feacture/oauth

go.mod

@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
-	github.com/free5gc/openapi v1.0.7-0.20231201151944-c3306de07dfb
+	github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693
 	github.com/free5gc/util v1.0.5-0.20231012123940-85f4557167be
 	github.com/gin-gonic/gin v1.9.1
 	github.com/golang-jwt/jwt v3.2.1+incompatible

go.sum

@@ -60,8 +60,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
-github.com/free5gc/openapi v1.0.7-0.20231201151944-c3306de07dfb h1:/ha0P045n7WA0fFi1M8Bcbbs0dENFrzq2MftN4FOE8I=
-github.com/free5gc/openapi v1.0.7-0.20231201151944-c3306de07dfb/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
+github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693 h1:gFyYBsErQAkx4OVHXYqjO0efO9gPWydQavQcjU0CkHY=
+github.com/free5gc/openapi v1.0.7-0.20240117084712-52ad99299693/go.mod h1:qv9KqEucoZSeENPRFGxfTe+33ZWYyiYFx1Rj+H0DoWA=
 github.com/free5gc/util v1.0.5-0.20231012123940-85f4557167be h1:SglM1KIL+bR50hPzbvxVwNW44+yHR2tq9nTpLra75UE=
 github.com/free5gc/util v1.0.5-0.20231012123940-85f4557167be/go.mod h1:d+79g84a3YHhzvjJ2IhurrBOavOA8xWIQ/GCywPXqQk=
 github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=

internal/context/context.go

@@ -25,8 +25,17 @@ type NRFContext struct {
 	NrfPrivKey       *rsa.PrivateKey
 	NrfPubKey        *rsa.PublicKey
 	NrfCert          *x509.Certificate
+	NrfCertPem       string
+
+	OAuth2Required bool
+}
+
+type NFContext interface {
+	AuthorizationCheck(token, serviceName string) error
 }
 
+var _ NFContext = &NRFContext{}
+
 var nrfContext NRFContext
 
 func InitNrfContext() error {
@@ -185,13 +194,12 @@ func GetSelf() *NRFContext {
 	return &nrfContext
 }
 
-func (context *NRFContext) AuthorizationCheck(token, serviceName string) error {
-	if !factory.NrfConfig.GetOAuth() {
+func (c *NRFContext) AuthorizationCheck(token, serviceName string) error {
+	if !c.OAuth2Required {
+		logger.UtilLog.Debugf("NRFContext::AuthorizationCheck: OAuth2 not required\n")
 		return nil
 	}
-	err := oauth.VerifyOAuth(token, serviceName, factory.NrfConfig.GetNrfCertPemPath())
-	if err != nil {
-		return err
-	}
-	return nil
+
+	logger.UtilLog.Debugf("NRFContext::AuthorizationCheck: token[%s] serviceName[%s]\n", token, serviceName)
+	return oauth.VerifyOAuth(token, serviceName, c.NrfCertPem)
 }

internal/logger/logger.go

@@ -18,6 +18,7 @@ var (
 	NfmLog      *logrus.Entry
 	AccTokenLog *logrus.Entry
 	DiscLog     *logrus.Entry
+	UtilLog     *logrus.Entry
 )
 
 func init() {

internal/sbi/discovery/routers.go

@@ -17,10 +17,14 @@ import (
 
 	nrf_context "github.com/free5gc/nrf/internal/context"
 	"github.com/free5gc/nrf/internal/logger"
+	"github.com/free5gc/nrf/internal/util"
 	"github.com/free5gc/nrf/pkg/factory"
+	"github.com/free5gc/openapi/models"
 	logger_util "github.com/free5gc/util/logger"
 )
 
+const serviceName string = string(models.ServiceName_NNRF_DISC)
+
 // Route is the information for every URI.
 type Route struct {
 	// Name is the name of this Route.
@@ -51,6 +55,11 @@ func authorizationCheck(c *gin.Context) error {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.NrfDiscResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(serviceName)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, nrf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":

internal/sbi/management/routers.go

@@ -17,10 +17,14 @@ import (
 
 	nrf_context "github.com/free5gc/nrf/internal/context"
 	"github.com/free5gc/nrf/internal/logger"
+	"github.com/free5gc/nrf/internal/util"
 	"github.com/free5gc/nrf/pkg/factory"
+	"github.com/free5gc/openapi/models"
 	logger_util "github.com/free5gc/util/logger"
 )
 
+const serviceName string = string(models.ServiceName_NNRF_NFM)
+
 // Route is the information for every URI.
 type Route struct {
 	// Name is the name of this Route.
@@ -51,6 +55,11 @@ func authorizationCheck(c *gin.Context) error {
 func AddService(engine *gin.Engine) *gin.RouterGroup {
 	group := engine.Group(factory.NrfNfmResUriPrefix)
 
+	routerAuthorizationCheck := util.NewRouterAuthorizationCheck(serviceName)
+	group.Use(func(c *gin.Context) {
+		routerAuthorizationCheck.Check(c, nrf_context.GetSelf())
+	})
+
 	for _, route := range routes {
 		switch route.Method {
 		case "GET":

internal/util/router_auth_check.go

@@ -0,0 +1,33 @@
+package util
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	nrf_context "github.com/free5gc/nrf/internal/context"
+	"github.com/free5gc/nrf/internal/logger"
+)
+
+type RouterAuthorizationCheck struct {
+	serviceName string
+}
+
+func NewRouterAuthorizationCheck(serviceName string) *RouterAuthorizationCheck {
+	return &RouterAuthorizationCheck{
+		serviceName: serviceName,
+	}
+}
+
+func (rac *RouterAuthorizationCheck) Check(c *gin.Context, pcfContext nrf_context.NFContext) {
+	token := c.Request.Header.Get("Authorization")
+	err := pcfContext.AuthorizationCheck(token, rac.serviceName)
+	if err != nil {
+		logger.UtilLog.Debugf("RouterAuthorizationCheck::Check Unauthorized: %s", err)
+		c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()})
+		c.Abort()
+		return
+	}
+
+	logger.UtilLog.Debugf("RouterAuthorizationCheck::Check Authorized")
+}