-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/realtime' into realtime
- Loading branch information
Showing
7 changed files
with
447 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
...2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| /** | ||
| * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). | ||
| * | ||
| * WSO2 LLC. licenses this file to you under the Apache License, | ||
| * Version 2.0 (the "License"); you may not use this file except | ||
| * in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package com.wso2.openbanking.accelerator.identity.clientauth.jwt; | ||
|
|
||
| import com.wso2.openbanking.accelerator.common.util.Generated; | ||
| import org.apache.commons.logging.Log; | ||
| import org.apache.commons.logging.LogFactory; | ||
| import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext; | ||
| import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants; | ||
| import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator; | ||
| import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator; | ||
| import org.wso2.carbon.identity.oauth2.util.OAuth2Util; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| import javax.servlet.http.HttpServletRequest; | ||
|
|
||
| import static org.apache.commons.lang.StringUtils.isNotEmpty; | ||
|
|
||
| /** | ||
| * OBPrivateKeyJWTClientAuthenticator for authenticating private key jwt requests. | ||
| */ | ||
| public class OBPrivateKeyJWTClientAuthenticator extends PrivateKeyJWTClientAuthenticator { | ||
|
|
||
| private static final Log log = LogFactory.getLog(OBPrivateKeyJWTClientAuthenticator.class); | ||
| private static final String PAR_ENDPOINT_ALIAS = "ParEndpointAlias"; | ||
|
|
||
| @Generated(message = "Used only for testing purpose") | ||
| protected OBPrivateKeyJWTClientAuthenticator(JWTValidator jwtValidator) { | ||
| setJwtValidator(jwtValidator); | ||
| } | ||
|
|
||
| @Generated(message = "Does not contain logic") | ||
| public OBPrivateKeyJWTClientAuthenticator() { | ||
|
|
||
| int rejectBeforePeriod = Constants.DEFAULT_VALIDITY_PERIOD_IN_MINUTES; | ||
| boolean preventTokenReuse = true; | ||
| String endpointAlias = Constants.DEFAULT_AUDIENCE; | ||
| try { | ||
| if (isNotEmpty(properties.getProperty(PAR_ENDPOINT_ALIAS))) { | ||
| endpointAlias = properties.getProperty(PAR_ENDPOINT_ALIAS); | ||
| } | ||
| if (isNotEmpty(properties.getProperty(Constants.PREVENT_TOKEN_REUSE))) { | ||
| preventTokenReuse = Boolean.parseBoolean(properties.getProperty(Constants.PREVENT_TOKEN_REUSE)); | ||
| } | ||
| if (isNotEmpty(properties.getProperty(Constants.REJECT_BEFORE_IN_MINUTES))) { | ||
| rejectBeforePeriod = Integer.parseInt(properties.getProperty(Constants.REJECT_BEFORE_IN_MINUTES)); | ||
| } | ||
| JWTValidator jwtValidator = createJWTValidator(endpointAlias, preventTokenReuse, rejectBeforePeriod); | ||
| setJwtValidator(jwtValidator); | ||
| } catch (NumberFormatException e) { | ||
| log.warn("Invalid PrivateKeyJWT Validity period found in the configuration. Using default value: " + | ||
| rejectBeforePeriod); | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| public boolean canAuthenticate(HttpServletRequest httpServletRequest, Map<String, List> bodyParameters, | ||
| OAuthClientAuthnContext oAuthClientAuthnContext) { | ||
|
|
||
| log.debug("Request is being handled by OBPrivateKeyJWTClientAuthenticator"); | ||
| return super.canAuthenticate(httpServletRequest, bodyParameters, oAuthClientAuthnContext); | ||
| } | ||
|
|
||
| @Generated(message = "Does not contain logic") | ||
| protected JWTValidator createJWTValidator(String accessedEndpoint, boolean preventTokenReuse, int rejectBefore) { | ||
|
|
||
| String tokenEndpoint = OAuth2Util.OAuthURL.getOAuth2TokenEPUrl(); | ||
| String issuer = OAuth2Util.getIDTokenIssuer(); | ||
|
|
||
| List<String> acceptedAudienceList = new ArrayList<>(); | ||
| acceptedAudienceList.add(accessedEndpoint); | ||
| acceptedAudienceList.add(tokenEndpoint); | ||
| acceptedAudienceList.add(issuer); | ||
|
|
||
| return new JWTValidator(preventTokenReuse, acceptedAudienceList, rejectBefore, null, | ||
| populateMandatoryClaims(), Constants.DEFAULT_ENABLE_JTI_CACHE); | ||
| } | ||
|
|
||
| @Generated(message = "Does not contain logic") | ||
| private List<String> populateMandatoryClaims() { | ||
|
|
||
| List<String> mandatoryClaims = new ArrayList<>(); | ||
| mandatoryClaims.add(Constants.ISSUER_CLAIM); | ||
| mandatoryClaims.add(Constants.SUBJECT_CLAIM); | ||
| mandatoryClaims.add(Constants.AUDIENCE_CLAIM); | ||
| mandatoryClaims.add(Constants.EXPIRATION_TIME_CLAIM); | ||
| mandatoryClaims.add(Constants.JWT_ID_CLAIM); | ||
| return mandatoryClaims; | ||
| } | ||
| } |
94 changes: 94 additions & 0 deletions
94
...enbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticatorTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| /** | ||
| * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). | ||
| * | ||
| * WSO2 LLC. licenses this file to you under the Apache License, | ||
| * Version 2.0 (the "License"); you may not use this file except | ||
| * in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package com.wso2.openbanking.accelerator.identity.clientauth.jwt; | ||
|
|
||
| import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants; | ||
| import org.mockito.Mockito; | ||
| import org.springframework.mock.web.MockHttpServletRequest; | ||
| import org.testng.annotations.BeforeMethod; | ||
| import org.testng.annotations.Test; | ||
| import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext; | ||
| import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator; | ||
|
|
||
| import java.util.Collections; | ||
| import java.util.HashMap; | ||
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| import static org.junit.Assert.assertFalse; | ||
| import static org.junit.Assert.assertTrue; | ||
|
|
||
| /** | ||
| * Test class for testing the OBPrivateKeyJWTClientAuthenticator class. | ||
| */ | ||
| public class OBPrivateKeyJWTClientAuthenticatorTest { | ||
|
|
||
| private static final String JWT_ASSERTION_TYPE_VALUE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"; | ||
| MockHttpServletRequest request; | ||
| OAuthClientAuthnContext clientAuthnContext = new OAuthClientAuthnContext(); | ||
|
|
||
| @BeforeMethod | ||
| public void beforeMethod() { | ||
| request = new MockHttpServletRequest(); | ||
| } | ||
|
|
||
| @Test(description = "Test whether can authenticate is engaged for pvt key jwt request") | ||
| public void canAuthenticateTest() { | ||
| JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); | ||
| OBPrivateKeyJWTClientAuthenticator authenticator = Mockito | ||
| .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); | ||
|
|
||
| Map<String, List> bodyParams = new HashMap<>(); | ||
| bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE, Collections | ||
| .singletonList(JWT_ASSERTION_TYPE_VALUE)); | ||
| bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION, Collections | ||
| .singletonList("test")); | ||
|
|
||
| boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); | ||
| assertTrue(response); | ||
| } | ||
|
|
||
| @Test(description = "Test whether can authenticate is not engaged when client assertion is not there") | ||
| public void canAuthenticateWithoutClientAssertionTest() { | ||
| JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); | ||
| OBPrivateKeyJWTClientAuthenticator authenticator = Mockito | ||
| .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); | ||
|
|
||
| Map<String, List> bodyParams = new HashMap<>(); | ||
| bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE, Collections | ||
| .singletonList(JWT_ASSERTION_TYPE_VALUE)); | ||
|
|
||
| boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); | ||
| assertFalse(response); | ||
| } | ||
|
|
||
| @Test(description = "Test whether can authenticate is not engaged when client assertion type is not there") | ||
| public void canAuthenticateWithoutClientAssertionTypeTest() { | ||
| JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); | ||
| OBPrivateKeyJWTClientAuthenticator authenticator = Mockito | ||
| .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); | ||
|
|
||
| Map<String, List> bodyParams = new HashMap<>(); | ||
| bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION, Collections | ||
| .singletonList("test")); | ||
|
|
||
| boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); | ||
| assertFalse(response); | ||
| } | ||
| } |
55 changes: 55 additions & 0 deletions
55
...tor.identity/src/test/java/com/wso2/openbanking/accelerator/identity/utils/TestUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| /** | ||
| * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). | ||
| * | ||
| * WSO2 LLC. licenses this file to you under the Apache License, | ||
| * Version 2.0 (the "License"); you may not use this file except | ||
| * in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package com.wso2.openbanking.accelerator.identity.utils; | ||
|
|
||
| import com.nimbusds.jose.JOSEObject; | ||
| import com.nimbusds.jose.JWSAlgorithm; | ||
| import com.nimbusds.jwt.PlainJWT; | ||
| import com.nimbusds.jwt.SignedJWT; | ||
| import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.OBRequestObject; | ||
| import org.wso2.carbon.identity.oauth2.RequestObjectException; | ||
| import org.wso2.carbon.identity.openidconnect.model.RequestObject; | ||
|
|
||
| import java.text.ParseException; | ||
|
|
||
| /** | ||
| * Test utils class. | ||
| */ | ||
| public class TestUtils { | ||
|
|
||
| /** | ||
| * Get OB request object. | ||
| * | ||
| * @param request request | ||
| * @return OBRequestObject | ||
| * @throws ParseException | ||
| * @throws RequestObjectException | ||
| */ | ||
| public static OBRequestObject<?> getObRequestObject(String request) throws ParseException, RequestObjectException { | ||
| RequestObject requestObject = new RequestObject(); | ||
| JOSEObject jwt = JOSEObject.parse(request); | ||
| if (jwt.getHeader().getAlgorithm() == null || jwt.getHeader().getAlgorithm().equals(JWSAlgorithm.NONE)) { | ||
| requestObject.setPlainJWT(PlainJWT.parse(request)); | ||
| } else { | ||
| requestObject.setSignedJWT(SignedJWT.parse(request)); | ||
| } | ||
| return new OBRequestObject<>(requestObject); | ||
| } | ||
|
|
||
| } |
74 changes: 74 additions & 0 deletions
74
...king/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentPersistStep.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| /** | ||
| * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). | ||
| * | ||
| * WSO2 LLC. licenses this file to you under the Apache License, | ||
| * Version 2.0 (the "License"); you may not use this file except | ||
| * in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package com.wso2.openbanking.accelerator.consent.extensions.authorize.impl; | ||
|
|
||
| import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentData; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentPersistData; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentPersistStep; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentException; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentExtensionConstants; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.common.ResponseStatus; | ||
| import com.wso2.openbanking.accelerator.consent.extensions.internal.ConsentExtensionsDataHolder; | ||
| import net.minidev.json.JSONArray; | ||
| import net.minidev.json.JSONObject; | ||
| import org.apache.commons.logging.Log; | ||
| import org.apache.commons.logging.LogFactory; | ||
|
|
||
| import java.util.ArrayList; | ||
|
|
||
| /** | ||
| * Consent persist step sample implementation for FAPI plain flow. | ||
| */ | ||
| public class SampleFapiPlainConsentPersistStep implements ConsentPersistStep { | ||
|
|
||
| private static final Log log = LogFactory.getLog(SampleFapiPlainConsentPersistStep.class); | ||
|
|
||
| @Override | ||
| public void execute(ConsentPersistData consentPersistData) throws ConsentException { | ||
|
|
||
| if (consentPersistData.getApproval()) { | ||
| try { | ||
| ConsentData consentData = consentPersistData.getConsentData(); | ||
| JSONObject payloadData = consentPersistData.getPayload(); | ||
|
|
||
| JSONArray accountIds = (JSONArray) payloadData.get(ConsentExtensionConstants.ACCOUNT_IDS); | ||
| ArrayList<String> accountIdsString = new ArrayList<>(); | ||
| for (Object account : accountIds) { | ||
| if (!(account instanceof String)) { | ||
| log.error("Account IDs format error in persist request"); | ||
| throw new ConsentException(ResponseStatus.BAD_REQUEST, | ||
| "Account IDs format error in persist request"); | ||
| } | ||
| accountIdsString.add((String) account); | ||
| } | ||
|
|
||
| ConsentExtensionsDataHolder.getInstance().getConsentCoreService() | ||
| .bindUserAccountsToConsent(consentData.getConsentResource(), consentData.getUserId(), | ||
| consentData.getAuthResource().getAuthorizationID(), accountIdsString, | ||
| ConsentExtensionConstants.AUTHORISED_STATUS, | ||
| ConsentExtensionConstants.AUTHORISED_STATUS); | ||
| } catch (ConsentManagementException e) { | ||
| throw new ConsentException(ResponseStatus.INTERNAL_SERVER_ERROR, | ||
| "Exception occurred while persisting consent"); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.