diff --git a/services/helper/helper_service/app.py b/services/helper/helper_service/app.py index cb7a3d51effb087fbb2b8e078b3d4bd8d4732053..fcb9b8cd0330fdb10395352bbbc39b9090e1455d 100644 --- a/services/helper/helper_service/app.py +++ b/services/helper/helper_service/app.py @@ -120,7 +120,7 @@ for name, pkg in package_paths.items(): openapi_file, # relative to specification_dir (SERVICES_DIR) arguments={"title": title}, pythonic_params=True, - base_path=base_path + base_path="/helper/" + base_path ) diff --git a/services/nginx/Dockerfile b/services/nginx/Dockerfile index b163386ec2e8883c87d09c768fe9edd1b6f35704..f8bb53561d5b1dc8c929c1dfc04216bfdfbcb6dd 100644 --- a/services/nginx/Dockerfile +++ b/services/nginx/Dockerfile @@ -9,6 +9,9 @@ RUN mkdir -p /etc/nginx/certs COPY ./certs/sign_req_body_tmp.json /etc/nginx/certs/sign_req_body_tmp.json COPY ./nginx.conf /etc/nginx/nginx.conf +COPY ./endpoints /etc/nginx/endpoints +COPY ./maps /etc/nginx/maps +COPY ./policies /etc/nginx/policies COPY ./nginx_prepare.sh . RUN chmod a+x nginx_prepare.sh diff --git a/services/nginx/endpoints/endpoints.conf b/services/nginx/endpoints/endpoints.conf new file mode 100644 index 0000000000000000000000000000000000000000..76448f7e633213cf1976d0e68f2c10f9c9454a66 --- /dev/null +++ b/services/nginx/endpoints/endpoints.conf 
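Review bot: The `/helper/` prefix is hard-coded into `base_path` here while the same prefix is also fixed in nginx (`location /helper`, `~^/helper(/|$)` in the services map and `~^/helper/` in the endpoints map), so the two can silently drift, and if `base_path` already starts with `/` the mount becomes `/helper//…`. A single constant read once, e.g. `HELPER_PREFIX = "/helper"` at module level and `base_path=HELPER_PREFIX + "/" + base_path.lstrip("/")`, keeps the join well-formed and gives the coupling a name; what `base_path` looks like is not visible in this hunk, so confirm before changing the join. The enclosing `for name, pkg in package_paths.items():` loop starts before the hunk.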
@@ -0,0 +1,40 @@
+map $uri $endpoint {
+ default "NO MATCH";
+
+ # Exact matches for endpoints that require specific handling (Must be on top of the regex matches)
+ /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact;
+ /api-provider-management/v1/registrations provider_registrations_exact;
+ /service-apis/v1/allServiceAPIs discover_service_exact;
+
+ # Regex matches for endpoints that can be grouped by common patterns
+ # Helper related endpoints
+ ~^/helper/ helper_base_tree;
+
+ # Invoker management related endpoints
+ ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree;
+
+ # Provider management related endpoints
+ ~^/api-provider-management/v1/registrations/ provider_registrations_tree;
+
+ # Published APIs related endpoints
+ ~^/published-apis/v1/ published_apis_tree;
+
+ # Logging related endpoints
+ ~^/api-invocation-logs/v1/ logging_tree;
+
+ # Auditing related endpoints
+ ~^/logs/v1/ auditing_tree;
+
+ # Security related endpoints
+ ~^/capif-security/v1/trustedInvokers/.+/update security_update;
+ ~^/capif-security/v1/trustedInvokers/.+/delete security_delete;
+ ~^/capif-security/v1/trustedInvokers/.+ security_trusted_invokers_exact;
+ ~^/capif-security/v1/securities/.+/token security_token;
+ ~^/capif-security/v1/ security_tree;
+
+ # Events related endpoints
+ ~^/capif-events/v1/ events_tree;
+
+ # Access control policy related endpoints
+ ~^/access-control-policy/v1/ acl_tree;
+}
diff --git a/services/nginx/maps/00-services.conf b/services/nginx/maps/00-services.conf
new file mode 100644
index 0000000000000000000000000000000000000000..44ec473001ac1be68faace8731da7b38d4cfbdbd
--- /dev/null
+++ b/services/nginx/maps/00-services.conf
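Review bot: The security-service patterns are unanchored at the end and use `.+`, which spans `/`, so `/capif-security/v1/trustedInvokers/a/b/update/extra` is classified as `security_update` and any deeper path under `trustedInvokers/` becomes `security_trusted_invokers_exact`, i.e. the policy keyed on that endpoint name applies to URIs the backend may route quite differently. Pinning one path segment and the end of the URI makes the classification exact: `~^/capif-security/v1/trustedInvokers/[^/]+/update$ security_update;`, `~^/capif-security/v1/trustedInvokers/[^/]+$ security_trusted_invokers_exact;`, and likewise for `/delete` and `securities/[^/]+/token`. Unmatched URIs still fall to `security_tree` via the `~^/capif-security/v1/` line, and since every policy map defaults to DENY the change only narrows what is allowed.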
@@ -0,0 +1,13 @@
+map $uri $service {
+ default "";
+ ~^/helper(/|$) helper;
+ ~^/api-invoker-management(/|$) invoker-management;
+ ~^/api-provider-management(/|$) provider-management;
+ ~^/service-apis(/|$) discover-service;
+ ~^/published-apis(/|$) publish-service;
+ ~^/api-invocation-logs(/|$) logging-service;
+ ~^/logs(/|$) auditing-service;
+ ~^/capif-security(/|$) security-service;
+ ~^/capif-events(/|$) events-service;
+ ~^/access-control-policy(/|$) access-control-policy;
+}
diff --git a/services/nginx/maps/20-methods.conf b/services/nginx/maps/20-methods.conf
new file mode 100644
index 0000000000000000000000000000000000000000..2f3bd12088f3fce6f580a631b4384b977fbd8718
--- /dev/null
+++ b/services/nginx/maps/20-methods.conf
@@ -0,0 +1,8 @@
+map $request_method $method {
+ default OTHER;
+ GET GET;
+ POST POST;
+ PUT PUT;
+ DELETE DELETE;
+ PATCH PATCH;
+}
diff --git a/services/nginx/maps/30-auth-type.conf b/services/nginx/maps/30-auth-type.conf
new file mode 100644
index 0000000000000000000000000000000000000000..90309a9a4a74329483ace155cec089d743963341
--- /dev/null
+++ b/services/nginx/maps/30-auth-type.conf
@@ -0,0 +1,9 @@
+map $ssl_client_verify $has_cert {
+ default 0;
+ SUCCESS 1;
+}
+
+map $http_authorization $has_token {
+ default 0;
+ ~^Bearer\s+.+ 1;
+}
diff --git a/services/nginx/maps/40-roles.conf b/services/nginx/maps/40-roles.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7984b351f4f3a3351948fa53056bd928b66921ef
--- /dev/null
+++ b/services/nginx/maps/40-roles.conf
@@ -0,0 +1,9 @@
+map $ssl_client_s_dn_cn $role {
+ default unknown;
+ superadmin superadmin;
+ "~^INV[a-zA-Z0-9]+$" invoker;
+ "~^AMF[a-zA-Z0-9]+$" amf;
+ "~^APF[a-zA-Z0-9]+$" apf;
+ "~^AEF[a-zA-Z0-9]+$" aef;
+ "~^CCF[a-zA-Z0-9]+$" ccf;
+}
\ No newline at end of file
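Review bot: `$has_token` in 30-auth-type.conf only tests that an `Authorization` header of the shape `Bearer …` is present; nothing in the new maps or policies checks the token itself, so the `invoker-management:1:0` / `provider-management:1:0` dispatch paths admit any syntactically Bearer-like value to the backend and the backend remains the sole validator. The regex is also case-sensitive (`~`), while the HTTP auth scheme is case-insensitive, so a client sending `bearer …` gets `0:0` and the "certificate not present" message rather than a token error; `~*^Bearer\s+.+ 1;` avoids that. A comment on the map such as `# Presence check only: the token is validated by the upstream service, not here` would make the trust boundary explicit.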
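Review bot: 40-roles.conf mixes two matching modes: `superadmin superadmin;` is a plain string key, which nginx `map` compares ignoring case, whereas `"~^INV[a-zA-Z0-9]+$"` and the other `~` regexes are case-sensitive, so a CN of `SuperAdmin` becomes `superadmin` while `inv123` becomes `unknown`; the maps this commit removes used `~*` throughout, so the invoker/provider roles became stricter while superadmin did not. Pick one mode deliberately, e.g. `~^superadmin$ superadmin;` for strict matching everywhere, and state it in a comment. Since the role is derived purely from the CN string of any certificate the server accepts (the server block shows `ssl_verify_depth 2`), it would also help to document that CN naming discipline at the issuing CA is what the whole policy layer rests on.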
diff --git a/services/nginx/maps/90-policy-dispatch.conf b/services/nginx/maps/90-policy-dispatch.conf
new file mode 100644
index 0000000000000000000000000000000000000000..6c85657084bf48c23f0b87dd449453229765a5f0
--- /dev/null
+++ b/services/nginx/maps/90-policy-dispatch.conf
@@ -0,0 +1,38 @@
+map "$service:$has_token:$has_cert" $active_policy {
+ default DENY;
+ # Define policies for each service, based on the presence of a token and/or client certificate
+ # The format is: service_name:has_token:has_cert
+
+ # Helper Service
+ helper:0:1 $helper_mtls_policy;
+
+ # Api Invoker Management Service
+ invoker-management:1:0 $invoker_token_policy;
+ invoker-management:0:1 $invoker_mtls_policy;
+
+ # Api Provider Management Service
+ provider-management:1:0 $provider_token_policy;
+ provider-management:0:1 $provider_mtls_policy;
+
+ # Discover Service
+ discover-service:0:1 $discover_service_mtls_policy;
+
+ # Published APIs Service
+ publish-service:0:1 $publish_service_mtls_policy;
+
+ # Logging Service
+ logging-service:0:1 $logging_service_mtls_policy;
+
+ # Auditing Service
+ auditing-service:0:1 $auditing_service_mtls_policy;
+
+ # Security Service
+ security-service:0:1 $security_service_mtls_policy;
+
+ # Events Service
+ events-service:0:1 $events_service_mtls_policy;
+
+ # Access Control Policy Service
+ access-control-policy:0:1 $access_control_policy_mtls_policy;
+
+}
diff --git a/services/nginx/maps/95-auth-error.conf b/services/nginx/maps/95-auth-error.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f3e63ce0ffa0cf91c6eda8c2da20bb1294c8f68b
--- /dev/null
+++ b/services/nginx/maps/95-auth-error.conf
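Review bot: No key covers the `1:1` case, so a client that presents a valid client certificate and also sends an `Authorization: Bearer` header falls through to `default DENY` on every service, and 95-auth-error.conf has no message for that combination either, so it receives the generic "Operation not allowed". If mTLS and token are meant to be mutually exclusive that deserves a comment right under `default DENY;`, e.g. `# A request carrying both a client certificate and a Bearer header is denied on purpose`; if the certificate should win, the mTLS policies need a second key such as `helper:1:1 $helper_mtls_policy;`. Either way the fail-closed default is the right shape, it is only the intent that is undocumented.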
@@ -0,0 +1,19 @@
+map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error {
+ default '{"status":401,"title":"Unauthorized","detail":"Operation not allowed","cause":"Access denied by policy"}';
+ ~^.*:.*:.*:0:0:.*$ '{"status":401, "title":"Unauthorized" ,"detail":"Certifcate not present", "cause":"Certificate is required for this API route"}';
+ ~^helper:.*:.*:0:1:(invoker|apf|aef|amf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}';
+ ~^invoker-management:.*:.*:0:1:(amf|apf|aef|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
+ ~^provider-management:.*:.*:0:1:(invoker|apf|aef|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}';
+ ~^discover-service:.*:.*:0:1:(amf|apf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
+ ~^publish-service:.*:.*:0:1:(invoker|amf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
+ ~^events-service:.*:.*:0:1:(ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}';
+ ~^access-control-policy:.*:.*:0:1:(amf|apf|invoker)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}';
+
+ ~^security-service:security_trusted_invokers_exact:GET:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
+ ~^security-service:security_trusted_invokers_exact:DELETE:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
+ ~^security-service:security_trusted_invokers_exact:PUT:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
+ ~^security-service:security_update:POST:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}';
+ ~^security-service:security_delete:POST:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}';
+ ~^security-service:security_token:POST:0:1:(aef|amf|apf|ccf)$ '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}';
+
+}
diff --git a/services/nginx/maps/99-auth-decision.conf b/services/nginx/maps/99-auth-decision.conf
new file mode 100644
index 0000000000000000000000000000000000000000..82aa8bf06f1236ca7873ad056089aa9ba65a4fd4
--- /dev/null
+++ b/services/nginx/maps/99-auth-decision.conf
@@ -0,0 +1,4 @@
+map $active_policy $auth_allowed {
+ default 0;
+ ALLOW 1;
+}
diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf
index dfea48b85985aa91b6138e18c85d0a0c775b0439..b6453b45b2ba833e5187b6a42724b5cb87bb0a0f 100644
--- a/services/nginx/nginx.conf
+++ b/services/nginx/nginx.conf
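Review bot: The `0:0` entry's response body misspells the word clients will read: `"detail":"Certifcate not present"` should be `"detail":"Certificate not present"`. More structurally, this map is message selection only, the actual decision is `$auth_allowed` from 99-auth-decision.conf, and the two are maintained by hand in different files; they are already slightly out of step (the `helper` line lists `invoker|apf|aef|amf` but not `ccf`, which the helper policy also denies, so a ccf caller gets the generic default text). A header comment such as `# Messages only: the allow/deny decision is $auth_allowed; keep the role lists in step with policies/*.conf` would at least tell the next editor where the other half lives.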
@@ -12,43 +12,11 @@ http { default ""; ~(^|,)CN=(?[^,]+) $CN; } - map "$request_method:$uri:$ssl_client_s_dn_cn" $helper_error_message { - default 'SUCCESS'; - "~*(GET|DELETE):.*:(?!(superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $invoker_error_message { - default 'SUCCESS'; - "~*(PUT|DELETE):.*:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $provider_error_message { - default 'SUCCESS'; - "~*(PUT|DELETE|PATCH):.*:(?!(AMF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $publish_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(APF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $discover_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(INV|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $security_error_message { - default 'SUCCESS'; - "~*DELETE:.*:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*PUT:.*:(?!(INV|superadmin))(.*)" '{"status":401, 
"title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - "~*GET:.*:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*POST:.*/update:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - "~*POST:.*/delete:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*POST:.*/token:(?!(INV|superadmin))(.*)" '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message { - default 'SUCCESS'; - "~*.*:.*:ccf" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } + include maps/*.conf; + include policies/*.conf; + include endpoints/*.conf; + + # log_format debug_map 'Policy: $uri - $endpoint:$method:$role"$service:$has_token:$has_cert:$active_policy:$auth_allowed:$ssl_client_s_dn_cn' server { listen 8080; 
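Review bot: The three glob `include` lines make every `*.conf` file that lands in `maps/`, `policies/` or `endpoints/` part of the authorization policy without any explicit listing, and the numeric prefixes on the map files suggest an ordering that nginx does not honour, since `map` variables are resolved lazily and independently of definition order. Either enumerate the files explicitly or add a comment above the includes, e.g. `# Every *.conf in these directories is policy; the numeric prefixes are for readers only, nginx maps are order-independent`. The `$ssl_client_s_dn_cn` map shown as context above the hunk appears garbled in this view (`(?[^,]+)`), so its capture could not be checked here.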
@@ -72,23 +40,30 @@ http { ssl_verify_depth 2; ssl_session_tickets off; - location / { - proxy_pass $scheme://$http_host/api-invoker-management/v1/ui/; + # (ONLY DEVELOPMENT)Send the log directly to the console (useful in Docker or terminal) + # access_log /dev/stdout debug_map; + + location ~^/(?[^/]+)(?:/(?[^/]+))?/(ui|openapi\.json|swagger\.json) { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://$service_forwarding:8080; } location /api-invoker-management { - if ( $invoker_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $invoker_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invoker-management:8080; } location /api-provider-management { - if ( $provider_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $provider_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-provider-management:8080; @@ -98,9 +73,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $discover_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $discover_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://service-apis:8080; @@ -110,9 +85,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $publish_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $publish_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://published-apis:8080; 
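Review bot: The new regex `location` for `ui`, `openapi.json` and `swagger.json` takes precedence over the prefix locations and proxies to `http://$service_forwarding:8080` with neither a `$ssl_client_verify` nor an `$auth_allowed` check, and the host it forwards to is taken from the first URI segment of the request (the named captures appear garbled in this view as `(?[^/]+)`, so the exact capture name could not be verified); as written, any resolvable name reachable from the proxy can be selected by the caller. A one-line guard that reuses the allowlist already defined in 00-services.conf keeps it to the known services: `if ($service = "") { return 404; }` placed before `proxy_pass`. Whether the OpenAPI documents are intended to be reachable without any client authentication is not stated anywhere in the change and deserves a comment either way; note also that `proxy_pass` with a variable host normally needs a `resolver` directive, which is not visible in this hunk.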
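Review bot: The same three-line block `if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; return 401 $auth_error; }` is now written out verbatim in nine locations across this hunk and the ones that follow (`/service-apis`, `/published-apis`, `/api-invocation-logs`, `/logs`, `/capif-security`, `/capif-events`, `/access-control-policy`, `/helper`), so a future change to the status code or body format has nine places to miss. Moving it into a snippet and replacing each copy with `include snippets/auth-check.conf;` (path is a placeholder) keeps the decision logic in one file next to the maps it depends on.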
@@ -122,6 +97,10 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; + } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invocation-logs:8080; } @@ -130,6 +109,10 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; + } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://logs:8080; } @@ -138,9 +121,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $security_error_message != SUCCESS ) { - add_header Content-Type 'application/problem+json'; - return 401 $security_error_message; + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; } proxy_set_header X-TLS-Protocol $ssl_protocol; 
@@ -155,32 +138,32 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $events_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $events_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://capif-events:8080; } location /access-control-policy { - if ( $acl_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $acl_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://access-control-policy:8080; } location /helper { - if ( $helper_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $helper_error_message; + return 401 $auth_error; } proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://helper:8080/; + proxy_pass http://helper:8080; } } diff --git a/services/nginx/nginx_prepare.sh b/services/nginx/nginx_prepare.sh index 91884863cc069fc05e1ad71e018627143ed5aa88..5d2179e9085e712e26863a0874a3dc6a31da0882 100644 --- a/services/nginx/nginx_prepare.sh +++ b/services/nginx/nginx_prepare.sh @@ -126,6 +126,8 @@ case "$LOG_LEVEL" in ;; esac +echo "Using log level: $LOG_LEVEL" envsubst '$LOG_LEVEL' < /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.tmp mv /etc/nginx/nginx.conf.tmp /etc/nginx/nginx.conf +echo "Saving nginx configuration with log level: $LOG_LEVEL" nginx diff --git a/services/nginx/policies/acl-mtls.conf b/services/nginx/policies/acl-mtls.conf new file mode 100644 index 0000000000000000000000000000000000000000..67d8a4a5716125c81b796edc8497fd7f011809d0 --- /dev/null +++ b/services/nginx/policies/acl-mtls.conf 
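Review bot: Dropping the trailing slash in `proxy_pass http://helper:8080;` means the `/helper` prefix is now forwarded to the helper service unchanged, which only works together with the `base_path="/helper/" + base_path` change in helper_service/app.py; deploying one without the other breaks every helper route, and nothing in either file says so. A comment on the line, e.g. `# No trailing slash: the helper app mounts its routes under /helper/ itself (see helper_service/app.py)`, records the coupling. The `location /helper` prefix also matches paths such as `/helperfoo`, which the services map leaves with `$service` empty and therefore DENY, so that edge is already fail-closed.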
@@ -0,0 +1,7 @@
+map "$endpoint:$method:$role" $access_control_policy_mtls_policy {
+ default DENY;
+ # Security policies that use mTLS for authentication
+ ~^acl_tree:GET:(aef|superadmin)$ ALLOW;
+
+}
+
diff --git a/services/nginx/policies/auditing-mtls.conf b/services/nginx/policies/auditing-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..3c1379faa0d9944026751e7e4b8cf145257e7858
--- /dev/null
+++ b/services/nginx/policies/auditing-mtls.conf
@@ -0,0 +1,6 @@
+map "$endpoint:$method:$role" $auditing_service_mtls_policy {
+ default DENY;
+ # Auditing policies that use mTLS for authentication
+ ~^auditing_tree:(GET):(amf|superadmin)$ ALLOW;
+}
+
diff --git a/services/nginx/policies/discover-mtls.conf b/services/nginx/policies/discover-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ba07065a8da87ce67fb5f092e38cc3615f60c2b2
--- /dev/null
+++ b/services/nginx/policies/discover-mtls.conf
@@ -0,0 +1,6 @@
+map "$endpoint:$method:$role" $discover_service_mtls_policy {
+ default DENY;
+ # Discover policies that use mTLS for authentication
+ ~^discover_service_exact:GET:(invoker|ccf|superadmin)$ ALLOW;
+}
+
diff --git a/services/nginx/policies/events-mtls.conf b/services/nginx/policies/events-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..2000826adff826c30f4558855ff0896bb7ac9fa4
--- /dev/null
+++ b/services/nginx/policies/events-mtls.conf
@@ -0,0 +1,6 @@
+map "$endpoint:$method:$role" $events_service_mtls_policy {
+ default DENY;
+ #Publish policies that use mTLS for authentication
+ ~^events_tree:(POST|DELETE|PUT|PATCH):(amf|apf|aef|invoker|superadmin)$ ALLOW;
+}
+
diff --git a/services/nginx/policies/helper-mtls.conf b/services/nginx/policies/helper-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..22f87ca92753007a8a39bc47cd3c561e8840b9e7
--- /dev/null
+++ b/services/nginx/policies/helper-mtls.conf
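Review bot: The comment in acl-mtls.conf reads `# Security policies that use mTLS for authentication`, copied from the security policy, and events-mtls.conf likewise says `#Publish policies …`; they should name their own service (`# Access control policies …`, `# Events policies …`) since these files are the only place the intent is written down. Note also that this file narrows what the removed `$acl_error_message` map permitted: that map let `AEF`, `ccf` and `superadmin` use any method, while `~^acl_tree:GET:(aef|superadmin)$` allows only GET and drops ccf; the events policy similarly denies GET to every role where the old map only excluded ccf. If those tightenings are intended, a one-line comment per file saying so would stop them being read as regressions.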
@@ -0,0 +1,4 @@
+map "$endpoint:$method:$role" $helper_mtls_policy {
+ default "DENY";
+ ~^helper_base_tree:.*:superadmin$ ALLOW;
+}
diff --git a/services/nginx/policies/invoker-mtls.conf b/services/nginx/policies/invoker-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ccd479a6a1eaf9a842f373f447e1fd21497793da
--- /dev/null
+++ b/services/nginx/policies/invoker-mtls.conf
@@ -0,0 +1,7 @@
+map "$endpoint:$method:$role" $invoker_mtls_policy {
+ default DENY;
+ # Invoker policies that use mTLS for authentication
+ ~^invoker_onboarding_tree:(PUT|DELETE|PATCH):superadmin$ ALLOW;
+ ~^invoker_onboarding_tree:(PUT|DELETE|PATCH):invoker$ ALLOW;
+}
+
diff --git a/services/nginx/policies/invoker-token.conf b/services/nginx/policies/invoker-token.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8f385e0261bebc2931c05a74317e5a0131ff2961
--- /dev/null
+++ b/services/nginx/policies/invoker-token.conf
@@ -0,0 +1,4 @@
+map "$endpoint:$method" $invoker_token_policy {
+ default DENY;
+ invoker_onboarding_exact:POST ALLOW;
+}
diff --git a/services/nginx/policies/logging-mtls.conf b/services/nginx/policies/logging-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..dc66bb4906bcd2aa3732deb3bf8b9345c0da0151
--- /dev/null
+++ b/services/nginx/policies/logging-mtls.conf
@@ -0,0 +1,6 @@
+map "$endpoint:$method:$role" $logging_service_mtls_policy {
+ default DENY;
+ # Logging policies that use mTLS for authentication
+ ~^logging_tree:POST:(aef|superadmin)$ ALLOW;
+}
+
diff --git a/services/nginx/policies/provider-mtls.conf b/services/nginx/policies/provider-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d8db996eb54bcd979db2c6d981e3dee0d1d56a07
--- /dev/null
+++ b/services/nginx/policies/provider-mtls.conf
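Review bot: In invoker-mtls.conf the two rules differ only in the role and can be one line, `~^invoker_onboarding_tree:(PUT|DELETE|PATCH):(invoker|superadmin)$ ALLOW;`; provider-mtls.conf has the same pair for `amf|superadmin`. Behaviourally, GET on the onboarded-invoker tree is now DENY for every role, whereas the removed `$invoker_error_message` map only constrained PUT and DELETE, so reads that used to pass now return 401; if that is intended it is worth one comment in the file. Cosmetically, helper-mtls.conf writes `default "DENY";` while every other policy writes `default DENY;`, harmless but inconsistent.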
@@ -0,0 +1,7 @@
+map "$endpoint:$method:$role" $provider_mtls_policy {
+ default DENY;
+ #Provider policies that use mTLS for authentication
+ ~^provider_registrations_tree:(PUT|DELETE|PATCH):superadmin$ ALLOW;
+ ~^provider_registrations_tree:(PUT|DELETE|PATCH):amf$ ALLOW;
+}
+
diff --git a/services/nginx/policies/provider-token.conf b/services/nginx/policies/provider-token.conf
new file mode 100644
index 0000000000000000000000000000000000000000..3dac3cf3ef2e34340d8195085382fc3b95eb88f6
--- /dev/null
+++ b/services/nginx/policies/provider-token.conf
@@ -0,0 +1,4 @@
+map "$endpoint:$method" $provider_token_policy {
+ default DENY;
+ provider_registrations_exact:POST ALLOW;
+}
diff --git a/services/nginx/policies/publish-mtls.conf b/services/nginx/policies/publish-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..368089f7c01298d1c2eaef7fbd774e955f72a1ce
--- /dev/null
+++ b/services/nginx/policies/publish-mtls.conf
@@ -0,0 +1,6 @@
+map "$endpoint:$method:$role" $publish_service_mtls_policy {
+ default DENY;
+ #Publish policies that use mTLS for authentication
+ ~^published_apis_tree:(GET|POST|PUT|DELETE|PATCH):(apf|superadmin|ccf)$ ALLOW;
+}
+
diff --git a/services/nginx/policies/security-mtls.conf b/services/nginx/policies/security-mtls.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f1879835f0bf37a6142cce18114d7f2e8438a4d8
--- /dev/null
+++ b/services/nginx/policies/security-mtls.conf
@@ -0,0 +1,14 @@
+map "$endpoint:$method:$role" $security_service_mtls_policy {
+ default DENY;
+ # Security policies that use mTLS for authentication
+ security_trusted_invokers_exact:DELETE:aef ALLOW;
+ security_trusted_invokers_exact:PUT:invoker ALLOW;
+ security_trusted_invokers_exact:GET:aef ALLOW;
+ security_update:POST:invoker ALLOW;
+ security_delete:POST:aef ALLOW;
+ security_token:POST:invoker ALLOW;
+
+ ~^.*:.*:superadmin$ ALLOW;
+
+}
+
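Review bot: The superadmin catch-all `~^.*:.*:superadmin$ ALLOW;` in security-mtls.conf also matches `$endpoint` = `NO MATCH` and `$method` = `OTHER`, so a superadmin certificate is let through to the security service on URIs and methods the endpoint map does not recognise, which is the one place where this policy set is not fail-closed. If superadmin is meant to be bounded to the known routes, `~^security_[a-z_]+:(GET|POST|PUT|DELETE|PATCH):superadmin$ ALLOW;` keeps the same grants on every listed endpoint plus `security_tree`; if unrestricted access is the intent, a comment saying so on that line is enough. The plain-string keys above it (`security_trusted_invokers_exact:DELETE:aef` and friends) are compared ignoring case by nginx `map`, which is fine here since `$method` and `$role` are produced by maps that emit fixed values.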