Fix compliant ETSI NFV-SOL versions

This patch mainly fixes the description related to the version of
ETSI NFV-SOL that Tacker complies with.
The fixes are as follows:
* Fix the supported version of SubscriptionAuthentication to
  SOL013 v3.4.1
  * Add comment that TLS_CERT is not supported
  * Add comment that OAUTH2_CLIENT_CERT complies with SOL013 v3.5.1
  * Add authentication details to the create subscription request
    for VNF FM
* Fix the supported version of the coordination interface to
  SOL002 v3.6.1

Change-Id: Ie0bc2c45a068a24a262709b4caba510979b0a1ce

api-ref/source/v1/parameters_vnflcm.yaml

@@ -195,11 +195,7 @@ authentication_auth_type:
     an OAuth 2.0 bearer token, obtained using the
     client credentials grant type.
 
-    TLS_CERT: Every HTTP request to the
+    TLS_CERT is not supported.
-    notification endpoint is sent over a mutually
-    authenticated TLS session, i.e. not only the
-    server is authenticated, but also the client is
-    authenticated during the TLS tunnel setup.
   in: body
   required: true
   type: string

api-ref/source/v2/parameters_vnffm.yaml

@@ -72,6 +72,63 @@ authentication:
   in: body
   required: false
   type: string
+authentication_auth_type:
+  description: |
+    Defines the types of Authentication/Authorization which
+    the API consumer is willing to accept when receiving a
+    notification.
+    Permitted values:
+
+    BASIC: In every HTTP request to the
+    notification endpoint, use HTTP Basic
+    authentication with the client credentials.
+
+    OAUTH2_CLIENT_CREDENTIALS: In every HTTP request
+    to the notification endpoint, use an OAuth 2.0 token,
+    obtained using the client credentials grant type
+    after authenticating using client identifier and
+    client password towards the token endpoint.
+
+    OAUTH2_CLIENT_CERT: In every HTTP request to
+    the notification endpoint, use an OAuth 2.0 token,
+    obtained using the client credentials grant type
+    after mutually authenticating using client identifier
+    and X.509 certificates towards the token endpoint.
+
+    TLS_CERT is not supported.
+  in: body
+  required: true
+  type: array
+authentication_params_basic:
+  description: |
+    Parameters for authentication/authorization using BASIC.
+    Shall be present if authType is "BASIC" and the
+    contained information has not been provisioned out of
+    band. Shall be absent otherwise.
+  in: body
+  required: false
+  type: object
+authentication_params_oauth2_client_cert:
+  description: |
+    Parameters for authentication/authorization using
+    OAUTH2_CLIENT_CERT.
+    Shall be present if authType is "OAUTH2_CLIENT_CERT" and the
+    contained information has not been provisioned out of band.
+    Shall be absent otherwise.
+  in: body
+  required: false
+  type: object
+authentication_params_oauth2_client_credentials:
+  description: |
+    Parameters for authentication/authorization using
+    OAUTH2_CLIENT_CREDENTIALS.
+    Shall be present if authType is
+    "OAUTH2_CLIENT_CREDENTIALS" and the contained
+    information has not been provisioned out of band.
+    Shall be absent otherwise.
+  in: body
+  required: false
+  type: object
 callback_uri:
   description: |
     The URI of the endpoint to send the notification to.
@@ -229,6 +286,85 @@ object_instance:
   in: body
   required: false
   type: object
+params_oauth2_client_cert_certificate_ref:
+  description: |
+    Fingerprint of the client certificate. The hash function
+    shall use SHA256 or higher. Shall be present if it has not
+    been provisioned out of band.
+  in: body
+  required: true
+  type: object
+params_oauth2_client_cert_client_id:
+  description: |
+    Client identifier to be used in the access token request
+    of the OAuth 2.0 client credentials grant type. Shall be
+    present if it has not been provisioned out of band.
+  in: body
+  required: true
+  type: string
+params_oauth2_client_cert_token_endpoint:
+  description: |
+    The token endpoint from which the access token can be
+    obtained. Shall be present if it has not been provisioned
+    out of band.
+  in: body
+  required: true
+  type: string
+params_oauth2_client_cert_type:
+  description: |
+    The type of fingerprint.
+    Permitted values:
+
+    x5t#S256: The SHA-256 thumbprint of the X.509 certificate
+    as defined in section 4.1.8 of IETF RFC 7515.
+  in: body
+  required: true
+  type: string
+params_oauth2_client_cert_value:
+  description: |
+    The fingerprint value as defined by the type. Shall be
+    present if it has not been provisioned out of band.
+  in: body
+  required: true
+  type: string
+params_oauth2_client_credentials_client_id:
+  description: |
+    Client identifier to be used in the access token request
+    of the OAuth 2.0 client credentials grant type. Shall be
+    present if it has not been provisioned out of band.
+  in: body
+  required: false
+  type: string
+params_oauth2_client_credentials_client_password:
+  description: |
+    Client password to be used in the access token request
+    of the OAuth 2.0 client credentials grant type. Shall be
+    present if it has not been provisioned out of band.
+  in: body
+  required: false
+  type: string
+params_oauth2_client_credentials_token_endpoint:
+  description: |
+    The token endpoint from which the access token can be
+    obtained. Shall be present if it has not been provisioned
+    out of band.
+  in: body
+  required: false
+  type: string
+paramsBasic_password:
+  description: |
+    Password to be used in HTTP Basic authentication.
+    Shall be present if it has not been provisioned out of band.
+  in: body
+  required: false
+  type: string
+paramsBasic_userName:
+  description: |
+    Username to be used in HTTP Basic authentication.
+    Shall be present if it has not been provisioned out of band.
+  in: body
+  required: false
+  type: string
 perceived_severity:
   description: |
     Perceived severity of the managed object failure. CRITICAL,MAJOR,MINOR,

api-ref/source/v2/parameters_vnflcm.yaml

@@ -269,11 +269,7 @@ authentication_auth_type:
     after mutually authenticating using client identifier
     and X.509 certificates towards the token endpoint.
 
-    TLS_CERT: Every HTTP request to the
+    TLS_CERT is not supported.
-    notification endpoint is sent over a mutually
-    authenticated TLS session, i.e. not only the
-    server is authenticated, but also the client is
-    authenticated during the TLS tunnel setup.
   in: body
   required: true
   type: array

api-ref/source/v2/parameters_vnfpm.yaml

@@ -44,11 +44,7 @@ authentication_auth_type:
     after mutually authenticating using client identifier
     and X.509 certificates towards the token endpoint.
 
-    TLS_CERT: Every HTTP request to the
+    TLS_CERT is not supported.
-    notification endpoint is sent over a mutually
-    authenticated TLS session, i.e. not only the
-    server is authenticated, but also the client is
-    authenticated during the TLS tunnel setup.
   in: body
   required: true
   type: array

api-ref/source/v2/vnffm.inc

@@ -263,6 +263,20 @@ Request Parameters
   - probableCauses: filter_probable_causes
   - callbackUri: callback_uri
   - authentication: authentication
+  - authType: authentication_auth_type
+  - paramsBasic: authentication_params_basic
+  - userName: paramsBasic_userName
+  - password: paramsBasic_password
+  - paramsOauth2ClientCredentials: authentication_params_oauth2_client_credentials
+  - clientId: params_oauth2_client_credentials_client_id
+  - clientPassword: params_oauth2_client_credentials_client_password
+  - tokenEndpoint: params_oauth2_client_credentials_token_endpoint
+  - paramsOauth2ClientCert: authentication_params_oauth2_client_cert
+  - clientId: params_oauth2_client_cert_client_id
+  - certificateRef: params_oauth2_client_cert_certificate_ref
+  - type: params_oauth2_client_cert_type
+  - value: params_oauth2_client_cert_value
+  - tokenEndpoint: params_oauth2_client_cert_token_endpoint
 
 Request Example
 ---------------

doc/source/user/v2/vnf/chg_vnfpkg/index.rst

@@ -230,7 +230,7 @@ You can set following parameter in additionalParams:
   * ``vnfdId`` is the VNFD id of the new VNF package you uploaded.
   * ``lcm-operation-coordinate-old-vnf`` and
     ``lcm-operation-coordinate-new-vnf`` are unique implementations of Tacker
-    to simulate the coordination interface in `ETSI SOL002 v3.5.1`_. Mainly a
+    to simulate the coordination interface in `ETSI SOL002 v3.6.1`_. Mainly a
     script that can communicate with the VM after the VM is created, perform
     special customization of the VM or confirm the status of the VM.
   * ``vimConnectionInfo`` is an optional parameter.
@@ -1174,7 +1174,7 @@ The samples make the following updates:
 
 
 .. _Heat CLI reference: https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/heat.html
-.. _ETSI SOL002 v3.5.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.05.01_60/gs_nfv-sol002v030501p.pdf
+.. _ETSI SOL002 v3.6.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.06.01_60/gs_nfv-sol002v030601p.pdf
 .. _test_instantiate_vnf_with_old_image_or_volume for 2023.2 Bobcat:
   https://opendev.org/openstack/tacker/src/branch/stable/2023.2/tacker/tests/functional/sol_v2_common/samples/test_instantiate_vnf_with_old_image_or_volume
 .. _test_change_vnf_pkg_with_new_image for 2023.2 Bobcat:

doc/source/user/v2/vnf/chg_vnfpkg_with_standard/index.rst

@@ -259,7 +259,7 @@ definition file before running command.
   * ``lcm-operation-coordinate-old-vnf`` and
     ``lcm-operation-coordinate-new-vnf`` are unique implementations of
     Tacker to simulate the coordination interface in
-    `ETSI NFV-SOL002 v3.5.1`_.
+    `ETSI NFV-SOL002 v3.6.1`_.
     Mainly a script that can communicate with the VM after the VM is
     created, perform special customization of the VM or confirm the
     status of the VM.
@@ -1112,7 +1112,7 @@ The samples make the following updates:
 
 
 .. _Heat CLI reference: https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/heat.html
-.. _ETSI NFV-SOL002 v3.5.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.05.01_60/gs_nfv-sol002v030501p.pdf
+.. _ETSI NFV-SOL002 v3.6.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.06.01_60/gs_nfv-sol002v030601p.pdf
 .. _userdata_standard for 2023.2 Bobcat:
   https://opendev.org/openstack/tacker/src/branch/stable/2023.2/tacker/tests/functional/sol_v2_common/samples/userdata_standard
 .. _userdata_standard_change_vnfpkg_nw for 2023.2 Bobcat:

tacker/sol_refactored/api/schemas/common_types.py

@@ -122,7 +122,7 @@ _IpAddresses = {
     'additionalProperties': True
 }
 
-# SOL013 v3.5.1 8.3.4
+# SOL013 v3.4.1 8.3.4
 SubscriptionAuthentication = {
     'type': 'object',
     'properties': {
@@ -131,8 +131,11 @@ SubscriptionAuthentication = {
             'items': {
                 'type': 'string',
                 'enum': [
+                    # NOTE: 'TLS_CERT' is not supported
                     'BASIC',
                     'OAUTH2_CLIENT_CREDENTIALS',
+                    # NOTE: 'OAUTH2_CLIENT_CERT' is defined
+                    # in NFV-SOL 013 v3.5.1 8.3.4
                     'OAUTH2_CLIENT_CERT']
             }
         },
@@ -151,6 +154,8 @@ SubscriptionAuthentication = {
                 'tokenEndpoint': {'type': 'string'}
             }
         },
+        # NOTE: 'paramsOauth2ClientCert' is defined
+        # in NFV-SOL 013 v3.5.1 8.3.4
         'paramsOauth2ClientCert': {
             'type': 'object',
             'properties': {

tacker/sol_refactored/api/schemas/vnflcm_v2.py

@@ -157,7 +157,7 @@ ChangeExtVnfConnectivityRequest_V200 = {
     'additionalProperties': True,
 }
 
-# SOL013 v3.5.1 8.3.4
+# SOL013 v3.4.1 8.3.4
 _SubscriptionAuthentication = {
     'type': 'object',
     'properties': {
@@ -166,8 +166,11 @@ _SubscriptionAuthentication = {
             'items': {
                 'type': 'string',
                 'enum': [
+                    # NOTE: 'TLS_CERT' is not supported
                     'BASIC',
                     'OAUTH2_CLIENT_CREDENTIALS',
+                    # NOTE: 'OAUTH2_CLIENT_CERT' is defined
+                    # in NFV-SOL 013 v3.5.1 8.3.4
                     'OAUTH2_CLIENT_CERT']
             }
         },
@@ -192,6 +195,8 @@ _SubscriptionAuthentication = {
             # band is not supported.
             'required': ['clientId', 'clientPassword', 'tokenEndpoint']
         },
+        # NOTE: 'paramsOauth2ClientCert' is defined
+        # in NFV-SOL 013 v3.5.1 8.3.4
         'paramsOauth2ClientCert': {
             'type': 'object',
             'properties': {

tacker/sol_refactored/objects/common/subscription_authentication.py

@@ -18,7 +18,7 @@ from tacker.sol_refactored.objects import fields
 
 
 # NFV-SOL 013
-# - v3.5.1 Table 8.3.4-1
+# - v3.4.1 Table 8.3.4-1
 @base.TackerObjectRegistry.register
 class SubscriptionAuthentication(base.TackerObject,
                                  base.TackerObjectDictCompat):
@@ -31,7 +31,10 @@ class SubscriptionAuthentication(base.TackerObject,
             valid_values=[
                 'BASIC',
                 'OAUTH2_CLIENT_CREDENTIALS',
+                # NOTE: 'OAUTH2_CLIENT_CERT' is defined
+                # in NFV-SOL 013 v3.5.1 Table 8.3.4-1
                 'OAUTH2_CLIENT_CERT',
+                # `TLS_CERT` is not supported
                 'TLS_CERT',
             ],
             nullable=False),
@@ -39,6 +42,8 @@ class SubscriptionAuthentication(base.TackerObject,
             'SubscriptionAuthentication_ParamsBasic', nullable=True),
         'paramsOauth2ClientCredentials': fields.ObjectField(
             'SubscriptionAuthentication_ParamsOauth2', nullable=True),
+        # NOTE: 'paramsOauth2ClientCert' is defined
+        # in NFV-SOL 013 v3.5.1 Table 8.3.4-1
         'paramsOauth2ClientCert': fields.ObjectField(
             'SubscriptionAuthentication_ParamsOauth2ClientCert',
             nullable=True),