code merge from develop to release-1201 branch.

Signed-off-by: Mahammed Taheer <[email protected]>
mosip · Jan 3, 2024 · cb69aff · cb69aff
2 parents 00308c1 + 720a099
commit cb69aff
Show file tree

Hide file tree

Showing 81 changed files with 3,630 additions and 1,354 deletions.
diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml
@@ -43,7 +43,7 @@ jobs:
     secrets:
       OSSRH_USER: ${{ secrets.OSSRH_USER }}
       OSSRH_SECRET: ${{ secrets.OSSRH_SECRET }}
-      OSSRH_URL: ${{ secrets.RELEASE_URL }}
+      OSSRH_URL: ${{ secrets.OSSRH_SNAPSHOT_URL }}
       OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
       GPG_SECRET: ${{ secrets.GPG_SECRET }}
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

diff --git a/...-common/src/main/java/io/mosip/authentication/common/service/config/IDAMappingConfig.java b/...-common/src/main/java/io/mosip/authentication/common/service/config/IDAMappingConfig.java
@@ -126,4 +126,7 @@ public class IDAMappingConfig implements MappingConfig {
 	/** The dynamic attributes. */
 	private Map<String, List<String>> dynamicAttributes;
 
+	/** The password. */
+	private List<String> password;
+
 }
diff --git a/...on-common/src/main/java/io/mosip/authentication/common/service/facade/AuthFacadeImpl.java b/...on-common/src/main/java/io/mosip/authentication/common/service/facade/AuthFacadeImpl.java
@@ -29,6 +29,7 @@
 import io.mosip.authentication.common.service.helper.AuditHelper;
 import io.mosip.authentication.common.service.helper.AuthTransactionHelper;
 import io.mosip.authentication.common.service.helper.IdInfoHelper;
+import io.mosip.authentication.common.service.impl.match.IdaIdMapping;
 import io.mosip.authentication.common.service.integration.TokenIdManager;
 import io.mosip.authentication.common.service.transaction.manager.IdAuthSecurityManager;
 import io.mosip.authentication.common.service.util.AuthTypeUtil;
@@ -47,6 +48,7 @@
 import io.mosip.authentication.core.indauth.dto.AuthStatusInfo;
 import io.mosip.authentication.core.indauth.dto.IdType;
 import io.mosip.authentication.core.indauth.dto.IdentityInfoDTO;
+import io.mosip.authentication.core.indauth.dto.KycAuthRequestDTO;
 import io.mosip.authentication.core.indauth.dto.EkycAuthRequestDTO;
 import io.mosip.authentication.core.logger.IdaLogger;
 import io.mosip.authentication.core.partner.dto.PartnerPolicyResponseDTO;
@@ -58,6 +60,7 @@
 import io.mosip.authentication.core.spi.indauth.service.BioAuthService;
 import io.mosip.authentication.core.spi.indauth.service.DemoAuthService;
 import io.mosip.authentication.core.spi.indauth.service.OTPAuthService;
+import io.mosip.authentication.core.spi.indauth.service.PasswordAuthService;
 import io.mosip.authentication.core.spi.notification.service.NotificationService;
 import io.mosip.authentication.core.spi.partner.service.PartnerService;
 import io.mosip.kernel.core.logger.spi.Logger;
@@ -129,6 +132,9 @@ public class AuthFacadeImpl implements AuthFacade {
 
 	@Autowired
 	private KeyBindedTokenAuthService keyBindedTokenAuthService;
+
+	@Autowired
+	private PasswordAuthService passwordAuthService;
 
 	/*
 	 * (non-Javadoc)
@@ -161,6 +167,14 @@ public AuthResponseDTO authenticateIndividual(AuthRequestDTO authRequestDTO, boo
 
 			addKycPolicyAttributes(filterAttributes, kycAuthRequestDTO);
 		}
+
+		if(authRequestDTO instanceof KycAuthRequestDTO) {
+			KycAuthRequestDTO kycAuthRequestDTO = (KycAuthRequestDTO) authRequestDTO;
+			// In case of kyc-auth request and password auth is requested
+			if(AuthTypeUtil.isPassword(kycAuthRequestDTO)) {
+				filterAttributes.add(IdaIdMapping.PASSWORD.getIdname());
+			}
+		}
 
 		Map<String, Object> idResDTO = idService.processIdType(idvIdType, idvid, idInfoHelper.isBiometricDataNeeded(authRequestDTO),
 				markVidConsumed, filterAttributes);
@@ -312,6 +326,11 @@ private List<AuthStatusInfo> processAuthType(AuthRequestDTO authRequestDTO,
 					authTxnBuilder, idvidHash);
 		}
 
+		if (!isMatchFailed(authStatusList)) {
+			processPasswordAuth(authRequestDTO, idInfo, token, isAuth, authStatusList, idType, authTokenId, partnerId,
+					authTxnBuilder, idvidHash);
+		}
+
 		return authStatusList;
 	}
 
@@ -383,7 +402,7 @@ private void processDemoAuth(AuthRequestDTO authRequestDTO, Map<String, List<Ide
 				statusInfo = demoValidationStatus;
 
 				boolean isStatus = statusInfo != null && statusInfo.isStatus();
-				auditHelper.audit(AuditModules.DEMO_AUTH, getAuditEvent(isAuth), idvidHash,
+				auditHelper.audit(AuditModules.DEMO_AUTH, getAuditEvent(isAuth), authRequestDTO.getTransactionID(),
 						idType, "authenticateApplicant status : " + isStatus);
 			} catch (IdAuthUncheckedException e) {
 				throw new IdAuthenticationBusinessException(e.getErrorCode(), e.getErrorText());
@@ -423,7 +442,7 @@ private void processOTPAuth(AuthRequestDTO authRequestDTO, String token, boolean
 				authStatusList.add(otpValidationStatus);
 
 				boolean isStatus = otpValidationStatus != null && otpValidationStatus.isStatus();
-				auditHelper.audit(AuditModules.OTP_AUTH, getAuditEvent(isAuth), idvidHash,
+				auditHelper.audit(AuditModules.OTP_AUTH, getAuditEvent(isAuth), authRequestDTO.getTransactionID(),
 						idType, "authenticateApplicant status : " + isStatus);
 			} finally {
 				boolean isStatus = otpValidationStatus != null && otpValidationStatus.isStatus();
@@ -464,16 +483,16 @@ private void saveAndAuditBioAuthTxn(AuthRequestDTO authRequestDTO, String token,
 		String status = "authenticateApplicant status : " + isStatus;
 		if (AuthTransactionHelper.isFingerAuth(authRequestDTO, env)) {
 			auditHelper.audit(AuditModules.FINGERPRINT_AUTH, getAuditEvent(!isInternal),
-				idvidHash, idType, status);
+				authRequestDTO.getTransactionID(), idType, status);
 			authTxnBuilder.addRequestType(RequestType.FINGER_AUTH);
 		}
 		if (AuthTransactionHelper.isIrisAuth(authRequestDTO, env)) {
-			auditHelper.audit(AuditModules.IRIS_AUTH, getAuditEvent(!isInternal), idvidHash,
+			auditHelper.audit(AuditModules.IRIS_AUTH, getAuditEvent(!isInternal), authRequestDTO.getTransactionID(),
 					idType, status);
 			authTxnBuilder.addRequestType(RequestType.IRIS_AUTH);
 		}
 		if (AuthTransactionHelper.isFaceAuth(authRequestDTO, env)) {
-			auditHelper.audit(AuditModules.FACE_AUTH, getAuditEvent(!isInternal), idvidHash,
+			auditHelper.audit(AuditModules.FACE_AUTH, getAuditEvent(!isInternal), authRequestDTO.getTransactionID(),
 					idType, status);
 			authTxnBuilder.addRequestType(RequestType.FACE_AUTH);
 		}
@@ -503,7 +522,7 @@ private void processTokenAuth(AuthRequestDTO authRequestDTO, Map<String, List<Id
 				authStatusList.add(tokenValidationStatus);
 
 				boolean isStatus = tokenValidationStatus != null && tokenValidationStatus.isStatus();
-				auditHelper.audit(AuditModules.TOKEN_AUTH, getAuditEvent(isAuth), idvidHash,
+				auditHelper.audit(AuditModules.TOKEN_AUTH, getAuditEvent(isAuth), authRequestDTO.getTransactionID(),
 						idType, "authenticateApplicant status : " + isStatus);
 			} finally {
 				boolean isStatus = tokenValidationStatus != null && tokenValidationStatus.isStatus();
@@ -513,5 +532,39 @@ private void processTokenAuth(AuthRequestDTO authRequestDTO, Map<String, List<Id
 			}
 		}
 	}
+
+	/**
+	 *
+	 * @param authRequestDTO
+	 * @param token
+	 * @param isAuth
+	 * @param authStatusList
+	 * @param idType
+	 * @param authTokenId
+	 * @param partnerId
+	 * @param authTxnBuilder
+	 * @param idvidHash
+	 * @throws IdAuthenticationBusinessException
+	 */
+	private void processPasswordAuth(AuthRequestDTO authRequestDTO, Map<String, List<IdentityInfoDTO>> idInfo, String token,
+								  boolean isAuth, List<AuthStatusInfo> authStatusList, IdType idType, String authTokenId, String partnerId,
+								  AuthTransactionBuilder authTxnBuilder, String idvidHash) throws IdAuthenticationBusinessException {
+		if (AuthTypeUtil.isPassword(authRequestDTO)) {
+			AuthStatusInfo passwordMatchStatus = null;
+			try {
+				passwordMatchStatus = passwordAuthService.authenticate(authRequestDTO, token, idInfo, partnerId);
+				authStatusList.add(passwordMatchStatus);
+
+				boolean isStatus = passwordMatchStatus != null && passwordMatchStatus.isStatus();
+				auditHelper.audit(AuditModules.PASSWORD_AUTH, AuditEvents.PASSWORD_BASED_AUTH_REQUEST, authRequestDTO.getTransactionID(),
+						idType, "authenticateApplicant status(Password) : " + isStatus);
+			} finally {
+				boolean isStatus = passwordMatchStatus != null && passwordMatchStatus.isStatus();
+				logger.info(IdAuthCommonConstants.SESSION_ID, EnvUtil.getAppId(),
+						AUTH_FACADE, "Password Authentication status : " + isStatus);
+				authTxnBuilder.addRequestType(RequestType.PASSWORD_AUTH);
+			}
+		}
+	}
 
 }
diff --git a/...ion-common/src/main/java/io/mosip/authentication/common/service/filter/BaseIDAFilter.java b/...ion-common/src/main/java/io/mosip/authentication/common/service/filter/BaseIDAFilter.java
@@ -465,6 +465,12 @@ protected String consumeResponse(ResettableStreamHttpServletRequest requestWrapp
 			String requestSignature = requestWrapper.getHeader(SIGNATURE);
 			String responseSignature = null;
 			if(isSigningRequired()) {
+				if (Objects.isNull(responseAsString) || responseAsString.trim().length() == 0) {
+					mosipLogger.error(IdAuthCommonConstants.SESSION_ID, EVENT_FILTER, BASE_IDA_FILTER,
+									" Response String is null or empty for response (JWT) signing");
+					throw new IdAuthenticationAppException(IdAuthenticationErrorConstants.UNABLE_TO_PROCESS.getErrorCode(), 
+								IdAuthenticationErrorConstants.UNABLE_TO_PROCESS.getErrorMessage());
+				}
 				responseSignature = keyManager.signResponse(responseAsString);
 				responseWrapper.setHeader(EnvUtil.getSignResponse(), responseSignature);
 			}

diff --git a/...tion-common/src/main/java/io/mosip/authentication/common/service/filter/IdAuthFilter.java b/...tion-common/src/main/java/io/mosip/authentication/common/service/filter/IdAuthFilter.java
@@ -28,6 +28,8 @@
 import javax.servlet.ServletException;
 
 import io.mosip.authentication.core.indauth.dto.KeyBindedTokenDTO;
+import io.mosip.authentication.core.indauth.dto.KycAuthRequestDTO;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
@@ -843,6 +845,7 @@ protected void checkAllowedAuthTypeForKeyBindedToken(Map<String, Object> request
 		Object value = Optional.ofNullable(requestBody.get(IdAuthCommonConstants.REQUEST))
 				.filter(obj -> obj instanceof Map).map(obj -> ((Map<String, Object>) obj).get(KEY_BINDED_TOKEN))
 				.filter(obj -> obj instanceof List).orElse(Collections.emptyMap());
+
 		List<KeyBindedTokenDTO> list = mapper.readValue(mapper.writeValueAsBytes(value),
 				new TypeReference<List<KeyBindedTokenDTO>>() {
 				});
@@ -861,6 +864,19 @@ protected void checkAllowedAuthTypeForKeyBindedToken(Map<String, Object> request
 		}
 	}
 
+	protected void checkAllowedAuthTypeForPassword(Map<String, Object> requestBody, List<AuthPolicy> authPolicies)
+			throws IdAuthenticationAppException, IOException {
+		KycAuthRequestDTO authRequestDTO = mapper.readValue(mapper.writeValueAsBytes(requestBody),
+					KycAuthRequestDTO.class);
+
+		if (AuthTypeUtil.isPassword(authRequestDTO) && !isAllowedAuthType(MatchType.Category.PWD.getType(), authPolicies)) {
+			throw new IdAuthenticationAppException(
+			IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorCode(),
+			String.format(IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
+					MatchType.Category.PWD.name()));
+		}
+	}
+
 	/**
 	 * Check allowed auth type for bio.
 	 *
@@ -1042,16 +1058,25 @@ private void checkAllowedAMRBasedOnClientConfig(Map<String, Object> requestBody,
 
 				if (AuthTypeUtil.isPin(authRequestDTO)  && !allowedAMRs.contains(MatchType.Category.SPIN.getType())) {
 					throw new IdAuthenticationAppException(
-							IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorCode(),
-							String.format(IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
+							IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorCode(),
+							String.format(IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
 									MatchType.Category.SPIN.name()));
 				}
 				if (AuthTypeUtil.isOtp(authRequestDTO)  && !allowedAMRs.contains(MatchType.Category.OTP.getType())) {
 					throw new IdAuthenticationAppException(
-							IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorCode(),
-							String.format(IdAuthenticationErrorConstants.AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
+							IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorCode(),
+							String.format(IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
 									MatchType.Category.OTP.name()));
 				}
+
+				KycAuthRequestDTO kycAuthRequestDTO = mapper.readValue(mapper.writeValueAsBytes(requestBody),
+										KycAuthRequestDTO.class);
+				if (AuthTypeUtil.isPassword(kycAuthRequestDTO)  && !allowedAMRs.contains(MatchType.Category.PWD.getType())) {
+					throw new IdAuthenticationAppException(
+							IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorCode(),
+							String.format(IdAuthenticationErrorConstants.OIDC_CLIENT_AUTHTYPE_NOT_ALLOWED.getErrorMessage(),
+									MatchType.Category.PWD.name()));
+				}
 				checkAllowedAMRForKBT(requestBody, allowedAMRs);
 			}
 		} catch (IOException e) {
@@ -1119,19 +1144,28 @@ private Set<String> getAuthenticationFactors(PartnerPolicyResponseDTO partnerPol
 	 * @param requestWrapper the request wrapper
 	 * @return the auth part
 	 */
-	protected Map<String, String> getAuthPart(ResettableStreamHttpServletRequest requestWrapper) {
+	protected Map<String, String> getAuthPart(ResettableStreamHttpServletRequest requestWrapper) throws IdAuthenticationAppException{
 		Map<String, String> params = new HashMap<>();
 		String url = requestWrapper.getRequestURL().toString();
 		String contextPath = requestWrapper.getContextPath();
 		if ((Objects.nonNull(url) && !url.isEmpty()) && (Objects.nonNull(contextPath) && !contextPath.isEmpty())) {
 			String[] splitedUrlByContext = url.split(contextPath);
 			String[] paramsArray = Stream.of(splitedUrlByContext[1].split("/")).filter(str -> !str.isEmpty())
-					.toArray(size -> new String[size]);
+									.toArray(size -> new String[size]);
+			mosipLogger.info(IdAuthCommonConstants.SESSION_ID, this.getClass().getCanonicalName(), "getAuthPart", 
+					"List of Path Parameters received in url: " + Stream.of(paramsArray).collect(Collectors.joining(", ")));
 
 			if (paramsArray.length >= 3) {
 				params.put(MISPLICENSE_KEY, paramsArray[paramsArray.length - 3]);
 				params.put(PARTNER_ID, paramsArray[paramsArray.length - 2]);
 				params.put(API_KEY, paramsArray[paramsArray.length - 1]);
+			} else {
+				mosipLogger.error(IdAuthCommonConstants.SESSION_ID, this.getClass().getCanonicalName(), "getAuthPart", 
+					"Required Number of Path Parameters are not available in URL.");
+				throw new IdAuthenticationAppException(
+					IdAuthenticationErrorConstants.URI_PATH_PARAMS_MISSING.getErrorCode(), 
+					IdAuthenticationErrorConstants.URI_PATH_PARAMS_MISSING.getErrorMessage());
+
 			}
 		}
 		return params;