summaryrefslogtreecommitdiff
path: root/libeufin/nexus-tutorial.rst
blob: 6e65228d128cc0cea8503946e198f06f19d311f8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
LibEuFin How-To
###############

.. contents:: Table of Contents

The LibEuFin Nexus is a Web service that provides a JSON abstraction layer to
access bank accounts.  It does **not** itself offer banking services, but is a
translator between JSON requests and other banking protocols (such as EBICS),
that are offered by banks.

This document explains how to set up Nexus to access a bank account
via the EBICS protocol.

In order to follow all the steps below, the reader should either
have access to a bank account with EBICS support or follow the
steps in "Setting up the Sandbox".


Installing LibEuFin
===================

LibEuFin has the following run-time dependencies:

* OpenJDK 11
* Python 3.8
* python3-click (can be installed via ``pip3 install click``)
* python3-requests (can be installed via ``pip3 install requests``)

Downloading prebuilt binaries
-----------------------------

Pre-built packages can be obtained from the `taler.net website
<https://taler.net/files/libeufin>`__.

Unpack the ``libeufin-$version.zip`` file to
your desired location (typically ``/opt`` or ``~/opt``) and make sure that your ``$PATH``
variable contains the ``bin/`` directory of the unpacked archive.

Building from source
--------------------

Nexus belongs to the LibEuFin project, and can be downloaded via Git:

.. code-block:: console

  $ git clone git://git.taler.net/libeufin

Note that Kotlin+Gradle should already work on the host system.

Navigate into the *libeufin* local repository, and from top-level run:

.. code-block:: console

  $ ./bootstrap
  $ ./configure --prefix=$PREFIX
  $ make install

Verifying your installation
---------------------------

In case of success, the two following commands should be found:

.. code-block:: console

  $ which libeufin-nexus
  $ which libeufin-cli


(Optional) Configuring the Sandbox
==================================

If you don't have access to a real bank account with an EBICS API, you can set
up the sandbox.  The sandbox is a simplistic and incomplete implementation of a
core banking system with EBICS access to bank accounts.

For the following commands, the sandbox service must be running.
The sandbox service is started with the following command:

.. code-block:: console

   $ libeufin-sandbox serve --port 5000

To reset the state of the sandbox, delete the database.  By default,
the database is a SQLite3 file in ``/tmp/libeufin-sandbox.sqlite3``.

For invocations of the LibEuFin command line interface tool (``libeufin-cli``),
the following environment variable must be set to the URL of the sandbox
service:

.. code-block:: console

   export LIBEUFIN_SANDBOX_URL=http://localhost:5000/

Verify that the sandbox is running:

.. code-block:: console

   $ libeufin-cli sandbox check

Now an EBICS host can be created:

.. code-block:: console

   $ libeufin-cli sandbox ebicshost create --host-id testhost

Note that most ``libeufin-cli`` subcommands will ask for input interactively if
the respective value is not specified as a command line option.

Next, create an EBICS subscriber (identified by the partner ID and user ID) for the host:

.. code-block:: console

   $ libeufin-cli sandbox ebicssubscriber create \
       --host-id testhost --partner-id partner01 --user-id user01

Create a bank account for the subscriber and add a sample transaction:

.. code-block:: console

   $ libeufin-cli sandbox ebicsbankaccount create \
       --currency EUR \
       --iban DE18500105172929531888 \
       --bic INGDDEFFXXX \
       --person-name "Jane Normal" \
       --account-name "testacct01" \
       --ebics-host-id testhost \
       --ebics-user-id user01 \
       --ebics-partner-id partner01

The account name "testacct01" is the unique identifier of the account within
the sandbox.  The EBICS parameters identify the subscriber that should have
access to the bank account via EBICS.

To populate the account with some test transactions, run the following command
(note that we use the *bankaccount* subcommand, because there is no need to rely
on EBICS):

.. code-block:: console

   $ libeufin-cli sandbox bankaccount generate-transactions testacct01

Payments to a sandbox bank account can be listed as follows:

.. code-block:: console

   $ libeufin-cli sandbox bankaccount transactions testacct01

.. note::

   The sandbox is intended as a testing tool and thus not stable.

   For more information on the available commands, use the built-in ``--help`` flag.

   The full functionality of the sandbox is available via the API. (FIXME(TTN): specify which API)


Connect Nexus with an EBICS account
===================================

Use the following command to run the nexus service:

.. code-block:: console

  $ libeufin-nexus serve --port 5001

By default, the SQLite3 database ``/tmp/libeufin-nexus.sqlite3`` will be used.

We recommend using the ``--db-conn-string=$DBCONN`` option.  It instructs Nexus
to reach the database addressed by the JDBC connection URI.  Only *SQLite* and
*PostgreSQL (only via TCP)* are supported right now.

For example:

.. code-block:: console

  $ libeufin-nexus serve --db-conn-string=jdbc:postgresql://127.0.0.1:5433/libeufindb?user=foo&password=secret

At this point a superuser account needs to be created:

.. code-block:: console

  $ libeufin-nexus superuser --db-conn-string=jdbc:postgresql://127.0.0.1:5433/libeufindb?user=foo&password=secret foo # Will interactively ask for password

For simplicity, a superuser can as well act as a normal user, but an API
to create less privileged users is offered.

.. note::

  Privilege separation is not fully implemented yet.

The command line interface needs the following three values
to be defined in the environment: ``LIBEUFIN_NEXUS_URL``, ``LIBEUFIN_NEXUS_USERNAME``,
and ``LIBEUFIN_NEXUS_PASSWORD``.  In this example, ``LIBEUFIN_NEXUS_USERNAME`` should be
set to ``foo``, and ``LIBEUFIN_NEXUS_PASSWORD`` to the value given for its password
in step (2).

Next, we will create an EBICS *bank connection* that
nexus can use to communicate with the bank.

.. note::

   For the sandbox set up in this guide, the EBICS base URL
   is ``http://localhost:5000/ebicsweb``.

.. code-block:: console

  $ libeufin-cli \
      connections \
        new-ebics-connection \
          --ebics-url $EBICS_BASE_URL \
          --host-id $EBICS_HOST_ID \
          --partner-id $EBICS_PARTNER_ID \
          --ebics-user-id $EBICS_USER_ID \
          $CONNECTION_NAME

If the step above executed correctly, Nexus created all the cryptographic
material that is needed on the client side; in this EBICS example, it created
the signature and identification keys.  It is therefore advisable to *(4) make
a backup copy* of such keys.

.. code-block:: console

  $ libeufin-cli \
      connections \
        export-backup \
          --passphrase $SECRET \
          --output-file $BACKUP_FILE \
          $CONNECTION_NAME

At this point, Nexus must communicate all the details to the bank.  Therefore,
it will synchronize the connection.  In this EBICS example, Nexus will send
the *INI* and *HIA* messages to the bank.

Now that the bank has received the public keys of the subscriber electronically,
it also needs to verify them offline.  For this, the nexus can generate a key letter:

.. code-block:: console

  $ libeufin-cli connections get-key-letter $CONNECTION_NAME out.pdf

.. note::

   The resulting PDF should be sent to the bank, which will verify
   that the keys printed in it match the keys sent electronically.

   When using the LibEuFin sandbox, subscribers are automatically
   activated after keys are received electronically.

.. code-block:: console

  $ libeufin-cli \
      connections \
        sync \
          $CONNECTION_NAME

Once the connection is synchronized, Nexus needs to import locally the data
corresponding to the bank accounts offered by the bank connection just made.
The command below downloads the list of the bank accounts offered by ``$CONNECTION_NAME``.

.. code-block:: console

  $ libeufin-cli \
      connections \
        download-bank-accounts \
          $CONNECTION_NAME

It is now possible to list the accounts offered by the connection.

.. code-block:: console

  $ libeufin-cli \
      connections \
        list-offered-bank-accounts \
          $CONNECTION_NAME

Nexus now needs an explicit import of the accounts it should to manage.  This
step is needed to let the user pick a custom name for such accounts.

.. code-block:: console

  $ libeufin-cli
      connections \
        import-bank-account \
          --offered-account-id $ACCOUNT_NATIVE_NAME \
          --nexus-bank-account-id $CUSTOM_RENAMING_FOR_ACCOUNT \
          $CONNECTION_NAME

Once a Nexus user imported a bank account (``$CUSTOM_RENAMING_FOR_ACCOUNT``)
under a certain connection (``$CONNECTION_NAME``), it is possible
to accomplish the usual operations for any bank account: asking for the
list of transactions, and making a payment.

Request history of transactions
===============================

..

  FIXME: explain why requesting the history
  goes through these two-phases.

It is first needed to tell Nexus to download the latest news
from the bank, and then ask it again to return the results.

This command asks Nexus to *download the latest bank statements*:

.. code-block:: console

  $ libeufin-cli \
      accounts \
        fetch-transactions \
          $CUSTOM_RENAMING_FOR_ACCOUNT

.. note::

   By default, the latest available transactions are fetched.  It is also
   possible to specify a custom data range (or even all available transactions)
   and the type of transactions to fetch ( inter-day statements or intra-day
   reports).

Once Nexus stored all the information in the database, the
client can ask to actually **see** the transactions:

.. code-block:: console

  $ libeufin-cli accounts \
      transactions \
        $CUSTOM_RENAMING_FOR_ACCOUNT

Make a payment
==============

..

  FIXME: explain why payments go through these two-phases.

Payments pass through two phases: preparation and submission.

The following command prepares a payment:

.. code-block:: console

  $ libeufin-cli \
      accounts \
        prepare-payment \
          --creditor-iban $IBAN_TO_SEND_MONEY_TO \
          --creditor-bic $BIC_TO_SEND_MONEY_TO \
          --creditor-name $CREDITOR_NAME \
          --payment-amount $AMOUNT \
          --payment-subject $SUBJECT \
          $CUSTOM_RENAMING_FOR_ACCOUNT

Note: the ``$AMOUNT`` value needs the format ``X.Y:CURRENCY``; for example
``10:EUR``, or ``1.01:EUR``.

The previous command should return a value (``$UUID``) that uniquely
identifies the prepared payment in the Nexus system.  It'll be needed
in the next step, to **send the payment instructions to the bank**:

.. code-block:: console

  $ libeufin-cli \
      accounts \
        submit-payment \
          --payment-uuid $UUID \
          $CUSTOM_RENAMING_FOR_ACCOUNT

Automatic scheduling
====================

With an EBICS bank connection, the LibEuFin nexus needs to regularly query for
new transactions and (re-)submit prepared payments.

It is possible to schedule these tasks via an external task scheduler such as
cron.  However, the nexus also has an internal task scheduling mechanism for
accounts.


The following two create a schedule for submitting payments hourly,
fetching transactions (intra-day reports) every 5 minutes and once at 11am every
day (inter-day statements):

.. code-block:: console

   $ libeufin-cli accounts task-schedule myacct \
       --task-type="submit"
       --task-name='submit-payments-hourly'
       --task-cronspec='0 0 *'

   $ libeufin-cli accounts task-schedule myacct \
       --task-type="fetch" \
       --task-name='fetch-5min' \
       --task-cronspec='0 */5 *' \
       --task-param-level=report \
       --task-param-range-type=latest

   $ libeufin-cli accounts task-schedule myacct \
       --task-type="fetch" \
       --task-name='fetch-daily' \
       --task-cronspec='0 0 23' \
       --task-param-level=statement \
       --task-param-range-type=latest

The cronspec has the following format, which is slightly non-standard due to
the ``SECONDS`` field

.. code-block:: none

  SECONDS MINUTES HOURS DAY-OF-MONTH[optional] MONTH[optional] DAY-OF-WEEK[optional]


Restore the backup
==================

The following command shows how to restore all the details
associated with one bank connection subscription.  For EBICS,
this means that the INI and HIA secret keys will be restored
for the requesting user.

.. code-block:: console

  $ libeufin-cli \
      connection \
        restore-backup \
          --passphrase $SECRET \
          --outputfile $BACKUP_FILE \
          $CONNECTION_NAME

Creating a Taler facade
=======================

Facades are additional abstraction layers that can serve
specific purposes.  For example, one application might need
a filtered version of the transaction history, or it might
want to refuse payments that do not conform to certain rules.

At this moment, only the *Taler facade type* is implemented
in the Nexus, and the command below will show how to instantiate
one under an existing bank account.

.. code-block:: console

  $ libeufin-cli \
      taler-facade \
        new-facade \
          --facade-name $FACADE_NAME \
          $CONNECTION_NAME \
          $CUSTOM_RENAMING_FOR_ACCOUNT

At this point, the additional *taler-wire-gateway* (link here) API
becomes offered by the Nexus.  The purpose is to let a Taler exchange
to rely on Nexus to manage its bank account.