Examples with OBErrorException com.forgerock.openbanking.exceptions.OBErrorException used on opensource projects

Example 31 with OBErrorException

use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

the class DataEventsApiController method updateEvents.

/**
 * Update events
 * @param eventsToUpdate list of {@link FREventNotification} to update
 * @param frDataEvent the entity body {@link FRDataEvent}
 * @throws {@link OBErrorResponseException}
 */
private void updateEvents(List<FREventNotification> eventsToUpdate, FRDataEvent frDataEvent) throws OBErrorResponseException {
    try {
        frDataEvent.getObEventNotification2List().forEach(fde -> {
            Optional<FREventNotification> optionalFREventNotification = eventsToUpdate.stream().filter(e -> e.getJti().equals(fde.getJti())).findFirst();
            if (optionalFREventNotification.isEmpty()) {
                log.error("Error updating the events, the jti set in the request not match with any existing event");
                throw new RuntimeException(new OBErrorResponseException(OBRIErrorType.DATA_INVALID_REQUEST.getHttpStatus(), OBRIErrorResponseCategory.REQUEST_INVALID, OBRIErrorType.DATA_INVALID_REQUEST.toOBError1("The jti set in the request not match with any existing event")));
            }
            try {
                FREventNotification frEventNotification = optionalFREventNotification.get();
                frEventNotification.setSignedJwt(signPayload(fde));
                frPendingEventsRepository.save(frEventNotification);
            } catch (OBErrorException obErrorException) {
                throw new RuntimeException(obErrorException);
            }
        });
    } catch (RuntimeException exception) {
        throw handleError(exception);
    }
}

Example 32 with OBErrorException

use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

the class DataEventsApiController method createEvents.

/**
 * Create new events
 * @param frDataEvent the entity body {@link FRDataEvent}
 */
private void createEvents(FRDataEvent frDataEvent) {
    frDataEvent.getObEventNotification2List().forEach(e -> {
        try {
            FREventNotification frEventNotification = FREventNotification.builder().jti(UUID.randomUUID().toString()).signedJwt(signPayload(e)).tppId(frDataEvent.getTppId()).build();
            log.debug("Create event notification {}", frEventNotification);
            frPendingEventsRepository.save(frEventNotification);
            frDataEvent.setJti(frEventNotification.getJti());
        } catch (OBErrorException obErrorException) {
            throw new RuntimeException(obErrorException);
        }
    });
}

Example 33 with OBErrorException

use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

the class AuthorisationApiController method validateRequestParameter.

private SignedJWT validateRequestParameter(String responseType, String clientId, String state, String nonce, String scopes, String redirectUri, String requestParametersSerialised) throws OBErrorException {
    SignedJWT requestParameters;
    try {
        try {
            EncryptedJWT.parse(requestParametersSerialised);
            log.debug("Request parameter {} is encrypted (JWE).", requestParametersSerialised);
            requestParameters = cryptoApiClient.decryptJwe(requestParametersSerialised);
            requestParametersSerialised = requestParameters.serialize();
            log.debug("Request parameter {} decrypted (JWS).", requestParametersSerialised);
        } catch (ParseException | JOSEException e) {
            // If we got an exception, it means it's a JWS
            log.debug("Request parameter {} is just signed (JWS).", requestParametersSerialised);
            requestParameters = SignedJWT.parse(requestParametersSerialised);
        }
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "client_id", clientId);
        Optional<Tpp> byClientId = tppStoreService.findByClientId(clientId);
        if (byClientId.isEmpty()) {
            throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, "Unknown client id '" + clientId + "'");
        }
        Tpp tpp = byClientId.get();
        log.debug("Validate the request parameter signature");
        boolean validated = false;
        OIDCRegistrationResponse registrationResponse = tpp.getRegistrationResponse();
        if (registrationResponse != null) {
            JWKSet jwkSet = registrationResponse.getJwks();
            if (jwkSet != null) {
                List<JWK> jwkSetKeys = jwkSet.getKeys();
                if (jwkSetKeys != null && !jwkSetKeys.isEmpty()) {
                    JWK jwk = jwkSetKeys.get(0);
                    String jwksKeys = jwk.toString();
                    log.debug("validateRequestParameters() tpp has jwksKeys as part of registraiton. They will be" + " used to validate the request parameter.");
                    cryptoApiClient.validateJwsWithJWK(requestParametersSerialised, clientId, jwksKeys);
                    validated = true;
                } else {
                    log.debug("validateRequestParameter() tpp has no jwkSetKeys; {}", tpp);
                }
            }
            if (!validated) {
                String jwks_uri = tpp.getRegistrationResponse().getJwks_uri();
                if (jwks_uri == null || jwks_uri.isBlank()) {
                    log.error("validateRequestparameters() tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details; {}", tpp);
                    throw new InvalidTokenException("Tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details");
                } else {
                    log.debug("validateRequestParameter() Validating request parameter using jwks_uri: " + "requestParametersSerialised: '{}', clientId; '{}', jwks_url: {}", requestParametersSerialised, clientId, jwks_uri);
                    cryptoApiClient.validateJws(requestParametersSerialised, clientId, jwks_uri);
                    validated = true;
                }
            }
        } else {
            log.error("validateRequestParameter() tpp has no registration response; {}", tpp);
            throw new InvalidTokenException("Tpp is not registered");
        }
        List<String> MANDATORY_CLAIMS = Arrays.asList(OpenBankingConstants.RequestParameterClaim.AUD, OpenBankingConstants.RequestParameterClaim.SCOPE, OpenBankingConstants.RequestParameterClaim.ISS, OpenBankingConstants.RequestParameterClaim.CLAIMS, OpenBankingConstants.RequestParameterClaim.RESPONSE_TYPE, OpenBankingConstants.RequestParameterClaim.REDIRECT_URI, OpenBankingConstants.RequestParameterClaim.EXP, OpenBankingConstants.RequestParameterClaim.NONCE, OpenBankingConstants.RequestParameterClaim.CLIENT_ID);
        for (String mandatoryClaim : MANDATORY_CLAIMS) {
            if (requestParameters.getJWTClaimsSet().getClaim(mandatoryClaim) == null) {
                throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_CLAIM_MANDATORY, mandatoryClaim);
            }
        }
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "response_type", responseType);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "state", state);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "nonce", nonce);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "redirect_uri", redirectUri);
        verifyScopeQueryParameterMatchesRequestParameterClaim(requestParameters, scopes);
        verifyRequestparameterClaims(requestParameters);
    } catch (ParseException | IOException e) {
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, e.getMessage());
    } catch (InvalidTokenException e) {
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_INVALID, e.getMessage());
    }
    return requestParameters;
}

Example 34 with OBErrorException

use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

the class AuthorisationApiController method verifyRequestparameterClaims.

private void verifyRequestparameterClaims(SignedJWT requestParameters) throws OBErrorException {
    JSONObject claims = null;
    try {
        JWTClaimsSet claimSet = requestParameters.getJWTClaimsSet();
        claims = new JSONObject(claimSet.getJSONObjectClaim(OIDCConstants.OIDCClaim.CLAIMS));
    } catch (ParseException pe) {
        log.info("verifyRequestparameterClaims() Could not obtain the {} claim from the request parameter.", OIDCConstants.OIDCClaim.CLAIMS);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_INVALID, "No claims obtainable from the " + "jwt");
    }
    if (!claims.containsKey(OpenBankingConstants.RequestParameterClaim.ID_TOKEN)) {
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_INVALID, "No id token claims");
    }
    Map<String, Claim> idTokenClaims = validateIdToken(claims);
    validateUserInfo(claims, idTokenClaims);
}

Example 35 with OBErrorException

use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

the class RSEndpointWrapper method verifyAccessToken.

public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Verify access token
        log.info("Verify the access token {}", authorization);
        accessToken = rsEndpointWrapperService.verifyAccessToken(authorization);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined: {}", authorization);
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        if (!scopes.containsAll(expectedScopes)) {
            log.warn("The access token {} doesn't contain the scope {}", authorization, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the the access token {}. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token {}", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}