From 290c4a521535fc15f1579077a1943044989af6f0 Mon Sep 17 00:00:00 2001
From: Panagiotis Pavlidis
Date: Tue, 23 Dec 2025 12:04:19 +0200
Subject: [PATCH] cert verification in provider modify #188 - Implement certificate verification for api_provider_enrolment_details_controller
---
 ...i_provider_enrolment_details_controller.py | 34 ++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/services/TS29222_CAPIF_API_Provider_Management_API/api_provider_management/controllers/individual_api_provider_enrolment_details_controller.py b/services/TS29222_CAPIF_API_Provider_Management_API/api_provider_management/controllers/individual_api_provider_enrolment_details_controller.py
index cefef1ef..d79a106e 100644
--- a/services/TS29222_CAPIF_API_Provider_Management_API/api_provider_management/controllers/individual_api_provider_enrolment_details_controller.py
+++ b/services/TS29222_CAPIF_API_Provider_Management_API/api_provider_management/controllers/individual_api_provider_enrolment_details_controller.py
@@ -1,10 +1,42 @@
+from functools import wraps
 from flask import current_app, request
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from ..core.provider_enrolment_details_api import ProviderManagementOperations
-from ..models.api_provider_enrolment_details_patch import APIProviderEnrolmentDetailsPatch # noqa: E501
+from ..core.validate_user import ControlAccess
+from ..models.api_provider_enrolment_details_patch import \
+ APIProviderEnrolmentDetailsPatch # noqa: E501
 provider_management_ops = ProviderManagementOperations()
+valid_user = ControlAccess()
+def cert_validation():
+ def _cert_validation(f):
+ @wraps(f)
+ def __cert_validation(*args, **kwargs):
+
+ args = request.view_args
+ cert_tmp = request.headers['X-Ssl-Client-Cert']
+ cert_raw = cert_tmp.replace('\t', '')
+
+ cert = x509.load_pem_x509_certificate(str.encode(cert_raw), default_backend())
+
+ cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value.strip()
+
+ if cn != "superadmin":
+ cert_signature = cert.signature.hex()
+ result = valid_user.validate_user_cert(args["registrationId"], cert_signature)
+
+ if result is not None:
+ return result
+
+ result = f(**kwargs)
+ return result
+ return __cert_validation
+ return _cert_validation
+
+@cert_validation()
 def modify_ind_api_provider_enrolment(registration_id, body): # noqa: E501
 """modify_ind_api_provider_enrolment
-- 
GitLab
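Review bot: In `__cert_validation` the `cn != "superadmin"` shortcut skips `validate_user_cert` based only on a certificate parsed from the `X-Ssl-Client-Cert` header, and nothing in this hunk verifies the certificate chain. The check is therefore only as strong as whatever sets that header, presumably a TLS-terminating proxy that verifies the client certificate and overwrites any client-supplied copy. That assumption should be confirmed and recorded above the check, e.g. `# Trust boundary: X-Ssl-Client-Cert must be set (and overwritten) by the proxy after client-cert verification`. Separately, `request.headers['X-Ssl-Client-Cert']`, `x509.load_pem_x509_certificate(...)` and `get_attributes_for_oid(...)[0]` raise KeyError, ValueError and IndexError for a missing header, a malformed PEM or a subject without a CN. Those would likely surface as a 500 rather than an authentication failure, so reading the header with `request.headers.get('X-Ssl-Client-Cert')` and rejecting each case explicitly would fail closed with a clear status. The local `args = request.view_args` also shadows the wrapper's `*args`, and `f(**kwargs)` drops any positional arguments; a distinct name such as `view_args` would avoid the confusion.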