exchange

Base system with REST service to issue digital coins, run by the payment service provider

commit b4c28743d751f00b8d0c5f5e3b1fd2cba2d4426e
parent 5119a75cbc5473498a17855745a991df95e746d5
Author: Christian Grothoff <christian@grothoff.org>
Date:   Mon,  2 Sep 2024 16:37:07 +0200

add logic to check that merchant_pub matches on deposit if KYC AUTH is in use/required

Diffstat:
Msrc/exchange/taler-exchange-httpd_common_kyc.c | 36+++++++++++++++++++++++++-----------
Msrc/exchange/taler-exchange-httpd_spa.c | 4++++
Msrc/exchangedb/exchange_do_trigger_kyc_rule_for_account.sql | 4++--
Msrc/exchangedb/pg_get_kyc_rules.c | 23++++++++++++++---------
4 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/src/exchange/taler-exchange-httpd_common_kyc.c b/src/exchange/taler-exchange-httpd_common_kyc.c @@ -1580,11 +1580,16 @@ amount_iterator_wrapper_cb ( { struct TEH_LegitimizationCheckHandle *lch = cls; + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + "KYC: Checking amounts until %s\n", + GNUNET_TIME_absolute2s (limit)); if (lch->bad_kyc_auth) { /* We *do* have applicable KYC rules *and* the target_pub does not match the merchant_pub, so we indeed have a problem! */ + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + "KYC: Mismatch between merchant_pub and target_pub is relevant!\n"); lch->lcr.bad_kyc_auth = true; } return lch->ai (lch->ai_cls, @@ -1628,7 +1633,6 @@ legitimization_check_run ( { json_t *jrules; - qs = TEH_plugin->get_kyc_rules (TEH_plugin->cls, &lch->h_payto, &lch->lcr.kyc.account_pub, @@ -1644,16 +1648,25 @@ legitimization_check_run ( GNUNET_async_scope_restore (&old_scope); return; case GNUNET_DB_STATUS_SUCCESS_NO_RESULTS: - if (lch->have_merchant_pub) - { - // FIXME: not quite correct: the absence of custom *jrules* does NOT - // imply that we had no target_pub! - lch->lcr.bad_kyc_auth = true; - } - break; case GNUNET_DB_STATUS_SUCCESS_ONE_RESULT: - lch->lcr.kyc.have_account_pub - = ! GNUNET_is_zero (&lch->lcr.kyc.account_pub); + break; + } + lch->lcr.kyc.have_account_pub + = ! GNUNET_is_zero (&lch->lcr.kyc.account_pub); + if ( (NULL == jrules) && + (lch->have_merchant_pub) && + (0 != GNUNET_memcmp (&lch->merchant_pub, + &lch->lcr.kyc.account_pub.merchant_pub)) ) + { + /* We do not have custom rules, defer enforcing merchant_pub + match until we actually have deposit constraints */ + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + "KYC: merchant_pub given but no target_pub known!\n"); + lch->bad_kyc_auth = true; + } + if (NULL != jrules) + { + /* We have custom KYC rules */ if ( (lch->have_merchant_pub) && (0 != GNUNET_memcmp (&lch->merchant_pub, &lch->lcr.kyc.account_pub.merchant_pub)) ) 
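Review bot: The new log line `KYC: Mismatch between merchant_pub and target_pub is relevant!` in amount_iterator_wrapper_cb carries no account identifier, so an operator reading the log cannot tell which account or deposit triggered the KYC-auth mismatch. The same applies to the two messages added in legitimization_check_run (`merchant_pub given but no target_pub known!` and `merchant_pub does not match target_pub of custom rules!`). Since `lch->h_payto` is already used in this file, consider including it, e.g. `"KYC: merchant_pub/target_pub mismatch is relevant for account %s\n", TALER_B2S (&lch->h_payto)`. The function body continues outside the hunk.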
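Review bot: In legitimization_check_run the no-rules branch logs `merchant_pub given but no target_pub known!` whenever the keys differ, which also covers the case where a non-zero target_pub was returned and simply does not match; `lch->lcr.kyc.have_account_pub`, assigned just above, already distinguishes the two cases. The same `GNUNET_memcmp` test is repeated in the `NULL != jrules` branch, so computing it once, e.g. `const bool pub_mismatch = lch->have_merchant_pub && (0 != GNUNET_memcmp (&lch->merchant_pub, &lch->lcr.kyc.account_pub.merchant_pub));`, would keep the deferred and the immediate failure path from drifting apart. The code after the switch also reads `jrules`, which is declared without an initializer in the context of the preceding hunk, so it relies on every get_kyc_rules implementation storing NULL on the no-result path; `json_t *jrules = NULL;` would make that guarantee local. The function starts and ends outside the hunk.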
@@ -1661,6 +1674,8 @@ legitimization_check_run ( /* We have custom rules, but the target_pub for those custom rules does not match the merchant_pub. Fail the KYC process! */ + GNUNET_log (GNUNET_ERROR_TYPE_INFO, + "KYC: merchant_pub does not match target_pub of custom rules!\n"); fail_kyc_auth (lch); return; } @@ -1668,7 +1683,6 @@ legitimization_check_run ( GNUNET_break (NULL != lrs); /* Fall back to default rules on parse error! */ json_decref (jrules); - break; } } diff --git a/src/exchange/taler-exchange-httpd_spa.c b/src/exchange/taler-exchange-httpd_spa.c @@ -103,6 +103,10 @@ TEH_spa_init () } +/* Suppresses warning */ +void __attribute__ ((destructor)) +get_spa_fini (void); + /** * Nicely shut down. */ diff --git a/src/exchangedb/exchange_do_trigger_kyc_rule_for_account.sql b/src/exchangedb/exchange_do_trigger_kyc_rule_for_account.sql @@ -38,7 +38,7 @@ BEGIN SELECT access_token - ,account_pub + ,target_pub INTO my_rec FROM wire_targets @@ -48,7 +48,7 @@ IF FOUND THEN -- Extract details, determine if KYC auth matches. my_access_token = my_rec.access_token; - my_account_pub = my_rec.account_pub; + my_account_pub = my_rec.target_pub; IF in_merchant_pub IS NULL THEN out_bad_kyc_auth = FALSE; diff --git a/src/exchangedb/pg_get_kyc_rules.c b/src/exchangedb/pg_get_kyc_rules.c @@ -42,13 +42,18 @@ TEH_PG_get_kyc_rules ( GNUNET_PQ_query_param_end }; struct GNUNET_PQ_ResultSpec rs[] = { - GNUNET_PQ_result_spec_auto_from_type ("target_pub", - account_pub), - TALER_PQ_result_spec_json ("jnew_rules", - jrules), + GNUNET_PQ_result_spec_allow_null ( + GNUNET_PQ_result_spec_auto_from_type ("target_pub", + account_pub), + NULL), + GNUNET_PQ_result_spec_allow_null ( + TALER_PQ_result_spec_json ("jnew_rules", + jrules), + NULL), GNUNET_PQ_result_spec_end }; + *jrules = NULL; memset (account_pub, 0, sizeof (*account_pub)); 
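Review bot: With both result specs in TEH_PG_get_kyc_rules wrapped in `GNUNET_PQ_result_spec_allow_null (..., NULL)`, a successful single-row result can now leave `*jrules` NULL and `*account_pub` all-zero, and the caller gets no is-null flag to tell a NULL column from a stored zero key. The doc comment of this function and of the plugin's get_kyc_rules declaration (both outside this hunk) should state that contract, for example `@param[out] jrules set to NULL if no active custom rules exist` and `@param[out] account_pub set to all zeros if no target_pub is known`. The function body continues outside the hunk.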
@@ -57,12 +62,12 @@ TEH_PG_get_kyc_rules ( "SELECT" " wt.target_pub" " ,lo.jnew_rules" - " FROM legitimization_outcomes lo" - " JOIN wire_targets wt" + " FROM wire_targets wt" + " LEFT JOIN legitimization_outcomes lo" " ON (lo.h_payto = wt.wire_target_h_payto)" - " WHERE h_payto=$1" - " AND expiration_time >= $2" - " AND is_active;"); + " WHERE wt.wire_target_h_payto=$1" + " AND lo.expiration_time >= $2" + " AND lo.is_active;"); return GNUNET_PQ_eval_prepared_singleton_select ( pg->conn, "get_kyc_rules",
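Review bot: The `lo.expiration_time >= $2` and `lo.is_active` filters remain in the WHERE clause, so a wire_targets row with no matching legitimization_outcomes row has NULL in both columns and is filtered out; the LEFT JOIN then behaves like the inner join it replaced. In that case the query returns no row, `account_pub` stays zeroed, and the caller's deferred check would flag a merchant_pub mismatch even when wire_targets holds a matching target_pub. Moving the two `lo` conditions into the ON clause keeps the wire_targets row and lets `jnew_rules` come back NULL, which is what the allow_null result specs added earlier in this file are prepared for. If more than one outcome can be active for an account, the singleton select would also need a LIMIT or an ordering; that cannot be judged from this hunk. The function body starts and ends outside the hunk.

```c
/* … unchanged: PREPARE name and SELECT column list … */
           " FROM wire_targets wt"
           " LEFT JOIN legitimization_outcomes lo"
           "   ON (lo.h_payto = wt.wire_target_h_payto"
           "       AND lo.expiration_time >= $2"
           "       AND lo.is_active)"
           " WHERE wt.wire_target_h_payto=$1;");
/* … unchanged: GNUNET_PQ_eval_prepared_singleton_select call … */
```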