From c90149ebbd82708750ef887e83e66addea112e33 Mon Sep 17 00:00:00 2001
From: akila94
Date: Fri, 29 Nov 2024 12:24:39 +0530
Subject: [PATCH 1/3] Role validation improvement
---
 .../common/model/PSD2RoleEnum.java | 3 ++-
 .../extractor/CertificateContent.java | 9 +++++++++
 .../CertificateContentExtractor.java | 7 ++++++-
 .../CertificateContentExtractorTest.java | 20 ++++++++++++++++---
 .../service/CertValidationService.java | 3 ++-
 5 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
index 441dacef..d036fca7 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
@@ -23,7 +23,8 @@
 */
 public enum PSD2RoleEnum {
- AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp");
+ AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp"), PSP_AI("psp_ai"),
+ PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");
 private String value;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
index 4dbd6efe..6414e83e 100644
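Review bot: The four added constants carry no documentation saying how they relate to the existing four, yet the test hunk later in this patch expects a certificate's `PSP_AI`/`PSP_PI`/`PSP_IC` roles to be reported next to `AISP`/`PISP`/`CBPII`, so the enum now holds two spellings of what appears to be the same authorisation with nothing tying them together. A comment above the new constants such as `// PSP_* names are the role identifiers carried in the eIDAS PSD2 QcStatement; AISP/PISP/CBPII/ASPSP are the PSD2 role names they appear to correspond to (PSP_AI -> AISP, PSP_PI -> PISP, PSP_IC -> CBPII, PSP_AS -> ASPSP) — confirm against the extractor` would make the later `||` check in CertValidationService readable. It is also not visible from this hunk whether the lowercase `value` strings (`"psp_ai"`) are ever matched against configuration or token scopes; if they are, the scope-to-role mapping should be reviewed so that a scope is not satisfiable by a role of lower privilege under the new spelling.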
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContent.java
@@ -27,6 +27,7 @@ public class CertificateContent {
 private String pspAuthorisationNumber;
 private List pspRoles;
+ private List psd2Roles;
 private String name;
 private String ncaName;
 private String ncaId;
@@ -54,6 +55,14 @@ public void setPspRoles(List pspRoles) {
 this.pspRoles = pspRoles;
 }
+ public List getPsd2Roles() {
+ return psd2Roles;
+ }
+
+ public void setPsd2Roles(List psd2Roles) {
+ this.psd2Roles = psd2Roles;
+ }
+
 public String getName() {
 return name;
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
index 2f6b5093..a14ee983 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/util/eidas/certificate/extractor/CertificateContentExtractor.java
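Review bot: `getPsd2Roles()` and `getPspRoles()` now hold two different vocabularies for the same certificate, but neither accessor is documented, so a reader of CertificateContent cannot tell which list to consult for an authorisation decision. Suggest a Javadoc on each, e.g. `/** Role identifiers exactly as carried in the certificate's PSD2 QcStatement (e.g. PSP_AI). */` on `getPspRoles()` and `/** PSD2 role name corresponding to each entry of {@link #getPspRoles()} (e.g. AISP); null until populated by the extractor. */` on `getPsd2Roles()`. The element type of `List` is not visible in this rendering; if the fields are genuinely raw, `List<String>` matches what the extractor stores into them.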
@@ -66,12 +66,17 @@ public static CertificateContent extract(X509Certificate cert)
 PSPRoles pspRoles = psd2QcType.getPspRoles();
 List rolesArray = pspRoles.getRoles();
+ // Roles as defined in the certificate (PSP_AI, PSP_PI, etc)
 List roles = new ArrayList<>();
+ // Relative PSD2 role names (AISP, PISP, etc)
+ List psd2Roles = new ArrayList<>();
 for (PSPRole pspRole : rolesArray) {
- roles.add(pspRole.getPsd2RoleName());
+ roles.add(pspRole.getPspRoleName());
+ psd2Roles.add(pspRole.getPsd2RoleName());
 }
 tppCertData.setPspRoles(roles);
+ tppCertData.setPsd2Roles(psd2Roles);
 tppCertData.setNcaName(psd2QcType.getnCAName().getString());
 tppCertData.setNcaId(psd2QcType.getnCAId().getString());
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
index 03913254..005f22d7 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/test/java/com/wso2/openbanking/accelerator/common/test/util/eidas/certificate/extractor/CertificateContentExtractorTest.java
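Review bot: `roles.add(pspRole.getPspRoleName())` silently changes what `getPspRoles()` returns for every existing caller — it used to hold the PSD2 role names and now holds the certificate's PSP_* identifiers — and this commit updates only the one consumer in CertValidationService. Any other code comparing `getPspRoles()` against `AISP`/`PISP`/`CBPII` would stop matching; in a role check that fails closed, but it still breaks authorisation for legitimate TPPs, so the remaining callers should be checked and the change stated in the getter's Javadoc or the commit message. The comment `// Relative PSD2 role names (AISP, PISP, etc)` reads more precisely as `// PSD2 role name corresponding to each certificate role above (AISP, PISP, etc)`. The `extract` method begins before this hunk and continues after it.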
@@ -42,15 +42,29 @@ public void testExtractValidCertificate() throws Exception {
 CertificateContent extract = CertificateContentExtractor.extract(cert);
 Assert.assertTrue(extract.getPspRoles().size() == 3);
- Assert.assertTrue(extract.getPspRoles().contains("AISP"));
- Assert.assertTrue(extract.getPspRoles().contains("PISP"));
- Assert.assertTrue(extract.getPspRoles().contains("CBPII"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_AI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_PI"));
+ Assert.assertTrue(extract.getPspRoles().contains("PSP_IC"));
 Assert.assertTrue(extract.getPspAuthorisationNumber().equals("PSDDE-BAFIN-123456"));
 Assert.assertTrue(extract.getName().equals("www.hanseaticbank.de"));
 Assert.assertTrue(extract.getNcaName().equals("Federal Financial Supervisory Authority"));
 Assert.assertTrue(extract.getNcaId().equals("DE-BAFIN"));
 }
+ @Test
+ public void testExtractPSD2RoleFromCert() throws Exception {
+
+ X509Certificate cert =
+ CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElse(null);
+
+ CertificateContent extract = CertificateContentExtractor.extract(cert);
+
+ Assert.assertTrue(extract.getPsd2Roles().size() == 3);
+ Assert.assertTrue(extract.getPsd2Roles().contains("AISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("PISP"));
+ Assert.assertTrue(extract.getPsd2Roles().contains("CBPII"));
+ }
+
 @Test
 public void testExtractInvalidCertificate() throws CertificateException {
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
index 84897229..bcc8b638 100644
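Review bot: `CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElse(null)` in the new `testExtractPSD2RoleFromCert` turns a failed fixture parse into a NullPointerException inside `extract` rather than a clear test failure; `X509Certificate cert = CommonTestUtil.parseTransportCert(CommonTestUtil.EIDAS_CERT).orElseThrow(AssertionError::new);` names the real cause (the existing test presumably has the same shape, outside the hunk). The `assertTrue(list.size() == 3)` form also hides the actual size when it fails; `Assert.assertEquals(3, extract.getPsd2Roles().size());` reports it. The two tests now share identical setup, so a small private helper returning the parsed certificate would remove the duplication.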
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
@@ -230,7 +230,8 @@ private boolean isRequiredRolesMatchWithScopes(X509Certificate tppCertificate
 // Validate whether the eIDAS certificate contains the required roles that matches with the token scopes.
 for (PSD2RoleEnum requiredRole : requiredPSD2Roles) {
- if (!certContent.getPspRoles().contains(requiredRole.name())) {
+ if (!(certContent.getPspRoles().contains(requiredRole.name())
+ || certContent.getPsd2Roles().contains(requiredRole.name()))) {
 // Return false if any one of the roles that are bound to the scope is not present in the PSD2
 // role list of the client eIDAS certificate.
 final String errorMsg = "The PSD2 eIDAS certificate does not contain the required role "
From c9d6ba71c82bfd8cf50b300e094be910dd83f4b3 Mon Sep 17 00:00:00 2001
From: akila94
Date: Fri, 29 Nov 2024 15:32:46 +0530
Subject: [PATCH 2/3] Refactor variable name
---
 .../gateway/executor/service/CertValidationService.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
index bcc8b638..b7a16cbf 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java
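Review bot: The widened condition calls `certContent.getPsd2Roles()` on every evaluation, and that list is populated only by the extractor path changed in this commit; if a `CertificateContent` reaches this loop without `setPsd2Roles` having been called (nothing in the hunk guards against it), the `||` branch throws a NullPointerException instead of rejecting the certificate. A null-safe local before the loop, `List psd2Roles = certContent.getPsd2Roles() == null ? Collections.emptyList() : certContent.getPsd2Roles();`, keeps the outcome a clean `false` with the existing error message, and the same treatment would not hurt for `getPspRoles()`. The debug line visible in the patch 2 hunk still prints only `getPspRoles()`; logging `getPsd2Roles()` beside it would make a role mismatch diagnosable now that two vocabularies are accepted. The enclosing method starts before this hunk and continues after it.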
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.gateway/src/main/java/com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.java @@ -212,24 +212,24 @@ public boolean validateTppRoles(X509Certificate tppCertificate, List requiredPSD2Roles) throws CertificateValidationException, TPPValidationException { + , List requiredRoles) throws CertificateValidationException, TPPValidationException { // Extract the certContent from the eidas certificate (i.e. roles, authorization number, etc) CertificateContent certContent = CertificateContentExtractor.extract(tppCertificate); if (log.isDebugEnabled()) { - log.debug("The TPP is requesting roles: " + requiredPSD2Roles); + log.debug("The TPP is requesting roles: " + requiredRoles); log.debug("Provided PSD2 eIDAS certificate" + " contains the role: " + certContent.getPspRoles()); } // Validate whether the eIDAS certificate contains the required roles that matches with the token scopes. - for (PSD2RoleEnum requiredRole : requiredPSD2Roles) { + for (PSD2RoleEnum requiredRole : requiredRoles) { if (!(certContent.getPspRoles().contains(requiredRole.name()) || certContent.getPsd2Roles().contains(requiredRole.name()))) { // Return false if any one of the roles that are bound to the scope is not present in the PSD2 From 0a195fda391fadca36a901e0a8dd62cc5226613b Mon Sep 17 00:00:00 2001 From: Akila Amarasinghe Date: Tue, 10 Dec 2024 11:31:14 +0530 Subject: [PATCH 3/3] Update open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java Co-authored-by: Anju Chamantha <42867633+anjuchamantha@users.noreply.github.com> --- .../openbanking/accelerator/common/model/PSD2RoleEnum.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
index d036fca7..24314b64 100644
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.common/src/main/java/com/wso2/openbanking/accelerator/common/model/PSD2RoleEnum.java
@@ -23,7 +23,11 @@
 */
 public enum PSD2RoleEnum {
- AISP("aisp"), PISP("pisp"), CBPII("cbpii"), ASPSP("aspsp"), PSP_AI("psp_ai"),
+ AISP("aisp"),
+ PISP("pisp"),
+ CBPII("cbpii"),
+ ASPSP("aspsp"),
+ PSP_AI("psp_ai"),
 PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");
 private String value;
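Review bot: The reformat puts one constant per line up to `PSP_AI("psp_ai"),` but leaves `PSP_PI("psp_pi"), PSP_IC("psp_ic"), PSP_AS("psp_as");` on a single context line, so the enum body ends up half in each layout. Finishing the split so that `PSP_PI`, `PSP_IC` and `PSP_AS` each sit on their own line keeps the list uniform and makes future role additions one-line diffs.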