Loading get_superadmin_certs.sh 0 → 100755 +3 −0 Original line number Diff line number Diff line docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/ca_root.crt > ca_root.crt docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.crt > superadmin.crt docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.key > superadmin.key No newline at end of file services/TS29222_CAPIF_Publish_Service_API/published_apis/core/serviceapidescriptions.py +2 −1 Original line number Diff line number Diff line Loading @@ -224,6 +224,7 @@ class PublishServiceOperations(Resource): mycol.insert_one(rec) if "APF" in apf_id: self.auth_manager.add_auth_service(api_id, apf_id) current_app.logger.debug("Service inserted in database") Loading services/nginx/endpoints/endpoints.conf +2 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ map $uri $endpoint { # Regex matches for endpoints that can be grouped by common patterns # Helper related endpoints ~^/helper/interconnection/interconnect helper_interconnect; ~^/helper/interconnection/connect helper_connect; ~^/helper/ helper_base_tree; # Invoker management related endpoints Loading services/nginx/nginx_prepare.sh +4 −4 Original line number Diff line number Diff line Loading @@ -81,11 +81,11 @@ generate_server_key_and_sign() { echo "[STEP 3] Server certificate not found" echo "[STEP 3] Generating CSR for CAPIF service" echo "[INFO] Common Name (CN): $CAPIF_HOSTNAME" echo "[INFO] Common Name (CN): CCF$CAPIF_HOSTNAME" # Generate CSR using the previously generated server.key # Generate CSR using the previously generated server.key openssl req -new -key $CERTS_FOLDER/server.key \ -subj "/CN=$CAPIF_HOSTNAME" \ -subj "/CN=CCF$CAPIF_HOSTNAME" \ -addext "subjectAltName=DNS:$CAPIF_HOSTNAME" \ -out $CERTS_FOLDER/server.csr Loading 
@@ -106,7 +106,7 @@ generate_server_key_and_sign() { # POST /v1/pki_int/sign/my-ca intermediate's endpoint to sign the CSR SIGN_RESPONSE=$(curl -s -X POST \ -H "X-Vault-Token: $VAULT_TOKEN" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"$CAPIF_HOSTNAME\"}" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"CCF$CAPIF_HOSTNAME\",\"alt_names\":\"$CAPIF_HOSTNAME\"}" \ "$VAULT_ADDR/v1/pki_int/sign/my-ca") # SIGN_RESPONSE; return a PEM bundle format with the signed certificate + intermediate certificate chain (but without the root). Loading services/nginx/policies/helper-mtls.conf +7 −1 Original line number Diff line number Diff line map "$endpoint:$method:$role" $helper_mtls_policy { default "DENY"; # /interconnect: only an operator with a superadmin cert may start interconnection ~^helper_interconnect:.*:superadmin$ ALLOW; # /connect: the peer CCF authenticates with its server certificate. # A server cert's CN is a hostname, so it resolves to role "unknown". ~^helper_connect:.*:ccf$ ALLOW; # Everything else under /helper keeps the previous behaviour ~^helper_base_tree:.*:superadmin$ ALLOW; ~^helper_base_tree:.*:amf$ ALLOW; } No newline at end of file Loading
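--- /dev/null
+++ b/get_superadmin_certs.sh
@@ -0,0 +1,3 @@
+docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/ca_root.crt > ca_root.crt
+docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.crt > superadmin.crt
+docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.key > superadmin.key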
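Review bot: The third line writes superadmin.key into the working directory under the caller's default umask, so the private key is normally created world-readable, and with no shebang or `set -e` an empty result from `docker ps -aqf "name=^helper$"` still leaves truncated, empty ca_root.crt/superadmin.crt/superadmin.key behind because the shell opens the redirect before `docker exec` fails. Resolving the container id once and refusing to continue when it is empty, plus `umask 077` before the redirects, closes both gaps; the repeated `docker ps` lookup can be hoisted at the same time. A header comment stating the purpose, e.g. `# Copy the helper's CA root and superadmin client cert/key out of the running container`, would also help since the file has none.
```bash
#!/usr/bin/env bash
# Copy the helper's CA root and superadmin client cert/key out of the running container.
set -euo pipefail
umask 077  # superadmin.key is a private key; never create it world-readable
HELPER_ID=$(docker ps -aqf "name=^helper$")
[ -n "$HELPER_ID" ] || { echo "helper container not running" >&2; exit 1; }
for f in ca_root.crt superadmin.crt superadmin.key; do
    docker exec -i "$HELPER_ID" cat "./helper_service/certs/$f" > "$f"
done
chmod 644 ca_root.crt superadmin.crt  # only the key stays 0600
```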
services/TS29222_CAPIF_Publish_Service_API/published_apis/core/serviceapidescriptions.py +2 −1 Original line number Diff line number Diff line Loading @@ -224,6 +224,7 @@ class PublishServiceOperations(Resource): mycol.insert_one(rec) if "APF" in apf_id: self.auth_manager.add_auth_service(api_id, apf_id) current_app.logger.debug("Service inserted in database") Loading
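Review bot: `if "APF" in apf_id:` is a substring test, so any identifier that merely contains the letters APF at any position triggers add_auth_service, and an apf_id of None raises TypeError here instead of being skipped. If APF identifiers are distinguished by a prefix, `if apf_id and apf_id.startswith("APF"):` states that intent and tolerates a missing value; if the format is something else, a one-line comment such as `# only APF-published services get an auth-service entry` should say what the check is keyed on. The enclosing method starts outside the hunk, so I cannot see how apf_id is derived or whether it was validated earlier.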
services/nginx/endpoints/endpoints.conf +2 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ map $uri $endpoint { # Regex matches for endpoints that can be grouped by common patterns # Helper related endpoints ~^/helper/interconnection/interconnect helper_interconnect; ~^/helper/interconnection/connect helper_connect; ~^/helper/ helper_base_tree; # Invoker management related endpoints Loading
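Review bot: The two new patterns have no end anchor, so any path that merely starts with `/helper/interconnection/connect` is classified as helper_connect and, through helper-mtls.conf, becomes reachable to every holder of a role-ccf certificate rather than to superadmin only. Anchoring on the end of the path or a trailing slash keeps the classification exact: `~^/helper/interconnection/interconnect(/|$) helper_interconnect;` and `~^/helper/interconnection/connect(/|$) helper_connect;`. Entries in a `map` are tested in order of appearance, so these specific patterns must stay above the `~^/helper/` catch-all, as they do here; a comment noting that ordering constraint would protect it from a later reshuffle.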
services/nginx/nginx_prepare.sh +4 −4 Original line number Diff line number Diff line Loading @@ -81,11 +81,11 @@ generate_server_key_and_sign() { echo "[STEP 3] Server certificate not found" echo "[STEP 3] Generating CSR for CAPIF service" echo "[INFO] Common Name (CN): $CAPIF_HOSTNAME" echo "[INFO] Common Name (CN): CCF$CAPIF_HOSTNAME" # Generate CSR using the previously generated server.key # Generate CSR using the previously generated server.key openssl req -new -key $CERTS_FOLDER/server.key \ -subj "/CN=$CAPIF_HOSTNAME" \ -subj "/CN=CCF$CAPIF_HOSTNAME" \ -addext "subjectAltName=DNS:$CAPIF_HOSTNAME" \ -out $CERTS_FOLDER/server.csr Loading @@ -106,7 +106,7 @@ generate_server_key_and_sign() { # POST /v1/pki_int/sign/my-ca intermediate's endpoint to sign the CSR SIGN_RESPONSE=$(curl -s -X POST \ -H "X-Vault-Token: $VAULT_TOKEN" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"$CAPIF_HOSTNAME\"}" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"CCF$CAPIF_HOSTNAME\",\"alt_names\":\"$CAPIF_HOSTNAME\"}" \ "$VAULT_ADDR/v1/pki_int/sign/my-ca") # SIGN_RESPONSE; return a PEM bundle format with the signed certificate + intermediate certificate chain (but without the root). Loading
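Review bot: In the second hunk the sign request is sent with `curl -s` and no `--fail` or response check, so if the pki_int role rejects the new `CCF`-prefixed common_name (the role's allowed_domains/allow_any_name settings must permit it, and this commit does not touch them) the error JSON lands in SIGN_RESPONSE and, unless the code after the hunk validates it, the script continues without a usable certificate. Using `curl -sS --fail` and checking that SIGN_RESPONSE contains `"certificate"` before extracting the bundle would surface that early. The reason for the split between CN and SAN is also undocumented; a comment above the request such as `# CN carries the CCF prefix (presumably what the mTLS role mapping keys on); alt_names keeps the bare hostname so TLS name checks still pass` would explain why the first hunk changed the CSR subject the same way. generate_server_key_and_sign starts and ends outside both hunks.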
services/nginx/policies/helper-mtls.conf +7 −1 Original line number Diff line number Diff line map "$endpoint:$method:$role" $helper_mtls_policy { default "DENY"; # /interconnect: only an operator with a superadmin cert may start interconnection ~^helper_interconnect:.*:superadmin$ ALLOW; # /connect: the peer CCF authenticates with its server certificate. # A server cert's CN is a hostname, so it resolves to role "unknown". ~^helper_connect:.*:ccf$ ALLOW; # Everything else under /helper keeps the previous behaviour ~^helper_base_tree:.*:superadmin$ ALLOW; ~^helper_base_tree:.*:amf$ ALLOW; } No newline at end of file
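Review bot: The comment above the helper_connect rule says a server cert's CN is a hostname and resolves to role "unknown", yet the rule matches `:ccf$`, so either the comment is stale or the rule never fires; given the `CCF` CN prefix introduced in nginx_prepare.sh in this same commit, the comment should presumably read `# /connect: the peer CCF authenticates with its server certificate, whose CN is prefixed "CCF" and therefore maps to role "ccf".`. Both new rules use `.*` in the method position, so every HTTP verb is allowed; if these endpoints only accept POST, pin it (`~^helper_connect:POST:ccf$ ALLOW;`, likewise for helper_interconnect) so the mTLS policy is as narrow as the endpoint. The `default "DENY"` keeps everything unmatched closed, which is the right baseline.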