From be64c37576a9ae342cdaedf64b84e06a7eaaf2a3 Mon Sep 17 00:00:00 2001 
From: aka4rKO Date: Tue, 22 Oct 2024 22:21:09 +0530 Subject: [PATCH] added fapi 1 changes to open source branch --- .../resources/wso2am-4.2.0-deployment.toml | 1 + .../repository/conf/common.auth.script.js | 1 + .../resources/wso2is-5.11.0-deployment.toml | 52 +++++--- .../resources/wso2is-6.0.0-deployment.toml | 52 +++++--- .../resources/wso2is-6.1.0-deployment.toml | 52 +++++--- .../pom.xml | 7 +- .../validator/FapiRequestObjectValidator.java | 53 ++++++++ .../annotations/ExpirationValidator.java | 96 ++++++++++++++ .../annotations/NotBeforeValidator.java | 96 ++++++++++++++ .../annotations/ValidExpiration.java | 47 +++++++ .../validator/annotations/ValidNotBefore.java | 47 +++++++ .../validator/models/FapiRequestObject.java | 49 ++++++++ .../OBCodeResponseTypeValidator.java | 12 +- .../OBHybridResponseTypeValidator.java | 1 + .../claims/OBDefaultClaimProvider.java | 33 ++--- .../OBMutualTLSClientAuthenticator.java | 42 +++---- .../OBPrivateKeyJWTClientAuthenticator.java | 109 ++++++++++++++++ .../IdentityExtensionsServiceComponent.java | 3 + .../util/IdentityCommonConstants.java | 1 + .../identity/util/IdentityCommonUtil.java | 75 ++++++++--- .../DefaultOBRequestObjectValidatorTest.java | 27 +--- .../FapiRequestObjectValidatorTest.java | 117 ++++++++++++++++++ .../OBHybridResponseTypeValidatorTest.java | 1 + .../OBMutualTLSClientAuthenticatorTest.java | 30 +++-- ...BPrivateKeyJWTClientAuthenticatorTest.java | 94 ++++++++++++++ .../identity/token/util/TestConstants.java | 58 ++++----- .../accelerator/identity/utils/TestUtils.java | 55 ++++++++ .../src/test/resources/testng.xml | 6 + .../impl/DefaultConsentPersistStep.java | 4 +- .../SampleFapiPlainConsentPersistStep.java | 74 +++++++++++ .../SampleFapiPlainConsentRetrievalStep.java | 111 +++++++++++++++++ .../common/ConsentExtensionConstants.java | 11 +- .../common/ConsentExtensionUtils.java | 22 +++- .../AccountConsentManageRequestHandler.java | 8 +- .../extensions/util/ConsentManageUtil.java | 2 +- 
.../impl/DefaultConsentValidator.java | 8 +- ...mentFundsConfirmationPayloadValidator.java | 2 +- .../flow/VRPConsentRetrievalStepTest.java | 4 +- .../flow/VRPConsentRetrievalUtilTest.java | 4 +- .../validate/VRPSubmissionTest.java | 34 ++--- .../mgt/dao/impl/OBConsentMgtDAOTests.java | 27 ++++ .../mgt/dao/util/ConsentMgtDAOTestData.java | 12 ++ pom.xml | 6 + 43 files changed, 1335 insertions(+), 211 deletions(-) create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidator.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/NotBeforeValidator.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidExpiration.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidNotBefore.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticator.java create mode 100644 
open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidatorTest.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticatorTest.java create mode 100644 open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/utils/TestUtils.java create mode 100644 open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentPersistStep.java create mode 100644 open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentRetrievalStep.java diff --git a/open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.2.0-deployment.toml b/open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.2.0-deployment.toml index 13f005ff..24110663 100644 --- a/open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.2.0-deployment.toml +++ b/open-banking-accelerator/accelerators/ob-apim/repository/resources/wso2am-4.2.0-deployment.toml @@ -227,6 +227,7 @@ RevokeURL = "https://IS_HOSTNAME:${https.nio.port}/revoke" [apim.oauth_config] enable_outbound_auth_header = true white_listed_scopes = ["^device_.*", "openid", "^OB_.*", "^TIME_.*"] +enable_certificate_bound_access_token = true #auth_header = "Authorization" #revoke_endpoint = "https://localhost:${https.nio.port}/revoke" #enable_token_encryption = false 
diff --git a/open-banking-accelerator/accelerators/ob-is/carbon-home/repository/conf/common.auth.script.js b/open-banking-accelerator/accelerators/ob-is/carbon-home/repository/conf/common.auth.script.js
index 107478b2..be9604a2 100644
--- a/open-banking-accelerator/accelerators/ob-is/carbon-home/repository/conf/common.auth.script.js
+++ b/open-banking-accelerator/accelerators/ob-is/carbon-home/repository/conf/common.auth.script.js
@@ -5,6 +5,7 @@ var onLoginRequest = function(context) {
 executeStep(1, {
 onSuccess: function (context) {
 Log.info("Authentication Successful");
+ context.selectedAcr = "urn:mace:incommon:iap:silver";
 publishAuthData(context, "AuthenticationSuccessful", {'psuChannel': psuChannel});
 },
 onFail: function (context) {
diff --git a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml
index 2058ab3d..65bbeee6 100644
--- a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml
+++ b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml
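Review bot: `context.selectedAcr = "urn:mace:incommon:iap:silver";` is assigned unconditionally in the onSuccess callback of step 1, so every successful login asserts that acr value regardless of which authenticator actually completed the step or which acr_values the client requested. For a FAPI deployment the acr claim carried into the ID token is presumably meant to reflect the level of authentication actually achieved, so the value should be derived from context (the completed step's authenticator, or the requested acr) rather than fixed. At minimum a comment above the line, e.g. `// Sample only: asserts a single fixed acr for every login; adapt to the authenticators configured in this deployment`, would stop the sample being copied into production as-is. The enclosing onLoginRequest function continues outside the hunk.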
@@ -208,12 +208,32 @@ username = "${admin.username}" password = "${admin.password}" 'header.X-WSO2-KEY-MANAGER' = "WSO2-IS" +[[event_listener]] +id = "ob_private_key_jwt_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.jwt.OBPrivateKeyJWTClientAuthenticator" +order = "897" +enable = true + +[event_listener.properties] +ParEndpointAlias = "https://IS_HOSTNAME:9446/api/openbanking/push-authorization/par" + +[event.default_listener.mutual_tls_authenticator] +enable = false + +[[event_listener]] +id = "ob_mutual_tls_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" +order = "898" +enable = true + [[event_listener]] id = "private_key_jwt_authenticator" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator" order = "899" - +enable = false [oauth.grant_type] iwa_ntlm.enable = false @@ -280,10 +300,9 @@ allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/push-authorization/(.*)" -secure="true" +secure="false" http_method="all" permissions=["/permission/admin"] -allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/event-notifications/(.*)" 
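Review bot: The second hunk (@@ -280) switches the push-authorization resource from secure="true" to secure="false" and drops the BasicAuthentication handler, so the PAR endpoint is no longer protected by the resource access-control layer and the remaining `permissions=["/permission/admin"]` line has no effect. This is presumably intended because the new ob_private_key_jwt_authenticator listener, with its ParEndpointAlias property, now authenticates the client at that endpoint, but nothing in the file ties the two together: if that listener is disabled or removed, the endpoint is reachable without client authentication. A comment above the resource block, e.g. `# Client authentication for PAR is enforced by the ob_private_key_jwt_authenticator / ob_mutual_tls_authenticator listeners; restore secure="true" if they are disabled`, would make the dependency explicit. ParEndpointAlias also hard-codes port 9446, which will not match a deployment that runs IS with a port offset. The same two hunks are repeated in the wso2is-6.0.0 and wso2is-6.1.0 deployment files.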
@@ -318,15 +337,8 @@ custom_webapps = ["/keymanager-operations/"] [oauth.mutualtls] client_certificate_header = "x-wso2-mutual-auth-cert" -[event.default_listener.mutual_tls_authenticator] -enable = false - -[[event_listener]] -id = "ob_mutual_tls_authenticator" -type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" -name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" -order = "26" -enable = true +[oauth.oidc.id_token] +signature_algorithm = "SHA256withPS" [oauth.token.validation] include_validation_context_as_jwt_in_reponse = "true" @@ -391,8 +403,8 @@ connection_verification_timeout=1 #=======================dcr configs====================== [open_banking.dcr] validator = "com.wso2.openbanking.accelerator.identity.dcr.validation.DefaultRegistrationValidatorImpl" -jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" -jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" +jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" +jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" applicationupdater = "com.wso2.openbanking.accelerator.identity.listener.application.ApplicationUpdaterImpl" use_softwareIdForAppName = true append_registration_attributes_in_response = false 
@@ -504,10 +516,20 @@ priority = 1 class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentRetrievalStep" priority = 2 +# Remove the DefaultConsentRetrievalStep and uncomment the SampleFapiPlainConsentRetrievalStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.retrieve]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentRetrievalStep" +#priority = 2 + [[open_banking.consent.authorize_steps.persist]] class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentPersistStep" priority = 1 +# Remove the DefaultConsentPersistStep and uncomment the SampleFapiPlainConsentPersistStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.persist]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentPersistStep" +#priority = 1 + [open_banking.consent.manage] handler="com.wso2.openbanking.accelerator.consent.extensions.manage.impl.DefaultConsentManageHandler" @@ -547,6 +569,8 @@ api_manager_server_base_url="https://localhost:8243" [open_banking.identity.extensions] request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.DefaultOBRequestObjectValidator" +# Use the FapiRequestObjectValidator for FAPI plain flow validations +#request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator" push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator" [open_banking.identity.application_information_webapp] diff --git a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml index 2160f0ac..9b620c9c 100644 
--- a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml +++ b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml @@ -208,12 +208,32 @@ username = "${admin.username}" password = "${admin.password}" 'header.X-WSO2-KEY-MANAGER' = "WSO2-IS" +[[event_listener]] +id = "ob_private_key_jwt_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.jwt.OBPrivateKeyJWTClientAuthenticator" +order = "897" +enable = true + +[event_listener.properties] +ParEndpointAlias = "https://IS_HOSTNAME:9446/api/openbanking/push-authorization/par" + +[event.default_listener.mutual_tls_authenticator] +enable = false + +[[event_listener]] +id = "ob_mutual_tls_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" +order = "898" +enable = true + [[event_listener]] id = "private_key_jwt_authenticator" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator" order = "899" - +enable = false [oauth.grant_type] iwa_ntlm.enable = false @@ -280,10 +300,9 @@ allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/push-authorization/(.*)" -secure="true" +secure="false" http_method="all" permissions=["/permission/admin"] -allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/event-notifications/(.*)" 
@@ -318,15 +337,8 @@ custom_webapps = ["/keymanager-operations/"] [oauth.mutualtls] client_certificate_header = "x-wso2-mutual-auth-cert" -[event.default_listener.mutual_tls_authenticator] -enable = false - -[[event_listener]] -id = "ob_mutual_tls_authenticator" -type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" -name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" -order = "26" -enable = true +[oauth.oidc.id_token] +signature_algorithm = "SHA256withPS" [oauth.token.validation] include_validation_context_as_jwt_in_reponse = "true" @@ -391,8 +403,8 @@ connection_verification_timeout=1 #=======================dcr configs====================== [open_banking.dcr] validator = "com.wso2.openbanking.accelerator.identity.dcr.validation.DefaultRegistrationValidatorImpl" -jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" -jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" +jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" +jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" applicationupdater = "com.wso2.openbanking.accelerator.identity.listener.application.ApplicationUpdaterImpl" use_softwareIdForAppName = true append_registration_attributes_in_response = false 
@@ -550,10 +562,20 @@ priority = 1 class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentRetrievalStep" priority = 2 +# Remove the DefaultConsentRetrievalStep and uncomment the SampleFapiPlainConsentRetrievalStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.retrieve]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentRetrievalStep" +#priority = 2 + [[open_banking.consent.authorize_steps.persist]] class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentPersistStep" priority = 1 +# Remove the DefaultConsentPersistStep and uncomment the SampleFapiPlainConsentPersistStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.persist]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentPersistStep" +#priority = 1 + [open_banking.consent.manage] handler="com.wso2.openbanking.accelerator.consent.extensions.manage.impl.DefaultConsentManageHandler" @@ -593,6 +615,8 @@ api_manager_server_base_url="https://localhost:8243" [open_banking.identity.extensions] request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.DefaultOBRequestObjectValidator" +# Use the FapiRequestObjectValidator for FAPI plain flow validations +#request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator" push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator" [open_banking.identity.application_information_webapp] diff --git a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml index 1c5792ec..56bb0e38 100644 
--- a/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml +++ b/open-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml @@ -208,12 +208,32 @@ username = "${admin.username}" password = "${admin.password}" 'header.X-WSO2-KEY-MANAGER' = "WSO2-IS" +[[event_listener]] +id = "ob_private_key_jwt_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.jwt.OBPrivateKeyJWTClientAuthenticator" +order = "897" +enable = true + +[event_listener.properties] +ParEndpointAlias = "https://IS_HOSTNAME:9446/api/openbanking/push-authorization/par" + +[event.default_listener.mutual_tls_authenticator] +enable = false + +[[event_listener]] +id = "ob_mutual_tls_authenticator" +type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" +name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" +order = "898" +enable = true + [[event_listener]] id = "private_key_jwt_authenticator" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator" order = "899" - +enable = false [oauth.grant_type] iwa_ntlm.enable = false @@ -280,10 +300,9 @@ allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/push-authorization/(.*)" -secure="true" +secure="false" http_method="all" permissions=["/permission/admin"] -allowed_auth_handlers = ["BasicAuthentication"] [[resource.access_control]] context = "(.*)/api/openbanking/event-notifications/(.*)" 
@@ -318,15 +337,8 @@ custom_webapps = ["/keymanager-operations/"] [oauth.mutualtls] client_certificate_header = "x-wso2-mutual-auth-cert" -[event.default_listener.mutual_tls_authenticator] -enable = false - -[[event_listener]] -id = "ob_mutual_tls_authenticator" -type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" -name = "com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator" -order = "26" -enable = true +[oauth.oidc.id_token] +signature_algorithm = "SHA256withPS" [oauth.token.validation] include_validation_context_as_jwt_in_reponse = "true" @@ -391,8 +403,8 @@ connection_verification_timeout=1 #=======================dcr configs====================== [open_banking.dcr] validator = "com.wso2.openbanking.accelerator.identity.dcr.validation.DefaultRegistrationValidatorImpl" -jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" -jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/9b5usDpbNtmxDcTzs7GzKp.jwks" +jwks_url_sandbox = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" +jwks_url_production = "https://keystore.openbankingtest.org.uk/0015800001HQQrZAAX/0015800001HQQrZAAX.jwks" applicationupdater = "com.wso2.openbanking.accelerator.identity.listener.application.ApplicationUpdaterImpl" use_softwareIdForAppName = true append_registration_attributes_in_response = false 
@@ -504,10 +516,20 @@ priority = 1 class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentRetrievalStep" priority = 2 +# Remove the DefaultConsentRetrievalStep and uncomment the SampleFapiPlainConsentRetrievalStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.retrieve]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentRetrievalStep" +#priority = 2 + [[open_banking.consent.authorize_steps.persist]] class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.DefaultConsentPersistStep" priority = 1 +# Remove the DefaultConsentPersistStep and uncomment the SampleFapiPlainConsentPersistStep for FAPI Plain flow +#[[open_banking.consent.authorize_steps.persist]] +#class = "com.wso2.openbanking.accelerator.consent.extensions.authorize.impl.SampleFapiPlainConsentPersistStep" +#priority = 1 + [open_banking.consent.manage] handler="com.wso2.openbanking.accelerator.consent.extensions.manage.impl.DefaultConsentManageHandler" @@ -547,6 +569,8 @@ api_manager_server_base_url="https://localhost:8243" [open_banking.identity.extensions] request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.DefaultOBRequestObjectValidator" +# Use the FapiRequestObjectValidator for FAPI plain flow validations +#request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator" push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator" [open_banking.identity.application_information_webapp] diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/pom.xml b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/pom.xml index 16e67fe9..734473f0 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/pom.xml 
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/pom.xml @@ -79,6 +79,10 @@ org.wso2.carbon.extension.identity.oauth.addons org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls + + org.wso2.carbon.extension.identity.oauth.addons + org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt + org.wso2.carbon.identity.inbound.auth.oauth2 org.wso2.carbon.identity.oauth @@ -263,7 +267,7 @@ INSTRUCTION COVEREDRATIO - 0.8 + 0.7 @@ -344,6 +348,7 @@ org.wso2.carbon.identity.core.*;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.oauth2.keyidprovider;version="${identity.inbound.auth.oauth.version.range}", org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.*;version="${carbon.identity.clientauth.mutualtls.version}", + org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.*;version="${carbon.identity.clientauth.jwt.version}", org.wso2.carbon.identity.openidconnect.*;version="${identity.inbound.auth.oauth.version.range}", org.wso2.carbon.identity.oauth2.*;version="${identity.inbound.auth.oauth.version.range}", org.wso2.carbon.identity.oauth2.model.*;version="${identity.inbound.auth.oauth.version.range}", diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidator.java new file mode 100644 index 00000000..3c737916 --- /dev/null +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidator.java 
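Review bot: The JaCoCo minimum for INSTRUCTION COVEREDRATIO is lowered from 0.8 to 0.7 in the same commit that adds a client authenticator, a request-object validator and two constraint validators, which reads as relaxing the gate to fit the new code rather than covering it. Those classes are the security-relevant ones in this change and are exactly what benefits from tests; consider keeping `0.8` and adding the missing cases, or recording in the commit description why the threshold had to drop.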
@@ -0,0 +1,53 @@
+/**
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator;
+
+import com.wso2.openbanking.accelerator.common.validator.OpenBankingValidator;
+import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.FapiRequestObject;
+import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.OBRequestObject;
+import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.ValidationResponse;
+import org.apache.commons.lang.StringUtils;
+
+import java.util.Map;
+
+/**
+ * The extension class for enforcing FAPI Request Object Validations.
+ */
+public class FapiRequestObjectValidator extends DefaultOBRequestObjectValidator {
+
+ @Override
+ public ValidationResponse validateOBConstraints(OBRequestObject obRequestObject, Map dataMap) {
+
+ ValidationResponse superValidationResponse = super.validateOBConstraints(obRequestObject, dataMap);
+
+ if (superValidationResponse.isValid()) {
+ FapiRequestObject fapiRequestObject = new FapiRequestObject(obRequestObject);
+ String violation = OpenBankingValidator.getInstance().getFirstViolation(fapiRequestObject);
+
+ if (StringUtils.isEmpty(violation)) {
+ return new ValidationResponse(true);
+ } else {
+ return new ValidationResponse(false, violation);
+ }
+ } else {
+ return superValidationResponse;
+ }
+ }
+
+}
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java
new file mode 100644
index 00000000..bc5265e7
--- /dev/null
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java
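Review bot: validateOBConstraints has no Javadoc, and the ordering it imposes — FAPI constraints are evaluated only after the inherited checks pass, and only the first violation is reported — is not stated anywhere. Propose `/** Runs the default OB request-object checks first and, only when they pass, the FAPI constraints declared on {@link FapiRequestObject}; the first violation found is returned as the failure reason. */` above the method. It is also worth noting in that comment that dataMap is handed to the superclass unchanged and is not consulted by the FAPI constraints.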
@@ -0,0 +1,96 @@
+/**
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations;
+
+import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
+import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
+import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
+
+import java.lang.reflect.InvocationTargetException;
+import java.text.ParseException;
+import java.util.Date;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+/**
+ * To validate if the expiration claim provided is valid.
+ */
+public class ExpirationValidator implements ConstraintValidator {
+
+ private String expirationXPath;
+ private static Log log = LogFactory.getLog(ExpirationValidator.class);
+
+ @Override
+ public void initialize(ValidExpiration constraintAnnotation) {
+
+ this.expirationXPath = constraintAnnotation.expiration();
+ }
+
+ @Override
+ public boolean isValid(Object object, ConstraintValidatorContext constraintValidatorContext) {
+
+ String errorMessage;
+ try {
+ final String expClaimInDateTimeFormat = BeanUtils.getProperty(object, expirationXPath);
+
+ if (StringUtils.isNotBlank(expClaimInDateTimeFormat)) {
+ Date expirationDate = IdentityCommonUtil.parseStringToDate(expClaimInDateTimeFormat);
+ long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
+ long expirationTimeInMillis = expirationDate.getTime();
+ long currentTimeInMillis = System.currentTimeMillis();
+ // exp parameter should not be over 1 hour in the future.
+ if ((expirationTimeInMillis - (currentTimeInMillis + timeStampSkewMillis)) >
+ PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
+ errorMessage = "exp parameter in the request object is over 1 hour in the future";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
+ return false;
+ }
+ // exp parameter should not be in the past.
+ if ((currentTimeInMillis + timeStampSkewMillis) > expirationTimeInMillis) {
+ errorMessage = "Request object expired";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
+ return false;
+ }
+ } else {
+ errorMessage = "exp parameter is missing in the request object";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext,
+ errorMessage);
+ return false;
+ }
+
+ } catch (IllegalAccessException | InvocationTargetException | NoSuchMethodException exception) {
+ log.error("Error while resolving validation fields", exception);
+ return false;
+ } catch (ParseException exception) {
+ log.error("Error while parsing exp value", exception);
+ return false;
+ }
+
+ return true;
+ }
+
+}
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/NotBeforeValidator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/NotBeforeValidator.java
new file mode 100644
index 00000000..09a990fe
--- /dev/null
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/NotBeforeValidator.java
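Review bot: In isValid the two catch blocks return false without calling IdentityCommonUtil.setCustomErrorMessage, so a request object whose exp value cannot be parsed is rejected with the annotation's default message while every other rejection path carries a specific reason. Because the exp value is taken from the client's request object, the ParseException branch is also logging client-controlled input at error level; suggest `log.debug("Error while parsing exp value", exception);` followed by `IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, "exp parameter in the request object is not a valid date");` before the return. The static `log` field should be declared `private static final Log log`. The same skew/date comparison structure is repeated in NotBeforeValidator in the next hunk, so a shared helper for resolving the claim and computing the skewed current time would keep the two from drifting apart.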
@@ -0,0 +1,96 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations; + +import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants; +import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil; +import org.apache.commons.beanutils.BeanUtils; +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration; + +import java.lang.reflect.InvocationTargetException; +import java.text.ParseException; +import java.util.Date; + +import javax.validation.ConstraintValidator; +import javax.validation.ConstraintValidatorContext; + +/** + * To validate if the not before claim provided is valid. 
+ */
+public class NotBeforeValidator implements ConstraintValidator {
+
+ private String notBeforeXPath;
+ private static Log log = LogFactory.getLog(NotBeforeValidator.class);
+
+ @Override
+ public void initialize(ValidNotBefore constraintAnnotation) {
+
+ this.notBeforeXPath = constraintAnnotation.notBefore();
+ }
+
+ @Override
+ public boolean isValid(Object object, ConstraintValidatorContext constraintValidatorContext) {
+
+ String errorMessage;
+ try {
+ final String nbfClaimInDateTimeFormat = BeanUtils.getProperty(object, notBeforeXPath);
+
+ if (StringUtils.isNotBlank(nbfClaimInDateTimeFormat)) {
+ Date notBeforeDate = IdentityCommonUtil.parseStringToDate(nbfClaimInDateTimeFormat);
+ long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
+ long notBeforeTimeInMillis = notBeforeDate.getTime();
+ long currentTimeInMillis = System.currentTimeMillis();
+ // request object should be used on or after nbf value.
+ if ((currentTimeInMillis + timeStampSkewMillis) < notBeforeTimeInMillis) {
+ errorMessage = "Request object is not valid yet";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
+ return false;
+ }
+ // nbf parameter should not be over 1 hour in the past.
+ if (((currentTimeInMillis + timeStampSkewMillis) - notBeforeTimeInMillis) >
+ PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
+ errorMessage = "nbf parameter in the request object is over 1 hour in the past";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
+ return false;
+ }
+ } else {
+ errorMessage = "nbf parameter is missing in the request object";
+ log.debug(errorMessage);
+ IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext,
+ errorMessage);
+ return false;
+ }
+
+ } catch (IllegalAccessException | InvocationTargetException | NoSuchMethodException exception) {
+ log.error("Error while resolving validation fields", exception);
+ return false;
+ } catch (ParseException exception) {
+ log.error("Error while parsing nbf value", exception);
+ return false;
+ }
+
+ return true;
+ }
+
+}
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidExpiration.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidExpiration.java
new file mode 100644
index 00000000..c84d5715
--- /dev/null
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidExpiration.java
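Review bot: The logger on the `private static Log log = LogFactory.getLog(NotBeforeValidator.class);` line is a mutable static, while the sibling class added in this commit, OBPrivateKeyJWTClientAuthenticator, declares `private static final Log log`; make it `private static final Log log = LogFactory.getLog(NotBeforeValidator.class);` (ExpirationValidator has the same field). The two `log.error(...)` catches fire on client-supplied request-object content, so a malformed or unexpected-format nbf value writes an error-level entry with a stack trace for every such request, whereas every other rejection path in `isValid` logs at debug; a debug call plus `IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, "Invalid nbf value in the request object");` in the ParseException catch would be consistent and would tell the client which claim failed. The `else` branch reporting a missing nbf appears to duplicate the `@RequiredParameter` for `claimsSet.claims.nbf` on FapiRequestObject; if that constraint is evaluated first the branch is unreachable, so a one-line comment stating which check is authoritative would help the next reader.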
@@ -0,0 +1,47 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations; + +import java.lang.annotation.Documented; +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import javax.validation.Constraint; +import javax.validation.Payload; + +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +/** + * An annotation to execute expiration claim validation. + */ +@Target(ElementType.TYPE) +@Retention(RUNTIME) +@Documented +@Constraint(validatedBy = {ExpirationValidator.class}) +public @interface ValidExpiration { + + String message() default "Invalid expiration claim"; + + Class[] groups() default {}; + + Class[] payload() default {}; + + String expiration() default "exp"; +} diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidNotBefore.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidNotBefore.java new file mode 100644 index 00000000..7eb76487 --- /dev/null 
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/annotations/ValidNotBefore.java @@ -0,0 +1,47 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations; + +import java.lang.annotation.Documented; +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import javax.validation.Constraint; +import javax.validation.Payload; + +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +/** + * An annotation to execute not before claim validation. + */ +@Target(ElementType.TYPE) +@Retention(RUNTIME) +@Documented +@Constraint(validatedBy = {NotBeforeValidator.class}) +public @interface ValidNotBefore { + + String message() default "Invalid not before claim"; + + Class[] groups() default {}; + + Class[] payload() default {}; + + String notBefore() default "nbf"; +} 
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java new file mode 100644 index 00000000..456cf0aa --- /dev/null +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java 
@@ -0,0 +1,49 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models; + +import com.wso2.openbanking.accelerator.common.validator.annotation.RequiredParameter; +import com.wso2.openbanking.accelerator.common.validator.annotation.RequiredParameters; +import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations.ValidExpiration; +import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations.ValidNotBefore; + +/** + * Model class for FAPI request object. 
+ */ +@RequiredParameters({ + @RequiredParameter(param = "claimsSet.claims.redirect_uri", + message = "Mandatory parameter redirect_uri, not found in the request"), + @RequiredParameter(param = "claimsSet.claims.nonce", + message = "nonce parameter is missing in the request object"), + @RequiredParameter(param = "claimsSet.claims.exp", + message = "exp parameter is missing in the request object"), + @RequiredParameter(param = "claimsSet.claims.nbf", + message = "nbf parameter is missing in the request object") +}) +@ValidExpiration(expiration = "claimsSet.claims.exp") +@ValidNotBefore(notBefore = "claimsSet.claims.nbf") +public class FapiRequestObject extends OBRequestObject { + + private static final long serialVersionUID = -83973857804232423L; + + public FapiRequestObject(OBRequestObject obRequestObject) { + + super(obRequestObject); + } +} diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBCodeResponseTypeValidator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBCodeResponseTypeValidator.java index 7ba4aebc..17e8a2bb 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBCodeResponseTypeValidator.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBCodeResponseTypeValidator.java 
@@ -19,9 +19,11 @@ package com.wso2.openbanking.accelerator.identity.auth.extensions.response.validator; import com.wso2.openbanking.accelerator.common.exception.OpenBankingException; +import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants; import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.oltu.oauth2.common.error.OAuthError; import org.apache.oltu.oauth2.common.exception.OAuthProblemException; import org.apache.oltu.oauth2.common.validators.AbstractValidator; @@ -49,11 +51,15 @@ public void validateContentType(HttpServletRequest request) throws OAuthProblemE @Override public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException { - String responseType = request.getParameter("response_type"); - String clientId = request.getParameter("client_id"); + String responseType = request.getParameter(IdentityCommonConstants.RESPONSE_TYPE); + String clientId = request.getParameter(IdentityCommonConstants.CLIENT_ID); + String state = IdentityCommonUtil.decodeRequestObjectAndGetKey(request, IdentityCommonConstants.STATE); if (!isValidResponseType(clientId, responseType)) { log.error("Unsupported Response Type"); - throw OAuthProblemException.error("Unsupported Response Type"); + throw OAuthProblemException + .error(OAuthError.CodeResponse.UNSUPPORTED_RESPONSE_TYPE) + .description("Unsupported Response Type") + .state(state); } } diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidator.java index 0b8cb1e5..9f298cee 100644 
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidator.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidator.java @@ -63,6 +63,7 @@ public void validateRequiredParameters(HttpServletRequest request) throws OAuthP this.notAllowedParams.add(IdentityCommonConstants.REQUEST); openIdScope = IdentityCommonUtil.decodeRequestObjectAndGetKey(request, OAuth.OAUTH_SCOPE); } else { + this.requiredParams = new ArrayList(Arrays.asList(IdentityCommonConstants.REQUEST)); openIdScope = request.getParameter(OAuth.OAUTH_SCOPE); } diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/claims/OBDefaultClaimProvider.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/claims/OBDefaultClaimProvider.java index 187a10d9..c6b5070a 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/claims/OBDefaultClaimProvider.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/claims/OBDefaultClaimProvider.java 
@@ -41,15 +41,13 @@ import java.util.List; import java.util.Map; -import static org.wso2.carbon.identity.openidconnect.model.Constants.JWT_PART_DELIMITER; -import static org.wso2.carbon.identity.openidconnect.model.Constants.NUMBER_OF_PARTS_IN_JWE; - /** * Default OB specific claim provider implementation. */ public class OBDefaultClaimProvider extends OBClaimProvider { private static final Log log = LogFactory.getLog(OBDefaultClaimProvider.class); + private static final String S_HASH_CLAIM = "s_hash"; @Override public Map getAdditionalClaims(OAuthAuthzReqMessageContext authAuthzReqMessageContext, 
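Review bot: The new `private static final String S_HASH_CLAIM = "s_hash";` introduces a private copy of a claim name that the code removed in the next hunk referenced as `IdentityCommonConstants.S_HASH`; if that shared constant carries the same value, keep using it so the s_hash claim name is defined in exactly one place. If the two are intentionally different, a comment on the field explaining why this provider needs its own claim name is warranted.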
@@ -57,26 +55,21 @@ public Map getAdditionalClaims(OAuthAuthzReqMessageContext authA
 throws IdentityOAuth2Exception {
 Map claims = new HashMap<>();
- String[] cachedRequests = null;
 final String sessionDataKey = authAuthzReqMessageContext.getAuthorizationReqDTO().getSessionDataKey();
- if (StringUtils.isNotBlank(sessionDataKey)) {
- cachedRequests = SessionDataCache.getInstance()
- .getValueFromCache(new SessionDataCacheKey(sessionDataKey)).getParamMap().get("request");
- }
- if (cachedRequests != null && !(cachedRequests[0].split(JWT_PART_DELIMITER).length == NUMBER_OF_PARTS_IN_JWE)) {
- JSONObject requestBody = getRequestBodyFromCache(cachedRequests);
-
- /* State is an optional parameter, so the authorization server must successfully authenticate and
- * must NOT return state nor s_hash. (FAPI1-ADV-5.2.2.1-5)
- */
- final String state = requestBody.getAsString(OAuthConstants.OAuth20Params.STATE);
- if (StringUtils.isNotEmpty(state)) {
- claims.put(IdentityCommonConstants.S_HASH, IdentityCommonUtil.getHashValue(state, null));
- } else {
- // state is empty, removing state from cache too
- removeStateFromCache(sessionDataKey);
+
+ /* State is an optional parameter, so the authorization server must successfully authenticate and
+ * must NOT return state nor s_hash. (FAPI1-ADV-5.2.2.1-5)
+ */
+ String stateValue = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(sessionDataKey))
+ .getoAuth2Parameters().getState();
+
+ if (stateValue != null) {
+ claims.put(S_HASH_CLAIM, IdentityCommonUtil.getHashValue(stateValue, null));
+ if (log.isDebugEnabled()) {
+ log.debug("S_HASH value created using given algorithm for state value:" + stateValue);
 }
 }
+
+ final String responseType = authAuthzReqMessageContext.getAuthorizationReqDTO().getResponseType();
 avoidSettingATHash(responseType, authorizeRespDTO, claims);
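Review bot: The `String stateValue = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(sessionDataKey))` line dereferences the cache lookup result directly; the removed code at least guarded `sessionDataKey` with `StringUtils.isNotBlank`, and the new code has no guard at all, so an expired or absent session entry (or a blank key) surfaces as a NullPointerException from ID-token claim generation rather than a handled condition. Splitting the lookup keeps the rest of the hunk intact: `SessionDataCacheEntry cacheEntry = SessionDataCache.getInstance().getValueFromCache(new SessionDataCacheKey(sessionDataKey));` followed by `String stateValue = cacheEntry != null ? cacheEntry.getoAuth2Parameters().getState() : null;` (SessionDataCacheEntry is the type this commit already uses for the same lookup in IdentityCommonUtil; it may need an import here). The debug line also writes the client-supplied state value verbatim into the log; logging only that the claim was set keeps attacker-controlled text out of log output. The enclosing `getAdditionalClaims` starts before this hunk and continues after it.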
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticator.java index 87c6f5ed..2f17e1e4 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticator.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticator.java @@ -18,8 +18,7 @@ package com.wso2.openbanking.accelerator.identity.clientauth; -import com.wso2.openbanking.accelerator.common.exception.OpenBankingException; -import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper; +import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants; import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; 
@@ -48,32 +47,27 @@ public class OBMutualTLSClientAuthenticator extends MutualTLSClientAuthenticator
 public boolean canAuthenticate(HttpServletRequest request, Map bodyParams,
 OAuthClientAuthnContext oAuthClientAuthnContext) {
- try {
- String clientId = oAuthClientAuthnContext.getClientId();
- if (StringUtils.isEmpty(clientId)) {
- clientId = (super.getClientId(request, bodyParams, oAuthClientAuthnContext) == null
- && request.getParameter("client_id") != null) ? request.getParameter("client_id") :
- super.getClientId(request, bodyParams, oAuthClientAuthnContext);
- }
- if ((IdentityCommonUtil.getRegulatoryFromSPMetaData(clientId))) {
- if (new IdentityCommonHelper().isMTLSAuthentication(request)) {
- log.debug("Client ID and a valid certificate was found in the request attribute hence returning " +
- "true.");
- return true;
- } else {
- log.debug("Mutual TLS authenticator cannot handle this request. Client id is not available in " +
- "body params or valid certificate not found in request attributes.");
+ // Look for client assertion in request parameters.
+ String clientAssertion = request.getParameter(IdentityCommonConstants.OAUTH_JWT_ASSERTION);
+ if (StringUtils.isNotEmpty(clientAssertion)) {
+ log.debug("Request cannot be handled by OBMutualTLSClientAuthenticator");
+ return false;
+ }
+
+ // Look for client assertion in bodyParams map.
+ if (bodyParams != null) {
+ List clientAssertionList = bodyParams.get(IdentityCommonConstants.OAUTH_JWT_ASSERTION);
+ if (clientAssertionList != null && !clientAssertionList.isEmpty() && clientAssertionList.get(0) != null) {
+ String bodyParamsClientAssertion = clientAssertionList.get(0).toString();
+ if (StringUtils.isNotEmpty(bodyParamsClientAssertion)) {
+ log.debug("Client assertion found in body parameters. 
Request cannot be handled by " +
+ "OBMutualTLSClientAuthenticator.");
 return false;
 }
- } else {
- return super.canAuthenticate(request, bodyParams, oAuthClientAuthnContext);
 }
- } catch (OpenBankingException | OAuthClientAuthnException e) {
- if (log.isDebugEnabled()) {
- log.debug("Mutual TLS authenticator cannot handle this request. " + e.getMessage());
- }
- return false;
 }
+
+ return super.canAuthenticate(request, bodyParams, oAuthClientAuthnContext);
 }
 @Override
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticator.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticator.java
new file mode 100644
index 00000000..15eafeba
--- /dev/null
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticator.java
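Review bot: `canAuthenticate` now yields to the private_key_jwt path whenever a `client_assertion` parameter is present, without looking at `client_assertion_type` or at the authentication method the client was registered with, so which authenticator handles a token request is decided purely by what the caller sends. If the registered method is enforced later (in the superclass or in OBPrivateKeyJWTClientAuthenticator), a comment at the top of the method saying so would stop the next reader from treating this method as the enforcement point, e.g. `// A client assertion defers the request to OBPrivateKeyJWTClientAuthenticator; the registered token endpoint auth method is enforced downstream.` The first early return's message is also less informative than the second; `log.debug("Client assertion found in request parameters. Request cannot be handled by OBMutualTLSClientAuthenticator.");` would make the two branches symmetric.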
@@ -0,0 +1,109 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.clientauth.jwt; + +import com.wso2.openbanking.accelerator.common.util.Generated; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext; +import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants; +import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator; +import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator; +import org.wso2.carbon.identity.oauth2.util.OAuth2Util; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; + +import static org.apache.commons.lang.StringUtils.isNotEmpty; + +/** + * OBPrivateKeyJWTClientAuthenticator for authenticating private key jwt requests. 
+ */
+public class OBPrivateKeyJWTClientAuthenticator extends PrivateKeyJWTClientAuthenticator {
+
+ private static final Log log = LogFactory.getLog(OBPrivateKeyJWTClientAuthenticator.class);
+ private static final String PAR_ENDPOINT_ALIAS = "ParEndpointAlias";
+
+ @Generated(message = "Used only for testing purpose")
+ protected OBPrivateKeyJWTClientAuthenticator(JWTValidator jwtValidator) {
+ setJwtValidator(jwtValidator);
+ }
+
+ @Generated(message = "Does not contain logic")
+ public OBPrivateKeyJWTClientAuthenticator() {
+
+ int rejectBeforePeriod = Constants.DEFAULT_VALIDITY_PERIOD_IN_MINUTES;
+ boolean preventTokenReuse = true;
+ String endpointAlias = Constants.DEFAULT_AUDIENCE;
+ try {
+ if (isNotEmpty(properties.getProperty(PAR_ENDPOINT_ALIAS))) {
+ endpointAlias = properties.getProperty(PAR_ENDPOINT_ALIAS);
+ }
+ if (isNotEmpty(properties.getProperty(Constants.PREVENT_TOKEN_REUSE))) {
+ preventTokenReuse = Boolean.parseBoolean(properties.getProperty(Constants.PREVENT_TOKEN_REUSE));
+ }
+ if (isNotEmpty(properties.getProperty(Constants.REJECT_BEFORE_IN_MINUTES))) {
+ rejectBeforePeriod = Integer.parseInt(properties.getProperty(Constants.REJECT_BEFORE_IN_MINUTES));
+ }
+ JWTValidator jwtValidator = createJWTValidator(endpointAlias, preventTokenReuse, rejectBeforePeriod);
+ setJwtValidator(jwtValidator);
+ } catch (NumberFormatException e) {
+ log.warn("Invalid PrivateKeyJWT Validity period found in the configuration. 
Using default value: " +
+ rejectBeforePeriod);
+ }
+ }
+
+ @Override
+ public boolean canAuthenticate(HttpServletRequest httpServletRequest, Map bodyParameters,
+ OAuthClientAuthnContext oAuthClientAuthnContext) {
+
+ log.debug("Request is being handled by OBPrivateKeyJWTClientAuthenticator");
+ return super.canAuthenticate(httpServletRequest, bodyParameters, oAuthClientAuthnContext);
+ }
+
+ @Generated(message = "Does not contain logic")
+ protected JWTValidator createJWTValidator(String accessedEndpoint, boolean preventTokenReuse, int rejectBefore) {
+
+ String tokenEndpoint = OAuth2Util.OAuthURL.getOAuth2TokenEPUrl();
+ String issuer = OAuth2Util.getIDTokenIssuer();
+
+ List acceptedAudienceList = new ArrayList<>();
+ acceptedAudienceList.add(accessedEndpoint);
+ acceptedAudienceList.add(tokenEndpoint);
+ acceptedAudienceList.add(issuer);
+
+ return new JWTValidator(preventTokenReuse, acceptedAudienceList, rejectBefore, null,
+ populateMandatoryClaims(), Constants.DEFAULT_ENABLE_JTI_CACHE);
+ }
+
+ @Generated(message = "Does not contain logic")
+ private List populateMandatoryClaims() {
+
+ List mandatoryClaims = new ArrayList<>();
+ mandatoryClaims.add(Constants.ISSUER_CLAIM);
+ mandatoryClaims.add(Constants.SUBJECT_CLAIM);
+ mandatoryClaims.add(Constants.AUDIENCE_CLAIM);
+ mandatoryClaims.add(Constants.EXPIRATION_TIME_CLAIM);
+ mandatoryClaims.add(Constants.JWT_ID_CLAIM);
+ return mandatoryClaims;
+ }
+}
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsServiceComponent.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsServiceComponent.java
index a1f76804..2d58cb0d 100644
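Review bot: In the no-arg constructor the `NumberFormatException` catch logs "Using default value" but never installs a validator, because `createJWTValidator(...)` and `setJwtValidator(jwtValidator)` sit inside the `try` after the `Integer.parseInt` that throws; a malformed `Constants.REJECT_BEFORE_IN_MINUTES` value therefore leaves this authenticator with whatever validator the superclass constructor set up (or none), not the defaults the message promises. Move the two calls after the try/catch, leaving `rejectBeforePeriod` at its default in the catch, so the constructor ends with `setJwtValidator(createJWTValidator(endpointAlias, preventTokenReuse, rejectBeforePeriod));`. The `null` fourth argument to `new JWTValidator(...)` in `createJWTValidator` would also benefit from a short comment naming the parameter it deliberately leaves unset.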
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsServiceComponent.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsServiceComponent.java @@ -27,6 +27,7 @@ import com.wso2.openbanking.accelerator.identity.claims.OBClaimProvider; import com.wso2.openbanking.accelerator.identity.claims.RoleClaimProviderImpl; import com.wso2.openbanking.accelerator.identity.clientauth.OBMutualTLSClientAuthenticator; +import com.wso2.openbanking.accelerator.identity.clientauth.jwt.OBPrivateKeyJWTClientAuthenticator; import com.wso2.openbanking.accelerator.identity.interceptor.OBIntrospectionDataProvider; import com.wso2.openbanking.accelerator.identity.keyidprovider.OBKeyIDProvider; import com.wso2.openbanking.accelerator.identity.listener.TokenRevocationListener; @@ -76,6 +77,8 @@ protected void activate(ComponentContext context) { bundleContext.registerService(ApplicationMgtListener.class, new OBApplicationManagementListener(), null); bundleContext.registerService(OAuthClientAuthenticator.class.getName(), new OBMutualTLSClientAuthenticator(), null); + bundleContext.registerService(OAuthClientAuthenticator.class.getName(), + new OBPrivateKeyJWTClientAuthenticator(), null); bundleContext.registerService(ApplicationManagementService.class, ApplicationManagementService.getInstance(), null); bundleContext.registerService(ClaimProvider.class.getName(), new OBClaimProvider(), null); 
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java index 0b9c38ef..55dacb61 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java @@ -26,6 +26,7 @@ public class IdentityCommonConstants { public static final String CLIENT_ID = "client_id"; public static final String REQUEST_URI = "request_uri"; public static final String REQUEST = "request"; + public static final String STATE = "state"; public static final String RESPONSE_TYPE = "response_type"; public static final String REDIRECT_URI = "redirect_uri"; public static final String CARBON_HOME = "carbon.home"; diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonUtil.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonUtil.java index 69bf3fa3..dbdf545f 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonUtil.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonUtil.java 
@@ -67,9 +67,11 @@ import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; +import java.util.Date; import java.util.HashMap; import java.util.LinkedList; import java.util.List; @@ -78,6 +80,7 @@ import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; +import javax.validation.ConstraintValidatorContext; /** * Utility Class for Identity Open Banking. @@ -123,7 +126,7 @@ public static String[] removeInternalScopes(String[] scopes) { /** * Cache regulatory property if exists. * - * @param clientId clientId ClientId of the application + * @param clientId ClientId of the application * @return the regulatory property from cache if exists or from sp metadata * @throws OpenBankingException */ @@ -392,6 +395,8 @@ public static X509Certificate getCertificateFromAttribute(Object certObject) { public static String decodeRequestObjectAndGetKey(HttpServletRequest request, String key) throws OAuthProblemException { + String essentialClaims = null; + if (request.getParameterMap().containsKey(IdentityCommonConstants.REQUEST_URI) && request.getParameter(IdentityCommonConstants.REQUEST_URI) != null) { 
@@ -400,32 +405,37 @@ public static String decodeRequestObjectAndGetKey(HttpServletRequest request, St
 String requestUriRef = requestUri[requestUri.length - 1];
 SessionDataCacheEntry valueFromCache = SessionDataCache.getInstance() .getValueFromCache(new SessionDataCacheKey(requestUriRef));
+ if (valueFromCache != null) {
- String essentialClaims = valueFromCache.getoAuth2Parameters().getEssentialClaims();
- if (essentialClaims != null) {
- String[] essentialClaimsWithExpireTime = essentialClaims.split(":");
- essentialClaims = essentialClaimsWithExpireTime[0];
- essentialClaims = essentialClaims.split("\\.")[1];
- byte[] requestObject;
- try {
- requestObject = Base64.getDecoder().decode(essentialClaims);
- } catch (IllegalArgumentException e) {
-
- // Decode if the requestObject is base64-url encoded.
- requestObject = Base64.getUrlDecoder().decode(essentialClaims);
- }
- org.json.JSONObject
- requestObjectVal =
- new org.json.JSONObject(new String(requestObject, StandardCharsets.UTF_8));
- return requestObjectVal.has(key) ? requestObjectVal.getString(key) : null;
- }
+ essentialClaims = valueFromCache.getoAuth2Parameters().getEssentialClaims();
 } else {
 throw OAuthProblemException.error("invalid_request_uri") .description("Provided request URI is not valid");
 }
+
+ } else if (request.getParameterMap().containsKey(IdentityCommonConstants.REQUEST) &&
+ request.getParameter(IdentityCommonConstants.REQUEST) != null) {
+
+ essentialClaims = request.getParameter(IdentityCommonConstants.REQUEST);
 }
- return null;
+ if (essentialClaims != null) {
+ essentialClaims = essentialClaims.split("\\.")[1];
+ byte[] requestObject;
+
+ try {
+ requestObject = Base64.getDecoder().decode(essentialClaims);
+ } catch (IllegalArgumentException e) {
+ // Decode if the requestObject is base64-url encoded.
+ requestObject = Base64.getUrlDecoder().decode(essentialClaims);
+ }
+
+ org.json.JSONObject requestObjectVal =
+ new org.json.JSONObject(new String(requestObject, StandardCharsets.UTF_8));
+ return requestObjectVal.has(key) ? requestObjectVal.getString(key) : null;
+ }
+
+ return null;
 }
 public static OAuthProblemException handleOAuthProblemException(String errorCode, String message, String state) {
@@ -433,4 +443,29 @@ public static OAuthProblemException handleOAuthProblemException(String errorCode
 return OAuthProblemException.error(errorCode).description(message).state(state);
 }
+ /**
+ * Method to set custom error message for constraint validator context.
+ *
+ * @param context ConstraintValidatorContext
+ * @param message Error message
+ */
+ public static void setCustomErrorMessage(ConstraintValidatorContext context, String message) {
+
+ context.disableDefaultConstraintViolation();
+ context.buildConstraintViolationWithTemplate(message).addConstraintViolation();
+ }
+
+ /**
+ * Method to convert a string to a date object.
+ *
+ * @param dateString date and time in string format.
+ * @return Date object.
+ * @throws ParseException
+ */
+ public static Date parseStringToDate(String dateString) throws ParseException {
+
+ SimpleDateFormat dateFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss zzz yyyy");
+ return dateFormat.parse(dateString);
+ }
+
 }
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/DefaultOBRequestObjectValidatorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/DefaultOBRequestObjectValidatorTest.java
index 477c3cba..8dc0ec80 100644
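Review bot: The new `request` branch passes a caller-supplied parameter straight into `essentialClaims.split("\\.")[1]`, so a value without a dot throws ArrayIndexOutOfBoundsException, and a payload that is neither standard nor URL-safe base64 lets the IllegalArgumentException from `Base64.getUrlDecoder()` inside the catch block escape; both surface as unhandled server errors rather than the OAuthProblemException this method is declared to throw (the cached `request_uri` value had the same latent gap, but it did not come straight off the wire). A non-JSON payload likewise reaches `new org.json.JSONObject(...)` unguarded. Nothing here verifies the JWT signature, so whatever is returned for `key` is taken from an unverified payload; that is fine for populating an error response, which the `STATE` constant added in this commit suggests is the intent, but it should not feed any authorization decision. Guarding the split and the fallback decode keeps malformed input inside the method's contract; the surrounding method starts outside this hunk.
```java
// … unchanged: request_uri / request parameter resolution into essentialClaims …
if (essentialClaims != null) {
    String[] jwtParts = essentialClaims.split("\\.");
    if (jwtParts.length < 2) {
        throw OAuthProblemException.error("invalid_request")
                .description("Request object is not a valid JWT");
    }
    byte[] requestObject;
    try {
        requestObject = Base64.getDecoder().decode(jwtParts[1]);
    } catch (IllegalArgumentException e) {
        try {
            // Decode if the requestObject is base64-url encoded.
            requestObject = Base64.getUrlDecoder().decode(jwtParts[1]);
        } catch (IllegalArgumentException urlDecodeError) {
            throw OAuthProblemException.error("invalid_request")
                    .description("Request object payload is not valid base64");
        }
    }
    // … unchanged: JSONObject construction and key lookup …
}
```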
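Review bot: `parseStringToDate` builds its `SimpleDateFormat` without a `Locale`, so the `EEE`/`MMM` fields are parsed against the JVM default locale and the same input will throw ParseException on a server running under a non-English locale; use `new SimpleDateFormat("EEE MMM dd HH:mm:ss zzz yyyy", Locale.ENGLISH)` (requires `java.util.Locale`). The formatter is also lenient by default, which silently rolls over out-of-range fields; if this feeds the expiration/not-before validators listed in the diffstat, add `dateFormat.setLenient(false);` so a malformed timestamp is rejected instead of normalised. The pattern matches `Date.toString()` output, which suggests values are round-tripped through a `Date`; the Javadoc should state that expected format, and note that a `null` `dateString` currently surfaces as a NullPointerException rather than the documented ParseException.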
--- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/DefaultOBRequestObjectValidatorTest.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/DefaultOBRequestObjectValidatorTest.java @@ -18,10 +18,6 @@ package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator; -import com.nimbusds.jose.JOSEObject; -import com.nimbusds.jose.JWSAlgorithm; -import com.nimbusds.jwt.PlainJWT; -import com.nimbusds.jwt.SignedJWT; import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException; import com.wso2.openbanking.accelerator.common.validator.OpenBankingValidator; import com.wso2.openbanking.accelerator.consent.mgt.dao.models.DetailedConsentResource; @@ -29,6 +25,7 @@ import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.OBRequestObject; import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.ValidationResponse; import com.wso2.openbanking.accelerator.identity.internal.IdentityExtensionsDataHolder; +import com.wso2.openbanking.accelerator.identity.utils.TestUtils; import org.mockito.Mockito; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PowerMockIgnore; @@ -38,10 +35,7 @@ import org.testng.annotations.BeforeClass; import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; -import org.wso2.carbon.identity.oauth2.RequestObjectException; -import org.wso2.carbon.identity.openidconnect.model.RequestObject; -import java.text.ParseException; import java.util.Collections; import static org.mockito.Mockito.anyString; 
@@ -92,7 +86,7 @@ public void testValidateOBConstraintsWithValidRequestObject() throws Exception { // act DefaultOBRequestObjectValidator uut = new DefaultOBRequestObjectValidator(); - OBRequestObject obRequestObject = getObRequestObject(ReqObjectTestDataProvider.VALID_REQUEST); + OBRequestObject obRequestObject = TestUtils.getObRequestObject(ReqObjectTestDataProvider.VALID_REQUEST); ValidationResponse validationResponse = uut.validateOBConstraints(obRequestObject, Collections.emptyMap()); // assert @@ -117,7 +111,8 @@ public void testValidateOBConstraintsWhenNoClientId() throws Exception { // act DefaultOBRequestObjectValidator uut = new DefaultOBRequestObjectValidator(); - OBRequestObject obRequestObject = getObRequestObject(ReqObjectTestDataProvider.NO_CLIENT_ID_REQUEST); + OBRequestObject obRequestObject = TestUtils + .getObRequestObject(ReqObjectTestDataProvider.NO_CLIENT_ID_REQUEST); ValidationResponse validationResponse = uut.validateOBConstraints(obRequestObject, Collections.emptyMap()); // assert @@ -138,7 +133,7 @@ public void testValidateOBConstraintsWhenOBRequestObjectHasErrors() throws Excep // act DefaultOBRequestObjectValidator uut = new DefaultOBRequestObjectValidator(); - OBRequestObject obRequestObject = getObRequestObject(ReqObjectTestDataProvider.REQUEST_STRING); + OBRequestObject obRequestObject = TestUtils.getObRequestObject(ReqObjectTestDataProvider.REQUEST_STRING); ValidationResponse validationResponse = uut.validateOBConstraints(obRequestObject, Collections.emptyMap()); // assert 
@@ -146,16 +141,4 @@ public void testValidateOBConstraintsWhenOBRequestObjectHasErrors() throws Excep Assert.assertEquals(validationResponse.getViolationMessage(), "dummy-error"); } - private OBRequestObject getObRequestObject(String request) throws ParseException, RequestObjectException { - - RequestObject requestObject = new RequestObject(); - JOSEObject jwt = JOSEObject.parse(request); - if (jwt.getHeader().getAlgorithm() == null || jwt.getHeader().getAlgorithm().equals(JWSAlgorithm.NONE)) { - requestObject.setPlainJWT(PlainJWT.parse(request)); - } else { - requestObject.setSignedJWT(SignedJWT.parse(request)); - } - return new OBRequestObject<>(requestObject); - } - } diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidatorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidatorTest.java new file mode 100644 index 00000000..ec34a1e9 --- /dev/null +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/request/validator/FapiRequestObjectValidatorTest.java 
@@ -0,0 +1,117 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator; + +import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException; +import com.wso2.openbanking.accelerator.common.validator.OpenBankingValidator; +import com.wso2.openbanking.accelerator.consent.mgt.dao.models.DetailedConsentResource; +import com.wso2.openbanking.accelerator.consent.mgt.service.impl.ConsentCoreServiceImpl; +import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.OBRequestObject; +import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.ValidationResponse; +import com.wso2.openbanking.accelerator.identity.internal.IdentityExtensionsDataHolder; +import com.wso2.openbanking.accelerator.identity.utils.TestUtils; +import org.mockito.Mockito; +import org.powermock.api.mockito.PowerMockito; +import org.powermock.core.classloader.annotations.PowerMockIgnore; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.powermock.modules.testng.PowerMockTestCase; +import org.testng.Assert; +import org.testng.annotations.BeforeClass; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.Test; + +import java.util.Collections; + +import static org.mockito.Matchers.anyString; 
+import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.mock; + +@PrepareForTest({OpenBankingValidator.class, IdentityExtensionsDataHolder.class}) +@PowerMockIgnore("jdk.internal.reflect.*") +public class FapiRequestObjectValidatorTest extends PowerMockTestCase { + + private static final String CLIENT_ID_1 = "2X0n9WSNmPiq3XTB8dtC0Shs5r8a"; + private static ConsentCoreServiceImpl consentCoreServiceMock; + + @BeforeClass + public void initTest() { + + consentCoreServiceMock = PowerMockito.mock(ConsentCoreServiceImpl.class); + } + + @BeforeMethod + private void mockStaticClasses() throws ConsentManagementException { + + PowerMockito.mockStatic(IdentityExtensionsDataHolder.class); + IdentityExtensionsDataHolder mock = PowerMockito.mock(IdentityExtensionsDataHolder.class); + PowerMockito.when(IdentityExtensionsDataHolder.getInstance()).thenReturn(mock); + PowerMockito.when(IdentityExtensionsDataHolder.getInstance().getConsentCoreService()) + .thenReturn(consentCoreServiceMock); + } + + @Test + public void testValidateOBConstraintsWithValidRequestObject() throws Exception { + // mock + DetailedConsentResource consentResourceMock = mock(DetailedConsentResource.class); + doReturn(CLIENT_ID_1).when(consentResourceMock).getClientID(); + + doReturn(consentResourceMock).when(consentCoreServiceMock).getDetailedConsent(anyString()); + + OpenBankingValidator openBankingValidatorMock = mock(OpenBankingValidator.class); + doReturn("").when(openBankingValidatorMock).getFirstViolation(Mockito.anyObject()); + + PowerMockito.mockStatic(OpenBankingValidator.class); + PowerMockito.when(OpenBankingValidator.getInstance()).thenReturn(openBankingValidatorMock); + + // act + FapiRequestObjectValidator uut = new FapiRequestObjectValidator(); + + OBRequestObject obRequestObject = TestUtils.getObRequestObject(ReqObjectTestDataProvider.REQUEST_STRING); + ValidationResponse validationResponse = uut.validateOBConstraints(obRequestObject, Collections.emptyMap()); + + // 
assert + Assert.assertTrue(validationResponse.isValid()); + } + + @Test + public void testValidateOBConstraintsWithInValidRequestObject() throws Exception { + // mock + DetailedConsentResource consentResourceMock = mock(DetailedConsentResource.class); + doReturn(CLIENT_ID_1).when(consentResourceMock).getClientID(); + + doReturn(consentResourceMock).when(consentCoreServiceMock).getDetailedConsent(anyString()); + + OpenBankingValidator openBankingValidatorMock = mock(OpenBankingValidator.class); + doReturn("dummy-error").when(openBankingValidatorMock).getFirstViolation(Mockito.anyObject()); + + PowerMockito.mockStatic(OpenBankingValidator.class); + PowerMockito.when(OpenBankingValidator.getInstance()).thenReturn(openBankingValidatorMock); + + // act + FapiRequestObjectValidator uut = new FapiRequestObjectValidator(); + + OBRequestObject obRequestObject = TestUtils + .getObRequestObject(ReqObjectTestDataProvider.NO_CLIENT_ID_REQUEST); + ValidationResponse validationResponse = uut.validateOBConstraints(obRequestObject, Collections.emptyMap()); + + // assert + Assert.assertFalse(validationResponse.isValid()); + } + +} diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidatorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidatorTest.java index cf9c667f..e6c69975 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidatorTest.java 
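Review bot: `testValidateOBConstraintsWithInValidRequestObject` reports invalid only because the mocked `OpenBankingValidator.getFirstViolation` returns "dummy-error"; the request object passed in never influences the outcome, so the FAPI-specific constraints this commit adds (`ValidExpiration`/`ValidNotBefore` in the diffstat) are not exercised here, assuming `FapiRequestObjectValidator` relies on them. A case that stubs `getFirstViolation` with "" and supplies a request object expected to fail the validator's own checks would pin that behaviour, or an un-mocked validator run if those checks live entirely in the annotations. `Mockito.anyObject()` is deprecated in favour of `Mockito.any()`, and the method name reads more naturally as `testValidateOBConstraintsWithInvalidRequestObject`.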
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/auth/extensions/response/validator/OBHybridResponseTypeValidatorTest.java @@ -68,6 +68,7 @@ public void checkValidHybridResponseTypeValidationWithoutRequestURI() throws OAu when(httpServletRequestMock.getParameter(IdentityCommonConstants.CLIENT_ID)).thenReturn("1234567"); when(httpServletRequestMock.getParameter(IdentityCommonConstants.RESPONSE_TYPE)).thenReturn("code id_token"); when(httpServletRequestMock.getParameter(IdentityCommonConstants.REDIRECT_URI)).thenReturn("abc.com"); + when(httpServletRequestMock.getParameter(IdentityCommonConstants.REQUEST)).thenReturn("sample-request-object"); OBHybridResponseTypeValidator uut = spy(new OBHybridResponseTypeValidator()); diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticatorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticatorTest.java index 01c2e95f..220498ea 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticatorTest.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/OBMutualTLSClientAuthenticatorTest.java @@ -54,7 +54,7 @@ * Test for Open Banking mutual TLS client authenticator. */ @PowerMockIgnore("jdk.internal.reflect.*") -@PrepareForTest({IdentityCommonUtil.class, MutualTLSUtil.class}) +@PrepareForTest({IdentityCommonUtil.class, MutualTLSUtil.class, IdentityUtil.class}) public class OBMutualTLSClientAuthenticatorTest extends PowerMockTestCase { MockHttpServletResponse response; 
@@ -77,6 +77,7 @@ public void beforeMethod() { @Test(description = "Test whether can authenticate is engaged for mtls request") public void canAuthenticateTest() throws OpenBankingException { PowerMockito.mockStatic(IdentityCommonUtil.class); + PowerMockito.mockStatic(IdentityUtil.class); Map bodyParams = new HashMap<>(); clientAuthnContext.setClientId(""); bodyParams.put("client_id", Collections.singletonList("test")); @@ -86,7 +87,8 @@ public void canAuthenticateTest() throws OpenBankingException { request.setParameter(IdentityCommonConstants.CLIENT_ID, "test"); request.addHeader(TestConstants.CERTIFICATE_HEADER, TestConstants.CERTIFICATE_CONTENT); PowerMockito.when(IdentityCommonUtil.getRegulatoryFromSPMetaData("test")).thenReturn(true); - PowerMockito.when(IdentityCommonUtil.getMTLSAuthHeader()).thenReturn(TestConstants.CERTIFICATE_HEADER); + PowerMockito.when(IdentityUtil.getProperty(IdentityCommonConstants.MTLS_AUTH_HEADER)) + .thenReturn(TestConstants.CERTIFICATE_HEADER); boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); assertTrue(response); 
@@ -100,23 +102,24 @@ public void canAuthenticateNoClientIDTest() throws OpenBankingException {
 request.addHeader(TestConstants.CERTIFICATE_HEADER, TestConstants.CERTIFICATE_CONTENT);
 PowerMockito.when(IdentityCommonUtil.getRegulatoryFromSPMetaData("test")).thenReturn(true);
 PowerMockito.when(IdentityCommonUtil.getMTLSAuthHeader()).thenReturn(TestConstants.CERTIFICATE_HEADER);
- boolean response = authenticator.canAuthenticate(request, null, clientAuthnContext);
+ boolean response = authenticator.canAuthenticate(request, new HashMap<>(), clientAuthnContext);
 assertFalse(response);
 }
 @Test(description = "Test whether can authenticate is not engaged when request has invalid certificate")
 public void canAuthenticateInvalidCertTest() throws OpenBankingException {
 PowerMockito.mockStatic(IdentityCommonUtil.class);
+ PowerMockito.mockStatic(IdentityUtil.class);
 OBMutualTLSClientAuthenticator authenticator = Mockito.spy(OBMutualTLSClientAuthenticator.class);
 PowerMockito.when(IdentityCommonUtil.getRegulatoryFromSPMetaData("test")).thenReturn(true);
- PowerMockito.when(IdentityCommonUtil.getMTLSAuthHeader()).thenReturn(TestConstants.CERTIFICATE_HEADER);
- request.setParameter(IdentityCommonConstants.CLIENT_ID, "test");
+ PowerMockito.when(IdentityUtil.getProperty(IdentityCommonConstants.MTLS_AUTH_HEADER))
+ .thenReturn(TestConstants.CERTIFICATE_HEADER);
+
+ Map bodyParams = new HashMap<>();
+ bodyParams.put("client_id", Collections.singletonList("test"));
+ request.addHeader(TestConstants.CERTIFICATE_HEADER, "test");
- try {
- authenticator.canAuthenticate(request, null, clientAuthnContext);
- } catch (Exception e) {
- assertEquals(e.getMessage(), "Transport certificate passed through the request not valid");
- }
+ assertFalse(authenticator.canAuthenticate(request, bodyParams, clientAuthnContext));
 }
 @Test(description = "Test whether can authenticate is not engaged when request does not have a cert header")
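Review bot: `canAuthenticateNoClientIDTest` here, and `canAuthenticateNoCertHeaderTest` in the `@@ -125,8 +128,11 @@` hunk, still stub `IdentityCommonUtil.getMTLSAuthHeader()` and never mock `IdentityUtil`, while `canAuthenticateTest` and `canAuthenticateInvalidCertTest` were migrated to `IdentityUtil.getProperty(IdentityCommonConstants.MTLS_AUTH_HEADER)`. If the authenticator now resolves the header name through `IdentityUtil`, as the migrated tests suggest, the two un-migrated tests receive no header name at all and assert `false` for a reason unrelated to their descriptions. Aligning all four on the same stub keeps each test failing for the right reason. The `Map bodyParams = new HashMap<>();` locals are raw types; declaring the type arguments `canAuthenticate` expects removes the unchecked warning.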
@@ -125,8 +128,11 @@ public void canAuthenticateNoCertHeaderTest() throws OpenBankingException {
 OBMutualTLSClientAuthenticator authenticator = Mockito.spy(OBMutualTLSClientAuthenticator.class);
 PowerMockito.when(IdentityCommonUtil.getRegulatoryFromSPMetaData("test")).thenReturn(true);
 PowerMockito.when(IdentityCommonUtil.getMTLSAuthHeader()).thenReturn(TestConstants.CERTIFICATE_HEADER);
- request.setParameter(IdentityCommonConstants.CLIENT_ID, "test");
- boolean response = authenticator.canAuthenticate(request, null, clientAuthnContext);
+
+ Map bodyParams = new HashMap<>();
+ bodyParams.put("client_id", Collections.singletonList("test"));
+
+ boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext);
 assertFalse(response);
 }
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticatorTest.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticatorTest.java
new file mode 100644
index 00000000..206642f0
--- /dev/null
+++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/clientauth/jwt/OBPrivateKeyJWTClientAuthenticatorTest.java
@@ -0,0 +1,94 @@ +/** + * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com). + * + * WSO2 LLC. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package com.wso2.openbanking.accelerator.identity.clientauth.jwt; + +import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants; +import org.mockito.Mockito; +import org.springframework.mock.web.MockHttpServletRequest; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.Test; +import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext; +import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator; + +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +/** + * Test class for testing the OBPrivateKeyJWTClientAuthenticator class. 
+ */ +public class OBPrivateKeyJWTClientAuthenticatorTest { + + private static final String JWT_ASSERTION_TYPE_VALUE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"; + MockHttpServletRequest request; + OAuthClientAuthnContext clientAuthnContext = new OAuthClientAuthnContext(); + + @BeforeMethod + public void beforeMethod() { + request = new MockHttpServletRequest(); + } + + @Test(description = "Test whether can authenticate is engaged for pvt key jwt request") + public void canAuthenticateTest() { + JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); + OBPrivateKeyJWTClientAuthenticator authenticator = Mockito + .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); + + Map bodyParams = new HashMap<>(); + bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE, Collections + .singletonList(JWT_ASSERTION_TYPE_VALUE)); + bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION, Collections + .singletonList("test")); + + boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); + assertTrue(response); + } + + @Test(description = "Test whether can authenticate is not engaged when client assertion is not there") + public void canAuthenticateWithoutClientAssertionTest() { + JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); + OBPrivateKeyJWTClientAuthenticator authenticator = Mockito + .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); + + Map bodyParams = new HashMap<>(); + bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE, Collections + .singletonList(JWT_ASSERTION_TYPE_VALUE)); + + boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); + assertFalse(response); + } + + @Test(description = "Test whether can authenticate is not engaged when client assertion type is not there") + public void canAuthenticateWithoutClientAssertionTypeTest() { + JWTValidator jwtValidatorMock = Mockito.mock(JWTValidator.class); + 
OBPrivateKeyJWTClientAuthenticator authenticator = Mockito + .spy(new OBPrivateKeyJWTClientAuthenticator(jwtValidatorMock)); + + Map bodyParams = new HashMap<>(); + bodyParams.put(IdentityCommonConstants.OAUTH_JWT_ASSERTION, Collections + .singletonList("test")); + + boolean response = authenticator.canAuthenticate(request, bodyParams, clientAuthnContext); + assertFalse(response); + } +} diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/token/util/TestConstants.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/token/util/TestConstants.java index 971c2158..4bfb666e 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/token/util/TestConstants.java +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/token/util/TestConstants.java 
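Review bot: These three tests only confirm that `canAuthenticate` keys off the presence of `client_assertion_type` and `client_assertion` in the body; with `JWTValidator` mocked, nothing exercises the path that actually validates the assertion (signature, issuer/audience, expiry), which is the part of a private_key_jwt authenticator that carries the security weight. A test that drives the authenticate path with the mocked validator returning `false` and asserts the client is rejected would at least cover the negative case, assuming the authenticator delegates to the injected validator. The class also statically imports `org.junit.Assert` into a TestNG test while the sibling tests in this module use `org.testng.Assert`; `import static org.testng.Assert.assertFalse;` and `assertTrue` keep a single assertion library. `Map bodyParams` is a raw type here as well.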
@@ -55,35 +55,35 @@ public class TestConstants { "i2/qxT3AlWtHtxrz0mKSC3rlgYAHCzCAHoASWKpf5tnB3TodPVZ6DYOu7oI=" + "-----END CERTIFICATE-----"; - public static final String CERTIFICATE_CONTENT = "-----BEGIN CERTIFICATE-----\n" + - "MIIFODCCBCCgAwIBAgIEWcbiiTANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJH\n" + - "QjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxLjAsBgNVBAMTJU9wZW5CYW5raW5nIFBy\n" + - "ZS1Qcm9kdWN0aW9uIElzc3VpbmcgQ0EwHhcNMjMxMTE1MDUxMDMxWhcNMjQxMjE1\n" + - "MDU0MDMxWjBhMQswCQYDVQQGEwJHQjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxGzAZ\n" + - "BgNVBAsTEjAwMTU4MDAwMDFIUVFyWkFBWDEfMB0GA1UEAxMWakZRdVE0ZVFiTkNN\n" + - "U3FkQ29nMjFuRjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJslGjTm\n" + - "0tWwnnKgC7WNqUSYNxblURkJyoD5UuSmzpsM5nlUBAxYxBgztTo062LJELzUTzA/\n" + - "9kgLIMMgj+wG1OS475QCgeyoDmwf0SPuFRBl0G0AjxAvJzzs2aijzxiYRbKUa4gm\n" + - "O1KPU3Xlz89mi8lwjTZlxtGk3ABwBG4f5na5TY7uZMlgWPXDnTg7Cc1H4mrMbEFk\n" + - "UaXmb6ZhhGtp0JL04+4Lp16QWrgiHrlop+P8bd+pwmmOmLuglTIEh+v993j+7v8B\n" + - "XYqdmYQ3noiOhK9ynFPD1A7urrm71Pgkuq+Wk5HCvMiBK7zZ4Sn9FDovykDKZTFY\n" + - "MloVDXLhmfDQrmcCAwEAAaOCAgQwggIAMA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUB\n" + - "Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgeAGA1UdIASB2DCB1TCB0gYLKwYB\n" + - "BAGodYEGAWQwgcIwKgYIKwYBBQUHAgEWHmh0dHA6Ly9vYi50cnVzdGlzLmNvbS9w\n" + - "b2xpY2llczCBkwYIKwYBBQUHAgIwgYYMgYNVc2Ugb2YgdGhpcyBDZXJ0aWZpY2F0\n" + - "ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBPcGVuQmFua2luZyBSb290\n" + - "IENBIENlcnRpZmljYXRpb24gUG9saWNpZXMgYW5kIENlcnRpZmljYXRlIFByYWN0\n" + - "aWNlIFN0YXRlbWVudDBtBggrBgEFBQcBAQRhMF8wJgYIKwYBBQUHMAGGGmh0dHA6\n" + - "Ly9vYi50cnVzdGlzLmNvbS9vY3NwMDUGCCsGAQUFBzAChilodHRwOi8vb2IudHJ1\n" + - "c3Rpcy5jb20vb2JfcHBfaXNzdWluZ2NhLmNydDA6BgNVHR8EMzAxMC+gLaArhilo\n" + - "dHRwOi8vb2IudHJ1c3Rpcy5jb20vb2JfcHBfaXNzdWluZ2NhLmNybDAfBgNVHSME\n" + - "GDAWgBRQc5HGIXLTd/T+ABIGgVx5eW4/UDAdBgNVHQ4EFgQU7T6cMtCSQTT5JWW3\n" + - "O6vifRUSdpkwDQYJKoZIhvcNAQELBQADggEBAE9jrd/AE65vy3SEWdmFKPS4su7u\n" + - "EHy+KH18PETV6jMF2UFIJAOx7jl+5a3O66NkcpxFPeyvSuH+6tAAr2ZjpoQwtW9t\n" + - 
"Z9k2KSOdNOiJeQgjavwQC6t/BHI3yXWOIQm445BUN1cV9pagcRJjRyL3SPdHVoRf\n" + - "IbF7VI/+ULHwWdZYPXxtwUoda1mQFf6a+2lO4ziUHb3U8iD90FBURzID7WJ1ODSe\n" + - "B5zE/hG9Sxd9wlSXvl1oNmc/ha5oG/7rJpRqrx5Dcq3LEoX9iZZ3knHLkCm/abIQ\n" + - "7Nff8GQytuGhnGZxmGFYKDXdKElcl9dAlZ3bIK2I+I6jD2z2XvSfrhFyRjU=\n" + + public static final String CERTIFICATE_CONTENT = "-----BEGIN CERTIFICATE-----" + + "MIIFODCCBCCgAwIBAgIEWcbiiTANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJH" + + "QjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxLjAsBgNVBAMTJU9wZW5CYW5raW5nIFBy" + + "ZS1Qcm9kdWN0aW9uIElzc3VpbmcgQ0EwHhcNMjMxMTE1MDUxMDMxWhcNMjQxMjE1" + + "MDU0MDMxWjBhMQswCQYDVQQGEwJHQjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxGzAZ" + + "BgNVBAsTEjAwMTU4MDAwMDFIUVFyWkFBWDEfMB0GA1UEAxMWakZRdVE0ZVFiTkNN" + + "U3FkQ29nMjFuRjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJslGjTm" + + "0tWwnnKgC7WNqUSYNxblURkJyoD5UuSmzpsM5nlUBAxYxBgztTo062LJELzUTzA/" + + "9kgLIMMgj+wG1OS475QCgeyoDmwf0SPuFRBl0G0AjxAvJzzs2aijzxiYRbKUa4gm" + + "O1KPU3Xlz89mi8lwjTZlxtGk3ABwBG4f5na5TY7uZMlgWPXDnTg7Cc1H4mrMbEFk" + + "UaXmb6ZhhGtp0JL04+4Lp16QWrgiHrlop+P8bd+pwmmOmLuglTIEh+v993j+7v8B" + + "XYqdmYQ3noiOhK9ynFPD1A7urrm71Pgkuq+Wk5HCvMiBK7zZ4Sn9FDovykDKZTFY" + + "MloVDXLhmfDQrmcCAwEAAaOCAgQwggIAMA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUB" + + "Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgeAGA1UdIASB2DCB1TCB0gYLKwYB" + + "BAGodYEGAWQwgcIwKgYIKwYBBQUHAgEWHmh0dHA6Ly9vYi50cnVzdGlzLmNvbS9w" + + "b2xpY2llczCBkwYIKwYBBQUHAgIwgYYMgYNVc2Ugb2YgdGhpcyBDZXJ0aWZpY2F0" + + "ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBPcGVuQmFua2luZyBSb290" + + "IENBIENlcnRpZmljYXRpb24gUG9saWNpZXMgYW5kIENlcnRpZmljYXRlIFByYWN0" + + "aWNlIFN0YXRlbWVudDBtBggrBgEFBQcBAQRhMF8wJgYIKwYBBQUHMAGGGmh0dHA6" + + "Ly9vYi50cnVzdGlzLmNvbS9vY3NwMDUGCCsGAQUFBzAChilodHRwOi8vb2IudHJ1" + + "c3Rpcy5jb20vb2JfcHBfaXNzdWluZ2NhLmNydDA6BgNVHR8EMzAxMC+gLaArhilo" + + "dHRwOi8vb2IudHJ1c3Rpcy5jb20vb2JfcHBfaXNzdWluZ2NhLmNybDAfBgNVHSME" + + "GDAWgBRQc5HGIXLTd/T+ABIGgVx5eW4/UDAdBgNVHQ4EFgQU7T6cMtCSQTT5JWW3" + + "O6vifRUSdpkwDQYJKoZIhvcNAQELBQADggEBAE9jrd/AE65vy3SEWdmFKPS4su7u" 
+ + "EHy+KH18PETV6jMF2UFIJAOx7jl+5a3O66NkcpxFPeyvSuH+6tAAr2ZjpoQwtW9t" + + "Z9k2KSOdNOiJeQgjavwQC6t/BHI3yXWOIQm445BUN1cV9pagcRJjRyL3SPdHVoRf" + + "IbF7VI/+ULHwWdZYPXxtwUoda1mQFf6a+2lO4ziUHb3U8iD90FBURzID7WJ1ODSe" + + "B5zE/hG9Sxd9wlSXvl1oNmc/ha5oG/7rJpRqrx5Dcq3LEoX9iZZ3knHLkCm/abIQ" + + "7Nff8GQytuGhnGZxmGFYKDXdKElcl9dAlZ3bIK2I+I6jD2z2XvSfrhFyRjU=" + "-----END CERTIFICATE-----"; public static final String CLIENT_ASSERTION = "eyJraWQiOiJqeVJVY3l0MWtWQ2xjSXZsVWxjRHVrVlozdFUiLCJhbGciOiJQUzI1" + "NiJ9.eyJzdWIiOiJpWXBSbTY0YjJ2bXZtS0RoZEw2S1pEOXo2ZmNhIiwiYXVkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0My9vYXV0a" + diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/utils/TestUtils.java b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/utils/TestUtils.java new file mode 100644 index 00000000..77707c99 --- /dev/null +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/java/com/wso2/openbanking/accelerator/identity/utils/TestUtils.java 
@@ -0,0 +1,55 @@
+/**
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.wso2.openbanking.accelerator.identity.utils;
+
+import com.nimbusds.jose.JOSEObject;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.SignedJWT;
+import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.models.OBRequestObject;
+import org.wso2.carbon.identity.oauth2.RequestObjectException;
+import org.wso2.carbon.identity.openidconnect.model.RequestObject;
+
+import java.text.ParseException;
+
+/**
+ * Test utils class.
+ */
+public class TestUtils {
+
+ /**
+ * Get OB request object.
+ *
+ * @param request request
+ * @return OBRequestObject
+ * @throws ParseException
+ * @throws RequestObjectException
+ */
+ public static OBRequestObject getObRequestObject(String request) throws ParseException, RequestObjectException {
+ RequestObject requestObject = new RequestObject();
+ JOSEObject jwt = JOSEObject.parse(request);
+ if (jwt.getHeader().getAlgorithm() == null || jwt.getHeader().getAlgorithm().equals(JWSAlgorithm.NONE)) {
+ requestObject.setPlainJWT(PlainJWT.parse(request));
+ } else {
+ requestObject.setSignedJWT(SignedJWT.parse(request));
+ }
+ return new OBRequestObject<>(requestObject);
+ }
+
+}
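Review bot: The `@throws ParseException` and `@throws RequestObjectException` tags on getObRequestObject carry no description, so a reader cannot tell which input produces which failure; suggest `@throws ParseException if the request string is not a parsable JOSE object` and `@throws RequestObjectException if the parsed JWT cannot be wrapped in an OBRequestObject` (the second is inferred from the constructor call on the last line and worth confirming). The method's return type is the raw `OBRequestObject` while the body constructs it with the diamond operator, so the type argument is inferred as Object and every caller gets an unchecked conversion; declaring the type argument, or at least `OBRequestObject<?>`, keeps the test helper's contract explicit.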
diff --git a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/resources/testng.xml b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/resources/testng.xml index f2b8a270..0b21f929 100644 --- a/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/resources/testng.xml +++ b/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/test/resources/testng.xml @@ -48,6 +48,7 @@ + @@ -56,6 +57,11 @@ + + + + + diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/DefaultConsentPersistStep.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/DefaultConsentPersistStep.java index 47a06698..49760439 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/DefaultConsentPersistStep.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/DefaultConsentPersistStep.java @@ -75,7 +75,7 @@ public void execute(ConsentPersistData consentPersistData) throws ConsentExcepti } catch (ConsentManagementException e) { throw new ConsentException(ResponseStatus.INTERNAL_SERVER_ERROR, - "Exception occured while persisting consent"); + "Exception occurred while persisting consent"); } } 
@@ -113,7 +113,7 @@ public static void consentPersist(ConsentPersistData consentPersistData, Consent String consentStatus; if (consentPersistData.getApproval()) { - consentStatus = ConsentExtensionConstants.AUTHORIZED_STATUS; + consentStatus = ConsentExtensionConstants.AUTHORISED_STATUS; } else { consentStatus = ConsentExtensionConstants.REJECTED_STATUS; } diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentPersistStep.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentPersistStep.java new file mode 100644 index 00000000..acae2222 --- /dev/null +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentPersistStep.java 
@@ -0,0 +1,74 @@
+/**
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.wso2.openbanking.accelerator.consent.extensions.authorize.impl;
+
+import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException;
+import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentData;
+import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentPersistData;
+import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentPersistStep;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentException;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentExtensionConstants;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ResponseStatus;
+import com.wso2.openbanking.accelerator.consent.extensions.internal.ConsentExtensionsDataHolder;
+import net.minidev.json.JSONArray;
+import net.minidev.json.JSONObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.util.ArrayList;
+
+/**
+ * Consent persist step sample implementation for FAPI plain flow.
+ */
+public class SampleFapiPlainConsentPersistStep implements ConsentPersistStep {
+
+ private static final Log log = LogFactory.getLog(SampleFapiPlainConsentPersistStep.class);
+
+ @Override
+ public void execute(ConsentPersistData consentPersistData) throws ConsentException {
+
+ if (consentPersistData.getApproval()) {
+ try {
+ ConsentData consentData = consentPersistData.getConsentData();
+ JSONObject payloadData = consentPersistData.getPayload();
+
+ JSONArray accountIds = (JSONArray) payloadData.get(ConsentExtensionConstants.ACCOUNT_IDS);
+ ArrayList accountIdsString = new ArrayList<>();
+ for (Object account : accountIds) {
+ if (!(account instanceof String)) {
+ log.error("Account IDs format error in persist request");
+ throw new ConsentException(ResponseStatus.BAD_REQUEST,
+ "Account IDs format error in persist request");
+ }
+ accountIdsString.add((String) account);
+ }
+
+ ConsentExtensionsDataHolder.getInstance().getConsentCoreService()
+ .bindUserAccountsToConsent(consentData.getConsentResource(), consentData.getUserId(),
+ consentData.getAuthResource().getAuthorizationID(), accountIdsString,
+ ConsentExtensionConstants.AUTHORISED_STATUS,
+ ConsentExtensionConstants.AUTHORISED_STATUS);
+ } catch (ConsentManagementException e) {
+ throw new ConsentException(ResponseStatus.INTERNAL_SERVER_ERROR,
+ "Exception occurred while persisting consent");
+ }
+ }
+ }
+
+}
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentRetrievalStep.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentRetrievalStep.java
new file mode 100644
index 00000000..5863d4b2
--- /dev/null
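Review bot: `(JSONArray) payloadData.get(ConsentExtensionConstants.ACCOUNT_IDS)` is neither null- nor type-checked, so a persist payload that lacks the account-IDs field, or carries a non-array value, fails in the for loop with a NullPointerException or ClassCastException instead of the BAD_REQUEST the element check below produces, and the `catch` only handles ConsentManagementException so this escapes as an unhandled error. Suggest `Object ids = payloadData.get(ConsentExtensionConstants.ACCOUNT_IDS);` followed by `if (!(ids instanceof JSONArray)) { throw new ConsentException(ResponseStatus.BAD_REQUEST, "Account IDs format error in persist request"); }` before the loop, and `List<String> accountIdsString` instead of the raw `ArrayList`. Since this is a sample others will copy, the class Javadoc should also state that the account IDs posted by the client are bound to the consent as-is and that a production step must check the selected IDs against the accounts that were offered to the user in the retrieval step.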
+++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/impl/SampleFapiPlainConsentRetrievalStep.java 
@@ -0,0 +1,111 @@
+/**
+ * Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.wso2.openbanking.accelerator.consent.extensions.authorize.impl;
+
+import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException;
+import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentData;
+import com.wso2.openbanking.accelerator.consent.extensions.authorize.model.ConsentRetrievalStep;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentException;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentExtensionConstants;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ConsentExtensionUtils;
+import com.wso2.openbanking.accelerator.consent.extensions.common.ResponseStatus;
+import com.wso2.openbanking.accelerator.consent.extensions.internal.ConsentExtensionsDataHolder;
+import com.wso2.openbanking.accelerator.consent.mgt.dao.models.ConsentResource;
+import com.wso2.openbanking.accelerator.consent.mgt.dao.models.DetailedConsentResource;
+import net.minidev.json.JSONArray;
+import net.minidev.json.JSONObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.oauth.cache.SessionDataCache;
+import org.wso2.carbon.identity.oauth.cache.SessionDataCacheKey;
+
+import java.util.UUID;
+
+/**
+ * Consent retrieval step sample implementation for FAPI plain flow.
+ */
+public class SampleFapiPlainConsentRetrievalStep implements ConsentRetrievalStep {
+
+ private static final Log log = LogFactory.getLog(SampleFapiPlainConsentRetrievalStep.class);
+
+ @Override
+ public void execute(ConsentData consentData, JSONObject jsonObject) throws ConsentException {
+
+ if (!consentData.isRegulatory()) {
+ return;
+ }
+
+ // Removes request_uri cache entry to avoid reusing the same request object stored in cache
+ removeRequestUriCacheEntry(consentData.getSpQueryParams());
+
+ JSONArray permissions = new JSONArray();
+
+ if (consentData.getScopeString().contains(ConsentExtensionConstants.ACCOUNTS)) {
+ permissions.addAll(ConsentExtensionConstants.VALID_PERMISSIONS);
+ } else {
+ permissions.add(ConsentExtensionConstants.DEFAULT_PERMISSION);
+ }
+
+ String consentID = UUID.randomUUID().toString();
+ ConsentResource consentResource = new ConsentResource(consentData.getClientId(), permissions.toJSONString(),
+ ConsentExtensionConstants.ACCOUNTS, ConsentExtensionConstants.AUTHORISED_STATUS);
+ consentResource.setConsentID(consentID);
+
+ DetailedConsentResource createdConsent;
+ try {
+ createdConsent = ConsentExtensionsDataHolder.getInstance().getConsentCoreService()
+ .createAuthorizableConsent(consentResource, consentData.getUserId(),
+ "created", "authorization", true);
+ } catch (ConsentManagementException e) {
+ throw new ConsentException(ResponseStatus.INTERNAL_SERVER_ERROR, e.getMessage());
+ }
+
+ consentData.setConsentId(createdConsent.getConsentID());
+ consentData.setType(createdConsent.getConsentType());
+ consentData.setConsentResource(consentResource);
+ consentData.setAuthResource(createdConsent.getAuthorizationResources().get(0));
+
+ JSONArray consentDataJSON = new JSONArray();
+
+ JSONObject jsonElementPermissions = new JSONObject();
+ jsonElementPermissions.appendField(ConsentExtensionConstants.TITLE, ConsentExtensionConstants.PERMISSIONS);
+ jsonElementPermissions.appendField(ConsentExtensionConstants.DATA, permissions);
+
+ consentDataJSON.add(jsonElementPermissions);
+
+ jsonObject.appendField(ConsentExtensionConstants.CONSENT_DATA, consentDataJSON);
+
+ jsonObject.appendField(ConsentExtensionConstants.ACCOUNTS, ConsentExtensionUtils.getDummyAccounts());
+
+ }
+
+ private void removeRequestUriCacheEntry(String spQueryParams) {
+ if (spQueryParams != null && spQueryParams.contains(ConsentExtensionConstants.REQUEST_URI_PARAMETER)) {
+ String[] requestUri = spQueryParams
+ .substring(ConsentExtensionConstants.REQUEST_URI_PARAMETER.length())
+ .replaceAll("\\%3A", ":")
+ .split(":");
+ String sessionKey = requestUri[requestUri.length - 1];
+ SessionDataCacheKey cacheKey = new SessionDataCacheKey(sessionKey);
+ log.debug("Removing request_uri entry from cache");
+ SessionDataCache.getInstance().clearCacheEntry(cacheKey);
+ }
+ }
+
+}
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionConstants.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionConstants.java
index 4062a1bf..3da1a41e 100644
--- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionConstants.java
+++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionConstants.java
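Review bot: The ConsentResource is constructed with `ConsentExtensionConstants.AUTHORISED_STATUS` as its fourth argument and handed to `createAuthorizableConsent` before the user has seen the consent page; if that argument is the consent's current status (the validator hunks in this patch compare `getCurrentStatus()` against the same constant), a consent the user then rejects or abandons is already stored as authorised, and the sample persist step's non-approval path does nothing to demote it. The DefaultConsentPersistStep hunk above derives the status from `getApproval()`, so creating the consent here in a pending status and letting the persist step promote it would be consistent with that; please confirm what the fourth constructor argument denotes. In `removeRequestUriCacheEntry` the guard uses `contains`, but the extraction is `substring(ConsentExtensionConstants.REQUEST_URI_PARAMETER.length())` from index 0, so whenever `request_uri=` is not the first query parameter the wrong characters are dropped and a wrong session key is cleared; use `int start = spQueryParams.indexOf(ConsentExtensionConstants.REQUEST_URI_PARAMETER) + ConsentExtensionConstants.REQUEST_URI_PARAMETER.length();` with `spQueryParams.substring(start)`, and cut at the next `&` if further parameters can follow. `createdConsent.getAuthorizationResources().get(0)` also assumes the service returns at least one authorization resource, which is worth checking rather than letting an IndexOutOfBoundsException escape.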
@@ -17,6 +17,9 @@ */ package com.wso2.openbanking.accelerator.consent.extensions.common; +import java.util.Arrays; +import java.util.List; + /** * Constant class for consent extension module. */ @@ -25,6 +28,7 @@ public class ConsentExtensionConstants { public static final String ERROR_URI_FRAGMENT = "#error="; public static final String ERROR_DESCRIPTION_PARAMETER = "&error_description="; public static final String STATE_PARAMETER = "&state="; + public static final String REQUEST_URI_PARAMETER = "request_uri="; public static final String PRESERVE_CONSENT = "Consent.PreserveConsentLink"; public static final String SENSITIVE_DATA_MAP = "sensitiveDataMap"; public static final String LOGGED_IN_USER = "loggedInUser"; @@ -48,6 +52,11 @@ public class ConsentExtensionConstants { public static final String ERRORS = "errors"; public static final String PAYMENTS = "payments"; public static final String VRP = "vrp"; + public static final List VALID_PERMISSIONS = Arrays.asList( + "ReadAccountsDetail", + "ReadTransactionsDetail", + "ReadBalances"); + public static final String DEFAULT_PERMISSION = "ReadPersonalDetail"; public static final String DATA = "Data"; public static final String INITIATION = "Initiation"; @@ -106,7 +115,7 @@ public class ConsentExtensionConstants { public static final String[] CLAIM_FIELDS = new String[]{"userinfo", "id_token"}; public static final String OPENBANKING_INTENT_ID = "openbanking_intent_id"; public static final String VALUE = "value"; - public static final String AUTHORIZED_STATUS = "authorised"; + public static final String AUTHORISED_STATUS = "authorised"; public static final String EXPIRATION_DATE = "ExpirationDateTime"; public static final String EXPIRATION_DATE_TITLE = "Expiration Date Time"; public static final String INSTRUCTED_AMOUNT_TITLE = "Instructed Amount"; 
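Review bot: `VALID_PERMISSIONS` is declared as a raw `List` backed by `Arrays.asList`, so any caller can `set` an element of a public static constant that the permission check in AccountConsentManageRequestHandler now relies on; declare it `public static final List<String> VALID_PERMISSIONS = Collections.unmodifiableList(Arrays.asList("ReadAccountsDetail", "ReadTransactionsDetail", "ReadBalances"));` and add `import java.util.Collections;` next to the two imports the first hunk introduces. The raw type also leaves `permissions.addAll(VALID_PERMISSIONS)` in the retrieval step and `.contains(permissionString)` in the request handler without a typed contract.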
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionUtils.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionUtils.java index 141410ab..3588725c 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionUtils.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/common/ConsentExtensionUtils.java @@ -402,7 +402,7 @@ public static ConsentCoreServiceImpl getConsentService() { public static String getConsentStatus(String defaultStatus) { switch (defaultStatus) { - case ConsentExtensionConstants.AUTHORIZED_STATUS: + case ConsentExtensionConstants.AUTHORISED_STATUS: return ConsentExtensionConstants.OB_AUTHORIZED_STATUS; case ConsentExtensionConstants.REVOKED_STATUS: return ConsentExtensionConstants.OB_REVOKED_STATUS; 
@@ -414,4 +414,24 @@ public static String getConsentStatus(String defaultStatus) { return ConsentExtensionConstants.OB_AWAITING_AUTH_STATUS; } } + + /** + * Get dummy accounts. + * + * @return Dummy accounts as a JSON array. + */ + public static JSONArray getDummyAccounts() { + JSONArray accountsJSON = new JSONArray(); + JSONObject accountOne = new JSONObject(); + accountOne.appendField("account_id", "12345"); + accountOne.appendField("display_name", "Salary Saver Account"); + + JSONObject accountTwo = new JSONObject(); + accountTwo.appendField("account_id", "67890"); + accountTwo.appendField("display_name", "Max Bonus Account"); + + accountsJSON.add(accountOne); + accountsJSON.add(accountTwo); + return accountsJSON; + } } diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/manage/impl/AccountConsentManageRequestHandler.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/manage/impl/AccountConsentManageRequestHandler.java index 83d7d0f2..3d6f1c55 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/manage/impl/AccountConsentManageRequestHandler.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/manage/impl/AccountConsentManageRequestHandler.java @@ -45,9 +45,7 @@ import java.time.ZonedDateTime; import java.time.format.DateTimeFormatter; import java.time.format.DateTimeParseException; -import java.util.Arrays; import java.util.HashMap; -import java.util.List; import java.util.Map; /** 
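Review bot: `getDummyAccounts()` places hard-coded fake account data (`12345` / `Salary Saver Account`, `67890` / `Max Bonus Account`) in ConsentExtensionUtils, a production utility class under src/main, while its only caller in this patch is the class named SampleFapiPlainConsentRetrievalStep; any deployment that wires the sample step would present these fixed accounts to every user. Suggest moving the method into the sample step, or at least a Javadoc line such as `Sample data only; a production retrieval step must look up the authenticated user's accounts instead.` on it. The hunk also relies on JSONArray and JSONObject already being imported in this file, which it does not show.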
@@ -60,10 +58,6 @@ public class AccountConsentManageRequestHandler implements ConsentManageRequestH private static final String UUID_REGEX = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"; private static final String REVOKED_STATUS = "revoked"; - private static final List validPermissions = Arrays.asList( - "ReadAccountsDetail", - "ReadTransactionsDetail", - "ReadBalances"); private static final String ACCOUNT_CONSENT_CREATE_PATH = "account-access-consents"; private static final String CREATED_STATUS = "created"; private static final String AUTH_TYPE_AUTHORIZATION = "authorization"; @@ -236,7 +230,7 @@ private boolean validateInitiation(JSONObject initiation) { return false; } String permissionString = (String) permission; - if (!validPermissions.contains(permissionString)) { + if (!ConsentExtensionConstants.VALID_PERMISSIONS.contains(permissionString)) { return false; } } diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/util/ConsentManageUtil.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/util/ConsentManageUtil.java index f4297901..c0a7c2a6 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/util/ConsentManageUtil.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/util/ConsentManageUtil.java 
@@ -355,7 +355,7 @@ public static void handleConsentManageDelete(ConsentManageData consentManageData } //Revoke tokens related to the consent if the flag 'shouldRevokeTokens' is true. - shouldRevokeTokens = ConsentExtensionConstants.AUTHORIZED_STATUS + shouldRevokeTokens = ConsentExtensionConstants.AUTHORISED_STATUS .equals(consentResource.getCurrentStatus()); boolean success = ConsentExtensionsDataHolder.getInstance().getConsentCoreService() diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/DefaultConsentValidator.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/DefaultConsentValidator.java index 0692ec13..6c3e6ebc 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/DefaultConsentValidator.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/DefaultConsentValidator.java @@ -158,7 +158,7 @@ private void validateAccountSubmission(ConsentValidateData consentValidateData, } //Consent Status Validation - if (!ConsentExtensionConstants.AUTHORIZED_STATUS + if (!ConsentExtensionConstants.AUTHORISED_STATUS .equalsIgnoreCase(consentValidateData.getComprehensiveConsent().getCurrentStatus())) { consentValidationResult.setErrorMessage(ErrorConstants.ACCOUNT_CONSENT_STATE_INVALID); consentValidationResult.setErrorCode(ErrorConstants.RESOURCE_INVALID_CONSENT_STATUS); 
@@ -225,7 +225,7 @@ private void validatePaymentSubmission(ConsentValidateData consentValidateData, consentValidationResult, detailedConsentResource); return; } else { - if (!ConsentExtensionConstants.AUTHORIZED_STATUS + if (!ConsentExtensionConstants.AUTHORISED_STATUS .equalsIgnoreCase(consentValidateData.getComprehensiveConsent().getCurrentStatus())) { log.error(ErrorConstants.PAYMENT_CONSENT_STATE_INVALID); consentValidationResult.setErrorMessage(ErrorConstants.PAYMENT_CONSENT_STATE_INVALID); @@ -337,7 +337,7 @@ private static void validateFundsConfirmationSubmission(ConsentValidateData cons } //Consent Status Validation - if (!ConsentExtensionConstants.AUTHORIZED_STATUS + if (!ConsentExtensionConstants.AUTHORISED_STATUS .equalsIgnoreCase(consentValidateData.getComprehensiveConsent().getCurrentStatus())) { consentValidationResult.setErrorMessage(ErrorConstants.COF_CONSENT_STATE_INVALID); consentValidationResult.setErrorCode(ErrorConstants.RESOURCE_INVALID_CONSENT_STATUS); @@ -395,7 +395,7 @@ private void validateVRPSubmission(ConsentValidateData consentValidateData, JSON DetailedConsentResource detailedConsentResource = consentValidateData.getComprehensiveConsent(); - if (!ConsentExtensionConstants.AUTHORIZED_STATUS + if (!ConsentExtensionConstants.AUTHORISED_STATUS .equals(consentValidateData.getComprehensiveConsent().getCurrentStatus())) { log.error(ErrorConstants.VRP_CONSENT_STATUS_INVALID); consentValidationResult.setErrorMessage(ErrorConstants.VRP_CONSENT_STATUS_INVALID); 
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/PaymentFundsConfirmationPayloadValidator.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/PaymentFundsConfirmationPayloadValidator.java index 968a7181..3bf52b92 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/PaymentFundsConfirmationPayloadValidator.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/main/java/com/wso2/openbanking/accelerator/consent/extensions/validate/impl/PaymentFundsConfirmationPayloadValidator.java @@ -47,7 +47,7 @@ public void validatePaymentFundsConfirmationRequest(ConsentValidateData consentV DetailedConsentResource detailedConsentResource) { //Consent Status Validation - if (!ConsentExtensionConstants.AUTHORIZED_STATUS + if (!ConsentExtensionConstants.AUTHORISED_STATUS .equalsIgnoreCase(consentValidateData.getComprehensiveConsent().getCurrentStatus())) { consentValidationResult.setErrorMessage(ErrorConstants.PAYMENT_CONSENT_STATE_INVALID); consentValidationResult.setErrorCode(ErrorConstants.RESOURCE_INVALID_CONSENT_STATUS); 
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalStepTest.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalStepTest.java index f8b11e02..251e0432 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalStepTest.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalStepTest.java 
@@ -178,13 +178,13 @@ public void testConsentRetrievalWithValidRequestObject() throws ConsentManagemen Mockito.doReturn(true).when(consentDataMock).isRegulatory(); Mockito.doReturn(request).when(consentDataMock).getSpQueryParams(); - Mockito.doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(consentResourceMock).getCurrentStatus(); + Mockito.doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(consentResourceMock).getCurrentStatus(); Mockito.doReturn(ConsentExtensionConstants.ACCOUNTS).when(consentResourceMock).getConsentType(); Mockito.doReturn(ConsentAuthorizeTestConstants.VALID_INITIATION_OBJECT).when(consentResourceMock) .getReceipt(); Mockito.doReturn(consentResourceMock).when(consentCoreServiceMock) .getConsent(Mockito.anyString(), Mockito.anyBoolean()); - Mockito.doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(authorizationResourceMock) + Mockito.doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(authorizationResourceMock) .getAuthorizationStatus(); authResources.add(authorizationResourceMock); Mockito.doReturn(authResources).when(consentCoreServiceMock) diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalUtilTest.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalUtilTest.java index 9ad35bf6..14d831a8 100644 --- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalUtilTest.java 
+++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/authorize/vrp/retrieval/flow/VRPConsentRetrievalUtilTest.java @@ -183,13 +183,13 @@ public void testConsentRetrievalWithValidRequestObject() throws ConsentManagemen Mockito.doReturn(true).when(consentDataMock).isRegulatory(); Mockito.doReturn(request).when(consentDataMock).getSpQueryParams(); - Mockito.doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(consentResourceMock).getCurrentStatus(); + Mockito.doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(consentResourceMock).getCurrentStatus(); Mockito.doReturn(ConsentExtensionConstants.ACCOUNTS).when(consentResourceMock).getConsentType(); Mockito.doReturn(ConsentAuthorizeTestConstants.VALID_INITIATION_OBJECT).when(consentResourceMock) .getReceipt(); Mockito.doReturn(consentResourceMock).when(consentCoreServiceMock) .getConsent(Mockito.anyString(), Mockito.anyBoolean()); - Mockito.doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(authorizationResourceMock) + Mockito.doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(authorizationResourceMock) .getAuthorizationStatus(); authResources.add(authorizationResourceMock); Mockito.doReturn(authResources).when(consentCoreServiceMock) diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/validate/VRPSubmissionTest.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/validate/VRPSubmissionTest.java index 70c17895..7917e866 100644 
--- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/validate/VRPSubmissionTest.java +++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.extensions/src/test/java/com/wso2/openbanking/accelerator/consent/extensions/validate/VRPSubmissionTest.java @@ -154,7 +154,7 @@ public void testValidateVRPSubmission() throws ParseException, ConsentManagement doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent(); doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType(); doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt(); - doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus(); + doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus(); doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes(); doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID(); 
@@ -192,7 +192,7 @@ public void testValidateVRPSubmissionWithoutRisk() throws ParseException, Consen
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -278,7 +278,7 @@ public void testValidateVRPSubmissionWithInvalidInstruction() throws ParseExcept
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -321,7 +321,7 @@ public void testValidateVRPSubmissionWithInvalidRisk() throws ParseException, Co
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -363,7 +363,7 @@ public void testValidateVRPSubmissionWithoutInstruction() throws ParseException
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -413,7 +413,7 @@ public void testValidateVRPSubmissionWithoutCreditorAccount() throws ParseExcept
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -456,7 +456,7 @@ public void testValidateVRPSubmissionWithDebtorAccountMisMatch() throws ParseExc
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -499,7 +499,7 @@ public void testValidateVRPSubmissionWithoutRemittanceInfo() throws ParseExcepti
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -543,7 +543,7 @@ public void testValidateVRPSubmissionWithRemittanceInfoMisMatch() throws ParseEx
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -587,7 +587,7 @@ public void testValidateVRPSubmissionForInvalidInitiation(String payload) throws
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -618,7 +618,7 @@ public void testValidateVRPSubmissionWithIntegerInstructionIdentification() thro
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -661,7 +661,7 @@ public void testValidateVRPSubmissionWithIntegerEndToEndIdentification() throws
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -706,7 +706,7 @@ public void testValidateVRPSubmissionWithoutDebtorAccInSubmission() throws Parse
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION_WITHOUT_DEBTOR_ACC).when(detailedConsentResourceMock)
 .getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -750,7 +750,7 @@ public void testValidateVRPSubmissionWithoutCreditorAccInInitiation() throws Par
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION_WITHOUT_CREDITOR_ACC).when(detailedConsentResourceMock).
 getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -793,7 +793,7 @@ public void testValidateVRPSubmissionForInvalidInstruction(String payload) throw
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -824,7 +824,7 @@ public void testValidateVRPSubmissionWithInstructionRemittanceMismatch() throws
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
 doReturn(ConsentValidateTestConstants.VRP_INITIATION).when(detailedConsentResourceMock).getReceipt();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(getVRPConsentAttributes()).when(detailedConsentResourceMock).getConsentAttributes();
 doReturn(ConsentValidateTestConstants.CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 
@@ -865,7 +865,7 @@ public void testConsentValidateVRPvWithInvalidConsentId() {
 doReturn(ConsentValidateTestConstants.CLIENT_ID).when(detailedConsentResourceMock).getClientID();
 doReturn(detailedConsentResourceMock).when(consentValidateDataMock).getComprehensiveConsent();
 doReturn(ConsentExtensionConstants.VRP).when(detailedConsentResourceMock).getConsentType();
- doReturn(ConsentExtensionConstants.AUTHORIZED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
+ doReturn(ConsentExtensionConstants.AUTHORISED_STATUS).when(detailedConsentResourceMock).getCurrentStatus();
 doReturn(ConsentValidateTestConstants.INVALID_CONSENT_ID).when(detailedConsentResourceMock).getConsentID();
 doReturn(ConsentExtensionTestConstants.VALID_INITIATION_OBJECT).when(detailedConsentResourceMock)
 .getReceipt();
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/impl/OBConsentMgtDAOTests.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/impl/OBConsentMgtDAOTests.java
index d6cdfd1f..1b6228de 100644
--- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/impl/OBConsentMgtDAOTests.java
+++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/impl/OBConsentMgtDAOTests.java
@@ -47,6 +47,7 @@
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -573,6 +574,16 @@ public Object[][] updateConsentMappingStatusData() {
 return ConsentMgtDAOTestData.DataProviders.CONSENT_MAPPING_STATUS_UPDATE_DATA_HOLDER;
 }
 
+ @DataProvider(name = "updateConsentMappingPermissionDataProvider")
+ public Object[][] updateConsentMappingPermissionData() {
+
+ /*
+ * mappingId
+ * newMappingPermission
+ */
+ return ConsentMgtDAOTestData.DataProviders.CONSENT_MAPPING_PERMISSION_UPDATE_DATA_HOLDER;
+ }
+
 @Test (dataProvider = "updateConsentMappingStatusDataProvider")
 public void testUpdateConsentMappingStatus(String newMappingStatus) throws Exception {
 
@@ -613,6 +624,22 @@ public void testUpdateConsentMappingStatus(String newMappingStatus) throws Excep
 Assert.assertTrue(isConsentMappingStatusUpdated);
 }
 
+ @Test (dataProvider = "updateConsentMappingPermissionDataProvider")
+ public void testUpdateConsentMappingPermission(String mappingId, String newMappingPermission) throws Exception {
+
+ boolean isConsentMappingPermissionUpdated;
+
+ try (Connection connection = DAOUtils.getConnection(DB_NAME)) {
+
+ Map map = new HashMap<>();
+ map.put(mappingId, newMappingPermission);
+
+ isConsentMappingPermissionUpdated = consentCoreDAO.updateConsentMappingPermission(connection,
+ map);
+ }
+ Assert.assertTrue(isConsentMappingPermissionUpdated);
+ }
+
 @Test (expectedExceptions = OBConsentDataUpdationException.class)
 public void testUpdateConsentMappingStatusSQLError() throws Exception {
 
diff --git a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/util/ConsentMgtDAOTestData.java b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/util/ConsentMgtDAOTestData.java
index 91e082f7..6feba6e3 100644
--- a/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/util/ConsentMgtDAOTestData.java
+++ b/open-banking-accelerator/components/consent-management/com.wso2.openbanking.accelerator.consent.mgt.dao/src/test/java/com/wso2/openbanking/accelerator/consent/mgt/dao/util/ConsentMgtDAOTestData.java
@@ -300,6 +300,18 @@ public static final class DataProviders {
 }
 };
 
+ /*
+ * mappingId
+ * newMappingPermission
+ */
+ public static final Object[][] CONSENT_MAPPING_PERMISSION_UPDATE_DATA_HOLDER = new Object[][] {
+
+ {
+ SAMPLE_MAPPING_ID,
+ SAMPLE_PERMISSION
+ }
+ };
+
 /*
 * newAuthorizationStatus
 */
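Review bot: `Map map = new HashMap<>();` in the new testUpdateConsentMappingPermission is a raw type, so neither the `map.put(mappingId, newMappingPermission)` call nor the argument handed to `updateConsentMappingPermission` is type-checked; declare it as `Map<String, String> map = new HashMap<>();` (or whatever parameterisation the DAO method declares — its signature is not in this hunk). The test also asserts only the boolean the DAO returns, so a wrong permission value written to the row would still pass; reading the mapping back after the update and checking that it carries `newMappingPermission` would make the assertion meaningful. `isConsentMappingPermissionUpdated` can be declared inside the try block where it is assigned, and if the module already targets Java 9 or later, `Map.of(mappingId, newMappingPermission)` replaces the two-line map setup.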
diff --git a/pom.xml b/pom.xml index 03e987bd..7b25efb3 100644 --- a/pom.xml +++ b/pom.xml @@ -418,6 +418,11 @@ org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls ${carbon.identity.clientauth.mutualtls.version} + + org.wso2.carbon.extension.identity.oauth.addons + org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt + ${carbon.identity.clientauth.jwt.version} + org.wso2.carbon.identity.framework org.wso2.carbon.identity.application.authentication.endpoint.util @@ -779,6 +784,7 @@ 6.3.11 5.19.32 2.3.5 + 2.3.11 3.3.7 2.12.0 2.7.18