{
SHtml.ajaxButton("Revoke", () => {
- val result = selfRevokeConsent(consent.consent_id)
+ val result = callRevokeMyConsent(consent.consent_id)
val message = result match {
case Left((msg, _)) => ShowMessage(msg, isError = true)
case Right(_) => ShowMessage(s"Consent (reference_id ${consent.consent_reference_id}) successfully revoked.", isError = false)
diff --git a/obp-api/src/main/webapp/templates-hidden/default.html b/obp-api/src/main/webapp/templates-hidden/default.html
index e7193429d..16d92c555 100644
--- a/obp-api/src/main/webapp/templates-hidden/default.html
+++ b/obp-api/src/main/webapp/templates-hidden/default.html
@@ -119,11 +119,6 @@ Berlin 13359, Germany
API Explorer
-
diff --git a/obp-api/src/main/webapp/user-information.html b/obp-api/src/main/webapp/user-information.html
index 122c9fd82..e8e2cd3bb 100644
--- a/obp-api/src/main/webapp/user-information.html
+++ b/obp-api/src/main/webapp/user-information.html
@@ -61,6 +61,9 @@ Berlin 13359, Germany
+
+
+
diff --git a/obp-api/src/test/scala/code/api/v5_1_0/ConsentsTest.scala b/obp-api/src/test/scala/code/api/v5_1_0/ConsentsTest.scala
index 01bd74e7f..15746321e 100644
--- a/obp-api/src/test/scala/code/api/v5_1_0/ConsentsTest.scala
+++ b/obp-api/src/test/scala/code/api/v5_1_0/ConsentsTest.scala
@@ -31,7 +31,7 @@ import code.api.util.APIUtil.OAuth._
import code.api.util.ApiRole._
import code.api.util.Consent
import code.api.util.ErrorMessages._
-import code.api.v3_1_0.{PostConsentChallengeJsonV310, PostConsentEntitlementJsonV310}
+import code.api.v3_1_0.{ConsentJsonV310, PostConsentChallengeJsonV310, PostConsentEntitlementJsonV310}
import code.api.v4_0_0.OBPAPI4_0_0.Implementations4_0_0
import code.api.v4_0_0.{PutConsentStatusJsonV400, UsersJsonV400}
import code.api.v5_0_0.OBPAPI5_0_0.Implementations5_0_0
@@ -71,6 +71,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
object GetConsents extends Tag(nameOf(Implementations5_1_0.getConsents))
object UpdateConsentStatusByConsent extends Tag(nameOf(Implementations5_1_0.updateConsentStatusByConsent))
object UpdateConsentAccountAccessByConsentId extends Tag(nameOf(Implementations5_1_0.updateConsentAccountAccessByConsentId))
+ object revokeMyConsent extends Tag(nameOf(Implementations5_1_0.revokeMyConsent))
lazy val entitlements = List(PostConsentEntitlementJsonV310("", CanGetAnyUser.toString()))
lazy val bankId = testBankId1.value
@@ -99,6 +100,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
def getConsents(consentId: String) = (v5_1_0_Request / "management"/ "consents").GET
def updateConsentStatusByConsent(consentId: String) = (v5_1_0_Request / "management" / "banks" / bankId / "consents" / consentId).PUT
def updateConsentPayloadByConsent(consentId: String) = (v5_1_0_Request / "management" / "banks" / bankId / "consents" / consentId / "account-access").PUT
+ def revokeMyConsentUrl(consentId: String) = (v5_1_0_Request / "my" / "consents" / consentId ).DELETE
feature(s"test $ApiEndpoint6 version $VersionOfApi - Unauthorized access") {
scenario("We will call the endpoint without user credentials", ApiEndpoint6, VersionOfApi) {
@@ -119,7 +121,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
}
}
- feature(s"test $ApiEndpoint8 version $VersionOfApi - Unautenticated access") {
+ feature(s"test $ApiEndpoint8 version $VersionOfApi - Unauthenticated access") {
scenario("We will call the endpoint without user credentials", ApiEndpoint8, VersionOfApi) {
When(s"We make a request $ApiEndpoint8")
val response510 = makeGetRequest(getMyConsentAtBank("whatever"))
@@ -128,7 +130,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
}
}
- feature(s"test $ApiEndpoint8 version $VersionOfApi - Autenticated access") {
+ feature(s"test $ApiEndpoint8 version $VersionOfApi - Authenticated access") {
scenario("We will call the endpoint with user credentials", ApiEndpoint8, VersionOfApi) {
When(s"We make a request $ApiEndpoint1")
val response510 = makeGetRequest(getMyConsentAtBank("whatever")<@(user1))
@@ -137,7 +139,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
}
}
- feature(s"test $getMyConsents version $VersionOfApi - Unautenticated access") {
+ feature(s"test $getMyConsents version $VersionOfApi - Unauthenticated access") {
scenario("We will call the endpoint without user credentials", getMyConsents, VersionOfApi) {
When(s"We make a request $getMyConsents")
val response510 = makeGetRequest(getMyConsent("whatever"))
@@ -146,7 +148,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
}
}
- feature(s"test $getMyConsents version $VersionOfApi - Autenticated access") {
+ feature(s"test $getMyConsents version $VersionOfApi - Authenticated access") {
scenario("We will call the endpoint with user credentials", getMyConsents, VersionOfApi) {
When(s"We make a request $ApiEndpoint1")
val response510 = makeGetRequest(getMyConsent("whatever")<@(user1))
@@ -156,7 +158,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
}
- feature(s"test $ApiEndpoint9 version $VersionOfApi - Unautenticated access") {
+ feature(s"test $ApiEndpoint9 version $VersionOfApi - Unauthenticated access") {
scenario("We will call the endpoint without user credentials", ApiEndpoint9, VersionOfApi) {
When(s"We make a request $ApiEndpoint9")
val response510 = makeGetRequest(getConsentsAtBAnk("whatever"))
@@ -165,7 +167,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
}
}
- feature(s"test $ApiEndpoint9 version $VersionOfApi - Autenticated access") {
+ feature(s"test $ApiEndpoint9 version $VersionOfApi - Authenticated access") {
scenario("We will call the endpoint with user credentials", ApiEndpoint9, VersionOfApi) {
When(s"We make a request $ApiEndpoint1")
val response510 = makeGetRequest(getConsentsAtBAnk("whatever") <@ (user1))
@@ -213,6 +215,17 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
}
}
+
+ feature(s"test $revokeMyConsent version $VersionOfApi- Unauthenticated access") {
+ scenario("We will call the endpoint with user credentials", revokeMyConsent, VersionOfApi) {
+ When(s"We make a request $revokeMyConsent")
+ val response510 = makeDeleteRequest(revokeMyConsentUrl("xxxx"))
+ Then("We should get a 401")
+ response510.code should equal(401)
+ response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
+ }
+ }
+
feature(s"test $UpdateConsentStatusByConsent version $VersionOfApi - Authenticated access") {
scenario("We will call the endpoint with user credentials", UpdateConsentStatusByConsent, VersionOfApi) {
When(s"We make a request $UpdateConsentStatusByConsent")
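Review bot: The scenario title in the added unauthenticated feature reads "We will call the endpoint with user credentials", but the request is sent without `<@(user1)` and expects a 401, so the title should say `"We will call the endpoint without user credentials"`. The feature string also lacks a space in `$VersionOfApi- Unauthenticated access`, whereas the neighbouring features use `$VersionOfApi - ...`. Test reports are read by title when an authentication regression shows up, so a mislabelled 401 case is easy to misread.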
@@ -262,6 +275,15 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
response510.body.extract[ErrorMessage].message should startWith(ConsentNotFound)
}
}
+ feature(s"test $revokeMyConsent version $VersionOfApi") {
+ scenario("We will call the endpoint with user credentials", revokeMyConsent, VersionOfApi) {
+ When(s"We make a request $revokeMyConsent")
+ val response510 = makeDeleteRequest(revokeMyConsentUrl("xxxx")<@(user1))
+ Then("We should get a 404")
+ response510.code should equal(404)
+ response510.body.extract[ErrorMessage].message should startWith(ConsentNotFound)
+ }
+ }
feature(s"Create/Use/Revoke Consent $VersionOfApi") {
scenario("We will call the Create, Get and Delete endpoints with user credentials ", ApiEndpoint1, ApiEndpoint2, ApiEndpoint3, ApiEndpoint4, ApiEndpoint5, ApiEndpoint6, ApiEndpoint7, VersionOfApi) {
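Review bot: The authenticated feature added here only covers a consent id that does not exist (`"xxxx"` expecting 404); nothing visible in this diff checks that a logged-in user is refused when the id belongs to a consent created by a different user. For an endpoint under `/my/consents/{id}` that ownership check is the authorization boundary, so I would add a scenario that creates a consent as one user, sends the DELETE as a second test user (if the suite provides one), and asserts a non-200 response and an unchanged consent status. The feature title would also be clearer if it named the case, e.g. `s"test $revokeMyConsent version $VersionOfApi - Authenticated access, unknown consent"`.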
@@ -283,7 +305,7 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
Then("We grant the role and test it again")
Entitlement.entitlement.vend.addEntitlement("", resourceUser1.userId, CanGetAnyUser.toString)
val createConsentByRequestResponse = makePostRequest(createConsentByConsentRequestIdEmail(consentRequestId), write(""))
- Then("We should get a 200")
+ Then("We should get a 201")
createConsentByRequestResponse.code should equal(201)
val consentId = createConsentByRequestResponse.body.extract[ConsentJsonV500].consent_id
val consentJwt = createConsentByRequestResponse.body.extract[ConsentJsonV500].jwt
@@ -353,6 +375,37 @@ class ConsentsTest extends V510ServerSetup with PropsReset{
// We cannot get all users anymore
makeGetRequest(requestGetUsers, List(consentIdRequestHeader)).code should equal(401)
+
+ {
+
+ When(s"We try $ApiEndpoint1 v5.0.0")
+ val createConsentResponse = makePostRequest(createConsentRequestUrl, write(postConsentRequestJsonV310))
+ Then("We should get a 201")
+ createConsentResponse.code should equal(201)
+ val createConsentRequestResponseJson = createConsentResponse.body.extract[ConsentRequestResponseJson]
+ val consentRequestId = createConsentRequestResponseJson.consent_request_id
+
+ When("We try to make the GET request v5.0.0")
+ Then("We grant the role and test it again")
+ Entitlement.entitlement.vend.addEntitlement("", resourceUser1.userId, CanGetAnyUser.toString)
+ val createConsentByRequestResponse = makePostRequest(createConsentByConsentRequestIdEmail(consentRequestId), write(""))
+ Then("We should get a 201")
+ createConsentByRequestResponse.code should equal(201)
+ val consentId = createConsentByRequestResponse.body.extract[ConsentJsonV500].consent_id
+
+
+ When(s"We make a request $revokeMyConsent")
+ val response510 = makeDeleteRequest(revokeMyConsentUrl(consentId)<@(user1))
+ Then("We should get a 200")
+ response510.code should equal(200)
+ response510.body.extract[ConsentJsonV310].status shouldBe("REVOKED")
+
+ When("We try to make the GET request v5.0.0")
+ // We cannot get all users anymore
+ makeGetRequest(requestGetUsers, List(consentIdRequestHeader)).code should equal(401)
+
+
+ }
}
}
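Review bot: The last assertion in the added block, `makeGetRequest(requestGetUsers, List(consentIdRequestHeader)).code should equal(401)`, appears to reuse the `consentIdRequestHeader` of the enclosing scenario, which belongs to the earlier consent and already yields 401 on the context line just before the block. If that is the case, the check passes whether or not the new DELETE invalidated anything, so the test only proves that the endpoint reports `status` as `"REVOKED"`, not that the revoked consent stops being honoured. The block extracts only `consent_id` from the new consent; it should also build a request header for that consent the same way the outer one is built (that definition is outside this hunk). It can then assert that a request with the new header succeeds before the DELETE and returns 401 afterwards.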