From 2b00570e28d55884506c9982777ff3acf0a3cd64 Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Tue, 24 Jun 2025 16:48:36 +0300 Subject: [PATCH 1/7] Add cert_validation in Discover --- .../config.yaml | 1 + .../controllers/default_controller.py | 33 ++++++++++++++- .../service_apis/core/validate_user.py | 42 +++++++++++++++++++ .../service_apis/db/db.py | 1 + 4 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py diff --git a/services/TS29222_CAPIF_Discover_Service_API/config.yaml b/services/TS29222_CAPIF_Discover_Service_API/config.yaml index 6257115b..47851c02 100644 --- a/services/TS29222_CAPIF_Discover_Service_API/config.yaml +++ b/services/TS29222_CAPIF_Discover_Service_API/config.yaml @@ -5,6 +5,7 @@ mongo: { 'col': 'serviceapidescriptions', 'invokers_col': 'invokerdetails', 'capif_users_col': "user", + 'certs_col': "certs", 'host': 'mongo', 'port': "27017" } diff --git a/services/TS29222_CAPIF_Discover_Service_API/service_apis/controllers/default_controller.py b/services/TS29222_CAPIF_Discover_Service_API/service_apis/controllers/default_controller.py index d1922947..f742f499 100644 --- a/services/TS29222_CAPIF_Discover_Service_API/service_apis/controllers/default_controller.py +++ b/services/TS29222_CAPIF_Discover_Service_API/service_apis/controllers/default_controller.py 
@@ -1,13 +1,44 @@ import json - +from functools import wraps +from cryptography import x509 +from cryptography.hazmat.backends import default_backend from flask import current_app, request from service_apis.models.discovered_apis import DiscoveredAPIs # noqa: E501 from ..core.discoveredapis import DiscoverApisOperations, return_negotiated_supp_feat_dict +from ..core.validate_user import ControlAccess discover_apis = DiscoverApisOperations() +valid_user = ControlAccess() + +def cert_validation(): + def _cert_validation(f): + @wraps(f) + def __cert_validation(*args, **kwargs): + + args = request.view_args + cert_tmp = request.headers['X-Ssl-Client-Cert'] + cert_raw = cert_tmp.replace('\t', '') + + cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend()) + + cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value.strip() + + if cn != "superadmin": + cert_signature = cert.signature.hex() + current_app.logger.debug(request.args) + result = valid_user.validate_user_cert(request.args["api-invoker-id"], cert_signature) + + if result is not None: + return result + + result = f(**kwargs) + return result + return __cert_validation + return _cert_validation +@cert_validation() def all_service_apis_get(api_invoker_id, api_name=None, api_version=None, comm_type=None, protocol=None, aef_id=None, data_format=None, api_cat=None, preferred_aef_loc=None, req_api_prov_name=None, supported_features=None, api_supported_features=None, ue_ip_addr=None, service_kpis=None, grant_types=None): # noqa: E501 """all_service_apis_get diff --git a/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py b/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py new file mode 100644 index 00000000..acde719f --- /dev/null +++ b/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py 
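Review bot: `__cert_validation` indexes `request.headers['X-Ssl-Client-Cert']` and `request.args["api-invoker-id"]` directly and parses the PEM and the `[0]` CN entry without a guard, so a missing header or parameter, a malformed certificate or a subject without a CN raises inside the decorator and presumably surfaces as a 500 instead of a 401. Read the header with `request.headers.get('X-Ssl-Client-Cert')`, wrap the `x509.load_pem_x509_certificate(...)` call and the CN lookup in a `try`, and return an explicit 401 problem response when any of them fails. The `cn != "superadmin"` branch skips the ownership check on a CN taken from that header alone, so it is only as strong as the proxy in front of the service; a comment such as `# Trust boundary: X-Ssl-Client-Cert must be set only by the TLS proxy after chain verification, never forwarded from the client` would record that assumption. `args = request.view_args` is assigned but never used before `f(**kwargs)`. The Auditing controller in patch 3/7 copies this decorator and has the same gaps.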
@@ -0,0 +1,42 @@ +import json + +from flask import Response, current_app + +from ..encoder import CustomJSONEncoder +from ..models.problem_details import ProblemDetails +from ..util import serialize_clean_camel_case +from .resources import Resource +from .responses import internal_server_error + + +class ControlAccess(Resource): + + def validate_user_cert(self, api_invoker_id, cert_signature): + + cert_col = self.db.get_col_by_name(self.db.certs_col) + + try: + my_query = {'invoker_id':api_invoker_id} + cert_entry = cert_col.find_one(my_query) + + current_app.logger.debug("*****************") + current_app.logger.debug(cert_entry) + current_app.logger.debug("*****************") + + my_query = {'id': api_invoker_id} + cert_entry = cert_col.find_one(my_query) + + current_app.logger.debug("*****************") + current_app.logger.debug(cert_entry) + current_app.logger.debug("*****************") + + if cert_entry is not None: + if cert_entry["cert_signature"] != cert_signature: + prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") + prob = serialize_clean_camel_case(prob) + return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + + except Exception as e: + exception = "An exception occurred in validate invoker" + current_app.logger.error(exception + "::" + str(e)) + return internal_server_error(detail=exception, cause=str(e)) \ No newline at end of file diff --git a/services/TS29222_CAPIF_Discover_Service_API/service_apis/db/db.py b/services/TS29222_CAPIF_Discover_Service_API/service_apis/db/db.py index 39b1889d..15e7e138 100644 --- a/services/TS29222_CAPIF_Discover_Service_API/service_apis/db/db.py +++ b/services/TS29222_CAPIF_Discover_Service_API/service_apis/db/db.py 
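Review bot: `validate_user_cert` fails open: when `find_one` returns no document for the supplied `api_invoker_id`, the `if cert_entry is not None:` block is skipped and the method returns `None`, which the decorator treats as authorised and passes on to the handler. Deny when the record is absent, `if cert_entry is None or cert_entry["cert_signature"] != cert_signature:`, so that an identifier with no entry in `certs` is rejected rather than waved through. The same shape appears in the Events API `validate_user_cert_post` (patch 2/7) and its reworked `validate_user_cert` (patch 6/7), and in the Auditing `validate_user_cert` (patch 4/7), where a certificate with no `certs` entry also skips the role check. The `except` path passes `str(e)` as `cause` into the 500 response, which hands internal error text to the caller; keep the detail in the log line and return a generic cause.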
@@ -20,6 +20,7 @@ class MongoDatabse(): self.invoker_col = self.config['mongo']['invokers_col'] self.service_api_descriptions = self.config['mongo']['col'] self.capif_users = self.config['mongo']['capif_users_col'] + self.certs_col = self.config['mongo']['certs_col'] def get_col_by_name(self, name): -- GitLab From fc6dd09aa57fca3ad765cba6fdeb3484b2ab152c Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Wed, 25 Jun 2025 14:38:06 +0300 Subject: [PATCH 2/7] Add cert_validation in Event APIs --- .../controllers/default_controller.py | 11 +++++++--- .../capif_events/core/validate_user.py | 20 +++++++++++++++++++ .../CAPIF Api Events/capif_events_api.robot | 8 ++++---- 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py b/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py index f55aeb40..5779552f 100644 --- a/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py +++ b/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py @@ -27,7 +27,10 @@ def cert_validation(): if cn != "superadmin": cert_signature = cert.signature.hex() - result = valid_user.validate_user_cert(args["subscriptionId"], args["subscriberId"], cert_signature) + if request.method != 'POST': + result = valid_user.validate_user_cert(args["subscriptionId"], args["subscriberId"], cert_signature) + else: + result = valid_user.validate_user_cert_post(args["subscriberId"], cert_signature) if result is not None: return result @@ -37,6 +40,8 @@ def cert_validation(): return __cert_validation return _cert_validation + +@cert_validation() def subscriber_id_subscriptions_post(subscriber_id, body): # noqa: E501 """subscriber_id_subscriptions_post 
@@ -76,7 +81,7 @@ def subscriber_id_subscriptions_subscription_id_delete(subscriber_id, subscripti return res - +@cert_validation() def subscriber_id_subscriptions_subscription_id_patch(subscriber_id, subscription_id, body): # noqa: E501 """subscriber_id_subscriptions_subscription_id_patch @@ -97,7 +102,7 @@ def subscriber_id_subscriptions_subscription_id_patch(subscriber_id, subscriptio res = events_ops.patch_event(body, subscriber_id, subscription_id) return res - +@cert_validation() def subscriber_id_subscriptions_subscription_id_put(subscriber_id, subscription_id, body): # noqa: E501 """subscriber_id_subscriptions_subscription_id_put diff --git a/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py b/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py index 2357408a..40d0bb5c 100644 --- a/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py +++ b/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py 
@@ -26,6 +26,26 @@ class ControlAccess(Resource): return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + except Exception as e: + exception = "An exception occurred in validate subscriber" + current_app.logger.error(exception + "::" + str(e)) + return internal_server_error(detail=exception, cause=str(e)) + + def validate_user_cert_post(self, subscriber_id, cert_signature): + + cert_col = self.db.get_col_by_name(self.db.certs_col) + + try: + my_query = {'id':subscriber_id} + cert_entry = cert_col.find_one(my_query) + + if cert_entry is not None: + if cert_entry["cert_signature"] != cert_signature: + prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") + prob = serialize_clean_camel_case(prob) + + return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + except Exception as e: exception = "An exception occurred in validate subscriber" current_app.logger.error(exception + "::" + str(e)) diff --git a/tests/features/CAPIF Api Events/capif_events_api.robot b/tests/features/CAPIF Api Events/capif_events_api.robot index 4b37d0a6..f78c9320 100644 --- a/tests/features/CAPIF Api Events/capif_events_api.robot +++ b/tests/features/CAPIF Api Events/capif_events_api.robot @@ -528,7 +528,7 @@ Provider receives an ACL unavailable event when invoker remove Security Context. ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=4 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions + ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt 
@@ -603,7 +603,7 @@ Invoker receives an Invoker Authorization Revoked and ACL unavailable event when ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=4 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions + ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt @@ -1065,7 +1065,7 @@ Provider receives an ACL unavailable event when invoker remove Security Context ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=0 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions + ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt @@ -1141,7 +1141,7 @@ Invoker receives an Invoker Authorization Revoked and ACL unavailable event when ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=0 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions + ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt -- GitLab From 941d69d3fd4d1c92a370c497c4c795f758d7f9e6 Mon Sep 17 00:00:00 2001 
From: Stavros-Anastasios Charismiadis Date: Wed, 25 Jun 2025 16:04:25 +0300 Subject: [PATCH 3/7] Add cert_validation in Audit and Logging APIs. Fix some tests according to cert validation --- .../TS29222_CAPIF_Auditing_API/config.yaml | 1 + .../logs/controllers/default_controller.py | 32 +++++++++++++++++++ .../TS29222_CAPIF_Auditing_API/logs/db/db.py | 1 + .../controllers/default_controller.py | 3 ++ .../api_invocation_logs/db/db.py | 1 + .../config.yaml | 1 + .../features/Event Filter/event_filter.robot | 2 +- 7 files changed, 40 insertions(+), 1 deletion(-) diff --git a/services/TS29222_CAPIF_Auditing_API/config.yaml b/services/TS29222_CAPIF_Auditing_API/config.yaml index 6943b303..116076c1 100644 --- a/services/TS29222_CAPIF_Auditing_API/config.yaml +++ b/services/TS29222_CAPIF_Auditing_API/config.yaml @@ -4,6 +4,7 @@ mongo: { 'db': 'capif', 'logs_col': 'invocationlogs', 'capif_users_col': "user", + 'certs_col': "certs", 'host': 'mongo', 'port': "27017" } diff --git a/services/TS29222_CAPIF_Auditing_API/logs/controllers/default_controller.py b/services/TS29222_CAPIF_Auditing_API/logs/controllers/default_controller.py index 0ff05f0d..0f2866e5 100644 --- a/services/TS29222_CAPIF_Auditing_API/logs/controllers/default_controller.py +++ b/services/TS29222_CAPIF_Auditing_API/logs/controllers/default_controller.py 
@@ -3,13 +3,45 @@ from logs import util from logs.models.interface_description import InterfaceDescription # noqa: E501 from logs.models.operation import Operation # noqa: E501 from logs.models.protocol import Protocol # noqa: E501 +from functools import wraps +from cryptography import x509 +from cryptography.hazmat.backends import default_backend from ..core.auditoperations import AuditOperations from ..core.responses import bad_request_error +from ..core.validate_user import ControlAccess audit_operations = AuditOperations() +valid_user = ControlAccess() +def cert_validation(): + def _cert_validation(f): + @wraps(f) + def __cert_validation(*args, **kwargs): + + args = request.view_args + cert_tmp = request.headers['X-Ssl-Client-Cert'] + cert_raw = cert_tmp.replace('\t', '') + + cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend()) + + cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value.strip() + + if cn != "superadmin": + cert_signature = cert.signature.hex() + result = valid_user.validate_user_cert(cert_signature) + + if result is not None: + return result + + result = f(**kwargs) + return result + return __cert_validation + return _cert_validation + + +@cert_validation() def api_invocation_logs_get(aef_id=None, api_invoker_id=None, time_range_start=None, time_range_end=None, api_id=None, api_name=None, api_version=None, protocol=None, operation=None, result=None, resource_name=None, src_interface=None, dest_interface=None, supported_features=None): # noqa: E501 """api_invocation_logs_get diff --git a/services/TS29222_CAPIF_Auditing_API/logs/db/db.py b/services/TS29222_CAPIF_Auditing_API/logs/db/db.py index 4520c846..108793c1 100644 --- a/services/TS29222_CAPIF_Auditing_API/logs/db/db.py +++ b/services/TS29222_CAPIF_Auditing_API/logs/db/db.py 
@@ -19,6 +19,7 @@ class MongoDatabse(): self.db = self.__connect() self.invocation_logs = self.config['mongo']['logs_col'] self.capif_users = self.config['mongo']['capif_users_col'] + self.certs_col = self.config['mongo']['certs_col'] def get_col_by_name(self, name): return self.db[name] diff --git a/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/controllers/default_controller.py b/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/controllers/default_controller.py index c91cce60..f23e6028 100644 --- a/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/controllers/default_controller.py +++ b/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/controllers/default_controller.py @@ -2,6 +2,7 @@ from api_invocation_logs.models.invocation_log import InvocationLog # noqa: E50 from cryptography import x509 from cryptography.hazmat.backends import default_backend from flask import current_app, request +from functools import wraps from ..core.invocationlogs import LoggingInvocationOperations from ..core.validate_user import ControlAccess @@ -10,6 +11,7 @@ logging_invocation_operations = LoggingInvocationOperations() valid_user = ControlAccess() + def cert_validation(): def _cert_validation(f): @wraps(f) @@ -36,6 +38,7 @@ def cert_validation(): return _cert_validation +@cert_validation() def aef_id_logs_post(aef_id, body): # noqa: E501 """aef_id_logs_post diff --git a/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/db/db.py b/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/db/db.py index 1999a2da..5cf1f6c7 100644 --- a/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/db/db.py +++ b/services/TS29222_CAPIF_Logging_API_Invocation_API/api_invocation_logs/db/db.py 
@@ -22,6 +22,7 @@ class MongoDatabse(): self.provider_details = self.config['mongo']['prov_col'] self.service_apis = self.config['mongo']['serv_col'] self.capif_users = self.config['mongo']['capif_users_col'] + self.certs_col = self.config['mongo']['certs_col'] def get_col_by_name(self, name): return self.db[name] diff --git a/services/TS29222_CAPIF_Logging_API_Invocation_API/config.yaml b/services/TS29222_CAPIF_Logging_API_Invocation_API/config.yaml index 0625fc64..8b8825bd 100644 --- a/services/TS29222_CAPIF_Logging_API_Invocation_API/config.yaml +++ b/services/TS29222_CAPIF_Logging_API_Invocation_API/config.yaml @@ -7,6 +7,7 @@ mongo: { 'prov_col': 'providerenrolmentdetails', 'serv_col': 'serviceapidescriptions', 'capif_users_col': "user", + 'certs_col': "certs", 'host': 'mongo', 'port': "27017" } diff --git a/tests/features/Event Filter/event_filter.robot b/tests/features/Event Filter/event_filter.robot index 9853646b..a480248e 100644 --- a/tests/features/Event Filter/event_filter.robot +++ b/tests/features/Event Filter/event_filter.robot @@ -1007,7 +1007,7 @@ Send Log Message to CAPIF ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt - ... username=${provider_info['amf_username']} + ... username=${provider_info['aef_username']} Check Response Variable Type And Values ${resp} 201 InvocationLog ${resource_url}= Check Location Header ${resp} ${LOCATION_LOGGING_RESOURCE_REGEX} -- GitLab From 940efcb61a374192bc142bfd06fc0d3e4a0c428c Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Wed, 25 Jun 2025 16:05:26 +0300 Subject: [PATCH 4/7] Add neccesary file to vaildate user in Audit --- .../logs/core/validate_user.py | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 services/TS29222_CAPIF_Auditing_API/logs/core/validate_user.py 
diff --git a/services/TS29222_CAPIF_Auditing_API/logs/core/validate_user.py b/services/TS29222_CAPIF_Auditing_API/logs/core/validate_user.py new file mode 100644 index 00000000..545642e1 --- /dev/null +++ b/services/TS29222_CAPIF_Auditing_API/logs/core/validate_user.py @@ -0,0 +1,31 @@ +import json + +from flask import Response, current_app + +from ..encoder import CustomJSONEncoder +from ..models.problem_details import ProblemDetails +from ..util import serialize_clean_camel_case +from .resources import Resource +from .responses import internal_server_error + + +class ControlAccess(Resource): + + def validate_user_cert(self, cert_signature): + + cert_col = self.db.get_col_by_name(self.db.certs_col) + + try: + my_query = {'cert_signature': cert_signature} + cert_entry = cert_col.find_one(my_query) + + if cert_entry is not None: + if cert_entry["role"] != "AMF": + prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") + prob = serialize_clean_camel_case(prob) + return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + + except Exception as e: + exception = "An exception occurred in validate invoker" + current_app.logger.error(exception + "::" + str(e)) + return internal_server_error(detail=exception, cause=str(e)) \ No newline at end of file -- GitLab From b14f07fa6d3c4308dd04d56134cd85e4fedc2e87 Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Wed, 25 Jun 2025 16:38:45 +0300 Subject: [PATCH 5/7] Remove unneccessary logs --- .../service_apis/core/validate_user.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py b/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py index acde719f..6d2ea40f 100644 --- a/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py 
+++ b/services/TS29222_CAPIF_Discover_Service_API/service_apis/core/validate_user.py @@ -16,20 +16,10 @@ class ControlAccess(Resource): cert_col = self.db.get_col_by_name(self.db.certs_col) try: - my_query = {'invoker_id':api_invoker_id} - cert_entry = cert_col.find_one(my_query) - - current_app.logger.debug("*****************") - current_app.logger.debug(cert_entry) - current_app.logger.debug("*****************") my_query = {'id': api_invoker_id} cert_entry = cert_col.find_one(my_query) - current_app.logger.debug("*****************") - current_app.logger.debug(cert_entry) - current_app.logger.debug("*****************") - if cert_entry is not None: if cert_entry["cert_signature"] != cert_signature: prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") -- GitLab From 4059cc8d89b0c6032554abe4f0ff8a03562405db Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Thu, 26 Jun 2025 17:02:05 +0300 Subject: [PATCH 6/7] Removed the second validation function in Events --- .../controllers/default_controller.py | 2 +- .../capif_events/core/validate_user.py | 32 +++++-------------- 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py b/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py index 5779552f..5e6cba2d 100644 --- a/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py +++ b/services/TS29222_CAPIF_Events_API/capif_events/controllers/default_controller.py @@ -30,7 +30,7 @@ def cert_validation(): if request.method != 'POST': result = valid_user.validate_user_cert(args["subscriptionId"], args["subscriberId"], cert_signature) else: - result = valid_user.validate_user_cert_post(args["subscriberId"], cert_signature) + result = valid_user.validate_user_cert(None, args["subscriberId"], cert_signature) if result is not None: return result 
diff --git a/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py b/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py index 40d0bb5c..8d1f8b05 100644 --- a/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py +++ b/services/TS29222_CAPIF_Events_API/capif_events/core/validate_user.py 
@@ -20,33 +20,17 @@ class ControlAccess(Resource): cert_entry = cert_col.find_one(my_query) if cert_entry is not None: - if cert_entry["cert_signature"] != cert_signature or "event_subscriptions" not in cert_entry["resources"] or event_id not in cert_entry["resources"]["event_subscriptions"]: - prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") - prob = serialize_clean_camel_case(prob) + if (event_id is None and cert_entry["cert_signature"] != cert_signature): + prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") + prob = serialize_clean_camel_case(prob) - return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") + elif event_id is not None and (cert_entry["cert_signature"] != cert_signature or "event_subscriptions" not in cert_entry["resources"] or event_id not in cert_entry["resources"]["event_subscriptions"]): + prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") + prob = serialize_clean_camel_case(prob) + return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") except Exception as e: exception = "An exception occurred in validate subscriber" current_app.logger.error(exception + "::" + str(e)) return internal_server_error(detail=exception, cause=str(e)) - - def validate_user_cert_post(self, subscriber_id, cert_signature): - - cert_col = self.db.get_col_by_name(self.db.certs_col) - - try: - my_query = {'id':subscriber_id} - cert_entry = cert_col.find_one(my_query) - - if cert_entry is not None: - if cert_entry["cert_signature"] != cert_signature: - prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource") - prob = 
serialize_clean_camel_case(prob) - - return Response(json.dumps(prob, cls=CustomJSONEncoder), status=401, mimetype="application/json") - - except Exception as e: - exception = "An exception occurred in validate subscriber" - current_app.logger.error(exception + "::" + str(e)) - return internal_server_error(detail=exception, cause=str(e)) \ No newline at end of file -- GitLab From fbf3d0595e2c9384f635fce460aca343d93985cf Mon Sep 17 00:00:00 2001 From: Stavros-Anastasios Charismiadis Date: Thu, 26 Jun 2025 17:23:00 +0300 Subject: [PATCH 7/7] Fix invocator of two tests --- tests/features/CAPIF Api Events/capif_events_api.robot | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/features/CAPIF Api Events/capif_events_api.robot b/tests/features/CAPIF Api Events/capif_events_api.robot index f78c9320..4da4228d 100644 --- a/tests/features/CAPIF Api Events/capif_events_api.robot +++ b/tests/features/CAPIF Api Events/capif_events_api.robot @@ -528,11 +528,11 @@ Provider receives an ACL unavailable event when invoker remove Security Context. ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=4 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions + ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt - ... username=${INVOKER_USERNAME} + ... username=${AMF_PROVIDER_USERNAME} # Check Results Check Response Variable Type And Values ${resp} 201 EventSubscription 
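Review bot: The two branches of the reworked `validate_user_cert` repeat the signature comparison and the whole 401 construction, and `cert_entry["resources"]` is indexed without a default, so a `certs` document that lacks that key raises and is reported as a 500 by the `except` block instead of being denied. One condition covers both cases: `if cert_entry["cert_signature"] != cert_signature or (event_id is not None and event_id not in cert_entry.get("resources", {}).get("event_subscriptions", [])):`, followed by the single `ProblemDetails` return. A short docstring stating that `event_id=None` means subscription creation (certificate ownership only is checked) and that the method returns `None` when access is allowed would make the implicit contract visible to the controller code that relies on it. The start of the method is outside this hunk.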
@@ -1065,11 +1065,11 @@ Provider receives an ACL unavailable event when invoker remove Security Context ... notification_destination=${NOTIFICATION_DESTINATION_URL}/testing ... supported_features=0 ${resp}= Post Request Capif - ... /capif-events/v1/${register_user_info_invoker['api_invoker_id']}/subscriptions + ... /capif-events/v1/${register_user_info_provider['amf_id']}/subscriptions ... json=${request_body} ... server=${CAPIF_HTTPS_URL} ... verify=ca.crt - ... username=${INVOKER_USERNAME} + ... username=${AMF_PROVIDER_USERNAME} # Check Results Check Response Variable Type And Values ${resp} 201 EventSubscription -- GitLab