Commit 0883b1d3 authored by Stavros-Anastasios Charismiadis's avatar Stavros-Anastasios Charismiadis

separate nginx rules for helper interconnection services and add CCF prefix to CCF certificates

parent b3bf4573
+3 −0
docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/ca_root.crt > ca_root.crt
docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.crt > superadmin.crt
docker exec -i $(docker ps -aqf "name=^helper$") cat ./helper_service/certs/superadmin.key > superadmin.key
 No newline at end of file
+2 −1
@@ -224,6 +224,7 @@ class PublishServiceOperations(Resource):

            mycol.insert_one(rec)

            if "APF" in apf_id:
                self.auth_manager.add_auth_service(api_id, apf_id)

            current_app.logger.debug("Service inserted in database")
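Review bot: The substring test `if "APF" in apf_id:` gates registration of an auth service on whether the literal `APF` appears anywhere in the identifier, so a value carrying that fragment in the middle also passes, and a non-string `apf_id` raises `TypeError` instead of being rejected. If the intent is the `APF…` identifier prefix, `if isinstance(apf_id, str) and apf_id.startswith("APF"):` is the precise check. Where `apf_id` comes from and whether it is caller-supplied is not visible here, so the required strictness should be confirmed against the request schema. The enclosing method of PublishServiceOperations begins and ends outside this hunk.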
+2 −0
@@ -8,6 +8,8 @@ map $uri $endpoint {

    # Regex matches for endpoints that can be grouped by common patterns
    # Helper related endpoints
    ~^/helper/interconnection/interconnect  helper_interconnect;
    ~^/helper/interconnection/connect       helper_connect;
    ~^/helper/ helper_base_tree;

    # Invoker management related endpoints
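Review bot: Both new regexes are anchored only at the start, so `~^/helper/interconnection/connect` also classifies any longer path such as `/helper/interconnection/connect-anything` as `helper_connect`, and that classification is what the mTLS policy map in this commit uses to relax the role requirement for the endpoint. Unless sub-paths are intended, terminate the patterns, e.g. `~^/helper/interconnection/interconnect$ helper_interconnect;` and `~^/helper/interconnection/connect$ helper_connect;` (or `(?:/|$)` if sub-resources exist). nginx evaluates `map` regexes in file order, so keeping these two lines ahead of the `~^/helper/` catch-all remains necessary; the `map $uri $endpoint` block itself begins before this hunk.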
+4 −4
@@ -81,11 +81,11 @@ generate_server_key_and_sign() {
        
        echo "[STEP 3] Server certificate not found"
        echo "[STEP 3] Generating CSR for CAPIF service"
        echo "[INFO] Common Name (CN): $CAPIF_HOSTNAME"
                echo "[INFO] Common Name (CN): CCF$CAPIF_HOSTNAME"

        # Generate CSR using the previously generated server.key
        # Generate CSR using the previously generated server.key
        openssl req -new -key $CERTS_FOLDER/server.key \
            -subj "/CN=$CAPIF_HOSTNAME" \
            -subj "/CN=CCF$CAPIF_HOSTNAME" \
            -addext "subjectAltName=DNS:$CAPIF_HOSTNAME" \
            -out $CERTS_FOLDER/server.csr

@@ -106,7 +106,7 @@ generate_server_key_and_sign() {
            # POST /v1/pki_int/sign/my-ca intermediate's endpoint to sign the CSR
            SIGN_RESPONSE=$(curl -s -X POST \
                -H "X-Vault-Token: $VAULT_TOKEN" \
                -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"$CAPIF_HOSTNAME\"}" \
                -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"CCF$CAPIF_HOSTNAME\",\"alt_names\":\"$CAPIF_HOSTNAME\"}" \
                "$VAULT_ADDR/v1/pki_int/sign/my-ca")

            # SIGN_RESPONSE; return a PEM bundle format with the signed certificate + intermediate certificate chain (but without the root).
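Review bot: The `CCF` prefix on the CN is now the only thing distinguishing this server certificate from any other certificate signed through `pki_int/sign/my-ca`, and from the nginx policy in this commit that prefix appears to be what resolves a peer to role `ccf`; the script does not show what the Vault role `my-ca` permits, and if the same role also issues client certificates with caller-chosen CNs, anyone onboarded could mint a `CCF…` identity. A comment at the sign request would make the invariant explicit: `# CN prefix "CCF" is what the nginx mTLS policy maps to role ccf; the Vault role my-ca must not issue caller-chosen CNs`, and that role's `common_name` restrictions should be verified. The new `alt_names` value is interpolated into the JSON body unescaped, like the existing fields, so `CAPIF_HOSTNAME` must remain a plain hostname. generate_server_key_and_sign continues outside both hunks.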
+7 −1
map "$endpoint:$method:$role" $helper_mtls_policy {
    default "DENY";
    # /interconnect: only an operator with a superadmin cert may start interconnection
    ~^helper_interconnect:.*:superadmin$ ALLOW;
    # /connect: the peer CCF authenticates with its server certificate.
    # A server cert's CN is a hostname, so it resolves to role "unknown".
    ~^helper_connect:.*:ccf$ ALLOW;
    # Everything else under /helper keeps the previous behaviour
    ~^helper_base_tree:.*:superadmin$ ALLOW;
    ~^helper_base_tree:.*:amf$        ALLOW;
}
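Review bot: The comment above `~^helper_connect:.*:ccf$` still says the server cert's CN resolves to role "unknown", which contradicts the rule beneath it (it allows role `ccf`) and the CN change elsewhere in this commit; replace it with `# /connect: the peer CCF authenticates with its server certificate; its CCF-prefixed CN resolves to role "ccf".` The `.*` in the method position also admits every HTTP method for that role, so if /connect is only ever a POST, `~^helper_connect:POST:ccf$ ALLOW;` narrows the exception to what is needed. How `$role` is derived from the client certificate is not visible on this page, so confirm that only certificates from the trusted intermediate CA can obtain the `ccf` role.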
 No newline at end of file