commit 08026a7069b870471221d62993104044e573c1f2
parent 3983d0b17d1c98227fcba744152a7d8d447699ae
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Thu, 23 Oct 2025 10:03:05 +0200
backend work for #10525
Diffstat:
5 files changed, 131 insertions(+), 6 deletions(-)
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
@@ -131,6 +131,12 @@ char *TMH_helper_email;
char *TMH_helper_sms;
+char *TMH_allowed_payment_targets;
+
+char *TMH_payment_target_regex;
+
+regex_t TMH_payment_target_re;
+
int TMH_force_audit;
struct TALER_MERCHANTDB_Plugin *TMH_db;
@@ -673,6 +679,11 @@ do_shutdown (void *cls)
GNUNET_CURL_gnunet_rc_destroy (merchant_curl_rc);
merchant_curl_rc = NULL;
}
+ if (NULL != TMH_payment_target_regex)
+ {
+ regfree (&TMH_payment_target_re);
+ GNUNET_free (TMH_payment_target_regex);
+ }
}
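Review bot: The shutdown block added here releases `TMH_payment_target_regex` and the compiled expression but not `TMH_allowed_payment_targets`, which run() always allocates (from the configuration or via `GNUNET_strdup ("*")`), so that string is never freed; adding `GNUNET_free (TMH_allowed_payment_targets);` next to the new block would fix it. The `regfree()` guard is only correct while `TMH_payment_target_regex` is non-NULL exactly when `regcomp()` succeeded. That appears to rely on `GNUNET_free` resetting the pointer on the empty-string and compile-failure paths in run(), so a one-line comment stating the invariant would help the next reader. do_shutdown starts outside this hunk.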
@@ -2841,6 +2852,47 @@ run (void *cls,
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_string (cfg,
"merchant",
+ "PAYMENT_TARGET_TYPES",
+ &TMH_allowed_payment_targets))
+ {
+ TMH_allowed_payment_targets = GNUNET_strdup ("*");
+ }
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_string (cfg,
+ "merchant",
+ "PAYMENT_TARGET_REGEX",
+ &TMH_payment_target_regex))
+ {
+ TMH_payment_target_regex = NULL;
+ }
+ else
+ {
+ if (0 == strlen (TMH_payment_target_regex))
+ {
+ GNUNET_free (TMH_payment_target_regex);
+ }
+ else
+ {
+ if (0 != regcomp (&TMH_payment_target_re,
+ TMH_payment_target_regex,
+ REG_NOSUB | REG_EXTENDED))
+ {
+ GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+ "merchant",
+ "PAYMENT_TARGET_REGEX",
+ "malformed regular expression");
+ global_ret = EXIT_NOTCONFIGURED;
+ GNUNET_free (TMH_payment_target_regex);
+ GNUNET_SCHEDULER_shutdown ();
+ return;
+ }
+ }
+ }
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_string (cfg,
+ "merchant",
"HELPER_SMS",
&TMH_helper_sms))
{
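Review bot: The result of `regcomp()` is reduced to a yes/no test, so an operator who mistypes PAYMENT_TARGET_REGEX only sees "malformed regular expression" with no hint of what is wrong. Keeping the code and passing it to `regerror()` would let the log name the actual problem, e.g. `int rc = regcomp (...);` followed by `char eb[256]; regerror (rc, &TMH_payment_target_re, eb, sizeof (eb));` and using `eb` as the message. An empty PAYMENT_TARGET_TYPES value is also accepted unchanged, and since the account handler tokenises it on spaces it would seem to reject every account; if that fail-closed result is intended, a comment saying so would be useful. run() begins and continues outside this hunk.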
diff --git a/src/backend/taler-merchant-httpd.h b/src/backend/taler-merchant-httpd.h
@@ -26,6 +26,8 @@
#include <taler/taler_mhd_lib.h>
#include <gnunet/gnunet_mhd_compat.h>
#include "taler_merchant_bank_lib.h"
+#include <regex.h>
+
/**
* Shorthand for exit jumps.
@@ -733,6 +735,24 @@ extern char *TMH_helper_email;
extern char *TMH_helper_sms;
/**
+ * Space-separated list of allowed payment target types.
+ * "*" for "all" (no restriction).
+ */
+extern char *TMH_allowed_payment_targets;
+
+/**
+ * Regular expression further restricting payment target types.
+ * Can be NULL/empty for no restrictions.
+ */
+extern char *TMH_payment_target_regex;
+
+/**
+ * Compiled regular expression, only valid if
+ * #TMH_payment_target_regex is not NULL!
+ */
+extern regex_t TMH_payment_target_re;
+
+/**
* Length of the TMH_cspecs array.
*/
extern unsigned int TMH_num_cspecs;
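Review bot: The doc comment on `TMH_payment_target_regex` says it restricts "payment target types", but the account handler in this commit runs `regexec()` on `uri.full_payto`, i.e. the whole payto URI, and POSIX `regexec()` reports a match anywhere in the string. I would reword it to something like `Extended POSIX regular expression that the full payto:// URI of a new account must match; not anchored unless the expression itself uses ^ and $.` Operators then know that a pattern without anchors can be satisfied by a later part of the URI rather than by the part they meant to constrain. The same caveat belongs wherever PAYMENT_TARGET_REGEX is documented for operators.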
diff --git a/src/backend/taler-merchant-httpd_config.c b/src/backend/taler-merchant-httpd_config.c
@@ -1,6 +1,6 @@
/*
This file is part of TALER
- (C) 2019, 2020, 2021, 2023, 2024 Taler Systems SA
+ (C) 2019, 2020, 2021, 2023, 2024, 2025 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU Affero General Public License as published by the Free Software
@@ -41,9 +41,9 @@
*
* When changing this version, you likely want to also update
* #MERCHANT_PROTOCOL_CURRENT and #MERCHANT_PROTOCOL_AGE in
- * merchant_api_config.c!
+ * merchant_api_get_config.c!
*/
-#define MERCHANT_PROTOCOL_VERSION "21:1:9"
+#define MERCHANT_PROTOCOL_VERSION "22:0:10"
/**
@@ -120,6 +120,11 @@ MH_handler_config (const struct TMH_RequestHandler *rh,
response = TALER_MHD_MAKE_JSON_PACK (
GNUNET_JSON_pack_string ("currency",
TMH_currency),
+ GNUNET_JSON_pack_string ("payment_target_types",
+ TMH_allowed_payment_targets),
+ GNUNET_JSON_pack_allow_null (
+ GNUNET_JSON_pack_string ("payment_target_regex",
+ TMH_payment_target_regex)),
GNUNET_JSON_pack_bool ("have_self_provisioning",
GNUNET_YES ==
TMH_have_self_provisioning),
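Review bot: `payment_target_regex` is copied verbatim from the operator's configuration into the /config response, so whatever the pattern encodes (for example particular banks or account prefixes) becomes visible to every client that can fetch this endpoint. If that is intended so frontends can pre-validate accounts, a comment here and in the configuration documentation should say that the value is public. It should also say that the value is a POSIX extended regular expression (it is compiled with `REG_EXTENDED`), because client-side regex engines may interpret it differently and the server-side check stays authoritative. MH_handler_config continues outside this hunk.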
diff --git a/src/backend/taler-merchant-httpd_private-post-account.c b/src/backend/taler-merchant-httpd_private-post-account.c
@@ -29,6 +29,7 @@
#include <taler/taler_dbevents.h>
#include <taler/taler_json_lib.h>
#include "taler-merchant-httpd_mfa.h"
+#include <regex.h>
MHD_RESULT
@@ -84,6 +85,53 @@ TMH_private_post_account (const struct TMH_RequestHandler *rh,
return mret;
}
}
+ {
+ char *apt = GNUNET_strdup (TMH_allowed_payment_targets);
+ char *method = TALER_payto_get_method (uri.full_payto);
+ bool ok;
+
+ ok = false;
+ for (const char *tok = strtok (apt,
+ " ");
+ NULL != tok;
+ tok = strtok (NULL,
+ " "))
+ {
+ if (0 == strcmp ("*",
+ tok))
+ ok = true;
+ if (0 == strcmp (method,
+ tok))
+ ok = true;
+ if (ok)
+ break;
+ }
+ GNUNET_free (method);
+ GNUNET_free (apt);
+ if (! ok)
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PAYTO_URI_MALFORMED,
+ "The payment target type is forbidden by policy");
+ }
+ }
+
+ if ( (NULL != TMH_payment_target_regex) &&
+ (0 !=
+ regexec (&TMH_payment_target_re,
+ uri.full_payto,
+ 0,
+ NULL,
+ 0)) )
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PAYTO_URI_MALFORMED,
+ "The specific account is forbidden by policy");
+ }
if ( (NULL == credit_facade_url) !=
(NULL == credit_facade_credentials) )
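Review bot: The allow-list loop in the new block tokenises with `strtok()` and hands `method` to `strcmp()` unchecked. `strtok()` keeps hidden static state, so a reentrant `strtok_r()` with a local save pointer is the safer choice in a request handler. If `TALER_payto_get_method()` can return NULL for a URI that reaches this point (the earlier validation is outside this hunk, so I cannot tell), the comparison would dereference it. Both policy rejections also answer with `TALER_EC_GENERIC_PAYTO_URI_MALFORMED` although the URI is well-formed, which makes a policy refusal indistinguishable from a syntax error for clients and in logs; a dedicated error code would be clearer. TMH_private_post_account starts and ends outside the hunk.

```c
    char *apt = GNUNET_strdup (TMH_allowed_payment_targets);
    char *method = TALER_payto_get_method (uri.full_payto);
    char *sp = NULL;
    bool ok = false;

    if (NULL == method)
    {
      /* No payment target type could be extracted: reject instead of comparing NULL. */
      GNUNET_break_op (0);
      GNUNET_free (apt);
      return TALER_MHD_reply_with_error (connection,
                                         MHD_HTTP_BAD_REQUEST,
                                         TALER_EC_GENERIC_PAYTO_URI_MALFORMED,
                                         "payto URI lacks a payment target type");
    }
    for (const char *tok = strtok_r (apt, " ", &sp);
         NULL != tok;
         tok = strtok_r (NULL, " ", &sp))
    {
      if ( (0 == strcmp ("*", tok)) ||
           (0 == strcmp (method, tok)) )
      {
        ok = true;
        break;
      }
    }
    /* … unchanged: free method and apt, reject when !ok, regex check … */
```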
diff --git a/src/lib/merchant_api_get_config.c b/src/lib/merchant_api_get_config.c
@@ -1,6 +1,6 @@
/*
This file is part of TALER
- Copyright (C) 2014-2024 Taler Systems SA
+ Copyright (C) 2014-2025 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU Lesser General Public License as published by the Free Software
@@ -34,12 +34,12 @@
* Which version of the Taler protocol is implemented
* by this library? Used to determine compatibility.
*/
-#define MERCHANT_PROTOCOL_CURRENT 21
+#define MERCHANT_PROTOCOL_CURRENT 22
/**
* How many configs are we backwards-compatible with?
*/
-#define MERCHANT_PROTOCOL_AGE 9
+#define MERCHANT_PROTOCOL_AGE 10
/**
* How many exchanges do we allow at most per merchant?