Commit 4c450ce6 authored by Jorge Moratinos

Merge branch 'staging' into OCF56-review-log-level-in-all-services

parents 7e5593bc ff173192
+2 −1
@@ -37,4 +37,5 @@ results


helm/capif/*.lock
helm/capif/*.lock
helm/capif/charts/tempo*
helm/capif/charts/tempo*
*.bakresults/
*.bak
*.bak
+4 −0
@@ -36,5 +36,9 @@ data:
      "configuration_api": {
      "configuration_api": {
        "path": "/configuration",
        "path": "/configuration",
        "openapi_file": "configuration/openapi/openapi.yaml"
        "openapi_file": "configuration/openapi/openapi.yaml"
      },
      "visibility_control": {
        "path": "/visibility-control",
        "openapi_file": "visibility_control/openapi/openapi.yaml"
      }
      }
    }
    }
 No newline at end of file
+22 −122
@@ -16,7 +16,7 @@ data:
     echo "install dependencies"
     echo "install dependencies"
     apk add --no-cache jq openssl
     apk add --no-cache jq openssl


     # Establecer las variables de entorno de Vault
     # Set Vault environment variables


     export VAULT_ADDR='http://vault-internal:8200'
     export VAULT_ADDR='http://vault-internal:8200'
     
     
@@ -37,22 +37,22 @@ data:
     
     
     vault secrets enable pki
     vault secrets enable pki
     
     
     echo "# Generar una CA en Vault #"
     echo "# Generate a CA in Vault #"
     vault secrets tune -max-lease-ttl=87600h pki
     vault secrets tune -max-lease-ttl=87600h pki
     
     
     vault write -field=certificate pki/root/generate/internal \
     vault write -field=certificate pki/root/generate/internal \
          common_name="capif" \
          common_name="capif" \
          issuer_name="root-2023" \
          issuer_name="root-2026" \
          ttl=87600h > root_2023_ca.crt
          ttl=87600h > root_2026_ca.crt
    
    
     echo "# check root_2023_ca.crt #"
     echo "# check root_2026_ca.crt #"
     cat root_2023_ca.crt
     cat root_2026_ca.crt
     
     
     vault write pki/config/urls \
     vault write pki/config/urls \
          issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
          issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
          crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
          crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
     
     
     # # Generar una CA intermedia en Vault
     # # Generate an intermediate CA in Vault
     vault secrets enable -path=pki_int pki
     vault secrets enable -path=pki_int pki
     
     
     vault secrets tune -max-lease-ttl=43800h pki_int
     vault secrets tune -max-lease-ttl=43800h pki_int
@@ -65,20 +65,20 @@ data:
     echo "### content pki_intermediate.csr ###"
     echo "### content pki_intermediate.csr ###"
     cat pki_intermediate.csr
     cat pki_intermediate.csr
     
     
     # Firmar la CA intermedia con la CA raíz
     # Sign the intermediate CA with the root CA
     vault write -format=json pki/root/sign-intermediate \
     vault write -format=json pki/root/sign-intermediate \
          issuer_ref="root-2023" \
          issuer_ref="root-2026" \
          csr=@pki_intermediate.csr \
          csr=@pki_intermediate.csr \
          format=pem_bundle ttl="43800h" \
          format=pem_bundle ttl="43800h" \
          | jq -r '.data.certificate' > capif_intermediate.cert.pem
          | jq -r '.data.certificate' > capif_intermediate.cert.pem
     
     
     # Configurar la CA intermedia en Vault
     # Configure the intermediate AC in Vault
     vault write pki_int/intermediate/set-signed certificate=@capif_intermediate.cert.pem
     vault write pki_int/intermediate/set-signed certificate=@capif_intermediate.cert.pem
     
     
     #Crear rol en Vault
     # Create a role in Vault
     vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
     vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
     
     
     # Emitir un certificado firmado por la CA intermedia
     # Issue a certificate signed by the intermediary CA
     # vault write -format=json pki_int/issue/my-ca \
     # vault write -format=json pki_int/issue/my-ca \
     #   common_name="nginx.mon.svc.cluster.local" \
     #   common_name="nginx.mon.svc.cluster.local" \
     #   format=pem_bundle ttl="438h" \
     #   format=pem_bundle ttl="438h" \
@@ -92,131 +92,31 @@ data:
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     
     
     
     
     #Create CSR
     ############################################################
     openssl genrsa -out ./server.key 2048
     # 4) CA BUNDLE (KV v2)
     
     ############################################################
     cat > ./foo.cnf <<EOF
     [ req ]
     distinguished_name = req_distinguished_name
     req_extensions = v3_req
     
     [ req_distinguished_name ]
     countryName = \$ENV::COUNTRY
     countryName_default = \$ENV::COUNTRY
     stateOrProvinceName = \$ENV::STATE
     stateOrProvinceName_default = \$ENV::STATE
     localityName = \$ENV::LOCALITY
     localityName_default = \$ENV::LOCALITY
     organizationName = \$ENV::ORGNAME
     organizationName_default = \$ENV::ORGNAME
     organizationalUnitName  = \$ENV::ORGUNIT
     organizationalUnitName_default  = \$ENV::ORGUNIT
     commonName = capif
     commonName_max  = 64
     emailAddress = Email Address
     emailAddress_max = 64
     emailAddress_default = \$ENV::EMAIL
     
     [ v3_req ]
     subjectAltName = @alt_names
     
     [alt_names]
     DNS.1 = \$ENV::DOMAIN1
     DNS.2 = \$ENV::DOMAIN2
     DNS.3 = \$ENV::DOMAIN3
     EOF

     export COUNTRY=ES                # 2 letter country-code
     export STATE=Madrid            # state or province name
     export LOCALITY=Madrid        # Locality Name (e.g. city)
     export ORGNAME="Telefonica I+D" # Organization Name (eg, company)
     export ORGUNIT=Innovation                  # Organizational Unit Name (eg. section)
     export COMMONNAME="nginx.mon.svc.cluster.local"
     export EMAIL=inno@tid.es    # certificate's email address
     # optional extra details
     CHALLENGE=""                # challenge password
     COMPANY=""                  # company name
     
     # DAYS="-days 365"
     
     # create the certificate request
     openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req
     
     echo "### verify the Subject Alternative Name (SAN) ###"
     openssl req -text -noout -verify -in ./server.csr | grep 'DNS'


     #cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout client.key -out client.csr
     #cat <<__EOF__ | openssl req -new $DAYS -key ./server.key -out ./server.csr
     #$COUNTRY
     #$STATE
     #$LOCALITY
     #$ORGNAME
     #$ORGUNIT
     #$COMMONNAME
     #$EMAIL
     #$CHALLENGE
     #$COMPANY
     #__EOF__
     
     # vault write -format=json pki_int/issue/my-ca \
     #   csr=@server.csr \
     #   format=pem_bundle ttl="438h" \
     #   | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
     
     vault write -format=json pki_int/sign/my-ca  format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json
     
     jq -r '.[0]' cert_data.json > root_ca.crt.pem
     echo "### content root_ca.crt.pem ###"
     cat root_ca.crt.pem

     echo "### content server_certificate.crt.pem ###"
     jq -r '.[1]' cert_data.json > server_certificate.crt.pem
     
     openssl x509 -pubkey -noout -in server_certificate.crt.pem  > server_certificate_pub.pem
     
     #vault kv put secret/ca ca=@root_helm.pem root_2023_ca.crt
     
     #cat root_2023_ca.crt root_2023_ca.crt > ca.crt
     
     cat > certificados_concatenados.crt << EOF
     $(cat "root_2023_ca.crt")
     $(cat "root_ca.crt.pem")
     EOF
     echo "### content of root_2023_ca.crt ###"
     cat root_2023_ca.crt

     echo "### content of root_ca.crt.pem ###"
     cat root_ca.crt.pem

     echo "### content of certificados_concatenados.crt ###"
     cat certificados_concatenados.crt
     
     # vault kv put secret/ca ca=@root_2023_ca.crt


     echo "### enable secrets kv ###"
     echo "### enable secrets kv ###"
     vault secrets enable -path=secret -version=2 kv
     vault secrets enable -path=secret -version=2 kv


     vault kv put secret/ca ca=@certificados_concatenados.crt
     # Store CA bundle at secret/ca (same as docker script)
     
     vault kv put secret/ca ca=@capif_intermediate.cert.pem
     vault kv put secret/server_cert cert=@server_certificate.crt.pem


     vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem
     echo "[INFO] CA bundle stored at secret/ca"


     vault kv put secret/server_cert/private key=@server.key
     
     
     #POLICY_NAME="my-policy"
     #POLICY_NAME="my-policy"
     #POLICY_FILE="my-policy.hcl"
     #POLICY_FILE="my-policy.hcl"
     #TOKEN_ID="read-ca-token"
     #TOKEN_ID="read-ca-token"
     
     
     # Crear la política en Vault
     # Create the policy in Vault
     #echo "path \"secret/data/ca\" {
     #echo "path \"secret/data/ca\" {
     #  capabilities = [\"read\"]
     #  capabilities = [\"read\"]
     #}" > "$POLICY_FILE"
     #}" > "$POLICY_FILE"
     
     
     #vault policy write "$POLICY_NAME" "$POLICY_FILE"
     #vault policy write "$POLICY_NAME" "$POLICY_FILE"
     
     
     # Generar un nuevo token y asignar la política
     # Generate a new token and assign the policy
     #TOKEN=$(vault token create -id="$TOKEN_ID" -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token')
     #TOKEN=$(vault token create -id="$TOKEN_ID" -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token')
     
     
     #echo "Token generado:"
     #echo "Token generado:"
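Review bot: `vault kv put secret/ca ca=@capif_intermediate.cert.pem` writes a single certificate under a key that the new `# 4) CA BUNDLE (KV v2)` heading and the `[INFO] CA bundle stored at secret/ca` message describe as a bundle; capif_intermediate.cert.pem is the `.data.certificate` field of the sign-intermediate response, which (per Vault's pem_bundle semantics, worth confirming) holds only the intermediate when the issuer is a Vault-generated self-signed root, whereas the removed code concatenated the root certificate with the issuing CA before writing `secret/ca`. Any consumer that validates chains up to a self-signed trust anchor (OpenSSL without partial-chain, and nginx's `ssl_client_certificate` by default) will now fail, and nothing in the script checks what was written, so the regression would be silent. If the root is still required, write the pair instead: `cat root_2026_ca.crt capif_intermediate.cert.pem > ca_bundle.pem` followed by `vault kv put secret/ca ca=@ca_bundle.pem`; if the intermediate alone is intended, rename the heading and the `[INFO]` line so the key's content is unambiguous. Since the openssl CSR/key flow is gone, `apk add --no-cache jq openssl` in the first hunk no longer needs openssl unless something outside these hunks uses it. The enclosing script starts before and continues after this hunk.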
+19 −0
@@ -24,6 +24,10 @@ from opentelemetry.sdk.trace.export import BatchSpanProcessor
from opentelemetry.trace.propagation.tracecontext import \
from opentelemetry.trace.propagation.tracecontext import \
    TraceContextTextMapPropagator
    TraceContextTextMapPropagator


from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

NAME = "Invoker-Service"
NAME = "Invoker-Service"


# Setting log level
# Setting log level
@@ -120,6 +124,21 @@ def verbose_formatter():
with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as pub_file:
with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as pub_file:
            pub_data = pub_file.read()
            pub_data = pub_file.read()


# with open("/usr/src/app/api_invoker_management/pubkey.pem", "rb") as f:
#     pem_data = f.read()

# # Extract the first certificate from the PEM (even if it comes in a bundle)
# cert = x509.load_pem_x509_certificate(pem_data, default_backend())

# # Extract the public key
# public_key = cert.public_key()

# # Convert the public key to PEM (which JWT needs)
# pub_data = public_key.public_bytes(
#     encoding=serialization.Encoding.PEM,
#     format=serialization.PublicFormat.SubjectPublicKeyInfo,
# )

app = connexion.App(__name__, specification_dir='openapi/')
app = connexion.App(__name__, specification_dir='openapi/')
app.app.json_encoder = encoder.CustomJSONEncoder
app.app.json_encoder = encoder.CustomJSONEncoder
app.add_api('openapi.yaml',
app.add_api('openapi.yaml',
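Review bot: The three `cryptography` imports added at the top are referenced only from the commented-out block below the `open(...)`, so the module now carries dead imports and a dead code path in a service entry point. If the intent is to let pubkey.pem hold a PEM certificate rather than a bare public key, enable the conversion and drop the raw `pub_data = pub_file.read()` path, keeping in mind the block's own note that `load_pem_x509_certificate` takes the first certificate of a bundle, so whichever cert comes first decides the key; otherwise remove both the imports and the commented block. Either way, a one-line comment above the `open(...)` stating what the file must contain, e.g. `# pubkey.pem: PEM public key (SubjectPublicKeyInfo) used to verify invoker JWTs`, would spare the next reader this guess. The `with open` statement and `app` setup continue outside the hunk.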
+7 −1
@@ -6,6 +6,8 @@ from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.backends import default_backend
from flask import current_app, request
from flask import current_app, request


from ..core.responses import unauthorized_error

from ..core.apiinvokerenrolmentdetails import InvokerManagementOperations
from ..core.apiinvokerenrolmentdetails import InvokerManagementOperations
from ..core.validate_user import ControlAccess
from ..core.validate_user import ControlAccess
from ..models.api_invoker_enrolment_details import \
from ..models.api_invoker_enrolment_details import \
@@ -20,7 +22,11 @@ def cert_validation():
        def __cert_validation(*args, **kwargs):
        def __cert_validation(*args, **kwargs):


            args = request.view_args
            args = request.view_args
            cert_tmp = request.headers['X-Ssl-Client-Cert']
            cert_tmp = request.headers.get('X-Ssl-Client-Cert')
            
            if not cert_tmp:
                return unauthorized_error("Client certificate required", "X-Ssl-Client-Cert header is missing")
            
            cert_raw = cert_tmp.replace('\t', '')
            cert_raw = cert_tmp.replace('\t', '')


            cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend())
            cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend())
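Review bot: The new guard only covers an absent `X-Ssl-Client-Cert`; a present but malformed value still reaches `x509.load_pem_x509_certificate(str.encode(cert_raw), ...)` on the last line, which raises `ValueError` and surfaces as an unhandled 500 instead of the 401 the header check now returns. Wrapping the parse in the same error path keeps the decorator's contract consistent for both failure modes. This header is only trustworthy if the TLS-terminating proxy always sets or overwrites it and the service is not reachable directly — presumably the case here, but worth a comment on the decorator since nothing in the code enforces it. The decorator body continues outside the hunk.
```python
            try:
                cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend())
            except ValueError:
                return unauthorized_error("Client certificate required", "X-Ssl-Client-Cert header is not a valid PEM certificate")
```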