Test Plan for CAPIF Api Security Service
This document contains all the information, related files and examples of the test plan for this API.
Test Case 1: Create a security context for an API invoker
Test ID: capif_security_api-1
Description:
This test case will check that an API Invoker can create a Security context
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority)
Execution Steps:
- Register and onboard Invoker at CCF
- Store signed Certificate
- Create Security Context
Information of Test:
- Perform Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Use Invoker Certificate
Expected Result:
- Create security context:
  - 201 Created response.
  - body returned must conform to the ServiceSecurity data structure.
  - Location Header must contain the new resource URL {apiRoot}/capif-security/v1/trustedInvokers/{apiInvokerId}
Test Case 2: Create a security context for an API invoker with Provider role
Test ID: capif_security_api-2
Description:
This test case will check that a Provider cannot create a Security Context with a valid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but the user that creates the Security Context has the Provider role
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker but using Provider certificate:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using AEF Certificate
Expected Result:
- Create security context using Provider certificate:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be invoker".
- No context stored at DB
Test Case 3: Create a security context for an API invoker with Provider entity role and invalid apiInvokerId
Test ID: capif_security_api-3
Description:
This test case will check that a Provider cannot create a Security Context with an invalid apiInvokerID.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but the user that creates the Security Context has the Provider role
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
Information of Test:
- Perform Provider Registration
- Create Security Context for this not valid apiInvokerId and using Provider certificate:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
  - body service security body
  - Using AEF Certificate
Expected Result:
- Create security context using Provider certificate:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be invoker".
- No context stored at DB
Test Case 4: Create a security context for an API invoker with Invoker entity role and invalid apiInvokerId
Test ID: capif_security_api-4
Description:
This test case will check that an Invoker cannot create a Security context with valid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but the user creates the Security Context with an invalid apiInvokerId
Execution Steps:
- Register and onboard Invoker at CCF
- Create Security Context using Provider certificate
Information of Test:
- Perform Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
  - body service security body
  - Use Invoker Certificate
Expected Result:
- Create security context using Provider certificate:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Invoker not found".
    - cause with message "API Invoker not exists or invalid ID".
- No context stored at DB
Test Case 5: Retrieve the Security Context of an API Invoker
Test ID: capif_security_api-5
Description:
This test case will check that a provider can retrieve the Security Context of an API Invoker.
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
- Retrieve Security Context by Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate
- Retrieve Security Context of Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using AEF Certificate
Expected Result:
- Retrieve security context:
  - 200 OK response.
  - body returned must conform to the ServiceSecurity data structure.
Test Case 6: Retrieve the Security Context of an API Invoker with invalid apiInvokerID
Test ID: capif_security_api-6
Description:
This test case will check that a provider can retrieve the Security Context of an API Invoker.
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
- Retrieve Security Context by Provider of invalid invoker
Information of Test:
- Perform Provider Registration
- Retrieve Security Context of invalid Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
  - Using AEF Certificate.
Expected Result:
- Retrieve security context:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Invoker not found".
    - cause with message "API Invoker not exists or invalid ID".
Test Case 7: Retrieve the Security Context of an API Invoker with invalid apfId
Test ID: capif_security_api-7
Description:
This test case will check that a Provider cannot retrieve the Security Context of an API Invoker without a valid apfId.
Pre-Conditions:
- API Exposure Function is not pre-authorised (has invalid apfId)
Execution Steps:
- Register and onboard Invoker at CCF
- Store signed Certificate
- Create Security Context
- Retrieve Security Context as Provider.
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate
- Retrieve Security Context as Invoker role:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using Invoker Certificate
Expected Result:
- Create security context:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be aef".
Test Case 8: Delete the Security Context of an API Invoker
Test ID: capif_security_api-8
Description:
This test case will check that a Provider can delete a Security Context.
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
- Delete Security Context by Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker but using Provider certificate:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using AEF Certificate
- Delete Security Context of Invoker by Provider:
  - Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Use AEF Certificate
- Retrieve Security Context of Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using AEF Certificate
Expected Result:
- Delete security context:
  - 204 No Content response.
- Retrieve security context:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Security context not found".
    - cause with message "API Invoker not exists or invalid ID".
Test Case 9: Delete the Security Context of an API Invoker with Invoker entity role
Test ID: capif_security_api-9
Description:
This test case will check that an Invoker cannot delete a Security context
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
- Delete Security Context by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate
- Delete Security Context of Invoker:
  - Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Use Invoker Certificate
Expected Result:
- Delete security context:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be aef".
Test Case 10: Delete the Security Context of an API Invoker with Invoker entity role and invalid apiInvokerID
Test ID: capif_security_api-10
Description:
This test case will check that an Invoker cannot delete a Security context with invalid
Pre-Conditions:
- Invoker is pre-authorised.
Execution Steps:
- Register Provider at CCF
- Delete Security Context by invoker
Information of Test:
- Perform Invoker Onboarding
- Delete Security Context of Invoker:
  - Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
  - Use Invoker Certificate
Expected Result:
- Delete security context:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be aef".
Test Case 11: Delete the Security Context of an API Invoker with invalid apiInvokerID
Test ID: capif_security_api-11
Description:
This test case will check that a Provider cannot delete the Security Context of an invalid apiInvokerId.
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority).
Execution Steps:
- Register Provider at CCF
- Delete Security Context by provider
Information of Test:
- Perform Provider Registration
- Delete Security Context of Invoker by Provider:
  - Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
  - Use AEF Certificate
Expected Result:
- Retrieve security context:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Invoker not found".
    - cause with message "API Invoker not exists or invalid ID".
Test Case 12: Update the Security Context of an API Invoker
Test ID: capif_security_api-12
Description:
This test case will check that an API Invoker can update a Security context
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context By Invoker
- Update Security Context By Invoker
- Retrieve Security Context By Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
- Update Security Context of Invoker:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/update
  - body service security body but with notification destination modified to http://robot.testing2
  - Using Invoker Certificate.
- Retrieve Security Context of Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using AEF Certificate.
Expected Result:
- Update security context:
  - 200 OK response.
  - body returned must conform to the ServiceSecurity data structure.
- Retrieve security context:
  - 200 OK response.
  - body returned must conform to the ServiceSecurity data structure.
  - Check that the returned object matches the modified one.
Test Case 13: Update the Security Context of an API Invoker with Provider entity role
Test ID: capif_security_api-13
Description:
This test case will check that a Provider cannot update a Security Context.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized.
- Invoker has created the Security Context previously.
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Update Security Context as Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
- Update Security Context of Invoker by Provider:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/update
  - body service security body but with notification destination modified to http://robot.testing2
  - Using AEF Certificate
Expected Result:
- Update security context:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be invoker".
Test Case 14: Update the Security Context of an API Invoker with AEF entity role and invalid apiInvokerId
Test ID: capif_security_api-14
Description:
This test case will check that a Provider cannot update the Security Context of an invalid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized.
- Invoker has created the Security Context previously.
Execution Steps:
- Register Provider at CCF
- Update Security Context as Provider
Information of Test:
- Perform Provider Registration
- Update Security Context of Invoker by Provider:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/update
  - body service security body
  - Using AEF Certificate
Expected Result:
- Update security context:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be invoker".
Test Case 15: Update the Security Context of an API Invoker with invalid apiInvokerID
Test ID: capif_security_api-15
Description:
This test case will check that an API Invoker cannot update a Security Context with a not valid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority)
Execution Steps:
- Register and onboard Invoker at CCF
- Update Security Context
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Update Security Context of Invoker:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/update
  - body service security body
  - Using Invoker Certificate.
Expected Result:
- Retrieve security context:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Invoker not found".
    - cause with message "API Invoker not exists or invalid ID".
Test Case 16: Revoke the authorization of the API invoker for APIs.
Test ID: capif_security_api-16
Description:
This test case will check that a Provider can revoke the authorization for APIs
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context by Invoker
- Revoke Security Context by Provider
- Retrieve Security Context by Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context By Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate
- Revoke Authorization by Provider:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/delete
  - body security notification body
  - Using AEF Certificate.
- Retrieve Security Context by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using AEF Certificate.
Expected Result:
- Revoke Authorization:
  - 204 No Content response.
- Retrieve security context:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Security context not found".
    - cause with message "API Invoker has no security context".
Test Case 17: Revoke the authorization of the API invoker for APIs without valid apfID.
Test ID: capif_security_api-17
Description:
This test case will check that an Invoker can't revoke the authorization for APIs
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Revoke Security Context by invoker
- Retrieve Security Context
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
- Revoke Authorization by invoker:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/delete
  - body security notification body
  - Using Invoker Certificate
- Retrieve Security Context of Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - Using Provider Certificate
Expected Result:
- Revoke Security Context by invoker:
  - 401 Unauthorized response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 401
    - title with message "Unauthorized"
    - detail with message "Role not authorized for this API route".
    - cause with message "User role must be provider".
- Retrieve security context:
  - 200 OK response.
  - body returned must conform to the ServiceSecurity data structure.
  - Check that the returned object matches the created one.
Test Case 18: Revoke the authorization of the API invoker for APIs with invalid apiInvokerId.
Test ID: capif_security_api-18
Description:
This test case will check that an API Exposure Function cannot revoke the authorization for APIs for invalid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Revoke Security Context by Provider
- Retrieve Security Context
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
- Revoke Authorization by Provider:
  - Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/delete
  - body security notification body
  - Using AEF Certificate.
- Retrieve Security Context of Invoker by Provider:
  - Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}?authenticationInfo=true&authorizationInfo=true
  - This request asks, via the query parameters, to also retrieve authenticationInfo and authorizationInfo
  - Using AEF Certificate.
Expected Result:
- Revoke Security Context by invoker:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails data structure, with:
    - status 404
    - title with message "Not Found"
    - detail with message "Invoker not found".
    - cause with message "API Invoker not exists or invalid ID".
- Retrieve security context:
  - 200 OK response.
  - body returned must conform to the ServiceSecurity data structure.
  - Check that exactly one object is returned and that it matches the created one.
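Test cases 2 to 18 together fix an order of checks on the /trustedInvokers routes: the role carried by the client certificate is evaluated first (401 with "User role must be ..."), then the apiInvokerId (404 "Invoker not found"), then whether a security context exists. The following model is an added example, not code from the test plan or from the CAPIF implementation it tests; the in-memory store, the ids "inv-1" and "not-valid", and the route table are constructed from the expected results above.

```python
"""Illustrative model, not the CCF's own code, of the order of checks the
test plan expects on the /trustedInvokers routes: the caller's role first,
then the apiInvokerId, then whether a security context exists."""
from dataclasses import dataclass, field

# Required role per route, taken from the "cause" messages in the test plan.
# Keys are (HTTP method, path suffix after /trustedInvokers/{apiInvokerId}).
REQUIRED_ROLE = {
    ("PUT", ""): "invoker",          # create security context (tests 1-4)
    ("GET", ""): "aef",              # retrieve security context (tests 5-7)
    ("DELETE", ""): "aef",           # delete security context (tests 8-11)
    ("POST", "update"): "invoker",   # update security context (tests 12-15)
    ("POST", "delete"): "provider",  # revoke authorization (tests 16-18)
}


def problem_details(status, title, detail, cause):
    """ProblemDetails body with the four fields the plan asserts on."""
    return {"status": status, "title": title, "detail": detail, "cause": cause}


@dataclass
class SecurityContextStore:
    """Constructed in-memory state: onboarded invoker ids and their contexts."""
    invokers: set = field(default_factory=set)
    contexts: dict = field(default_factory=dict)


def handle(store, method, suffix, role, api_invoker_id, body=None):
    """Return (http_status, response_body) for one request.

    role is what the client certificate carries (invoker, aef or provider in
    the plan's wording) and is evaluated before the apiInvokerId lookup. That
    ordering is why test 3 (provider role, invalid id) expects 401 and not
    404: a caller with the wrong role learns nothing about which ids exist.
    """
    route = (method, suffix)
    if route not in REQUIRED_ROLE:
        raise ValueError(f"route not modelled: {method} .../{suffix}")
    required = REQUIRED_ROLE[route]
    if role != required:
        return 401, problem_details(401, "Unauthorized",
                                    "Role not authorized for this API route",
                                    f"User role must be {required}")
    if api_invoker_id not in store.invokers:
        return 404, problem_details(404, "Not Found", "Invoker not found",
                                    "API Invoker not exists or invalid ID")
    if route == ("PUT", ""):
        store.contexts[api_invoker_id] = dict(body or {})
        location = f"{{apiRoot}}/capif-security/v1/trustedInvokers/{api_invoker_id}"
        return 201, {"body": store.contexts[api_invoker_id], "Location": location}
    if api_invoker_id not in store.contexts:
        # Wording of test 16; test 8 expects the same status with another cause.
        return 404, problem_details(404, "Not Found", "Security context not found",
                                    "API Invoker has no security context")
    if route == ("GET", ""):
        return 200, store.contexts[api_invoker_id]
    if route == ("POST", "update"):
        store.contexts[api_invoker_id] = dict(body or {})
        return 200, store.contexts[api_invoker_id]
    # DELETE and POST .../delete (revoke) both remove the stored context.
    del store.contexts[api_invoker_id]
    return 204, None


def walk_through_tests_2_to_4(store):
    """Replay the three create attempts of tests 2, 3 and 4 on a store that
    knows invoker "inv-1" and return the status codes in order."""
    body = {"notificationDestination": "http://robot.testing"}
    return [
        handle(store, "PUT", "", "aef", "inv-1", body)[0],          # test 2
        handle(store, "PUT", "", "aef", "not-valid", body)[0],      # test 3
        handle(store, "PUT", "", "invoker", "not-valid", body)[0],  # test 4
    ]


if __name__ == "__main__":
    demo = SecurityContextStore(invokers={"inv-1"})
    print(walk_through_tests_2_to_4(demo))
    print(handle(demo, "PUT", "", "invoker", "inv-1", {"securityInfo": []}))
```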
Test Case 19: Retrieve access token
Test ID: capif_security_api-19
Description:
This test case will check that an API Invoker can retrieve a security access token OAuth 2.0.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerId)
- Service API of Provider is published
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
  - Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
  - body [service api description] with apiName service_1
  - Use APF Certificate
- Request Discover Published APIs not filtered:
  - Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
  - Param api-invoker-id is mandatory
  - Using Invoker Certificate
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
  - Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by invoker:
  - Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token
  - body access token req body and example
  - securityId is apiInvokerId.
  - grant_type=client_credentials.
  - Create Scope properly for request: 3gpp#{aef_id}:{api_name}
  - Using Invoker Certificate.
Expected Result:
- Response to Request of Access Token:
  - 200 OK
  - body must follow AccessTokenRsp with:
    - access_token present
    - token_type=Bearer
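The two derived steps of test case 19, one securityInfo per AEF of each discovered serviceAPIDescription and a scope of the form 3gpp#{aef_id}:{api_name}, are shown below as an added example that is not part of the test plan or of the CAPIF implementation. The discovery sample is constructed; the field names serviceAPIDescriptions, aefProfiles, apiId and prefSecurityMethods, the value "OAUTH", and the space-joining of several scope entries are assumptions, since the plan itself only shows the single-entry scope.

```python
"""Added example: build the ServiceSecurity body and the AccessTokenReq of
test case 19 from a discovery response. Not the test plan's own helpers."""

# Constructed sample of a discovery response: two published APIs, the first
# exposed by two AEFs, so three securityInfo entries are expected.
DISCOVERED = {
    "serviceAPIDescriptions": [
        {"apiName": "service_1", "apiId": "api-1",
         "aefProfiles": [{"aefId": "aef-a"}, {"aefId": "aef-b"}]},
        {"apiName": "service_2", "apiId": "api-2",
         "aefProfiles": [{"aefId": "aef-b"}]},
    ]
}


def build_service_security(discovered, notification_destination,
                           pref_security_methods=("OAUTH",)):
    """One securityInfo per AEF present in each serviceAPIDescription, as the
    plan requires before the token request. Field names are assumptions."""
    security_info = []
    for api in discovered.get("serviceAPIDescriptions", []):
        for profile in api.get("aefProfiles", []):
            security_info.append({
                "aefId": profile["aefId"],
                "apiId": api["apiId"],
                "prefSecurityMethods": list(pref_security_methods),
            })
    return {
        "securityInfo": security_info,
        "notificationDestination": notification_destination,
    }


def scope_entries(discovered):
    """Scope entries in the plan's format 3gpp#{aef_id}:{api_name}, one per
    (AEF, API) pair found at discovery."""
    return [f"3gpp#{profile['aefId']}:{api['apiName']}"
            for api in discovered.get("serviceAPIDescriptions", [])
            for profile in api.get("aefProfiles", [])]


def build_access_token_req(api_invoker_id, discovered,
                           grant_type="client_credentials"):
    """AccessTokenReq for POST /securities/{securityId}/token.

    securityId is the apiInvokerId and client_id must be that same id (test 23
    expects invalid_client otherwise). Joining several entries with a space is
    an assumption: the plan only shows the single-entry scope.
    """
    return {
        "grant_type": grant_type,
        "client_id": api_invoker_id,
        "scope": " ".join(scope_entries(discovered)),
    }


def check_access_token_rsp(rsp):
    """Expected result of test 19: access_token present and token_type Bearer."""
    return bool(rsp.get("access_token")) and rsp.get("token_type") == "Bearer"


if __name__ == "__main__":
    print(build_service_security(DISCOVERED, "http://robot.testing"))
    print(build_access_token_req("inv-1", DISCOVERED))
```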
Test Case 20: Retrieve access token by Provider
Test ID: capif_security_api-20
Description:
This test case will check that an API Exposure Function cannot revoke the authorization for APIs for invalid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
  - Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
  - body [service api description] with apiName service_1
  - Use APF Certificate
- Request Discover Published APIs not filtered:
  - Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
  - Param api-invoker-id is mandatory
  - Using Invoker Certificate
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
  - Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by provider:
  - Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token
  - body access token req body
  - securityId is apiInvokerId
  - grant_type=client_credentials
  - Using AEF Certificate
Expected Result:
- Response to Request of Access Token:
  - 401 Unauthorized response.
  - body returned must conform to the AccessTokenErr data structure, with:
    - error unauthorized_client
    - error_description=Role not authorized for this API route
Test Case 21: Retrieve access token by Provider with invalid apiInvokerId
Test ID: capif_security_api-21
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token without valid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Provider
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
  - Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
  - body [service api description] with apiName service_1
  - Use APF Certificate
- Request Discover Published APIs not filtered:
  - Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
  - Param api-invoker-id is mandatory
  - Using Invoker Certificate
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
  - Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by provider:
  - Send POST https://{CAPIF_HOSTNAME}/securities/{API_INVOKER_NOT_VALID}/token
  - body access token req body
  - securityId is apiInvokerId
  - grant_type=client_credentials
  - Using AEF Certificate
Expected Result:
- Response to Request of Access Token:
  - 401 Unauthorized response.
  - body returned must conform to the AccessTokenErr data structure, with:
    - error unauthorized_client
    - error_description=Role not authorized for this API route
Test Case 22: Retrieve access token with invalid apiInvokerId
Test ID: capif_security_api-22
Description:
This test case will check that an API Invoker can't retrieve a security access token without valid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerId)
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
  - Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
  - body [service api description] with apiName service_1
  - Use APF Certificate
- Request Discover Published APIs not filtered:
  - Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
  - Param api-invoker-id is mandatory
  - Using Invoker Certificate
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
  - Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by invoker:
  - Send POST https://{CAPIF_HOSTNAME}/securities/{API_INVOKER_NOT_VALID}/token
  - body access token req body
  - securityId is apiInvokerId
  - grant_type=client_credentials
  - Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
  - 404 Not Found response.
  - body returned must conform to the ProblemDetails29571 data structure, with:
    - status 404
    - title Not Found
    - detail Security context not found
    - cause API Invoker has no security context
NOTE: ProblemDetails29571 is the ProblemDetails definition present for this request in the swagger, and it differs from the definition of ProblemDetails used across the other CAPIF Services.
Test Case 23: Retrieve access token with invalid client_id
Test ID: capif_security_api-23
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token without valid client_id at body
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
  - Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
  - body [service api description] with apiName service_1
  - Use APF Certificate
- Request Discover Published APIs not filtered:
  - Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
  - Param api-invoker-id is mandatory
  - Using Invoker Certificate
- Create Security Context for this Invoker:
  - Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
  - body service security body
  - Using Invoker Certificate.
  - Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by invoker:
  - Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token
  - body access token req body
  - securityId is apiInvokerId
  - grant_type=client_credentials
  - client_id is not-valid
  - Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
  - 400 Bad Request response.
  - body returned must conform to the AccessTokenErr data structure, with:
    - error invalid_client
    - error_description=Client Id not found
Test Case 24: Retrieve access token with unsupported grant_type
Test ID: capif_security_api-24
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with unsupported grant_type
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
- Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
- Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each AEF present in each serviceAPIDescription returned by Discover.
- Request Access Token by Invoker:
- Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=not_valid
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish ProblemDetails data structure, with:
- title=Bad Request
- detail='not_valid' is not one of ['client_credentials', 'authorization_code'] - 'grant_type'
- status=400
Test Case 25: Retrieve access token with invalid scope
Test ID: capif_security_api-25
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with a completely invalid scope (one that does not start with the required '3gpp' prefix).
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
- Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
- Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each AEF present in each serviceAPIDescription returned by Discover.
- Request Access Token by Invoker:
- Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=not-valid-scope
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=The first characters must be '3gpp'
Test Case 26: Retrieve access token with invalid aefid at scope
Test ID: capif_security_api-26
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token when the scope carries an aefId that is not part of the Invoker's security context.
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
- Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
- Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each AEF present in each serviceAPIDescription returned by Discover.
- Request Access Token by Invoker:
- Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=3gpp#1234:*service_1*
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=One of aef_id not belongs of your security context
Test Case 27: Retrieve access token with invalid apiName at scope
Test ID: capif_security_api-27
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token when the scope carries an apiName that does not exist or is not associated with the given aefId.
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
- Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
- Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each AEF present in each serviceAPIDescription returned by Discover.
- Request Access Token by Invoker:
- Send POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=3gpp#{aef_id}:not-valid
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=One of the api names does not exist or is not associated with the aef id provided
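The negative token tests above (Test Cases 23 to 27) together pin down the order in which the CCF token endpoint rejects a request: grant_type first (ProblemDetails), then client_id (AccessTokenErr invalid_client), then the '3gpp' scope prefix, the aefId against the stored security context, and finally the apiName against that AEF. The following is an added Python model of that server-side check (not OpenCAPIF's own code) that a tester can use as an oracle for the expected bodies; the security-context store, the sample IDs, and the ';' / ',' separators for multi-AEF scopes are assumptions, since the test plan only shows the single form 3gpp#{aef_id}:{apiName}.

```python
from typing import Dict, List, Tuple

# Grant types accepted by the CCF token endpoint (listed in Test Case 24's expected detail).
VALID_GRANT_TYPES = ("client_credentials", "authorization_code")

def access_token_err(error: str, description: str) -> dict:
    """AccessTokenErr body returned with HTTP 400 (Test Cases 23, 25, 26, 27)."""
    return {"error": error, "error_description": description}

def problem_details(detail: str) -> dict:
    """ProblemDetails body for a schema-level failure (Test Case 24)."""
    return {"status": 400, "title": "Bad Request", "detail": detail}

def validate_token_request(security_contexts: Dict[str, Dict[str, List[str]]],
                           security_id: str, form: dict) -> Tuple[int, dict]:
    """Check the form body of POST /securities/{securityId}/token.

    security_contexts maps apiInvokerId -> {aef_id: [api names allowed for that AEF]},
    i.e. the securityInfo entries stored when the security context was created.
    Returns (http_status, body); on success the body echoes the granted scope.
    """
    grant_type = form.get("grant_type")
    if grant_type not in VALID_GRANT_TYPES:  # schema validation fails before any lookup
        return 400, problem_details(
            f"'{grant_type}' is not one of {list(VALID_GRANT_TYPES)} - 'grant_type'")
    if form.get("client_id") != security_id or security_id not in security_contexts:
        return 400, access_token_err("invalid_client", "Client Id not found")
    scope = form.get("scope", "")
    if not scope.startswith("3gpp#"):
        return 400, access_token_err("invalid_scope", "The first characters must be '3gpp'")
    context = security_contexts[security_id]
    # Assumed syntax: 3gpp#<aef_id>:<api>,<api>;<aef_id>:<api> (';' and ',' are assumptions)
    for aef_entry in scope[len("3gpp#"):].split(";"):
        aef_id, _, api_names = aef_entry.partition(":")
        if aef_id not in context:  # Test Case 26: AEF not in this invoker's security context
            return 400, access_token_err(
                "invalid_scope", "One of aef_id not belongs of your security context")
        for api_name in api_names.split(","):
            if api_name not in context[aef_id]:  # Test Case 27: unknown/unassociated apiName
                return 400, access_token_err(
                    "invalid_scope",
                    "One of the api names does not exist or is not associated with the aef id provided")
    return 200, {"token_type": "Bearer", "scope": scope}  # token issuance itself is not modelled

# Constructed sample store: invoker inv-0001 has a security context for AEF aef-0001 exposing service_1.
SAMPLE_CONTEXTS = {"inv-0001": {"aef-0001": ["service_1"]}}
```

Feeding the five request bodies from the test cases into validate_token_request with SAMPLE_CONTEXTS reproduces the five expected bodies, while scope 3gpp#aef-0001:service_1 is the only one that passes.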