Commit 9e67b93a authored by Afonso Castanheta's avatar Afonso Castanheta
Browse files

Refactor user validation logic to fix fail-open pattern vulnerability (API Provider Management)

parent 3e3f32f5
Loading
Loading
Loading
Loading
Loading
+10 −6
Original line number Diff line number Diff line
@@ -6,7 +6,7 @@ from ..encoder import CustomJSONEncoder
from ..models.problem_details import ProblemDetails
from ..util import serialize_clean_camel_case
from .resources import Resource
from .responses import internal_server_error
from .responses import internal_server_error, not_found_error, forbidden_error


class ControlAccess(Resource):
@@ -19,11 +19,15 @@ class ControlAccess(Resource):
            my_query = {'provider_id':api_provider_id, "role": "AMF"}
            cert_entry = cert_col.find_one(my_query)

            if cert_entry is not None:
            if cert_entry is None:
                provider_exists = cert_col.find_one({'provider_id': api_provider_id})
                if provider_exists is None:
                    return not_found_error(detail="Please provide an existing API Provider ID", cause="API Provider ID does not exist")
                else:
                    return forbidden_error(detail="AMF certificate required", cause="Only API Management Function (AMF) certificates can manage provider registrations")
            
            if cert_entry["cert_signature"] != cert_signature:
                    prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource")
                    prob = serialize_clean_camel_case(prob)
                    return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json")
                return forbidden_error(detail="User not authorized", cause="You are not the owner of this resource")

        except Exception as e:
            exception = "An exception occurred in validate amf"
+6 −6
Original line number Diff line number Diff line
@@ -129,8 +129,8 @@ Update Not Registered Api Provider
    Check Response Variable Type And Values    ${resp}    404    ProblemDetails
    ...    status=404
    ...    title=Not Found
    ...    detail=Not Exist Provider Enrolment Details
    ...    cause=Not found registrations to send this api provider details
    ...    detail=Please provide an existing API Provider ID
    ...    cause=API Provider ID does not exist

# Partially Update Registered Api Provider
#    [Tags]    capif_api_provider_management-5
@@ -169,8 +169,8 @@ Partially Update Not Registered Api Provider
    Check Response Variable Type And Values    ${resp}    404    ProblemDetails
    ...    status=404
    ...    title=Not Found
    ...    detail=Not Exist Provider Enrolment Details
    ...    cause=Not found registrations to send this api provider details
    ...    detail=Please provide an existing API Provider ID
    ...    cause=API Provider ID does not exist

Delete Registered Api Provider
    [Tags]    capif_api_provider_management-7
@@ -201,8 +201,8 @@ Delete Not Registered Api Provider
    Check Response Variable Type And Values    ${resp}    404    ProblemDetails
    ...    status=404
    ...    title=Not Found
    ...    detail=Not Exist Provider Enrolment Details
    ...    cause=Not found registrations to send this api provider details
    ...    detail=Please provide an existing API Provider ID
    ...    cause=API Provider ID does not exist

Onboard provider without supported_features
    [Tags]    capif_api_provider_management-9