adding MC ATP yaml

[DT-DawidWroblewski]

No description provided.

[patrice-conil]

This openapi definition is incorrect, you need to check semantic and syntax erors using https://editor.swagger.io/.
For axample in schemas you need to group "required" attribute in a separate section.

    atpTimestamp:
      type: object
      properties:
        simChange:
          type: string
          required: true
          example: 'simChange: 2022-12-06'
        isUncontidionalCallDivertActive:
          type: string
          required: false

should be

    atpTimestamp:
      type: object
      properties:
        simChange:
          type: string
          example: 'simChange: 2022-12-06'
        isUncontidionalCallDivertActive:
          type: string
        required: 
          - simChange

I can help to fix these issues.

[jlurien]

I made a quick review with some comments for your consideration.
You can check also these errors at https://editor.swagger.io/#/:

Semantic error at security.0
Security requirements must match a security definition
Jump to line 118
Semantic error at security.1
Security requirements must match a security definition
Jump to line 119

[jlurien]

/token endpoint is part of the authentication flow and should not be here. All paths in this yaml file are supposed to have a common server and base path, so implementation could not hace distinct servers for /token and other resources

[bigludo7]

In CAMARA numberVerify proposal we have endpoints for /authorize & /token. We should have same pattern everywhere.
As this proposal is based on MC I'm fine with these endpoints but probably we could add a comment to indicate that they could be in a distinct server as mentionned by @jlurien

BTW, @jlurien in QoD API we have in the same swagger for both /sessions & notifications and they will not be implemented in same server.

[DT-DawidWroblewski]

We should leave this comment inside swagger or in MD file?

[jlurien]

I would document it in both. Problems with yaml may rise when some client library try to genere code directly from yaml definition. We should be more careful with these aspects across all APIs when final v1 versions are released.

[jlurien]

this property is not listed above

[DT-DawidWroblewski]

Yep - I saw this and fixing the swagger.

________________________________ From: Jose Luis Urien ***@***.***> Sent: Thursday, December 15, 2022 6:11:57 PM To: camaraproject/SimSwap ***@***.***> Cc: Wróblewski Dawid ***@***.***>; Author ***@***.***> Subject: Re: [camaraproject/SimSwap] adding MC ATP yaml (PR #8) SECURITY WARNING: Ta wiadomość pochodzi z zewnętrznego źródła - uważaj na załączniki i linki. Jeśli wiadomość wyda Ci się podejrzana zgłoś incydent. This email is from an external source - be careful of attachments and links. Please follow good practices and report suspicious emails. @jlurien commented on this pull request. I made a quick review with some comments for your consideration. You can check also these errors at https://editor.swagger.io/#/: Semantic error at security.0 Security requirements must match a security definition Jump to line 118 Semantic error at security.1 Security requirements must match a security definition Jump to line 119

________________________________ In code/API_definitions/MC_ATP.yaml<#8 (comment)>:

@@ -0,0 +1,160 @@

+openapi: 3.0.0 +info: + title: CAMARA simSwap ⬇️ Suggested change - title: CAMARA simSwap + title: SIM Swap It is the approved name for the API

________________________________ In code/API_definitions/MC_ATP.yaml<#8 (comment)>:

@@ -0,0 +1,160 @@

+openapi: 3.0.0 +info: + title: CAMARA simSwap + description: CAMARA simSwap API based on Mobile Connect Account Takeover Protection API definition. ⬇️ Suggested change - description: CAMARA simSwap API based on Mobile Connect Account Takeover Protection API definition. + description: SIM Swap API based on Mobile Connect Account Takeover Protection API definition.

________________________________ In code/API_definitions/MC_ATP.yaml<#8 (comment)>:

@@ -0,0 +1,160 @@

+openapi: 3.0.0 +info: + title: CAMARA simSwap + description: CAMARA simSwap API based on Mobile Connect Account Takeover Protection API definition. + version: 0.1.0 +servers: + - url: https://api.server.test + description: API server providing CAMARA APIs +tags: + - name: Mobile Connect ATP +paths: + /token: /token endpoint is part of the authentication flow and should not be here. All paths in this yaml file are supposed to have a common server and base path, so implementation could not hace distinct servers for /token and other resources

________________________________ In code/API_definitions/MC_ATP.yaml<#8 (comment)>:

+ simChange:

+ type: boolean + example: 'simChange: true' + isUncontidionalCallDivertActive: + type: string + isLostStolen: + type: boolean + deviceChange: + type: string + accountState: + type: string + enum: + - active + - inactive + required: + - simSwap this property is not listed above

________________________________ In code/API_definitions/MC_ATP.yaml<#8 (comment)>:

+ application/json:

+ schema: + type: object + example: + access_token: mkmaJ53--rCK1SBUIjxzavoJCcFbx3453dKmZr39A8k + scope: mc_atp + token_type: Bearer + expires_in: '500' + /openid/userinfo: + post: + tags: + - Mobile Connect ATP + summary: User Info + description: userinfo + requestBody: + content: {} No body definition? — Reply to this email directly, view it on GitHub<#8 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A3XZEQKLD4F2HRPX54EJRNTWNNGN3ANCNFSM6AAAAAAS6T7HGM>. You are receiving this because you authored the thread.Message ID: ***@***.***> T-MOBILE POLSKA S.A. z siedzibą w Warszawie Adres: ul. Marynarska 12, 02-674 Warszawa Zarząd Spółki: Andreas Maierhofer - Prezes Zarządu; Juraj Andráš - Członek Zarządu, Dyrektor ds. Finansowych; Dorota Kuprianowicz-Legutko – Członek Zarządu, Dyrektor ds. Polityki Personalnej; Goran Marković – Członek Zarządu, Dyrektor ds. Rynku Prywatnego; Alexander Jenbar – Członek Zarządu, Dyrektor ds. Technologii i Innowacji; Agnieszka Rynkowska - Członek Zarządu, Dyrektor ds. Rynku Biznesowego. Spółka zarejestrowana w Sądzie Rejonowym dla m.st. Warszawy w Warszawie, XIII Wydział Gospodarczy Krajowego Rejestru Sądowego. KRS 0000391193 | NIP 526-10-40-567 | Regon 011417295 Kapitał zakładowy 711.210.000 złotych, kapitał wpłacony w całości. DUŻE ZMIANY ZACZYNAJĄ SIĘ OD MAŁYCH - CHROŃ PLANETĘ, NIE DRUKUJ TEGO E-MAILA, JEŻELI NIE MUSISZ. Ta wiadomość i jej treść są zastrzeżone w szczegółowym zakresie dostępnym na http://www.t-mobile.pl/stopka This e-mail and its contents are subject to a DISCLAIMER with important RESERVATIONS: see http://www.t-mobile.pl/stopka

[DT-DawidWroblewski]

@bigludo7 can you please review the code today and approve? thx!

[DT-DawidWroblewski]

@bigludo7 please review the code - thx!

[bigludo7]

In CAMARA numberVerify proposal we have endpoints for /authorize & /token. We should have same pattern everywhere.
As this proposal is based on MC I'm fine with these endpoints but probably we could add a comment to indicate that they could be in a distinct server as mentionned by @jlurien

BTW, @jlurien in QoD API we have in the same swagger for both /sessions & notifications and they will not be implemented in same server.

[jlurien]

@bigludo7 Regarding "in QoD API we have in the same swagger for both /sessions & notifications and they will not be implemented in same server."

indeed it is a different server. In that case we opted to add a disclaimer in description:

      description: |
        Important: this endpoint is to be implemented by the API consumer.
        The QoD server will call this endpoint whenever any network related event occurs.
        Currently only SESSION_TERMINATED event is implemented. Any other network events are ignored.

[bigludo7]

Look good for me as a first version.
Agreed with @jlurien about /authorize & /token endpoints but should tackle this question globally for all API. This is probably a point worth to be discussed in Commonalities --> we need an issue for that.