Validating BNR permission for consent revocation

[anjuchamantha]

Validating BNR permission for consent revocation

With this PR, the following validation is added to check when a BNR(Business Nominated Representative) user tries to revoke a consent.

• For all the active accounts in the consent, if the BNR user has AUTHORIZE or REVOKE permission, then the user can revoke that consent.
  (i.e. For any active account in consent mappings, if the user does not have AUTHORIZE or REVOKE permission, he/she cannot revoke the consent)

Also a new can_revoke (boolean) variable is sent in the /admin/search response, which is used in consent manager UI to decide showing the Stop Sharing button.
(i.e. BNR users who does not meet the above validation will not see a Stop Sharing button.

Issue:

• https://github.com/wso2-enterprise/ob-compliance-toolkit-cds/issues/439

Applicable Labels: OB3 CDS Toolkit

---

Development Checklist

1. Built complete solution with pull request in place.
2. Ran checkstyle plugin with pull request in place.
3. Ran Findbugs plugin with pull request in place.
4. Ran FindSecurityBugs plugin and verified report.
5. Formatted code according to WSO2 code style.
6. Have you verify the PR does't commit any keys, passwords, tokens, usernames, or other secrets?
7. Migration scripts written (if applicable).
8. Have you followed secure coding standards in WSO2 Secure Engineering Guidelines?

Testing Checklist

1. Written unit tests.
2. Documented test scenarios(link available in guides).
3. Written automation tests (link available in guides).
4. Verified tests in multiple database environments (if applicable).
5. Verified tests in multiple deployed specifications (if applicable).
6. Tested with OBBI enabled (if applicable).
7. Tested with specification regulatory conformance suites (if applicable).

Automation Test Details

Test Suite	Test Script IDs
Integration Suite	TCXXXXX, TCXXXX

Conformance Tests Details

Test Suite Name	Test Suite Version	Scenarios	Result
Security Suite	VX.X	Foo, Bar	Passed

Resources

Knowledge Base: https://sites.google.com/wso2.com/open-banking/

Guides: https://sites.google.com/wso2.com/open-banking/developer-guides

[imesh94]

User can revoke the consent only if he has authorize permission.

[anjuchamantha]

Fixed with e7670fa

[aka4rKO]

when can there be a list of userIDs? because usually revoke is done by a single user right? If there is a scenario when a list of userIDs can come shall we add that as a comment as well?

[anjuchamantha]

It is because consentAdminData.getQueryParams() returns a Map, and and .get(<key>) returns an array list. That doesn't mean that we can have multiple userIDs for revoke. Since ConsentAdminData is a common class we cannot change that behaviour for revoke only.
For this scenario (revoking a consent from consent manager) we only have 1 user.

[anjuchamantha]

There was already a validateAndGetQueryParam method to get the first element from query params. Modified with bc8b123