Merge pull request #210 from Akila94/role-validation-improvement-2

[OB3] Role extraction improvement - add support to extract both PSD2 and PSP roles from the certificate as needed

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java

@@ -23,7 +23,12 @@
  */
 public enum PSD2RoleEnum {
 
-    AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp");
+    AISP("aisp"), 
+    PISP("pisp"), 
+    CBPII("cbpii"), 
+    ASPSP("aspsp"), 
+    PSP_AI("psp_ai"),
+    PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");
 
     private String value;
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java

@@ -27,6 +27,7 @@
 public class CertificateContent {
     private String pspAuthorisationNumber;
     private List<String> pspRoles;
+    private List<String> psd2Roles;
     private String name;
     private String ncaName;
     private String ncaId;
@@ -54,6 +55,14 @@ public void setPspRoles(List<String> pspRoles) {
         this.pspRoles = pspRoles;
     }
 
+    public List<String> getPsd2Roles() {
+        return psd2Roles;
+    }
+
+    public void setPsd2Roles(List<String> psd2Roles) {
+        this.psd2Roles = psd2Roles;
+    }
+
     public String getName() {
 
         return name;

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java

@@ -66,12 +66,17 @@ public static CertificateContent extract(X509Certificate cert)
         PSPRoles pspRoles = psd2QcType.getPspRoles();
         List<PSPRole> rolesArray = pspRoles.getRoles();
 
+        // Roles as defined in the certificate (PSP_AI, PSP_PI, etc)
         List<String> roles = new ArrayList<>();
+        // Relative PSD2 role names (AISP, PISP, etc)
+        List<String> psd2Roles = new ArrayList<>();
 
         for (PSPRole pspRole : rolesArray) {
-            roles.add(pspRole.getPsd2RoleName());
+            roles.add(pspRole.getPspRoleName());
+            psd2Roles.add(pspRole.getPsd2RoleName());
         }
         tppCertData.setPspRoles(roles);
+        tppCertData.setPsd2Roles(psd2Roles);
 
         tppCertData.setNcaName(psd2QcType.getnCAName().getString());
         tppCertData.setNcaId(psd2QcType.getnCAId().getString());

open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java

@@ -42,15 +42,29 @@ public void testExtractValidCertificate() throws Exception {
         CertificateContent extract = CertificateContentExtractor.extract(cert);
 
         Assert.assertTrue(extract.getPspRoles().size() == 3);
-        Assert.assertTrue(extract.getPspRoles().contains("AISP"));
-        Assert.assertTrue(extract.getPspRoles().contains("PISP"));
-        Assert.assertTrue(extract.getPspRoles().contains("CBPII"));
+        Assert.assertTrue(extract.getPspRoles().contains("PSP_AI"));
+        Assert.assertTrue(extract.getPspRoles().contains("PSP_PI"));
+        Assert.assertTrue(extract.getPspRoles().contains("PSP_IC"));
         Assert.assertTrue(extract.getPspAuthorisationNumber().equals("PSDDE-BAFIN-123456"));
         Assert.assertTrue(extract.getName().equals("www.hanseaticbank.de"));
         Assert.assertTrue(extract.getNcaName().equals("Federal Financial Supervisory Authority"));
         Assert.assertTrue(extract.getNcaId().equals("DE-BAFIN"));
     }
 
+    @Test
+    public void testExtractPSD2RoleFromCert() throws Exception {
+
+        X509Certificate cert =
+                CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElse(null);
+
+        CertificateContent extract = CertificateContentExtractor.extract(cert);
+
+        Assert.assertTrue(extract.getPsd2Roles().size() == 3);
+        Assert.assertTrue(extract.getPsd2Roles().contains("AISP"));
+        Assert.assertTrue(extract.getPsd2Roles().contains("PISP"));
+        Assert.assertTrue(extract.getPsd2Roles().contains("CBPII"));
+    }
+
     @Test
     public void testExtractInvalidCertificate() throws CertificateException {
 

open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java

@@ -212,25 +212,26 @@ public boolean validateTppRoles(X509Certificate tppCertificate, List<PSD2RoleEnu
      * Validate whether the psd2 roles match with the scopes.
      *
      * @param tppCertificate    eidas certificate with roles
-     * @param requiredPSD2Roles client requested roles
+     * @param requiredRoles client requested roles
      * @return true if all required values are present in the certificate
      */
     private boolean isRequiredRolesMatchWithScopes(X509Certificate tppCertificate
-            , List<PSD2RoleEnum> requiredPSD2Roles) throws CertificateValidationException, TPPValidationException {
+            , List<PSD2RoleEnum> requiredRoles) throws CertificateValidationException, TPPValidationException {
 
 
         // Extract the certContent from the eidas certificate (i.e. roles, authorization number, etc)
         CertificateContent certContent = CertificateContentExtractor.extract(tppCertificate);
 
         if (log.isDebugEnabled()) {
-            log.debug("The TPP is requesting roles: " + requiredPSD2Roles);
+            log.debug("The TPP is requesting roles: " + requiredRoles);
             log.debug("Provided PSD2 eIDAS certificate" +
                     " contains the role: " + certContent.getPspRoles());
         }
 
         // Validate whether the eIDAS certificate contains the required roles that matches with the token scopes.
-        for (PSD2RoleEnum requiredRole : requiredPSD2Roles) {
-            if (!certContent.getPspRoles().contains(requiredRole.name())) {
+        for (PSD2RoleEnum requiredRole : requiredRoles) {
+            if (!(certContent.getPspRoles().contains(requiredRole.name())
+                    || certContent.getPsd2Roles().contains(requiredRole.name()))) {
                 // Return false if any one of the roles that are bound to the scope is not present in the PSD2
                 // role list of the client eIDAS certificate.
                 final String errorMsg = "The PSD2 eIDAS certificate does not contain the required role "