use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class AccessTokenService method verifyAccessTokenGrantTypes.
/**
 * Checks that the access token was issued under one of the expected OAuth2 grant types.
 * <p>
 * A {@code REFRESH_TOKEN} grant is accepted unconditionally, regardless of {@code expectedGrantTypes}.
 * Any failure while reading the grant type, and a grant-type mismatch (raised internally as an
 * {@link OBErrorException}), is logged and reported to the caller as an
 * {@link OAuth2BearerTokenUsageInvalidTokenException} that carries only the underlying message.
 *
 * @param expectedGrantTypes grant types acceptable for the protected resource being accessed
 * @param accessToken        the signed access token whose grant type is inspected
 * @throws OAuth2BearerTokenUsageInvalidTokenException if the grant type cannot be read or is not expected
 */
public void verifyAccessTokenGrantTypes(List<OIDCConstants.GrantType> expectedGrantTypes, SignedJWT accessToken) throws OAuth2BearerTokenUsageInvalidTokenException {
    try {
        final String serialisedGrantType = getGrantTypes(accessToken);
        final OIDCConstants.GrantType actualGrantType = OIDCConstants.GrantType.fromType(serialisedGrantType);
        // Refresh-token grants are always acceptable; everything else must appear in the expected list.
        final boolean isRefreshTokenGrant = OIDCConstants.GrantType.REFRESH_TOKEN.equals(actualGrantType);
        final boolean isAcceptable = isRefreshTokenGrant || expectedGrantTypes.contains(actualGrantType);
        if (!isAcceptable) {
            log.debug("Access token grant type '{}' is not one of the expected grant types {}", actualGrantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, actualGrantType, expectedGrantTypes);
        }
        log.debug("verifyAccessTokenGrantTypes() - access token contains expected grant type");
    } catch (Exception e) {
        // Every failure mode (token parsing, mismatch) collapses into an invalid-token response;
        // the original exception is logged here but not attached as the cause.
        log.info("verifyAccessTokenGrantTypes() caught exception", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException(e.getMessage());
    }
}
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class AccessTokenService method verifyMatlsFromAccessToken.
/**
 * Verifies that the access token was issued to the TPP that presented the MATLS client certificate.
 * <p>
 * The token's audience is used as the OAuth2 client ID and looked up in the TPP store; the stored
 * authorisation number must equal {@code tppName}. An exception that is already an
 * {@link OAuth2BearerTokenUsageInvalidTokenException} is propagated unchanged; any other failure is
 * reported as one with a fixed message.
 * NOTE(review): when no TPP record exists for the audience the method returns normally, so the token
 * is not bound to the certificate in that case — confirm this is the intended behaviour.
 *
 * @param accessToken the signed access token presented with the request
 * @param tppName     the authorisation number of the TPP, taken from the MATLS certificate
 * @throws OAuth2BearerTokenUsageInvalidTokenException if the token is not bound to {@code tppName} or cannot be read
 */
public void verifyMatlsFromAccessToken(SignedJWT accessToken, String tppName) throws OAuth2BearerTokenUsageInvalidTokenException {
    log.debug("verifyMatlsFromAccessToken() called");
    try {
        final JWTClaimsSet claims = getJwtClaims(accessToken);
        final String clientId = getAudience(claims);
        final Tpp tppRecord = this.tppStoreService.findByClientId(clientId).orElse(null);
        if (tppRecord != null) {
            // The certificate identity (tppName) must match the authorisation number stored for the client.
            final String recordedAuthorisationNumber = tppRecord.getAuthorisationNumber();
            if (!tppName.equals(recordedAuthorisationNumber)) {
                log.warn("TPP ID from account token {} is not the one associated with the certificate {}", recordedAuthorisationNumber, tppName);
                throw new OBErrorException(OBRIErrorType.MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCESS_TOKEN, tppName, clientId);
            }
        }
    } catch (OAuth2BearerTokenUsageInvalidTokenException oe) {
        // Already the caller-facing type: log and rethrow as-is.
        log.info("verifyMatlsFromAccessToken() caught exception", oe);
        throw oe;
    } catch (Exception e) {
        log.info("verifyMatlsFromAccessToken() caught exception", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Access token was not issued to the organisation that owns the TLS certificate used to make the request.");
    }
}
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class EventValidationService method verifyValidCallbackUrl.
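/**
 * Validates an optional event-notification callback URL.
 * <p>
 * An empty or {@code null} URL is accepted because a TPP may rely on polling only. When supplied, the
 * URL must parse as a {@link URL} and must end with {@code /v<OB_VERSION>/event-notifications}
 * (for example {@code /v3.1.1/event-notifications}).
 * NOTE(review): {@code new URL(...)} checks syntax only and accepts any registered scheme, and the
 * pattern below does not constrain the scheme either; if only HTTPS callbacks are acceptable, that
 * has to be checked separately.
 *
 * @param callbackUrl the callback URL submitted by the TPP; may be {@code null} or empty
 * @throws OBErrorException with {@code INVALID_CALLBACK_URL} if the URL is malformed or does not end
 *                          with the versioned {@code /event-notifications} path
 */
public static void verifyValidCallbackUrl(final String callbackUrl) throws OBErrorException {
    // It is valid to not use a callback URL here as TPP may be using polling only. But, if submitted, callback URL must be valid.
    if (StringUtils.isEmpty(callbackUrl)) {
        return;
    }
    try {
        // Throws MalformedURLException for a syntactically bad URL.
        new URL(callbackUrl);
    } catch (MalformedURLException e) {
        log.debug("Event subscription callback URL is malformed. Submitted callback: was '{}'", callbackUrl, e);
        throw new OBErrorException(OBRIErrorType.INVALID_CALLBACK_URL, callbackUrl);
    }
    // Already a well-formed URL; it must additionally end with /v<OB_VERSION>/event-notifications.
    final String versionedCallbackPattern = "[^\\s]+\\/(v(\\d+\\.)?(\\d+\\.)?(\\*|\\d+))\\/event-notifications$";
    if (!Pattern.matches(versionedCallbackPattern, callbackUrl)) {
        log.debug("Event subscription callback URL must end with /v{OB_VERSION}/event-notifications (e.g. /v3.1.1/event-notifications). Submitted callback: was '{}'", callbackUrl);
        throw new OBErrorException(OBRIErrorType.INVALID_CALLBACK_URL, callbackUrl);
    }
}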
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class PaymentsSubmissionEndpointWrapperTest method verifyPaymentStatus_notConsented.
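/**
 * A payment whose consent has only passed technical validation (not yet authorised by the PSU)
 * must be rejected by {@code verifyPaymentStatus()} with a 406 and the expected message.
 */
@Test
public void verifyPaymentStatus_notConsented() throws Exception {
    // given: consent accepted for technical validation but not authorised by the PSU
    PaymentConsent payment = FRDomesticConsent.builder().status(ConsentStatusCode.ACCEPTEDTECHNICALVALIDATION).build();
    // when
    OBErrorException obErrorException = catchThrowableOfType(() -> wrapper.payment(payment).verifyPaymentStatus(), OBErrorException.class);
    // then: report a missing exception explicitly rather than failing with an NPE on the assertions below
    assertThat(obErrorException).isNotNull();
    assertThat(obErrorException.getObriErrorType().getHttpStatus().value()).isEqualTo(406);
    assertThat(obErrorException.getMessage()).isEqualTo("Payment invalid. Payment request hasn't been authorised by the PSU yet. Payment request status: 'ACCEPTEDTECHNICALVALIDATION'");
}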
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class PaymentsSubmissionEndpointWrapperTest method verifyAccessUsing_GrantTypeWrong.
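/**
 * An authorised payment presented with a client-credentials access token must be rejected by
 * {@code applyFilters()} with a 403 and the {@code OBRI_ACCESS_TOKEN_INVALID} error code, because the
 * payment submission endpoint expects an authorisation-code (or headless-auth) grant.
 */
@Test
public void verifyAccessUsing_GrantTypeWrong() throws Exception {
    // given: an authorised consent and a token issued under the wrong grant type
    PaymentConsent payment = FRDomesticConsent.builder().status(ConsentStatusCode.AUTHORISED).build();
    String jws = jws("payments", OIDCConstants.GrantType.CLIENT_CREDENTIAL);
    String authorizationHeader = "Bearer " + jws;
    wrapper.authorization(authorizationHeader);
    // the resource server stub hands back the parsed token unchanged
    when(amResourceServerService.verifyAccessToken(authorizationHeader)).thenReturn((SignedJWT) JWTParser.parse(jws));
    // when
    OBErrorException obErrorException = catchThrowableOfType(() -> wrapper.payment(payment).applyFilters(), OBErrorException.class);
    // then: report a missing exception explicitly rather than failing with an NPE on the assertions below
    assertThat(obErrorException).isNotNull();
    assertThat(obErrorException.getObriErrorType().getHttpStatus().value()).isEqualTo(403);
    assertThat(obErrorException.getOBError().getErrorCode()).isEqualTo(ErrorCode.OBRI_ACCESS_TOKEN_INVALID.getValue());
    assertThat(obErrorException.getMessage()).isEqualTo("The access token grant type CLIENT_CREDENTIAL doesn't match one of the expected grant types [AUTHORIZATION_CODE, HEADLESS_AUTH]");
}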