
Example 36 with OBErrorException

Use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

Class AccountsApiEndpointWrapper, method verifyMatlsFromAccountRequest.

public void verifyMatlsFromAccountRequest() throws OBErrorException {
    // MTLS check. We verify that the client certificate presented over MTLS belongs to the TPP (AISP) to which the account request was issued
    log.debug("verifyMatlsFromAccountRequest() verifying account request token was issued to the Tpp indicated" + " by the MATLS transport certificate presented");
    UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();
    AccountRequest accountRequest = getAccountRequest();
    String oauth2ClientIdFromAccountRequest = accountRequest.getClientId();
    log.debug("verifyMatlsFromAccountRequest() oauth2 clientId from account request is '{}'", oauth2ClientIdFromAccountRequest);
    Optional<Tpp> isTpp = this.tppStoreService.findByClientId(oauth2ClientIdFromAccountRequest);
    if (isTpp.isEmpty()) {
        log.info("The OAuth2 client to which the accountAccessToken was issued no longer exists. ClientId is " + "'{}'", oauth2ClientIdFromAccountRequest);
        throw new OBErrorException(OBRIErrorType.MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCOUNT_REQUEST, currentUser.getUsername(), getAccountRequest().getClientId());
    } else {
        Tpp tpp = isTpp.get();
        String tppAuthorisationNumber = tpp.getAuthorisationNumber();
        if (!currentUser.getUsername().equals(tppAuthorisationNumber)) {
            log.warn("AISP ID from account request '{}' is not the one associated with the certificate '{}'", tppAuthorisationNumber, currentUser.getUsername());
            throw new OBErrorException(OBRIErrorType.MATLS_TPP_AUTHENTICATION_INVALID_FROM_ACCOUNT_REQUEST, currentUser.getUsername(), getAccountRequest().getClientId());
        }
    }
    log.info("Account Request with clientId of {} has been verified as belonging to X509 certificate (MTLS) " + "principal '{}'", oauth2ClientIdFromAccountRequest, currentUser.getUsername());
}
Also used: AccountRequest (com.forgerock.openbanking.common.model.openbanking.persistence.account.AccountRequest), UserDetails (org.springframework.security.core.userdetails.UserDetails), Tpp (com.forgerock.openbanking.model.Tpp), OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException)

Example 37 with OBErrorException

Use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

Class AggregatedPollingApiEndpointWrapper, method verifyAccessToken.

@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Verify access token
        log.info("Verify the access token {}", authorization);
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined: {}", authorization);
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        if (scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token {} contains scopes: {} but needs at least one of the expected scopes: {}", authorization, scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the access token {}. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token {}", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}
Also used: InvalidTokenException (com.forgerock.openbanking.jwt.exceptions.InvalidTokenException), OIDCConstants (com.forgerock.openbanking.constants.OIDCConstants), List (java.util.List), OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException), ParseException (java.text.ParseException), IOException (java.io.IOException)

Example 38 with OBErrorException

Use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

Class CustomerInfoApiEndpointWrapper, method verifyCustomerInfoRequest.

public void verifyCustomerInfoRequest() throws OBErrorException {
    log.debug("Verifying Customer Info Consent");
    verifyAccountRequestStatus();
    AccountRequest accountConsent = getAccountRequest();
    List<FRExternalPermissionsCode> permissions = accountConsent.getPermissions();
    // A customer-info consent must carry only the READCUSTOMERINFOCONSENT permission; any other permission is rejected
    for (FRExternalPermissionsCode permission : permissions) {
        if (permission != FRExternalPermissionsCode.READCUSTOMERINFOCONSENT) {
            log.info("The associated AccountRequest contains a permission that is not '{}'", FRExternalPermissionsCode.READCUSTOMERINFOCONSENT);
            throw new OBErrorException(OBRIErrorType.PERMISSIONS_INVALID, List.of(FRExternalPermissionsCode.READCUSTOMERINFOCONSENT, permissions));
        }
    }
    log.debug("verifyCustomerInfoRequest() - request has correct permissions for customer info");
}
Also used: AccountRequest (com.forgerock.openbanking.common.model.openbanking.persistence.account.AccountRequest), FRExternalPermissionsCode (com.forgerock.openbanking.common.model.openbanking.domain.account.common.FRExternalPermissionsCode), OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException)

Example 39 with OBErrorException

Use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

Class DomesticVrpPaymentsEndpointWrapper, method checkRequestAndConsentInitiationMatch.

// The Initiation section of the payment request must match the values specified in the consent.
public void checkRequestAndConsentInitiationMatch(OBDomesticVRPInitiation requestInitiation, FRDomesticVRPConsent consent) throws OBErrorException {
    FRWriteDomesticVRPDataInitiation consentFRInitiation = consent.getInitiation();
    OBDomesticVRPInitiation consentOBInitiation = toOBDomesticVRPInitiation(consentFRInitiation);
    if (!consentOBInitiation.equals(requestInitiation)) {
        throw new OBErrorException(OBRIErrorType.REQUEST_VRP_INITIATION_DOESNT_MATCH_CONSENT);
    }
}
Also used: FRDomesticVRPConsentConverter.toOBDomesticVRPInitiation (com.forgerock.openbanking.common.services.openbanking.converter.vrp.FRDomesticVRPConsentConverter.toOBDomesticVRPInitiation), OBDomesticVRPInitiation (uk.org.openbanking.datamodel.vrp.OBDomesticVRPInitiation), OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException), FRWriteDomesticVRPDataInitiation (com.forgerock.openbanking.common.model.openbanking.persistence.vrp.FRWriteDomesticVRPDataInitiation)

Example 40 with OBErrorException

Use of com.forgerock.openbanking.exceptions.OBErrorException in project openbanking-aspsp by OpenBankingToolkit.

Class EventNotificationsApiEndpointWrapper, method verifyAccessToken.

@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Verify access token
        log.info("Verify the access token {}", authorization);
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined: {}", authorization);
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        if (scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token {} contains scopes: {} but needs at least one of the expected scopes: {}", authorization, scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the access token {}. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token {}", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}
Also used: InvalidTokenException (com.forgerock.openbanking.jwt.exceptions.InvalidTokenException), OIDCConstants (com.forgerock.openbanking.constants.OIDCConstants), List (java.util.List), OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException), ParseException (java.text.ParseException), IOException (java.io.IOException)

Aggregations (classes most often used together with OBErrorException, with usage counts)

OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException): 69
Test (org.junit.Test): 20
ParseException (java.text.ParseException): 19
IOException (java.io.IOException): 13
OBErrorResponseException (com.forgerock.openbanking.exceptions.OBErrorResponseException): 9
SignedJWT (com.nimbusds.jwt.SignedJWT): 9
ResponseEntity (org.springframework.http.ResponseEntity): 9
InvalidTokenException (com.forgerock.openbanking.jwt.exceptions.InvalidTokenException): 8
Tpp (com.forgerock.openbanking.model.Tpp): 8
HttpClientErrorException (org.springframework.web.client.HttpClientErrorException): 6
PaymentConsent (com.forgerock.openbanking.common.model.openbanking.persistence.payment.PaymentConsent): 5
List (java.util.List): 5
HttpServletRequest (javax.servlet.http.HttpServletRequest): 5
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper): 4
AccountRequest (com.forgerock.openbanking.common.model.openbanking.persistence.account.AccountRequest): 4
OIDCConstants (com.forgerock.openbanking.constants.OIDCConstants): 4
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet): 4
PermissionDenyException (com.forgerock.openbanking.common.error.exception.PermissionDenyException): 3
OAuth2BearerTokenUsageInvalidTokenException (com.forgerock.openbanking.common.error.exception.oauth2.OAuth2BearerTokenUsageInvalidTokenException): 3
OAuth2InvalidClientException (com.forgerock.openbanking.common.error.exception.oauth2.OAuth2InvalidClientException): 3