From 65a70e1f61f4374474f3a2d9f4e3664f42242300 Mon Sep 17 00:00:00 2001
From: akila94
Date: Fri, 29 Nov 2024 12:24:39 +0530
Subject: [PATCH] Role validation improvement
---
 .../common/model/PSD2RoleEnum.java | 3 ++-
 .../extractor/CertificateContent.java | 9 +++++++++
 .../CertificateContentExtractor.java | 7 ++++++-
 .../CertificateContentExtractorTest.java | 20 ++++++++++++++++---
 .../service/CertValidationService.java | 3 ++-
 5 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
index 441dacef..d036fca7 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
@@ -23,7 +23,8 @@
 */
 public enum PSD2RoleEnum {
- AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp");
+ AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp"), PSP_AI("psp_ai"),
+ PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");
 private String value;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
index 4dbd6efe..6414e83e 100644
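Review bot: The PSD2RoleEnum hunk leaves the enum holding two vocabularies with nothing to tell them apart: AISP, PISP, CBPII and ASPSP are PSD2 role names, while the added PSP_AI, PSP_PI, PSP_IC and PSP_AS are the role names carried in the eIDAS certificate. Because these constants decide whether a certificate satisfies a scope, a comment above them should record the pairing, for example `// PSP_AS/PSP_PI/PSP_AI/PSP_IC: names as written in the certificate; ASPSP/PISP/AISP/CBPII: equivalent PSD2 names`. Any code that switches over or iterates PSD2RoleEnum (none is visible in this patch) now sees eight constants and should be checked.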
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
@@ -27,6 +27,7 @@ public class CertificateContent {
 private String pspAuthorisationNumber;
 private List pspRoles;
+ private List psd2Roles;
 private String name;
 private String ncaName;
 private String ncaId;
@@ -54,6 +55,14 @@ public void setPspRoles(List pspRoles) {
 this.pspRoles = pspRoles;
 }
+ public List getPsd2Roles() {
+ return psd2Roles;
+ }
+
+ public void setPsd2Roles(List psd2Roles) {
+ this.psd2Roles = psd2Roles;
+ }
+
 public String getName() {
 return name;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
index 2f6b5093..a14ee983 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
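Review bot: `getPsd2Roles()` returns null whenever `setPsd2Roles` was never called on the field added in the `@@ -27,6 +27,7 @@` hunk. This patch also adds a caller in CertValidationService that invokes `.contains(...)` on the result while deciding whether a certificate carries a required role. In the visible code only CertificateContentExtractor.extract populates the list, so a CertificateContent built any other way (not shown here) would raise a NullPointerException in the validation path rather than produce a clean rejection. Returning an empty list keeps that check failing closed: `return psd2Roles == null ? Collections.emptyList() : psd2Roles;` (needs `java.util.Collections`).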
@@ -66,12 +66,17 @@ public static CertificateContent extract(X509Certificate cert)
 PSPRoles pspRoles = psd2QcType.getPspRoles();
 List rolesArray = pspRoles.getRoles();
+ // Roles as defined in the certificate (PSP_AI, PSP_PI, etc)
 List roles = new ArrayList<>();
+ // Relative PSD2 role names (AISP, PISP, etc)
+ List psd2Roles = new ArrayList<>();
 for (PSPRole pspRole : rolesArray) {
- roles.add(pspRole.getPsd2RoleName());
+ roles.add(pspRole.getPspRoleName());
+ psd2Roles.add(pspRole.getPsd2RoleName());
 }
 tppCertData.setPspRoles(roles);
+ tppCertData.setPsd2Roles(psd2Roles);
 tppCertData.setNcaName(psd2QcType.getnCAName().getString());
 tppCertData.setNcaId(psd2QcType.getnCAId().getString());
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
index 03913254..005f22d7 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
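Review bot: `tppCertData.setPspRoles(roles)` now receives `getPspRoleName()` values (PSP_AI, PSP_PI, ...) where it used to receive `getPsd2RoleName()` values (AISP, PISP, ...), so `CertificateContent.getPspRoles()` silently changes meaning for every existing caller. Only CertValidationService is updated in this patch; any other consumer still comparing against the PSD2 names would stop matching, which for a role check means rejecting valid certificates, so the callers should be audited before merge. A Javadoc line on each accessor would make the split explicit, for example `/** Role names as written in the certificate (PSP_AI, PSP_PI, PSP_IC, PSP_AS). */` on getPspRoles, with the PSD2 counterpart on getPsd2Roles. The enclosing extract method starts and ends outside the hunk.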
@@ -42,15 +42,29 @@ public void testExtractValidCertificate() throws Exception {
 CertificateContent extract = CertificateContentExtractor.extract(cert);
 Assert.assertTrue(extract.getPspRoles().size() == 3);
- Assert.assertTrue(extract.getPspRoles().contains("AISP"));
- Assert.assertTrue(extract.getPspRoles().contains("PISP"));
- Assert.assertTrue(extract.getPspRoles().contains("CBPII"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_AI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_PI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_IC"));
 Assert.assertTrue(extract.getPspAuthorisationNumber().equals("PSDDE-BAFIN-123456"));
 Assert.assertTrue(extract.getName().equals("www.hanseaticbank.de"));
 Assert.assertTrue(extract.getNcaName().equals("Federal Financial Supervisory Authority"));
 Assert.assertTrue(extract.getNcaId().equals("DE-BAFIN"));
 }
+ @Test
+ public void testExtractPSD2RoleFromCert() throws Exception {
+
+ X509Certificate cert =
+ CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElse(null);
+
+ CertificateContent extract = CertificateContentExtractor.extract(cert);
+
+ Assert.assertTrue(extract.getPsd2Roles().size() == 3);
+ Assert.assertTrue(extract.getPsd2Roles().contains("AISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("PISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("CBPII"));
+ }
+
 @Test
 public void testExtractInvalidCertificate() throws CertificateException {
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
index 84897229..bcc8b638 100644
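Review bot: The changed acceptance condition in CertValidationService has no test in this patch; `testExtractPSD2RoleFromCert` and the edited assertions cover extraction only. A test for isRequiredRolesMatchWithScopes should pin both directions: a required role present in neither `getPspRoles()` nor `getPsd2Roles()` must be rejected, and a role present only under its PSD2 name must be accepted. In the new test, `Assert.assertTrue(extract.getPsd2Roles().size() == 3)` would report the actual size on failure if written as `Assert.assertEquals(extract.getPsd2Roles().size(), 3);`. The `.orElse(null)` passes a null certificate to `extract` when parsing fails, which hides the real cause.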
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
@@ -230,7 +230,8 @@ private boolean isRequiredRolesMatchWithScopes(X509Certificate tppCertificate
 // Validate whether the eIDAS certificate contains the required roles that matches with the token scopes.
 for (PSD2RoleEnum requiredRole : requiredPSD2Roles) {
- if (!certContent.getPspRoles().contains(requiredRole.name())) {
+ if (!(certContent.getPspRoles().contains(requiredRole.name())
+ || certContent.getPsd2Roles().contains(requiredRole.name()))) {
 // Return false if any one of the roles that are bound to the scope is not present in the PSD2
 // role list of the client eIDAS certificate.
 final String errorMsg = "The PSD2 eIDAS certificate does not contain the required role "
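Review bot: The comment kept under the new condition still says the role must be present in "the PSD2 role list", but the check now passes when `requiredRole.name()` appears in either `getPspRoles()` (certificate names such as PSP_AI) or `getPsd2Roles()` (AISP and so on). Since this branch is the authorization decision that binds token scopes to certificate roles, the comment should state both vocabularies, for example `// Reject if the role is in neither the certificate role names (PSP_*) nor the equivalent PSD2 names.` Moving the two `contains` calls into a small private helper such as `hasRole(certContent, requiredRole)` would also make the negated `||` easier to read and to test. isRequiredRolesMatchWithScopes starts and ends outside the hunk.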