Merge branch 'develop' of github.com:OpenBankProject/OBP-API into develop

Author: simonredfern

.gitignore

@@ -8,7 +8,9 @@
 .settings
 .metals
 .vscode
+*.code-workspace
 .zed
+.cursor
 .classpath
 .project
 .cache
@@ -35,5 +37,4 @@ marketing_diagram_generation/outputs/*
 .bsp
 .specstory
 project/project
-coursier
-*.code-workspace
+coursier

.sdkmanrc

@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=11.0.28-tem

README.md

@@ -43,6 +43,21 @@ This project is dual licensed under the AGPL V3 (see NOTICE) and commercial lice
 
 ## Setup
 
+### Installing JDK
+#### With sdkman
+
+A good way to manage JDK versions and install the correct version for OBP is [sdkman](https://sdkman.io/). If you have this installed then you can install the correct JDK easily using:
+```
+sdk env install
+```
+
+#### Manually
+
+- OracleJDK: 1.8, 13
+- OpenJdk: 11
+
+OpenJDK 11 is available for download here: [https://jdk.java.net/archive/](https://jdk.java.net/archive/).
+
 The project uses Maven 3 as its build tool.
 
 To compile and run Jetty, install Maven 3, create your configuration in `obp-api/src/main/resources/props/default.props` and execute:
@@ -753,13 +768,6 @@ The same as `Frozen APIs`, if a related unit test fails, make sure whether the m
 
 - A good book on Lift: "Lift in Action" by Timothy Perrett published by Manning.
 
-## Supported JDK Versions
-
-- OracleJDK: 1.8, 13
-- OpenJdk: 11
-
-OpenJDK 11 is available for download here: [https://jdk.java.net/archive/](https://jdk.java.net/archive/).
-
 ## Endpoint Request and Response Example
 
 ```log

obp-api/src/main/scala/code/api/berlin/group/v1_3/BgSpecValidation.scala

@@ -36,10 +36,10 @@ object BgSpecValidation {
 
       if (date.isBefore(today)) {
         Left(s"$InvalidDateFormat The `validUntil` date ($dateStr) cannot be in the past!")
-      } else if (date.isEqual(MaxValidDays) || date.isAfter(MaxValidDays)) {
+      } else if (date.isAfter(MaxValidDays)) {
         Left(s"$InvalidDateFormat The `validUntil` date ($dateStr) exceeds the maximum allowed period of 180 days (until $MaxValidDays).")
       } else {
-        Right(date) // Valid date
+        Right(date) // Valid date (inclusive of 180 days)
       }
     } catch {
       case _: DateTimeParseException =>
@@ -55,23 +55,4 @@ object BgSpecValidation {
     }
   }
 
-  // Example usage
-  def main(args: Array[String]): Unit = {
-    val testDates = Seq(
-      "2025-05-10",  // More than 180 days ahead
-      "9999-12-31",  // Exceeds max allowed
-      "2015-01-01",  // In the past
-      "invalid-date", // Invalid format
-      LocalDate.now().plusDays(90).toString,  // Valid (within 180 days)
-      LocalDate.now().plusDays(180).toString, // Valid (exactly 180 days)
-      LocalDate.now().plusDays(181).toString  // More than 180 days
-    )
-
-    testDates.foreach { date =>
-      validateValidUntil(date) match {
-        case Right(validDate) => println(s"Valid date: $validDate")
-        case Left(error)      => println(s"Error: $error")
-      }
-    }
-  }
 }

obp-api/src/main/scala/code/api/berlin/group/v1_3/JSONFactory_BERLIN_GROUP_1_3.scala

@@ -346,7 +346,7 @@ object JSONFactory_BERLIN_GROUP_1_3 extends CustomJsonFormats with MdcLoggable{
           Some(balances.filter(_.accountId.equals(x.accountId)).flatMap(balance => (List(CoreAccountBalanceJson(
             balanceAmount = AmountOfMoneyV13(x.currency, balance.balanceAmount.toString()),
             balanceType = balance.balanceType,
-            lastChangeDateTime = balance.lastChangeDateTime.map(APIUtil.DateWithMsAndTimeZoneOffset.format(_))
+            lastChangeDateTime = balance.lastChangeDateTime.map(APIUtil.DateWithMsFormat.format(_))
           )))))
         }else{
           None
@@ -432,7 +432,7 @@ object JSONFactory_BERLIN_GROUP_1_3 extends CustomJsonFormats with MdcLoggable{
       Some(balances.filter(_.accountId.equals(bankAccount.accountId)).flatMap(balance => (List(CoreAccountBalanceJson(
         balanceAmount = AmountOfMoneyV13(bankAccount.currency, balance.balanceAmount.toString()),
         balanceType = balance.balanceType,
-        lastChangeDateTime = balance.lastChangeDateTime.map(APIUtil.DateWithMsAndTimeZoneOffset.format(_))
+        lastChangeDateTime = balance.lastChangeDateTime.map(APIUtil.DateWithMsFormat.format(_))
       )))))
     } else {
       None
@@ -477,7 +477,7 @@ object JSONFactory_BERLIN_GROUP_1_3 extends CustomJsonFormats with MdcLoggable{
       `balances` = accountBalances.map(accountBalance => AccountBalance(
         balanceAmount = AmountOfMoneyV13(bankAccount.currency, accountBalance.balanceAmount.toString()),
         balanceType = accountBalance.balanceType,
-        lastChangeDateTime = accountBalance.lastChangeDateTime.map(APIUtil.DateWithMsAndTimeZoneOffset.format(_)),
+        lastChangeDateTime = accountBalance.lastChangeDateTime.map(APIUtil.DateWithMsFormat.format(_)),
         referenceDate = accountBalance.referenceDate,
       ) 
     ))
@@ -614,8 +614,8 @@ object JSONFactory_BERLIN_GROUP_1_3 extends CustomJsonFormats with MdcLoggable{
             else
               transaction.amount.get.toString()
           ),
-          bookingDate = transaction.startDate.map(APIUtil.DateWithMsAndTimeZoneOffset.format(_)).getOrElse(""),
-          valueDate = transaction.finishDate.map(APIUtil.DateWithMsAndTimeZoneOffset.format(_)).getOrElse(""),
+          bookingDate = transaction.startDate.map(APIUtil.DateWithMsFormat.format(_)).getOrElse(""),
+          valueDate = transaction.finishDate.map(APIUtil.DateWithMsFormat.format(_)).getOrElse(""),
           remittanceInformationUnstructured = transaction.description.getOrElse(""),
           bankTransactionCode ="",
         )

obp-api/src/main/scala/code/api/util/APIUtil.scala

@@ -130,8 +130,11 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
   val DateWithMonthFormat = new SimpleDateFormat(DateWithMonth)
   val DateWithDayFormat = new SimpleDateFormat(DateWithDay)
   val DateWithSecondsFormat = new SimpleDateFormat(DateWithSeconds)
-  val DateWithMsFormat = new SimpleDateFormat(DateWithMs)
+  // If you need UTC Z format, please continue to use DateWithMsFormat. eg: 2025-01-01T01:01:01.000Z
+  val DateWithMsFormat = new SimpleDateFormat(DateWithMs) 
+  // If you need a format with timezone offset (+0000), please use DateWithMsRollbackFormat, eg: 2025-01-01T01:01:01.000+0000
   val DateWithMsRollbackFormat = new SimpleDateFormat(DateWithMsAndTimeZoneOffset)
+  
   val rfc7231Date = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.ENGLISH)
 
   val DateWithYearExampleString: String = "1100"
@@ -967,7 +970,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
     if(date == null)
       None
     else
-      Some(APIUtil.DateWithMsAndTimeZoneOffset.format(date))
+      Some(APIUtil.DateWithMsRollbackFormat.format(date))
 
   def stringOrNull(text : String) =
     if(text == null || text.isEmpty)
@@ -3209,8 +3212,10 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 
     // COMMON POST AUTHENTICATION CODE GOES BELOW
 
+    // Check is it Consumer disabled
+    val consumerIsDisabled: Future[(Box[User], Option[CallContext])] = AfterApiAuth.checkConsumerIsDisabled(res)
     // Check is it a user deleted or locked
-    val userIsLockedOrDeleted: Future[(Box[User], Option[CallContext])] = AfterApiAuth.checkUserIsDeletedOrLocked(res)
+    val userIsLockedOrDeleted: Future[(Box[User], Option[CallContext])] = AfterApiAuth.checkUserIsDeletedOrLocked(consumerIsDisabled)
     // Check Rate Limiting
     val resultWithRateLimiting: Future[(Box[User], Option[CallContext])] = AfterApiAuth.checkRateLimiting(userIsLockedOrDeleted)
     // User init actions
@@ -4012,17 +4017,22 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
         val consumerName = cc.flatMap(_.consumer.map(_.name.get)).getOrElse("")
         val certificate = getCertificateFromTppSignatureCertificate(requestHeaders)
         for {
-          tpp <- BerlinGroupSigning.getTppByCertificate(certificate, cc)
+          tpps <- BerlinGroupSigning.getRegulatedEntityByCertificate(certificate, cc)
         } yield {
-          if (tpp.nonEmpty) {
-            val hasRole = tpp.exists(_.services.contains(serviceProvider))
-            if (hasRole) {
-              Full(true)
-            } else {
-              Failure(X509ActionIsNotAllowed)
-            }
-          } else {
-            Failure("No valid Tpp")
+          tpps match {
+            case Nil =>
+              Failure(RegulatedEntityNotFoundByCertificate)
+            case single :: Nil =>
+              // Only one match, proceed to role check
+              if (single.services.contains(serviceProvider)) {
+                Full(true)
+              } else {
+                Failure(X509ActionIsNotAllowed)
+              }
+            case multiple =>
+              // Ambiguity detected: more than one TPP matches the certificate
+              val names = multiple.map(e => s"'${e.entityName}' (Code: ${e.entityCode})").mkString(", ")
+              Failure(s"$RegulatedEntityAmbiguityByCertificate: multiple TPPs found: $names")
           }
         }
       case value if value.toUpperCase == "CERTIFICATE" => Future {

obp-api/src/main/scala/code/api/util/AfterApiAuth.scala

@@ -6,7 +6,7 @@ import code.accountholders.AccountHolders
 import code.api.Constant
 import code.api.util.APIUtil.getPropsAsBoolValue
 import code.api.util.ApiRole.{CanCreateAccount, CanCreateHistoricalTransactionAtBank}
-import code.api.util.ErrorMessages.{UserIsDeleted, UsernameHasBeenLocked}
+import code.api.util.ErrorMessages.{ConsumerIsDisabled, UserIsDeleted, UsernameHasBeenLocked}
 import code.api.util.RateLimitingJson.CallLimit
 import code.bankconnectors.{Connector, LocalMappedConnectorInternal}
 import code.entitlement.Entitlement
@@ -78,6 +78,18 @@ object AfterApiAuth extends MdcLoggable{
       }
     }
   }
+  def checkConsumerIsDisabled(res: Future[(Box[User], Option[CallContext])]): Future[(Box[User], Option[CallContext])] = {
+    for {
+      (user: Box[User], cc) <- res
+    } yield {
+      cc.map(_.consumer) match {
+        case Some(Full(consumer)) if !consumer.isActive.get => // There is a consumer. Check it.
+          (Failure(ConsumerIsDisabled), cc) // The Consumer is DISABLED.
+        case _ => // There is no Consumer. Just forward the result.
+          (user, cc)
+      }
+    }
+  }
 
   /**
    * This block of code needs to update Call Context with Rate Limiting

obp-api/src/main/scala/code/api/util/ApiSession.scala

@@ -30,6 +30,7 @@ case class CallContext(
                         dauthResponseHeader: Option[String] = None,
                         spelling: Option[String] = None,
                         user: Box[User] = Empty,
+                        onBehalfOfUser: Option[User] = None,
                         consenter: Box[User] = Empty,
                         consumer: Box[Consumer] = Empty,
                         ipAddress: String = "",

obp-api/src/main/scala/code/api/util/BerlinGroupSigning.scala

@@ -8,7 +8,7 @@ import code.consumer.Consumers
 import code.model.Consumer
 import code.util.Helper.MdcLoggable
 import com.openbankproject.commons.ExecutionContext.Implicits.global
-import com.openbankproject.commons.model.{RegulatedEntityTrait, User}
+import com.openbankproject.commons.model.{RegulatedEntityAttributeSimple, RegulatedEntityTrait, User}
 import net.liftweb.common.{Box, Empty, Failure, Full}
 import net.liftweb.http.provider.HTTPParam
 import net.liftweb.util.Helpers
@@ -111,29 +111,40 @@ object BerlinGroupSigning extends MdcLoggable {
     certificate
   }
 
-  def getTppByCertificate(certificate: X509Certificate, callContext: Option[CallContext]): Future[List[RegulatedEntityTrait]] = {
-    // Use the regular expression to find the value of CN
-    val extractedCN = cnPattern.findFirstMatchIn(certificate.getIssuerDN.getName) match {
-      case Some(m) => m.group(1) // Extract the value of CN
-      case None => "CN not found"
-    }
-    val issuerCommonName = extractedCN // Certificate.caCert
+  def getRegulatedEntityByCertificate(certificate: X509Certificate, callContext: Option[CallContext]): Future[List[RegulatedEntityTrait]] = {
+    val issuerCN = cnPattern.findFirstMatchIn(certificate.getIssuerDN.getName)
+      .map(_.group(1).trim)
+      .getOrElse("CN not found")
+
     val serialNumber = certificate.getSerialNumber.toString
-    val regulatedEntities: Future[List[RegulatedEntityTrait]] = for {
+
+    for {
       (entities, _) <- getRegulatedEntitiesNewStyle(callContext)
     } yield {
-      logger.debug("Regulated Entities: " + entities)
       entities.filter { entity =>
-        val hasSerialNumber = entity.attributes.exists(_.exists(a =>
-          a.name == "CERTIFICATE_SERIAL_NUMBER" && a.value == serialNumber
-        ))
-        val hasCaName = entity.attributes.exists(_.exists(a =>
-          a.name == "CERTIFICATE_CA_NAME" && a.value == issuerCommonName
-        ))
-        hasSerialNumber && hasCaName
+        val attrs = entity.attributes.getOrElse(Nil)
+
+        // Extract serial number and CA name from attributes
+        val serialOpt = attrs.collectFirst { case a if a.name.equalsIgnoreCase("CERTIFICATE_SERIAL_NUMBER") => a.value.trim }
+        val caNameOpt = attrs.collectFirst { case a if a.name.equalsIgnoreCase("CERTIFICATE_CA_NAME") => a.value.trim }
+
+        val serialMatches = serialOpt.contains(serialNumber)
+        val caNameMatches = caNameOpt.exists(_.equalsIgnoreCase(issuerCN))
+
+        val isMatch = serialMatches && caNameMatches
+
+        // Log everything for debugging
+        val serialLog = serialOpt.getOrElse("N/A")
+        val caNameLog = caNameOpt.getOrElse("N/A")
+        val allAttrsLog = attrs.map(a => s"${a.name}='${a.value}'").mkString(", ")
+
+        if (isMatch)
+          logger.debug(s"[MATCH] Entity '${entity.entityName}' (Code: ${entity.entityCode}) matches CN='$issuerCN', Serial='$serialNumber' " +
+            s"(Attributes found: Serial='$serialLog', CA Name='$caNameLog', All Attributes: [$allAttrsLog])")
+
+        isMatch
       }
     }
-    regulatedEntities
   }
 
 
@@ -280,7 +291,7 @@ object BerlinGroupSigning extends MdcLoggable {
       }
 
       for {
-        entities <- getTppByCertificate(certificate, forwardResult._2) // Find TPP via certificate
+        entities <- getRegulatedEntityByCertificate(certificate, forwardResult._2) // Find Regulated Entity via certificate
       } yield {
         // Certificate can be changed but this value is permanent per Regulated entity
         val idno = entities.map(_.entityCode).headOption.getOrElse("")

obp-api/src/main/scala/code/api/util/ConsentUtil.scala

@@ -431,6 +431,10 @@ object Consent extends MdcLoggable {
 
     def applyConsentRules(consent: ConsentJWT): Future[(Box[User], Option[CallContext])] = {
       val cc = callContext
+      if(consent.createdByUserId.nonEmpty) {
+        val onBehalfOfUser = Users.users.vend.getUserByUserId(consent.createdByUserId)
+        cc.copy(onBehalfOfUser = onBehalfOfUser.toOption)
+      }
       // 1. Get or Create a User
       getOrCreateUser(consent.sub, consent.iss, Some(consent.jti), None, None) map {
         case (Full(user), newUser) =>