https://telecominfraproject.atlassian.net/browse/WIFI-7831

Signed-off-by: stephb9959 <[email protected]>
Telecominfraproject · Sep 12, 2023 · ca7c618 · ca7c618
1 parent 8826031
commit ca7c618
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 5 deletions.
diff --git a/src/OpenRoamin_GlobalReach.cpp b/src/OpenRoamin_GlobalReach.cpp
@@ -3,6 +3,15 @@
 //
 
 #include "OpenRoamin_GlobalReach.h"
+#include <Poco/JWT/Token.h>
+#include <Poco/JWT/Signer.h>
+#include <Poco/Net/HTTPSClientSession.h>
+#include <Poco/URI.h>
+#include <Poco/TemporaryFile.h>
+#include <Poco/JSON/Object.h>
+#include <Poco/JSON/Parser.h>
+
+#include <framework/MicroServiceFuncs.h>
 
 namespace OpenWifi {
 
@@ -88,4 +97,62 @@ namespace OpenWifi {
         return true;
     }
 
+    std::string OpenRoaming_GlobalReach::MakeToken(const std::string &GlobalReachAccountId, const std::string &PrivateKey) {
+        Poco::JWT::Token token;
+
+        token.setType("JWT");
+        token.setAlgorithm("ES256");
+        token.setIssuedAt(std::time(nullptr));
+
+        token.payload().set("iss", GlobalReachAccountId);
+        token.payload().set("iat", (unsigned long) std::time(nullptr));
+
+        Poco::SharedPtr<Poco::Crypto::ECKey>    Key;
+        auto KeyHash = Utils::ComputeHash(PrivateKey);
+        auto KeyHint = PrivateKeys_.find(KeyHash);
+        if(KeyHint!=PrivateKeys_.end()) {
+            Key = KeyHint->second;
+        } else {
+            Poco::TemporaryFile F;
+            std::ofstream ofs(F.path().c_str(),std::ios_base::trunc|std::ios_base::out|std::ios_base::binary);
+            ofs << PrivateKey;
+            ofs.close();
+            auto NewKey = Poco::SharedPtr<Poco::Crypto::ECKey>(
+                    new Poco::Crypto::ECKey("", F.path(),""));
+            Key = PrivateKeys_[KeyHash] = NewKey;
+        }
+
+        Poco::JWT::Signer Signer;
+        Signer.setECKey(Key);
+        Signer.addAllAlgorithms();
+        return Signer.sign(token, Poco::JWT::Signer::ALGO_ES256);
+    }
+
+    bool OpenRoaming_GlobalReach::VerifyAccount(const std::string &GlobalReachAccountId, const std::string &PrivateKey, [[
+    maybe_unused]] std::string &Name) {
+        auto BearerToken = MakeToken(GlobalReachAccountId, PrivateKey);
+
+        Poco::URI   URI{"https://config.openro.am/v1/config"};
+        std::string Path(URI.getPathAndQuery());
+        Poco::Net::HTTPRequest Request(Poco::Net::HTTPRequest::HTTP_GET, Path,
+                                       Poco::Net::HTTPMessage::HTTP_1_1);
+        Request.add("Authorization", "Bearer " + BearerToken);
+
+        Poco::Net::HTTPSClientSession Session(URI.getHost(), URI.getPort());
+        Session.setTimeout(Poco::Timespan(10000, 10000));
+        Session.sendRequest(Request);
+        Poco::Net::HTTPResponse Response;
+        std::istream &is = Session.receiveResponse(Response);
+        if(Response.getStatus()==Poco::Net::HTTPResponse::HTTP_OK) {
+            Poco::JSON::Parser P;
+            auto Result = P.parse(is).extract<Poco::JSON::Object::Ptr>();
+            if(Result->has("name")) {
+                Name = Result->get("name").toString();
+            }
+            return true;
+        }
+        return false;
+    }
+
+
 } // OpenWifi
diff --git a/src/OpenRoamin_GlobalReach.h b/src/OpenRoamin_GlobalReach.h
@@ -22,9 +22,12 @@ namespace OpenWifi {
         bool GetAccountInfo(const std::string &AccountName, ProvObjects::GLBLRAccountInfo &Account);
         bool CreateRadsecCertificate(const std::string &AccountName, ProvObjects::GLBLRCertificateInfo &NewCertificate);
         bool GetRadsecCertificate(const std::string &AccountName, std::string & CertificateId, ProvObjects::GLBLRCertificateInfo &NewCertificate);
+        bool VerifyAccount(const std::string &GlobalReachAccountId, const std::string &PrivateKey, std::string &Name);
 
     private:
-        std::string CreateJWTToken(const std::string &AccountName);
+        std::string MakeToken(const std::string &GlobalReachAccountId, const std::string &PrivateKey);
+
+        std::map<std::string,Poco::SharedPtr<Poco::Crypto::ECKey>>   PrivateKeys_;
 
         OpenRoaming_GlobalReach() noexcept
                 : SubSystemServer("OpenRoaming_GlobalReach", "GLBL-REACH", "globalreach") {

diff --git a/src/RESTAPI/RESTAPI_openroaming_gr_acct_handler.cpp b/src/RESTAPI/RESTAPI_openroaming_gr_acct_handler.cpp
@@ -3,6 +3,7 @@
 //
 
 #include "RESTAPI_openroaming_gr_acct_handler.h"
+#include "OpenRoamin_GlobalReach.h"
 
 namespace OpenWifi {
 
@@ -48,10 +49,17 @@ namespace OpenWifi {
             return BadRequest(OpenWifi::RESTAPI::Errors::InvalidJSONDocument);
         }
 
-        if(RawObject->has("privateKey")) {
-            if(!NewObject.privateKey.empty() && !Utils::VerifyECKey(NewObject.privateKey)) {
-                return BadRequest(RESTAPI::Errors::NotAValidECKey);
-            }
+        if(NewObject.privateKey.empty() || NewObject.GlobalReachAcctId.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        if(!NewObject.privateKey.empty() && !Utils::VerifyECKey(NewObject.privateKey)) {
+            return BadRequest(RESTAPI::Errors::NotAValidECKey);
+        }
+
+        std::string GlobalReachName;
+        if(!OpenRoaming_GlobalReach()->VerifyAccount(NewObject.GlobalReachAcctId,NewObject.privateKey,GlobalReachName)) {
+            return BadRequest(RESTAPI::Errors::InvalidGlobalReachAccount);
         }
 
         if( NewObject.commonName.empty() || NewObject.organization.empty() ||
@@ -100,6 +108,11 @@ namespace OpenWifi {
             Existing.privateKey = Modify.privateKey;
         }
 
+        std::string GlobalReachName;
+        if(!OpenRoaming_GlobalReach()->VerifyAccount(Existing.GlobalReachAcctId,Existing.privateKey,GlobalReachName)) {
+            return BadRequest(RESTAPI::Errors::InvalidGlobalReachAccount);
+        }
+
         auto Modified = AssignIfPresent(RawObject,"country",Existing.country)   ||
                         AssignIfPresent(RawObject,"commonName",Existing.commonName) ||
                         AssignIfPresent(RawObject,"city",Existing.city) ||

diff --git a/src/framework/ow_constants.h b/src/framework/ow_constants.h
@@ -408,6 +408,7 @@ namespace OpenWifi::RESTAPI::Errors {
 
     static const struct msg DefFirmwareNameExists { 1172, "Firmware name already exists." };
     static const struct msg NotAValidECKey { 1173, "Provided key supplied is not valid." };
+    static const struct msg InvalidGlobalReachAccount { 1174, "Invalid Global Reach account information (id or key)." };
 
     static const struct msg SimulationDoesNotExist {
         7000, "Simulation Instance ID does not exist."