exchange

Base system with REST service to issue digital coins, run by the payment service provider

commit 191f5e9a543ba581e129783313a4a6e8ed598a07
parent 2ecfc99e7a9ec090179a051066431c4e2ebde9f5
Author: Christian Grothoff <christian@grothoff.org>
Date:   Fri, 19 Jul 2024 14:16:49 +0200

add some first KYC commands for testing

Diffstat:
Msrc/kyclogic/Makefile.am | 2++
Asrc/kyclogic/taler-exchange-helper-converter-oauth2-test-full_name | 49+++++++++++++++++++++++++++++++++++++++++++++++++
Asrc/kyclogic/taler-exchange-helper-measure-freeze | 109+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asrc/kyclogic/taler-exchange-helper-measure-test-oauth | 78++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msrc/testing/test_exchange_api.conf | 27++++++++++++++++-----------
5 files changed, 254 insertions(+), 11 deletions(-)

diff --git a/src/kyclogic/Makefile.am b/src/kyclogic/Makefile.am
@@ -15,6 +15,8 @@ pkgcfg_DATA = \ kyclogic-persona.conf bin_SCRIPTS = \ + taler-exchange-helper-converter-oauth2-test-full_name \ + taler-exchange-helper-measure-test-oauth \ taler-exchange-kyc-kycaid-converter.sh \ taler-exchange-kyc-persona-converter.sh \ taler-exchange-kyc-oauth2-test-converter.sh \
diff --git a/src/kyclogic/taler-exchange-helper-converter-oauth2-test-full_name b/src/kyclogic/taler-exchange-helper-converter-oauth2-test-full_name
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# This file is part of TALER
+# Copyright (C) 2014-2024 Taler Systems SA
+#
+# TALER is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3, or (at your option) any later version.
+#
+# TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# TALER; see the file COPYING. If not, If not, see <http://www.gnu.org/license>
+#
+
+# This is a converter that takes the output of an
+# OAuth2 service which is expected to yield a full_name
+# and a birthdate.
+#
+# The converter doesn't actually do anything, it
+# just restricts the output to exactly these values.
+
+
+# Hard error reporting on.
+set -eu
+
+if [ "${1:-no}" = "--list-outputs" ]
+then
+ # This converter produces a full name and birthdate.
+ echo "full_name"
+ echo "birthdate"
+ exit 0
+fi
+
+# First, check everything we expect is in stdin.
+J=$(jq -r 'def get($k):
+ if has($k)
+ then .[$k]
+ else error("attribute missing")
+ end;
+ {"full_name":get("full_name"),
+ "birthdate":get("birthdate")}')
+
+# Return the restricted values.
+echo "$J"
+
+exit 0
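Review bot: `taler-exchange-helper-measure-freeze` is added by this commit but is not among the two names this hunk adds to `bin_SCRIPTS` in src/kyclogic/Makefile.am, while src/testing/test_exchange_api.conf names it as the `PROGRAM` of the `manual-freeze` fallback measure. Unless it is installed by a rule outside this hunk, the measure that is supposed to freeze an account would not be found at run time. I would add `taler-exchange-helper-measure-freeze \` to the list next to the other two helpers.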
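Review bot: The jq filter in taler-exchange-helper-converter-oauth2-test-full_name only tests `has($k)`, so a `full_name` or `birthdate` that is null, a number or a nested object in the OAuth2 provider's response is copied into the output unchanged. The header comment says the converter restricts the output to exactly these values, so I would also reject non-string values inside `get`, e.g. `if has($k) and (.[$k] | type) == "string"`. The `-r` flag has no effect because the filter emits an object, and `printf '%s\n' "$J"` would be the more robust way to print it than `echo "$J"`.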
diff --git a/src/kyclogic/taler-exchange-helper-measure-freeze b/src/kyclogic/taler-exchange-helper-measure-freeze 
@@ -0,0 +1,109 @@
+#!/bin/bash
+#
+# This file is part of TALER
+# Copyright (C) 2014-2024 Taler Systems SA
+#
+# TALER is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3, or (at your option) any later version.
+#
+# TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# TALER; see the file COPYING. If not, If not, see <http://www.gnu.org/license>
+#
+
+# Hard error reporting on.
+set -eu
+
+# This is a KYC measure program that freezes
+# the account and flags it for manual investigation.
+# This is the ultimate fallback measure.
+
+if [ "${1:-no}" = "--required-context" ]
+then
+ # No context is required.
+ exit 0
+fi
+
+if [ "${1:-no}" = "--required-attributes" ]
+then
+ # No required attributes.
+ exit 0
+fi
+
+# See https://docs.taler.net/taler-exchange-manual.html#tsref-type-AmlProgramInput
+# for the full JSON with possible inputs.
+
+# New rules apply for 30 days.
+EXPIRATION=$((3600 * 30 + $(date +%s)))
+
+# Finally, output the new rules.
+# See https://docs.taler.net/taler-exchange-manual.html#tsref-type-AmlOutcome
+# for the required output format.
+
+jq -n \
+ --arg expiration "$EXPIRATION" \
+ '{ "to_investigate": true,
+ "new_rules" : {
+ "expiration_time" : { "t_s": $expiration },
+ "rules" : [
+ {
+ "operation_type": "WITHDRAW",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ },
+ {
+ "operation_type": "DEPOSIT",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ },
+ {
+ "operation_type": "MERGE",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ },
+ {
+ "operation_type": "BALANCE",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ },
+ {
+ "operation_type": "CLOSE",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ },
+ {
+ "operation_type": "AGE-WITHDRAW",
+ "threshold" : "EUR:0",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : false,
+ "is_and_combinator" : true
+ }
+ ]
+ }
+ }' < /dev/null
diff --git a/src/kyclogic/taler-exchange-helper-measure-test-oauth b/src/kyclogic/taler-exchange-helper-measure-test-oauth
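Review bot: `EXPIRATION=$((3600 * 30 + $(date +%s)))` in taler-exchange-helper-measure-freeze adds 30 hours, not the 30 days the comment above it promises, so the freeze rules would expire after little more than a day; `EXPIRATION=$((30 * 86400 + $(date +%s)))` matches the comment. In addition, `--arg expiration` binds the value as a JSON string, so `"t_s"` is emitted quoted rather than as a number; `--argjson expiration "$EXPIRATION"` keeps it numeric. Whether the exchange tolerates a string timestamp is not visible from this hunk. Both lines are repeated verbatim in taler-exchange-helper-measure-test-oauth and need the same change there.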
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# This file is part of TALER
+# Copyright (C) 2014-2024 Taler Systems SA
+#
+# TALER is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3, or (at your option) any later version.
+#
+# TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# TALER; see the file COPYING. If not, If not, see <http://www.gnu.org/license>
+#
+
+# Hard error reporting on.
+set -eu
+
+# This is a KYC measure program that checks the output
+# of an OAuth2 authentication, and if it passed,
+# increases the reserve CLOSE limit to EUR:1000.
+# (and doesn't impose any other limits)
+
+if [ "${1:-no}" = "--required-context" ]
+then
+ # No context is required.
+ exit 0
+fi
+
+if [ "${1:-no}" = "--required-attributes" ]
+then
+ # This AML program expects as inputs a full_name
+ # and a birthdate.
+ echo "full_name"
+ echo "birthdate"
+ exit 0
+fi
+
+# First, check everything we expect is in stdin.
+J=$(jq -r 'def get($k):
+ if has($k)
+ then .[$k]
+ else error("attribute missing")
+ end;
+ {"full_name":get("attributes.full_name"),
+ "birthdate":get("attributes.birthdate")}')
+
+# Here we could use those values...
+echo "$J" >> /dev/null
+
+# See https://docs.taler.net/taler-exchange-manual.html#tsref-type-AmlProgramInput
+# for the full JSON with possible inputs.
+
+# New rules apply for 30 days.
+EXPIRATION=$((3600 * 30 + $(date +%s)))
+
+# Finally, output the new rules.
+# See https://docs.taler.net/taler-exchange-manual.html#tsref-type-AmlOutcome
+# for the required output format.
+
+jq -n \
+ --arg expiration "$EXPIRATION" \
+ '{ "to_investigate": false,
+ "new_rules" : {
+ "expiration_time" : { "t_s": $expiration },
+ "rules" : [ {
+ "operation_type": "CLOSE",
+ "threshold" : "EUR:1000",
+ "timeframe" : { "d_us" : 3600000000 },
+ "measures" : [ "verboten" ],
+ "display_priority" : 1,
+ "exposed" : true,
+ "is_and_combinator" : true
+ } ]
+ }
+ }' < /dev/null
diff --git a/src/testing/test_exchange_api.conf b/src/testing/test_exchange_api.conf
@@ -98,8 +98,8 @@ WIRE_GATEWAY_URL = "http://localhost:8082/accounts/2/taler-wire-gateway/" [kyc-provider-test-oauth2] LOGIC = oauth2 -USER_TYPE = INDIVIDUAL -PROVIDED_CHECKS = DUMMY +CONVERTER = taler-exchange-helper-converter-oauth2-address +# PROVIDED_CHECKS = DUMMY KYC_OAUTH2_VALIDITY = forever KYC_OAUTH2_TOKEN_URL = http://localhost:6666/oauth/v2/token KYC_OAUTH2_AUTHORIZE_URL = http://localhost:6666/oauth/v2/login
@@ -108,7 +108,6 @@ KYC_OAUTH2_CLIENT_ID = taler-exchange KYC_OAUTH2_CLIENT_SECRET = exchange-secret KYC_OAUTH2_POST_URL = http://example.com/ KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-test-converter.sh -CONVERTER = cat [kyc-check-oauth-test-id] VOLUNTARY = NO
@@ -119,7 +118,7 @@ DESCRIPTION_I18N = {} # No context requirements REQUIRES = # Measure to execute if check failed. -FALLBACK = manual +FALLBACK = manual-freeze # This check runs on oauth2 PROVIDER_ID = test-oauth2
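Review bot: `get("attributes.full_name")` in taler-exchange-helper-measure-test-oauth asks jq whether the top-level object has a key literally named `attributes.full_name`; `has` does not follow dotted paths. If the input nests the values under an `attributes` object, which the argument string suggests, the filter always raises "attribute missing", `set -e` aborts the program, and the configured `FALLBACK` measure is applied on every run. Under that assumption the two lines should read `{"full_name":(.attributes|get("full_name")),` and `"birthdate":(.attributes|get("birthdate"))}')`. The result in `J` is then only written to /dev/null, so a comment stating that the values are checked for presence only would describe the program more accurately.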
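Review bot: In the `@@ -98,8 +98,8 @@` hunk of src/testing/test_exchange_api.conf, `CONVERTER = taler-exchange-helper-converter-oauth2-address` names a helper that this commit does not add. The converter introduced here is `taler-exchange-helper-converter-oauth2-test-full_name`, which emits the `full_name` and `birthdate` that the new AML program lists as required attributes. If the `-address` helper is not installed from elsewhere, I would change the line to `CONVERTER = taler-exchange-helper-converter-oauth2-test-full_name`. The section also keeps `KYC_OAUTH2_CONVERTER_HELPER`, so a comment saying which of the two settings is authoritative would help.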
@@ -133,31 +132,37 @@ DESCRIPTION = "Your account is frozen pending investigation" DESCRIPTION_I18N = {} # No context requirements REQUIRES = -FALLBACK = manual +# Measure to execute if check failed. Well, +# this check cannot really fail, but we stay +# where we are: frozen. +FALLBACK = manual-freeze [aml-program-oauth-output-check] -DESCRIPTION = Validates the output from OAauth2 -COMMAND = cat +DESCRIPTION = "Validates the output from OAauth2 and then permits the reserve closing to proceed" +# Command that runs on the output of the OAuth provider +# to decide what rules should apply next. +COMMAND = taler-exchange-helper-measure-test-oauth # What measure to take if the COMMAND failed. -FALLBACK = manual +FALLBACK = manual-freeze [kyc-measure-run-oauth] # Get client ID via the OAuth test provider CHECK_NAME = oauth-test-id # AML program to run on the output of the OAuth provider -# to decide what to do next. -PROGRAM = taler-exchange-helper-measure-test-oauth-output +# to decide what rules should apply next. +PROGRAM = oauth-output-check # Context to provide for check and program; empty. CONTEXT = {} # This is a base-measure that is being triggered # whenever something goes wrong. We freeze the # account and ask AML staff to investigate. -[kyc-measure-manual] +[kyc-measure-manual-freeze] CHECK_NAME = info-frozen # AML program that freezes the account and flags # it for investigation. PROGRAM = taler-exchange-helper-measure-freeze +# Context to provide for check and program; empty. CONTEXT = {} # This rule requests that the users passes KYC
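Review bot: `[kyc-measure-run-oauth]` now sets `PROGRAM = oauth-output-check`, the name of the `[aml-program-oauth-output-check]` section, but `[kyc-measure-manual-freeze]` still has `PROGRAM = taler-exchange-helper-measure-freeze`, which is a script name with no matching `[aml-program-…]` section in the visible hunk. If `PROGRAM` is resolved as a section name, as the first change suggests, the measure that every `FALLBACK = manual-freeze` in this file points to would not resolve. Adding a section such as `[aml-program-freeze]` with `COMMAND = taler-exchange-helper-measure-freeze` and referring to it from the measure would make the two consistent. The new `DESCRIPTION` line also carries the typo `OAauth2` over from the line it replaces.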