From 0c51276c39cfb6085a945d36fabdc3b19f3f090a Mon Sep 17 00:00:00 2001 From: Jorge Moratinos Salcines Date: Mon, 7 Apr 2025 11:58:11 +0200 Subject: [PATCH 1/2] updated release notes --- doc/releasenotes.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/doc/releasenotes.md b/doc/releasenotes.md index 2b3cee8c..106b2cef 100644 --- a/doc/releasenotes.md +++ b/doc/releasenotes.md @@ -17,8 +17,6 @@ ### **Technical Debt Solved** -- Implemented in the API Provider Management the supported features negotiation for the suppFeat field during provider registration. The server now decodes the negotiated feature set based on client capabilities and system support. - #### **Hardening on startup scripts for services interacting with Vault** The startup scripts of the ***Invoker Management Service***, ***Provider Management Service***, and ***Security Service*** have been improved to ensure reliability when the Vault service takes longer to become ready. These new scripts check responses from the Vault to ensure the returned information is valid before starting each service. 
@@ -33,6 +31,18 @@ This will also helps on the restart issue on k8s deployed OpenCAPIF. - Documentation about Dynamic Configuration. - Documentation about Helper and Register swaggers. +#### SupportedFeatures Negotiation + +- Implemented in the API Provider Management the supported features negotiation for the suppFeat field during provider registration. The server now decodes the negotiated feature set based on client capabilities and system support. + +- Code Review of Events API according to the supported features negotiation. + +- Code Review of Discover API according to the supported features negotiation. + +#### Security Method PKI + +- Security API Service GET /trustedInvokers/{apiIncokerId} logic updated. Now it will check securityMethod selected and according to that, inserts on authenticationInfo and authorizedInfo attributes the needed information [PKI Flow](https://labs.etsi.org/rep/ocf/community/-/wikis/pki-flow) + ### **Documentation** #### Improvements over documentation @@ -46,6 +56,7 @@ This will also helps on the restart issue on k8s deployed OpenCAPIF. - New tests related with [Event Filter Feature](./testing/testplan/event_filter/README.md). - New tests related with [Vendor Extensibility](./testing/testplan/vendor_extensibility/README.md) - [Security Service Testplan](./testing/testplan/api_security_service/README.md) updated according to new features and Technical debts. +- New test on [Security Service Testplan](./testing/testplan/api_security_service/README.md) related with PKI security Method flow, GET request to security perform by AEF must returns CA_Root on authenticationInfo attribute at SecurityInfo. ## **Release 2.0.0** -- GitLab From 3651ce080d50e4d4fea159d29208250b21451455 Mon Sep 17 00:00:00 2001 From: Jorge Moratinos Salcines Date: Mon, 7 Apr 2025 13:31:18 +0200 Subject: [PATCH 2/2] New test to check PKI AEF flog --- .../testplan/api_security_service/README.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) 
diff --git a/doc/testing/testplan/api_security_service/README.md b/doc/testing/testplan/api_security_service/README.md index eeed75e4..224d1c22 100644 --- a/doc/testing/testplan/api_security_service/README.md +++ b/doc/testing/testplan/api_security_service/README.md 
@@ -1341,6 +1341,61 @@ At this documentation you will have all information and related files and exampl * error invalid_scope * error_description=One of the api names does not exist or is not associated with the aef id provided +## Test Case 28: Retrieve Security Context from AEF using PKI-secured API Invoker + +**Test ID**:: ***capif_security_api-28***, ***smoke*** + +**Description**: + + Validate that the AEF can successfully retrieve the security context of an API Invoker when the selected security method is PKI and it contains CA root at ***authenticationInfo*** attribute inside securityInfo. + +**Pre-Conditions**: + + * API Invoker is pre-authorised and Provider is also authorized + +**Execution Steps**: + +1. Register and onboard Invoker at CCF. +2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF with only **PKI** as security method allowed. +3. Create Security Context indicating all security methods security methods as preferred in ***prefSecurityMethods*** attribute. +4. Retrieve Security Context by **AEF**. + +**Information of Test**: + +1. Perform [Invoker Onboarding] and [Provider Registration] + +2. Publish Service API at CCF: + * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis** + * body [service api description] with apiName **service_1** + * apiName: **service_1** + * securityMethods: **PKI** + * Use **APF Certificate** + +3. Create Security Context for this Invoker + * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}** + * body [service security body] + * prefSecurityMethods: **['PKI','PSK','OAUTH']** + * Using **Invoker Certificate**. + * Create Security Information Body with one **securityInfo** for each aef present at each serviceAPIDescription present at Discover. + +4. Retrieve Service Security by AEF: + * Sent GET **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}?authenticationInfo=true&authorizationInfo=true**. 
+ * Query parameters ***authenticationInfo*** and ***authorizationInfo*** set to true. + * Using **AEF Certificate** + +**Expected Result**: + +1. Response to Security Context Creation: + 1. **200 OK** response. + 2. body returned must accomplish **ServiceSecurity** data structure, with: + * ***selSecurityMethod*** inside ***securityInfo***: **PKI** + +2. Response to GET Service Security: + 1. **200 OK** Response. + 2. body returned must accomplish **ServiceSecurity** + 1. ***securityinfo*** attribue only contains one item with ***authenticationInfo*** containing CA root. + + [Return To All Test Plans]: ../README.md [service security body]: ./service_security.json "Service Security Request" -- GitLab
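Review bot: the path parameter in the new "Security Method PKI" bullet (doc/releasenotes.md, hunk @@ -33,6 +31,18 @@) is misspelled as {apiIncokerId}, and the attribute is written authorizedInfo although the test plan added in patch 2/2 uses {apiInvokerId} and the query parameter authorizationInfo. Readers will search for these names, so they should match the API: "GET /trustedInvokers/{apiInvokerId}" and "authenticationInfo and authorizationInfo". The sentence also runs straight into the PKI Flow link with no punctuation; end it with a period and introduce the link, for example "See [PKI Flow](https://labs.etsi.org/rep/ocf/community/-/wikis/pki-flow)."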
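Review bot: the bullet added under the testing section (doc/releasenotes.md, hunk @@ -46,6 +56,7 @@) does not say which test it refers to, and it writes the expected value as CA_Root while the test plan in patch 2/2 says "CA root". Name the test by its identifier from patch 2/2 (Test Case 28, capif_security_api-28) and use one spelling for the value in both files. The wording "GET request to security perform by AEF must returns" should read along the lines of "a GET request to the Security Service performed by the AEF must return the CA root in the authenticationInfo attribute of securityInfo".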
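Review bot: Expected Result 2 of Test Case 28 (doc/testing/testplan/api_security_service/README.md, hunk @@ -1341,6 +1341,61 @@) only requires authenticationInfo "containing CA root", which gives no criterion for a pass, and it says nothing about authorizationInfo even though step 4 sends authorizationInfo=true. State which certificate the returned value is compared with, and add the expected content of authorizationInfo for the PKI method, so that a response carrying some unrelated certificate or leftover material for another method cannot pass. Smaller points in the same hunk: "**Test ID**::" has a doubled colon, execution step 3 repeats "security methods security methods", step 4 of the test information says "Sent GET" without bolding the verb as the other steps do, and "***securityinfo*** attribue" should be "***securityInfo*** attribute". The commit subject also reads "PKI AEF flog", presumably meant to be "flow".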