JSON(http.StatusCreated, accessTokenResp)
+	err = ctx.JSON(http.StatusCreated, accessTokenResp)
 	if err != nil {
 		// Something really bad happened, tell Echo that our handler failed
 		return err
@@ -105,11 +123,10 @@ func (s *Security) PostTrustedInvokersApiInvokerIdUpdate(ctx echo.Context, apiIn
 	return ctx.NoContent(http.StatusNotImplemented)
 }
 
-func sendCoreError(ctx echo.Context, code int, message string) error {
-	pd := common29122.ProblemDetails{
-		Cause:  &message,
-		Status: &code,
+func sendAccessTokenError(ctx echo.Context, code int, err securityapi.AccessTokenErrError, message string) error {
+	accessTokenErr := securityapi.AccessTokenErr{
+		Error:            err,
+		ErrorDescription: &message,
 	}
-	err := ctx.JSON(code, pd)
-	return err
+	return ctx.JSON(code, accessTokenErr)
 }