use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.
the class AccountsApiEndpointWrapperTest method testMatls_success.
@Test
public void testMatls_success() {
// Given
String authorisatioNumber = "PSDGB-OB-2345343";
String clientId = "clientId";
FRAccountRequest accountRequest = new FRAccountRequest();
accountRequest.setClientId(clientId);
wrapper.accountRequest = accountRequest;
Collection<? extends GrantedAuthority> authorities = Collections.emptyList();
Authentication authentication = new X509Authentication(authorisatioNumber, authorities, null);
wrapper.principal = authentication;
Tpp tpp = new Tpp();
tpp.setAuthorisationNumber(authorisatioNumber);
given(this.tppStoreService.findByClientId(clientId)).willReturn(Optional.of(tpp));
// Then
assertThatCode(() -> wrapper.verifyMatlsFromAccountRequest()).doesNotThrowAnyException();
}
use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.
the class ApiClientIdentityFactory method getApiClientIdentity.
public ApiClientIdentity getApiClientIdentity(Principal principal) throws ApiClientException, OAuth2InvalidClientException {
ApiClientIdentity apiClientIdentity = null;
if (principal instanceof PSD2Authentication) {
PSD2Authentication authentication = (PSD2Authentication) principal;
Psd2CertInfo certInfo = authentication.getPsd2CertInfo();
if (certInfo.isPsd2Cert()) {
ApiClientCertificateType certType = getApiClientCertificateTypeFromPSD2(authentication);
switch(certType) {
case FR_TRANSPORT:
apiClientIdentity = new ApiClientIdentityFRTransport(authentication);
break;
case OBWAC:
apiClientIdentity = new ApiClientIdentityOBWac(authentication);
break;
case QWAC:
apiClientIdentity = new ApiClientIdentityQWac(authentication);
break;
default:
String errorString = "Client presented an invalid Certificate " + "Type for use as a Transport certificate. Type presented ': " + certType + "'";
log.info("getApiClientIdentity() {}", errorString);
throw new ApiClientException(errorString);
}
} else {
log.info("ApiClient presented a deprecated OBTransport certificate.");
throw new OAuth2InvalidClientException("Onboarding must be done with a PSD2 eIDAS certificate. " + "OBTransport certificates have been depricated");
}
} else if (principal instanceof X509Authentication) {
X509Authentication authentication = (X509Authentication) principal;
apiClientIdentity = createOBTransportIdentity(authentication);
} else {
log.info("getApiClientIdentity() Principal is not of recognised type. Class name is '{}'", apiClientIdentity.getClass().getName());
throw new ApiClientException("Unrecognised Principal type. Was expecting a PSDAuthentication or a " + "X509Authentication");
}
return apiClientIdentity;
}
use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiControllerTest method shouldSucceed_register.
@Test
public void shouldSucceed_register() throws OAuth2InvalidClientException, DynamicClientRegistrationException, InvalidPsd2EidasCertificate, ApiClientException {
Collection<OBRIRole> authorities = new ArrayList<>(List.of(OBRIRole.ROLE_ANONYMOUS, OBRIRole.UNREGISTERED_TPP, OBRIRole.ROLE_EIDAS));
X509Authentication principal = testSpec.getPrincipal(authorities);
ApiClientIdentity apiClientIdentity = this.identityFactory.getApiClientIdentity(principal);
String directoryName = "ForgeRock";
given(this.tppRegistrationService.validateSsaAgainstIssuingDirectoryJwksUri(anyString(), eq("ForgeRock"))).willReturn(directoryName);
RegistrationRequest regRequest = registrationRequestFactory.getRegistrationRequestFromJwt(registrationRequestJwtSerialised);
Tpp tpp = new Tpp();
tpp.setRegistrationResponse(new OIDCRegistrationResponse());
given(this.tppRegistrationService.registerTpp(any(ApiClientIdentity.class), any(RegistrationRequest.class))).willReturn(tpp);
// when
ResponseEntity<OIDCRegistrationResponse> response = dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal);
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.CREATED);
}
use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiControllerTest method successful_updateClient.
@Test
public void successful_updateClient() throws InvalidPsd2EidasCertificate, OAuth2InvalidClientException, DynamicClientRegistrationException, OAuth2BearerTokenUsageMissingAuthInfoException, OAuth2BearerTokenUsageInvalidTokenException {
// Given
String clientId = "3105f70b-b417-427e-922d-7ba04d16278a";
String authToken = "eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRm9sN0lwZEtlTFptekt0Q0VnaTFMRGhTSXpNPSIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiIzMTA1ZjcwYi1iNDE3LTQyN2UtOTIyZC03YmEwNGQxNjI3OGEiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiZTY2MDZiOGYtNDA2Ni00Y2U2LWIxZDAtYTQ1MzM0MDEzYjA5LTIwNTkiLCJpc3MiOiJodHRwczovL2FzLmFzcHNwLmRldi1vYi5mb3JnZXJvY2suZmluYW5jaWFsOjgwNzQvb2F1dGgyIiwidG9rZW5OYW1lIjoiYWNjZXNzX3Rva2VuIiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImF1dGhHcmFudElkIjoiMW9zekR5NTJxNlByUU51anpGVDhOT1U4U1VZIiwiYXVkIjoiMzEwNWY3MGItYjQxNy00MjdlLTkyMmQtN2JhMDRkMTYyNzhhIiwibmJmIjoxNjI2MzUxNzMxLCJzY29wZSI6W10sImF1dGhfdGltZSI6MTYyNjM1MTczMSwicmVhbG0iOiIvb3BlbmJhbmtpbmciLCJleHAiOjE2MjY0MzgxMzEsImlhdCI6MTYyNjM1MTczMSwiZXhwaXJlc19pbiI6ODY0MDAsImp0aSI6IldmYm13OGtkUFk1bEhZSldMa3lDS3RmekZ1NCJ9.vhH9AGDKbxK1R_tnq8_nOkIpPH7se68MxOC8y-Wq4SW4_ffMBj1ChkckU-q2wJ_4hh_l1sgdlCdkom_VQFvN9Q";
String authTokenHeaderValue = "Bearer " + "eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRm9sN0lwZEtlTFptekt0Q0VnaTFMRGhTSXpNPSIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiIzMTA1ZjcwYi1iNDE3LTQyN2UtOTIyZC03YmEwNGQxNjI3OGEiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiZTY2MDZiOGYtNDA2Ni00Y2U2LWIxZDAtYTQ1MzM0MDEzYjA5LTIwNTkiLCJpc3MiOiJodHRwczovL2FzLmFzcHNwLmRldi1vYi5mb3JnZXJvY2suZmluYW5jaWFsOjgwNzQvb2F1dGgyIiwidG9rZW5OYW1lIjoiYWNjZXNzX3Rva2VuIiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImF1dGhHcmFudElkIjoiMW9zekR5NTJxNlByUU51anpGVDhOT1U4U1VZIiwiYXVkIjoiMzEwNWY3MGItYjQxNy00MjdlLTkyMmQtN2JhMDRkMTYyNzhhIiwibmJmIjoxNjI2MzUxNzMxLCJzY29wZSI6W10sImF1dGhfdGltZSI6MTYyNjM1MTczMSwicmVhbG0iOiIvb3BlbmJhbmtpbmciLCJleHAiOjE2MjY0MzgxMzEsImlhdCI6MTYyNjM1MTczMSwiZXhwaXJlc19pbiI6ODY0MDAsImp0aSI6IldmYm13OGtkUFk1bEhZSldMa3lDS3RmekZ1NCJ9.vhH9AGDKbxK1R_tnq8_nOkIpPH7se68MxOC8y-Wq4SW4_ffMBj1ChkckU-q2wJ_4hh_l1sgdlCdkom_VQFvN9Q";
Collection<? extends GrantedAuthority> authorities = new ArrayList<>(List.of(OBRIRole.ROLE_DATA, OBRIRole.ROLE_AISP, OBRIRole.ROLE_CBPII, OBRIRole.ROLE_EIDAS, new PSD2GrantType(new RoleOfPsp(Psd2Role.PSP_IC))));
X509Authentication principal = testSpec.getPrincipal(authorities);
String directoryName = "ForgeRock";
given(this.tppRegistrationService.validateSsaAgainstIssuingDirectoryJwksUri(anyString(), eq("ForgeRock"))).willReturn(directoryName);
given(tokenExtractor.extract(authTokenHeaderValue)).willReturn(authToken);
Tpp tpp = this.getValidTpp();
tpp.setClientId("3105f70b-b417-427e-922d-7ba04d16278a");
OIDCRegistrationResponse registrationResponse = new OIDCRegistrationResponse();
registrationResponse.setRegistrationAccessToken(authToken);
tpp.setRegistrationResponse(registrationResponse);
given(tppRegistrationService.getTpp(clientId)).willReturn(tpp);
given(tppRegistrationService.validateAccessTokenIsValidForOidcRegistration(tpp, authTokenHeaderValue)).willReturn(authToken);
given(this.tppRegistrationService.updateTpp(any(ApiClientIdentity.class), eq(tpp), eq(authToken), any(RegistrationRequest.class))).willReturn(tpp);
given(tokenExtractor.extract(authTokenHeaderValue)).willReturn(authToken);
// when
ResponseEntity<OIDCRegistrationResponse> response = dynamicRegistrationApiController.updateRegistration(clientId, authTokenHeaderValue, registrationRequestJwtSerialised, principal);
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
}
use of com.forgerock.spring.security.multiauth.model.authentication.X509Authentication in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiControllerTest method failWithInvalidClientIfCertificateIsNotFromATrustedParty_register.
@Test
public void failWithInvalidClientIfCertificateIsNotFromATrustedParty_register() throws InvalidPsd2EidasCertificate {
// given
Collection<OBRIRole> authorities = new ArrayList<>(List.of(OBRIRole.UNKNOWN_CERTIFICATE));
X509Authentication principal = testSpec.getPrincipal(authorities);
// when
OAuth2InvalidClientException exception = catchThrowableOfType(() -> dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal), OAuth2InvalidClientException.class);
// then
assertThat(exception.getRfc6750ErrorCode()).isEqualTo(OAuth2Exception.INVALID_CLIENT);
}
Aggregations