1. Security Edge Protection Proxy (SEPP) Cloud Native User's Guide
  2. Configuring SEPP using rules

2 Configuring SEPP using rules

NF-Mediation Reloading ConfigMap, if in case any updates made in the Rules.

  • Tool NF Mediation Download Tool can be used to download the rule config map in a folder (folder name will be configmap name). It needs namespace as well as required configmap name. These rules then can be changed accordingly.
  • Tool NF Mediation Upload Tool can be used to upload the rule config map from the existing config map folder. It needs namespace as well as required configmap name to be uploaded.
  • If rules changed on NF active mediation then use "<release-name>-nf-mediation-config-active" as the name of the configmap.
  • If rules changed on NF test mediation then use "<release-name>-nf-mediation-config-test" as the name of the configmap.

Configure SEPP using rules

Following is the procedure to configure SEPP using rules:
  1. Login to the node where you want to update the SEPP config map.
  2. Execute rules download script to download the existing config map. Refer to NF Mediation Download Toolfor download script.
  3. Edit the config map with new values.
  4. Execute rules upload script to upload the new config map. Refer to NF Mediation Upload Tool for upload script. The modifcation in the new rules can be in the headers or the body of the request or response sent to mediation.

NF Mediation Download Tool

Following is the rule for downloading NF mediation:
#!/bin/sh

read -p "Enter a valid Namespace name: " in_namespace
read -p "Enter a valid rules ConfigMap Name: " in_config

if ( [ -z "$in_namespace" ] || [ -z "$in_config" ] )
then 
  	echo "Namespace/ConfigMap can not be empty"
else
 	#default_namespace="seppsvc"
	#namespace=${in_namespace:-$default_namespace}
 
	mkdir -p $in_config
	cd $in_config
 
	kubectl get cm $in_config -n $in_namespace -o json > rule_file
 
	 for i in $(jq -r '.data | keys | .[]' rule_file);
	 do
		 j=$(echo $i | sed 's/\./\\./g')
		 var="{.data."$j"}"
		 kubectl get cm $in_config -n $in_namespace -o jsonpath=$var > $i
	 done
	 rm -rf rule_file
        
	 cd ../../../
fi

NF Mediation Upload Tool

Following is the rule for uploading the NF mediation:
#!/bin/sh

read -p "Enter a valid Namespace name: " in_namespace
read -p "Enter a valid rules ConfigMap Name: " in_config

if ( [ -z "$in_namespace" ] || [ -z "$in_config" ] )
then 
  	echo "Namespace/ConfigMap can not be empty"
else
 	#default_namespace="seppsvc"
	#namespace=${in_namespace:-$default_namespace}
 
	#mkdir -p $in_config
	#cd $in_config
	
	folder_name="$in_config/"
	#echo $folder_name
	kubectl create configmap $in_config -n $in_namespace  --dry-run -o yaml --from-file=$folder_name| kubectl replace -f - 
fi

NF-Mediation Rule Configuration

Following are the sample mediation rules.

Roaming Partner

Following is the sample rule to configure roaming partner:

rule "Roaming-partner-1"
when
    req : Request(body.get("$.dataToIntegrityProtectBlock.requestLine.path") == "nnrf-disc/v1/nf-instances")
then
   req.headers.add("x-destination-uri", "http://psepp-stub-service.default:8084/sepp/ipx/testing/server")
end

Modification operation

Following is the sample rule to add Modification Oparation:

rule "Modification-policy"
when
    rsp : Response(body.has("$..metaData.authorizedIpxId", "ipx.oracle.com") && body.has("$..statusLine","HTTP/2 200 OK"))
then
    String iePath1 = rsp.body.absPath("$..payload","iePath", "/nfInstances/0/fqdn")
    String iePath2 = rsp.body.absPath("$..payload","iePath", "/nfInstances/0/ausfInfo/supiRanges/0/start")
    rsp.body.put("$.modifications","operations",operation("ADD", "dataToIntegrityProtectBlock/payload", null, "['/validity','BODY','400']"))
    rsp.body.put("$.modifications","operations",operation("REMOVE", "dataToIntegrityProtectBlock"+iePath1,null, null))
    rsp.body.add("$.modifications.operations",operation("REPLACE", "dataToIntegrityProtectBlock"+iePath2,null, "20"))
end

Common functions

Following is the sample rule to add the mediation rules:
function Map<Object, Object> addObject() {
        return new HashMap<Object, Object>();
}
 
function ArrayList<Object> addArray() {
        return new  ArrayList<Object>();
}
 
function Map<String,Object> operation(String op,
                                                  String path,
                                                  String from,
                                                  Object value) {
        Map< String,Object> operationObj = new HashMap< String,Object>();
        operationObj.put("op", op);
        operationObj.put("path", path);
        operationObj.put("from", from);
        operationObj.put("value", value);
        return operationObj;
}

Common rules

Following is a common rule sample file.
rule "Ipx-Add-Modification-block-If-Not-Found"
      salience 3
when
    req : Request(body.has("$.modifications") == false)
then
        req.body.put("$", "modifications", addObject())
        req.body.put("$.modifications", "operations", addArray())
end
 
 
rule "Ipx-Add-Operations-Array-If-Not-Found"
      salience 4
when
    req : Request(body.has("$.modifications.operations") == false)
then
        req.body.put("$.modifications", "operations", addArray())
end
 
rule "Ipx-Add-Modification-block-If-Not-Found-Rsp"
      salience 5
when
    rsp : Response(body.has("$.modifications") == false)
then
        rsp.body.put("$", "modifications", addObject())
        rsp.body.put("$.modifications", "operations", addArray())
end
 
rule "Ipx-Add-Operations-Array-If-Not-Found-Rsp"
      salience 6
when
    rsp : Response(body.has("$.modifications.operations") == false)
then
        rsp.body.put("$.modifications", "operations", addArray())
end

Custom rules

Following is the custom rule sample file.
rule "IPX-Sample Rule Behave1"
when
    rsp : Response(body.has("$..metaData.authorizedIpxId", "ipx.oracle.com") && body.has("$..statusLine","HTTP/2 200 OK"))
then
    String iePath1 = rsp.body.absPath("$..payload","iePath", "/nfInstances/0/fqdn")
    String iePath2 = rsp.body.absPath("$..payload","iePath", "/nfInstances/0/ausfInfo/supiRanges/0/start")
    rsp.body.put("$.modifications","operations",operation("ADD", "dataToIntegrityProtectBlock/payload", null, "['/validity','BODY','400']"))
    rsp.body.put("$.modifications","operations",operation("REMOVE", "dataToIntegrityProtectBlock"+iePath1,null, null))
    rsp.body.add("$.modifications.operations",operation("REPLACE", "dataToIntegrityProtectBlock"+iePath2,null, "20"))
end
 
rule "IPX-Sample Rule Behave2"
when
    rsp : Response(body.has("$..metaData.authorizedIpxId", "ipx.oracle.com") && body.has("$..statusLine","HTTP/2 200 OK") && body.has("$..headers[*].header","content-type"))
then
    String iePath = rsp.body.absPath("$..headers","header", "content-type")
    rsp.body.add("$.modifications.operations",operation("ADD", "dataToIntegrityProtectBlock/headers", null, "['Content-type','charset=UTF-8']"))
    rsp.body.add("$.modifications.operations",operation("ADD", "dataToIntegrityProtectBlock/headers",null, "['Content-type','text/plain']"))
    rsp.body.add("$.modifications.operations",operation("REMOVE", "dataToIntegrityProtectBlock"+iePath,null, null))
end
 
rule "IPX-Sample Rule Behave4"
when
    rsp : Response(body.has("$..metaData.authorizedIpxId", "ipx.oracle.com") && body.has("$..statusLine","HTTP/2 200 OK") && body.has("$..payload[*].iePath","/nfInstances/0/ausfInfo/supiRanges/0/end"))
then
    String iePath = rsp.body.absPath("$..payload","iePath", "/nfInstances/0/ausfInfo/supiRanges/0/end")
    rsp.body.add("$.modifications.operations",operation("REMOVE", "dataToIntegrityProtectBlock"+iePath, null, null))
end