Skip to content

fix(pcf): add missing auth middleware to smPolicyGroup and uePolicyGroup#63

Open
solar224 wants to merge 1 commit intofree5gc:mainfrom
solar224:fix/pcf-smpolicy-auth-middleware
Open

fix(pcf): add missing auth middleware to smPolicyGroup and uePolicyGroup#63
solar224 wants to merge 1 commit intofree5gc:mainfrom
solar224:fix/pcf-smpolicy-auth-middleware

Conversation

@solar224
Copy link
Contributor

@solar224 solar224 commented Mar 5, 2026
edited
Loading

@c9274326 @roundspring2003 PTAL

Problem

In NewServer(), smPolicyGroup and uePolicyGroup are registered without RouterAuthorizationCheck middleware:

// internal/sbi/server.go (before)
smPolicyGroup := s.router.Group(factory.PcfSMpolicyCtlResUriPrefix)
applyRoutes(smPolicyGroup, smPolicyRoutes) // no .Use(auth)

All other PCF service groups (amPolicyGroup, bdtPolicyGroup, oamGroup, policyAuthorizationGroup) attach auth middleware before registering routes. The missing middleware allows unauthenticated requests to bypass the 401 rejection and reach business handlers directly. When session context exists, an unauthenticated GET /npcf-smpolicycontrol/v1/sm-policies/{id} returns 200 with context.supi in the response body.

Fix

Add RouterAuthorizationCheck middleware to both groups, following the same pattern used by the other groups:

// internal/sbi/server.go
  smPolicyGroup := s.router.Group(factory.PcfSMpolicyCtlResUriPrefix)
+ smRouterAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_SMPOLICYCONTROL)
+ smPolicyGroup.Use(func(c *gin.Context) {
+     smRouterAuthorizationCheck.Check(c, s.Context())
+ })
  ...
  
  applyRoutes(smPolicyGroup, smPolicyRoutes)
  uePolicyGroup := s.router.Group(factory.PcfUePolicyCtlResUriPrefix)
+ uePolicyRouterAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_UE_POLICY_CONTROL)
+ uePolicyGroup.Use(func(c *gin.Context) {
+     uePolicyRouterAuthorizationCheck.Check(c, s.Context())
+ })
  applyRoutes(uePolicyGroup, uePolicyRoutes)

Unauthenticated requests to all Npcf_SMPolicyControl endpoints now receive 401 before any business logic is executed.
Fixes: free5gc/free5gc#844

@solar224
fix(pcf): add missing auth middleware to smPolicyGroup and uePolicyGroup
599803b 
Npcf_SMPolicyControl and Npcf_UEPolicyControl route groups were
registered without RouterAuthorizationCheck middleware, allowing
unauthenticated requests to reach business handlers directly.

Add auth middleware to both groups following the same pattern used
by amPolicyGroup, bdtPolicyGroup, oamGroup, and policyAuthorizationGroup.
Unauthenticated requests now receive 401 before any business logic runs.

Fixes: unauthenticated access exposing subscriber SUPI via GET
/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bugs] PCF Npcf_SMPolicyControl lacks auth middleware: unauthenticated requests reach handlers and can expose subscriber SUPI

1 participant

@solar224