Merge pull request #33 from a3828162/OAuth2

feature/OAuth2
free5gc · Feb 7, 2024 · 4e377b7 · 4e377b7
2 parents 3f54f76 + a360dcf
commit 4e377b7
Show file tree

Hide file tree

Showing 18 changed files with 355 additions and 57 deletions.
diff --git a/go.mod b/go.mod
@@ -5,10 +5,11 @@ go 1.17
 require (
 	github.com/antihax/optional v1.0.0
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
-	github.com/free5gc/openapi v1.0.7-0.20240103020621-eac6ed4c55a2
+	github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693
 	github.com/free5gc/util v1.0.5-0.20231001095115-433858e5be94
 	github.com/gin-gonic/gin v1.9.1
 	github.com/google/uuid v1.3.0
+	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/urfave/cli v1.22.5
 	golang.org/x/crypto v0.17.0
@@ -39,7 +40,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/stretchr/testify v1.8.4 // indirect

diff --git a/go.sum b/go.sum
@@ -60,12 +60,8 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
-github.com/free5gc/openapi v1.0.7-0.20231216094313-e15a4ff046f6 h1:8P/wOkTAQMgZJe9pUUNSTE5PWeAdlMrsU9kLsI+VAVE=
-github.com/free5gc/openapi v1.0.7-0.20231216094313-e15a4ff046f6/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
-github.com/free5gc/openapi v1.0.7-0.20240103015505-c59d25933307 h1:+nPBoSAXDX8v0ZhQTMjVwPk5dPcfyzUL95SrnL/BZ9M=
-github.com/free5gc/openapi v1.0.7-0.20240103015505-c59d25933307/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
-github.com/free5gc/openapi v1.0.7-0.20240103020621-eac6ed4c55a2 h1:+zyYDAnGtY72HUiF4PwIC2y7V3Pcdf0PgvN9gtkDJ2A=
-github.com/free5gc/openapi v1.0.7-0.20240103020621-eac6ed4c55a2/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
+github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693 h1:gFyYBsErQAkx4OVHXYqjO0efO9gPWydQavQcjU0CkHY=
+github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
 github.com/free5gc/util v1.0.5-0.20231001095115-433858e5be94 h1:tNylIqH/m5Kq+3KuC+jjXGl06Y6EmM8yq61ZUgNrPBY=
 github.com/free5gc/util v1.0.5-0.20231001095115-433858e5be94/go.mod h1:aMszJZbCkcg5xaGgzya+55jz+OPMsJqPLq5Z3fWDFPE=
 github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=

diff --git a/internal/context/context.go b/internal/context/context.go
@@ -21,7 +21,7 @@ import (
 	"github.com/free5gc/util/idgenerator"
 )
 
-var udmContext UDMContext
+var udmContext = UDMContext{}
 
 const (
 	LocationUriAmf3GppAccessRegistration int = iota
@@ -36,6 +36,12 @@ func Init() {
 	GetSelf().EeSubscriptionIDGenerator = idgenerator.NewGenerator(1, math.MaxInt32)
 }
 
+type NFContext interface {
+	AuthorizationCheck(token string, serviceName models.ServiceName) error
+}
+
+var _ NFContext = &UDMContext{}
+
 type UDMContext struct {
 	NfId                           string
 	GroupId                        string
@@ -483,16 +489,29 @@ func (context *UDMContext) InitNFService(serviceName []string, version string) {
 	}
 }
 
-func (c *UDMContext) GetTokenCtx(scope, targetNF string) (
+func (c *UDMContext) GetTokenCtx(serviceName models.ServiceName, targetNF models.NfType) (
 	context.Context, *models.ProblemDetails, error,
 ) {
 	if !c.OAuth2Required {
 		return context.TODO(), nil, nil
 	}
-	return oauth.GetTokenCtx(models.NfType_UDM,
-		c.NfId, c.NrfUri, scope, targetNF)
+	return oauth.GetTokenCtx(models.NfType_UDM, targetNF,
+		c.NfId, c.NrfUri, string(serviceName))
 }
 
 func GetSelf() *UDMContext {
 	return &udmContext
 }
+
+func (context *UDMContext) AuthorizationCheck(token string, serviceName models.ServiceName) error {
+	if !context.OAuth2Required {
+		logger.UtilLog.Debugf("UDMContext::AuthorizationCheck: OAuth2 not required\n")
+		return nil
+	}
+	logger.UtilLog.Debugf("UDMContext::AuthorizationCheck: token[%s] serviceName[%s]\n", token, serviceName)
+	err := oauth.VerifyOAuth(token, string(serviceName), context.NrfCertPem)
+	if err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/internal/sbi/consumer/nf_discovery.go b/internal/sbi/consumer/nf_discovery.go
@@ -25,7 +25,7 @@ func SendNFIntances(nrfUri string, targetNfType, requestNfType models.NfType,
 	configuration.SetBasePath(nrfUri) // addr
 	clientNRF := Nnrf_NFDiscovery.NewAPIClient(configuration)
 
-	ctx, _, err := udm_context.GetSelf().GetTokenCtx("nnrf-disc", "NRF")
+	ctx, _, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_DISC, models.NfType_NRF)
 	if err != nil {
 		return
 	}

diff --git a/internal/sbi/consumer/nf_management.go b/internal/sbi/consumer/nf_management.go
@@ -94,8 +94,7 @@ func SendRegisterNFInstance(nrfUri, nfInstanceId string, profile models.NfProfil
 
 func SendDeregisterNFInstance() (problemDetails *models.ProblemDetails, err error) {
 	logger.ConsumerLog.Infof("Send Deregister NFInstance")
-
-	ctx, pd, err := udm_context.GetSelf().GetTokenCtx("nnrf-nfm", "NRF")
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_NFM, models.NfType_NRF)
 	if err != nil {
 		return pd, err
 	}

diff --git a/internal/sbi/eventexposure/routers.go b/internal/sbi/eventexposure/routers.go
@@ -15,7 +15,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	udm_context "github.com/free5gc/udm/internal/context"
 	"github.com/free5gc/udm/internal/logger"
+	"github.com/free5gc/udm/internal/util"
 	"github.com/free5gc/udm/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -38,13 +41,18 @@ type Routes []Route
 // NewRouter returns a new router.
 func NewRouter() *gin.Engine {
 	router := logger_util.NewGinWithLogrus(logger.GinLog)
+
 	AddService(router)
 	return router
 }
 
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.UdmEeResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NUDM_EE)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, udm_context.GetSelf())
+	})
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":

diff --git a/internal/sbi/parameterprovision/routers.go b/internal/sbi/parameterprovision/routers.go
@@ -15,7 +15,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	udm_context "github.com/free5gc/udm/internal/context"
 	"github.com/free5gc/udm/internal/logger"
+	"github.com/free5gc/udm/internal/util"
 	"github.com/free5gc/udm/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -38,13 +41,17 @@ type Routes []Route
 // NewRouter returns a new router.
 func NewRouter() *gin.Engine {
 	router := logger_util.NewGinWithLogrus(logger.GinLog)
+
 	AddService(router)
 	return router
 }
 
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.UdmPpResUriPrefix)
-
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NUDM_PP)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, udm_context.GetSelf())
+	})
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":

diff --git a/internal/sbi/producer/callback/callback.go b/internal/sbi/producer/callback/callback.go
@@ -1,7 +1,6 @@
 package callback
 
 import (
-	"context"
 	"net/http"
 
 	"github.com/free5gc/openapi/Nudm_SubscriberDataManagement"
@@ -12,6 +11,11 @@ import (
 )
 
 func DataChangeNotificationProcedure(notifyItems []models.NotifyItem, supi string) *models.ProblemDetails {
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NUDM_SDM, models.NfType_UDM)
+	if err != nil {
+		return pd
+	}
+
 	ue, _ := udm_context.GetSelf().UdmUeFindBySupi(supi)
 	configuration := Nudm_SubscriberDataManagement.NewConfiguration()
 	clientAPI := Nudm_SubscriberDataManagement.NewAPIClient(configuration)
@@ -21,8 +25,9 @@ func DataChangeNotificationProcedure(notifyItems []models.NotifyItem, supi strin
 		onDataChangeNotificationurl := subscriptionDataSubscription.OriginalCallbackReference
 		dataChangeNotification := models.ModificationNotification{}
 		dataChangeNotification.NotifyItems = notifyItems
+
 		httpResponse, err := clientAPI.DataChangeNotificationCallbackDocumentApi.OnDataChangeNotification(
-			context.TODO(), onDataChangeNotificationurl, dataChangeNotification)
+			ctx, onDataChangeNotificationurl, dataChangeNotification)
 		if err != nil {
 			if httpResponse == nil {
 				logger.HttpLog.Error(err.Error())
@@ -52,11 +57,15 @@ func DataChangeNotificationProcedure(notifyItems []models.NotifyItem, supi strin
 func SendOnDeregistrationNotification(ueId string, onDeregistrationNotificationUrl string,
 	deregistData models.DeregistrationData,
 ) *models.ProblemDetails {
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NUDM_UECM, models.NfType_UDM)
+	if err != nil {
+		return pd
+	}
 	configuration := Nudm_UEContextManagement.NewConfiguration()
 	clientAPI := Nudm_UEContextManagement.NewAPIClient(configuration)
 
 	httpResponse, err := clientAPI.DeregistrationNotificationCallbackApi.DeregistrationNotify(
-		context.TODO(), onDeregistrationNotificationUrl, deregistData)
+		ctx, onDeregistrationNotificationUrl, deregistData)
 	if err != nil {
 		if httpResponse == nil {
 			logger.HttpLog.Error(err.Error())

diff --git a/internal/sbi/producer/event_exposure.go b/internal/sbi/producer/event_exposure.go
@@ -36,7 +36,6 @@ func CreateEeSubscriptionProcedure(ueIdentity string,
 	eesubscription models.EeSubscription,
 ) (*models.CreatedEeSubscription, *models.ProblemDetails) {
 	udmSelf := udm_context.GetSelf()
-
 	logger.EeLog.Debugf("udIdentity: %s", ueIdentity)
 	switch {
 	// GPSI (MSISDN identifier) represents a single UE

diff --git a/internal/sbi/producer/generate_auth_data.go b/internal/sbi/producer/generate_auth_data.go
@@ -1,7 +1,6 @@
 package producer
 
 import (
-	"context"
 	cryptoRand "crypto/rand"
 	"encoding/hex"
 	"fmt"
@@ -119,6 +118,10 @@ func HandleConfirmAuthDataRequest(request *httpwrapper.Request) *httpwrapper.Res
 }
 
 func ConfirmAuthDataProcedure(authEvent models.AuthEvent, supi string) (problemDetails *models.ProblemDetails) {
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return pd
+	}
 	var createAuthParam Nudr_DataRepository.CreateAuthenticationStatusParamOpts
 	optInterface := optional.NewInterface(authEvent)
 	createAuthParam.AuthEvent = optInterface
@@ -127,8 +130,9 @@ func ConfirmAuthDataProcedure(authEvent models.AuthEvent, supi string) (problemD
 	if err != nil {
 		return openapi.ProblemDetailsSystemFailure(err.Error())
 	}
+
 	resp, err := client.AuthenticationStatusDocumentApi.CreateAuthenticationStatus(
-		context.Background(), supi, &createAuthParam)
+		ctx, supi, &createAuthParam)
 	if err != nil {
 		problemDetails = &models.ProblemDetails{
 			Status: int32(resp.StatusCode),
@@ -151,6 +155,10 @@ func ConfirmAuthDataProcedure(authEvent models.AuthEvent, supi string) (problemD
 func GenerateAuthDataProcedure(authInfoRequest models.AuthenticationInfoRequest, supiOrSuci string) (
 	response *models.AuthenticationInfoResult, problemDetails *models.ProblemDetails,
 ) {
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return nil, pd
+	}
 	logger.UeauLog.Traceln("In GenerateAuthDataProcedure")
 
 	response = &models.AuthenticationInfoResult{}
@@ -173,7 +181,7 @@ func GenerateAuthDataProcedure(authInfoRequest models.AuthenticationInfoRequest,
 	if err != nil {
 		return nil, openapi.ProblemDetailsSystemFailure(err.Error())
 	}
-	authSubs, res, err := client.AuthenticationDataDocumentApi.QueryAuthSubsData(context.Background(), supi, nil)
+	authSubs, res, err := client.AuthenticationDataDocumentApi.QueryAuthSubsData(ctx, supi, nil)
 	if err != nil {
 		problemDetails = &models.ProblemDetails{
 			Status: http.StatusForbidden,
@@ -461,8 +469,9 @@ func GenerateAuthDataProcedure(authInfoRequest models.AuthenticationInfoRequest,
 	}
 
 	var rsp *http.Response
+
 	rsp, err = client.AuthenticationDataDocumentApi.ModifyAuthentication(
-		context.Background(), supi, patchItemArray)
+		ctx, supi, patchItemArray)
 	if err != nil {
 		problemDetails = &models.ProblemDetails{
 			Status: http.StatusForbidden,

diff --git a/internal/sbi/producer/parameter_provision.go b/internal/sbi/producer/parameter_provision.go
@@ -1,11 +1,11 @@
 package producer
 
 import (
-	"context"
 	"net/http"
 
 	"github.com/free5gc/openapi"
 	"github.com/free5gc/openapi/models"
+	udm_context "github.com/free5gc/udm/internal/context"
 	"github.com/free5gc/udm/internal/logger"
 	"github.com/free5gc/util/httpwrapper"
 )
@@ -30,11 +30,15 @@ func HandleUpdateRequest(request *httpwrapper.Request) *httpwrapper.Response {
 }
 
 func UpdateProcedure(updateRequest models.PpData, gpsi string) (problemDetails *models.ProblemDetails) {
+	ctx, pd, err := udm_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return pd
+	}
 	clientAPI, err := createUDMClientToUDR(gpsi)
 	if err != nil {
 		return openapi.ProblemDetailsSystemFailure(err.Error())
 	}
-	res, err := clientAPI.ProvisionedParameterDataDocumentApi.ModifyPpData(context.Background(), gpsi, nil)
+	res, err := clientAPI.ProvisionedParameterDataDocumentApi.ModifyPpData(ctx, gpsi, nil)
 	if err != nil {
 		problemDetails = &models.ProblemDetails{
 			Status: int32(res.StatusCode),