Example 1 with X509Authentication

Use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.

In class AccountsApiEndpointWrapperTest, method testMatls_success:

@Test
public void testMatls_success() {
    // Given: an account request owned by a client whose stored TPP record carries
    // the same authorisation number as the subject of the MATLS client certificate
    String authorisationNumber = "PSDGB-OB-2345343";
    String clientId = "clientId";
    FRAccountRequest accountRequest = new FRAccountRequest();
    accountRequest.setClientId(clientId);
    wrapper.accountRequest = accountRequest;
    Collection<? extends GrantedAuthority> authorities = Collections.emptyList();
    Authentication authentication = new X509Authentication(authorisationNumber, authorities, null);
    wrapper.principal = authentication;
    Tpp tpp = new Tpp();
    tpp.setAuthorisationNumber(authorisationNumber);
    given(this.tppStoreService.findByClientId(clientId)).willReturn(Optional.of(tpp));
    // Then: the certificate identity matches the TPP on record, so the check passes
    assertThatCode(() -> wrapper.verifyMatlsFromAccountRequest()).doesNotThrowAnyException();
}
Also used : FRAccountRequest(com.forgerock.openbanking.common.model.openbanking.persistence.account.FRAccountRequest) Tpp(com.forgerock.openbanking.model.Tpp) X509Authentication(com.forgerock.spring.security.multiauth.model.authentication.X509Authentication) Authentication(org.springframework.security.core.Authentication) Test(org.junit.Test)

Example 2 with X509Authentication

Use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.

In class ApiClientIdentityFactory, method getApiClientIdentity:

public ApiClientIdentity getApiClientIdentity(Principal principal) throws ApiClientException, OAuth2InvalidClientException {
    ApiClientIdentity apiClientIdentity = null;
    if (principal instanceof PSD2Authentication) {
        // eIDAS (PSD2) certificate: derive the identity from the certificate type
        PSD2Authentication authentication = (PSD2Authentication) principal;
        Psd2CertInfo certInfo = authentication.getPsd2CertInfo();
        if (certInfo.isPsd2Cert()) {
            ApiClientCertificateType certType = getApiClientCertificateTypeFromPSD2(authentication);
            switch(certType) {
                case FR_TRANSPORT:
                    apiClientIdentity = new ApiClientIdentityFRTransport(authentication);
                    break;
                case OBWAC:
                    apiClientIdentity = new ApiClientIdentityOBWac(authentication);
                    break;
                case QWAC:
                    apiClientIdentity = new ApiClientIdentityQWac(authentication);
                    break;
                default:
                    // Only transport-class certificates may identify an API client
                    String errorString = "Client presented an invalid Certificate " + "Type for use as a Transport certificate. Type presented: '" + certType + "'";
                    log.info("getApiClientIdentity() {}", errorString);
                    throw new ApiClientException(errorString);
            }
        } else {
            log.info("ApiClient presented a deprecated OBTransport certificate.");
            throw new OAuth2InvalidClientException("Onboarding must be done with a PSD2 eIDAS certificate. " + "OBTransport certificates have been deprecated");
        }
    } else if (principal instanceof X509Authentication) {
        // Plain X.509 (legacy OBTransport) certificate
        X509Authentication authentication = (X509Authentication) principal;
        apiClientIdentity = createOBTransportIdentity(authentication);
    } else {
        // Log the class of the principal itself; apiClientIdentity is still null here
        // and dereferencing it would throw a NullPointerException instead of the intended error
        log.info("getApiClientIdentity() Principal is not of recognised type. Class name is '{}'", principal == null ? "null" : principal.getClass().getName());
        throw new ApiClientException("Unrecognised Principal type. Was expecting a PSD2Authentication or a " + "X509Authentication");
    }
    return apiClientIdentity;
}
Also used : PSD2Authentication(com.forgerock.spring.security.multiauth.model.authentication.PSD2Authentication) OAuth2InvalidClientException(com.forgerock.openbanking.common.error.exception.oauth2.OAuth2InvalidClientException) Psd2CertInfo(com.forgerock.cert.Psd2CertInfo) X509Authentication(com.forgerock.spring.security.multiauth.model.authentication.X509Authentication)

Example 3 with X509Authentication

Use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.

In class DynamicRegistrationApiControllerTest, method shouldSucceed_register:

@Test
public void shouldSucceed_register() throws OAuth2InvalidClientException, DynamicClientRegistrationException, InvalidPsd2EidasCertificate, ApiClientException {
    // given: an anonymous, not-yet-registered TPP presenting an eIDAS certificate
    Collection<OBRIRole> authorities = new ArrayList<>(List.of(OBRIRole.ROLE_ANONYMOUS, OBRIRole.UNREGISTERED_TPP, OBRIRole.ROLE_EIDAS));
    X509Authentication principal = testSpec.getPrincipal(authorities);
    ApiClientIdentity apiClientIdentity = this.identityFactory.getApiClientIdentity(principal);
    String directoryName = "ForgeRock";
    given(this.tppRegistrationService.validateSsaAgainstIssuingDirectoryJwksUri(anyString(), eq(directoryName))).willReturn(directoryName);
    RegistrationRequest regRequest = registrationRequestFactory.getRegistrationRequestFromJwt(registrationRequestJwtSerialised);
    Tpp tpp = new Tpp();
    tpp.setRegistrationResponse(new OIDCRegistrationResponse());
    given(this.tppRegistrationService.registerTpp(any(ApiClientIdentity.class), any(RegistrationRequest.class))).willReturn(tpp);
    // when
    ResponseEntity<OIDCRegistrationResponse> response = dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal);
    // then
    assertThat(response.getStatusCode()).isEqualTo(HttpStatus.CREATED);
}
Also used : OBRIRole(com.forgerock.openbanking.model.OBRIRole) Tpp(com.forgerock.openbanking.model.Tpp) OIDCRegistrationResponse(com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse) X509Authentication(com.forgerock.spring.security.multiauth.model.authentication.X509Authentication) ApiClientIdentity(com.forgerock.openbanking.common.services.onboarding.apiclient.ApiClientIdentity) RegistrationRequest(com.forgerock.openbanking.common.services.onboarding.registrationrequest.RegistrationRequest) Test(org.junit.Test)

Example 4 with X509Authentication

Use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.

In class DynamicRegistrationApiControllerTest, method successful_updateClient:

@Test
public void successful_updateClient() throws InvalidPsd2EidasCertificate, OAuth2InvalidClientException, DynamicClientRegistrationException, OAuth2BearerTokenUsageMissingAuthInfoException, OAuth2BearerTokenUsageInvalidTokenException {
    // Given: a registered TPP presenting its eIDAS certificate together with the
    // registration access token it was issued at onboarding
    String clientId = "3105f70b-b417-427e-922d-7ba04d16278a";
    String authToken = "eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRm9sN0lwZEtlTFptekt0Q0VnaTFMRGhTSXpNPSIsImFsZyI6IkVTMjU2In0.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.vhH9AGDKbxK1R_tnq8_nOkIpPH7se68MxOC8y-Wq4SW4_ffMBj1ChkckU-q2wJ_4hh_l1sgdlCdkom_VQFvN9Q";
    String authTokenHeaderValue = "Bearer " + authToken;
    Collection<? extends GrantedAuthority> authorities = new ArrayList<>(List.of(OBRIRole.ROLE_DATA, OBRIRole.ROLE_AISP, OBRIRole.ROLE_CBPII, OBRIRole.ROLE_EIDAS, new PSD2GrantType(new RoleOfPsp(Psd2Role.PSP_IC))));
    X509Authentication principal = testSpec.getPrincipal(authorities);
    String directoryName = "ForgeRock";
    given(this.tppRegistrationService.validateSsaAgainstIssuingDirectoryJwksUri(anyString(), eq(directoryName))).willReturn(directoryName);
    given(tokenExtractor.extract(authTokenHeaderValue)).willReturn(authToken);
    Tpp tpp = this.getValidTpp();
    tpp.setClientId(clientId);
    OIDCRegistrationResponse registrationResponse = new OIDCRegistrationResponse();
    registrationResponse.setRegistrationAccessToken(authToken);
    tpp.setRegistrationResponse(registrationResponse);
    given(tppRegistrationService.getTpp(clientId)).willReturn(tpp);
    given(tppRegistrationService.validateAccessTokenIsValidForOidcRegistration(tpp, authTokenHeaderValue)).willReturn(authToken);
    given(this.tppRegistrationService.updateTpp(any(ApiClientIdentity.class), eq(tpp), eq(authToken), any(RegistrationRequest.class))).willReturn(tpp);
    // when
    ResponseEntity<OIDCRegistrationResponse> response = dynamicRegistrationApiController.updateRegistration(clientId, authTokenHeaderValue, registrationRequestJwtSerialised, principal);
    // then
    assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
}
Also used : RoleOfPsp(com.forgerock.cert.psd2.RoleOfPsp) Tpp(com.forgerock.openbanking.model.Tpp) OIDCRegistrationResponse(com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse) PSD2GrantType(com.forgerock.spring.security.multiauth.model.granttypes.PSD2GrantType) X509Authentication(com.forgerock.spring.security.multiauth.model.authentication.X509Authentication) ApiClientIdentity(com.forgerock.openbanking.common.services.onboarding.apiclient.ApiClientIdentity) RegistrationRequest(com.forgerock.openbanking.common.services.onboarding.registrationrequest.RegistrationRequest) Test(org.junit.Test)

Example 5 with X509Authentication

Use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.

In class DynamicRegistrationApiControllerTest, method failWithInvalidClientIfCertificateIsNotFromATrustedParty_register:

@Test
public void failWithInvalidClientIfCertificateIsNotFromATrustedParty_register() throws InvalidPsd2EidasCertificate {
    // given: a client certificate that chains to no trusted issuer
    Collection<OBRIRole> authorities = new ArrayList<>(List.of(OBRIRole.UNKNOWN_CERTIFICATE));
    X509Authentication principal = testSpec.getPrincipal(authorities);
    // when
    OAuth2InvalidClientException exception = catchThrowableOfType(() -> dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal), OAuth2InvalidClientException.class);
    // then: registration is refused with the RFC 6750 invalid_client error
    assertThat(exception.getRfc6750ErrorCode()).isEqualTo(OAuth2Exception.INVALID_CLIENT);
}
Also used : OBRIRole(com.forgerock.openbanking.model.OBRIRole) X509Authentication(com.forgerock.spring.security.multiauth.model.authentication.X509Authentication) Test(org.junit.Test)

Aggregations

X509Authentication (com.forgerock.spring.security.multiauth.model.authentication.X509Authentication) 11
Test (org.junit.Test) 10
OBRIRole (com.forgerock.openbanking.model.OBRIRole) 5
Tpp (com.forgerock.openbanking.model.Tpp) 5
RegistrationRequest (com.forgerock.openbanking.common.services.onboarding.registrationrequest.RegistrationRequest) 4
FRAccountRequest (com.forgerock.openbanking.common.model.openbanking.persistence.account.FRAccountRequest) 3
ApiClientIdentity (com.forgerock.openbanking.common.services.onboarding.apiclient.ApiClientIdentity) 3
OIDCRegistrationResponse (com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse) 3
Authentication (org.springframework.security.core.Authentication) 3
RoleOfPsp (com.forgerock.cert.psd2.RoleOfPsp) 2
DynamicClientRegistrationException (com.forgerock.openbanking.common.error.exception.dynamicclientregistration.DynamicClientRegistrationException) 2
OBErrorException (com.forgerock.openbanking.exceptions.OBErrorException) 2
PSD2GrantType (com.forgerock.spring.security.multiauth.model.granttypes.PSD2GrantType) 2
Psd2CertInfo (com.forgerock.cert.Psd2CertInfo) 1
OAuth2InvalidClientException (com.forgerock.openbanking.common.error.exception.oauth2.OAuth2InvalidClientException) 1
PSD2Authentication (com.forgerock.spring.security.multiauth.model.authentication.PSD2Authentication) 1