Commit 15acbb53 authored by Jorge Moratinos

added helper, invoker, provider, published, discover, auditing, login events, events, acl

parent 6876c742
+34 −3
map $uri $endpoint {
map $uri $endpoint {
    default "NO MATCH";
    default "NO MATCH";


    # Exact matches for endpoints that require specific handling (Must be on top of the regex matches)
    /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact;
    /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact;
    /api-provider-management/v1/registrations provider_registrations_exact;
    /service-apis/v1/allServiceAPIs discover_service_exact;


    # Regex matches for endpoints that can be grouped by common patterns
    # Helper related endpoints
    ~^/helper/ helper_base_tree;
    ~^/helper/ helper_base_tree;

    # Invoker management related endpoints
    ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree;
    ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree;


    # Provider management related endpoints
    ~^/api-provider-management/v1/registrations/ provider_registrations_tree;
    
    # Published APIs related endpoints
    ~^/published-apis/v1/ published_apis_tree;

    # Logging related endpoints
    ~^/api-invocation-logs/v1/ logging_tree;
    
    # Auditing related endpoints
    ~^/logs/v1/ auditing_tree;

    # Security related endpoints
    ~^/capif-security/v1/trustedInvokers/.+/update  security_update;
    ~^/capif-security/v1/trustedInvokers/.+/delete  security_delete;
    ~^/capif-security/v1/trustedInvokers/.+  security_trusted_invokers_exact;
    ~^/capif-security/v1/securities/.+/token  security_token;
    ~^/capif-security/v1/  security_tree;

    # Events related endpoints
    ~^/capif-events/v1/  events_tree;

    # Access control policy related endpoints
    ~^/access-control-policy/v1/  acl_tree;
}
}
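Review bot: The security-service rows at the bottom of the map use `.+` with no end anchor, and in PCRE `.` also matches `/`, so the three `trustedInvokers` entries match more than one path segment: `/capif-security/v1/trustedInvokers/a/b/update` resolves to `security_update`, and `security_trusted_invokers_exact` is a prefix match despite its name. If the upstream routes take exactly one identifier per segment, `~^/capif-security/v1/trustedInvokers/[^/]+/update$ security_update;`, `~^/capif-security/v1/trustedInvokers/[^/]+/delete$ security_delete;` and `~^/capif-security/v1/trustedInvokers/[^/]+$ security_trusted_invokers_exact;` pin each label to the route it names, and `~^/capif-security/v1/securities/.+/token` can be tightened the same way. A broad match is not by itself a bypass, since `$auth_allowed` is computed elsewhere, but `$endpoint` selects which policy row is consulted, so a label should only match the route it describes. The `.+` form also accepts trailing slashes and sub-paths that the tighter pattern would reject, so confirm that is not relied on before anchoring.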
+8 −1
@@ -2,5 +2,12 @@ map $uri $service {
    default "";
    default "";
    ~^/helper(/|$)  helper;
    ~^/helper(/|$)  helper;
    ~^/api-invoker-management(/|$)  invoker-management;
    ~^/api-invoker-management(/|$)  invoker-management;

    ~^/api-provider-management(/|$)  provider-management;
    ~^/service-apis(/|$)  discover-service;
    ~^/published-apis(/|$)  publish-service;
    ~^/api-invocation-logs(/|$)  logging-service;
    ~^/logs(/|$)  auditing-service;
    ~^/capif-security(/|$)  security-service;
    ~^/capif-events(/|$)  events-service;
    ~^/access-control-policy(/|$)  access-control-policy;
}
}
+22 −0
@@ -9,4 +9,26 @@ map "$service:$has_token:$has_cert" $active_policy {
    # Api Invoker Management Service
    # Api Invoker Management Service
    invoker-management:1:0 $invoker_token_policy;
    invoker-management:1:0 $invoker_token_policy;
    invoker-management:0:1 $invoker_mtls_policy;
    invoker-management:0:1 $invoker_mtls_policy;

    # Api Provider Management Service
    provider-management:1:0 $provider_token_policy;
    provider-management:0:1 $provider_mtls_policy;

    # Discover Service
    discover-service:0:1 $discover_service_mtls_policy;

    # Published APIs Service
    publish-service:0:1 $publish_service_mtls_policy;

    # Logging Service
    logging-service:0:1 $logging_service_mtls_policy;

    # Auditing Service
    auditing-service:0:1 $auditing_service_mtls_policy;

    # Security Service
    security-service:0:1 $security_service_mtls_policy; 



}
}
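Review bot: The new rows stop at `security-service`, so `events-service` and `access-control-policy` (both added to the `$service` map in this commit) and every token-only (`1:0`) combination for discover, publish, logging, auditing and security fall through to the map's `default`, which sits above the hunk and is not visible here. If that fall-through is the intended deny, say so in the file; suggested: `# Any service/credential combination not listed above (events-service, access-control-policy, and all token-only rows except invoker/provider) resolves to the default policy`. The nginx.conf hunk in this commit keeps the legacy `$events_error_message` and `$acl_error_message` maps while deleting the others, which suggests those two services are meant to stay on the CN-based checks for now; recording that here keeps the two mechanisms from drifting apart. There is also trailing whitespace after `$security_service_mtls_policy;` and three blank lines before the closing brace.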
+14 −1
map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error {
map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error {
    default '{"status":401,"title":"Unauthorized","detail":"Operation not allowed","cause":"Access denied by policy"}';
    default '{"status":401,"title":"Unauthorized","detail":"Operation not allowed","cause":"Access denied by policy"}';
    ~^.*:.*:.*:0:0:.*$  '{"status":401, "title":"Unauthorized" ,"detail":"Certifcate not present", "cause":"Certificate is required for this API route"}';
    ~^.*:.*:.*:0:0:.*$  '{"status":401, "title":"Unauthorized" ,"detail":"Certifcate not present", "cause":"Certificate is required for this API route"}';

    ~^helper:.*:.*:0:1:(invoker|apf|aef|amf)$  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}';
    ~^helper:.*:.*:0:1:(invoker|apf|aef|amf)$  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}';
    ~^invoker-management:.*:.*:0:1:(amf|apf|aef|ccf)$  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
    ~^provider-management:.*:.*:0:1:(invoker|apf|aef|ccf)$  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}';
    ~^discover-service:.*:.*:0:1:(amf|apf|aef)$  '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
    ~^publish-service:.*:.*:0:1:(invoker|amf|aef)$  '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
    
    ~^security-service:security_trusted_invokers_exact:GET:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
    ~^security-service:security_trusted_invokers_exact:DELETE:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
    ~^security-service:security_trusted_invokers_exact:PUT:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
    ~^security-service:security_update:POST:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
    ~^security-service:security_delete:POST:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
    ~^security-service:security_token:POST:0:1:(aef|amf|apf|ccf)$ '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}';
    


}
}
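Review bot: This map only selects the error body; the deny decision comes from `$auth_allowed`, so a row here without a matching deny in the policy maps is dead text, and a deny without a row here yields the generic `Access denied by policy` default. A header comment makes that coupling explicit for whoever edits either side next; suggested: `# Diagnostic text only: $auth_allowed decides; keep these rows in step with the policy maps`. The patterns are case-sensitive (`~`), whereas the maps this commit removes matched roles with `~*` against values such as `INV`/`AMF`/`AEF`; if `$role` is not already normalised to lower case where it is derived, mismatched rows silently fall to the default message rather than the specific one. Unrelated but visible: the `0:0` row still sends `Certifcate not present` as the user-facing detail.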
+18 −39
@@ -18,40 +18,11 @@ http {


        log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn';
        log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn';



        map "$request_method:$uri:$ssl_client_s_dn_cn" $helper_error_message {
          default 'SUCCESS';
          "~*(GET|DELETE):.*:(?!(superadmin))(.*)"   '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $invoker_error_message {
          default 'SUCCESS';
          "~*(PUT|DELETE):.*:(?!(INV|superadmin))(.*)"   '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $provider_error_message {
          default 'SUCCESS';
          "~*(PUT|DELETE|PATCH):.*:(?!(AMF|superadmin))(.*)"   '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $publish_error_message {
          default 'SUCCESS';
          "~*.*:.*:(?!(APF|ccf|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message {
        map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message {
          default 'SUCCESS';
          default 'SUCCESS';
          "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}';
          "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}';
        }
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $discover_error_message {

          default 'SUCCESS';
          "~*.*:.*:(?!(INV|ccf|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $security_error_message {
          default 'SUCCESS';
          "~*DELETE:.*:(?!(AEF|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
          "~*PUT:.*:(?!(INV|superadmin))(.*)"          '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
          "~*GET:.*:(?!(AEF|superadmin))(.*)"              '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
          "~*POST:.*/update:(?!(INV|superadmin))(.*)"  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
          "~*POST:.*/delete:(?!(AEF|superadmin))(.*)"      '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
          "~*POST:.*/token:(?!(INV|superadmin))(.*)"   '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}';
        }
        map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message {
        map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message {
          default 'SUCCESS';
          default 'SUCCESS';
          "~*.*:.*:ccf"           '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
          "~*.*:.*:ccf"           '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
@@ -96,9 +67,9 @@ http {
              }
              }


              location /api-provider-management {
              location /api-provider-management {
                if ( $provider_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  add_header Content-Type 'application/problem+json';
                  return 401 $provider_error_message;
                  return 401 $auth_error;
                }
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://api-provider-management:8080;
                proxy_pass http://api-provider-management:8080;
@@ -108,9 +79,9 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                    return 403;
                }
                }
                if ( $discover_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  add_header Content-Type 'application/problem+json';
                  return 401 $discover_error_message;
                  return 401 $auth_error;
                }
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://service-apis:8080;
                proxy_pass http://service-apis:8080;
@@ -120,9 +91,9 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                    return 403;
                }
                }
                if ( $publish_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  add_header Content-Type 'application/problem+json';
                  return 401 $publish_error_message;
                  return 401 $auth_error;
                }
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://published-apis:8080;
                proxy_pass http://published-apis:8080;
@@ -132,6 +103,10 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                    return 403;
                }
                }
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  return 401 $auth_error;
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://api-invocation-logs:8080;
                proxy_pass http://api-invocation-logs:8080;
              }
              }
@@ -140,6 +115,10 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                    return 403;
                }
                }
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  return 401 $auth_error;
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://logs:8080;
                proxy_pass http://logs:8080;
              }
              }
@@ -148,9 +127,9 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                    return 403;
                }
                }
                if ( $security_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                add_header Content-Type 'application/problem+json';
                add_header Content-Type 'application/problem+json';
                  return 401 $security_error_message;
                return 401 $auth_error;
                }
                }


                proxy_set_header X-TLS-Protocol $ssl_protocol;
                proxy_set_header X-TLS-Protocol $ssl_protocol;