Feature: Service authorization check via OAuth token (#23)

* Feature: Service authorization check via OAuth token * Fix: fix linter error * Refactor: Move authorization return context logic * Refactor: Move AuthorizationCheck() to udr_context * Fix: rename parameter name --------- Co-authored-by: CTFang@WireLab <[email protected]>
free5gc · Dec 26, 2023 · 1fc7dc8 · 1fc7dc8
1 parent 15809d2
commit 1fc7dc8
Show file tree

Hide file tree

Showing 26 changed files with 467 additions and 0 deletions.
diff --git a/internal/context/context.go b/internal/context/context.go
@@ -186,3 +186,14 @@ func (c *UDRContext) GetTokenCtx(scope, targetNF string) (
 	return oauth.GetTokenCtx(models.NfType_UDR,
 		c.NfId, c.NrfUri, scope, targetNF)
 }
+
+func (context *UDRContext) AuthorizationCheck(token, serviceName string) error {
+	if !context.OAuth2Required {
+		return nil
+	}
+	err := oauth.VerifyOAuth(token, serviceName, context.NrfCertPem)
+	if err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/internal/sbi/datarepository/api_access_and_mobility_subscription_data_document.go b/internal/sbi/datarepository/api_access_and_mobility_subscription_data_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPQueryAmData - Retrieves the access and mobility subscription data of a UE
 func HTTPQueryAmData(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")
 	req.Params["servingPlmnId"] = c.Params.ByName("servingPlmnId")

diff --git a/internal/sbi/datarepository/api_amf3_gpp_access_registration_document.go b/internal/sbi/datarepository/api_amf3_gpp_access_registration_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPAmfContext3gpp - To modify the AMF context data of a UE using 3gpp access in the UDR
 func HTTPAmfContext3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var patchItemArray []models.PatchItem
 
 	requestBody, err := c.GetRawData()
@@ -72,6 +78,12 @@ func HTTPAmfContext3gpp(c *gin.Context) {
 
 // HTTPCreateAmfContext3gpp - To store the AMF context data of a UE using 3gpp access in the UDR
 func HTTPCreateAmfContext3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var amf3GppAccessRegistration models.Amf3GppAccessRegistration
 
 	requestBody, err := c.GetRawData()
@@ -121,6 +133,12 @@ func HTTPCreateAmfContext3gpp(c *gin.Context) {
 
 // HTTPQueryAmfContext3gpp - Retrieves the AMF context data of a UE using 3gpp access
 func HTTPQueryAmfContext3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")
 

diff --git a/internal/sbi/datarepository/api_amf_non3_gpp_access_registration_document.go b/internal/sbi/datarepository/api_amf_non3_gpp_access_registration_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPAmfContextNon3gpp - To modify the AMF context data of a UE using non 3gpp access in the UDR
 func HTTPAmfContextNon3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var patchItemArray []models.PatchItem
 
 	requestBody, err := c.GetRawData()
@@ -72,6 +78,12 @@ func HTTPAmfContextNon3gpp(c *gin.Context) {
 
 // HTTPCreateAmfContextNon3gpp - To store the AMF context data of a UE using non-3gpp access in the UDR
 func HTTPCreateAmfContextNon3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var amfNon3GppAccessRegistration models.AmfNon3GppAccessRegistration
 
 	requestBody, err := c.GetRawData()
@@ -121,6 +133,12 @@ func HTTPCreateAmfContextNon3gpp(c *gin.Context) {
 
 // HTTPQueryAmfContextNon3gpp - Retrieves the AMF context data of a UE using non-3gpp access
 func HTTPQueryAmfContextNon3gpp(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")
 

diff --git a/internal/sbi/datarepository/api_amf_subscription_info_document.go b/internal/sbi/datarepository/api_amf_subscription_info_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPModifyAmfSubscriptionInfo - modify the AMF Subscription Info
 func HTTPModifyAmfSubscriptionInfo(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var patchItemArray []models.PatchItem
 
 	requestBody, err := c.GetRawData()

diff --git a/internal/sbi/datarepository/api_authentication_data_document.go b/internal/sbi/datarepository/api_authentication_data_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPModifyAuthentication - modify the authentication subscription data of a UE
 func HTTPModifyAuthentication(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var patchItemArray []models.PatchItem
 
 	requestBody, err := c.GetRawData()
@@ -72,6 +78,12 @@ func HTTPModifyAuthentication(c *gin.Context) {
 
 // HTTPQueryAuthSubsData - Retrieves the authentication subscription data of a UE
 func HTTPQueryAuthSubsData(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")
 

diff --git a/internal/sbi/datarepository/api_authentication_so_r_document.go b/internal/sbi/datarepository/api_authentication_so_r_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPCreateAuthenticationSoR - To store the SoR acknowledgement information of a UE
 func HTTPCreateAuthenticationSoR(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var sorData models.SorData
 
 	requestBody, err := c.GetRawData()
@@ -72,6 +78,12 @@ func HTTPCreateAuthenticationSoR(c *gin.Context) {
 
 // HTTPQueryAuthSoR - Retrieves the SoR acknowledgement information of a UE
 func HTTPQueryAuthSoR(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")
 

diff --git a/internal/sbi/datarepository/api_authentication_status_document.go b/internal/sbi/datarepository/api_authentication_status_document.go
@@ -23,6 +23,12 @@ import (
 
 // HTTPCreateAuthenticationStatus - To store the Authentication Status data of a UE
 func HTTPCreateAuthenticationStatus(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	var authEvent models.AuthEvent
 
 	requestBody, err := c.GetRawData()
@@ -72,6 +78,12 @@ func HTTPCreateAuthenticationStatus(c *gin.Context) {
 
 // HTTPQueryAuthenticationStatus - Retrieves the Authentication Status of a UE
 func HTTPQueryAuthenticationStatus(c *gin.Context) {
+	auth_err := authorizationCheck(c)
+	if auth_err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": auth_err.Error()})
+		return
+	}
+
 	req := httpwrapper.NewRequest(c.Request, nil)
 	req.Params["ueId"] = c.Params.ByName("ueId")