Test Plan for CAPIF Api Security Service
At this documentation you will have all information and related files and examples of test plan for this API.
Test Case 1: Create a security context for an API invoker
Test ID: capif_security_api-1
Description:
This test case will check that an API Invoker can create a Security context
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority)
Execution Steps:
- Register and onboard Invoker at CCF
- Store signed Certificate
- Create Security Context
Information of Test:
- Perform Invoker Onboarding
- Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Use Invoker Certificate
Expected Result:
- Create security context:
- 201 Created response.
- body returned must accomplish ServiceSecurity data structure.
- Location Header must contain the new resource URL {apiRoot}/capif-security/v1/trustedInvokers/{apiInvokerId}
Test Case 2: Create a security context for an API invoker with Provider role
Test ID:: capif_security_api-2
Description:
This test case will check that an Provider cannot create a Security context with valid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with Provider role
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker but using Provider certificate.
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using AEF Certificate
Expected Result:
-
Create security context using Provider certificate:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be invoker".
-
No context stored at DB
Test Case 3: Create a security context for an API invoker with Provider entity role and invalid apiInvokerId
Test ID:: capif_security_api-3
Description:
This test case will check that an Provider cannot create a Security context with invalid apiInvokerID.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with Provider role
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
Information of Test:
-
Perform Provider Registration
-
Create Security Context for this not valid apiInvokerId and using Provider certificate.
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
- body service security body
- Using AEF Certificate
Expected Result:
- Create security context using Provider certificate:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be invoker".
- No context stored at DB
Test Case 4: Create a security context for an API invoker with Invoker entity role and invalid apiInvokerId
Test ID:: capif_security_api-4
Description:
This test case will check that an Invoker cannot create a Security context with valid apiInvokerId.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with invalid apiInvokerId
Execution Steps:
- Register and onboard Invoker at CCF
- Create Security Context using Provider certificate
Information of Test:
-
Perform Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
- body service security body
- Use Invoker Certificate
Expected Result:
-
Create security context using Provider certificate:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Invoker not found".
- cause with message "API Invoker not exists or invalid ID".
-
No context stored at DB
Test Case 5: Retrieve the Security Context of an API Invoker
Test ID:: capif_security_api-5
Description:
This test case will check that an provider can retrieve the Security context of an API Invoker
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
- Retrieve Security Context by Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker.
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate
-
Retrieve Security Context of Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using AEF Certificate
Expected Result:
- Retrieve security context:
- 200 OK response.
- body returned must accomplish ServiceSecurity data structure.
Test Case 6: Retrieve the Security Context of an API Invoker with invalid apiInvokerID
Test ID:: capif_security_api-6
Description:
This test case will check that an provider can retrieve the Security context of an API Invoker
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
- Retrieve Security Context by Provider of invalid invoker
Information of Test:
-
Perform Provider Registration
-
Retrieve Security Context of invalid Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
- Using AEF Certificate.
Expected Result:
- Retrieve security context:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Invoker not found".
- cause with message "API Invoker not exists or invalid ID".
Test Case 7: Retrieve the Security Context of an API Invoker with invalid apfId
Test ID:: capif_security_api-7
Description:
This test case will check that an Provider cannot retrieve the Security context of an API Invoker without valid apfId
Pre-Conditions:
- API Exposure Function is not pre-authorised (has invalid apfId)
Execution Steps:
- Register and onboard Invoker at CCF
- Store signed Certificate
- Create Security Context
- Retrieve Security Context as Provider.
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate
-
Retrieve Security Context as Invoker role:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using Invoker Certificate
Expected Result:
- Create security context:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be aef".
Test Case 8: Delete the Security Context of an API Invoker
Test ID:: capif_security_api-8
Description:
This test case will check that an Provider can delete a Security context
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context using Provider certificate
- Delete Security Context by Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker but using Provider certificate.
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using AEF Certificate
-
Delete Security Context of Invoker by Provider:
- Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Use AEF Certificate
-
Retrieve Security Context of Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using AEF Certificate
Expected Result:
-
Delete security context:
- 204 No Content response.
-
Retrieve security context:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Security context not found".
- cause with message "API Invoker not exists or invalid ID".
Test Case 9: Delete the Security Context of an API Invoker with Invoker entity role
Test ID:: capif_security_api-9
Description:
This test case will check that an Invoker cannot delete a Security context
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context
Execution Steps:
- Register Provider at CCF
- Create Security Context using Provider certificate
- Delete Security Context by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate
-
Delete Security Context of Invoker:
- Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Use Invoker Certificate
Expected Result:
- Delete security context:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be aef".
Test Case 10: Delete the Security Context of an API Invoker with Invoker entity role and invalid apiInvokerID
Test ID:: capif_security_api-10
Description:
This test case will check that an Invoker cannot delete a Security context with invalid
Pre-Conditions:
- Invoker is pre-authorised.
Execution Steps:
- Register Provider at CCF
- Delete Security Context by invoker
Information of Test:
-
Perform Invoker Onboarding
-
Delete Security Context of Invoker:
- Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
- Use Invoker Certificate
Expected Result:
- Delete security context:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be aef".
Test Case 11: Delete the Security Context of an API Invoker with invalid apiInvokerID
Test ID:: capif_security_api-11
Description:
This test case will check that an Provider cannot delete a Security context of invalid apiInvokerId
Pre-Conditions:
- Provider is pre-authorised (has valid apfId from CAPIF Authority).
Execution Steps:
- Register Provider at CCF
- Delete Security Context by provider
Information of Test:
-
Perform Provider Registration
-
Delete Security Context of Invoker by Provider:
- Send DELETE https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}
- Use AEF Certificate
Expected Result:
- Retrieve security context:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Invoker not found".
- cause with message "API Invoker not exists or invalid ID".
Test Case 12: Update the Security Context of an API Invoker
Test ID:: capif_security_api-12
Description:
This test case will check that an API Invoker can update a Security context
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context By Invoker
- Update Security Context By Invoker
- Retrieve Security Context By Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
-
Update Security Context of Invoker:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/update
- body service security body but with notification destination modified to http://robot.testing2
- Using Invoker Certificate.
-
Retrieve Security Context of Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using AEF Certificate.
Expected Result:
-
Update security context:
- 200 OK response.
- body returned must accomplish ServiceSecurity data structure.
-
Retrieve security context:
- 200 OK response.
- body returned must accomplish ServiceSecurity data structure.
- Check is this returned object match with modified one.
Test Case 13: Update the Security Context of an API Invoker with Provider entity role
Test ID:: capif_security_api-13
Description:
This test case will check that an Provider cannot update a Security context
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized.
- Invoker has created the Security Context previously.
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Update Security Context as Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
-
Update Security Context of Invoker by Provider:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/update
- body service security body but with notification destination modified to http://robot.testing2
- Using AEF Certificate
Expected Result:
- Update security context:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be invoker".
Test Case 14: Update the Security Context of an API Invoker with AEF entity role and invalid apiInvokerId
Test ID:: capif_security_api-14
Description:
This test case will check that an Provider cannot update a Security context of invalid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized.
- Invoker has created the Security Context previously.
Execution Steps:
- Register Provider at CCF
- Update Security Context as Provider
Information of Test:
-
Perform Provider Registration
-
Update Security Context of Invoker by Provider:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/update
- body service security body
- Using AEF Certificate
Expected Result:
- Update security context:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be invoker".
Test Case 15: Update the Security Context of an API Invoker with invalid apiInvokerID
Test ID:: capif_security_api-15
Description:
This test case will check that an API Invoker cannot update a Security context not valid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority)
Execution Steps:
- Register and onboard Invoker at CCF
- Update Security Context
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Update Security Context of Invoker:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/update
- body service security body
- Using Invoker Certificate.
Expected Result:
- Retrieve security context:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Invoker not found".
- cause with message "API Invoker not exists or invalid ID".
Test Case 16: Revoke the authorization of the API invoker for APIs.
Test ID:: capif_security_api-16
Description:
This test case will check that a Provider can revoke the authorization for APIs
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context by Invoker
- Revoke Security Context by Provider
- Retrieve Security Context by Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context By Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate
-
Revoke Authorization by Provider:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/delete
- body security notification body
- Using AEF Certificate.
-
Retrieve Security Context by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using AEF Certificate.
Expected Result:
-
Revoke Authorization:
- 204 No Content response.
-
Retrieve security context:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Security context not found".
- cause with message "API Invoker has no security context".
Test Case 17: Revoke the authorization of the API invoker for APIs without valid apfID.
Test ID:: capif_security_api-17
Description:
This test case will check that an Invoker can't revoke the authorization for APIs
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Revoke Security Context by invoker
- Retrieve Security Context
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
-
Revoke Authorization by invoker:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}/delete
- body security notification body
- Using Invoker Certificate
-
Retrieve Security Context of Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- Using Provider Certificate
Expected Result:
-
Revoke Security Context by invoker:
- 401 Unauthorized response.
- body returned must accomplish ProblemDetails data structure, with:
- status 401
- title with message "Unauthorized"
- detail with message "Role not authorized for this API route".
- cause with message "User role must be provider".
-
Retrieve security context:
- 200 OK response.
- body returned must accomplish ServiceSecurity data structure.
- Check is this returned object match with created one.
Test Case 18: Revoke the authorization of the API invoker for APIs with invalid apiInvokerId.
Test ID:: capif_security_api-18
Description:
This test case will check that an API Exposure Function cannot revoke the authorization for APIs for invalid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register and onboard Invoker at CCF
- Register Provider at CCF
- Create Security Context
- Revoke Security Context by Provider
- Retrieve Security Context
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Create Security Context for this Invoker:
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
-
Revoke Authorization by Provider:
- Send POST https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}/delete
- body security notification body
- Using AEF Certificate.
-
Retrieve Security Context of Invoker by Provider:
- Send GET https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}?authenticationInfo=true&authorizationInfo=true
- This request will ask with parameter to retrieve authenticationInfo and authorizationInfo
- Using AEF Certificate.
Expected Result:
-
Revoke Security Context by invoker:
- 404 Not Found response.
- body returned must accomplish ProblemDetails data structure, with:
- status 404
- title with message "Not Found"
- detail with message "Invoker not found".
- cause with message "API Invoker not exists or invalid ID".
-
Retrieve security context:
- 200 OK response.
- body returned must accomplish ServiceSecurity data structure.
- Check is this return one object that match with created one.
Test Case 19: Retrieve access token
Test ID:: capif_security_api-19
Description:
This test case will check that an API Invoker can retrieve a security access token OAuth 2.0.
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerId)
- Service API of Provider is published
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token:
- body access token req body and example example
- securityId is apiInvokerId.
- grant_type=client_credentials.
- Create Scope properly for request: 3gpp#{aef_id}:{api_name}
- Using Invoker Certificate.
Expected Result:
- Response to Request of Access Token:
- 200 OK
- body must follow AccessTokenRsp with:
- access_token present
- token_type=Bearer
Test Case 20: Retrieve access token by Provider
Test ID:: capif_security_api-20
Description:
This test case will check that an API Exposure Function cannot revoke the authorization for APIs for invalid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority) and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by provider:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token:
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- Using AEF Certificate
Expected Result:
- Response to Request of Access Token:
- 401 Unauthorized response.
- body returned must accomplish AccessTokenErr data structure, with:
- error unauthorized_client
- error_description=Role not authorized for this API route
Test Case 21: Retrieve access token by Provider with invalid apiInvokerId
Test ID:: capif_security_api-21
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token without valid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Provider
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by provider:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{API_INVOKER_NOT_VALID}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- Using AEF Certificate
Expected Result:
- Response to Request of Access Token:
- 401 Unauthorized response.
- body returned must accomplish AccessTokenErr data structure, with:
- error unauthorized_client
- error_description=Role not authorized for this API route
Test Case 22: Retrieve access token with invalid apiInvokerId
Test ID:: capif_security_api-22
Description:
This test case will check that an API Invoker can't retrieve a security access token without valid apiInvokerId
Pre-Conditions:
- API Invoker is pre-authorised (has valid apiInvokerId)
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
- Perform Provider Registration and Invoker Onboarding
- Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
- Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
- Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
- Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{API_INVOKER_NOT_VALID}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 404 Not Found response.
- body returned must accomplish ProblemDetails29571 data structure, with:
- status 404
- title Not Found
- detail Security context not found
- cause API Invoker has no security context
NOTE: ProblemDetails29571 is the definition present for this request at swagger of ProblemDetails, and this is different from definition of ProblemDetails across other CAPIF Services
Test Case 23: Retrieve access token with invalid client_id
Test ID:: capif_security_api-23
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token without valid client_id at body
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- client_id is not-valid
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_client
- error_description=Client Id not found
Test Case 24: Retrieve access token with unsupported grant_type
Test ID:: capif_security_api-24
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with unsupported grant_type
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=not_valid
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error unsupported_grant_type
- error_description=Invalid value for
grant_type
\(${grant_type}\), must be one of \['client_credentials'\] - 'grant_type'
Test Case 25: Retrieve access token with invalid scope
Test ID:: capif_security_api-25
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with complete invalid scope
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=not-valid-scope
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=The first characters must be '3gpp'
Test Case 26: Retrieve access token with invalid aefid at scope
Test ID:: capif_security_api-26
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with invalid aefId at scope
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=3gpp#1234:*service_1*
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=One of aef_id not belongs of your security context
Test Case 27: Retrieve access token with invalid apiName at scope
Test ID:: capif_security_api-27
Description:
This test case will check that an API Exposure Function cannot retrieve a security access token with invalid apiName at scope
Pre-Conditions:
- API Invoker is pre-authorised and Provider is also authorized
Execution Steps:
- Register Provider at CCF, store certificates and Publish Service API service_1 at CCF
- Register and onboard Invoker at CCF
- Discover Service APIs by Invoker.
- Create Security Context According to Service APIs discovered.
- Request Access Token by Invoker
Information of Test:
-
Perform Provider Registration and Invoker Onboarding
-
Publish Service API at CCF:
- Send POST to ccf_publish_url https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis
- body [service api description] with apiName service_1
- Use APF Certificate
-
Request Discover Published APIs not filtered:
- Send GET to ccf_discover_url https://{CAPIF_HOSTNAME}/service-apis/v1/allServiceAPIs?api-invoker-id={apiInvokerId}
- Param api-invoker-id is mandatory
- Using Invoker Certificate
-
Create Security Context for this Invoker
- Send PUT https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}
- body service security body
- Using Invoker Certificate.
- Create Security Information Body with one securityInfo for each aef present at each serviceAPIDescription present at Discover.
-
Request Access Token by invoker:
- Sent POST https://{CAPIF_HOSTNAME}/securities/{securityId}/token.
- body access token req body
- securityId is apiInvokerId
- grant_type=client_credentials
- scope=3gpp#{aef_id}:not-valid
- Using Invoker Certificate
Expected Result:
- Response to Request of Access Token:
- 400 Bad Request response.
- body returned must accomplish AccessTokenErr data structure, with:
- error invalid_scope
- error_description=One of the api names does not exist or is not associated with the aef id provided