GithubHelp home page GithubHelp logo

consumerdataright / mock-data-holder Goto Github PK

View Code? Open in Web Editor NEW
17.0 16.0 22.0 13.88 MB

A mock version of a Consumer Data Right Data Holder solution that can be used in the development and testing of CDR solutions

License: MIT License

Batchfile 0.46% C# 96.86% Dockerfile 1.97% Shell 0.25% PowerShell 0.46%
cdr open-banking consumer-data-right

mock-data-holder's People

Contributors

cdr-amirm avatar cdr-andrewg avatar cdr-ct avatar cdr-davidr avatar cdr-daviesg avatar cdr-df avatar cdr-evanr avatar cdr-farooqk avatar dependabot[bot] avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

cdr-daviesg cdr-davidr cdr-ks kaichiuwong marinabasiq yanhernan mhechavarria jithin-sukumar paypalaustralia cloudentity jamesmbligh mark202 cdr-amirm perlboy cdr-df frednerk888 natepage abeheron1 cdr-andrewg ganesanshanmugamn devfaru

mock-data-holder's Issues

MockData response modes not advertised via OIDC discovery endpoint (and not equivalent to the default)

We have identified that the MockDataHolder currently only supports "form_post" and "fragment" for "response_mode" values. If we try to pass in "query" it returns an error via callback:  "Invalid response_mode for response_type".

When we view the MockDataHolder's OIDC discovery endpoint on the sandbox (https://dh-bank.idp.cdrsandbox.gov.au/.well-known/openid-configuration) the claim "response_modes_support" is not supplied. Based on RFC 8414 (https://www.rfc-editor.org/rfc/rfc8414.html) it is an optional field, but if omitted the default is ["query", "fragment"].

We suggest that to make MockDataHolder compliant, since it only supports "form_post" and "fragment", it should include the claim "response_modes_support" with the value ["form_post", "fragment"].

Energy API implementation?

Hi,

Do you know when the Energy API and FAPI 1.0 Advanced Final implementations will be available to utilise?

Thanks!

Improve Static Application Security Testing Results

Describe the bug

I notice you've got Sonarqube setup as a workflow action however none of the identified issues (which also pinged on our internal SAST analyser) appear to have been fixed.

Consequently, I've forked the code and produced a public version of Sonarqube analysis which provides an overall score of E.

Notable concerns are:

  1. Use of MD5 for seeding AES
  2. Disabling of TLS verification instead of using a local CA
  3. Apparent Redirect URLs based on User Input

I believe all 3 of these are OWASP baselines, there's a further 307 code smells noted: https://sonarcloud.io/project/issues?resolved=false&types=CODE_SMELL&id=perlboy_mock-data-holder

To Reproduce
Steps to reproduce the behavior:

  1. Enable Sonarqube
  2. Work through issues
  3. Fix code

Expected behaviour

Good code quality should be a prerequisite when promoting an example data holder within a highly secure ecosystem.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
image

Mismatch between the Docker command, Docker Compose and the hosts entry file

Hi Team,

Thanks for this wonderful mocks utility. It's really helping us a lot.

There are some typos or mismatch between the Docker command, Docker Compose and the hosts entry file.

Here in docker command we are setting host -h as "mock-cdr-data-holder" but in host and docker compose as "mock-data-holder". The same issues is with register and data recipient as well.

Docker Command:

docker run -d -h mock-cdr-data-holder -p 8000:8000 -p 8001:8001 -p 8002:8002 -p 8005:8005 --name mock-cdr-data-holder consumerdataright/mock-data-holder

Docker Compose:
docker run -d -h mock-data-holder -p 8000:8000 -p 8001:8001 -p 8002:8002 -p 8003:8003 -p 8004:8004 -p 8005:8005 --name mock-data-holder consumerdataright/mock-data-holder

Host Entry:
127.0.0.1 mock-data-holder
127.0.0.1 mock-data-recipient
127.0.0.1 mock-register

Thanks,
Daniel Jeganathan

Software Product Not Available

Describe the bug

I am receiving a 400 when hitting the PAR endpoint in the mock data holder:

{"error":"invalid_request","error_description":"Software Product Status is invalid"}

The logs are mentioning the software product is not available, but I run DCR immediately before the PAR.

To Reproduce
Steps to reproduce the behavior:

  1. Start the mock-register and mock-data-holder with docker compose and seed data (truncated) for my environment.
  2. Do everything required to get a client id with the mock data holder.
  3. Hit the par endpoint with my client assertions.
  4. See error

Expected behaviour

I don't think I should see an error?!

Additional context

I can hit the GET registration/{id} endpoint, so I assume my product should be active and available.

I can also get successful responses from the data recipients status endpoint.

Refresh token itself gets invalidated after refreshing access token

Describe the bug
When the token endpoint (/connect/token) is invoked with refresh_token grant for the first time, it returns a new access token but the subsequent calls with the returned refresh_token fails (since it isn't a rotating refreshing token, same refresh_token is returned). Apparently, the code is revoking the refresh token from PersistedGrant DB but returning the same refresh_token.

To Reproduce
Steps to reproduce the behavior:

  1. Generate a request_uri using pushed_authorization_request_endpoint (/connect/par)
  2. Follow the consequent OAuth flow and grant consent to bank account(s)
  3. Call the refresh token endpoint (/connect/token) with the refresh token received in step-2
  4. Repeat step-3 with the refresh_token received in step-3
  5. See error

Expected behaviour
Calling the token endpoint multiple times with the refresh token returned in step-3 should always generate a new access token unless the sharing_duration has expired.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
I am not completely aware of the mock-data-holder code base but I suspect that the issue is caused because the refresh token's key is being revoked from PersistedGrant database when handling the ProcessRefreshTokenRequestAsync. As a hot-fix, I made a small change for my local development environment and it works as expected but I am not completely sure if this is the appropriate way. Any comments or suggestions from the mock-data-holder maintainers will be appreciated.

Endpoint returns a 400 error but no error object

Describe the bug
The standard stipulates that if a http error code 400 is returned the body should contain an error object.

To Reproduce
Steps to reproduce the behavior:

  1. Follow the setup instructions as per ReadME file, then Run the mock-data-holder, mock-register, mock-data-recipient as Docker container
  2. Start at https://localhost:9001 and go through the process of "Discover Data Holders", "Get SSA", "Dynamic Client Registration", "Consent and Authorisation"
  3. Click on the Authorisation URI, login, verify, and then get an access token
  4. In the Postman collection run the Get Common Customer person request with the access token in the header. This will return an Http code 400 with an empty error object.

Expected behaviour
If a 400 code is returned the body should have an error object

Screenshots

ErrorCapture

Additional context
If you hit this endpoint and change the x-v version to a higher number, the result is as expected. That is a 406 is returned with an appropriate error message. If you hit that endpoint with an invalid access token, the result is as expected, ie a 401 is returned

UI configurable validity period for access token

It would be good to be able to configure the validity period of the access token (currently 5 minutes). Currently this is configured in the start up configuration. However, it would be useful if the could be set somewhere in the UI.

Docker image fails to build.

Describe the bug

Docker image fails to build.

To Reproduce

cd Source
docker build -t daty .

Expected behaviour

A docker image should be built. (Logs below)

Screenshots

➜  Source git:(main) docker build -t daty .
[+] Building 1.2s (30/87)                                                                                                    
 => [internal] load build definition from Dockerfile                                                                    0.0s
 => => transferring dockerfile: 8.08kB                                                                                  0.0s
 => [internal] load .dockerignore                                                                                       0.0s
 => => transferring context: 358B                                                                                       0.0s
 => [internal] load metadata for mcr.microsoft.com/dotnet/sdk:6.0                                                       0.2s
 => [internal] load metadata for mcr.microsoft.com/dotnet/aspnet:6.0                                                    0.2s
 => [internal] load metadata for docker.io/library/node:14-alpine                                                       0.7s
 => [build 1/3] FROM mcr.microsoft.com/dotnet/sdk:6.0@sha256:a3bbff689a86ba7f3ddcee5089a729b20e20e3b4dbfb9d0a43bb3284d  0.0s
 => [internal] load build context                                                                                       0.1s
 => => transferring context: 23.45kB                                                                                    0.1s
 => CACHED [base 1/6] FROM mcr.microsoft.com/dotnet/aspnet:6.0@sha256:f76f95813a87d711928c6b02335614f328cc1c9c53315137  0.0s
 => CANCELED [ui-build  1/14] FROM docker.io/library/node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822  0.2s
 => => resolve docker.io/library/node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b3  0.1s
 => => sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33 1.43kB / 1.43kB                          0.0s
 => => sha256:4e84c956cd276af9ed14a8b2939a734364c2b0042485e90e1b97175e73dfd548 1.16kB / 1.16kB                          0.0s
 => => sha256:0dac3dc27b1ad570e6c3a7f7cd29e88e7130ff0cad31b2ec5a0f222fbe971bdb 6.44kB / 6.44kB                          0.0s
 => CANCELED [base 2/6] RUN apt-get update                                                                              0.3s
 => CACHED [ui-build  2/14] WORKDIR /app                                                                                0.0s
 => CACHED [ui-build  3/14] RUN npm install react-scripts@latest -g                                                     0.0s
 => ERROR [ui-build  4/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/package.json package.json                     0.0s
 => ERROR [ui-build  5/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/package-lock.json package-lock.json           0.0s
 => ERROR [ui-build  6/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/craco.config.js craco.config.js               0.0s
 => ERROR [ui-build  7/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/.env.production .env.local                    0.0s
 => CACHED [ui-build  8/14] RUN npm ci                                                                                  0.0s
 => ERROR [ui-build  9/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/. .                                           0.0s
 => CACHED [ui-build 10/14] RUN npm run build                                                                           0.0s
 => ERROR [ui-build 11/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/nginx.conf /etc/nginx/conf.d/default.c  0.0s
 => ERROR [ui-build 12/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/nginx.gzip.conf /etc/nginx/conf.d/gzip  0.0s
 => ERROR [ui-build 13/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/ssl/authserver-ui.crt /etc/nginx/ssl/a  0.0s
 => ERROR [ui-build 14/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/ssl/authserver-ui.key /etc/nginx/ssl/a  0.0s
 => CACHED [build 2/3] WORKDIR /src                                                                                     0.0s
 => CACHED [build 3/3] COPY . ./                                                                                        0.0s
 => ERROR [publish  1/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Domain/. /app/CdrAuthServer.Domain                0.0s
 => ERROR [publish  2/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Repository/. /app/CdrAuthServer.Repository        0.0s
 => ERROR [publish  3/28] COPY ./cdr-auth-server/Source/CdrAuthServer/. /app/CdrAuthServer                              0.0s
 => ERROR [publish  4/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Infrastructure/. /app/CdrAuthServer.Infrastructu  0.0s
 => ERROR [publish  5/28] COPY ./cdr-auth-server/Source/CdrAuthServer.API.Logger/. /app/CdrAuthServer.API.Logger        0.0s
------
 > [ui-build  4/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/package.json package.json:
------
------
 > [ui-build  5/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/package-lock.json package-lock.json:
------
------
 > [ui-build  6/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/craco.config.js craco.config.js:
------
------
 > [ui-build  7/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/.env.production .env.local:
------
------
 > [ui-build  9/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/. .:
------
------
 > [ui-build 11/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/nginx.conf /etc/nginx/conf.d/default.conf:
------
------
 > [ui-build 12/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/nginx.gzip.conf /etc/nginx/conf.d/gzip.conf:
------
------
 > [ui-build 13/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/ssl/authserver-ui.crt /etc/nginx/ssl/authserver-ui.c
rt:
------
------
 > [ui-build 14/14] COPY ./cdr-auth-server/Source/CdrAuthServer.UI/nginx/ssl/authserver-ui.key /etc/nginx/ssl/authserver-ui.k
ey:
------
------
 > [publish  1/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Domain/. /app/CdrAuthServer.Domain:
------
------
 > [publish  2/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Repository/. /app/CdrAuthServer.Repository:
------
------
 > [publish  3/28] COPY ./cdr-auth-server/Source/CdrAuthServer/. /app/CdrAuthServer:
------
------
 > [publish  4/28] COPY ./cdr-auth-server/Source/CdrAuthServer.Infrastructure/. /app/CdrAuthServer.Infrastructure:
------
------
 > [publish  5/28] COPY ./cdr-auth-server/Source/CdrAuthServer.API.Logger/. /app/CdrAuthServer.API.Logger:
------
Dockerfile:61
--------------------
  59 |     COPY ./cdr-auth-server/Source/CdrAuthServer/. /app/CdrAuthServer
  60 |     COPY ./cdr-auth-server/Source/CdrAuthServer.Infrastructure/. /app/CdrAuthServer.Infrastructure
  61 | >>> COPY ./cdr-auth-server/Source/CdrAuthServer.API.Logger/. /app/CdrAuthServer.API.Logger
  62 |     
  63 |     COPY ./CDR.DataHolder.API.Infrastructure/. /app/CDR.DataHolder.API.Infrastructure
--------------------
ERROR: failed to solve: failed to compute cache key: failed to calculate checksum of ref b0441941-3dd2-46f7-8029-771f117b4352
::e9xuimlcijmziq6mydxpnm3x6: "/cdr-auth-server/Source/CdrAuthServer.API.Logger": not found

Additional context

Missing x-v header

Describe the bug
The mandatory header x-v is not being returned

To Reproduce
Steps to reproduce the behaviour:

  1. Call the discovery/status or the discovery/outages endpoint
  2. Examine the header being returned

Expected behaviour
Return the x-v header as per DSB published standard

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.