Merge pull request #20 from KunLee76/feature/oauth

ianchen0119 · web-flow · commit 04c86d64c0de · 2024-02-07T15:56:31.000+08:00
diff --git a/go.mod b/go.mod
@@ -1,18 +1,19 @@
 module github.com/free5gc/pcf
 
-go 1.17
+go 1.18
 
 require (
 	github.com/antihax/optional v1.0.0
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/cydev/zero v0.0.0-20160322155811-4a4535dd56e7
-	github.com/free5gc/openapi v1.0.7-0.20231216094313-e15a4ff046f6
+	github.com/free5gc/openapi v1.0.7-0.20240207073137-2f335d104547
 	github.com/free5gc/util v1.0.5-0.20231001095115-433858e5be94
 	github.com/gin-contrib/cors v1.3.1
 	github.com/gin-gonic/gin v1.9.1
-	github.com/google/uuid v1.3.0
+	github.com/google/uuid v1.4.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/sirupsen/logrus v1.8.1
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.9.3
 	github.com/urfave/cli v1.22.5
 	go.mongodb.org/mongo-driver v1.8.4
 	gopkg.in/yaml.v2 v2.4.0
@@ -43,7 +44,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/tim-ywliu/nested-logrus-formatter v1.3.2 // indirect
@@ -54,12 +54,12 @@ require (
 	github.com/xdg-go/stringprep v1.0.2 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20210810183815-faf39c7919d5 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/appengine v1.6.6 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/h2non/gock.v1 v1.1.2 // indirect
diff --git a/go.sum b/go.sum
diff --git a/internal/context/context.go b/internal/context/context.go
@@ -71,7 +71,13 @@ type AppSessionData struct {
 	SmPolicyData *UeSmPolicyData
 }
 
-var pcfContext PCFContext
+var pcfContext = PCFContext{}
+
+type NFContext interface {
+	AuthorizationCheck(token string, serviceName models.ServiceName) error
+}
+
+var _ NFContext = &PCFContext{}
 
 func InitpcfContext(context *PCFContext) {
 	config := factory.PcfConfig
@@ -433,12 +439,27 @@ func (c *PCFContext) NewAmfStatusSubscription(subscriptionID string, subscriptio
 	c.AMFStatusSubsData.Store(subscriptionID, subscriptionData)
 }
 
-func (c *PCFContext) GetTokenCtx(scope, targetNF string) (
+func (c *PCFContext) GetTokenCtx(serviceName models.ServiceName, targetNF models.NfType) (
 	context.Context, *models.ProblemDetails, error,
 ) {
 	if !c.OAuth2Required {
 		return context.TODO(), nil, nil
 	}
-	return oauth.GetTokenCtx(models.NfType_PCF,
-		c.NfId, c.NrfUri, scope, targetNF)
+	return oauth.GetTokenCtx(models.NfType_PCF, targetNF,
+		c.NfId, c.NrfUri, string(serviceName))
+}
+
+func (c *PCFContext) AuthorizationCheck(token string, serviceName models.ServiceName) error {
+	if !c.OAuth2Required {
+		logger.UtilLog.Debugf("PCFContext::AuthorizationCheck: OAuth2 not required\n")
+		return nil
+	}
+	// TODO: free5gc webconsole uses npcf-oam but it can't get token since it's not an NF.
+	if serviceName == models.ServiceName_NPCF_OAM {
+		logger.UtilLog.Warnf("OAuth2 is enable but namf-oam didn't check token now.")
+		return nil
+	}
+
+	logger.UtilLog.Debugf("PCFContext::AuthorizationCheck: token[%s] serviceName[%s]\n", token, serviceName)
+	return oauth.VerifyOAuth(token, string(serviceName), c.NrfCertPem)
 }
diff --git a/internal/sbi/ampolicy/routers.go b/internal/sbi/ampolicy/routers.go
@@ -15,7 +15,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	pcf_context "github.com/free5gc/pcf/internal/context"
 	"github.com/free5gc/pcf/internal/logger"
+	"github.com/free5gc/pcf/internal/util"
 	"github.com/free5gc/pcf/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -45,6 +48,11 @@ func NewRouter() *gin.Engine {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.PcfAMpolicyCtlResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_AM_POLICY_CONTROL)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, pcf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":
diff --git a/internal/sbi/bdtpolicy/routers.go b/internal/sbi/bdtpolicy/routers.go
@@ -18,7 +18,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	pcf_context "github.com/free5gc/pcf/internal/context"
 	"github.com/free5gc/pcf/internal/logger"
+	"github.com/free5gc/pcf/internal/util"
 	"github.com/free5gc/pcf/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -48,6 +51,11 @@ func NewRouter() *gin.Engine {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.PcfBdtPolicyCtlResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_BDTPOLICYCONTROL)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, pcf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":
diff --git a/internal/sbi/consumer/communication.go b/internal/sbi/consumer/communication.go
@@ -1,7 +1,6 @@
 package consumer
 
 import (
-	"context"
 	"fmt"
 	"strings"
 
@@ -24,9 +23,12 @@ func AmfStatusChangeSubscribe(amfUri string, guamiList []models.Guami) (
 		AmfStatusUri: fmt.Sprintf("%s"+factory.PcfCallbackResUriPrefix+"/amfstatus", pcfSelf.GetIPv4Uri()),
 		GuamiList:    guamiList,
 	}
-
+	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NAMF_COMM, models.NfType_AMF)
+	if err != nil {
+		return pd, err
+	}
 	res, httpResp, localErr := client.SubscriptionsCollectionDocumentApi.AMFStatusChangeSubscribe(
-		context.Background(), subscriptionData)
+		ctx, subscriptionData)
 	defer func() {
 		if rspCloseErr := httpResp.Body.Close(); rspCloseErr != nil {
 			logger.ConsumerLog.Errorf("AMFStatusChangeSubscribe response body cannot close: %+v",
diff --git a/internal/sbi/consumer/influenceDataSubscription.go b/internal/sbi/consumer/influenceDataSubscription.go
@@ -1,7 +1,6 @@
 package consumer
 
 import (
-	"context"
 	"strconv"
 	"strings"
 
@@ -20,10 +19,14 @@ func CreateInfluenceDataSubscription(ue *pcf_context.UeContext, request models.S
 		logger.ConsumerLog.Warnf("Can't find corresponding UDR with UE[%s]", ue.Supi)
 		return "", &problemDetail, nil
 	}
+	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return "", pd, err
+	}
 	udrClient := util.GetNudrClient(ue.UdrUri)
 	trafficInfluSub := buildTrafficInfluSub(request)
 	_, httpResp, localErr := udrClient.InfluenceDataSubscriptionsCollectionApi.
-		ApplicationDataInfluenceDataSubsToNotifyPost(context.Background(), trafficInfluSub)
+		ApplicationDataInfluenceDataSubsToNotifyPost(ctx, trafficInfluSub)
 	if localErr == nil {
 		locationHeader := httpResp.Header.Get("Location")
 		subscriptionID = locationHeader[strings.LastIndex(locationHeader, "/")+1:]
@@ -70,9 +73,13 @@ func RemoveInfluenceDataSubscription(ue *pcf_context.UeContext, subscriptionID s
 		logger.ConsumerLog.Warnf("Can't find corresponding UDR with UE[%s]", ue.Supi)
 		return &problemDetail, nil
 	}
+	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return pd, err
+	}
 	udrClient := util.GetNudrClient(ue.UdrUri)
 	httpResp, localErr := udrClient.IndividualInfluenceDataSubscriptionDocumentApi.
-		ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete(context.Background(), subscriptionID)
+		ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete(ctx, subscriptionID)
 	if localErr == nil {
 		logger.ConsumerLog.Debugf("Nudr_DataRepository Remove Influence Data Subscription Status %s",
 			httpResp.Status)
diff --git a/internal/sbi/consumer/nf_discovery.go b/internal/sbi/consumer/nf_discovery.go
@@ -22,7 +22,7 @@ func SendSearchNFInstances(
 	configuration.SetBasePath(nrfUri)
 	client := Nnrf_NFDiscovery.NewAPIClient(configuration)
 
-	ctx, _, err := pcf_context.GetSelf().GetTokenCtx("nnrf-disc", "NRF")
+	ctx, _, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_DISC, models.NfType_NRF)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/sbi/consumer/nf_management.go b/internal/sbi/consumer/nf_management.go
@@ -1,12 +1,13 @@
 package consumer
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 
+	"github.com/pkg/errors"
+
 	"github.com/free5gc/openapi"
 	"github.com/free5gc/openapi/Nnrf_NFManagement"
 	"github.com/free5gc/openapi/models"
@@ -51,12 +52,18 @@ func SendRegisterNFInstance(nrfUri, nfInstanceId string, profile models.NfProfil
 	// Set client and set url
 	configuration := Nnrf_NFManagement.NewConfiguration()
 	configuration.SetBasePath(nrfUri)
-	client := Nnrf_NFManagement.NewAPIClient(configuration)
+	apiClient := Nnrf_NFManagement.NewAPIClient(configuration)
+
+	ctx, _, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_NFM, models.NfType_NRF)
+	if err != nil {
+		return "", "",
+			errors.Errorf("SendRegisterNFInstance error: %+v", err)
+	}
 
 	var res *http.Response
 	var nf models.NfProfile
 	for {
-		nf, res, err = client.NFInstanceIDDocumentApi.RegisterNFInstance(context.TODO(), nfInstanceId, profile)
+		nf, res, err = apiClient.NFInstanceIDDocumentApi.RegisterNFInstance(ctx, nfInstanceId, profile)
 		if err != nil || res == nil {
 			// TODO : add log
 			fmt.Println(fmt.Errorf("PCF register to NRF Error[%v]", err.Error()))
@@ -102,7 +109,7 @@ func SendRegisterNFInstance(nrfUri, nfInstanceId string, profile models.NfProfil
 func SendDeregisterNFInstance() (problemDetails *models.ProblemDetails, err error) {
 	logger.ConsumerLog.Infof("Send Deregister NFInstance")
 
-	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx("nnrf-nfm", "NRF")
+	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_NFM, models.NfType_NRF)
 	if err != nil {
 		return pd, err
 	}
diff --git a/internal/sbi/httpcallback/router.go b/internal/sbi/httpcallback/router.go
@@ -35,7 +35,7 @@ func NewRouter() *gin.Engine {
 
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.PcfCallbackResUriPrefix)
-	// https://localhost:29507/{factory.PcfCallbackResUriPrefix}/route
+
 	for _, route := range routes {
 		switch route.Method {
 		case "POST":
diff --git a/internal/sbi/oam/routers.go b/internal/sbi/oam/routers.go
@@ -5,7 +5,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	pcf_context "github.com/free5gc/pcf/internal/context"
 	"github.com/free5gc/pcf/internal/logger"
+	"github.com/free5gc/pcf/internal/util"
 	"github.com/free5gc/pcf/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -35,6 +38,11 @@ func NewRouter() *gin.Engine {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.PcfOamResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_OAM)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, pcf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":
diff --git a/internal/sbi/policyauthorization/routers.go b/internal/sbi/policyauthorization/routers.go
@@ -15,7 +15,10 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/free5gc/openapi/models"
+	pcf_context "github.com/free5gc/pcf/internal/context"
 	"github.com/free5gc/pcf/internal/logger"
+	"github.com/free5gc/pcf/internal/util"
 	"github.com/free5gc/pcf/pkg/factory"
 	logger_util "github.com/free5gc/util/logger"
 )
@@ -45,6 +48,11 @@ func NewRouter() *gin.Engine {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.PcfPolicyAuthResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_POLICYAUTHORIZATION)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, pcf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":
diff --git a/internal/sbi/producer/ampolicy.go b/internal/sbi/producer/ampolicy.go
@@ -1,7 +1,6 @@
 package producer
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -235,10 +234,15 @@ func PostPoliciesProcedure(polAssoId string,
 	assolId := fmt.Sprintf("%s-%d", ue.Supi, ue.PolAssociationIDGenerator)
 	amPolicy := ue.AMPolicyData[assolId]
 
+	ctx, pd, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NUDR_DR, models.NfType_UDR)
+	if err != nil {
+		return nil, "", pd
+	}
+
 	if amPolicy == nil || amPolicy.AmPolicyData == nil {
 		client := util.GetNudrClient(udrUri)
 		var response *http.Response
-		amData, response, err := client.DefaultApi.PolicyDataUesUeIdAmDataGet(context.Background(), ue.Supi)
+		amData, response, err := client.DefaultApi.PolicyDataUesUeIdAmDataGet(ctx, ue.Supi)
 		if err != nil || response == nil || response.StatusCode != http.StatusOK {
 			problemDetail := util.GetProblemDetail("Can't find UE AM Policy Data in UDR", util.USER_UNKNOWN)
 			logger.AmPolicyLog.Errorf("Can't find UE[%s] AM Policy Data in UDR", ue.Supi)
@@ -326,10 +330,16 @@ func SendAMPolicyUpdateNotification(ue *pcf_context.UeContext, PolId string, req
 		logger.AmPolicyLog.Warnf("Policy Update Notification Error[Can't find polAssoId[%s] in UE(%s)]", PolId, ue.Supi)
 		return
 	}
+
+	ctx, _, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NPCF_AM_POLICY_CONTROL, models.NfType_PCF)
+	if err != nil {
+		return
+	}
+
 	client := util.GetNpcfAMPolicyCallbackClient()
 	uri := amPolicyData.NotificationUri
 	for uri != "" {
-		rsp, err := client.DefaultCallbackApi.PolicyUpdateNotification(context.Background(), uri, request)
+		rsp, err := client.DefaultCallbackApi.PolicyUpdateNotification(ctx, uri, request)
 		if err != nil {
 			if rsp != nil && rsp.StatusCode != http.StatusNoContent {
 				logger.AmPolicyLog.Warnf("Policy Update Notification Error[%s]", rsp.Status)
@@ -378,9 +388,15 @@ func SendAMPolicyTerminationRequestNotification(ue *pcf_context.UeContext,
 	}
 	client := util.GetNpcfAMPolicyCallbackClient()
 	uri := amPolicyData.NotificationUri
+
+	ctx, _, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NPCF_AM_POLICY_CONTROL, models.NfType_PCF)
+	if err != nil {
+		return
+	}
+
 	for uri != "" {
 		rsp, err := client.DefaultCallbackApi.PolicyAssocitionTerminationRequestNotification(
-			context.Background(), uri, request)
+			ctx, uri, request)
 		if err != nil {
 			if rsp != nil && rsp.StatusCode != http.StatusNoContent {
 				logger.AmPolicyLog.Warnf("Policy Assocition Termination Request Notification Error[%s]", rsp.Status)
diff --git a/internal/sbi/producer/bdtpolicy.go b/internal/sbi/producer/bdtpolicy.go
diff --git a/internal/sbi/producer/policyauthorization.go b/internal/sbi/producer/policyauthorization.go
diff --git a/internal/sbi/producer/smpolicy.go b/internal/sbi/producer/smpolicy.go
diff --git a/internal/util/router_auth_check.go b/internal/util/router_auth_check.go
diff --git a/internal/util/router_auth_check_test.go b/internal/util/router_auth_check_test.go

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ func SendSearchNFInstances(`
`22`	`22`	`configuration.SetBasePath(nrfUri)`
`23`	`23`	`client := Nnrf_NFDiscovery.NewAPIClient(configuration)`
`24`	`24`
`25`		`- ctx, _, err := pcf_context.GetSelf().GetTokenCtx("nnrf-disc", "NRF")`
	`25`	`+ ctx, _, err := pcf_context.GetSelf().GetTokenCtx(models.ServiceName_NNRF_DISC, models.NfType_NRF)`
`26`	`26`	`if err != nil {`
`27`	`27`	`return nil, err`
`28`	`28`	`}`