commit 5b75a2f086fce8cdcf42df22ff7f5197605d06fe parent c953f5cf5db0a5878baaae2631194f58325668f8 Author: Florian Dold <florian@dold.me> Date: Mon, 7 Apr 2025 00:43:03 +0200 tops-style AML/KYC config Diffstat:
| M | Dockerfile | | | 1 | + |
| A | data/kyc-rules-tops.conf | | | 428 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | data/setup-kyc-simple.sh | | | 119 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | data/setup-kyc-tops.sh | | | 64 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| M | overrides/talerkyc.localhost | | | 3 | ++- |
| M | scripts/demo/setup-sandcastle.sh | | | 128 | ++++--------------------------------------------------------------------------- |
6 files changed, 620 insertions(+), 123 deletions(-)
diff --git a/Dockerfile b/Dockerfile
@@ -274,3 +274,4 @@ RUN systemctl enable setup-sandcastle.service
 # Disable potentially problem-causing services
 RUN systemctl disable postgresql && \
     systemctl disable apache2 || true
+RUN sed -i /etc/postgresql/15/main/postgresql.conf -e 's/^port[ ]*=.*$/port = 5432/'
diff --git a/data/kyc-rules-tops.conf b/data/kyc-rules-tops.conf
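Review bot: The new `RUN sed -i ... -e 's/^port[ ]*=.*$/port = 5432/'` line has no success check: `sed -i` exits 0 whether or not any line matched, so if the packaged `postgresql.conf` ships the port commented out (`#port = 5432`) or separated by a tab rather than spaces, the image builds cleanly with the port unchanged. A cheap assertion keeps the build honest, e.g. `RUN sed -i /etc/postgresql/15/main/postgresql.conf -e 's/^port[ ]*=.*$/port = 5432/' && grep -q '^port = 5432$' /etc/postgresql/15/main/postgresql.conf`. The hard-coded `/15/` in the path also ties this line to one PostgreSQL major version; a comment stating that expectation next to the line would make a future base-image bump fail for an understandable reason rather than a mysterious one.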
@@ -0,0 +1,428 @@
+[exchange]
+
+# Better enable KYC.
+ENABLE_KYC = YES
+
+# Hard limits
+[kyc-rule-withdraw-limit-monthly]
+OPERATION_TYPE = WITHDRAW
+NEXT_MEASURES = verboten
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:2500
+TIMEFRAME = "30 days"
+
+[kyc-rule-withdraw-limit-annually]
+OPERATION_TYPE = WITHDRAW
+NEXT_MEASURES = verboten
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:15000
+TIMEFRAME = "365 days"
+
+# Limit on merchant transactions
+[kyc-rule-transaction-limit]
+OPERATION_TYPE = TRANSACTION
+NEXT_MEASURES = verboten
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:1000
+TIMEFRAME = "1 days"
+
+[kyc-rule-balance-limit]
+OPERATION_TYPE = BALANCE
+NEXT_MEASURES = verboten
+EXPOSED = YES
+# Note: Disabled, kept in case we ever want to impose a limit on wallet balances.
+ENABLED = NO
+THRESHOLD = CHF:1000
+TIMEFRAME = "1 days"
+
+# Note: For *testing* KYC processes.
+[kyc-rule-balance-testing-limit1]
+OPERATION_TYPE = BALANCE
+NEXT_MEASURES = sms-registration
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:1
+TIMEFRAME = "1 days"
+
+# Note: For *testing* KYC processes.
+[kyc-rule-balance-testing-limit5]
+OPERATION_TYPE = BALANCE
+NEXT_MEASURES = kyx
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:5
+TIMEFRAME = "1 days"
+
+# Note: For *testing* KYC processes.
+[kyc-rule-balance-testing-limit10]
+OPERATION_TYPE = BALANCE
+NEXT_MEASURES = sms-registration postal-registration
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:10
+TIMEFRAME = "1 days"
+
+# SMS identification limit on withdraw (voluntary rule)
+[kyc-rule-withdraw-limit-low]
+OPERATION_TYPE = WITHDRAW
+NEXT_MEASURES = sms-registration
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:200
+TIMEFRAME = "30 days"
+
+# Deposit requires ToS acceptance, this way we ensure bank account is confirmed!
+[kyc-rule-deposit-limit-zero]
+OPERATION_TYPE = DEPOSIT
+NEXT_MEASURES = accept-tos
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:0
+TIMEFRAME = "1 days"
+
+# Aggregation limits
+[kyc-rule-deposit-limit-monthly]
+OPERATION_TYPE = AGGREGATE
+NEXT_MEASURES = kyx
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:2500
+TIMEFRAME = "30 days"
+
+[kyc-rule-deposit-limit-annually]
+OPERATION_TYPE = AGGREGATE
+NEXT_MEASURES = kyx
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:15000
+TIMEFRAME = "365 days"
+
+# P2P limits
+[kyc-rule-p2p-limit-monthly]
+OPERATION_TYPE = MERGE
+NEXT_MEASURES = verboten
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:2500
+TIMEFRAME = "30 days"
+
+[kyc-rule-p2p-limit-annually]
+OPERATION_TYPE = MERGE
+NEXT_MEASURES = verboten
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:15000
+TIMEFRAME = "365 days"
+
+[kyc-rule-p2p-domestic-identification-requirement]
+OPERATION_TYPE = MERGE
+NEXT_MEASURES = sms-registration postal-registration
+IS_AND_COMBINATOR = NO
+EXPOSED = YES
+ENABLED = YES
+THRESHOLD = CHF:0
+TIMEFRAME = "30 days"
+
+# #################### KYC measures #######################
+
+# Fallback measure on errors.
+[kyc-measure-freeze-investigate]
+CHECK_NAME = skip
+PROGRAM = freeze-investigate
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-sms-registration]
+CHECK_NAME = sms-registration
+PROGRAM = tops-sms-check
+VOLUNTARY = YES
+# 63072000000000 is 2 years (in microseconds)
+CONTEXT = {"expiration_time":{"d_us": 63072000000000}}
+
+[kyc-measure-postal-registration]
+CHECK_NAME = postal-registration
+PROGRAM = tops-postal-check
+VOLUNTARY = YES
+# 157680000000000 is 5 years (in microseconds)
+CONTEXT = {"expiration_time":{"d_us": 157680000000000}}
+
+[kyc-measure-accept-tos]
+CHECK_NAME = form-accept-tos
+PROGRAM = check-tos
+# 157680000000000 is 5 years (in microseconds)
+CONTEXT = {"tos_url":"https://exchange.taler-ops.ch/terms","provider_name":"Taler Operations AG", "expiration_time":{"d_us": 157680000000000}, "successor_measure":"accept-tos"}
+VOLUNTARY = NO
+
+[kyc-measure-kyx]
+CHECK_NAME = form-vqf-902.1
+PROGRAM = tops-kyx-check
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-form-902.9]
+CHECK_NAME = form-vqf-902.9
+# FIXME: address validation via PIN instead!
+PROGRAM = preserve-investigate
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-form-902.11]
+CHECK_NAME = form-vqf-902.11
+PROGRAM = preserve-investigate
+# FIXME: in the future, change to:
+# PROGRAM = tops-check-controlling-entity
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-form-902.12]
+CHECK_NAME = form-vqf-902.12
+# FIXME: address validation via PIN instead!
+PROGRAM = preserve-investigate
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-form-902.13]
+CHECK_NAME = form-vqf-902.13
+# FIXME: address validation via PIN instead!
+PROGRAM = preserve-investigate
+VOLUNTARY = NO
+CONTEXT = {}
+
+[kyc-measure-form-902.15]
+CHECK_NAME = form-vqf-902.15
+# FIXME: address validation via PIN instead!
+PROGRAM = preserve-investigate
+VOLUNTARY = NO
+CONTEXT = {}
+
+# ##################### KYC checks ###########################
+
+[kyc-check-form-info-internal-error]
+TYPE = INFO
+DESCRIPTION = "We encountered an internal error. Staff has been notified. Please be patient."
+DESCRIPTION_I18N = {"de":"Interner Fehler. Mitarbeiter wurden informiert. Bitte warten."}
+FALLBACK = default-investigate
+
+[kyc-check-form-info-investigation]
+TYPE = INFO
+DESCRIPTION = "Staff is checking your case. Please be patient."
+DESCRIPTION_I18N = {"de":"Mitarbeiter prüfen ihren Fall. Bitte warten."}
+FALLBACK = default-investigate
+
+[kyc-check-sms-registration]
+TYPE = LINK
+PROVIDER_ID = sms-challenger
+DESCRIPTION = "Confirm Swiss mobile phone number via SMS TAN"
+DESCRIPTION_I18N = {"de":"Schweizer Mobiltelefonnummer via SMS TAN bestätigen"}
+OUTPUTS = "CONTACT_PHONE"
+FALLBACK = default-investigate
+
+[kyc-check-email-registration]
+TYPE = LINK
+PROVIDER_ID = email-challenger
+DESCRIPTION = "Confirm email address via TAN"
+DESCRIPTION_I18N = {"de":"Email addresse via TAN bestätigen"}
+OUTPUTS = "CONTACT_EMAIL"
+FALLBACK = default-investigate
+
+[kyc-check-postal-registration]
+TYPE = LINK
+PROVIDER_ID = postal-challenger
+DESCRIPTION = "Register Swiss postal address via TAN letter"
+DESCRIPTION_I18N = {"de":"Schweizer Addresse via TAN Brief bestätigen"}
+OUTPUTS = "PERSON_FULL_NAME ADDRESS_STREET ADDRESS_TOWN_LOCATION ADDRESS_ZIPCODE ADDRESS_COUNTRY_CC"
+FALLBACK = default-investigate
+
+# This check can be triggered by AML programs and/or AML officers,
+# it do not appear directly in this configuration as it is triggered
+# only indirectly.
+[kyc-check-kycaid-individual]
+TYPE = LINK
+PROVIDER_ID = kycaid-individual
+DESCRIPTION = "Provider personal identification data via KYCAID provider"
+DESCRIPTION_I18N = {"de":"Persönliche Identifikation via KYCAID Service druchführen"}
+OUTPUTS = "PERSON_FULL_NAME PERSON_DATE_OF_BIRTH PERSON_NATIONALITY_CC ADDRESS_STREET ADDRESS_TOWN_LOCATION ADDRESS_ZIPCODE ADDRESS_COUNTRY_CC PERSON_NATIONAL_ID_SCAN TAX_ID"
+FALLBACK = default-investigate
+
+# This check can be triggered by AML programs and/or AML officers,
+# it do not appear directly in this configuration as it is triggered
+# only indirectly.
+[kyc-check-kycaid-business]
+TYPE = LINK
+PROVIDER_ID = kycaid-business
+DESCRIPTION = "Provide business identification via KYCAID provider"
+DESCRIPTION_I18N = {"de":"Geschäftsidentifikation via KYCAID durchführen"}
+# FIXME: correct output labels? FIXME: questionable we can get those from KYCAID...
+# FIXME: lower case names are missing in GANA
+OUTPUTS = "BUSINESS_NAME ADDRESS_STREET ADDRESS_TOWN_LOCATION ADDRESS_ZIPCODE ADDRESS_COUNTRY_CC company_identification_document power_of_atorney_document BUSINESS_REGISTRATION_ID business_registration_document registration_authority_name tops_controlling_owner_identifications"
+FALLBACK = default-investigate
+
+# FIXME: consider moving these into the exchange default config!
+[kyc-check-form-accept-tos]
+TYPE = FORM
+FORM_NAME = accept-tos
+DESCRIPTION = "Ask user to accept Taler Operations terms of service"
+DESCRIPTION_I18N = {"de":"Geschäftsbedingungen akzeptieren"}
+# This form field must be set to the etag (!) of the accepted /terms!
+OUTPUTS = ACCEPTED_TERMS_OF_SERVICE
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.1]
+TYPE = FORM
+FORM_NAME = vqf_902_1_customer
+DESCRIPTION = "Ask user to supply VQF form 902.1"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.1 hochladen"}
+OUTPUTS = CUSTOMER_TYPE CUSTOMER_TYPE_VQF
+# OPTIONAL: NAME, ADDRESS, ID DOCS, ETC. DEPENDING ON LEGAL ENEITYT TYPE
+# => aml program will decide on legal entity type between no more forms
+# or vqf_902_9, 11, 12, 13, 15. => after that, AML officer
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.9]
+TYPE = FORM
+FORM_NAME = vqf_902_9
+DESCRIPTION = "Ask user to supply VQF form 902.9"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.9 hochladen"}
+OUTPUTS = SUBMITTED_BY CONTRACTING_PARTY BENEFICIAL_OWNER_LIST
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.11]
+TYPE = FORM
+FORM_NAME = vqf_902_11
+DESCRIPTION = "Ask user to supply VQF form 902.11"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.11 hochladen"}
+OUTPUTS = SUBMITTED_BY CONTRACTING_PARTY CONTROL_REASON CONTROLLING_LIST THIRD_PARTY_OWNERSHIP
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.12]
+TYPE = FORM
+# FIXME : This form will not be supported for the TOPS MVP
+FORM_NAME = vqf_902_12
+DESCRIPTION = "Ask user to supply VQF form 902.12"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.12 hochladen"}
+# FIXME: list correct outputs for each form here (and update GANA)
+OUTPUTS = LEGAL_ENTITY_TYPE
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.13]
+TYPE = FORM
+# FIXME : This form will not be supported for the TOPS MVP
+FORM_NAME = vqf_902_13
+DESCRIPTION = "Ask user to supply VQF form 902.13"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.13 hochladen"}
+# FIXME: list correct outputs for each form here (and update GANA)
+OUTPUTS = LEGAL_ENTITY_TYPE
+FALLBACK = preserve-investigate
+
+[kyc-check-form-vqf-902.15]
+TYPE = FORM
+# FIXME : This form will not be supported for the TOPS MVP
+FORM_NAME = vqf_902_15
+DESCRIPTION = "Ask user to supply VQF form 902.15"
+DESCRIPTION_I18N = {"de":"Formular VQF 902.15 hochladen"}
+# FIXME: list correct outputs for each form here (and update GANA)
+OUTPUTS = LEGAL_ENTITY_TYPE
+FALLBACK = preserve-investigate
+
+#[kyc-measure-tops-check-controlling-entity]
+#TYPE = SKIP
+#CONTEXT = {}
+#PROGRAM = tops-check-controlling-entity
+
+[kyc-measure-preserve-investigate]
+TYPE = SKIP
+CONTEXT = {}
+PROGRAM = preserve-investigate
+
+[kyc-measure-default-investigate]
+TYPE = SKIP
+CONTEXT = {}
+PROGRAM = default-investigate
+
+
+# ##################### AML programs #########################
+
+[aml-program-freeze-investigate]
+DESCRIPTION = "Fallback measure on errors that freezes the account and asks AML staff to investigate the system failure."
+COMMAND = taler-exchange-helper-measure-freeze
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-default-investigate]
+DESCRIPTION = "Fallback measure on errors that keeps default rules on the account but asks AML staff to investigate the system failure."
+COMMAND = taler-exchange-helper-measure-defaults-but-investigate
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-preserve-investigate]
+DESCRIPTION = "Fallback measure on errors that preserves current rules on the account but asks AML staff to investigate the system failure."
+COMMAND = taler-exchange-helper-measure-preserve-but-investigate
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-inform-investigate]
+DESCRIPTION = "Measure that asks AML staff to investigate an account and informs the account owner about it."
+COMMAND = taler-exchange-helper-measure-inform-investigate
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+# this program should require context 'tos_url' and 'provider_name'
+# and require attribute "ACCEPTED_TERMS_OF_SERVICE"
+[aml-program-check-tos]
+DESCRIPTION = "Measure that enables deposits after the ToS have been accepted."
+COMMAND = taler-exchange-helper-measure-enable-deposits
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-preserve-set-expire-from-context]
+DESCRIPTION = "Measure that preserves the current rules but sets them to expire based on the context. The successor measure to activate on expiration can also be specified in the context. Useful when AML staff merely wants to set an expiration date."
+COMMAND = taler-exchange-helper-measure-preserve-set-expiration
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-preserve-set-expire-from-context]
+DESCRIPTION = "Measure that modifies the current rules by combining them with those from the context. The expiration time and successor measure to activate on expiration can also be specified in the context. Useful when AML staff merely wants to update rules."
+COMMAND = taler-exchange-helper-measure-update-from-context
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-tops-sms-check]
+DESCRIPTION = "Program that checks that the user was able to receive an SMS at a Swiss mobile phone number. Enables receiving P2P payments by lifiting kyc-rule-p2p-domestic-identification-requirement and also lifts the kyc-rule-withdraw-limit-low. The new rules expire after 2 years."
+COMMAND = taler-exchange-helper-measure-tops-sms-check
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-tops-postal-check]
+DESCRIPTION = "Program that checks that the user was able to postal mail at a Swiss postal address. Enables receiving P2P payments by lifiting kyc-rule-p2p-domestic-identification-requirement and also lifts the kyc-rule-withdraw-limit-low. The new rules expire after 5 years."
+COMMAND = taler-exchange-helper-measure-tops-postal-check
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+[aml-program-tops-kyx-check]
+DESCRIPTION = "Program that determines what kind of KYC/KYB process should be run based on a first form supplied by the user. Determines the next checks to run. Always concludes by passing all results to an AML officer. Rules are preserved."
+COMMAND = taler-exchange-helper-measure-tops-kyx-check
+ENABLED = YES
+FALLBACK = freeze-investigate
+
+# FIXME: enable with new debian package...
+#[aml-program-tops-check-controlling-entity]
+#DESCRIPTION = "Program that checks if the 'Controlling entity 3rd persion' checkbox was set, and if so triggers the optional form VQF 902.9. Then in either case ensures we run the address validation logic. Always concludes by passing all results to an AML officer. Rules are preserved."
+# COMMAND = taler-exchange-helper-measure-tops-3rdparty-check
+#ENABLED = YES
+#FALLBACK = freeze-investigate
+
+
+###########
+# GLS Forms
+###########
+
+[kyc-check-form-gls-onboarding]
+TYPE = FORM
+FORM_NAME = gls-onboarding
+DESCRIPTION = "testing gls onboarding"
+DESCRIPTION_I18N = {"de":"w"}
+OUTPUTS = PERSON_FULL_NAME PERSON_LAST_NAME CONTACT_PHONE CONTACT_EMAIL ACCEPTED_TERMS_OF_SERVICE BUSINESS_DISPLAY_NAME BUSINESS_REGISTRATION_ID BUSINESS_LEGAL_JURISDICTION BUSINESS_REGISTRATION_DATE BUSINESS_IS_NON_PROFIT BUSINESS_INDUSTRY ADDRESS_STREET_NAME ADDRESS_STREET_NUMBER ADDRESS_COUNTRY_CC TAX_COUNTRY_CC TAX_IS_USA_LAW TAX_IS_ACTIVE TAX_IS_DEDUCTED BUSINESS_LEGAL_REPRESENTATIVES
+FALLBACK = preserve-investigate
diff --git a/data/setup-kyc-simple.sh b/data/setup-kyc-simple.sh
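Review bot: `[aml-program-preserve-set-expire-from-context]` is declared twice with different `COMMAND`s (`taler-exchange-helper-measure-preserve-set-expiration` and `taler-exchange-helper-measure-update-from-context`); how the exchange's parser resolves a duplicate section is not visible here, but at best one of the two programs silently disappears, and the second block's DESCRIPTION ("modifies the current rules by combining them with those from the context") shows it needs its own name, something like `[aml-program-update-from-context]` (a constructed name matching the COMMAND suffix). `[kyc-measure-preserve-investigate]` and `[kyc-measure-default-investigate]` use `TYPE = SKIP`, whereas every other uncommented measure in this file, `[kyc-measure-freeze-investigate]` included, selects the skip check with `CHECK_NAME = skip` (and `[kyc-measure-freeze]` in `setup-kyc-simple.sh` does the same); since these two are the `FALLBACK` of nearly every check, it is worth confirming they are parsed as intended rather than ignored. The three `kyc-rule-balance-testing-limit*` rules are commented as test-only yet ship with `ENABLED = YES` and CHF:1/5/10 thresholds, `limit5` routing straight to the non-voluntary `kyx` measure; a header comment marking this file as sandcastle-only, or `ENABLED = NO` by default with a comment on how to switch them on, would keep them from being copied into a real deployment. Several `DESCRIPTION` strings, presumably shown to users, carry typos (`Provider personal identification`, `druchführen`, `Addresse`, `lifiting`, `persion`, `ENEITYT`).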
@@ -0,0 +1,119 @@
+cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-kyc.conf
+[exchange]
+enable_kyc = yes
+
+AML_SPA_DIALECT = $AML_SPA_DIALECT
+
+[kyc-rule-r1]
+OPERATION_TYPE = withdraw
+ENABLED = yes
+EXPOSED = yes
+IS_AND_COMBINATOR = YES
+THRESHOLD = $CURRENCY:10
+TIMEFRAME = 1h
+NEXT_MEASURES = m1 m2
+
+[kyc-rule-r2]
+OPERATION_TYPE = balance
+ENABLED = yes
+EXPOSED = yes
+IS_AND_COMBINATOR = YES
+THRESHOLD = $CURRENCY:100
+TIMEFRAME = forever
+NEXT_MEASURES = m1 m2
+
+[kyc-measure-m1]
+CHECK_NAME = c1
+CONTEXT = {}
+PROGRAM = p1
+
+[aml-program-p1]
+COMMAND = /data/sandcastle-amp-form
+ENABLED = true
+DESCRIPTION = test p1
+FALLBACK = freeze
+
+[kyc-check-c1]
+TYPE = FORM
+FORM_NAME = name_and_dob
+DESCRIPTION = name and date of birth
+OUTPUTS = full_name birthdate
+FALLBACK = freeze
+
+[kyc-measure-m2]
+CHECK_NAME = c2
+CONTEXT = {}
+PROGRAM = p2
+
+[kyc-measure-freeze]
+CHECK_NAME = SKIP
+CONTEXT = {}
+PROGRAM = freeze
+
+[aml-program-freeze]
+COMMAND = taler-exchange-helper-measure-freeze
+ENABLED = true
+DESCRIPTION = freeze all operations on the account
+FALLBACK = freeze
+
+[aml-program-p2]
+COMMAND = /data/sandcastle-amp-email
+ENABLED = true
+DESCRIPTION = check for validated email address in attributes
+FALLBACK = freeze
+
+[kyc-check-c2]
+TYPE = LINK
+PROVIDER_ID = mychallenger
+DESCRIPTION = email verification via challenger
+OUTPUTS = email
+FALLBACK = freeze
+
+#
+# GLS KYC
+#
+
+[aml-program-nop]
+COMMAND = /bin/true
+ENABLED = true
+DESCRIPTION = do nothing
+FALLBACK = freeze
+
+[kyc-measure-test-gls]
+CHECK_NAME = form-gls-onboarding
+PROGRAM = nop
+CONTEXT = {}
+VOLUNTARY = NO
+
+
+[kyc-check-form-gls-onboarding]
+TYPE = FORM
+FORM_NAME = gls-onboarding
+DESCRIPTION = "testing gls onboarding"
+DESCRIPTION_I18N = {"de":"w"}
+OUTPUTS =
+FALLBACK = freeze
+
+[kyc-rule-test1]
+OPERATION_TYPE = BALANCE
+NEXT_MEASURES = test-gls
+IS_AND_COMBINATOR = NO
+EXPOSED = YES
+THRESHOLD = $CURRENCY:1000010
+TIMEFRAME = forever
+ENABLED = YES
+
+# end of GLS-style KYC
+
+[kyc-provider-mychallenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+EOF
+
diff --git a/data/setup-kyc-tops.sh b/data/setup-kyc-tops.sh
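Review bot: The heredoc writes `KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET` into `/etc/taler-exchange/conf.d/sandcastle-kyc.conf` with whatever mode the caller's umask yields, which is typically world-readable; the same applies to the five provider blocks in `setup-kyc-tops.sh`. Because this file is `source`d from `setup-sandcastle.sh` rather than executed, a `umask 077` here would leak into the caller, so tightening after the write is the safer form, e.g. `chmod 0640 /etc/taler-exchange/conf.d/sandcastle-kyc.conf` (the owner/group the exchange reads its conf.d as is not visible here). The unquoted heredoc also expands an unset `$CHALLENGER_CLIENT_ID` or `$CHALLENGER_CLIENT_SECRET` to an empty value without any error, yielding a provider that cannot authenticate; `: "${CHALLENGER_CLIENT_SECRET:?must be set}"` before the `cat` fails closed instead. A one-line header comment stating that this script is sourced and which variables it expects (`CURRENCY`, `AML_SPA_DIALECT`, `PROTO`, `CHALLENGER_DOMAIN`, `PORT_SUFFIX`, `CHALLENGER_CLIENT_ID`, `CHALLENGER_CLIENT_SECRET`) would document that contract.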
@@ -0,0 +1,64 @@
+cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-kyc.conf
+[exchange]
+enable_kyc = yes
+
+AML_SPA_DIALECT = $AML_SPA_DIALECT
+
+[kyc-provider-sms-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+
+[kyc-provider-email-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+
+[kyc-provider-postal-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+
+[kyc-provider-kycaid-individual]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+
+[kyc-provider-kycaid-business]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2d
+KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
+KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
+KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
+KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
+KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
+KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
+KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
+EOF
+
+ sed -e "s/CHF:/$CURRENCY:/g" /data/kyc-rules-tops.conf >>/etc/taler-exchange/conf.d/sandcastle-kyc.conf
diff --git a/overrides/talerkyc.localhost b/overrides/talerkyc.localhost
@@ -6,5 +6,6 @@ ALT_UNIT_NAME=KYCS
 NAME=Kycdos
 ENABLE_KYC=1
-
+KYC_DIALECT=tops
 AML_SPA_DIALECT=gls
+
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
@@ -700,129 +700,13 @@ taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
 ## Configure KYC if enabled ##
-if [[ ${ENABLE_KYC:-0} == 1 ]]; then
+if [[ ${ENABLE_KYC:-0} = 1 ]]; then
   # KYC config
-  cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-kyc.conf
-[exchange]
-enable_kyc = yes
-
-AML_SPA_DIALECT = $AML_SPA_DIALECT
-
-[kyc-rule-r1]
-OPERATION_TYPE = withdraw
-ENABLED = yes
-EXPOSED = yes
-IS_AND_COMBINATOR = YES
-THRESHOLD = $CURRENCY:10
-TIMEFRAME = 1h
-NEXT_MEASURES = m1 m2
-
-[kyc-rule-r2]
-OPERATION_TYPE = balance
-ENABLED = yes
-EXPOSED = yes
-IS_AND_COMBINATOR = YES
-THRESHOLD = $CURRENCY:100
-TIMEFRAME = forever
-NEXT_MEASURES = m1 m2
-
-[kyc-measure-m1]
-CHECK_NAME = c1
-CONTEXT = {}
-PROGRAM = p1
-
-[aml-program-p1]
-COMMAND = /data/sandcastle-amp-form
-ENABLED = true
-DESCRIPTION = test p1
-FALLBACK = freeze
-
-[kyc-check-c1]
-TYPE = FORM
-FORM_NAME = name_and_dob
-DESCRIPTION = name and date of birth
-OUTPUTS = full_name birthdate
-FALLBACK = freeze
-
-[kyc-measure-m2]
-CHECK_NAME = c2
-CONTEXT = {}
-PROGRAM = p2
-
-[kyc-measure-freeze]
-CHECK_NAME = SKIP
-CONTEXT = {}
-PROGRAM = freeze
-
-[aml-program-freeze]
-COMMAND = taler-exchange-helper-measure-freeze
-ENABLED = true
-DESCRIPTION = freeze all operations on the account
-FALLBACK = freeze
-
-[aml-program-p2]
-COMMAND = /data/sandcastle-amp-email
-ENABLED = true
-DESCRIPTION = check for validated email address in attributes
-FALLBACK = freeze
-
-[kyc-check-c2]
-TYPE = LINK
-PROVIDER_ID = mychallenger
-DESCRIPTION = email verification via challenger
-OUTPUTS = email
-FALLBACK = freeze
-
-#
-# GLS KYC
-#
-
-[aml-program-nop]
-COMMAND = /bin/true
-ENABLED = true
-DESCRIPTION = do nothing
-FALLBACK = freeze
-
-[kyc-measure-test-gls]
-CHECK_NAME = form-gls-onboarding
-PROGRAM = nop
-CONTEXT = {}
-VOLUNTARY = NO
-
-
-[kyc-check-form-gls-onboarding]
-TYPE = FORM
-FORM_NAME = gls-onboarding
-DESCRIPTION = "testing gls onboarding"
-DESCRIPTION_I18N = {"de":"w"}
-OUTPUTS =
-FALLBACK = freeze
-
-[kyc-rule-test1]
-OPERATION_TYPE = BALANCE
-NEXT_MEASURES = test-gls
-IS_AND_COMBINATOR = NO
-EXPOSED = YES
-THRESHOLD = $CURRENCY:1000010
-TIMEFRAME = forever
-ENABLED = YES
-
-# end of GLS-style KYC
-
-[kyc-provider-mychallenger]
-LOGIC = oauth2
-# This does not seem to be used, but required and documented?!
-CONVERTER = /bin/true
-KYC_OAUTH2_VALIDITY = 2d
-KYC_OAUTH2_CLIENT_ID = $CHALLENGER_CLIENT_ID
-KYC_OAUTH2_CLIENT_SECRET = $CHALLENGER_CLIENT_SECRET
-KYC_OAUTH2_AUTHORIZE_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/authorize#setup"
-KYC_OAUTH2_TOKEN_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/token"
-KYC_OAUTH2_INFO_URL = "$PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/info"
-KYC_OAUTH2_POST_URL = "https://taler.net/en/kyc-done.html"
-KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
-EOF
-
+  if [[ ${KYC_DIALECT:-simple} = simple ]]; then
+    source /data/setup-kyc-simple.sh
+  elif [[ ${KYC_DIALECT:-simple} = tops ]]; then
+    source /data/setup-kyc-tops.sh
+  fi
 else
   rm -f /etc/taler-exchange/conf.d/sandcastle-kyc.conf
 fi
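Review bot: The new `if`/`elif` on `KYC_DIALECT` has no `else`, so a misspelt or unknown dialect (anything other than `simple` or `tops`) writes no `sandcastle-kyc.conf` at all while `ENABLE_KYC=1` still holds, and because the `rm -f` only runs in the outer `else`, a stale file from an earlier run is kept silently. Failing loudly is the safer default here, e.g. `else echo "unknown KYC_DIALECT: ${KYC_DIALECT}" >&2; exit 1; fi`. Since both sourced scripts write the same file, the branch could also collapse to `source "/data/setup-kyc-${KYC_DIALECT:-simple}.sh"` behind a `[[ -r ... ]]` check, so a new dialect does not need another `elif`. The `==` → `=` change on the `ENABLE_KYC` test is purely stylistic inside `[[ ]]`.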