From 53d941126a75765f2e03fddccefea87ba34fbca1 Mon Sep 17 00:00:00 2001 From: akila94 Date: Wed, 13 Nov 2024 16:56:38 +0530 Subject: [PATCH] Fix par client assersion mandatory params validation issue --- ...SBasePrivateKeyJWTClientAuthenticator.java | 9 ++----- .../dcr/constants/CDSValidationConstants.java | 5 ++++ .../CDSPushAuthRequestValidator.java | 24 +++++++++++++++++++ 3 files changed, 31 insertions(+), 7 deletions(-) diff --git a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/authenticator/CDSBasePrivateKeyJWTClientAuthenticator.java b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/authenticator/CDSBasePrivateKeyJWTClientAuthenticator.java index 222a3bb5..2c89f8a0 100644 --- a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/authenticator/CDSBasePrivateKeyJWTClientAuthenticator.java +++ b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/authenticator/CDSBasePrivateKeyJWTClientAuthenticator.java @@ -31,6 +31,7 @@ import org.wso2.carbon.identity.oauth2.util.OAuth2Util; import org.wso2.openbanking.cds.identity.authenticator.util.CDSJWTValidator; import org.wso2.openbanking.cds.identity.authenticator.util.Constants; +import org.wso2.openbanking.cds.identity.dcr.constants.CDSValidationConstants; import java.text.ParseException; import java.util.ArrayList; @@ -182,13 +183,7 @@ private CDSJWTValidator createJWTValidator(String accessedEndpoint, boolean prev private List populateMandatoryClaims() { - List mandatoryClaims = new ArrayList<>(); - mandatoryClaims.add(Constants.ISSUER_CLAIM); - mandatoryClaims.add(Constants.SUBJECT_CLAIM); - mandatoryClaims.add(Constants.AUDIENCE_CLAIM); - mandatoryClaims.add(Constants.EXPIRATION_TIME_CLAIM); - mandatoryClaims.add(Constants.JWT_ID_CLAIM); - return mandatoryClaims; + return CDSValidationConstants.MANDATORY_ASSERTION_PARAMS_LIST; } /** 
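Review bot: In the second hunk, `populateMandatoryClaims()` used to hand back a fresh mutable `ArrayList`, but `CDSValidationConstants.MANDATORY_ASSERTION_PARAMS_LIST` is built with `List.of`, so the returned list is now immutable and shared; if `CDSJWTValidator` or any other caller adds endpoint-specific claims to it, it will fail at runtime with `UnsupportedOperationException`. If mutation is possible, return a copy instead: `return new ArrayList<>(CDSValidationConstants.MANDATORY_ASSERTION_PARAMS_LIST);`. The claim names now come from `org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants` rather than the local `authenticator.util.Constants` the removed lines used; presumably both resolve to the same `iss`/`sub`/`aud`/`exp`/`jti` strings, but that equivalence should be confirmed, and the local `Constants` import may now be unused. This also makes the token-endpoint client authenticator depend on the DCR constants package; a shared constants home for assertion claims would avoid the cross-feature coupling.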
diff --git a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/dcr/constants/CDSValidationConstants.java b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/dcr/constants/CDSValidationConstants.java index 6b6d03cf..c40b2f3d 100644 --- a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/dcr/constants/CDSValidationConstants.java +++ b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/dcr/constants/CDSValidationConstants.java @@ -17,6 +17,8 @@ */ package org.wso2.openbanking.cds.identity.dcr.constants; +import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants; + import java.util.Arrays; import java.util.Collections; import java.util.List; @@ -35,6 +37,7 @@ public class CDSValidationConstants { public static final String SSA_POLICY_URI = "policy_uri"; public static final String SSA_TOS_URI = "tos_uri"; public static final String SSA_CLIENT_URI = "client_uri"; + public static final String CLIENT_ASSERTION = "client_assertion"; public static final String DATA_RECIPIENT_SOFTWARE_PRODUCT = "data-recipient-software-product"; public static final List VALID_SSA_SCOPES = Collections.unmodifiableList(Arrays.asList( "openid", "profile", "bank:accounts.basic:read", "bank:accounts.detail:read", "bank:transactions:read", @@ -53,4 +56,6 @@ public class CDSValidationConstants { public static final String DCR_VALIDATE_SECTOR_IDENTIFIER_URI = "DCR.EnableSectorIdentifierUriValidation"; public static final String JTI = "jti"; public static final String JTI_REPLAYED = "JTI value of the registration request has been replayed"; + public static final List MANDATORY_ASSERTION_PARAMS_LIST = List.of(Constants.ISSUER_CLAIM, + Constants.SUBJECT_CLAIM, Constants.AUDIENCE_CLAIM, Constants.EXPIRATION_TIME_CLAIM, Constants.JWT_ID_CLAIM); } 
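Review bot: `MANDATORY_ASSERTION_PARAMS_LIST` in the second hunk is built with `List.of`, while the neighbouring `VALID_SSA_SCOPES` uses `Collections.unmodifiableList(Arrays.asList(...))`; `List.of` requires a Java 9+ target, so if this module still compiles for Java 8, which the existing idiom suggests was once a concern, the build breaks, and either way the two constants should share one idiom. The new import of `org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants` pulls the private-key-JWT client-auth module into a class named for DCR validation, an inverted dependency worth noting. The constant has no Javadoc; something like `/** Claims that must be present in a private_key_jwt client_assertion: the RFC 7523 §3 required set plus jti. */` would record why these five and not others. `List.of` additionally rejects null elements, which is harmless here since every entry is a string constant.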
diff --git a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/push/auth/extension/request/validator/CDSPushAuthRequestValidator.java b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/push/auth/extension/request/validator/CDSPushAuthRequestValidator.java index a91b38ee..c624f9d2 100644 --- a/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/push/auth/extension/request/validator/CDSPushAuthRequestValidator.java +++ b/components/org.wso2.openbanking.cds.identity/src/main/java/org/wso2/openbanking/cds/identity/push/auth/extension/request/validator/CDSPushAuthRequestValidator.java @@ -19,6 +19,7 @@ package org.wso2.openbanking.cds.identity.push.auth.extension.request.validator; import com.wso2.openbanking.accelerator.common.exception.ConsentManagementException; +import com.wso2.openbanking.accelerator.common.util.JWTUtils; import com.wso2.openbanking.accelerator.consent.mgt.dao.models.DetailedConsentResource; import com.wso2.openbanking.accelerator.consent.mgt.service.impl.ConsentCoreServiceImpl; import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator; @@ -29,8 +30,10 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.http.HttpStatus; +import org.wso2.openbanking.cds.identity.dcr.constants.CDSValidationConstants; import org.wso2.openbanking.cds.identity.utils.CDSIdentityConstants; +import java.text.ParseException; import java.time.OffsetDateTime; import java.time.ZoneOffset; import java.util.Map; 
@@ -61,6 +64,27 @@ public CDSPushAuthRequestValidator(ConsentCoreServiceImpl consentCoreService) { @Override public void validateAdditionalParams(Map parameters) throws PushAuthRequestValidatorException { + // Validate client assertion + if (parameters.containsKey(CDSValidationConstants.CLIENT_ASSERTION)) { + JSONObject assertionClaims; + try { + assertionClaims = JWTUtils.decodeRequestJWT(parameters + .get(CDSValidationConstants.CLIENT_ASSERTION).toString(), "body"); + } catch (ParseException e) { + log.error("Error while parsing JWT assertion", e); + throw new PushAuthRequestValidatorException(HttpStatus.SC_BAD_REQUEST, + PushAuthRequestConstants.INVALID_REQUEST_OBJECT, + CDSIdentityConstants.INVALID_PUSH_AUTH_REQUEST); + } + for (String key : CDSValidationConstants.MANDATORY_ASSERTION_PARAMS_LIST) { + if (!assertionClaims.containsKey(key)) { + throw new PushAuthRequestValidatorException(HttpStatus.SC_BAD_REQUEST, + PushAuthRequestConstants.INVALID_REQUEST, "Mandatory field :" + key + + " is missing in the JWT assertion."); + } + } + } + JSONObject requestObjectJsonBody; if (parameters.containsKey(PushAuthRequestConstants.DECODED_JWT_BODY) && parameters.get(PushAuthRequestConstants.DECODED_JWT_BODY) instanceof JSONObject) {
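Review bot: The new `parameters.containsKey(CDSValidationConstants.CLIENT_ASSERTION)` guard does not protect the `.toString()` call that follows it: a map entry whose key is present but whose value is null throws `NullPointerException`, which surfaces as a 500 rather than the intended 400. Fetch the value once and null-check it, `Object assertion = parameters.get(CDSValidationConstants.CLIENT_ASSERTION); if (assertion != null) { ... JWTUtils.decodeRequestJWT(assertion.toString(), "body") ... }`. The mandatory-claim loop has the same gap: `assertionClaims.containsKey(key)` is true for an explicit JSON null such as `"exp": null`, so `if (assertionClaims.get(key) == null)` is the check that actually enforces presence. A parse failure of the client assertion is reported with `INVALID_REQUEST_OBJECT`, which names the PAR request object rather than the client credential, whereas the missing-claim branch two lines later uses `INVALID_REQUEST`; the codes should agree, and logging at ERROR for attacker-controlled malformed input is noisy, WARN or DEBUG is enough. Since `decodeRequestJWT(..., "body")` decodes without verifying anything, a comment such as `// Presence check only: signature, aud and exp of the assertion are verified by the client authenticator` would stop a reader from mistaking this for authentication — presumably that verification does happen there, which is worth confirming.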