diff --git a/internal/context/context.go b/internal/context/context.go
index d5f4975..2d0434c 100644
--- a/internal/context/context.go
+++ b/internal/context/context.go
@@ -50,8 +50,6 @@ type UDMContext struct {
 SubscriptionOfSharedDataChange sync.Map // subscriptionID as key
 SuciProfiles []suci.SuciProfile
 EeSubscriptionIDGenerator *idgenerator.IDGenerator
- ClientMap sync.Map
- TokenMap sync.Map
 }
 type UdmUeContext struct {
diff --git a/internal/sbi/consumer/nf_discovery.go b/internal/sbi/consumer/nf_discovery.go
index ab8cf1f..cacdb50 100644
--- a/internal/sbi/consumer/nf_discovery.go
+++ b/internal/sbi/consumer/nf_discovery.go
@@ -1,7 +1,6 @@
 package consumer
 import (
- "context"
 "fmt"
 "net/http"
@@ -21,27 +20,28 @@ const (
 func SendNFIntances(nrfUri string, targetNfType, requestNfType models.NfType,
 param Nnrf_NFDiscovery.SearchNFInstancesParamOpts,
-) (result models.SearchResult, err error) {
+) (*models.SearchResult, error) {
 configuration := Nnrf_NFDiscovery.NewConfiguration()
 configuration.SetBasePath(nrfUri) // addr
 clientNRF := Nnrf_NFDiscovery.NewAPIClient(configuration)
- result, res, err1 := clientNRF.NFInstancesStoreApi.SearchNFInstances(context.TODO(), targetNfType,
- requestNfType, ¶m)
- if err1 != nil {
- err = err1
- return
+ ctx, _, err := GetTokenCtx("nnrf-disc", "NRF")
+ if err != nil {
+ return nil, err
+ }
+
+ result, res, err := clientNRF.NFInstancesStoreApi.SearchNFInstances(ctx, targetNfType, requestNfType, ¶m)
+ if res != nil && res.StatusCode == http.StatusTemporaryRedirect {
+ err = fmt.Errorf("Temporary Redirect For Non NRF Consumer")
+ return nil, err
 }
+
 defer func() {
 if rspCloseErr := res.Body.Close(); rspCloseErr != nil {
 logger.ConsumerLog.Errorf("SearchNFInstances response body cannot close: %+v", rspCloseErr)
 }
 }()
-
- if res != nil && res.StatusCode == http.StatusTemporaryRedirect {
- err = fmt.Errorf("Temporary Redirect For Non NRF Consumer")
- }
- return
+ return &result, err
 }
 func SendNFIntancesUDR(id string, types int) string {
diff --git a/internal/sbi/eventexposure/api_create_ee_subscription.go b/internal/sbi/eventexposure/api_create_ee_subscription.go
index 3f876b2..eda5aa0 100644
--- a/internal/sbi/eventexposure/api_create_ee_subscription.go
+++ b/internal/sbi/eventexposure/api_create_ee_subscription.go
@@ -23,6 +23,11 @@ import (
 // HTTPCreateEeSubscription - Subscribe
 func HTTPCreateEeSubscription(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var eeSubscriptionReq models.EeSubscription
 requestBody, err := c.GetRawData()
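Review bot: `res` is dereferenced by the deferred `res.Body.Close()` in `SendNFIntances` even when `SearchNFInstances` fails without a response, because the old `if err1 != nil { return }` guard was removed and no error check replaces it; an NRF transport failure would then likely end in a nil-pointer panic instead of a returned error. The 307 branch also returns before the defer is registered, so that response body is never closed, and the final `return &result, err` can hand back a non-nil result together with a non-nil error. Registering the close under `if res != nil`, keeping the redirect check inside it, and returning `nil, err` on failure fixes all three, as sketched below. The second value returned by `GetTokenCtx` is discarded with `_`; that function is defined outside this diff, so it is worth confirming nothing meaningful is dropped.

```go
	// … unchanged: client setup and GetTokenCtx call …
	result, res, err := clientNRF.NFInstancesStoreApi.SearchNFInstances(ctx, targetNfType, requestNfType, &param)
	if res != nil {
		// Register the close before any return so the redirect and error paths release the body too.
		defer func() {
			if rspCloseErr := res.Body.Close(); rspCloseErr != nil {
				logger.ConsumerLog.Errorf("SearchNFInstances response body cannot close: %+v", rspCloseErr)
			}
		}()
		if res.StatusCode == http.StatusTemporaryRedirect {
			return nil, fmt.Errorf("Temporary Redirect For Non NRF Consumer")
		}
	}
	if err != nil {
		return nil, err
	}
	return &result, nil
```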
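Review bot: Authorization is opt-in per handler here: the `authorizationCheck(c)` prologue added to `HTTPCreateEeSubscription` (and repeated in the other handlers this commit touches, including `HTTPDeleteEeSubscription`, `HTTPUpdateEeSubscription`, `HTTPUpdate`, `HTTPConfirmAuth`, `genAuthDataHandlerFunc`, the SDM `oneLayerPathHandlerFunc`/`twoLayerPathHandlerFunc`/`threeLayerPathHandlerFunc` and the UECM handlers) only protects a route whose handler remembers to call it. Registering the check once on the router group in each package's `AddService`, as gin middleware that aborts the request on failure, would make the default fail-closed; whether every existing route already carries the prologue cannot be confirmed from the hunks shown. The bare `return` also depends on `util.AuthorizationCheck` having written the error response itself, which deserves a comment such as `// authorizationCheck has already written the error response`. Idiomatic Go would avoid the underscore name: `if err := authorizationCheck(c); err != nil { return }`. The handler body continues outside the hunk.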
diff --git a/internal/sbi/eventexposure/api_delete_ee_subscription.go b/internal/sbi/eventexposure/api_delete_ee_subscription.go
index 8b7343e..44ff48d 100644
--- a/internal/sbi/eventexposure/api_delete_ee_subscription.go
+++ b/internal/sbi/eventexposure/api_delete_ee_subscription.go
@@ -18,6 +18,11 @@ import (
 // DeleteEeSubscription - Unsubscribe
 func HTTPDeleteEeSubscription(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 req := httpwrapper.NewRequest(c.Request, nil)
 req.Params["ueIdentity"] = c.Params.ByName("ueIdentity")
 req.Params["subscriptionID"] = c.Params.ByName("subscriptionId")
diff --git a/internal/sbi/eventexposure/api_update_ee_subscription.go b/internal/sbi/eventexposure/api_update_ee_subscription.go
index f310ce2..75192dd 100644
--- a/internal/sbi/eventexposure/api_update_ee_subscription.go
+++ b/internal/sbi/eventexposure/api_update_ee_subscription.go
@@ -23,6 +23,11 @@ import (
 // UpdateEeSubscription - Patch
 func HTTPUpdateEeSubscription(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var patchList []models.PatchItem
 requestBody, err := c.GetRawData()
diff --git a/internal/sbi/eventexposure/routers.go b/internal/sbi/eventexposure/routers.go
index f02d860..a01acd1 100644
--- a/internal/sbi/eventexposure/routers.go
+++ b/internal/sbi/eventexposure/routers.go
@@ -16,6 +16,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 "github.com/free5gc/udm/pkg/factory"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -42,6 +43,10 @@ func NewRouter() *gin.Engine {
 return router
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-ee")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group(factory.UdmEeResUriPrefix)
diff --git a/internal/sbi/httpcallback/data_change_notification_to_nf.go b/internal/sbi/httpcallback/data_change_notification_to_nf.go
index dfc6be4..2fc3336 100644
--- a/internal/sbi/httpcallback/data_change_notification_to_nf.go
+++ b/internal/sbi/httpcallback/data_change_notification_to_nf.go
@@ -13,6 +13,10 @@ import (
 )
 func HTTPDataChangeNotificationToNF(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
 var dataChangeNotify models.DataChangeNotify
 // step 1: retrieve http request body
 requestBody, err := c.GetRawData()
diff --git a/internal/sbi/httpcallback/router.go b/internal/sbi/httpcallback/router.go
index 2d926b6..9a8979d 100644
--- a/internal/sbi/httpcallback/router.go
+++ b/internal/sbi/httpcallback/router.go
@@ -8,6 +8,7 @@ import (
 "github.com/sirupsen/logrus"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -39,6 +40,10 @@ func NewRouter() *gin.Engine {
 return router
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-sdm")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group("")
diff --git a/internal/sbi/parameterprovision/api_subscription_data_update.go b/internal/sbi/parameterprovision/api_subscription_data_update.go
index aec820c..f1927d2 100644
--- a/internal/sbi/parameterprovision/api_subscription_data_update.go
+++ b/internal/sbi/parameterprovision/api_subscription_data_update.go
@@ -23,6 +23,10 @@ import (
 // Update - provision parameters
 func HTTPUpdate(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
 var ppDataReq models.PpData
 // step 1: retrieve http request body
diff --git a/internal/sbi/parameterprovision/routers.go b/internal/sbi/parameterprovision/routers.go
index 8c37a3e..7b030a7 100644
--- a/internal/sbi/parameterprovision/routers.go
+++ b/internal/sbi/parameterprovision/routers.go
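Review bot: The callback wrapper `authorizationCheck` in `internal/sbi/httpcallback/router.go` checks `HTTPDataChangeNotificationToNF` against the `nudm-sdm` scope, the same scope the subscriber-data-management router uses, and nothing in the hunk says why. It is worth confirming that the NF which sends these data-change notifications is actually issued a token for `nudm-sdm` and is on that service's allow-list; neither is visible in this diff, and if not, notifications would presumably start failing with 401 once OAuth is enabled. A comment on the wrapper would record the intent, for example `// Callback notifications reuse the nudm-sdm scope; the notifying NF must hold a token for it.`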
@@ -16,6 +16,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 "github.com/free5gc/udm/pkg/factory"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -42,6 +43,10 @@ func NewRouter() *gin.Engine {
 return router
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-pp")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group(factory.UdmPpResUriPrefix)
diff --git a/internal/sbi/subscriberdatamanagement/routers.go b/internal/sbi/subscriberdatamanagement/routers.go
index 7624eb6..fe13d56 100644
--- a/internal/sbi/subscriberdatamanagement/routers.go
+++ b/internal/sbi/subscriberdatamanagement/routers.go
@@ -16,6 +16,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 "github.com/free5gc/udm/pkg/factory"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -43,6 +44,11 @@ func NewRouter() *gin.Engine {
 }
 func oneLayerPathHandlerFunc(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 supi := c.Param("supi")
 for _, route := range oneLayerPathRouter {
 if strings.Contains(route.Pattern, supi) && route.Method == c.Request.Method {
@@ -61,6 +67,11 @@ func oneLayerPathHandlerFunc(c *gin.Context) {
 }
 func twoLayerPathHandlerFunc(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 supi := c.Param("supi")
 op := c.Param("subscriptionId")
@@ -94,6 +105,11 @@ func twoLayerPathHandlerFunc(c *gin.Context) {
 }
 func threeLayerPathHandlerFunc(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 op := c.Param("subscriptionId")
 // for "/:supi/sdm-subscriptions/:subscriptionId"
@@ -125,6 +141,10 @@ func threeLayerPathHandlerFunc(c *gin.Context) {
 c.String(http.StatusNotFound, "404 page not found")
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-sdm")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group(factory.UdmSdmResUriPrefix)
diff --git a/internal/sbi/ueauthentication/api_confirm_auth.go b/internal/sbi/ueauthentication/api_confirm_auth.go
index 6e6e79d..556995a 100644
--- a/internal/sbi/ueauthentication/api_confirm_auth.go
+++ b/internal/sbi/ueauthentication/api_confirm_auth.go
@@ -23,6 +23,11 @@ import (
 // ConfirmAuth - Create a new confirmation event
 func HTTPConfirmAuth(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var authEvent models.AuthEvent
 // step 1: retrieve http request body
 requestBody, err := c.GetRawData()
diff --git a/internal/sbi/ueauthentication/routers.go b/internal/sbi/ueauthentication/routers.go
index dda263f..a1a7226 100644
--- a/internal/sbi/ueauthentication/routers.go
+++ b/internal/sbi/ueauthentication/routers.go
@@ -17,6 +17,7 @@ import (
 "github.com/sirupsen/logrus"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 "github.com/free5gc/udm/pkg/factory"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -50,6 +51,11 @@ func NewRouter() *gin.Engine {
 }
 func genAuthDataHandlerFunc(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 c.Params = append(c.Params, gin.Param{Key: "supiOrSuci", Value: c.Param("supi")})
 if strings.ToUpper("Post") == c.Request.Method {
 HttpGenerateAuthData(c)
@@ -59,6 +65,10 @@ func genAuthDataHandlerFunc(c *gin.Context) {
 c.String(http.StatusNotFound, "404 page not found")
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-ueau")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group(factory.UdmUeauResUriPrefix)
diff --git a/internal/sbi/uecontextmanagement/api_amf3_gpp_access_registration_info_retrieval.go b/internal/sbi/uecontextmanagement/api_amf3_gpp_access_registration_info_retrieval.go
index 4a0acd5..0172516 100644
--- a/internal/sbi/uecontextmanagement/api_amf3_gpp_access_registration_info_retrieval.go
+++ b/internal/sbi/uecontextmanagement/api_amf3_gpp_access_registration_info_retrieval.go
@@ -23,6 +23,11 @@ import (
 // GetAmf3gppAccess - retrieve the AMF registration for 3GPP access information
 func HTTPGetAmf3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 req := httpwrapper.NewRequest(c.Request, nil)
 req.Params["ueId"] = c.Param("ueId")
 req.Query.Add("supported-features", c.Query("supported-features"))
diff --git a/internal/sbi/uecontextmanagement/api_amf_non3_gpp_access_registration_info_retrieval.go b/internal/sbi/uecontextmanagement/api_amf_non3_gpp_access_registration_info_retrieval.go
index b33fb42..0475dec 100644
--- a/internal/sbi/uecontextmanagement/api_amf_non3_gpp_access_registration_info_retrieval.go
+++ b/internal/sbi/uecontextmanagement/api_amf_non3_gpp_access_registration_info_retrieval.go
@@ -23,6 +23,11 @@ import (
 // GetAmfNon3gppAccess - retrieve the AMF registration for non-3GPP access information
 func HTTPGetAmfNon3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 req := httpwrapper.NewRequest(c.Request, nil)
 req.Params["ueId"] = c.Param("ueId")
 req.Query.Add("supported-features", c.Query("supported-features"))
diff --git a/internal/sbi/uecontextmanagement/api_amf_registration_for3_gpp_access.go b/internal/sbi/uecontextmanagement/api_amf_registration_for3_gpp_access.go
index 7e39c21..62bf8d4 100644
--- a/internal/sbi/uecontextmanagement/api_amf_registration_for3_gpp_access.go
+++ b/internal/sbi/uecontextmanagement/api_amf_registration_for3_gpp_access.go
@@ -23,6 +23,11 @@ import (
 // RegistrationAmf3gppAccess - register as AMF for 3GPP access
 func HTTPRegistrationAmf3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var amf3GppAccessRegistration models.Amf3GppAccessRegistration
 // step 1: retrieve http request body
 requestBody, err := c.GetRawData()
diff --git a/internal/sbi/uecontextmanagement/api_amf_registration_for_non3_gpp_access.go b/internal/sbi/uecontextmanagement/api_amf_registration_for_non3_gpp_access.go
index 6190365..5ac9bef 100644
--- a/internal/sbi/uecontextmanagement/api_amf_registration_for_non3_gpp_access.go
+++ b/internal/sbi/uecontextmanagement/api_amf_registration_for_non3_gpp_access.go
@@ -23,6 +23,11 @@ import (
 // Register - register as AMF for non-3GPP access
 func HTTPRegistrationAmfNon3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var amfNon3GppAccessRegistration models.AmfNon3GppAccessRegistration
 // step 1: retrieve http request body
diff --git a/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for3_gpp_access.go b/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for3_gpp_access.go
index 3646f85..726a873 100644
--- a/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for3_gpp_access.go
+++ b/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for3_gpp_access.go
@@ -23,6 +23,11 @@ import (
 // UpdateAmf3gppAccess - Update a parameter in the AMF registration for 3GPP access
 func HTTPUpdateAmf3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var amf3GppAccessRegistrationModification models.Amf3GppAccessRegistrationModification
 // step 1: retrieve http request body
diff --git a/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for_non3_gpp_access.go b/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for_non3_gpp_access.go
index 775071e..69b7c42 100644
--- a/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for_non3_gpp_access.go
+++ b/internal/sbi/uecontextmanagement/api_parameter_update_in_the_amf_registration_for_non3_gpp_access.go
@@ -23,6 +23,11 @@ import (
 // UpdateAmfNon3gppAccess - update a parameter in the AMF registration for non-3GPP access
 func HTTPUpdateAmfNon3gppAccess(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var amfNon3GppAccessRegistrationModification models.AmfNon3GppAccessRegistrationModification
 // step 1: retrieve http request body
 requestBody, err := c.GetRawData()
diff --git a/internal/sbi/uecontextmanagement/api_smf_deregistration.go b/internal/sbi/uecontextmanagement/api_smf_deregistration.go
index bdbc0a0..4c5cdbf 100644
--- a/internal/sbi/uecontextmanagement/api_smf_deregistration.go
+++ b/internal/sbi/uecontextmanagement/api_smf_deregistration.go
@@ -23,6 +23,11 @@ import (
 // DeregistrationSmfRegistrations - delete an SMF registration
 func HTTPDeregistrationSmfRegistrations(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 req := httpwrapper.NewRequest(c.Request, nil)
 req.Params["ueId"] = c.Params.ByName("ueId")
 req.Params["pduSessionId"] = c.Params.ByName("pduSessionId")
diff --git a/internal/sbi/uecontextmanagement/api_smf_registration.go b/internal/sbi/uecontextmanagement/api_smf_registration.go
index 03b2f13..0dfcef1 100644
--- a/internal/sbi/uecontextmanagement/api_smf_registration.go
+++ b/internal/sbi/uecontextmanagement/api_smf_registration.go
@@ -23,6 +23,11 @@ import (
 // RegistrationSmfRegistrations - register as SMF
 func HTTPRegistrationSmfRegistrations(c *gin.Context) {
+ auth_err := authorizationCheck(c)
+ if auth_err != nil {
+ return
+ }
+
 var smfRegistration models.SmfRegistration
 // step 1: retrieve http request body
diff --git a/internal/sbi/uecontextmanagement/routers.go b/internal/sbi/uecontextmanagement/routers.go
index 493d592..791dae7 100644
--- a/internal/sbi/uecontextmanagement/routers.go
+++ b/internal/sbi/uecontextmanagement/routers.go
@@ -16,6 +16,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/free5gc/udm/internal/logger"
+ "github.com/free5gc/udm/internal/util"
 "github.com/free5gc/udm/pkg/factory"
 logger_util "github.com/free5gc/util/logger"
 )
@@ -42,6 +43,10 @@ func NewRouter() *gin.Engine {
 return router
 }
+func authorizationCheck(c *gin.Context) error {
+ return util.AuthorizationCheck(c, "nudm-uecm")
+}
+
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 group := engine.Group(factory.UdmUecmResUriPrefix)
diff --git a/internal/util/nf_authorization.go b/internal/util/nf_authorization.go
new file mode 100644
index 0000000..496e1ea
--- /dev/null
+++ b/internal/util/nf_authorization.go
@@ -0,0 +1,27 @@
+package util
+
+import (
+ "net/http"
+
+ "github.com/free5gc/openapi"
+ "github.com/free5gc/udm/pkg/factory"
+ "github.com/gin-gonic/gin"
+)
+
+// This function would check the OAuth2 token, and the requestNF is in ServiceAllowNfType
+func AuthorizationCheck(c *gin.Context, serviceName string) error {
+ if factory.UdmConfig.GetOAuth() {
+ oauth_err := openapi.VerifyOAuth(c.Request.Header.Get("Authorization"), serviceName,
+ factory.UdmConfig.GetNrfCertPemPath())
+ if oauth_err != nil {
+ c.JSON(http.StatusUnauthorized, gin.H{"error": oauth_err.Error()})
+ return oauth_err
+ }
+ }
+ allowNf_err := factory.UdmConfig.VerifyServiceAllowType(c.Request.Header.Get("requestNF"), serviceName)
+ if allowNf_err != nil {
+ c.JSON(http.StatusUnauthorized, gin.H{"error": allowNf_err.Error()})
+ return allowNf_err
+ }
+ return nil
+}
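Review bot: The allow-list step in `AuthorizationCheck` trusts a caller-supplied value: `VerifyServiceAllowType(c.Request.Header.Get("requestNF"), serviceName)` reads the NF type from a request header, and when `GetOAuth()` is false it is the only check performed, so it should not be relied on as authentication. With OAuth enabled, nothing visible here ties that header to the identity in the verified token; taking the NF type from the token's claims would close the gap, if `openapi.VerifyOAuth` can expose them (its implementation is outside this diff). A caller that fails only the allow-list is better answered with `c.JSON(http.StatusForbidden, ...)` than 401, and returning `oauth_err.Error()` in the body exposes verifier detail that is safer kept in the server log. The doc comment should start with the function name and state the contract, e.g. `// AuthorizationCheck verifies the OAuth2 token (when enabled) and the requestNF allow-list for serviceName; on failure it writes the error response and returns the error.`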