Skip to content

Enforce UK consent check on aggregate endpoints, upgrade 403 assertions, fix build-script hang#2873

Open
hongwei1 wants to merge 9 commits into
OpenBankProject:developfrom
hongwei1:develop-obp
Open

Enforce UK consent check on aggregate endpoints, upgrade 403 assertions, fix build-script hang#2873
hongwei1 wants to merge 9 commits into
OpenBankProject:developfrom
hongwei1:develop-obp

Conversation

@hongwei1

@hongwei1 hongwei1 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Enforce the UK consent check on the aggregate AISP balances/transactions endpoints (GET /aisp/balances, GET /aisp/transactions) — previously only the per-account endpoints checked it, letting a token with no bound consent through to real data or a 500 instead of the expected 403. Also fixes createTransactionsJsonNew to take the AccountId from the request path instead of deriving it from the first transaction's bank account (returned null when the account had no transactions).
  • Upgrade the 3 checkUKConsent-gated v4.0.1 endpoints (getAccounts, getAccountsAccountIdBalances, getAccountsAccountIdTransactions) from a weak "authenticated -> not 401" test assertion to a real, deterministic 403 ConsentIdClaimMissing assertion — now that checkUKConsent reads the consent_id claim off the Bearer token directly (no external Hydra call), OAuth1-signed test requests deterministically fail the claim lookup.
  • Fix a hang in flushall_build_and_run.sh's background server launch: > >(tee "$RUNTIME_LOG") is a process substitution whose tee inherits the script's own stdout, so a caller capturing this script's output via out=$(...) never sees EOF (the server never exits, so neither does the tee backing the substitution) — even after the server started successfully. Redirect straight to the log file instead.
  • Print the actually-bound PORT from both flushall_build_and_run.sh and flushall_fast_build_and_run.sh's background-mode output (previously only PID was printed), so callers that parse the script's output (e.g. a local smoke-test wrapper) can find the right port to poll instead of failing with "port not printed" even on a successful start.
  • Remove stale "requires live Hydra" comments from the UK v4.0.1 test suite, left over after checkUKConsent moved off the Hydra dependency.

Test plan

  • run_tests_parallel.sh — all 4 shards passed, 3125 tests / 0 failures
  • UKOpenBankingV401AccountInfoTests — 61/61 passed after the consent-check + comment merge
  • Full 6-step build/run smoke test (full build + fast incremental build, both start the server and answer /root) — verified clean after the script fixes, twice
  • Verified the process-substitution hang fix in isolation (old pattern times out under a bounded wait; new pattern returns immediately)

hongwei1 added 9 commits July 15, 2026 12:55
… endpoints

GET /aisp/balances and GET /aisp/transactions fetched every private
account for the caller without validating the bearer token's UK
consent binding first, unlike every sibling AISP endpoint (including
their own single-account counterparts). A DirectLogin or OAuth2 token
with no bound consent fell through into the account-fetch path and
surfaced as a 500 Unknown Error instead of the expected 403
OBP-35035, and callers with real consent got real account data with
no consent enforcement at all.

Add the same checkUKConsent + passesPsd2Aisp guard already used by
getAccountsAccountIdBalances and getAccountsAccountIdTransactions so
all five real-data AISP endpoints share one consent contract.

Also fix createTransactionsJsonNew to take the AccountId from the
request path instead of deriving it from the first transaction's
bank account, which returned a null AccountId whenever the account
had no transactions.
# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
…ubstitution

Redirecting to > >(tee "$RUNTIME_LOG") makes the tee process inherit this
script's own stdout. A caller that captures this script's output with
out=$(./flushall_build_and_run.sh --background ...) never sees EOF, because
the long-running server (and the tee backing the substitution) never exits
on its own — the command substitution hangs forever even though the server
started successfully. Redirect straight to the log file instead.
checkUKConsent no longer needs a live Hydra introspection endpoint — it
checks the Bearer token's consent_id claim against an AUTHORISED consent.
Two comments describing the balances/transactions scenarios still referred
to the removed Hydra dependency; align them with the class doc above, which
was already corrected during the merge from Simon/develop.
… v4.0.1 endpoints

develop's Hydra removal (PR OpenBankProject#2866) rewrote ConsentUtil.checkUKConsent to read the
consent_id claim directly off the Bearer access token instead of calling an
external Hydra introspection endpoint. That was the only blocker keeping
getAccounts/getAccountsAccountIdBalances/getAccountsAccountIdTransactions on a
weak "authenticated -> not 401" assertion (mirroring the same limitation in
UKOpenBankingV310AisTests for the equivalent v3.1 endpoints).

The OAuth1-signed test requests carry no Bearer JWT, so the consent_id claim
lookup now fails deterministically with 403 ConsentIdClaimMissing — asserted
directly (status code + error message) instead of the previous placeholder.
…ent-403-assertions

# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
…tions' into develop-obp

# Conflicts:
#	obp-api/src/test/scala/code/api/UKOpenBanking/v4_0_1/UKOpenBankingV401AccountInfoTests.scala
Neither flushall_build_and_run.sh nor flushall_fast_build_and_run.sh printed
the port the server actually binds, only its PID. smoke_test.sh's
start_and_test() parses "PID: <n>" and "PORT: <n>" from the script's captured
output to know where to poll /root; with no PORT line it fails fast with
"未打印实际监听端口" even after the server started and bound successfully,
leaving the server running with nothing to verify it or clean it up.

Print the actual dev.port value read from props/default.props (falling back
to 8080) right after the PID line in both scripts' background-mode branch.
@sonarqubecloud

Copy link
Copy Markdown

@hongwei1 hongwei1 changed the title Develop obp Enforce UK consent check on aggregate endpoints, upgrade 403 assertions, fix build-script hang Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant