OPENIG-9667 Investigation into OB FT failures (#626)

- Rework of RepoApiClient to operate in an async way as this route/script is frequently called.
- Rework RepoUser to behave async too.
- Rework AddDetachedSig to behave async too

Author: wmorrison365fr

config/7.3.0/securebanking/ig/scripts/groovy/AddDetachedSig.groovy

@@ -1,11 +1,20 @@
+import static org.forgerock.http.protocol.Response.newResponsePromise
+import static org.forgerock.http.protocol.Status.OK
+import static org.forgerock.http.protocol.Status.INTERNAL_SERVER_ERROR
+import static org.forgerock.secrets.Purpose.purposeOf
+
 import org.forgerock.secrets.keys.SigningKey
 import org.forgerock.json.jose.jws.SigningManager
 import org.forgerock.json.jose.jwt.JwtClaimsSet
 import org.forgerock.json.jose.builders.JwtBuilderFactory
+import org.forgerock.json.jose.exceptions.InvalidJwtException
 import org.forgerock.secrets.Purpose
 import org.forgerock.json.jose.jws.JwsAlgorithm
 import org.forgerock.http.protocol.Status
 
+import org.forgerock.util.promise.NeverThrowsException
+import org.forgerock.json.JsonValue
+
 /**
  * Add detached signature to HTTP response
  *
@@ -24,77 +33,91 @@ IAT_CRIT_CLAIM = "http://openbanking.org.uk/iat"
 ISS_CRIT_CLAIM = "http://openbanking.org.uk/iss"
 TAN_CRIT_CLAIM = "http://openbanking.org.uk/tan"
 
-next.handle(context, request).thenOnResult({ response ->
-    logger.debug(SCRIPT_NAME + "Running...")
-    logger.debug(SCRIPT_NAME + "routeArgSecretId: " + routeArgSecretId)
-    logger.debug(SCRIPT_NAME + "routeArgKid: " + routeArgKid)
+return filter(context, request, next)
 
-    JwsAlgorithm signAlgorithm = JwsAlgorithm.parseAlgorithm(routeArgAlgorithm)
-    logger.debug(SCRIPT_NAME + "Algorithm initialised: " + signAlgorithm)
+/**
+ * Filter implementation to add the detached signature.
+ * @param context the Context
+ * @param request the request
+ * @param next the next Handler
+ * @return Promise of a Response containing the API client
+ */
+Promise<Response, NeverThrowsException> filter(final Context context,
+                                               final Request request,
+                                               final Handler next) {
+    return next.handle(context, request).thenOnResult({ response ->
+        logger.debug(SCRIPT_NAME + "Running... routeArgSecretId: {}, routeArgKid: {}", routeArgSecretId, routeArgKid)
+        return getJwtClaimsSet(response)
+                .thenAsync(jwtClaimSet -> buildEncodedJwt(jwtClaimSet),
+                      exception -> newResponsePromise(fail(INTERNAL_SERVER_ERROR, exception.getMessage())))
+                .then(encodedJwt -> addDetachedSignature(encodedJwt, response),
+                      exception -> {
+                          return fail(INTERNAL_SERVER_ERROR, "Error creating signature JWT")
+                      })
+                .thenCatch(exception -> fail(INTERNAL_SERVER_ERROR, exception.getMessage()))
+    })
+}
 
+private Promise<JwtClaimsSet, Exception> getJwtClaimsSet(Response response) {
+    if (response.getEntity().isRawContentEmpty()) {
+        // We get content empty on submit file payment API
+        logger.debug("Response entity has raw content")
+        return newResultPromise(new JwtClaimsSet())
+    }
+    return response.getEntity()
+                   .getJsonAsync()
+                   .then(jsonContent -> new JsonValue(jsonContent).expect(Map.class))
+                   .then(jsonContent -> new JwtClaimsSet(jsonContent.asMap()),
+                         exception -> {
+                             throw new IOException("Evaluation response has malformed response JSON");
+                         })
+}
+
+private Promise<String, Exception> buildEncodedJwt(JwtClaimsSet jwtClaimsSet) {
+    logger.debug(SCRIPT_NAME + "Building encoded JWT for claims set: {}", jwtClaimsSet)
     Purpose<SigningKey> purpose = new JsonValue(routeArgSecretId).as(purposeOf(SigningKey.class))
-
     SigningManager signingManager = new SigningManager(routeArgSecretsProvider)
-
-    signingManager.newSigningHandler(purpose).then({ signingHandler ->
+    return signingManager.newSigningHandler(purpose).then({ signingHandler ->
         logger.debug(SCRIPT_NAME + "Building of the JWT started")
-
-        JwtClaimsSet jwtClaimsSet
-        // We get content empty on submit file payment API
-        if (response.getEntity().isRawContentEmpty()) {
-            jwtClaimsSet = new JwtClaimsSet()
-        } else {
-            jwtClaimsSet = new JwtClaimsSet(response.getEntity().getJson())
-        }
-        logger.debug(SCRIPT_NAME + "jwtClaimsSet: " + jwtClaimsSet)
-
-        List<String> critClaims = new ArrayList<String>();
-        critClaims.add(IAT_CRIT_CLAIM);
-        critClaims.add(ISS_CRIT_CLAIM);
-        critClaims.add(TAN_CRIT_CLAIM);
-
-        String jwt
-        try {
-            jwt = new JwtBuilderFactory()
-                    .jws(signingHandler)
-                    .headers()
-                    .alg(signAlgorithm)
-                    .kid(routeArgKid)
-                    .header(IAT_CRIT_CLAIM, System.currentTimeMillis() / 1000)
-                    .header(ISS_CRIT_CLAIM, obAspspOrgId) // For an ASPSP the ISS_CRIT_CLAIM is the OB Issued orgId
-                    .header(TAN_CRIT_CLAIM, routeArgTrustedAnchor)
-                    .crit(critClaims)
-                    .done()
-                    .claims(jwtClaimsSet)
-                    .build()
-        } catch (java.lang.Exception e) {
-            logger.debug(SCRIPT_NAME + "Error building JWT: " + e)
-        }
-
-        logger.debug(SCRIPT_NAME + "Signed JWT [" + jwt + "]")
-
-        if (jwt == null || jwt.length() == 0) {
-            message = "Error creating signature JWT"
-            logger.error(SCRIPT_NAME + message)
-            response.status = Status.INTERNAL_SERVER_ERROR
-            response.entity = "{ \"error\":\"" + message + "\"}"
-            return response
-        }
-
-        String[] jwtElements = jwt.split("\\.")
-
-        if (jwtElements.length != 3) {
-            message = "Wrong number of dots on outbound detached signature"
-            logger.error(SCRIPT_NAME + message)
-            response.status = Status.INTERNAL_SERVER_ERROR
-            response.entity = "{ \"error\":\"" + message + "\"}"
-            return response
-        }
-
-        String detachedSig = jwtElements[0] + ".." + jwtElements[2]
-        logger.debug(SCRIPT_NAME + "Adding detached signature [" + detachedSig + "]")
-
-        response.getHeaders().add(routeArgHeaderName, detachedSig);
-        return response
+        List<String> critClaims = List.of(IAT_CRIT_CLAIM, ISS_CRIT_CLAIM, TAN_CRIT_CLAIM);
+        JwsAlgorithm signAlgorithm = JwsAlgorithm.parseAlgorithm(routeArgAlgorithm)
+        logger.debug(SCRIPT_NAME + "Algorithm initialised: " + signAlgorithm)
+        String encodedJwt = new JwtBuilderFactory()
+                .jws(signingHandler)
+                .headers()
+                .alg(signAlgorithm)
+                .kid(routeArgKid)
+                .header(IAT_CRIT_CLAIM, System.currentTimeMillis() / 1000)
+                // For an ASPSP the ISS_CRIT_CLAIM is the OB Issued orgId
+                .header(ISS_CRIT_CLAIM, obAspspOrgId)
+                .header(TAN_CRIT_CLAIM, routeArgTrustedAnchor)
+                .crit(critClaims)
+                .done()
+                .claims(jwtClaimsSet)
+                .build()
+        return encodedJwt
     })
-})
+}
+
+private Response addDetachedSignature(String encodedJwt, Response response) {
+    logger.debug(SCRIPT_NAME + "Adding detached signature - encodedJwt {}", encodedJwt)
+    String[] jwtElements = encodedJwt.split("\\.")
+    if (jwtElements.length != 3) {
+        message = "Wrong number of dots on outbound detached signature"
+        logger.error(SCRIPT_NAME + message)
+        throw new InvalidJwtException(message) as Throwable
+    }
+    // Create JWT with detached sig
+    String detachedSig = "%s..%s".formatted(jwtElements[0], jwtElements[2])
+    logger.debug(SCRIPT_NAME + "Adding detached signature [{}]", detachedSig)
+    response.getHeaders().add(routeArgHeaderName, detachedSig);
+    return response
+}
+
+private Response fail(Status errorStatus, String errorMessage) {
+    Response response = new Response(OK)
+    response.headers['Content-Type'] = "application/json"
+    response.status = errorStatus
+    response.entity = json(object(field("error", errorMessage)))
+    return response
+}

config/7.3.0/securebanking/ig/scripts/groovy/RepoApiClient.groovy

@@ -1,63 +1,116 @@
-import groovy.json.JsonOutput
+import static org.forgerock.http.protocol.Response.newResponsePromise
+import static org.forgerock.http.protocol.Status.OK
+import static org.forgerock.json.JsonValue.field
+import static org.forgerock.json.JsonValue.json
+import static org.forgerock.json.JsonValue.object
+import static org.forgerock.util.Closeables.closeSilently
 
+import org.forgerock.util.promise.NeverThrowsException
+import org.forgerock.json.JsonValue
+
+/**
+ * Scripted Handler implementation to fetch an API client from the repo.
+ */
+
+// FAPI logging
 def fapiInteractionId = request.getHeaders().getFirst("x-fapi-interaction-id");
 if(fapiInteractionId == null) fapiInteractionId = "No x-fapi-interaction-id";
 SCRIPT_NAME = "[RepoApiClient] (" + fapiInteractionId + ") - ";
 logger.debug(SCRIPT_NAME + "Running...")
 
-// Fetch the API Client from IDM
-Request apiClientRequest = new Request();
-apiClientRequest.setMethod('GET');
-
-// response object
-response = new Response(Status.OK)
-response.headers['Content-Type'] = "application/json"
+return handle(context, request)
+
+/**
+ * Fetch the API client from the repo.
+ * @param unusedContext Context is unused
+ * @param request Request to obtain API client
+ * @return Promise of a Response containing the API client
+ */
+Promise<Response, NeverThrowsException> handle(final Context unusedContext, final Request request) {
+    def apiClientId = extractApiClientId(request)
+    if (apiClientId == null) {
+        message = "Can't parse api client ID from inbound request"
+        logger.error(SCRIPT_NAME + message)
+        return newResponsePromise(fail(BAD_REQUEST, message))
+    }
 
-def splitUri =  request.uri.path.split("/")
+    // Fetch the API Client from the repo (IDM)
+    Request apiClientRequest = new Request();
+    def apiClientUri = routeArgIdmBaseUri + "/openidm/managed/" + routeArgObjApiClient + "/" + apiClientId
+    apiClientRequest.setMethod('GET');
+    apiClientRequest.setUri(apiClientUri)
 
-if (splitUri.length == 0) {
-    message = "Can't parse api client ID from inbound request"
-    logger.error(SCRIPT_NAME + message)
-    response.status = Status.BAD_REQUEST
-    response.entity = "{ \"error\":\"" + message + "\"}"
-    return response
+    logger.debug(SCRIPT_NAME + "Obtaining API client data from repo {}", apiClientUri)
+    return http.send(apiClientRequest)
+               .thenAlways(() -> closeSilently(apiClientRequest))
+               .thenAsync(apiClientResponse -> handleApiClientResponse(apiClientResponse))
 }
 
-def apiClientId = splitUri[splitUri.length - 1];
-
-logger.debug(SCRIPT_NAME + "Looking up API Client {}",apiClientId)
-
-apiClientRequest.setUri(routeArgIdmBaseUri + "/openidm/managed/" + routeArgObjApiClient + "/" + apiClientId)
-
-http.send(apiClientRequest).then(apiClientResponse -> {
-    apiClientRequest.close()
-    logger.debug(SCRIPT_NAME + "Back from IDM")
+private String extractApiClientId(Request request) {
+    // Extract the API client ID from the REST request
+    def splitUri = request.uri.path.split("/")
+    if (splitUri.length == 0) {
+        return null
+    }
+    def apiClientId = splitUri[splitUri.length - 1]
+    logger.debug(SCRIPT_NAME + "Looking up API Client {}", apiClientId)
+    return apiClientId
+}
 
-    def apiClientResponseStatus = apiClientResponse.getStatus();
+private Promise<Response, NeverThrowsException> handleApiClientResponse(Response apiClientResponse) {
+    logger.debug(SCRIPT_NAME + "Handling API client response")
+    return processResponseContent(apiClientResponse)
+            .thenAlways(() -> closeSilently(apiClientResponse))
+            .then(apiClientResponseJson -> transformApiClientResponse(apiClientResponseJson),
+                  exception -> {
+                      fail(apiClientResponseStatus, exception.getMessage())
+                  })
+}
 
-    if (apiClientResponseStatus != Status.OK) {
-        message = "Failed to get API Client details"
-        logger.error(message)
-        response.status = apiClientResponseStatus
-        response.entity = "{ \"error\":\"" + message + "\"}"
-        return response
+private Promise<JsonValue, Exception> processResponseContent(final Response apiClientResponse) {
+    if (!(OK.equals(apiClientResponse.getStatus()))) {
+        logger.error("Unable to communicate with API client endpoint - status code {}",
+                     apiClientResponse.getStatus().getCode())
+        return newExceptionPromise(
+                new IOException("Failed to get API Client details - problem communicating with repo"))
     }
+    ContentTypeHeader contentTypeHeader = ContentTypeHeader.valueOf(apiClientResponse)
+    String contentType = contentTypeHeader != null ? contentTypeHeader.getType() : null
+    if (contentType == null || !contentType.toLowerCase(Locale.ROOT).startsWith("application/json")) {
+        logger.error("API client endpoint response has unexpected content-type {}", contentType)
+        return newExceptionPromise(
+                new IOException("Failed to get API Client details - unexpected content " + contentType))
+    }
+    return getJsonContentAsync(apiClientResponse)
+}
 
-    def apiClientResponseContent = apiClientResponse.getEntity();
-    def apiClientResponseObject = apiClientResponseContent.getJson();
-
-    def responseObj = [
-            "id": apiClientResponseObject.id,
-            "name": apiClientResponseObject.name,
-            "officialName": apiClientResponseObject.name,
-            "oauth2ClientId": apiClientResponseObject.oauth2ClientId,
-            "logoUri": apiClientResponseObject.logoUri
-    ]
+private static Promise<JsonValue, Exception> getJsonContentAsync(final Response response) {
+    return response.getEntity()
+                   .getJsonAsync()
+                   .then(jsonContent -> new JsonValue(jsonContent).expect(Map.class))
+                   .thenCatch(exception -> {
+                       throw new IOException("Evaluation response has malformed response JSON");
+                   })
+}
 
-    def responseJson = JsonOutput.toJson(responseObj);
-    logger.debug(SCRIPT_NAME + "Final JSON " + responseJson)
+private Response transformApiClientResponse(JsonValue apiClientResponseJson) {
+    JsonValue transformedResponseJson = json(object(
+            field("id", apiClientResponseJson.get("id")),
+            field("name", apiClientResponseJson.get("name")),
+            field("officialName", apiClientResponseJson.get("name")),
+            field("oauth2ClientId", apiClientResponseJson.get("oauth2ClientId")),
+            field("logoUri", apiClientResponseJson.get("logoUri"))))
+    logger.debug(SCRIPT_NAME + "Transformed JSON {}", transformedResponseJson)
+    Response transformedResponse = new Response(Status.OK)
+    transformedResponse.getEntity().setJson(transformedResponseJson);
+    return transformedResponse
+}
 
-    response.entity = responseJson;
+private Response fail(Status errorStatus, String errorMessage) {
+    Response response = new Response(OK)
+    response.headers['Content-Type'] = "application/json"
+    response.status = errorStatus
+    response.entity = json(object(field("error", errorMessage)))
     return response
+}
 
-}).then(response -> { return response })