authorAntoine A <>2024-02-19 17:08:08 +0100
committerAntoine A <>2024-02-19 17:08:08 +0100
commit22be66f8b688696df27b643081f76ded9d452127 (patch)
tree000944a0bd92efbb52a23c2f9e577d9a1e596f19
parentd648a98f511ac4ed1a8a83516c09f4fe66f164bf (diff)
Environment variables for TAN script in libeufin-bank config
-rw-r--r--bank/src/main/kotlin/tech/libeufin/bank/Config.kt10
-rw-r--r--bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt18
-rw-r--r--contrib/bank.conf6
-rwxr-xr-xcontrib/libeufin-tan-sms.sh14
4 files changed, 35 insertions, 13 deletions
diff --git a/bank/src/main/kotlin/tech/libeufin/bank/Config.kt b/bank/src/main/kotlin/tech/libeufin/bank/Config.kt
index 45c370d5..cba29656 100644
--- a/bank/src/main/kotlin/tech/libeufin/bank/Config.kt
+++ b/bank/src/main/kotlin/tech/libeufin/bank/Config.kt
@@ -44,7 +44,7 @@ data class BankConfig(
val fiatCurrency: String?,
val fiatCurrencySpec: CurrencySpecification?,
val spaPath: Path?,
- val tanChannels: Map<TanChannel, Path>,
+ val tanChannels: Map<TanChannel, Pair<Path, Map<String, String>>>,
val payto: BankPaytoCtx,
val wireMethod: WireMethod
)
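Review bot: After this type change, `tanChannels` in `data class BankConfig` carries the TAN scripts' environment values, and a data class's generated `toString()` prints every field. The sample config in this commit uses those values for an auth token, so the token would appear wherever a `BankConfig` is printed or logged; whether that happens anywhere is not visible here. A small holder that hides the values makes it harmless and reads better than a nested `Pair`: `class TanScript(val path: Path, val env: Map<String, String>) { override fun toString() = "TanScript(path=$path, env=${env.keys})" }`. The class declaration starts above the hunk.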
@@ -97,7 +97,13 @@ fun TalerConfig.loadBankConfig(): BankConfig {
val tanChannels = buildMap {
for (channel in TanChannel.entries) {
lookupPath("libeufin-bank", "tan_$channel")?.let {
- put(channel, it)
+ val variables = lookupString("libeufin-bank", "tan_${channel}_env")?.let { env ->
+ env.split(' ').map { variable ->
+ variable.splitOnce("=") ?:
+ throw TalerConfigError.invalid("environment variables", "libeufin-bank", "tan_${channel}_env", "expected NAME=VALUE got '$variable'")
+ }.toMap()
+ } ?: mapOf()
+ put(channel, Pair(it, variables))
}
}
}
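Review bot: `env.split(' ')` yields an empty entry for every doubled, leading or trailing space, so a value such as `A=1  B=2` is rejected with "expected NAME=VALUE got ''". Splitting on whitespace runs and dropping empties fixes that: `env.split(Regex("\\s+")).filter { it.isNotEmpty() }`. A value still cannot contain a space, which deserves a comment here. The error message also echoes the offending fragment, so a token that contains a space would have its tail printed in the configuration error; naming only the option would avoid that. `loadBankConfig` continues outside the hunk.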
diff --git a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
index 11508407..dbb550ac 100644
--- a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
+++ b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
@@ -662,17 +662,29 @@ private fun Routing.coreBankTanApi(db: Database, ctx: BankConfig) {
)
is TanSendResult.Success -> {
res.tanCode?.run {
- val tanScript = ctx.tanChannels.get(res.tanChannel)
+ val (tanScript, tanEnv) = ctx.tanChannels.get(res.tanChannel)
?: throw unsupportedTanChannel(res.tanChannel)
val exitValue = withContext(Dispatchers.IO) {
- val process = ProcessBuilder(tanScript.toString(), res.tanInfo).start()
+ val builder = ProcessBuilder(tanScript.toString(), res.tanInfo)
+ builder.redirectErrorStream(true)
+ for ((name, value) in tanEnv) {
+ builder.environment()[name] = value
+ }
+ val process = builder.start()
try {
process.outputWriter().use { it.write(res.tanCode) }
process.onExit().await()
} catch (e: Exception) {
process.destroy()
}
- process.exitValue()
+ val exitValue = process.exitValue()
+ if (exitValue != 0) {
+ val out = process.getInputStream().reader().readText()
+ if (out.isNotEmpty()) {
+ logger.error("TAN ${res.tanChannel} - ${tanScript}: $out")
+ }
+ }
+ exitValue
}
if (exitValue != 0) {
throw libeufinError(
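Review bot: The merged stdout/stderr pipe is read only after `process.onExit().await()` returns, so a script that writes more than the OS pipe buffer blocks on its write and never exits, and the request hangs with it. Draining the stream before awaiting exit, inside the existing `withContext(Dispatchers.IO)`, avoids that. The captured text is then logged whole at error level, and the script now receives credentials through its environment and the TAN on stdin, so a failing script that traces itself can put both into the bank log; cap what is logged. The handler starts and ends outside the hunk.

```kotlin
// … unchanged: builder setup and environment loop …
val process = builder.start()
val out = try {
    process.outputWriter().use { it.write(res.tanCode) }
    // Drain merged stdout/stderr before waiting so a chatty script cannot block on a full pipe
    val text = process.inputStream.bufferedReader().use { it.readText() }
    process.onExit().await()
    text
} catch (e: Exception) {
    process.destroy()
    ""
}
val exitValue = process.exitValue()
if (exitValue != 0 && out.isNotEmpty()) {
    // Bound the logged output; it comes from an external script and may echo sensitive input
    logger.error("TAN ${res.tanChannel} - ${tanScript}: ${out.take(4096)}")
}
exitValue
```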
diff --git a/contrib/bank.conf b/contrib/bank.conf
index 72791fd3..af7fb252 100644
--- a/contrib/bank.conf
+++ b/contrib/bank.conf
@@ -42,6 +42,12 @@ WIRE_TYPE =
# Path to TAN challenge transmission script via email. If not specified, this TAN channel will not be supported.
# TAN_EMAIL = libeufin-tan-email.sh
+# Environment variables for the sms TAN script.
+# TAN_SMS_ENV = AUTH_TOKEN=secret-token
+
+# Environment variables for the email TAN script.
+# TAN_EMAIL_ENV = AUTH_TOKEN=secret-token
+
# How "libeufin-bank serve" serves its API, this can either be tcp or unix
SERVE = tcp
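Review bot: The two new comments do not state the value format the parser expects, which is space-separated `NAME=VALUE` pairs with no way to quote a space inside a value. I would write `# Space-separated NAME=VALUE environment variables passed to the sms TAN script; values cannot contain spaces.` and the same for the email option. Since these options are meant to hold credentials, a line reminding the operator to keep this file readable only by the bank's service user would also help.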
diff --git a/contrib/libeufin-tan-sms.sh b/contrib/libeufin-tan-sms.sh
index ae33bad3..63c427ff 100755
--- a/contrib/libeufin-tan-sms.sh
+++ b/contrib/libeufin-tan-sms.sh
@@ -1,20 +1,18 @@
#!/bin/sh
-
# This file is in the public domain.
-
set -eu
-
-. telesign-secrets # need to be found in the PATH
-# Set CUSTOMER_ID and API_KEY
+# Set AUTH_TOKEN=...
MESSAGE=`cat -`
TMPFILE=`mktemp /tmp/sms-loggingXXXXXX`
PHONE_NUMBER=$(echo $1 | sed 's/^+//') # Telesign refuses the leading +
STATUS=$(curl --request POST \
- --user "$CUSTOMER_ID:$API_KEY" \
--url https://rest-api.telesign.com/v1/messaging \
- --data "message_type=OTP" \
+ --header "authorization: Basic $AUTH_TOKEN" \
+ --header 'content-type: application/x-www-form-urlencoded' \
+ --data account_livecycle_event=transact \
--data "message=$MESSAGE" \
+ --data message_type=OTP \
--data "phone_number=$PHONE_NUMBER" \
-w "%{http_code}" -s -o $TMPFILE)
echo `cat $TMPFILE` >> $HOME/sms.log
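Review bot: `--header "authorization: Basic $AUTH_TOKEN"` places the credential in curl's argument vector, where it is visible in the process listing for the duration of the request. Feeding the header through curl's config on stdin keeps it out of argv where `printf` is a shell builtin: `printf 'header = "authorization: Basic %s"\n' "$AUTH_TOKEN" | curl --config - --request POST ...`. Stdin is free at that point because `MESSAGE` has already been read. Separately, `account_livecycle_event` looks like a misspelling of `account_lifecycle_event`; confirm against the provider's API reference. The unchanged `--data "message=$MESSAGE"` is sent without URL-encoding, and `--data-urlencode` would be safer.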
@@ -27,4 +25,4 @@ case $STATUS in
exit 1;
;;
esac
-exit 1
+exit 1 \ No newline at end of file