use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class AccountsApiEndpointWrapper method verifyMatlsFromAccountRequest.
/**
 * MTLS binding check for account requests: the TPP that owns the OAuth2 client the account
 * request was issued to must be the same TPP identified by the transport certificate presented
 * on this connection (the certificate principal's username is compared with the TPP's
 * authorisation number).
 *
 * @throws OBErrorException {@code MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCOUNT_REQUEST} when the
 *     client id no longer maps to a TPP, or when the TPP's authorisation number differs from the
 *     certificate principal
 */
public void verifyMatlsFromAccountRequest() throws OBErrorException {
    log.debug("verifyMatlsFromAccountRequest() verifying account request token was issued to the Tpp indicated" + " by the MATLS tranport certificate presented");
    // Identity established from the client certificate (the security-context principal).
    UserDetails certificatePrincipal = (UserDetails) ((Authentication) principal).getPrincipal();
    String certificateUsername = certificatePrincipal.getUsername();
    AccountRequest request = getAccountRequest();
    String clientId = request.getClientId();
    log.debug("verifyMatlsFromAccountRequest() oauth2 clientId from account request is '{}'", clientId);
    Optional<Tpp> tppForClient = this.tppStoreService.findByClientId(clientId);
    if (tppForClient.isEmpty()) {
        log.info("The OAuth2 client to which the accountAccessToken was issued no longer exists. ClientId is " + "'{}'", clientId);
        throw new OBErrorException(OBRIErrorType.MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCOUNT_REQUEST, certificateUsername, getAccountRequest().getClientId());
    }
    // The TPP is known; it must be the one whose certificate was presented.
    String authorisationNumber = tppForClient.get().getAuthorisationNumber();
    if (!certificateUsername.equals(authorisationNumber)) {
        log.warn("AISP ID from account request '{}' is not the one associated with the certificate '{}'", authorisationNumber, certificateUsername);
        throw new OBErrorException(OBRIErrorType.MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCOUNT_REQUEST, certificateUsername, getAccountRequest().getClientId());
    }
    log.info("Account Request with clientId of {} has been verified as belonging to X509 certificate (MTLS) " + "principal '{}'", clientId, certificateUsername);
}
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class AggregatedPollingApiEndpointWrapper method verifyAccessToken.
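/**
 * Verifies the bearer token held in {@code authorization} with the authorisation server, then
 * checks that its grant type and scopes are acceptable for this endpoint. On success the
 * verified token is stored in {@code accessToken}.
 *
 * <p>The raw token value is never written to the log: it is a live credential and the log is
 * not a secrets store.
 *
 * @param expectedScopes scopes of which the token must carry at least one
 * @param expectedGrantTypes grant types accepted here; {@code REFRESH_TOKEN} is always accepted
 * @throws OBErrorException {@code SERVER_ERROR} when the token has no grant type claim or the
 *     verification fails with an I/O error; {@code ACCESS_TOKEN_INVALID_GRANT_TYPE},
 *     {@code ACCESS_TOKEN_INVALID_SCOPE}, {@code ACCESS_TOKEN_INVALID_FORMAT} or
 *     {@code ACCESS_TOKEN_INVALID} for the corresponding token problem
 */
@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        log.info("Verify the access token");
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        @SuppressWarnings("unchecked") // scope claim is read as a JSON array of strings — TODO confirm against the AS token format
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined");
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        // A token without a scope claim grants nothing: reject it as an invalid-scope token
        // instead of letting scopes.stream() throw a NullPointerException out of the wrapper.
        if (scopes == null || scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token contains scopes: {} but needs at least one of the expected scopes: {}", scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        // The exception is logged so the parse failure is diagnosable without the token itself.
        log.warn("Couldn't parse the the access token. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", e);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token", e);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}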
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class CustomerInfoApiEndpointWrapper method verifyCustomerInfoRequest.
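/**
 * Verifies that the account request (consent) behind this call may be used for the customer
 * info endpoint: its status passes {@code verifyAccountRequestStatus()} and its permissions
 * consist of {@code READCUSTOMERINFOCONSENT} and nothing else.
 *
 * @throws OBErrorException {@code PERMISSIONS_INVALID} when the consent carries no permissions
 *     at all or any permission other than {@code READCUSTOMERINFOCONSENT}; status problems are
 *     raised by {@code verifyAccountRequestStatus()}
 */
public void verifyCustomerInfoRequest() throws OBErrorException {
    log.debug("Verifying Customer Info Consent");
    verifyAccountRequestStatus();
    AccountRequest accountConsent = getAccountRequest();
    List<FRExternalPermissionsCode> permissions = accountConsent.getPermissions();
    // Fail closed: a consent with no permissions never granted READCUSTOMERINFOCONSENT, yet a
    // loop that only rejects foreign permissions would let it through. Null is treated as empty
    // for the same reason (and List.of below rejects null elements).
    if (permissions == null || permissions.isEmpty()) {
        log.info("The associated AccountRequest contains no permissions; '{}' is required", FRExternalPermissionsCode.READCUSTOMERINFOCONSENT);
        throw new OBErrorException(OBRIErrorType.PERMISSIONS_INVALID, List.of(FRExternalPermissionsCode.READCUSTOMERINFOCONSENT, List.of()));
    }
    for (FRExternalPermissionsCode permission : permissions) {
        if (permission != FRExternalPermissionsCode.READCUSTOMERINFOCONSENT) {
            log.info("The associated AccountRequest contains a permission that is not '{}'", FRExternalPermissionsCode.READCUSTOMERINFOCONSENT);
            throw new OBErrorException(OBRIErrorType.PERMISSIONS_INVALID, List.of(FRExternalPermissionsCode.READCUSTOMERINFOCONSENT, permissions));
        }
    }
    log.debug("verifyCustomerInfoRequest() - request has correct permissions for customer info");
}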
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class DomesticVrpPaymentsEndpointWrapper method checkRequestAndConsentInitiationMatch.
// The Initiation section must match the values specified in the consent.
/**
 * Rejects a VRP payment whose initiation details differ from those the customer consented to.
 * The consent's initiation is converted to the OB form and compared with {@code equals}.
 *
 * @param requestInitiation initiation section of the incoming payment request
 * @param consent the consent the payment claims to be made under
 * @throws OBErrorException {@code REQUEST_VRP_INITIATION_DOESNT_MATCH_CONSENT} when the two
 *     initiations are not equal
 */
public void checkRequestAndConsentInitiationMatch(OBDomesticVRPInitiation requestInitiation, FRDomesticVRPConsent consent) throws OBErrorException {
    OBDomesticVRPInitiation consentedInitiation = toOBDomesticVRPInitiation(consent.getInitiation());
    if (consentedInitiation.equals(requestInitiation)) {
        return;
    }
    throw new OBErrorException(OBRIErrorType.REQUEST_VRP_INITIATION_DOESNT_MATCH_CONSENT);
}
use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.
the class EventNotificationsApiEndpointWrapper method verifyAccessToken.
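/**
 * Verifies the bearer token held in {@code authorization} with the authorisation server, then
 * checks that its grant type and scopes are acceptable for this endpoint. On success the
 * verified token is stored in {@code accessToken}.
 *
 * <p>The raw token value is never written to the log: it is a live credential and the log is
 * not a secrets store.
 *
 * @param expectedScopes scopes of which the token must carry at least one
 * @param expectedGrantTypes grant types accepted here; {@code REFRESH_TOKEN} is always accepted
 * @throws OBErrorException {@code SERVER_ERROR} when the token has no grant type claim or the
 *     verification fails with an I/O error; {@code ACCESS_TOKEN_INVALID_GRANT_TYPE},
 *     {@code ACCESS_TOKEN_INVALID_SCOPE}, {@code ACCESS_TOKEN_INVALID_FORMAT} or
 *     {@code ACCESS_TOKEN_INVALID} for the corresponding token problem
 */
@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        log.info("Verify the access token");
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        @SuppressWarnings("unchecked") // scope claim is read as a JSON array of strings — TODO confirm against the AS token format
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined");
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        // A token without a scope claim grants nothing: reject it as an invalid-scope token
        // instead of letting scopes.stream() throw a NullPointerException out of the wrapper.
        if (scopes == null || scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token contains scopes: {} but needs at least one of the expected scopes: {}", scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        // The exception is logged so the parse failure is diagnosable without the token itself.
        log.warn("Couldn't parse the the access token. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", e);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token", e);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}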