test/OBPv510 added the tests for AccountAccessTest
This commit is contained in:
parent
f70207a2e3
commit
fda090c53b
@ -647,7 +647,7 @@ trait OBPRestHelper extends RestHelper with MdcLoggable {
|
||||
apiPrefix:OBPEndpoint => OBPEndpoint,
|
||||
autoValidateAll: Boolean = false): Unit = {
|
||||
|
||||
def isAutoValidate(doc: ResourceDoc): Boolean = { //note: only support v5.0.0 and v4.0.0 at the moment.
|
||||
def isAutoValidate(doc: ResourceDoc): Boolean = { //note: only support v5.1.0, v5.0.0 and v4.0.0 at the moment.
|
||||
doc.isValidateEnabled || (autoValidateAll && !doc.isValidateDisabled && List(OBPAPI5_1_0.version,OBPAPI5_0_0.version,OBPAPI4_0_0.version).contains(doc.implementedInApiVersion))
|
||||
}
|
||||
|
||||
|
||||
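Review bot: The list of auto-validated versions on the `doc.isValidateEnabled || (autoValidateAll && ...` line is now duplicated in the trailing comment of `isAutoValidate`, so every future version needs two edits and the comment can silently drift from the code. Hoisting it into a named member, `private val autoValidateVersions = List(OBPAPI5_1_0.version, OBPAPI5_0_0.version, OBPAPI4_0_0.version)`, and testing `autoValidateVersions.contains(doc.implementedInApiVersion)` keeps a single source of truth and lets the comment just point at that member. The enclosing method taking `apiPrefix` and `autoValidateAll` starts outside the hunk.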
@ -5399,6 +5399,9 @@ object SwaggerDefinitionsJSON {
|
||||
val atmsJsonV510 = AtmsJsonV510(
|
||||
atms = List(atmJsonV510)
|
||||
)
|
||||
|
||||
val postAccountAccessJsonV510 = PostAccountAccessJsonV510(userIdExample.value,viewIdExample.value)
|
||||
|
||||
//The common error or success format.
|
||||
//Just some helper format to use in Json
|
||||
case class NotSupportedYet()
|
||||
|
||||
@ -4083,7 +4083,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
//1. if targetViewId is systemView. just compare all the permissions
|
||||
if(isValidSystemViewId(targetViewId.value)){
|
||||
val allCanGrantAccessToViewsPermissions: List[String] = permission
|
||||
.map(_.views.map(_.canGrantAccessToSystemViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
.map(_.views.map(_.canGrantAccessToViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
|
||||
allCanGrantAccessToViewsPermissions.contains(targetViewId.value)
|
||||
} else{
|
||||
@ -4101,7 +4101,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
|
||||
//2rd: f targetViewId is systemView. we need to check `view.canGrantAccessToSystemViews` field.
|
||||
if(isValidSystemViewId(targetViewId.value)){
|
||||
val canGrantAccessToSystemViews: Box[List[String]] = view.map(_.canGrantAccessToSystemViews.getOrElse(Nil))
|
||||
val canGrantAccessToSystemViews: Box[List[String]] = view.map(_.canGrantAccessToViews.getOrElse(Nil))
|
||||
canGrantAccessToSystemViews.getOrElse(Nil).contains(targetViewId.value)
|
||||
} else{
|
||||
//3rd. if targetViewId is customView, we need to check `view.canGrantAccessToCustomViews` field.
|
||||
@ -4115,7 +4115,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
val permissionBox = Views.views.vend.permission(BankIdAccountId(bankId, accountId), user)
|
||||
|
||||
//Retrieve all views from the 'canRevokeAccessToViews' list within each view from the permission views.
|
||||
val allCanGrantAccessToSystemViews: List[String] = permissionBox.map(_.views.map(_.canGrantAccessToSystemViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
val allCanGrantAccessToSystemViews: List[String] = permissionBox.map(_.views.map(_.canGrantAccessToViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
|
||||
val allSystemViewsIdsTobeGranted: List[String] = targetViewIds.map(_.value).distinct.filter(isValidSystemViewId)
|
||||
|
||||
@ -4139,7 +4139,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
|
||||
//2rd: f targetViewId is systemView. we need to check `view.canGrantAccessToSystemViews` field.
|
||||
if (isValidSystemViewId(targetViewId.value)) {
|
||||
val canRevokeAccessToSystemViews: Box[List[String]] = view.map(_.canRevokeAccessToSystemViews.getOrElse(Nil))
|
||||
val canRevokeAccessToSystemViews: Box[List[String]] = view.map(_.canRevokeAccessToViews.getOrElse(Nil))
|
||||
canRevokeAccessToSystemViews.getOrElse(Nil).contains(targetViewId.value)
|
||||
} else {
|
||||
//3rd. if targetViewId is customView, we need to check `view.canGrantAccessToCustomViews` field.
|
||||
@ -4155,7 +4155,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
//1. if targetViewId is systemView. just compare all the permissions
|
||||
if (isValidSystemViewId(targetViewId.value)) {
|
||||
val allCanRevokeAccessToSystemViews: List[String] = permission
|
||||
.map(_.views.map(_.canRevokeAccessToSystemViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
.map(_.views.map(_.canRevokeAccessToViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
|
||||
allCanRevokeAccessToSystemViews.contains(targetViewId.value)
|
||||
} else {
|
||||
@ -4172,7 +4172,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
|
||||
val permissionBox = Views.views.vend.permission(BankIdAccountId(bankId, accountId), user)
|
||||
|
||||
//Retrieve all views from the 'canRevokeAccessToViews' list within each view from the permission views.
|
||||
val allCanRevokeAccessToViews: List[String] = permissionBox.map(_.views.map(_.canRevokeAccessToSystemViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
val allCanRevokeAccessToViews: List[String] = permissionBox.map(_.views.map(_.canRevokeAccessToViews.getOrElse(Nil)).flatten).getOrElse(Nil).distinct
|
||||
|
||||
//All targetViewIds:
|
||||
val allTargetViewIds: List[String] = permissionBox.map(_.views.map(_.viewId.value)).getOrElse(Nil).distinct
|
||||
|
||||
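Review bot: The comments around the renamed field are now wrong in three places: the `//2rd: f targetViewId is systemView. we need to check `view.canGrantAccessToSystemViews` field.` comment sits above the new `view.map(_.canGrantAccessToViews.getOrElse(Nil))` line, the same comment is repeated verbatim in the revoke hunk above `view.map(_.canRevokeAccessToViews.getOrElse(Nil))`, and `//Retrieve all views from the 'canRevokeAccessToViews' list ...` sits above the grant-side `allCanGrantAccessToSystemViews` val. Suggest `//2nd: if targetViewId is a system view, it must be listed in the current view's canGrantAccessToViews field.` (and the `canRevokeAccessToViews` wording for the revoke path), and dropping "System" from the local names `canGrantAccessToSystemViews`, `allCanGrantAccessToSystemViews`, `canRevokeAccessToSystemViews` and `allCanRevokeAccessToSystemViews`, which now read the renamed fields. Which branch a grant or revoke takes is decided only by `isValidSystemViewId(targetViewId.value)` — presumably a naming rule on the id — so it is worth one comment on the first `if(isValidSystemViewId(targetViewId.value)){` stating that the list-based check applies to system views only and custom views are gated by `canGrantAccessToCustomViews`. The enclosing methods begin and end outside these hunks.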
@ -544,14 +544,14 @@ object NewStyle extends MdcLoggable{
|
||||
Future{
|
||||
APIUtil.checkViewAccessAndReturnView(viewId, bankAccountId, user, callContext)
|
||||
} map {
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView")
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView Current ViewId is ${viewId.value}")
|
||||
}
|
||||
}
|
||||
def checkAccountAccessAndGetView(viewId : ViewId, bankAccountId: BankIdAccountId, user: Option[User], callContext: Option[CallContext]) : Future[View] = {
|
||||
Future{
|
||||
APIUtil.checkViewAccessAndReturnView(viewId, bankAccountId, user, callContext)
|
||||
} map {
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView ${viewId.value}", 403)
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView Current ViewId is ${viewId.value}", 403)
|
||||
}
|
||||
}
|
||||
def checkViewsAccessAndReturnView(firstView : ViewId, secondView : ViewId, bankAccountId: BankIdAccountId, user: Option[User], callContext: Option[CallContext]) : Future[View] = {
|
||||
@ -560,7 +560,7 @@ object NewStyle extends MdcLoggable{
|
||||
APIUtil.checkViewAccessAndReturnView(secondView, bankAccountId, user, callContext)
|
||||
)
|
||||
} map {
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView")
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView Current ViewId is ${firstView.value} or ${secondView.value}")
|
||||
}
|
||||
}
|
||||
def checkBalancingTransactionAccountAccessAndReturnView(doubleEntryTransaction: DoubleEntryTransaction, user: Option[User], callContext: Option[CallContext]) : Future[View] = {
|
||||
@ -578,7 +578,7 @@ object NewStyle extends MdcLoggable{
|
||||
APIUtil.checkViewAccessAndReturnView(ownerViewId, creditBankAccountId, user, callContext)
|
||||
)
|
||||
} map {
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView")
|
||||
unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView Current ViewId is ${ownerViewId.value}")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
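Review bot: Of the four rewritten `$UserNoPermissionAccessView Current ViewId is ...` calls in this section only `checkAccountAccessAndGetView` passes `403` to `unboxFullOrFail`; the call above it, the one in `checkViewsAccessAndReturnView` and the one in `checkBalancingTransactionAccountAccessAndReturnView` still omit the status, so presumably they fall back to `unboxFullOrFail`'s default and the same denied-view-access condition surfaces with different HTTP codes depending on which helper an endpoint used. Since the commit already rewrites each of these lines, pass the code uniformly, e.g. `unboxFullOrFail(_, callContext, s"$UserNoPermissionAccessView Current ViewId is ${firstView.value} or ${secondView.value}", 403)`. A consistent 403 for authorization failures also keeps status-based test assertions such as the `reply.code should equal (403)` check in API1_2_1Test meaningful across endpoints. The method containing the first hunk begins outside it.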
@ -888,8 +888,8 @@ object JSONFactory500 {
|
||||
can_create_direct_debit = view.canCreateDirectDebit,
|
||||
can_create_standing_order = view.canCreateStandingOrder,
|
||||
// Version 5.0.0
|
||||
can_grant_access_to_views = view.canGrantAccessToSystemViews.getOrElse(Nil),
|
||||
can_revoke_access_to_views = view.canRevokeAccessToSystemViews.getOrElse(Nil),
|
||||
can_grant_access_to_views = view.canGrantAccessToViews.getOrElse(Nil),
|
||||
can_revoke_access_to_views = view.canRevokeAccessToViews.getOrElse(Nil),
|
||||
)
|
||||
}
|
||||
def createViewsJsonV500(views : List[View]) : ViewsJsonV500 = {
|
||||
|
||||
@ -1924,17 +1924,20 @@ trait APIMethods510 {
|
||||
implementedInApiVersion,
|
||||
nameOf(grantUserAccessToViewById),
|
||||
"POST",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/VIEW_ID/account-access/grant",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/views/VIEW_ID/account-access/grant",
|
||||
"Grant User access to View",
|
||||
s"""Grants the User identified by USER_ID access to the view identified by VIEW_ID.
|
||||
s"""Grants the User identified by USER_ID access to the view identified.
|
||||
|
|
||||
|${authenticationRequiredMessage(true)} and the user needs to be account holder.
|
||||
|
|
||||
|""",
|
||||
postAccountAccessJsonV400,
|
||||
postAccountAccessJsonV510,
|
||||
viewJsonV300,
|
||||
List(
|
||||
$UserNotLoggedIn,
|
||||
$BankNotFound,
|
||||
$BankAccountNotFound,
|
||||
$UserNoPermissionAccessView,
|
||||
UserLacksPermissionCanGrantAccessToSystemViewForTargetAccount,
|
||||
UserLacksPermissionCanGrantAccessToCustomViewForTargetAccount,
|
||||
InvalidJsonFormat,
|
||||
@ -1948,22 +1951,25 @@ trait APIMethods510 {
|
||||
|
||||
lazy val grantUserAccessToViewById: OBPEndpoint = {
|
||||
//add access for specific user to a specific system view
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) :: ViewId(viewId):: "account-access" :: "grant" :: Nil JsonPost json -> _ => {
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) ::"views":: ViewId(viewId):: "account-access" :: "grant" :: Nil JsonPost json -> _ => {
|
||||
cc =>
|
||||
implicit val ec = EndpointContext(Some(cc))
|
||||
val failMsg = s"$InvalidJsonFormat The Json body should be the $PostAccountAccessJsonV400 "
|
||||
val failMsg = s"$InvalidJsonFormat The Json body should be the $PostAccountAccessJsonV510 "
|
||||
for {
|
||||
(Full(u), callContext) <- SS.user
|
||||
postJson <- NewStyle.function.tryons(failMsg, 400, cc.callContext) {
|
||||
json.extract[PostAccountAccessJsonV400]
|
||||
json.extract[PostAccountAccessJsonV510]
|
||||
}
|
||||
targetViewId = ViewId(postJson.view.view_id)
|
||||
targetViewId = ViewId(postJson.view_id)
|
||||
msg = getUserLacksGrantPermissionErrorMessage(viewId, targetViewId)
|
||||
_ <- Helper.booleanToFuture(msg, cc = cc.callContext) {
|
||||
_ <- Helper.booleanToFuture(msg, 403, cc = cc.callContext) {
|
||||
APIUtil.canGrantAccessToView(BankIdAccountIdViewId(bankId,accountId,viewId),targetViewId, u, callContext)
|
||||
}
|
||||
(user, callContext) <- NewStyle.function.findByUserId(postJson.user_id, callContext)
|
||||
view <- JSONFactory400.getView(bankId, accountId, postJson.view, callContext)
|
||||
view <- isValidSystemViewId(targetViewId.value) match {
|
||||
case true => NewStyle.function.systemView(targetViewId, callContext)
|
||||
case false => NewStyle.function.customView(targetViewId, BankIdAccountId(bankId, accountId), callContext)
|
||||
}
|
||||
addedView <- JSONFactory400.grantAccountAccessToUser(bankId, accountId, user, view, callContext)
|
||||
|
||||
} yield {
|
||||
@ -1979,17 +1985,20 @@ trait APIMethods510 {
|
||||
implementedInApiVersion,
|
||||
nameOf(revokeUserAccessToViewById),
|
||||
"POST",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/VIEW_ID/account-access/revoke",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/views/VIEW_ID/account-access/revoke",
|
||||
"Revoke User access to View",
|
||||
s"""Revoke the User identified by USER_ID access to the view identified by VIEW_ID.
|
||||
s"""Revoke the User identified by USER_ID access to the view identified.
|
||||
|
|
||||
|${authenticationRequiredMessage(true)}.
|
||||
|
|
||||
|""",
|
||||
postAccountAccessJsonV400,
|
||||
postAccountAccessJsonV510,
|
||||
revokedJsonV400,
|
||||
List(
|
||||
$UserNotLoggedIn,
|
||||
$BankNotFound,
|
||||
$BankAccountNotFound,
|
||||
$UserNoPermissionAccessView,
|
||||
UserLacksPermissionCanRevokeAccessToCustomViewForTargetAccount,
|
||||
UserLacksPermissionCanRevokeAccessToSystemViewForTargetAccount,
|
||||
InvalidJsonFormat,
|
||||
@ -2004,28 +2013,28 @@ trait APIMethods510 {
|
||||
|
||||
lazy val revokeUserAccessToViewById: OBPEndpoint = {
|
||||
//add access for specific user to a specific system view
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) :: ViewId(viewId) :: "account-access" :: "revoke" :: Nil JsonPost json -> _ => {
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) :: "views" ::ViewId(viewId) :: "account-access" :: "revoke" :: Nil JsonPost json -> _ => {
|
||||
cc =>
|
||||
implicit val ec = EndpointContext(Some(cc))
|
||||
val failMsg = s"$InvalidJsonFormat The Json body should be the $PostAccountAccessJsonV400 "
|
||||
for {
|
||||
(Full(u), callContext) <- SS.user
|
||||
postJson <- NewStyle.function.tryons(failMsg, 400, cc.callContext) {
|
||||
json.extract[PostAccountAccessJsonV400]
|
||||
json.extract[PostAccountAccessJsonV510]
|
||||
}
|
||||
targetViewId = ViewId(postJson.view.view_id)
|
||||
targetViewId = ViewId(postJson.view_id)
|
||||
|
||||
msg = getUserLacksRevokePermissionErrorMessage(viewId, targetViewId)
|
||||
|
||||
_ <- Helper.booleanToFuture(msg, cc = cc.callContext) {
|
||||
_ <- Helper.booleanToFuture(msg, 403, cc = cc.callContext) {
|
||||
APIUtil.canRevokeAccessToView(BankIdAccountIdViewId(bankId, accountId, viewId),targetViewId, u, callContext)
|
||||
}
|
||||
(user, callContext) <- NewStyle.function.findByUserId(postJson.user_id, cc.callContext)
|
||||
view <- postJson.view.is_system match {
|
||||
view <- isValidSystemViewId(targetViewId.value) match {
|
||||
case true => NewStyle.function.systemView(targetViewId, callContext)
|
||||
case false => NewStyle.function.customView(targetViewId, BankIdAccountId(bankId, accountId), callContext)
|
||||
}
|
||||
revoked <- postJson.view.is_system match {
|
||||
revoked <- isValidSystemViewId(targetViewId.value) match {
|
||||
case true => NewStyle.function.revokeAccessToSystemView(bankId, accountId, view, user, callContext)
|
||||
case false => NewStyle.function.revokeAccessToCustomView(view, user, callContext)
|
||||
}
|
||||
@ -2040,7 +2049,7 @@ trait APIMethods510 {
|
||||
implementedInApiVersion,
|
||||
nameOf(createUserWithAccountAccessById),
|
||||
"POST",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/VIEW_ID/user-account-access",
|
||||
"/banks/BANK_ID/accounts/ACCOUNT_ID/views/VIEW_ID/user-account-access",
|
||||
"Create (DAuth) User with Account Access",
|
||||
s"""This endpoint is used as part of the DAuth solution to grant access to account and transaction data to a smart contract on the blockchain.
|
||||
|
|
||||
@ -2061,6 +2070,9 @@ trait APIMethods510 {
|
||||
List(viewJsonV300),
|
||||
List(
|
||||
$UserNotLoggedIn,
|
||||
$BankNotFound,
|
||||
$BankAccountNotFound,
|
||||
$UserNoPermissionAccessView,
|
||||
UserLacksPermissionCanGrantAccessToSystemViewForTargetAccount,
|
||||
UserLacksPermissionCanGrantAccessToCustomViewForTargetAccount,
|
||||
InvalidJsonFormat,
|
||||
@ -2072,7 +2084,7 @@ trait APIMethods510 {
|
||||
List(apiTagAccountAccess, apiTagView, apiTagAccount, apiTagUser, apiTagOwnerRequired, apiTagDAuth))
|
||||
|
||||
lazy val createUserWithAccountAccessById: OBPEndpoint = {
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) :: ViewId(viewId) :: "user-account-access" :: Nil JsonPost json -> _ => {
|
||||
case "banks" :: BankId(bankId) :: "accounts" :: AccountId(accountId) :: "views" ::ViewId(viewId) :: "user-account-access" :: Nil JsonPost json -> _ => {
|
||||
cc =>
|
||||
implicit val ec = EndpointContext(Some(cc))
|
||||
val failMsg = s"$InvalidJsonFormat The Json body should be the $PostCreateUserAccountAccessJsonV510 "
|
||||
@ -2085,18 +2097,18 @@ trait APIMethods510 {
|
||||
_ <- Helper.booleanToFuture(s"$InvalidUserProvider The user.provider must be start with 'dauth.'", cc = Some(cc)) {
|
||||
postJson.provider.startsWith("dauth.")
|
||||
}
|
||||
targetViewId = ViewId(postJson.view.view_id)
|
||||
targetViewId = ViewId(postJson.view_id)
|
||||
msg = getUserLacksGrantPermissionErrorMessage(viewId, targetViewId)
|
||||
|
||||
_ <- Helper.booleanToFuture(msg, 403, cc = Some(cc)) {
|
||||
APIUtil.canGrantAccessToView(BankIdAccountIdViewId(bankId, accountId, viewId) ,targetViewId, u, callContext)
|
||||
}
|
||||
(targetUser, callContext) <- NewStyle.function.getOrCreateResourceUser(postJson.provider, postJson.username, cc.callContext)
|
||||
view <- postJson.view.is_system match {
|
||||
view <- isValidSystemViewId(targetViewId.value) match {
|
||||
case true => NewStyle.function.systemView(targetViewId, callContext)
|
||||
case false => NewStyle.function.customView(targetViewId, BankIdAccountId(bankId, accountId), callContext)
|
||||
}
|
||||
addedView <- postJson.view.is_system match {
|
||||
addedView <- isValidSystemViewId(targetViewId.value) match {
|
||||
case true => NewStyle.function.grantAccessToSystemView(bankId, accountId, view, targetUser, callContext)
|
||||
case false => NewStyle.function.grantAccessToCustomView(view, targetUser, callContext)
|
||||
}
|
||||
|
||||
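Review bot: In `revokeUserAccessToViewById` the line `val failMsg = s"$InvalidJsonFormat The Json body should be the $PostAccountAccessJsonV400 "` was not updated although the extraction below it became `json.extract[PostAccountAccessJsonV510]`, so a malformed body is rejected with a message naming the wrong schema; the grant endpoint received `$PostAccountAccessJsonV510` in this same commit and this line should match it. The `//add access for specific user to a specific system view` comment above both the grant and the revoke `case` lines is stale twice over (the second endpoint revokes, and both now branch on `isValidSystemViewId(targetViewId.value)` so they cover custom views too); `//grant (resp. revoke) the given user's access to the system or custom view named by view_id, after checking the caller's permission on VIEW_ID` fits both. Deciding system-vs-custom from the id on the server instead of the former client-supplied `is_system` flag is a sound change, and a short comment on the `view <- isValidSystemViewId(targetViewId.value) match {` line saying the classification is deliberately not taken from the request body would stop it being reintroduced. The grant endpoint calls `NewStyle.function.findByUserId(postJson.user_id, callContext)` while the revoke endpoint passes `cc.callContext`; aligning them avoids losing whatever the earlier `SS.user` step put into `callContext`, though I cannot tell from the hunk whether the two differ at that point. Each endpoint body continues outside its hunk.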
@ -307,7 +307,9 @@ case class ConsumerJsonV510(consumer_id: String,
|
||||
created: Date
|
||||
)
|
||||
|
||||
case class PostCreateUserAccountAccessJsonV510(username: String, provider:String, view: PostViewJsonV400)
|
||||
case class PostCreateUserAccountAccessJsonV510(username: String, provider:String, view_id:String)
|
||||
|
||||
case class PostAccountAccessJsonV510(user_id: String, view_id: String)
|
||||
|
||||
object JSONFactory510 extends CustomJsonFormats {
|
||||
|
||||
|
||||
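Review bot: `PostAccountAccessJsonV510` and the reshaped `PostCreateUserAccountAccessJsonV510` have no Scaladoc, and nothing at the definition tells a reader that `view_id` may name either a system or a custom view and that the server, not the client, decides which (the v5.1.0 endpoints branch on `isValidSystemViewId`). A one-line `/** Request body for the v5.1.0 account-access endpoints; `view_id` is a system or custom view id and its kind is determined server-side. */` on each class would capture the contract that replaced the removed `PostViewJsonV400.is_system` field.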
@ -209,7 +209,7 @@ case class BankAccountExtended(val bankAccount: BankAccount) extends MdcLoggable
|
||||
customerList.toSet
|
||||
}
|
||||
|
||||
private def viewNotAllowed(view : View ) = Failure(s"${UserNoPermissionAccessView} Current VIEW_ID (${view.viewId.value})")
|
||||
private def viewNotAllowed(view : View) = Failure(s"${UserNoPermissionAccessView} Current ViewId is ${view.viewId.value}")
|
||||
|
||||
/**
|
||||
* @param user the user that wants to grant another user access to a view on this account
|
||||
|
||||
@ -472,7 +472,7 @@ class ViewDefinition extends View with LongKeyedMapper[ViewDefinition] with Many
|
||||
def hideOtherAccountMetadataIfAlias: Boolean = hideOtherAccountMetadataIfAlias_.get
|
||||
|
||||
//This current view can grant access to other views.
|
||||
override def canGrantAccessToSystemViews : Option[List[String]] = {
|
||||
override def canGrantAccessToViews : Option[List[String]] = {
|
||||
canGrantAccessToViews_.get == null || canGrantAccessToViews_.get.isEmpty() match {
|
||||
case true => None
|
||||
case _ => Some(canGrantAccessToViews_.get.split(",").toList.map(_.trim))
|
||||
@ -482,7 +482,7 @@ class ViewDefinition extends View with LongKeyedMapper[ViewDefinition] with Many
|
||||
def canGrantAccessToCustomViews : Boolean = canGrantAccessToCustomViews_.get
|
||||
|
||||
//the current view can revoke access to other views.
|
||||
override def canRevokeAccessToSystemViews : Option[List[String]] = {
|
||||
override def canRevokeAccessToViews : Option[List[String]] = {
|
||||
canRevokeAccessToViews_.get == null || canRevokeAccessToViews_.get.isEmpty() match {
|
||||
case true => None
|
||||
case _ => Some(canRevokeAccessToViews_.get.split(",").toList.map(_.trim))
|
||||
|
||||
@ -6505,7 +6505,7 @@ class API1_2_1Test extends ServerSetupWithTestData with DefaultUsers with Privat
|
||||
Then("we should get a 403 code")
|
||||
reply.code should equal (403)
|
||||
And("we should get an error message")
|
||||
reply.body.extract[ErrorMessage].message should equal (UserNoPermissionAccessView)
|
||||
reply.body.extract[ErrorMessage].message contains (UserNoPermissionAccessView) shouldBe (true)
|
||||
}
|
||||
|
||||
scenario("we will not get get the other bank account of a random transaction because the transaction does not exist", API1_2_1, GetTransactionAccount){
|
||||
|
||||
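Review bot: Replacing `should equal (UserNoPermissionAccessView)` with `message contains (UserNoPermissionAccessView) shouldBe (true)` drops the failure diagnostics (a failure now reports only that false was not true) and accepts the constant anywhere in the message. Since the server now appends `Current ViewId is ...` after the constant, `reply.body.extract[ErrorMessage].message should startWith (UserNoPermissionAccessView)` is both tighter and prints the actual message on failure. The enclosing scenario starts outside the hunk.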
@ -5,10 +5,10 @@ import code.api.ResourceDocs1_4_0.SwaggerDefinitionsJSON
|
||||
import code.api.ResourceDocs1_4_0.SwaggerDefinitionsJSON.createViewJsonV300
|
||||
import code.api.util.APIUtil.OAuth._
|
||||
import code.api.util.ApiRole
|
||||
import code.api.util.ErrorMessages.{UserLacksPermissionCanGrantAccessToViewForTargetAccount, UserNotLoggedIn}
|
||||
import code.api.util.ErrorMessages.{UserLacksPermissionCanGrantAccessToCustomViewForTargetAccount, UserLacksPermissionCanGrantAccessToSystemViewForTargetAccount, UserLacksPermissionCanGrantAccessToViewForTargetAccount, UserLacksPermissionCanRevokeAccessToCustomViewForTargetAccount, UserLacksPermissionCanRevokeAccessToSystemViewForTargetAccount, UserLacksPermissionCanRevokeAccessToViewForTargetAccount, UserNotLoggedIn}
|
||||
import code.api.v3_0_0.ViewJsonV300
|
||||
import code.api.v3_1_0.CreateAccountResponseJsonV310
|
||||
import code.api.v4_0_0.{PostAccountAccessJsonV400, PostViewJsonV400}
|
||||
import code.api.v4_0_0.RevokedJsonV400
|
||||
import code.api.v5_1_0.OBPAPI5_1_0.Implementations5_1_0
|
||||
import code.entitlement.Entitlement
|
||||
import com.github.dwickern.macros.NameOf.nameOf
|
||||
@ -28,13 +28,16 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
*/
|
||||
object VersionOfApi extends Tag(ApiVersion.v5_1_0.toString)
|
||||
object ApiEndpoint1 extends Tag(nameOf(Implementations5_1_0.grantUserAccessToViewById))
|
||||
object ApiEndpoint2 extends Tag(nameOf(Implementations5_1_0.revokeUserAccessToViewById))
|
||||
object ApiEndpoint3 extends Tag(nameOf(Implementations5_1_0.createUserWithAccountAccessById))
|
||||
|
||||
|
||||
lazy val bankId = randomBankId
|
||||
lazy val bankAccount = randomPrivateAccountViaEndpoint(bankId)
|
||||
lazy val ownerView = SYSTEM_OWNER_VIEW_ID
|
||||
lazy val managerCustomView = SYSTEM_MANAGE_CUSTOM_VIEWS_VIEW_ID
|
||||
lazy val postAccountAccessJson = PostAccountAccessJsonV400(resourceUser2.userId, PostViewJsonV400("_test_view", false))
|
||||
lazy val postAccountAccessJson = PostAccountAccessJsonV510(resourceUser2.userId, "_test_view")
|
||||
lazy val postCreateUserAccountAccessJsonV510 = PostCreateUserAccountAccessJsonV510(resourceUser2.userId, "dauth."+resourceUser2.provider, "_test_view")
|
||||
lazy val postBodyViewJson = createViewJsonV300.toCreateViewJson
|
||||
|
||||
def createAnAccount(bankId: String, user: Option[(Consumer,Token)]): CreateAccountResponseJsonV310 = {
|
||||
@ -55,7 +58,7 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
|
||||
scenario("We will call the endpoint without user credentials", ApiEndpoint1, VersionOfApi) {
|
||||
When("We make a request v4.0.0")
|
||||
val request510 = (v5_1_0_Request / "banks" / bankId / "accounts" / bankAccount.id / ownerView /"account-access" / "grant").POST
|
||||
val request510 = (v5_1_0_Request / "banks" / bankId / "accounts" / bankAccount.id /"views" / ownerView /"account-access" / "grant").POST
|
||||
val response510 = makePostRequest(request510, write(postAccountAccessJson))
|
||||
Then("We should get a 401")
|
||||
response510.code should equal(401)
|
||||
@ -71,13 +74,13 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostAccountAccessJsonV400(resourceUser2.userId, PostViewJsonV400(view.id, view.is_system))
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, view.id)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id / ownerView / "account-access" / "grant").POST <@ (user1)
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "account-access" / "grant").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 400 and check the response body")
|
||||
response.code should equal(400)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToViewForTargetAccount)
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToCustomViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and managerCustomView view, but try to grant system view access", VersionOfApi, ApiEndpoint1) {
|
||||
@ -88,13 +91,13 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostAccountAccessJsonV400(resourceUser2.userId, PostViewJsonV400(SYSTEM_AUDITOR_VIEW_ID, true))
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, SYSTEM_AUDITOR_VIEW_ID)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id / managerCustomView / "account-access" / "grant").POST <@ (user1)
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "account-access" / "grant").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 400 and check the response body")
|
||||
response.code should equal(400)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToViewForTargetAccount)
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToSystemViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and system view permission", VersionOfApi, ApiEndpoint1) {
|
||||
@ -105,9 +108,9 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostAccountAccessJsonV400(resourceUser2.userId, PostViewJsonV400(SYSTEM_AUDITOR_VIEW_ID, true))
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, SYSTEM_AUDITOR_VIEW_ID)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id / ownerView / "account-access" / "grant").POST <@ (user1)
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "account-access" / "grant").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
@ -123,9 +126,190 @@ class AccountAccessTest extends V510ServerSetup {
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostAccountAccessJsonV400(resourceUser2.userId, PostViewJsonV400(view.id, view.is_system))
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, view.id)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id / managerCustomView / "account-access" / "grant").POST <@ (user1)
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "account-access" / "grant").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
response.body.extract[ViewJsonV300]
|
||||
}
|
||||
}
|
||||
|
||||
feature(s"test $ApiEndpoint2 Authorized access") {
|
||||
|
||||
scenario("We will call the endpoint without user credentials", ApiEndpoint2, VersionOfApi) {
|
||||
When("We make a request v4.0.0")
|
||||
val request510 = (v5_1_0_Request / "banks" / bankId / "accounts" / bankAccount.id /"views" / ownerView /"account-access" / "revoke").POST
|
||||
val response510 = makePostRequest(request510, write(postAccountAccessJson))
|
||||
Then("We should get a 401")
|
||||
response510.code should equal(401)
|
||||
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and system view, but try to grant custom view access", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, view.id)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "account-access" / "revoke").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanRevokeAccessToCustomViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and managerCustomView view, but try to revoke system view access", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, SYSTEM_AUDITOR_VIEW_ID)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "account-access" / "revoke").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanRevokeAccessToSystemViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and system view permission", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, SYSTEM_AUDITOR_VIEW_ID)
|
||||
|
||||
When("We 1st grant the account access the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "account-access" / "grant").POST <@ (user1)
|
||||
val responseGrant = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
responseGrant.code should equal(201)
|
||||
responseGrant.body.extract[ViewJsonV300]
|
||||
|
||||
When("We send the Revoke request")
|
||||
val requestRevoke = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "account-access" / "revoke").POST <@ (user1)
|
||||
val response = makePostRequest(requestRevoke, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
response.body.extract[RevokedJsonV400].revoked should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and custom view permission", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostAccountAccessJsonV510(resourceUser2.userId, view.id)
|
||||
val requestGrant = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "account-access" / "grant").POST <@ (user1)
|
||||
|
||||
When("We 1st grant the account access the request")
|
||||
val responseGrant = makePostRequest(requestGrant, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
responseGrant.code should equal(201)
|
||||
responseGrant.body.extract[ViewJsonV300]
|
||||
|
||||
When("We send the Revoke request")
|
||||
val requestRevoke = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "account-access" / "revoke").POST <@ (user1)
|
||||
val response = makePostRequest(requestRevoke, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
response.body.extract[RevokedJsonV400].revoked should be (true)
|
||||
}
|
||||
}
|
||||
|
||||
feature(s"test $ApiEndpoint3 Authorized access") {
|
||||
|
||||
scenario("We will call the endpoint without user credentials", ApiEndpoint1, VersionOfApi) {
|
||||
When("We make a request v4.0.0")
|
||||
val request510 = (v5_1_0_Request / "banks" / bankId / "accounts" / bankAccount.id /"views" / ownerView /"user-account-access").POST
|
||||
val response510 = makePostRequest(request510, write(postAccountAccessJson))
|
||||
Then("We should get a 401")
|
||||
response510.code should equal(401)
|
||||
response510.body.extract[ErrorMessage].message should equal(UserNotLoggedIn)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and system view, but try to grant custom view access", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostCreateUserAccountAccessJsonV510(resourceUser2.userId, "dauth."+resourceUser2.provider, view.id)
|
||||
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "user-account-access").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToCustomViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and managerCustomView view, but try to grant system view access", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostCreateUserAccountAccessJsonV510(resourceUser2.userId, "dauth."+resourceUser2.provider, ownerView)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "user-account-access").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 403 and check the response body")
|
||||
response.code should equal(403)
|
||||
response.body.toString.contains(UserLacksPermissionCanGrantAccessToSystemViewForTargetAccount) should be (true)
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and system view permission", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val postJson = PostCreateUserAccountAccessJsonV510(resourceUser2.userId,"dauth."+resourceUser2.provider, SYSTEM_AUDITOR_VIEW_ID)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ ownerView / "user-account-access").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
response.body.extract[ViewJsonV300]
|
||||
}
|
||||
|
||||
scenario("We will call the endpoint with user credentials and custom view permission", VersionOfApi, ApiEndpoint1) {
|
||||
val addedEntitlement: Box[Entitlement] = Entitlement.entitlement.vend.addEntitlement(bankId, resourceUser1.userId, ApiRole.CanCreateAccount.toString)
|
||||
val account = try {
|
||||
createAnAccount(bankId, user1)
|
||||
} finally {
|
||||
Entitlement.entitlement.vend.deleteEntitlement(addedEntitlement)
|
||||
}
|
||||
|
||||
val view = createViewForAnAccount(bankId, account.account_id)
|
||||
val postJson = PostCreateUserAccountAccessJsonV510(resourceUser2.userId,"dauth."+resourceUser2.provider, view.id)
|
||||
When("We send the request")
|
||||
val request = (v5_1_0_Request / "banks" / bankId / "accounts" / account.account_id /"views"/ managerCustomView / "user-account-access").POST <@ (user1)
|
||||
val response = makePostRequest(request, write(postJson))
|
||||
Then("We should get a 201 and check the response body")
|
||||
response.code should equal(201)
|
||||
|
||||
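Review bot: The scenarios inside the `test $ApiEndpoint2` and `test $ApiEndpoint3` features are tagged `ApiEndpoint1` (every revoke scenario after the unauthenticated one, and all four user-account-access scenarios), so running the suite filtered by endpoint tag exercises the wrong tests; they should read `scenario("...", VersionOfApi, ApiEndpoint2)` and `scenario("...", VersionOfApi, ApiEndpoint3)` respectively. The same copy-paste left `When("We make a request v4.0.0")` in both unauthenticated v5.1.0 scenarios, and the first revoke scenario's title says "try to grant custom view access" while it posts to `/account-access/revoke` and checks the revoke error message. The two revoke success paths assert only `response.code should equal(201)` and `revoked should be (true)`; asserting afterwards that resourceUser2 no longer holds the view would show the revocation actually took effect rather than just that the endpoint answered. The enclosing `AccountAccessTest` class starts outside the hunk.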
@ -251,9 +251,10 @@ trait View {
|
||||
|
||||
def hideOtherAccountMetadataIfAlias: Boolean
|
||||
|
||||
def canGrantAccessToSystemViews : Option[List[String]] = None
|
||||
def canGrantAccessToViews : Option[List[String]] = None
|
||||
def canRevokeAccessToViews : Option[List[String]] = None
|
||||
|
||||
def canGrantAccessToCustomViews : Boolean // if this true, we can grant custom views, if it is false, no one can grant custom views.
|
||||
def canRevokeAccessToSystemViews : Option[List[String]] = None
|
||||
def canRevokeAccessToCustomViews : Boolean // if this true, we can revoke custom views,if it is false, no one can revoke custom views.
|
||||
|
||||
//reading access
|
||||
|
||||
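Review bot: The new `canGrantAccessToViews` and `canRevokeAccessToViews` members carry no comment, unlike the `canGrantAccessToCustomViews`/`canRevokeAccessToCustomViews` Booleans next to them, so a reader cannot tell what the list holds (view ids, presumably) or whether `None` differs from `Some(Nil)`. Because the names dropped the "System" qualifier, it is also unclear whether a custom view id may now appear in the list and, if so, whether the list or the Boolean flag decides; two overlapping authorization controls with undocumented precedence is where grant and revoke checks tend to drift apart. Suggested comment on the grant member, mirrored for revoke: `// view ids this view is allowed to grant access to; None is treated the same as an empty list` — confirm that against the permission check before committing to it, and add a second line stating which of this list or `canGrantAccessToCustomViews` decides for a custom view id. The `View` trait continues outside the hunk.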