diff --git a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
index 4dd639ddb..ee5cb701f 100644
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@@ -5,7 +5,7 @@ import java.util.regex.Pattern
 import com.openbankproject.commons.model.enums.TransactionRequestStatus._
 import code.api.Constant._
-import code.api.util.ApiRole.CanCreateAnyTransactionRequest
+import code.api.util.ApiRole.{CanCreateAnyTransactionRequest, canCreateEntitlementAtAnyBank, canCreateEntitlementAtOneBank}
 object ErrorMessages {
 import code.api.util.APIUtil._
@@ -511,6 +511,7 @@ object ErrorMessages {
 val ConsumerKeyIsInvalid = "OBP-35030: The Consumer Key must be alphanumeric. (A-Z, a-z, 0-9)"
 val ConsumerKeyIsToLong = "OBP-35031: The Consumer Key max length <= 512"
 val ConsentHeaderValueInvalid = "OBP-35032: The Consent's Request Header value is not formatted as UUID or JWT."
+ val RolesForbiddenInConsent = s"OBP-35033: Consents cannot contain Roles: ${canCreateEntitlementAtOneBank} and ${canCreateEntitlementAtAnyBank}."
 //Authorisations
 val AuthorisationNotFound = "OBP-36001: Authorisation not found. Please specify valid values for PAYMENT_ID and AUTHORISATION_ID. "
diff --git a/obp-api/src/main/scala/code/api/v5_0_0/APIMethods500.scala b/obp-api/src/main/scala/code/api/v5_0_0/APIMethods500.scala
index 737888e61..d72e38c4d 100644
--- a/obp-api/src/main/scala/code/api/v5_0_0/APIMethods500.scala
+++ b/obp-api/src/main/scala/code/api/v5_0_0/APIMethods500.scala
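Review bot: The new `RolesForbiddenInConsent` message is built from `${canCreateEntitlementAtOneBank}` and `${canCreateEntitlementAtAnyBank}`, so its text depends on those objects' `toString` and on `ApiRole` being fully initialised before this field of `object ErrorMessages` is first read; if `ApiRole` refers back to `ErrorMessages` anywhere, the interpolation could observe a partially initialised value, which is worth confirming. The same two role names are typed out again as a denylist in `APIMethods500`, so a later change to one place can silently miss the other; defining the list once, e.g. `val RolesForbiddenInConsentList = List(canCreateEntitlementAtOneBank.toString(), canCreateEntitlementAtAnyBank.toString())` beside this message, and deriving both the message and the check from it keeps them aligned. The sentence also reads as if both roles must be present together; `... cannot contain the Roles X or Y.` states the rule more precisely.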
@@ -831,6 +831,14 @@ trait APIMethods500 {
 }
 requestedEntitlements = consentRequestJson.entitlements.getOrElse(Nil)
 myEntitlements <- Entitlement.entitlement.vend.getEntitlementsByUserIdFuture(user.userId)
+ _ <- Helper.booleanToFuture(RolesForbiddenInConsent, cc=callContext){
+ requestedEntitlements.map(_.role_name)
+ .intersect(
+ List(
+ canCreateEntitlementAtOneBank.toString(),
+ canCreateEntitlementAtAnyBank.toString())
+ ).length == 0
+ }
 _ <- Helper.booleanToFuture(RolesAllowedInConsent, cc=callContext){
 requestedEntitlements.forall(
 re => myEntitlements.getOrElse(Nil).exists(
@@ -838,7 +846,6 @@ trait APIMethods500 {
 )
 )
 }
-
 postConsentViewJsons <- Future.sequence(
 consentRequestJson.account_access.map(
 access =>
diff --git a/obp-api/src/test/scala/code/api/v5_0_0/ConsentRequestTest.scala b/obp-api/src/test/scala/code/api/v5_0_0/ConsentRequestTest.scala
index fbd2cc4dd..9c1ebfbb8 100644
--- a/obp-api/src/test/scala/code/api/v5_0_0/ConsentRequestTest.scala
+++ b/obp-api/src/test/scala/code/api/v5_0_0/ConsentRequestTest.scala
@@ -62,6 +62,8 @@ class ConsentRequestTest extends V500ServerSetupAsync with PropsReset{
 object ApiEndpoint5 extends Tag(nameOf(Implementations4_0_0.getUsers))
 lazy val entitlements = List(PostConsentEntitlementJsonV310("", CanGetAnyUser.toString()))
+ lazy val forbiddenEntitlementOneBank = List(PostConsentEntitlementJsonV310(testBankId1.value, CanCreateEntitlementAtOneBank.toString()))
+ lazy val forbiddenEntitlementAnyBank = List(PostConsentEntitlementJsonV310("", CanCreateEntitlementAtAnyBank.toString()))
 lazy val accountAccess = List(AccountAccessV500(
 account_routing = AccountRoutingJsonV121(
 scheme = "AccountId",
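Review bot: The forbidden-role check added at `_ <- Helper.booleanToFuture(RolesForbiddenInConsent, ...)` compares the client-supplied `role_name` strings against two `toString()` values spelled out inline, and the same two names are spelled out again in `ErrorMessages`; reading both from one shared list removes the risk of the check and the message drifting apart, and `requestedEntitlements.map(_.role_name).intersect(forbiddenRoles).isEmpty` (or `!requestedEntitlements.exists(re => forbiddenRoles.contains(re.role_name))`) reads more directly than `.length == 0`. The reason for the rule is stated nowhere in the hunk; a one-line comment such as `// Entitlement-granting roles must never be delegated through a consent, otherwise a consent could be used to mint further entitlements` would explain it to the next reader. The check runs only when a consent is created from a stored consent request, so a request carrying these roles is still accepted and persisted (the new tests expect 201 and then 400); rejecting it already at consent-request creation would avoid storing a request that can never succeed, if that matches the intended flow. The enclosing for-comprehension starts and ends outside the hunk, and the second hunk of this file only drops a blank line.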
@@ -160,6 +162,40 @@ class ConsentRequestTest extends V500ServerSetupAsync with PropsReset{
 responseGetUsersWrong.body.extract[ErrorMessage].message contains (ConsentHeaderValueInvalid) should be (true)
 }
+ scenario(s"Check the forbidden roles ${CanCreateEntitlementAtAnyBank.toString()}", ApiEndpoint1, ApiEndpoint2, ApiEndpoint3, ApiEndpoint4, ApiEndpoint5, VersionOfApi) {
+ When(s"We try $ApiEndpoint1 v5.0.0")
+ val postJsonForbiddenEntitlementAtAnyBank = postConsentRequestJsonV310.copy(entitlements = Some(forbiddenEntitlementAnyBank))
+ val createConsentResponse = makePostRequest(createConsentRequestUrl, write(postJsonForbiddenEntitlementAtAnyBank))
+ Then("We should get a 201")
+ createConsentResponse.code should equal(201)
+ val createConsentRequestResponseJson = createConsentResponse.body.extract[ConsentRequestResponseJson]
+ val consentRequestId = createConsentRequestResponseJson.consent_request_id
+
+ // Role CanCreateEntitlementAtAnyBank MUST be forbidden
+ val forbiddenRoleResponse = makePostRequest(createConsentByConsentRequestIdEmail(consentRequestId), write(""))
+ Then("We should get a 400")
+ forbiddenRoleResponse.code should equal(400)
+ forbiddenRoleResponse.code should equal(400)
+ forbiddenRoleResponse.body.extract[ErrorMessage].message should equal (RolesForbiddenInConsent)
+ }
+
+ scenario(s"Check the forbidden roles ${CanCreateEntitlementAtOneBank.toString()}", ApiEndpoint1, ApiEndpoint2, ApiEndpoint3, ApiEndpoint4, ApiEndpoint5, VersionOfApi) {
+ When(s"We try $ApiEndpoint1 v5.0.0")
+ val postJsonForbiddenEntitlementAtOneBank = postConsentRequestJsonV310.copy(entitlements = Some(forbiddenEntitlementOneBank))
+ val createConsentResponse = makePostRequest(createConsentRequestUrl, write(postJsonForbiddenEntitlementAtOneBank))
+ Then("We should get a 201")
+ createConsentResponse.code should equal(201)
+ val createConsentRequestResponseJson = createConsentResponse.body.extract[ConsentRequestResponseJson]
+ val consentRequestId = createConsentRequestResponseJson.consent_request_id
+
+ // Role CanCreateEntitlementAtOneBank MUST be forbidden
+ val forbiddenRoleResponse = makePostRequest(createConsentByConsentRequestIdEmail(consentRequestId), write(""))
+ Then("We should get a 400")
+ forbiddenRoleResponse.code should equal(400)
+ forbiddenRoleResponse.code should equal(400)
+ forbiddenRoleResponse.body.extract[ErrorMessage].message should equal (RolesForbiddenInConsent)
+ } + + } }
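Review bot: `forbiddenRoleResponse.code should equal(400)` appears twice in a row in each of the two new scenarios; the second copy adds nothing and should be dropped. The two scenarios differ only in the fixture and the role named in the title, so a small helper taking the entitlement list, e.g. `def assertConsentRejectedForRole(forbidden: List[PostConsentEntitlementJsonV310]): Unit`, or a loop over `List(forbiddenEntitlementOneBank, forbiddenEntitlementAnyBank)` would keep one copy of the request-then-reject sequence. The first half of each scenario only asserts the 201, which is fine for the rule under test, but a short comment above `Then("We should get a 201")` saying that the consent request itself is expected to be accepted and only the consent creation is rejected would spare the reader a second look. The closing lines of the hunk were collapsed in the source, so the feature and class braces could not be checked line by line.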