Merge pull request #18 from gematik/feature/more_OpenAPI

Feature/more open api

docs/tmp/ZETA_BDE.md

@@ -6,11 +6,19 @@ Die Erfassung der Betriebsdaten dient sowohl der **Betriebsüberwachung** als au
 
 ---
 
-### **HTTP Request-Daten (PEP, PDP, Auth Server, Client-Registry)**
-1. **Zweck**:
+### **HTTP Request-Daten**
+1. **Komponenten**
+   - PEP
+   - PDP
+     - Auth Server
+     - Client-Registry
+     - Policy Engine
+   - Notification Service
+   - Cluster Management Service
+2. **Zweck**:
    - **Betriebsüberwachung**: Identifikation von Bottlenecks, Fehlkonfigurationen und Auswertungen der Lastverteilung.
    - **Sicherheitsanalyse**: Erkennung unautorisierter Zugriffe, Anomalien und potenzieller Angriffe.
-2. **Erfasste Attribute**:
+3. **Erfasste Attribute**:
    - **Method**: Analyse der genutzten HTTP-Methoden.
    - **URL**: Optional, konfigurierbar (z. B. ob Parameter eingeschlossen werden), zur Analyse angefragter Ressourcen.
    - **Host**: Identifikation der Zielkomponenten.
@@ -99,6 +107,16 @@ Die Erfassung der Betriebsdaten dient sowohl der **Betriebsüberwachung** als au
 
 ---
 
+---
+
+## Offene Punkte
+
+- Soll auch ZETA Guard interne Kommunikation für BDE aufbereitet werden? Policy Decision ja; Zugriff auf DBs noch nicht geklärt.
+- Es soll auch Kommunikation von Moonitoring und SIEM des Anbieters zu ZETA Guard Komponenten für BDE aufbereitet werden
+- Es sollen Daten vom Cluster Management Service zum Zustand des Clusters an BDE geliefert werden (start und stop von Pods z. B.)
+
+---
+
 ## Anforderungen an den BDE-Server
 
 1. **Validierung**:

src/examples/tmp/open_telemetry_example.json

@@ -0,0 +1,113 @@
+[
+    {
+      "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+      "spanId": "00f067aa0ba902b7",
+      "parentSpanId": null,
+      "name": "HTTP GET /api/users",
+      "kind": "SERVER",
+      "startTimeUnixNano": "1678886400000000000",
+      "endTimeUnixNano": "1678886400150000000",
+      "attributes": {
+        "http.method": "GET",
+        "http.url": "https://api.example.com/api/users",
+        "http.target": "/api/users",
+        "http.host": "api.example.com",
+        "http.scheme": "https",
+        "http.status_code": 200,
+        "http.response_content_length": "1234",
+        "net.peer.ip": "192.168.1.10",
+        "net.peer.port": "443"
+      },
+      "status": {
+        "code": "OK"
+      }
+    },
+    {
+      "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+      "spanId": "74755584d576b4d9",
+      "parentSpanId": "00f067aa0ba902b7",
+      "name": "HTTP GET /api/users/123",
+      "kind": "CLIENT",
+      "startTimeUnixNano": "1678886400050000000",
+      "endTimeUnixNano": "1678886400100000000",
+      "attributes": {
+        "http.method": "GET",
+        "http.url": "https://internal-api/api/users/123",
+        "http.target": "/api/users/123",
+        "http.host": "internal-api",
+        "http.scheme": "https",
+        "http.status_code": 200,
+        "http.response_content_length": "256",
+        "net.peer.ip": "10.0.0.5",
+        "net.peer.port": "8080"
+      },
+      "status": {
+        "code": "OK"
+      }
+    },
+    {
+      "traceId": "8a3c60f7d4dff4d6b2f9f8e7d8d7c8f7",
+      "spanId": "245fa4b9655567cd",
+      "parentSpanId": null,
+      "name": "HTTP POST /api/orders",
+      "kind": "SERVER",
+      "startTimeUnixNano": "1678886401000000000",
+      "endTimeUnixNano": "1678886401500000000",
+      "attributes": {
+        "http.method": "POST",
+        "http.url": "https://api.example.com/api/orders",
+        "http.target": "/api/orders",
+        "http.host": "api.example.com",
+        "http.scheme": "https",
+        "http.status_code": 201,
+        "http.request_content_length": "567",
+        "net.peer.ip": "192.168.1.20",
+        "net.peer.port": "443"
+      },
+      "status": {
+        "code": "OK"
+      }
+    },
+    {
+      "traceId": "8a3c60f7d4dff4d6b2f9f8e7d8d7c8f7",
+      "spanId": "195ee4b965556711",
+      "parentSpanId": "245fa4b9655567cd",
+      "name": "database.query",
+      "kind": "CLIENT",
+      "startTimeUnixNano": "1678886401100000000",
+      "endTimeUnixNano": "1678886401400000000",
+      "attributes": {
+        "db.system": "postgresql",
+        "db.statement": "INSERT INTO orders (user_id, product_id) VALUES ($1, $2)",
+        "net.peer.ip": "10.0.0.10",
+        "net.peer.port": "5432"
+      },
+      "status": {
+        "code": "OK"
+      }
+    },
+    {
+      "traceId": "f4a7b8c9d0e1f23456789abcdef01234",
+      "spanId": "c3d4e5f6a7b89012",
+      "parentSpanId": null,
+      "name": "HTTP GET /api/products/99",
+      "kind": "SERVER",
+      "startTimeUnixNano": "1678886402000000000",
+      "endTimeUnixNano": "1678886402200000000",
+      "attributes": {
+        "http.method": "GET",
+        "http.url": "https://api.example.com/api/products/99",
+        "http.target": "/api/products/99",
+        "http.host": "api.example.com",
+        "http.scheme": "https",
+        "http.status_code": 404,
+        "http.response_content_length": "42",
+        "net.peer.ip": "192.168.1.30",
+        "net.peer.port": "443"
+      },
+      "status": {
+        "code": "ERROR",
+        "message": "Not Found"
+      }
+    }
+  ]

src/openapi/as_par_endpoint.yaml

@@ -1,14 +1,14 @@
 openapi: 3.0.0
 info:
-  title: OAuth 2.0 Pushed Authorization Request Endpoint (RFC 8628 Section 3)
+  title: OAuth 2.0 Pushed Authorization Requests (PAR) Endpoint (RFC 9126)
   version: 1.0.0
 servers:
   - url: https://as.example.com
 paths:
   /par:
     post:
-      summary: Push authorization request payload
-      description: Enables clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint. 
+      summary: Submit an authorization request to the PAR endpoint
+      description: This endpoint allows clients to push the payload of an OAuth 2.0 authorization request directly to the authorization server.
       requestBody:
         content:
           application/x-www-form-urlencoded:
@@ -17,37 +17,43 @@ paths:
               properties:
                 response_type:
                   type: string
-                  description: The requested response type. Must be set to "code" for requesting an authorization code.
-                  enum: [code]
+                  description: REQUIRED. OAuth 2.0 Response Type value.
                 client_id:
                   type: string
-                  description: The client identifier issued to the client during the registration process.
+                  description: REQUIRED. The client identifier as described in Section 2.2 of RFC 6749.
                 redirect_uri:
                   type: string
-                  description: The URI to which the authorization server redirects the user-agent after authorization.
-                  format: uri
+                  description: OPTIONAL. As described in Section 3.1.2 of RFC 6749.
                 scope:
                   type: string
-                  description: The scope of the access request.
+                  description: OPTIONAL. The scope of the access request as described by Section 3.3 of RFC 6749.
                 state:
                   type: string
-                  description: An opaque value used by the client to maintain state between the request and callback.
-                # ... all other applicable authorization request parameters and client authentication parameters
+                  description: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
+                code_challenge:
+                  type: string
+                  description: OPTIONAL. PKCE code challenge as described in RFC 7636.
+                code_challenge_method:
+                  type: string
+                  description: OPTIONAL. PKCE code challenge method as described in RFC 7636.
+                request:
+                  type: string
+                  description: OPTIONAL. JWT-encoded request object as defined in RFC 9101.
               required:
                 - response_type
                 - client_id
-                - redirect_uri
+
       responses:
         201:
-          description: Successful response with request URI.
+          description: The authorization request has been successfully processed.
           content:
             application/json:
               schema:
                 type: object
                 properties:
                   request_uri:
                     type: string
-                    description: The request URI corresponding to the posted authorization request.
+                    description: The request URI that can be used to reference the pushed authorization request at the authorization endpoint.
                   expires_in:
                     type: integer
                     description: The lifetime in seconds of the request URI.
@@ -67,3 +73,11 @@ paths:
                   error_uri:
                     type: string
                     description: A URI pointing to a web page with more information about the error.
+        401:
+          description: Unauthorized. Client authentication failed.
+        405:
+          description: Method Not Allowed. The method is not POST.
+        413:
+          description: Payload Too Large. The request size exceeds the allowed limit.
+        429:
+          description: Too Many Requests. The client has exceeded the allowed request rate.

src/plantuml/sm-b-auth.puml

@@ -13,15 +13,15 @@ box "LEI" #GhostWhite
   participant SMB as "SM-B"
 end box
 
-box "Betreiber" #TECHNOLOGY
-  box "ZT Cluster" #SandyBrown
+box "Anbieter" #TECHNOLOGY
+  box "ZETA Guard" #SandyBrown
     participant HP as "PEP\nhttp Proxy"
     participant AS as "PDP\nAuthorization Server" 
     participant PE as "PDP\nPolicy Engine"
-  endbox
-   box TI 2.0 Dienst #DarkSeaGreen
-    participant RS as "Resource Server"
-  endbox
+  end box
+    box TI 2.0 Dienst #DarkSeaGreen
+      participant RS as "Resource Server"
+    end box
 end box
 
 activate Client
@@ -31,10 +31,10 @@ alt Client has no Authorization Server FQDN (AS-FQDN) but Resource Server FQDN (
   HP --> Client: Client: 200 OK; json body with Well-Known json Document (RFC8414)
   deactivate HP
 else Client has Authorization Server FQDN
-  Client -> HP: GET /.well-known/oauth-authorization-server Host: AS-FQDN
-  activate HP
-  HP --> Client: 200 OK; json body with Well-Known json Document (RFC8414)
-  deactivate HP
+  Client -> AS: GET /.well-known/oauth-authorization-server Host: AS-FQDN
+  activate AS
+  AS --> Client: 200 OK; json body with Well-Known json Document (RFC8414)
+  deactivate AS
 end
 
 Client -> Client: generate DPoP key pair

src/plantuml/tmp/client_assertion_jwt_authentication.puml

@@ -0,0 +1,23 @@
+@startuml "Client_Assertion_JWT_Authentication"
+participant Client
+participant AS
+participant RS
+
+Client -> AS: Clientregistrierung (mit public key)
+activate AS
+AS --> Client: client_id
+deactivate AS
+
+Client -> AS: Token Request mit JWT client_assertion und DPoP Header
+activate AS
+note right: Client Authentifizierung\n mit JWT und Benutzerinformationen
+AS --> Client: Access Token (DPoP gebunden)
+deactivate AS
+
+Client -> RS: Zugriff auf Ressource mit Access Token und DPoP Header
+activate RS
+note right: Zugriffsschutz\n mit DPoP
+RS --> Client: Ressource
+deactivate RS
+
+@enduml