Loading services/helper/helper_service/app.py +2 −1 Original line number Diff line number Diff line Loading @@ -120,7 +120,8 @@ for name, pkg in package_paths.items(): openapi_file, # relative to specification_dir (SERVICES_DIR) arguments={"title": title}, pythonic_params=True, base_path=base_path # base_path=base_path base_path="/helper/" + base_path ) Loading services/helper/helper_service/services/visibility_control/core/visibility_control_core.py +0 −110 Original line number Diff line number Diff line Loading @@ -8,33 +8,6 @@ from visibility_control.core.validate_user import ControlAccess valid_user = ControlAccess() # def get_all_rules(): # db = get_mongo() # # Usamos la colección configurada en el helper # col = db.get_col_by_name("visibility_rules") # rules = list(col.find({}, {"_id": 0})) # return {"rules": rules}, 200 # def get_all_rules(): # """ # Retrieve visibility rules. # - If superadmin: Returns all rules without filtering. # - If provider: Returns only rules matching the certificate identity (CN). # """ # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # # Safely retrieve identity from request object # cn = request.user_cn # # Professional logic tree: # # 1. Bypass security filters for Superadmin # if cn != "superadmin": # rules = list(col.find({"userName": cn}, {"_id": 0})) # return {"rules": rules}, 200 # rules = list(col.find({}, {"_id": 0})) # return {"rules": rules}, 200 def get_all_rules(): db = get_mongo() Loading Loading 
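Review bot: The new `base_path="/helper/" + base_path` relies on `base_path` never starting with a slash; if the value derived from `package_paths` already carries a leading `/`, the mounted prefix becomes `/helper//...`, which the nginx `~^/helper/` map still matches but the API router may not normalise — hedged, since `base_path` is computed outside the hunk. Normalise explicitly, e.g. `base_path="/helper/" + base_path.lstrip("/")`, and drop the retained `# base_path=base_path` line, which is commented-out code rather than documentation. The `/helper/` literal now has to agree with the nginx maps added in this same commit, so a short comment naming that coupling, e.g. `# prefix must match the /helper entries in services/nginx/maps and services/nginx/endpoints`, would help the next maintainer. The enclosing `for name, pkg in package_paths.items()` loop starts outside the hunk.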
@@ -189,47 +162,6 @@ def get_rule_by_id(rule_id): "detail": "You do not have permission to view this rule" }, 401 # def get_rule_by_id(rule_id): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # rule = col.find_one({"ruleId": rule_id}, {"_id": 0}) # # if rule: # # return rule, 200 # # return {"title": "Not Found", "detail": "Rule not found"}, 404 # if not rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # SECURITY CHECK: Only Superadmin or the actual owner (CN) can view # if request.user_cn != "superadmin" and rule.get('updatedBy') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to view this rule"}, 401 # rule.pop('_id', None) # return rule, 200 # def delete_rule_by_id(rule_id): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # # 1. Fetch the rule first to check ownership # rule = col.find_one({"ruleId": rule_id}) # if not rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # 2. SECURITY CHECK: Only Superadmin or the actual owner (CN) can delete # # We compare the current certificate CN against the stored 'updatedBy' # if request.user_cn != "superadmin" and rule.get('userName') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to delete this rule"}, 401 # # 3. Perform the actual deletion # res = col.delete_one({"ruleId": rule_id}) # # 4. Final check on the operation result # if res.deleted_count > 0: # return None, 204 # return {"title": "Not Found", "detail": "Rule not found"}, 404 def delete_rule_by_id(rule_id): """ Delete a specific visibility rule after verifying ownership. Loading Loading 
@@ -273,48 +205,6 @@ def delete_rule_by_id(rule_id): "detail": "You do not have permission to delete this rule" }, 401 # def update_rule_patch(rule_id, body): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # # Fetch existing rule for comparison # existing_rule = col.find_one({"ruleId": rule_id}) # if not existing_rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # SECURITY CHECK: Only Superadmin or the actual owner (CN) can update # if request.user_cn != "superadmin" and existing_rule.get('userName') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to modify this rule"}, 401 # # Always update 'updatedAt' timestamp # now = datetime.now(timezone.utc).isoformat().replace('+00:00', 'Z') # body['updatedAt'] = now # # Re-validate date logic if dates are being modified # new_start = body.get('startsAt', existing_rule.get('startsAt')) # new_end = body.get('endsAt', existing_rule.get('endsAt')) # if new_start and new_end: # try: # s = datetime.fromisoformat(new_start.replace('Z', '+00:00')) # e = datetime.fromisoformat(new_end.replace('Z', '+00:00')) # if e <= s: # return { # "title": "Bad Request", # "detail": "Validation Error: endsAt must be later than startsAt" # }, 400 # except ValueError: # return {"title": "Bad Request", "detail": "Invalid date format."}, 400 # # # Update metadata if user info is provided # # if 'providerSelector' in body and 'createdByUser' in body['providerSelector']: # # body['updatedBy'] = body['providerSelector']['createdByUser'] # body['updatedBy'] = cn # col.update_one({"ruleId": rule_id}, {"$set": body}) # updated_rule = col.find_one({"ruleId": rule_id}, {"_id": 0}) # return updated_rule, 200 def update_rule_patch(rule_id, body): """ Update a specific visibility rule using PATCH logic. Loading services/nginx/Dockerfile +3 −0 Original line number Diff line number Diff line Loading 
@@ -9,6 +9,9 @@ RUN mkdir -p /etc/nginx/certs COPY ./certs/sign_req_body_tmp.json /etc/nginx/certs/sign_req_body_tmp.json COPY ./nginx.conf /etc/nginx/nginx.conf COPY ./endpoints /etc/nginx/endpoints COPY ./maps /etc/nginx/maps COPY ./policies /etc/nginx/policies COPY ./nginx_prepare.sh . RUN chmod a+x nginx_prepare.sh Loading services/nginx/endpoints/endpoints.conf 0 → 100644 +40 −0 Original line number Diff line number Diff line map $uri $endpoint { default "NO MATCH"; # Exact matches for endpoints that require specific handling (Must be on top of the regex matches) /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact; /api-provider-management/v1/registrations provider_registrations_exact; /service-apis/v1/allServiceAPIs discover_service_exact; # Regex matches for endpoints that can be grouped by common patterns # Helper related endpoints ~^/helper/ helper_base_tree; # Invoker management related endpoints ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree; # Provider management related endpoints ~^/api-provider-management/v1/registrations/ provider_registrations_tree; # Published APIs related endpoints ~^/published-apis/v1/ published_apis_tree; # Logging related endpoints ~^/api-invocation-logs/v1/ logging_tree; # Auditing related endpoints ~^/logs/v1/ auditing_tree; # Security related endpoints ~^/capif-security/v1/trustedInvokers/.+/update security_update; ~^/capif-security/v1/trustedInvokers/.+/delete security_delete; ~^/capif-security/v1/trustedInvokers/.+ security_trusted_invokers_exact; ~^/capif-security/v1/securities/.+/token security_token; ~^/capif-security/v1/ security_tree; # Events related endpoints ~^/capif-events/v1/ events_tree; # Access control policy related endpoints ~^/access-control-policy/v1/ acl_tree; } services/nginx/maps/00-services.conf 0 → 100644 +13 −0 Original line number Diff line number Diff line map $uri $service { default ""; ~^/helper(/|$) helper; ~^/api-invoker-management(/|$) 
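Review bot: `COPY ./policies /etc/nginx/policies` requires a `policies` directory in the build context, but unlike `endpoints` and `maps` no file under it is added by this commit, so the build fails if that directory does not already exist — worth confirming. The new `map` fragments only take effect if `nginx.conf` includes them from the `http` context (nginx `map` is not valid inside `server`), and that include is not part of this diff. A comment above the three `COPY` lines, e.g. `# map/endpoint/policy fragments; must be included from nginx.conf at http level`, would document the dependency. The rest of the Dockerfile lies outside the hunk.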
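Review bot: The `trustedInvokers` and `securities` patterns use `.+` with no end anchor, so `$endpoint` is looser than its name suggests: `/capif-security/v1/trustedInvokers/a/b/update`, `/capif-security/v1/trustedInvokers/x/update/extra` and `/capif-security/v1/trustedInvokers/x/y` all classify as `security_update` or `security_trusted_invokers_exact`. If the policies keyed on `$endpoint` grant different rights per class (the `policies` directory is not in this diff, so this is inferred), an over-broad class lets a request be evaluated under a rule meant for a different URI shape. Restricting path segments to `[^/]+` and anchoring with `$` makes each class match exactly one shape, and anything else falls through to `security_tree` or `NO MATCH`, which is the safe direction; note the anchored forms no longer accept a trailing-slash variant, which is intended. A one-line header such as `# $endpoint: authorization class for $uri; "NO MATCH" must be denied by the policy layer` would also state the contract the default value implies.
```nginx
    # Security related endpoints
    ~^/capif-security/v1/trustedInvokers/[^/]+/update$ security_update;
    ~^/capif-security/v1/trustedInvokers/[^/]+/delete$ security_delete;
    ~^/capif-security/v1/trustedInvokers/[^/]+$ security_trusted_invokers_exact;
    ~^/capif-security/v1/securities/[^/]+/token$ security_token;
    # … unchanged: remaining map entries …
```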
invoker-management; ~^/api-provider-management(/|$) provider-management; ~^/service-apis(/|$) discover-service; ~^/published-apis(/|$) publish-service; ~^/api-invocation-logs(/|$) logging-service; ~^/logs(/|$) auditing-service; ~^/capif-security(/|$) security-service; ~^/capif-events(/|$) events-service; ~^/access-control-policy(/|$) access-control-policy; } Loading
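Review bot: `$service` falls back to an empty string while the sibling `$endpoint` map in `endpoints.conf` falls back to `"NO MATCH"`, so the two maps signal an unrecognised URI differently, and a consumer that tests one sentinel but not the other treats unmatched paths inconsistently. An empty default is also the riskier choice if `$service` ever feeds a `proxy_pass` or upstream lookup, since it degrades into a runtime error rather than a deliberate deny (inferred; the consumers of these variables are outside the diff). Pick one convention for both files and document it in a header comment, e.g. `# $service: upstream name for the first path segment; empty means no known service and the request must be rejected before any proxy_pass`.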
services/helper/helper_service/app.py +2 −1 Original line number Diff line number Diff line Loading @@ -120,7 +120,8 @@ for name, pkg in package_paths.items(): openapi_file, # relative to specification_dir (SERVICES_DIR) arguments={"title": title}, pythonic_params=True, base_path=base_path # base_path=base_path base_path="/helper/" + base_path ) Loading
services/helper/helper_service/services/visibility_control/core/visibility_control_core.py +0 −110 Original line number Diff line number Diff line Loading @@ -8,33 +8,6 @@ from visibility_control.core.validate_user import ControlAccess valid_user = ControlAccess() # def get_all_rules(): # db = get_mongo() # # Usamos la colección configurada en el helper # col = db.get_col_by_name("visibility_rules") # rules = list(col.find({}, {"_id": 0})) # return {"rules": rules}, 200 # def get_all_rules(): # """ # Retrieve visibility rules. # - If superadmin: Returns all rules without filtering. # - If provider: Returns only rules matching the certificate identity (CN). # """ # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # # Safely retrieve identity from request object # cn = request.user_cn # # Professional logic tree: # # 1. Bypass security filters for Superadmin # if cn != "superadmin": # rules = list(col.find({"userName": cn}, {"_id": 0})) # return {"rules": rules}, 200 # rules = list(col.find({}, {"_id": 0})) # return {"rules": rules}, 200 def get_all_rules(): db = get_mongo() Loading Loading 
@@ -189,47 +162,6 @@ def get_rule_by_id(rule_id): "detail": "You do not have permission to view this rule" }, 401 # def get_rule_by_id(rule_id): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # rule = col.find_one({"ruleId": rule_id}, {"_id": 0}) # # if rule: # # return rule, 200 # # return {"title": "Not Found", "detail": "Rule not found"}, 404 # if not rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # SECURITY CHECK: Only Superadmin or the actual owner (CN) can view # if request.user_cn != "superadmin" and rule.get('updatedBy') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to view this rule"}, 401 # rule.pop('_id', None) # return rule, 200 # def delete_rule_by_id(rule_id): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # # 1. Fetch the rule first to check ownership # rule = col.find_one({"ruleId": rule_id}) # if not rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # 2. SECURITY CHECK: Only Superadmin or the actual owner (CN) can delete # # We compare the current certificate CN against the stored 'updatedBy' # if request.user_cn != "superadmin" and rule.get('userName') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to delete this rule"}, 401 # # 3. Perform the actual deletion # res = col.delete_one({"ruleId": rule_id}) # # 4. Final check on the operation result # if res.deleted_count > 0: # return None, 204 # return {"title": "Not Found", "detail": "Rule not found"}, 404 def delete_rule_by_id(rule_id): """ Delete a specific visibility rule after verifying ownership. Loading Loading 
@@ -273,48 +205,6 @@ def delete_rule_by_id(rule_id): "detail": "You do not have permission to delete this rule" }, 401 # def update_rule_patch(rule_id, body): # db = get_mongo() # col = db.get_col_by_name("visibility_rules") # cn = request.user_cn # # Fetch existing rule for comparison # existing_rule = col.find_one({"ruleId": rule_id}) # if not existing_rule: # return {"title": "Not Found", "detail": "Rule not found"}, 404 # # SECURITY CHECK: Only Superadmin or the actual owner (CN) can update # if request.user_cn != "superadmin" and existing_rule.get('userName') != request.user_cn: # return {"title": "Unauthorized", "detail": "You do not have permission to modify this rule"}, 401 # # Always update 'updatedAt' timestamp # now = datetime.now(timezone.utc).isoformat().replace('+00:00', 'Z') # body['updatedAt'] = now # # Re-validate date logic if dates are being modified # new_start = body.get('startsAt', existing_rule.get('startsAt')) # new_end = body.get('endsAt', existing_rule.get('endsAt')) # if new_start and new_end: # try: # s = datetime.fromisoformat(new_start.replace('Z', '+00:00')) # e = datetime.fromisoformat(new_end.replace('Z', '+00:00')) # if e <= s: # return { # "title": "Bad Request", # "detail": "Validation Error: endsAt must be later than startsAt" # }, 400 # except ValueError: # return {"title": "Bad Request", "detail": "Invalid date format."}, 400 # # # Update metadata if user info is provided # # if 'providerSelector' in body and 'createdByUser' in body['providerSelector']: # # body['updatedBy'] = body['providerSelector']['createdByUser'] # body['updatedBy'] = cn # col.update_one({"ruleId": rule_id}, {"$set": body}) # updated_rule = col.find_one({"ruleId": rule_id}, {"_id": 0}) # return updated_rule, 200 def update_rule_patch(rule_id, body): """ Update a specific visibility rule using PATCH logic. Loading
services/nginx/Dockerfile +3 −0 Original line number Diff line number Diff line Loading @@ -9,6 +9,9 @@ RUN mkdir -p /etc/nginx/certs COPY ./certs/sign_req_body_tmp.json /etc/nginx/certs/sign_req_body_tmp.json COPY ./nginx.conf /etc/nginx/nginx.conf COPY ./endpoints /etc/nginx/endpoints COPY ./maps /etc/nginx/maps COPY ./policies /etc/nginx/policies COPY ./nginx_prepare.sh . RUN chmod a+x nginx_prepare.sh Loading
services/nginx/endpoints/endpoints.conf 0 → 100644 +40 −0 Original line number Diff line number Diff line map $uri $endpoint { default "NO MATCH"; # Exact matches for endpoints that require specific handling (Must be on top of the regex matches) /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact; /api-provider-management/v1/registrations provider_registrations_exact; /service-apis/v1/allServiceAPIs discover_service_exact; # Regex matches for endpoints that can be grouped by common patterns # Helper related endpoints ~^/helper/ helper_base_tree; # Invoker management related endpoints ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree; # Provider management related endpoints ~^/api-provider-management/v1/registrations/ provider_registrations_tree; # Published APIs related endpoints ~^/published-apis/v1/ published_apis_tree; # Logging related endpoints ~^/api-invocation-logs/v1/ logging_tree; # Auditing related endpoints ~^/logs/v1/ auditing_tree; # Security related endpoints ~^/capif-security/v1/trustedInvokers/.+/update security_update; ~^/capif-security/v1/trustedInvokers/.+/delete security_delete; ~^/capif-security/v1/trustedInvokers/.+ security_trusted_invokers_exact; ~^/capif-security/v1/securities/.+/token security_token; ~^/capif-security/v1/ security_tree; # Events related endpoints ~^/capif-events/v1/ events_tree; # Access control policy related endpoints ~^/access-control-policy/v1/ acl_tree; }
services/nginx/maps/00-services.conf 0 → 100644 +13 −0 Original line number Diff line number Diff line map $uri $service { default ""; ~^/helper(/|$) helper; ~^/api-invoker-management(/|$) invoker-management; ~^/api-provider-management(/|$) provider-management; ~^/service-apis(/|$) discover-service; ~^/published-apis(/|$) publish-service; ~^/api-invocation-logs(/|$) logging-service; ~^/logs(/|$) auditing-service; ~^/capif-security(/|$) security-service; ~^/capif-events(/|$) events-service; ~^/access-control-policy(/|$) access-control-policy; }