From 7c014837b7d2504fbb04d426173ef61660618ab8 Mon Sep 17 00:00:00 2001 From: Jose Luis Urien Date: Fri, 2 Aug 2024 12:41:45 +0200 Subject: [PATCH] Aligned with #326 --- ...d-provision.yaml => qod-provisioning.yaml} | 255 ++++++++++++------ 1 file changed, 168 insertions(+), 87 deletions(-) rename code/API_definitions/{qod-provision.yaml => qod-provisioning.yaml} (76%) diff --git a/code/API_definitions/qod-provision.yaml b/code/API_definitions/qod-provisioning.yaml similarity index 76% rename from code/API_definitions/qod-provision.yaml rename to code/API_definitions/qod-provisioning.yaml index 98aaa5c303..fb81cfa5d2 100644 --- a/code/API_definitions/qod-provision.yaml +++ b/code/API_definitions/qod-provisioning.yaml @@ -13,7 +13,7 @@ info: Latency, throughput or priority requirements of the application mapped to relevant QoS profile values. The set of QoS Profiles that an operator is offering can be retrieved by means of the [QoS Profile API](link TBC). * **Identifier for the device**: - At least one identifier for the device (user equipment) out of four options: IPv4 address, IPv6 address, Phone number, or Network Access Identifier assigned by the network operator for the device, at the request time. When multiple identifiers are provided, they must identify the same device. After the provisioning request is accepted, the device may get different IP addresses, but the provisioning will still apply to the device that was identified during the request process.between the device and the network. + At least one identifier for the device (user equipment) out of four options: IPv4 address, IPv6 address, Phone number, or Network Access Identifier assigned by the network operator for the device, at the request time. After the provisioning request is accepted, the device may get different IP addresses, but the provisioning will still apply to the device that was identified during the request process. Note: Network Access Identifier is defined for future use and will not be supported with v0.1 of the API. * **Notification URL and token**: Developers may provide a callback URL on which notifications about all status change events (eg. provisioning termination) can be received from the service provider. This is an optional parameter. @@ -26,23 +26,47 @@ info: - An operation to get the QoD provisioning for a given device. - An operation to terminate a QoD provisioning, identified by its `provisioningId`. + # Authorization and Authentication - ### Authorization and authentication + [Camara Security and Interoperability Profile](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md) provides details on how a client requests an access token. - CAMARA guidelines defines a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document [CAMARA-API-access-and-user-consent.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md). Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation. + Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation. It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. - termsOfService: http://swagger.io/terms/ - contact: - email: project-email@sample.com + # Identifying a device from the access token + + This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API. + + ## Handling of device information: + + ### Optional device object for 3-legged tokens: + + - When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations. + + ### Validation mechanism: + + - The server will extract the device identification from the access token, if available. + - If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token. + - If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token. + + ### Error handling for unidentifiable devices: + + - If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error. + + ### Restrictions for tokens without an associated authenticated identifier: + + - For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens. license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html version: wip + x-camara-commonalities: 0.4.0 + externalDocs: - description: Product documentation at Camara - url: https://github.com/camaraproject/ + description: Project documentation at CAMARA + url: https://github.com/camaraproject/QualityOnDemand + servers: - url: "{apiRoot}/qod-provisioning/vwip" variables: @@ -51,7 +75,8 @@ servers: description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath` tags: - name: QoD Provisioning - description: Manage the provisioning of QoD + description: Manage the permanent provisioning of QoD + paths: /device-qos: post: @@ -67,8 +92,13 @@ paths: - If the request includes a webhook, the client will receive a `status-changed` event with the outcome of the process. The event will be sent also for synchronous operations. - NOTE: When the provisioning status becomes `UNAVAILABLE`, the QoD provisioning resource is not immediately released, but will get deleted automatically, at earliest 360 seconds after. + **NOTES:** + - When the provisioning status becomes `UNAVAILABLE`, the QoD provisioning resource is not immediately released, but will get deleted automatically, at earliest 360 seconds after. + This behavior allows clients which are not receiving notification events but are polling, to get the provisioning status information. Before a client can attempt to create a new QoD provisioning for the same device, they must release the provisioning resources with an explicit `delete` operation if not yet automatically deleted. + - The access token may be either 2-legged or 3-legged. + - If a 3-legged access token which is associated with a device is used, it is recommended NOT to include the `device` parameter in the request (see "Handling of device information" within the API description for details). + - If a 2-legged access token is used, the device parameter must be provided and identify a device. operationId: createProvisioning parameters: @@ -137,11 +167,13 @@ paths: "403": $ref: "#/components/responses/Generic403" "404": - $ref: "#/components/responses/DeviceNotFound404" + $ref: "#/components/responses/GenericDevice404" "409": $ref: "#/components/responses/ProvisioningConflict409" "422": $ref: "#/components/responses/Generic422" + "429": + $ref: "#/components/responses/Generic429" "500": $ref: "#/components/responses/Generic500" "503": @@ -155,7 +187,13 @@ paths: tags: - QoD Provisioning summary: Get QoD provisioning information - description: Querying for QoD provisioning resource information details + description: | + Querying for QoD provisioning resource information details + + **NOTES:** + - The access token may be either 2-legged or 3-legged. + - If a 3-legged access token is used, the end user (and device) associated with the QoD provisioning must also be associated with the access token. + - The QoD provisioning must have been created by the same API client given in the access token. operationId: getProvisioningById parameters: - $ref: "#/components/parameters/provisioningId" @@ -175,6 +213,8 @@ paths: $ref: "#/components/examples/PROVISIONING_AVAILABLE" PROVISIONING_UNAVAILABLE: $ref: "#/components/examples/PROVISIONING_UNAVAILABLE" + PROVISIONING_AVAILABLE_WITHOUT_DEVICE: + $ref: "#/components/examples/PROVISIONING_AVAILABLE_WITHOUT_DEVICE" "400": $ref: "#/components/responses/Generic400" "401": @@ -183,6 +223,8 @@ paths: $ref: "#/components/responses/Generic403" "404": $ref: "#/components/responses/Generic404" + "429": + $ref: "#/components/responses/Generic429" "500": $ref: "#/components/responses/Generic500" "503": @@ -202,6 +244,11 @@ paths: - `status` as `UNAVAILABLE` and - `statusInfo` as `DELETE_REQUESTED` There will be no notification event if the `status` was already `UNAVAILABLE`. + + **NOTES:** + - The access token may be either 2-legged or 3-legged. + - If a 3-legged access token is used, the end user (and device) associated with the QoD provisioning must also be associated with the access token. + - The QoD provisioning must have been created by the same API client given in the access token. operationId: deleteProvisioning parameters: - $ref: "#/components/parameters/provisioningId" @@ -229,6 +276,8 @@ paths: $ref: "#/components/responses/Generic403" "404": $ref: "#/components/responses/Generic404" + "429": + $ref: "#/components/responses/Generic429" "500": $ref: "#/components/responses/Generic500" "503": @@ -237,13 +286,20 @@ paths: - openId: - "qod-provisioning:device-qos:delete" - /device-qos/retrieve: + /retrieve-device-qos: post: tags: - QoD Provisioning - summary: Gets the QoD provisioning for a given device + summary: Gets the QoD provisioning for a device description: | - Retrieves the QoD provisioning for a given device. + Retrieves the QoD provisioning for a device. + + **NOTES:** + - The access token may be either 2-legged or 3-legged. + - If a 3-legged access token is used, the end user (and device) associated with the QoD provisioning must also be associated with the access token. In this case it is recommended NOT to include the `device` parameter in the request (see "Handling of device information" within the API description for details). + - If a 2-legged access token is used, the device parameter must be provided and identify a device. + - The QoD provisioning must have been created by the same API client given in the access token. + - If no provisioning is found for the device, an error response 404 is returned with code "NOT_FOUND". operationId: retrieveProvisioningByDevice parameters: - $ref: "#/components/parameters/x-correlator" @@ -252,11 +308,10 @@ paths: content: application/json: schema: - $ref: "#/components/schemas/RetrieveProvisioning" - required: true + $ref: "#/components/schemas/RetrieveProvisioningByDevice" responses: "200": - description: Returns information about QoS provisioning for the device. If no provisioning is found for the device, an error response 404 is returned with code "PROVISIONING_NOT_FOUND". + description: Returns information about QoS provisioning for the device. headers: x-correlator: $ref: "#/components/headers/x-correlator" @@ -267,6 +322,8 @@ paths: examples: PROVISIONING_AVAILABLE: $ref: "#/components/examples/PROVISIONING_AVAILABLE" + PROVISIONING_AVAILABLE_WITHOUT_DEVICE: + $ref: "#/components/examples/PROVISIONING_AVAILABLE_WITHOUT_DEVICE" "400": $ref: "#/components/responses/Generic400" "401": @@ -274,16 +331,18 @@ paths: "403": $ref: "#/components/responses/Generic403" "404": - $ref: "#/components/responses/RetrieveProvisioning404" + $ref: "#/components/responses/GenericDevice404" "422": $ref: "#/components/responses/Generic422" + "429": + $ref: "#/components/responses/Generic429" "500": $ref: "#/components/responses/Generic500" "503": $ref: "#/components/responses/Generic503" security: - openId: - - "qod-provisioning:device-qos:read" + - "qod-provisioning:device-qos:read-by-device" components: securitySchemes: @@ -351,11 +410,13 @@ components: example: "c8974e592c2fa383d4a3960714" description: Authentication token for callback API required: - - device - qosProfile ProvisioningInfo: - description: Provisioning related information. + description: | + Provisioning related information returned in responses. + Optional device object only to be returned if provided in createProvisioning. If more than one type of device identifier was provided, only one identifier will be returned (at implementation choice and with the original value provided in createProvisioning). + Please note that IP addresses of devices can change and get reused, so the original values may no longer identify the same device. They identified the device at the time of QoD provisioning creation. allOf: - $ref: "#/components/schemas/BaseProvisioningInfo" - type: object @@ -380,14 +441,12 @@ components: allOf: - $ref: "#/components/schemas/BaseProvisioningInfo" - RetrieveProvisioning: + RetrieveProvisioningByDevice: description: Attributes to look for QoD provisioning type: object properties: device: $ref: "#/components/schemas/Device" - required: - - device Port: description: TCP or UDP port number @@ -499,7 +558,8 @@ components: * `phoneNumber` * `networkAccessIdentifier` - NOTE: the MNO might support only a subset of these options. The API invoker can provide multiple identifiers to be compatible across different MNOs. In this case the identifiers MUST belong to the same device + NOTE1: the MNO might support only a subset of these options. The API invoker can provide multiple identifiers to be compatible across different MNOs. In this case the identifiers MUST belong to the same device + NOTE2: for the Commonalities release v0.4, we are enforcing that the networkAccessIdentifier is only part of the schema for future-proofing, and CAMARA does not currently allow its use. After the CAMARA meta-release work is concluded and the relevant issues are resolved, its use will need to be explicitly documented in the guidelines. type: object properties: phoneNumber: @@ -695,6 +755,48 @@ components: code: NOT_FOUND message: "{{resource}} is not found" + GenericDevice404: + description: Not found + headers: + x-correlator: + $ref: "#/components/headers/x-correlator" + content: + application/json: + schema: + $ref: "#/components/schemas/ErrorInfo" + examples: + GENERIC_404_NOT_FOUND: + summary: Generic Not Found + description: Resource is not found + value: + status: 404 + code: NOT_FOUND + message: "{{resource}} is not found" + GENERIC_404_DEVICE_NOT_FOUND: + description: Device identifier not found + value: + status: 404 + code: DEVICE_NOT_FOUND + message: Device identifier not found. + + ProvisioningConflict409: + description: Provisioning conflict + headers: + x-correlator: + $ref: "#/components/headers/x-correlator" + content: + application/json: + schema: + $ref: "#/components/schemas/ErrorInfo" + examples: + PROVISIONING_409_CONFLICT: + summary: Provisioning Conflict + description: The requested provisioning conflicts with an existing one + value: + status: 409 + code: CONFLICT + message: "There is another existing provisioning for the same device" + Generic422: description: Unprocessable entity headers: @@ -733,6 +835,35 @@ components: status: 422 code: UNSUPPORTED_DEVICE_IDENTIFIERS message: "Supported device supported are: ..." + GENERIC_422_UNIDENTIFIABLE_DEVICE: + description: Service is not available for the provided device + value: + status: 422 + code: UNIDENTIFIABLE_DEVICE + message: The device cannot be identified. + + Generic429: + description: Too Many Requests + headers: + x-correlator: + $ref: "#/components/headers/x-correlator" + content: + application/json: + schema: + $ref: "#/components/schemas/ErrorInfo" + examples: + GENERIC_429_QUOTA_EXCEEDED: + description: Request is rejected due to exceeding a business quota limit + value: + status: 429 + code: QUOTA_EXCEEDED + message: Either out of resource quota or reaching rate limiting. + GENERIC_429_TOO_MANY_REQUESTS: + description: API Server request limit is overpassed + value: + status: 429 + code: TOO_MANY_REQUESTS + message: Either out of resource quota or reaching rate limiting. Generic500: description: Internal server error @@ -770,67 +901,6 @@ components: code: UNAVAILABLE message: "Service unavailable" - DeviceNotFound404: - description: Device not found - headers: - x-correlator: - $ref: "#/components/headers/x-correlator" - content: - application/json: - schema: - $ref: "#/components/schemas/ErrorInfo" - examples: - ERROR_404_DEVICE_NOT_FOUND: - summary: Some identifier cannot be matched to a device - description: One or more of the provided device identifiers do not match any device - value: - status: 404 - code: DEVICE_NOT_FOUND - message: "No device found for a provided identifier" - - RetrieveProvisioning404: - description: Device or provisioning not found - headers: - x-correlator: - $ref: "#/components/headers/x-correlator" - content: - application/json: - schema: - $ref: "#/components/schemas/ErrorInfo" - examples: - ERROR_404_DEVICE_NOT_FOUND: - summary: Some identifier cannot be matched to a device - description: One or more of the provided device identifiers do not match any device - value: - status: 404 - code: DEVICE_NOT_FOUND - message: "No device found for a provided identifier" - ERROR_404_PROVISIONING_NOT_FOUND: - summary: No provisioning found for the device - description: The provided device is valid but does not have any provisioning - value: - status: 404 - code: PROVISIONING_NOT_FOUND - message: "No provisioning found for the provided device" - - ProvisioningConflict409: - description: Provisioning conflict - headers: - x-correlator: - $ref: "#/components/headers/x-correlator" - content: - application/json: - schema: - $ref: "#/components/schemas/ErrorInfo" - examples: - PROVISIONING_409_CONFLICT: - summary: Provisioning Conflict - description: The requested provisioning conflicts with an existing one - value: - status: 409 - code: CONFLICT - message: "There is another existing provisioning for the same device" - examples: PROVISIONING_AVAILABLE: summary: QoD provisioning status is available @@ -862,6 +932,17 @@ components: status: UNAVAILABLE statusInfo: NETWORK_TERMINATED + PROVISIONING_AVAILABLE_WITHOUT_DEVICE: + summary: QoD provisioning status is available but no device information is provided + description: Device is optional in responses and must not be provided if it was not provided in the request + value: + qosProfile: QOS_M + webhook: + notificationUrl: https://application-server.com + provisioningId: 3fa85f64-5717-4562-b3fc-2c963f66afa6 + startedAt: 2024-05-12T17:32:01Z + status: AVAILABLE + PROVISIONING_STATUS_CHANGED_EXAMPLE: description: Provisioning status changed summary: Cloud event example for QoD provisioning status change to UNAVAILABLE due to NETWORK_TERMINATED