From 6876c74234175b3ea0c2a644473cbf731d712465 Mon Sep 17 00:00:00 2001
From: Jorge Moratinos Salcines
Date: Fri, 6 Feb 2026 11:28:51 +0100
Subject: [PATCH 1/5] Changed Helper and invoker management
---
 services/nginx/Dockerfile | 3 +++
 services/nginx/endpoints/endpoints.conf | 9 +++++++++
 services/nginx/maps/00-services.conf | 6 ++++++
 services/nginx/maps/20-methods.conf | 8 ++++++++
 services/nginx/maps/30-auth-type.conf | 9 +++++++++
 services/nginx/maps/40-roles.conf | 9 +++++++++
 services/nginx/maps/90-policy-dispatch.conf | 12 ++++++++++++
 services/nginx/maps/95-auth-error.conf | 6 ++++++
 services/nginx/maps/99-auth-decision.conf | 4 ++++
 services/nginx/nginx.conf | 18 ++++++++++++++----
 services/nginx/nginx_prepare.sh | 2 ++
 services/nginx/policies/helper-mtls.conf | 4 ++++
 services/nginx/policies/invoker-mtls.conf | 10 ++++++++++
 services/nginx/policies/invoker-token.conf | 4 ++++
 14 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 services/nginx/endpoints/endpoints.conf
 create mode 100644 services/nginx/maps/00-services.conf
 create mode 100644 services/nginx/maps/20-methods.conf
 create mode 100644 services/nginx/maps/30-auth-type.conf
 create mode 100644 services/nginx/maps/40-roles.conf
 create mode 100644 services/nginx/maps/90-policy-dispatch.conf
 create mode 100644 services/nginx/maps/95-auth-error.conf
 create mode 100644 services/nginx/maps/99-auth-decision.conf
 create mode 100644 services/nginx/policies/helper-mtls.conf
 create mode 100644 services/nginx/policies/invoker-mtls.conf
 create mode 100644 services/nginx/policies/invoker-token.conf
diff --git a/services/nginx/Dockerfile b/services/nginx/Dockerfile
index b163386e..f8bb5356 100644
--- a/services/nginx/Dockerfile
+++ b/services/nginx/Dockerfile
@@ -9,6 +9,9 @@ RUN mkdir -p /etc/nginx/certs COPY ./certs/sign_req_body_tmp.json /etc/nginx/certs/sign_req_body_tmp.json COPY ./nginx.conf /etc/nginx/nginx.conf +COPY ./endpoints /etc/nginx/endpoints +COPY ./maps /etc/nginx/maps +COPY ./policies /etc/nginx/policies COPY ./nginx_prepare.sh . RUN chmod a+x nginx_prepare.sh diff --git a/services/nginx/endpoints/endpoints.conf b/services/nginx/endpoints/endpoints.conf new file mode 100644 index 00000000..a32e51d7 --- /dev/null +++ b/services/nginx/endpoints/endpoints.conf @@ -0,0 +1,9 @@ +map $uri $endpoint { + default "NO MATCH"; + + /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact; + + ~^/helper/ helper_base_tree; + ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree; + +} diff --git a/services/nginx/maps/00-services.conf b/services/nginx/maps/00-services.conf new file mode 100644 index 00000000..0ae9d393 --- /dev/null +++ b/services/nginx/maps/00-services.conf @@ -0,0 +1,6 @@ +map $uri $service { + default ""; + ~^/helper(/|$) helper; + ~^/api-invoker-management(/|$) invoker-management; + +} diff --git a/services/nginx/maps/20-methods.conf b/services/nginx/maps/20-methods.conf new file mode 100644 index 00000000..2f3bd120 --- /dev/null +++ b/services/nginx/maps/20-methods.conf @@ -0,0 +1,8 @@ +map $request_method $method { + default OTHER; + GET GET; + POST POST; + PUT PUT; + DELETE DELETE; + PATCH PATCH; +} diff --git a/services/nginx/maps/30-auth-type.conf b/services/nginx/maps/30-auth-type.conf new file mode 100644 index 00000000..90309a9a --- /dev/null +++ b/services/nginx/maps/30-auth-type.conf @@ -0,0 +1,9 @@ +map $ssl_client_verify $has_cert { + default 0; + SUCCESS 1; +} + +map $http_authorization $has_token { + default 0; + ~^Bearer\s+.+ 1; +} diff --git a/services/nginx/maps/40-roles.conf b/services/nginx/maps/40-roles.conf new file mode 100644 index 00000000..7984b351 --- /dev/null +++ b/services/nginx/maps/40-roles.conf 
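Review bot: `$has_token` in `30-auth-type.conf` only records that an `Authorization: Bearer …` header is present; nothing in this series validates the token at nginx, so the onboarding POST that `invoker-token.conf` allows for `invoker-management:1:0` reaches the upstream on the strength of the header's presence alone, and the upstream must remain the place that verifies it (the provider token policy added later in the series has the same shape). A request that carries both a bearer header and a verified client certificate evaluates to `invoker-management:1:1`, which no row in `90-policy-dispatch.conf` lists, so it falls to `default DENY` with the generic "Access denied by policy" message; worth stating whether that is intended. Suggest a comment above the `$has_token` map: `# presence check only — the bearer token is validated by the upstream service, not here`.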
@@ -0,0 +1,9 @@ +map $ssl_client_s_dn_cn $role { + default unknown; + superadmin superadmin; + "~^INV[a-zA-Z0-9]+$" invoker; + "~^AMF[a-zA-Z0-9]+$" amf; + "~^APF[a-zA-Z0-9]+$" apf; + "~^AEF[a-zA-Z0-9]+$" aef; + "~^CCF[a-zA-Z0-9]+$" ccf; +} \ No newline at end of file diff --git a/services/nginx/maps/90-policy-dispatch.conf b/services/nginx/maps/90-policy-dispatch.conf new file mode 100644 index 00000000..99e5b141 --- /dev/null +++ b/services/nginx/maps/90-policy-dispatch.conf @@ -0,0 +1,12 @@ +map "$service:$has_token:$has_cert" $active_policy { + default DENY; + # Define policies for each service, based on the presence of a token and/or client certificate + # The format is: service_name:has_token:has_cert + + # Helper Service + helper:0:1 $helper_mtls_policy; + + # Api Invoker Management Service + invoker-management:1:0 $invoker_token_policy; + invoker-management:0:1 $invoker_mtls_policy; +} diff --git a/services/nginx/maps/95-auth-error.conf b/services/nginx/maps/95-auth-error.conf new file mode 100644 index 00000000..218a22d4 --- /dev/null +++ b/services/nginx/maps/95-auth-error.conf @@ -0,0 +1,6 @@ +map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error { + default '{"status":401,"title":"Unauthorized","detail":"Operation not allowed","cause":"Access denied by policy"}'; + ~^.*:.*:.*:0:0:.*$ '{"status":401, "title":"Unauthorized" ,"detail":"Certifcate not present", "cause":"Certificate is required for this API route"}'; + + ~^helper:.*:.*:0:1:(invoker|apf|aef|amf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; +} diff --git a/services/nginx/maps/99-auth-decision.conf b/services/nginx/maps/99-auth-decision.conf new file mode 100644 index 00000000..82aa8bf0 --- /dev/null +++ b/services/nginx/maps/99-auth-decision.conf @@ -0,0 +1,4 @@ +map $active_policy $auth_allowed { + default 0; + ALLOW 1; +} 
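Review bot: `$role` in `40-roles.conf` is derived from `$ssl_client_s_dn_cn`, which the map at the top of nginx.conf (visible as context in the next file) computes from `$ssl_client_s_dn` whether or not verification succeeded, so a role is assigned even when `$ssl_client_verify` is not SUCCESS; today that is harmless because `90-policy-dispatch.conf` only selects an mTLS policy when `$has_cert` is 1, but the coupling is implicit. Suggest a comment on the map: `# CN-derived role; only meaningful when $has_cert = 1 — never consult $role on its own`. If I recall nginx's map semantics correctly, plain-string keys are compared case-insensitively while the `~` regexes here are case-sensitive, so `superadmin` and the `INV…`/`AMF…` prefixes follow different matching rules — fine if the CA issues CNs with exactly this casing, but worth noting next to the map. The file also ends without a trailing newline.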
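Review bot: the JSON `detail` in the `:0:0:` row of `95-auth-error.conf` reads `Certifcate not present`; since this string is what clients receive in the 401 body, it is worth fixing before it is carried forward (it survives as context in patches 2 and 3): `"detail":"Certificate not present"`. The map also decides the message from role lists that are maintained separately from the policy tables, so the two can drift; a comment stating that `$auth_error` only describes a denial and that `$auth_allowed` alone decides would make that explicit.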
diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf index dfea48b8..ea1c30cb 100644 --- a/services/nginx/nginx.conf +++ b/services/nginx/nginx.conf @@ -12,6 +12,13 @@ http { default ""; ~(^|,)CN=(?[^,]+) $CN; } + include maps/*.conf; + include policies/*.conf; + include endpoints/*.conf; + + log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn'; + + map "$request_method:$uri:$ssl_client_s_dn_cn" $helper_error_message { default 'SUCCESS'; "~*(GET|DELETE):.*:(?!(superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; @@ -72,14 +79,17 @@ http { ssl_verify_depth 2; ssl_session_tickets off; + # (ONLY DEVELOPMENT)Send the log directly to the console (useful in Docker or terminal) + access_log /dev/stdout debug_map; + location / { proxy_pass $scheme://$http_host/api-invoker-management/v1/ui/; } location /api-invoker-management { - if ( $invoker_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $invoker_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invoker-management:8080; @@ -173,9 +183,9 @@ http { } location /helper { - if ( $helper_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $helper_error_message; + return 401 $auth_error; } proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/services/nginx/nginx_prepare.sh b/services/nginx/nginx_prepare.sh index 91884863..5d2179e9 100644 --- a/services/nginx/nginx_prepare.sh +++ b/services/nginx/nginx_prepare.sh 
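Review bot: `add_header Content-Type 'application/problem+json';` before `return 401 $auth_error;` in the `/api-invoker-management` hunk has no effect: `add_header` only emits its header for 200/201/204/206/3xx responses unless `always` is given, so the JSON body goes out with whatever `default_type` the config sets (`application/octet-stream` in a stock nginx.conf). The same pattern is kept in the `/helper` hunk below and copied into the new `if ($auth_allowed = 0)` blocks of patches 2 and 3 (provider, discover, publish, api-invocation-logs, logs, security, events, access-control-policy). Change each to `add_header Content-Type 'application/problem+json' always;`. Separately, `access_log /dev/stdout debug_map;` together with the `debug_map` format writes `$ssl_client_s_dn_cn` and every policy variable for each request; patch 4 only comments these out, so a comment on the `log_format` line saying it is development-only would keep that intent visible.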
@@ -126,6 +126,8 @@ case "$LOG_LEVEL" in ;; esac +echo "Using log level: $LOG_LEVEL" envsubst '$LOG_LEVEL' < /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.tmp mv /etc/nginx/nginx.conf.tmp /etc/nginx/nginx.conf +echo "Saving nginx configuration with log level: $LOG_LEVEL" nginx diff --git a/services/nginx/policies/helper-mtls.conf b/services/nginx/policies/helper-mtls.conf new file mode 100644 index 00000000..5f50229a --- /dev/null +++ b/services/nginx/policies/helper-mtls.conf @@ -0,0 +1,4 @@ +map "$endpoint:$method:$role" $helper_mtls_policy { + default "DENY"; + "~^helper_base_tree:.*:superadmin$" "ALLOW"; +} diff --git a/services/nginx/policies/invoker-mtls.conf b/services/nginx/policies/invoker-mtls.conf new file mode 100644 index 00000000..1d559d88 --- /dev/null +++ b/services/nginx/policies/invoker-mtls.conf @@ -0,0 +1,10 @@ +map "$endpoint:$method:$role" $invoker_mtls_policy { + default DENY; + # Invoker policies that use mTLS for authentication + "~^invoker_onboarding_tree:.*:superadmin$" ALLOW; + invoker_onboarding_tree:PUT:invoker ALLOW; + invoker_onboarding_tree:DELETE:invoker ALLOW; + invoker_onboarding_tree:PATCH:invoker ALLOW; + +} + diff --git a/services/nginx/policies/invoker-token.conf b/services/nginx/policies/invoker-token.conf new file mode 100644 index 00000000..8f385e02 --- /dev/null +++ b/services/nginx/policies/invoker-token.conf @@ -0,0 +1,4 @@ +map "$endpoint:$method" $invoker_token_policy { + default DENY; + invoker_onboarding_exact:POST ALLOW; +} -- GitLab From 15acbb53d88f1b8aafbbd3ba6df09042722b2b82 Mon Sep 17 00:00:00 2001 
From: Jorge Moratinos Salcines
Date: Fri, 6 Feb 2026 14:33:13 +0100
Subject: [PATCH 2/5] added helper, invoker, provider, published, discover, auditin, login events, events, acl
---
 services/nginx/endpoints/endpoints.conf | 37 +++++++++++--
 services/nginx/maps/00-services.conf | 9 +++-
 services/nginx/maps/90-policy-dispatch.conf | 22 ++++++++
 services/nginx/maps/95-auth-error.conf | 15 +++++-
 services/nginx/nginx.conf | 57 +++++++-------------
 services/nginx/policies/auditing-mtls.conf | 6 +++
 services/nginx/policies/discover-mtls.conf | 6 +++
 services/nginx/policies/helper-mtls.conf | 2 +-
 services/nginx/policies/invoker-mtls.conf | 7 +--
 services/nginx/policies/logging-mtls.conf | 6 +++
 services/nginx/policies/provider-mtls.conf | 7 +++
 services/nginx/policies/provider-token.conf | 4 ++
 services/nginx/policies/publish-mtls.conf | 6 +++
 services/nginx/policies/security-mtls.conf | 14 +++++
 14 files changed, 148 insertions(+), 50 deletions(-)
 create mode 100644 services/nginx/policies/auditing-mtls.conf
 create mode 100644 services/nginx/policies/discover-mtls.conf
 create mode 100644 services/nginx/policies/logging-mtls.conf
 create mode 100644 services/nginx/policies/provider-mtls.conf
 create mode 100644 services/nginx/policies/provider-token.conf
 create mode 100644 services/nginx/policies/publish-mtls.conf
 create mode 100644 services/nginx/policies/security-mtls.conf
diff --git a/services/nginx/endpoints/endpoints.conf b/services/nginx/endpoints/endpoints.conf
index a32e51d7..76448f7e 100644
--- a/services/nginx/endpoints/endpoints.conf
+++ b/services/nginx/endpoints/endpoints.conf
@@ -1,9 +1,40 @@ map $uri $endpoint { default "NO MATCH"; - /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact; + # Exact matches for endpoints that require specific handling (Must be on top of the regex matches) + /api-invoker-management/v1/onboardedInvokers invoker_onboarding_exact; + /api-provider-management/v1/registrations provider_registrations_exact; + /service-apis/v1/allServiceAPIs discover_service_exact; + + # Regex matches for endpoints that can be grouped by common patterns + # Helper related endpoints + ~^/helper/ helper_base_tree; + + # Invoker management related endpoints + ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree; + + # Provider management related endpoints + ~^/api-provider-management/v1/registrations/ provider_registrations_tree; - ~^/helper/ helper_base_tree; - ~^/api-invoker-management/v1/onboardedInvokers/ invoker_onboarding_tree; + # Published APIs related endpoints + ~^/published-apis/v1/ published_apis_tree; + + # Logging related endpoints + ~^/api-invocation-logs/v1/ logging_tree; + + # Auditing related endpoints + ~^/logs/v1/ auditing_tree; + + # Security related endpoints + ~^/capif-security/v1/trustedInvokers/.+/update security_update; + ~^/capif-security/v1/trustedInvokers/.+/delete security_delete; + ~^/capif-security/v1/trustedInvokers/.+ security_trusted_invokers_exact; + ~^/capif-security/v1/securities/.+/token security_token; + ~^/capif-security/v1/ security_tree; + + # Events related endpoints + ~^/capif-events/v1/ events_tree; + # Access control policy related endpoints + ~^/access-control-policy/v1/ acl_tree; } diff --git a/services/nginx/maps/00-services.conf b/services/nginx/maps/00-services.conf index 0ae9d393..44ec4730 100644 --- a/services/nginx/maps/00-services.conf +++ b/services/nginx/maps/00-services.conf 
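Review bot: the security rows match with `.+`, which also spans `/`, so `~^/capif-security/v1/trustedInvokers/.+/update` classifies a path of any depth ending in `/update` as `security_update`, and `~^/capif-security/v1/trustedInvokers/.+` (labelled `_exact`) is really a prefix match over everything else beneath `trustedInvokers/`. `security-mtls.conf` later grants `POST` on `security_update` to `invoker` and `GET`/`DELETE` on `security_trusted_invokers_exact` to `aef`, so this classification is what decides who may call what; if the identifiers are single path segments, as the paths suggest, tighter keys keep the gateway decision aligned with them: `~^/capif-security/v1/trustedInvokers/[^/]+/update$ security_update;`, `~^/capif-security/v1/trustedInvokers/[^/]+/delete$ security_delete;`, `~^/capif-security/v1/trustedInvokers/[^/]+$ security_trusted_invokers_exact;` (and `securities/[^/]+/token$` likewise). Whether the upstream rejects longer paths itself I cannot tell from here; if it does, this is hygiene rather than a hole.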
@@ -2,5 +2,12 @@ map $uri $service { default ""; ~^/helper(/|$) helper; ~^/api-invoker-management(/|$) invoker-management; - + ~^/api-provider-management(/|$) provider-management; + ~^/service-apis(/|$) discover-service; + ~^/published-apis(/|$) publish-service; + ~^/api-invocation-logs(/|$) logging-service; + ~^/logs(/|$) auditing-service; + ~^/capif-security(/|$) security-service; + ~^/capif-events(/|$) events-service; + ~^/access-control-policy(/|$) access-control-policy; } diff --git a/services/nginx/maps/90-policy-dispatch.conf b/services/nginx/maps/90-policy-dispatch.conf index 99e5b141..4ff4bab7 100644 --- a/services/nginx/maps/90-policy-dispatch.conf +++ b/services/nginx/maps/90-policy-dispatch.conf @@ -9,4 +9,26 @@ map "$service:$has_token:$has_cert" $active_policy { # Api Invoker Management Service invoker-management:1:0 $invoker_token_policy; invoker-management:0:1 $invoker_mtls_policy; + + # Api Provider Management Service + provider-management:1:0 $provider_token_policy; + provider-management:0:1 $provider_mtls_policy; + + # Discover Service + discover-service:0:1 $discover_service_mtls_policy; + + # Published APIs Service + publish-service:0:1 $publish_service_mtls_policy; + + # Logging Service + logging-service:0:1 $logging_service_mtls_policy; + + # Auditing Service + auditing-service:0:1 $auditing_service_mtls_policy; + + # Security Service + security-service:0:1 $security_service_mtls_policy; + + + } diff --git a/services/nginx/maps/95-auth-error.conf b/services/nginx/maps/95-auth-error.conf index 218a22d4..5862f05d 100644 --- a/services/nginx/maps/95-auth-error.conf +++ b/services/nginx/maps/95-auth-error.conf 
@@ -1,6 +1,19 @@ map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error { default '{"status":401,"title":"Unauthorized","detail":"Operation not allowed","cause":"Access denied by policy"}'; ~^.*:.*:.*:0:0:.*$ '{"status":401, "title":"Unauthorized" ,"detail":"Certifcate not present", "cause":"Certificate is required for this API route"}'; - ~^helper:.*:.*:0:1:(invoker|apf|aef|amf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; + ~^invoker-management:.*:.*:0:1:(amf|apf|aef|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; + ~^provider-management:.*:.*:0:1:(invoker|apf|aef|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}'; + ~^discover-service:.*:.*:0:1:(amf|apf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; + ~^publish-service:.*:.*:0:1:(invoker|amf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; + + ~^security-service:security_trusted_invokers_exact:GET:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; + ~^security-service:security_trusted_invokers_exact:DELETE:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; + ~^security-service:security_trusted_invokers_exact:PUT:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; + ~^security-service:security_update:POST:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this 
API route", "cause":"User role must be invoker"}'; + ~^security-service:security_delete:POST:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; + ~^security-service:security_token:POST:0:1:(aef|amf|apf|ccf)$ '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}'; + + + } diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf index ea1c30cb..b85182a5 100644 --- a/services/nginx/nginx.conf +++ b/services/nginx/nginx.conf 
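Review bot: the `security_token:POST` row answers with an OAuth-style body `{"error":"unauthorized_client", …}` while the `/capif-security` location in this patch labels every 401 body `application/problem+json`; for that one endpoint `application/json` would be the fitting type. Either pick the content type per endpoint or add a comment on the row saying that token errors deliberately reuse the problem+json header, so the mismatch is visibly intentional.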
@@ -18,40 +18,11 @@ http { log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn'; - - map "$request_method:$uri:$ssl_client_s_dn_cn" $helper_error_message { - default 'SUCCESS'; - "~*(GET|DELETE):.*:(?!(superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be superadmin"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $invoker_error_message { - default 'SUCCESS'; - "~*(PUT|DELETE):.*:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $provider_error_message { - default 'SUCCESS'; - "~*(PUT|DELETE|PATCH):.*:(?!(AMF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $publish_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(APF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message { default 'SUCCESS'; "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}'; } - map "$request_method:$uri:$ssl_client_s_dn_cn" $discover_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(INV|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } - map "$request_method:$uri:$ssl_client_s_dn_cn" $security_error_message { - default 'SUCCESS'; - "~*DELETE:.*:(?!(AEF|superadmin))(.*)" '{"status":401, 
"title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*PUT:.*:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - "~*GET:.*:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*POST:.*/update:(?!(INV|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; - "~*POST:.*/delete:(?!(AEF|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; - "~*POST:.*/token:(?!(INV|superadmin))(.*)" '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}'; - } + map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message { default 'SUCCESS'; "~*.*:.*:ccf" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; @@ -96,9 +67,9 @@ http { } location /api-provider-management { - if ( $provider_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $provider_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-provider-management:8080; @@ -108,9 +79,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $discover_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $discover_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://service-apis:8080; 
@@ -120,9 +91,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $publish_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $publish_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://published-apis:8080; @@ -132,6 +103,10 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; + } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://api-invocation-logs:8080; } @@ -140,6 +115,10 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; + } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://logs:8080; } @@ -148,9 +127,9 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $security_error_message != SUCCESS ) { - add_header Content-Type 'application/problem+json'; - return 401 $security_error_message; + if ($auth_allowed = 0) { + add_header Content-Type 'application/problem+json'; + return 401 $auth_error; } proxy_set_header X-TLS-Protocol $ssl_protocol; diff --git a/services/nginx/policies/auditing-mtls.conf b/services/nginx/policies/auditing-mtls.conf new file mode 100644 index 00000000..3c1379fa --- /dev/null +++ b/services/nginx/policies/auditing-mtls.conf @@ -0,0 +1,6 @@ +map "$endpoint:$method:$role" $auditing_service_mtls_policy { + default DENY; + # Auditing policies that use mTLS for authentication + ~^auditing_tree:(GET):(amf|superadmin)$ ALLOW; +} + diff --git a/services/nginx/policies/discover-mtls.conf b/services/nginx/policies/discover-mtls.conf new file mode 100644 index 00000000..ba07065a --- /dev/null +++ b/services/nginx/policies/discover-mtls.conf 
@@ -0,0 +1,6 @@ +map "$endpoint:$method:$role" $discover_service_mtls_policy { + default DENY; + # Discover policies that use mTLS for authentication + ~^discover_service_exact:GET:(invoker|ccf|superadmin)$ ALLOW; +} + diff --git a/services/nginx/policies/helper-mtls.conf b/services/nginx/policies/helper-mtls.conf index 5f50229a..22f87ca9 100644 --- a/services/nginx/policies/helper-mtls.conf +++ b/services/nginx/policies/helper-mtls.conf @@ -1,4 +1,4 @@ map "$endpoint:$method:$role" $helper_mtls_policy { default "DENY"; - "~^helper_base_tree:.*:superadmin$" "ALLOW"; + ~^helper_base_tree:.*:superadmin$ ALLOW; } diff --git a/services/nginx/policies/invoker-mtls.conf b/services/nginx/policies/invoker-mtls.conf index 1d559d88..ccd479a6 100644 --- a/services/nginx/policies/invoker-mtls.conf +++ b/services/nginx/policies/invoker-mtls.conf @@ -1,10 +1,7 @@ map "$endpoint:$method:$role" $invoker_mtls_policy { default DENY; # Invoker policies that use mTLS for authentication - "~^invoker_onboarding_tree:.*:superadmin$" ALLOW; - invoker_onboarding_tree:PUT:invoker ALLOW; - invoker_onboarding_tree:DELETE:invoker ALLOW; - invoker_onboarding_tree:PATCH:invoker ALLOW; - + ~^invoker_onboarding_tree:(PUT|DELETE|PATCH):superadmin$ ALLOW; + ~^invoker_onboarding_tree:(PUT|DELETE|PATCH):invoker$ ALLOW; } diff --git a/services/nginx/policies/logging-mtls.conf b/services/nginx/policies/logging-mtls.conf new file mode 100644 index 00000000..dc66bb49 --- /dev/null +++ b/services/nginx/policies/logging-mtls.conf @@ -0,0 +1,6 @@ +map "$endpoint:$method:$role" $logging_service_mtls_policy { + default DENY; + # Logging policies that use mTLS for authentication + ~^logging_tree:POST:(aef|superadmin)$ ALLOW; +} + diff --git a/services/nginx/policies/provider-mtls.conf b/services/nginx/policies/provider-mtls.conf new file mode 100644 index 00000000..d8db996e --- /dev/null +++ b/services/nginx/policies/provider-mtls.conf 
@@ -0,0 +1,7 @@ +map "$endpoint:$method:$role" $provider_mtls_policy { + default DENY; + #Provider policies that use mTLS for authentication + ~^provider_registrations_tree:(PUT|DELETE|PATCH):superadmin$ ALLOW; + ~^provider_registrations_tree:(PUT|DELETE|PATCH):amf$ ALLOW; +} + diff --git a/services/nginx/policies/provider-token.conf b/services/nginx/policies/provider-token.conf new file mode 100644 index 00000000..3dac3cf3 --- /dev/null +++ b/services/nginx/policies/provider-token.conf @@ -0,0 +1,4 @@ +map "$endpoint:$method" $provider_token_policy { + default DENY; + provider_registrations_exact:POST ALLOW; +} diff --git a/services/nginx/policies/publish-mtls.conf b/services/nginx/policies/publish-mtls.conf new file mode 100644 index 00000000..368089f7 --- /dev/null +++ b/services/nginx/policies/publish-mtls.conf @@ -0,0 +1,6 @@ +map "$endpoint:$method:$role" $publish_service_mtls_policy { + default DENY; + #Publish policies that use mTLS for authentication + ~^published_apis_tree:(GET|POST|PUT|DELETE|PATCH):(apf|superadmin|ccf)$ ALLOW; +} + diff --git a/services/nginx/policies/security-mtls.conf b/services/nginx/policies/security-mtls.conf new file mode 100644 index 00000000..f1879835 --- /dev/null +++ b/services/nginx/policies/security-mtls.conf @@ -0,0 +1,14 @@ +map "$endpoint:$method:$role" $security_service_mtls_policy { + default DENY; + # Security policies that use mTLS for authentication + security_trusted_invokers_exact:DELETE:aef ALLOW; + security_trusted_invokers_exact:PUT:invoker ALLOW; + security_trusted_invokers_exact:GET:aef ALLOW; + security_update:POST:invoker ALLOW; + security_delete:POST:aef ALLOW; + security_token:POST:invoker ALLOW; + + ~^.*:.*:superadmin$ ALLOW; + +} + -- GitLab From 355921f1dcd037a5e9fd999e3c9128075634b688 Mon Sep 17 00:00:00 2001 
From: Jorge Moratinos Salcines Date: Mon, 9 Feb 2026 10:43:15 +0100 Subject: [PATCH 3/5] Added other services to nginx --- services/nginx/maps/90-policy-dispatch.conf | 4 ++++ services/nginx/maps/95-auth-error.conf | 6 +++--- services/nginx/nginx.conf | 18 ++++-------------- services/nginx/policies/acl-mtls.conf | 7 +++++++ services/nginx/policies/events-mtls.conf | 6 ++++++ 5 files changed, 24 insertions(+), 17 deletions(-) create mode 100644 services/nginx/policies/acl-mtls.conf create mode 100644 services/nginx/policies/events-mtls.conf diff --git a/services/nginx/maps/90-policy-dispatch.conf b/services/nginx/maps/90-policy-dispatch.conf index 4ff4bab7..6c856570 100644 --- a/services/nginx/maps/90-policy-dispatch.conf +++ b/services/nginx/maps/90-policy-dispatch.conf @@ -29,6 +29,10 @@ map "$service:$has_token:$has_cert" $active_policy { # Security Service security-service:0:1 $security_service_mtls_policy; + # Events Service + events-service:0:1 $events_service_mtls_policy; + # Access Control Policy Service + access-control-policy:0:1 $access_control_policy_mtls_policy; } diff --git a/services/nginx/maps/95-auth-error.conf b/services/nginx/maps/95-auth-error.conf index 5862f05d..f3e63ce0 100644 --- a/services/nginx/maps/95-auth-error.conf +++ b/services/nginx/maps/95-auth-error.conf 
@@ -6,14 +6,14 @@ map "$service:$endpoint:$method:$has_token:$has_cert:$role" $auth_error { ~^provider-management:.*:.*:0:1:(invoker|apf|aef|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be amf"}'; ~^discover-service:.*:.*:0:1:(amf|apf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; ~^publish-service:.*:.*:0:1:(invoker|amf|aef)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - + ~^events-service:.*:.*:0:1:(ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; + ~^access-control-policy:.*:.*:0:1:(amf|apf|invoker)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}'; + ~^security-service:security_trusted_invokers_exact:GET:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; ~^security-service:security_trusted_invokers_exact:DELETE:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; ~^security-service:security_trusted_invokers_exact:PUT:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; ~^security-service:security_update:POST:0:1:(aef|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be invoker"}'; ~^security-service:security_delete:POST:0:1:(invoker|amf|apf|ccf)$ '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"User role must be aef"}'; 
~^security-service:security_token:POST:0:1:(aef|amf|apf|ccf)$ '{"error":"unauthorized_client", "error_description":"Role not authorized for this API route"}'; - - } diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf index b85182a5..aa12111f 100644 --- a/services/nginx/nginx.conf +++ b/services/nginx/nginx.conf @@ -18,16 +18,6 @@ http { log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn'; - map "$request_method:$uri:$ssl_client_s_dn_cn" $acl_error_message { - default 'SUCCESS'; - "~*.*:.*:(?!(AEF|ccf|superadmin))(.*)" '{"status":401, "title":"Unauthorized" ,"detail":"Role not authorized for this API route", "cause":"Certificate not authorized"}'; - } - - map "$request_method:$uri:$ssl_client_s_dn_cn" $events_error_message { - default 'SUCCESS'; - "~*.*:.*:ccf" '{"status":401, "title":"Unauthorized" ,"detail":"User not authorized", "cause":"Certificate not authorized"}'; - } - server { listen 8080; @@ -144,18 +134,18 @@ http { if ($ssl_client_verify != SUCCESS) { return 403; } - if ( $events_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $events_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://capif-events:8080; } location /access-control-policy { - if ( $acl_error_message != SUCCESS ) { + if ($auth_allowed = 0) { add_header Content-Type 'application/problem+json'; - return 401 $acl_error_message; + return 401 $auth_error; } proxy_set_header X-SSL-Client-Cert $ssl_client_cert; proxy_pass http://access-control-policy:8080; diff --git a/services/nginx/policies/acl-mtls.conf b/services/nginx/policies/acl-mtls.conf new file mode 100644 index 00000000..67d8a4a5 --- /dev/null +++ b/services/nginx/policies/acl-mtls.conf 
@@ -0,0 +1,7 @@ +map "$endpoint:$method:$role" $access_control_policy_mtls_policy { + default DENY; + # Security policies that use mTLS for authentication + ~^acl_tree:GET:(aef|superadmin)$ ALLOW; + +} + diff --git a/services/nginx/policies/events-mtls.conf b/services/nginx/policies/events-mtls.conf new file mode 100644 index 00000000..2000826a --- /dev/null +++ b/services/nginx/policies/events-mtls.conf @@ -0,0 +1,6 @@ +map "$endpoint:$method:$role" $events_service_mtls_policy { + default DENY; + #Publish policies that use mTLS for authentication + ~^events_tree:(POST|DELETE|PUT|PATCH):(amf|apf|aef|invoker|superadmin)$ ALLOW; +} + -- GitLab From 890e48985489fff4ecdf0a399dc5a20474faf026 Mon Sep 17 00:00:00 2001 From: Jorge Moratinos Salcines Date: Tue, 10 Feb 2026 10:23:34 +0100 Subject: [PATCH 4/5] Remove development log --- services/nginx/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf index aa12111f..371ed6b2 100644 --- a/services/nginx/nginx.conf +++ b/services/nginx/nginx.conf @@ -16,7 +16,7 @@ http { include policies/*.conf; include endpoints/*.conf; - log_format debug_map 'política: $uri - $endpoint:$method:$role / $helper_mtls_policy / $invoker_token_policy / $invoker_mtls_policy/ "$service:$has_token:$has_cert" / $active_policy /$auth_allowed // $ssl_client_s_dn_cn'; + # log_format debug_map 'Policy: $uri - $endpoint:$method:$role"$service:$has_token:$has_cert:$active_policy:$auth_allowed:$ssl_client_s_dn_cn' server { listen 8080; @@ -41,7 +41,7 @@ http { ssl_session_tickets off; # (ONLY DEVELOPMENT)Send the log directly to the console (useful in Docker or terminal) - access_log /dev/stdout debug_map; + # access_log /dev/stdout debug_map; location / { proxy_pass $scheme://$http_host/api-invoker-management/v1/ui/; -- GitLab From ea105112da074a20103559da100f80790953e13e Mon Sep 17 00:00:00 2001 
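Review bot: the header comments in the two new policy files were copied from other files: `acl-mtls.conf` says `# Security policies that use mTLS for authentication` and `events-mtls.conf` says `#Publish policies that use mTLS for authentication`. Suggest `# Access-control-policy rules that use mTLS for authentication` and `# Events rules that use mTLS for authentication` so the files describe themselves.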
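Review bot: the commented-out `# log_format debug_map 'Policy: …'` line in the first nginx.conf hunk of patch 4 has no terminating `;`, so re-enabling it by dropping the `#` would make nginx fail to load; either keep the full directive in the comment or remove both commented lines and leave only the `# (ONLY DEVELOPMENT)` note. If it stays as a reminder, a comment that `debug_map` records `$ssl_client_s_dn_cn` and every policy variable per request, and must not be enabled outside development, would make the intent clear.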
From: Jorge Moratinos Salcines Date: Tue, 10 Feb 2026 16:36:37 +0100 Subject: [PATCH 5/5] Include a rule to allow customer to see swagger UI --- services/helper/helper_service/app.py | 2 +- services/nginx/nginx.conf | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/services/helper/helper_service/app.py b/services/helper/helper_service/app.py index cb7a3d51..fcb9b8cd 100644 --- a/services/helper/helper_service/app.py +++ b/services/helper/helper_service/app.py @@ -120,7 +120,7 @@ for name, pkg in package_paths.items(): openapi_file, # relative to specification_dir (SERVICES_DIR) arguments={"title": title}, pythonic_params=True, - base_path=base_path + base_path="/helper/" + base_path ) diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf index 371ed6b2..b6453b45 100644 --- a/services/nginx/nginx.conf +++ b/services/nginx/nginx.conf @@ -43,8 +43,12 @@ http { # (ONLY DEVELOPMENT)Send the log directly to the console (useful in Docker or terminal) # access_log /dev/stdout debug_map; - location / { - proxy_pass $scheme://$http_host/api-invoker-management/v1/ui/; + location ~^/(?[^/]+)(?:/(?[^/]+))?/(ui|openapi\.json|swagger\.json) { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://$service_forwarding:8080; } location /api-invoker-management { @@ -159,7 +163,7 @@ http { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://helper:8080/; + proxy_pass http://helper:8080; } } -- GitLab
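Review bot: `base_path="/helper/" + base_path` produces `/helper//…` if `base_path` already begins with `/`, which the hunk does not reveal (the `for name, pkg in package_paths.items()` loop it sits in begins outside the hunk). If those values are `/`-prefixed, `base_path="/helper" + base_path` or `base_path="/helper/" + base_path.lstrip("/")` registers the route as `/helper/<x>`, which is what the nginx `proxy_pass http://helper:8080` change in this patch now forwards unchanged.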
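Review bot: the new regex `location` takes the upstream host from the request path: the capture names did not survive rendering, but nothing else in the series defines `$service_forwarding`, so it is presumably the first path segment, and `proxy_pass http://$service_forwarding:8080;` then connects to whatever name the client put there — any host reachable from the container on port 8080, not only the CAPIF services. Because a regex location outranks the `location /api-invoker-management`-style prefix locations, this block also serves every `/<svc>[/<x>]/ui`, `openapi.json` and `swagger.json` path without the `$auth_allowed` check, which is presumably the intent for the Swagger UI but now applies to all services, and the pattern has no end anchor, so `…/uiANYTHING` matches as well. A variable in `proxy_pass` additionally needs a `resolver` (or `upstream` blocks named like the services) to work, which is outside these hunks. Suggest resolving the captured segment through an allow-list map and anchoring the pattern, as below; the second capture's name was lost too — keep it if anything reads it.
```nginx
# http { } context: only forward Swagger/OpenAPI requests to services this gateway knows.
# List taken from the proxy_pass targets visible in this series; add the
# capif-security upstream, whose proxy_pass is outside these hunks.
map $service_forwarding $swagger_upstream {
    default                  "";
    api-invoker-management   api-invoker-management;
    api-provider-management  api-provider-management;
    service-apis             service-apis;
    published-apis           published-apis;
    api-invocation-logs      api-invocation-logs;
    logs                     logs;
    capif-events             capif-events;
    access-control-policy    access-control-policy;
    helper                   helper;
}

# … unchanged: server { } and ssl settings …

location ~ ^/(?<service_forwarding>[^/]+)(?:/[^/]+)?/(?:ui|openapi\.json|swagger\.json)(?:/|$) {
    # Unknown first segment: do not proxy anywhere.
    if ($swagger_upstream = "") {
        return 404;
    }
    # … unchanged: proxy_set_header Host / X-Real-IP / X-Forwarded-For …
    proxy_pass http://$swagger_upstream:8080;
}
```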