diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
index 441dacef..24314b64 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
@@ -23,7 +23,12 @@
 */
 public enum PSD2RoleEnum {
- AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp");
+ AISP("aisp"),
+ PISP("pisp"),
+ CBPII("cbpii"),
+ ASPSP("aspsp"),
+ PSP_AI("psp_ai"),
+ PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");
 private String value;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
index 4dbd6efe..6414e83e 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
@@ -27,6 +27,7 @@ public class CertificateContent {
 private String pspAuthorisationNumber;
 private List pspRoles;
+ private List psd2Roles;
 private String name;
 private String ncaName;
 private String ncaId;
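Review bot: The last added line, `PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");`, packs three constants onto one line immediately after the hunk has moved the existing constants to one per line, so the enum now reads in two layouts; `PSP_PI("psp_pi"),` / `PSP_IC("psp_ic"),` / `PSP_AS("psp_as");` each on its own line keeps the new style. The enum also now mixes two naming families, the PSD2 role names (AISP, PISP, CBPII, ASPSP) and the identifiers carried in the certificate (PSP_AI, PSP_PI, PSP_IC, PSP_AS), and nothing in the type says which family a caller gets or should pass, while `CertValidationService.validateTppRoles` elsewhere in this diff matches `requiredRole.name()` against both lists. A short comment above each group, e.g. `// Role identifiers as carried in the eIDAS certificate; matched against CertificateContent.getPspRoles()`, would make that contract explicit. The enum's `value` field and accessors continue outside the hunk.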
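Review bot: `private List psd2Roles;` is declared as a raw `List`, copying the raw type of `pspRoles` above it, although the extractor in this diff fills it via `psd2Roles.add(pspRole.getPsd2RoleName())` and the new test asserts `contains("AISP")`, i.e. the callers treat it as a list of strings; `private List<String> psd2Roles;`, with `List<String>` on the `getPsd2Roles`/`setPsd2Roles` pair added in the next hunk of this file, would state the element type the callers rely on. The field also needs a line saying how it differs from `pspRoles`, since the extractor change makes the two lists hold different things; a Javadoc such as `/** PSD2 role names (AISP, PISP, CBPII, ...) mapped from the PSP roles in the certificate; pspRoles holds the identifiers as carried in the certificate. */` would record that. Whether the setter should copy rather than alias the caller's list is a pre-existing choice shared with `setPspRoles`.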
@@ -54,6 +55,14 @@ public void setPspRoles(List pspRoles) {
 this.pspRoles = pspRoles;
 }
+ public List getPsd2Roles() {
+ return psd2Roles;
+ }
+
+ public void setPsd2Roles(List psd2Roles) {
+ this.psd2Roles = psd2Roles;
+ }
+
 public String getName() {
 return name;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
index 2f6b5093..a14ee983 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
@@ -66,12 +66,17 @@ public static CertificateContent extract(X509Certificate cert)
 PSPRoles pspRoles = psd2QcType.getPspRoles();
 List rolesArray = pspRoles.getRoles();
+ // Roles as defined in the certificate (PSP_AI, PSP_PI, etc)
 List roles = new ArrayList<>();
+ // Relative PSD2 role names (AISP, PISP, etc)
+ List psd2Roles = new ArrayList<>();
 for (PSPRole pspRole : rolesArray) {
- roles.add(pspRole.getPsd2RoleName());
+ roles.add(pspRole.getPspRoleName());
+ psd2Roles.add(pspRole.getPsd2RoleName());
 }
 tppCertData.setPspRoles(roles);
+ tppCertData.setPsd2Roles(psd2Roles);
 tppCertData.setNcaName(psd2QcType.getnCAName().getString());
 tppCertData.setNcaId(psd2QcType.getnCAId().getString());
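Review bot: Replacing `roles.add(pspRole.getPsd2RoleName())` with `roles.add(pspRole.getPspRoleName())` changes what `CertificateContent.getPspRoles()` holds, from PSD2 role names (AISP, PISP, ...) to the identifiers carried in the certificate (PSP_AI, PSP_PI, ...), as the test hunk's switch from `contains("AISP")` to `contains("PSP_AI")` confirms; any consumer of `getPspRoles()` outside this diff that still compares against AISP/PISP strings will now silently never match, so those callers should be checked and the new meaning stated in the getter's Javadoc. The comment `// Relative PSD2 role names (AISP, PISP, etc)` reads better as `// PSD2 role names (AISP, PISP, etc) corresponding to the certificate roles above`. Whether `getPspRoleName()` or `getPsd2RoleName()` can return null for an unrecognised role is not visible here; if so, a null entry in either list is harmless for the later `contains(requiredRole.name())` checks but would be worth a debug log. `extract` continues outside the hunk.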
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
index 03913254..005f22d7 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
@@ -42,15 +42,29 @@ public void testExtractValidCertificate() throws Exception {
 CertificateContent extract = CertificateContentExtractor.extract(cert);
 Assert.assertTrue(extract.getPspRoles().size() == 3);
- Assert.assertTrue(extract.getPspRoles().contains("AISP"));
- Assert.assertTrue(extract.getPspRoles().contains("PISP"));
- Assert.assertTrue(extract.getPspRoles().contains("CBPII"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_AI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_PI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_IC"));
 Assert.assertTrue(extract.getPspAuthorisationNumber().equals("PSDDE-BAFIN-123456"));
 Assert.assertTrue(extract.getName().equals("www.hanseaticbank.de"));
 Assert.assertTrue(extract.getNcaName().equals("Federal Financial Supervisory Authority"));
 Assert.assertTrue(extract.getNcaId().equals("DE-BAFIN"));
 }
+ @Test
+ public void testExtractPSD2RoleFromCert() throws Exception {
+
+ X509Certificate cert =
+ CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElse(null);
+
+ CertificateContent extract = CertificateContentExtractor.extract(cert);
+
+ Assert.assertTrue(extract.getPsd2Roles().size() == 3);
+ Assert.assertTrue(extract.getPsd2Roles().contains("AISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("PISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("CBPII"));
+ }
+
 @Test
 public void testExtractInvalidCertificate() throws CertificateException {
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
index 84897229..b7a16cbf 100644
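Review bot: `Assert.assertTrue(extract.getPsd2Roles().size() == 3)` in the new `testExtractPSD2RoleFromCert` hides the actual size when it fails; `Assert.assertEquals(extract.getPsd2Roles().size(), 3);` reports both values, and the same form suits the size check kept in `testExtractValidCertificate`. The new test also repeats the certificate parsing of the existing test and passes `orElse(null)` straight into `extract`, so a parse failure would surface as whatever `extract` does with a null certificate rather than as a clear assertion; an `Assert.assertNotNull(cert);` before the call, or a shared setup method, would pinpoint that. The updated assertions in `testExtractValidCertificate`, which now pin `getPspRoles()` to `PSP_AI`/`PSP_PI`/`PSP_IC`, are the only place the new contract of that getter is written down, so a one-line comment there saying that `getPspRoles()` returns the identifiers as carried in the certificate while `getPsd2Roles()` returns the PSD2 names would help the next reader. The opening lines of `testExtractValidCertificate` are outside the hunk.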
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
@@ -212,25 +212,26 @@ public boolean validateTppRoles(X509Certificate tppCertificate, List requiredPSD2Roles) throws CertificateValidationException, TPPValidationException {
+ , List requiredRoles) throws CertificateValidationException, TPPValidationException {
 // Extract the certContent from the eidas certificate (i.e. roles, authorization number, etc)
 CertificateContent certContent = CertificateContentExtractor.extract(tppCertificate);
 if (log.isDebugEnabled()) {
- log.debug("The TPP is requesting roles: " + requiredPSD2Roles);
+ log.debug("The TPP is requesting roles: " + requiredRoles);
 log.debug("Provided PSD2 eIDAS certificate" + " contains the role: " + certContent.getPspRoles());
 }
 // Validate whether the eIDAS certificate contains the required roles that matches with the token scopes.
- for (PSD2RoleEnum requiredRole : requiredPSD2Roles) {
- if (!certContent.getPspRoles().contains(requiredRole.name())) {
+ for (PSD2RoleEnum requiredRole : requiredRoles) {
+ if (!(certContent.getPspRoles().contains(requiredRole.name())
+ || certContent.getPsd2Roles().contains(requiredRole.name()))) {
 // Return false if any one of the roles that are bound to the scope is not present in the PSD2
 // role list of the client eIDAS certificate.
 final String errorMsg = "The PSD2 eIDAS certificate does not contain the required role "