From db57b8718fea862062aef780c23b9b3b1133b1ee Mon Sep 17 00:00:00 2001
From: hongwei
Date: Tue, 1 Oct 2019 22:52:24 +0200
Subject: [PATCH 1/3] tweaked the header
---
obp-api/src/main/webapp/dummy-user-tokens.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/obp-api/src/main/webapp/dummy-user-tokens.html b/obp-api/src/main/webapp/dummy-user-tokens.html
index 84b2987bd..c60338095 100644
--- a/obp-api/src/main/webapp/dummy-user-tokens.html
+++ b/obp-api/src/main/webapp/dummy-user-tokens.html
@@ -28,7 +28,7 @@ Berlin 13359, Germany -->
-

Dummy user direct login headers

+

Dummy User Direct Login Headers

Consumer User name
From 873df7ccb55fa5dfbf35877b8349d476e63557c8 Mon Sep 17 00:00:00 2001
From: hongwei
Date: Wed, 2 Oct 2019 00:27:48 +0200
Subject: [PATCH 2/3] added the guard for the consumerKey and Login user
---
.../src/main/scala/code/snippet/ConsumerRegistration.scala | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala b/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala
index bf0e115af..8167adf49 100644
--- a/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala
+++ b/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala
@@ -298,6 +298,12 @@ class ConsumerRegistration extends MdcLoggable {
 def showDummyCustomerTokens(): CssSel = {
 val consumerKeyBox = S.param("consumer_key")
+ // The following will check the login user and the user from the consumerkey. we do not want to share consumerkey to others.
+ val loginUserId = AuthUser.getCurrentUser.map(_.userId).openOr("")
+ val userCreatedByUserId = consumerKeyBox.map(Consumers.consumers.vend.getConsumerByConsumerKey(_)).flatten.map(_.createdByUserId.get).openOr("")
+ if(!loginUserId.equals(userCreatedByUserId))
+ return "#dummy-user-tokens ^" #> "The consumer key in the URL is not created by the current login user, please create consumer for this user first!"
+
 val dummyUsersInfo = getWebUiPropsValue("webui_dummy_user_logins", "")
 val isShowDummyUserTokens = getWebUiPropsValue("webui_show_dummy_user_tokens", "false").toBoolean
From a59d3dfb6edee47a0b213df6709bfc291b9f7b4c Mon Sep 17 00:00:00 2001
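Review bot: The ownership guard added in showDummyCustomerTokens can be satisfied by an anonymous request: `loginUserId` falls back to `""` when nobody is logged in, and `userCreatedByUserId` falls back to `""` when `consumer_key` is missing, unknown, or the consumer's `createdByUserId` is empty, so both sides compare equal and execution falls through to the dummy-token rendering instead of returning the refusal. Require a logged-in user before comparing, e.g. `if (loginUserId.isEmpty || !loginUserId.equals(userCreatedByUserId))`, or keep both values as Box[String] and accept only a Full-to-Full match; a separate message for the not-logged-in case would also be clearer than "not created by the current login user". Whether `createdByUserId` can actually be empty for existing consumers is not visible here and is worth checking in the Consumer model. The body of showDummyCustomerTokens continues past the hunk, so whether a later check (for example on `isShowDummyUserTokens`) independently stops the anonymous case cannot be confirmed from this diff.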
From: =?UTF-8?q?Marko=20Mili=C4=87?=
Date: Thu, 3 Oct 2019 12:03:32 +0200
Subject: [PATCH 3/3] Added endpoint getEntitlements v4.0.0
---
.../scala/code/api/v4_0_0/APIMethods400.scala | 50 +++++++++++++-
.../scala/code/api/v4_0_0/OBPAPI4_0_0.scala | 3 +-
.../code/api/v4_0_0/EntitlementTests.scala | 68 +++++++++++++++++++
3 files changed, 119 insertions(+), 2 deletions(-)
create mode 100644 obp-api/src/test/scala/code/api/v4_0_0/EntitlementTests.scala
diff --git a/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala b/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala
index 9f8590b55..3681c1881 100644
--- a/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala
+++ b/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala
@@ -9,10 +9,12 @@ import code.api.util.ExampleValue.{dynamicEntityRequestBodyExample, dynamicEntit
 import code.api.util.NewStyle.HttpCode
 import code.api.util._
 import code.api.v1_4_0.JSONFactory1_4_0.{ChallengeAnswerJSON, TransactionRequestAccountJsonV140}
+import code.api.v2_0_0.{EntitlementJSON, EntitlementJSONs, JSONFactory200}
 import code.api.v2_1_0._
 import code.api.v3_1_0.ListResult
 import code.api.{APIFailureNewStyle, ChargePolicy}
 import code.dynamicEntity.DynamicEntityCommons
+import code.entitlement.Entitlement
 import code.model.dataAccess.AuthUser
 import code.model.toUserExtended
 import code.transactionrequests.TransactionRequests.TransactionChallengeTypes._
@@ -990,7 +992,7 @@ trait APIMethods400 {
 apiInfoJson400,
 List(UnknownError, "no connector set"),
 Catalogs(Core, notPSD2, OBWG),
- apiTagApi :: Nil)
+ apiTagApi :: apiTagNewStyle :: Nil)
 lazy val root : OBPEndpoint = {
 case "root" :: Nil JsonGet _ => {
@@ -1010,6 +1012,52 @@ trait APIMethods400 {
 }
 }
 }
+
+
+
+ resourceDocs += ResourceDoc(
+ getEntitlements,
+ implementedInApiVersion,
+ "getEntitlements",
+ "GET",
+ "/users/USER_ID/entitlements",
+ "Get Entitlements for User",
+ s"""
+ |
+ |${authenticationRequiredMessage(true)}
+ |
+ |
+ """.stripMargin,
+ emptyObjectJson,
+ entitlementJSONs,
+ List(UserNotLoggedIn, UserHasMissingRoles, UnknownError),
+ Catalogs(notCore, notPSD2, notOBWG),
+ List(apiTagRole, apiTagEntitlement, apiTagUser, apiTagNewStyle),
+ Some(List(canGetEntitlementsForAnyUserAtAnyBank)))
+
+
+ lazy val getEntitlements: OBPEndpoint = {
+ case "users" :: userId :: "entitlements" :: Nil JsonGet _ => {
+ cc =>
+ for {
+ (Full(u), callContext) <- authorizedAccess(cc)
+ _ <- NewStyle.function.hasEntitlement("", u.userId, canGetEntitlementsForAnyUserAtAnyBank, callContext)
+ entitlements <- NewStyle.function.getEntitlementsByUserId(userId, callContext)
+ } yield {
+ var json = EntitlementJSONs(Nil)
+ // Format the data as V2.0.0 json
+ if (isSuperAdmin(userId)) {
+ // If the user is SuperAdmin add it to the list
+ json = EntitlementJSONs(JSONFactory200.createEntitlementJSONs(entitlements).list:::List(EntitlementJSON("", "SuperAdmin", "")))
+ } else {
+ json = JSONFactory200.createEntitlementJSONs(entitlements)
+ }
+ (json, HttpCode.`200`(callContext))
+ }
+ }
+ }
+
+ }
diff --git a/obp-api/src/main/scala/code/api/v4_0_0/OBPAPI4_0_0.scala b/obp-api/src/main/scala/code/api/v4_0_0/OBPAPI4_0_0.scala
index 796d9d95a..7a9e75c23 100644
--- a/obp-api/src/main/scala/code/api/v4_0_0/OBPAPI4_0_0.scala
+++ b/obp-api/src/main/scala/code/api/v4_0_0/OBPAPI4_0_0.scala
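Review bot: The ResourceDoc description for getEntitlements contains only the authentication line, so the generated docs will not state that the caller needs the `CanGetEntitlementsForAnyUserAtAnyBank` role (enforced by the `hasEntitlement` call), that USER_ID is the user whose entitlements are listed rather than the caller, or that a synthetic `EntitlementJSON("", "SuperAdmin", "")` entry is appended when `isSuperAdmin(userId)` holds; add three `|` lines inside the `s"""..."""` block saying exactly that. Style-wise, the `var json` with two reassignments is better written as one expression, `val json = if (isSuperAdmin(userId)) EntitlementJSONs(JSONFactory200.createEntitlementJSONs(entitlements).list ::: List(EntitlementJSON("", "SuperAdmin", ""))) else JSONFactory200.createEntitlementJSONs(entitlements)`. Nothing in the hunk checks that `userId` names an existing user; if `getEntitlementsByUserId` returns an empty list for unknown ids (not visible here), the endpoint answers 200 with an empty list for any string, which may be acceptable but should be stated in the doc. The enclosing trait/object continues outside the hunk.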
@@ -161,7 +161,7 @@ object OBPAPI4_0_0 extends OBPRestHelper with APIMethods130 with APIMethods140 w
 //now in V300 Implementations2_0_0.getCoreAccountById ::
 //now in V300 Implementations2_0_0.getCoreTransactionsForBankAccount ::
 // Implementations2_0_0.getCurrentUser ::
- Implementations2_0_0.getEntitlements ::
+ // Implementations2_0_0.getEntitlements ::
 Implementations2_0_0.getKycChecks ::
 Implementations2_0_0.getKycDocuments ::
 Implementations2_0_0.getKycMedia ::
@@ -393,6 +393,7 @@ object OBPAPI4_0_0 extends OBPRestHelper with APIMethods130 with APIMethods140 w
 Implementations4_0_0.genericEndpoint ::
 Implementations4_0_0.resetPasswordUrl ::
 Implementations4_0_0.root ::
+ Implementations4_0_0.getEntitlements ::
 Nil
 def allResourceDocs = MockerConnector.doc ++
diff --git a/obp-api/src/test/scala/code/api/v4_0_0/EntitlementTests.scala b/obp-api/src/test/scala/code/api/v4_0_0/EntitlementTests.scala
new file mode 100644
index 000000000..95e7bff92
--- /dev/null
+++ b/obp-api/src/test/scala/code/api/v4_0_0/EntitlementTests.scala
@@ -0,0 +1,68 @@
+package code.api.v4_0_0
+
+import code.api.ErrorMessage
+import code.api.util.ApiRole.CanGetEntitlementsForAnyUserAtAnyBank
+import code.api.util.ErrorMessages.{UserHasMissingRoles, _}
+import code.api.util.{ApiRole, ApiVersion, ErrorMessages}
+import code.entitlement.Entitlement
+import code.setup.DefaultUsers
+import code.api.util.APIUtil.OAuth._
+import code.api.v4_0_0.APIMethods400.Implementations4_0_0
+import com.github.dwickern.macros.NameOf.nameOf
+import org.scalatest.Tag
+
+class EntitlementTests extends V400ServerSetup with DefaultUsers {
+
+ override def beforeAll() {
+ super.beforeAll()
+ }
+
+ override def afterAll() {
+ super.afterAll()
+ }
+
+ /**
+ * Test tags
+ * Example: To run tests with tag "getPermissions":
+ * mvn test -D tagsToInclude
+ *
+ * This is made possible by the scalatest maven plugin
+ */
+ object VersionOfApi extends Tag(ApiVersion.v4_0_0.toString)
+ object ApiEndpoint1 extends Tag(nameOf(Implementations4_0_0.getEntitlements))
+
+ feature("Assuring that endpoint getEntitlements works as expected - v4.0.0") {
+
+ scenario("We try to get entitlements without login - getEntitlements", ApiEndpoint1, VersionOfApi) {
+ When("We make the request")
+ val requestGet = (v4_0_0_Request / "users" / resourceUser1.userId / "entitlements").GET
+ val responseGet = makeGetRequest(requestGet)
+ Then("We should get a 400")
+ responseGet.code should equal(400)
+ And("We should get a message: " + ErrorMessages.UserNotLoggedIn)
+ responseGet.body.extract[ErrorMessage].message should equal (ErrorMessages.UserNotLoggedIn)
+ }
+
+ scenario("We try to get entitlements without credentials - getEntitlements", ApiEndpoint1, VersionOfApi) {
+ When("We make the request")
+ val requestGet = (v4_0_0_Request / "users" / resourceUser1.userId / "entitlements").GET <@ (user1)
+ val responseGet = makeGetRequest(requestGet)
+ Then("We should get a 40")
+ responseGet.code should equal(403)
+ And("We should get a message: " + 
s"$CanGetEntitlementsForAnyUserAtAnyBank entitlement required")
+ responseGet.body.extract[ErrorMessage].message should equal (UserHasMissingRoles + CanGetEntitlementsForAnyUserAtAnyBank)
+ }
+
+ scenario("We try to get entitlements with credentials - getEntitlements", ApiEndpoint1, VersionOfApi) {
+ When("We add required entitlement")
+ Entitlement.entitlement.vend.addEntitlement("", resourceUser1.userId, ApiRole.CanGetEntitlementsForAnyUserAtAnyBank.toString)
+ And("We make the request")
+ val requestGet = (v4_0_0_Request / "users" / resourceUser1.userId / "entitlements").GET <@ (user1)
+ val responseGet = makeGetRequest(requestGet)
+ Then("We should get a 200")
+ responseGet.code should equal(200)
+ }
+ }
+
+
+ }
\ No newline at end of file
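Review bot: The positive scenario only asserts the status code, so it would pass even if the endpoint returned an empty or wrong list; after `responseGet.code should equal(200)` extract the body as `EntitlementJSONs` and assert that the role just added, `ApiRole.CanGetEntitlementsForAnyUserAtAnyBank.toString`, appears in it. All three scenarios target `resourceUser1.userId` while `user1` is the caller, so the cross-user path the role is meant to authorize (user1 reading another user's entitlements) is never exercised; a fourth scenario against a different resource user's id would cover it. Two wording issues: `Then("We should get a 40")` should read `Then("We should get a 403")`, and the second scenario's title says "without credentials" although `user1` is authenticated — "without the required role" describes what it tests. The entitlement added in the third scenario is not removed in afterAll; whether V400ServerSetup resets state between test classes is not visible here.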