Commit 355921f1 authored by Jorge Moratinos

Added other services to nginx

parent 15acbb53
+4 −0
@@ -29,6 +29,10 @@ map "$service:$has_token:$has_cert" $active_policy {
    # Security Service
    security-service:0:1 $security_service_mtls_policy; 

    # Events Service
    events-service:0:1 $events_service_mtls_policy;

    # Access Control Policy Service
    access-control-policy:0:1 $access_control_policy_mtls_policy;

}
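Review bot: The events-service and access-control-policy entries select a policy only for the `0:1` combination (no token, client certificate present), so a request to either service that arrives with a token, with both, or with neither falls through to this map's `default`, which sits above line 29 and is not visible in the hunk. If the map has no `default`, `$active_policy` is the empty string for those cases and whether that fails closed depends on how `$auth_allowed` is derived from it, which this commit does not show. If it is not already there, a `default` entry that resolves to a deny policy would make the intent explicit, and a comment such as `# key layout: $service:$has_token:$has_cert` above the first entry would help readers of this map.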
+3 −3
@@ -6,6 +6,8 @@ map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error {
    ~^provider-management:.*:.*:0:1:(invoker|apf|aef|ccf)$  '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}';
    ~^discover-service:.*:.*:0:1:(amf|apf|aef)$  '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
    ~^publish-service:.*:.*:0:1:(invoker|amf|aef)$  '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
    ~^events-service:.*:.*:0:1:(ccf)$  '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
    ~^access-control-policy:.*:.*:0:1:(amf|apf|invoker)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}';

    ~^security-service:security_trusted_invokers_exact:GET:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
    ~^security-service:security_trusted_invokers_exact:DELETE:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
@@ -14,6 +16,4 @@ map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error {
    ~^security-service:security_delete:POST:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
    ~^security-service:security_token:POST:0:1:(aef|amf|apf|ccf)$ '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}';



}
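Review bot: The new access-control-policy entry on line 32 emits an error only for roles `amf|apf|invoker`, while the `$access_control_policy_mtls_policy` map added in this commit denies everything except `aef|superadmin`; a `ccf` client, a role the other entries in this map treat as real (lines 28 and 34), is therefore denied by the policy but matches no `$auth_error` entry and would receive `return 401 $auth_error` with whatever this map's `default` is, which is outside the hunk. If ccf is meant to be denied, `~^access-control-policy:.*:.*:0:1:(amf|apf|invoker|ccf)$` keeps the error body in step with the policy; note that the `$acl_error_message` map this commit removes let ccf through via `(?!(AEF|ccf|superadmin))`, so the denial itself is a behaviour change worth confirming. On the events-service entry (line 31) the condition is a role mismatch but `cause` says `"Certificate not authorized"`; the security-service entries below use `"User role must be …"` for the same situation, and matching that wording would make the problem documents consistent.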
+4 −14
@@ -18,16 +18,6 @@ http {

        log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn';

        map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message {
          default 'SUCCESS';
          "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)"           '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}';
        }

        map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message {
          default 'SUCCESS';
          "~*.*:.*:ccf"           '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
        }

        server {
              listen      8080;

@@ -144,18 +134,18 @@ http {
                if ($ssl_client_verify != SUCCESS) {
                    return 403;
                }
                if ( $events_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  return 401 $events_error_message;
                  return 401 $auth_error;
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://capif-events:8080;
              }

              location /access-control-policy {
                if ( $acl_error_message != SUCCESS ) {
                if ($auth_allowed = 0) {
                  add_header Content-Type 'application/problem+json';
                  return 401 $acl_error_message;
                  return 401 $auth_error;
                }
                proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
                proxy_pass http://access-control-policy:8080;
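Review bot: `return 401 $auth_error;` on lines 70 and 81 now relies on the `$auth_error` map having an entry for every case in which `$auth_allowed` is 0; where that map falls through to its `default`, the client gets a 401 whose body is the default value rather than a problem document, so either that default should be a well-formed problem+json body or the role sets of the two maps should be checked against each other. The `/access-control-policy` location also lacks the `if ($ssl_client_verify != SUCCESS) { return 403; }` guard that `/events` has on lines 63-65; unless `$has_cert` is derived from `$ssl_client_verify` elsewhere, a request carrying an unverified client certificate reaches the policy check and, if allowed, is proxied with `X-SSL-Client-Cert` set. Separately, `add_header Content-Type 'application/problem+json';` ahead of the 401 is unchanged here, but nginx emits `add_header` headers only for 2xx/3xx responses unless the `always` flag is given, so the error bodies are likely sent without that Content-Type; `add_header Content-Type 'application/problem+json' always;` fixes it in both locations. The `/access-control-policy` location block continues past the end of the hunk.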
+7 −0
map "$endpoint:$method:$role" $access_control_policy_mtls_policy {
    default DENY;
    # Security policies that use mTLS for authentication
    ~^acl_tree:GET:(aef|superadmin)$ ALLOW;
    
}
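Review bot: The comment on line 89, `# Security policies that use mTLS for authentication`, is copied from the security-service policy and should name this service, e.g. `# Access-control-policy endpoints that use mTLS for authentication`. The match `~^acl_tree:GET:(aef|superadmin)$` is case-sensitive, whereas the `$acl_error_message` map this commit removes matched the certificate CN case-insensitively (`~*` with `AEF`); if `$role` is taken from the CN without normalising case, an `AEF` certificate that was accepted before is now rejected by `default DENY`. That removed map also let `ccf` through and the new allow-list does not, so both changes are worth confirming as intended. Line 91 carries trailing whitespace.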
+6 −0
map "$endpoint:$method:$role" $events_service_mtls_policy {
    default DENY;
    #Publish policies that use mTLS for authentication
    ~^events_tree:(POST|DELETE|PUT|PATCH):(amf|apf|aef|invoker|superadmin)$ ALLOW;
}
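Review bot: Only `POST|DELETE|PUT|PATCH` on `events_tree` is allowed, so any GET to the events service is rejected by `default DENY`; if the events API exposes read endpoints they need an entry here, and if not, a comment stating that GET is intentionally denied would stop the next reader from adding one. The comment on line 97, `#Publish policies that use mTLS for authentication`, is copied from the publish policy and should read `# Events policies that use mTLS for authentication`. The `$events_error_message` map this commit removes rejected only `ccf` and accepted any other CN, whereas this allow-list admits exactly `amf|apf|aef|invoker|superadmin` and denies everything else, including unknown roles; a one-line comment such as `# ccf and unknown roles are deliberately denied` would preserve that intent now that the old map is gone.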