sepafm 0.0.2 → 0.1.0

data/lib/sepa/banks/danske/soap_danske.rb

@@ -0,0 +1,132 @@
+module Sepa
+  module DanskeSoapRequest
+
+    def find_correct_build
+      case @command
+      when :create_certificate
+        build_certificate_request
+      when :upload_file, :download_file, :get_user_info, :download_file_list
+        build_danske_generic_request
+      when :get_bank_certificate
+        build_get_bank_certificate_request
+      end
+    end
+
+    def encrypt_application_request
+      encryption_cert = OpenSSL::X509::Certificate.new(@enc_cert)
+      encryption_public_key = encryption_cert.public_key
+      encryption_cert = format_cert(encryption_cert)
+      encrypted_ar, key = encrypt_ar
+      encrypted_key = encrypt_key(key, encryption_public_key)
+      build_encrypted_ar(encryption_cert, encrypted_key, encrypted_ar)
+    end
+
+    # Encrypts a given symmetric encryption key with a public key and returns it in base64 encoded
+    # format
+    def encrypt_key(key, public_key)
+      encrypted_key = public_key.public_encrypt(key)
+      Base64.encode64(encrypted_key)
+    end
+
+    # Encrypts the application request and returns it in base64 encoded format.
+    # Also returns the key needed to decrypt it
+    def encrypt_ar
+      cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').encrypt
+
+      key = cipher.random_key
+      iv = cipher.random_iv
+
+      encrypted_data = cipher.update(@ar.to_xml)
+      encrypted_data << cipher.final
+      encrypted_data = iv + encrypted_data
+      encrypted_data = Base64.encode64(encrypted_data)
+
+      return encrypted_data, key
+    end
+
+    def build_encrypted_ar(cert, encrypted_data, encrypted_key)
+      ar = Nokogiri::XML File.open "#{AR_TEMPLATE_PATH}/encrypted_request.xml"
+      set_node(ar, 'dsig|X509Certificate', cert)
+      set_node(ar, 'dsig|KeyInfo xenc|CipherValue', encrypted_data)
+      set_node(ar, 'xenc|EncryptedData > xenc|CipherData > xenc|CipherValue', encrypted_key)
+      ar
+    end
+
+    def set_generic_request_contents
+      set_node(@template, 'bxd|SenderId', @customer_id)
+      set_node(@template, 'bxd|RequestId', request_id)
+      set_node(@template, 'bxd|Timestamp', iso_time)
+      set_node(@template, 'bxd|Language', @language)
+      set_node(@template, 'bxd|UserAgent', "Sepa Transfer Library version " + VERSION)
+      set_node(@template, 'bxd|ReceiverId', @target_id)
+    end
+
+    def set_create_cert_contents
+      set_node(@template, 'pkif|SenderId', @customer_id)
+      set_node(@template, 'pkif|CustomerId', @customer_id)
+      set_node(@template, 'pkif|RequestId', request_id)
+      set_node(@template, 'pkif|Timestamp', iso_time)
+      set_node(@template, 'pkif|InterfaceVersion', 1)
+      set_node(@template, 'pkif|Environment', @environment)
+    end
+
+    def set_bank_certificate_contents
+      set_node(@template, 'pkif|SenderId', @customer_id)
+      set_node(@template, 'pkif|CustomerId', @customer_id)
+      set_node(@template, 'pkif|RequestId', request_id)
+      set_node(@template, 'pkif|Timestamp', iso_time)
+      set_node(@template, 'pkif|InterfaceVersion', 1)
+    end
+
+    def build_danske_generic_request
+      set_generic_request_contents
+      encrypted_request = encrypt_application_request
+      add_encrypted_generic_request_to_soap(encrypted_request)
+
+      process_header
+      add_body_to_header
+    end
+
+    def build_certificate_request
+      set_create_cert_contents
+      encrypted_request = encrypt_application_request
+      add_encrypted_request_to_soap(encrypted_request)
+    end
+
+    def build_get_bank_certificate_request
+      set_bank_certificate_contents
+      add_bank_certificate_body_to_soap
+    end
+
+    def add_encrypted_request_to_soap(encrypted_request)
+      encrypted_request = Nokogiri::XML(encrypted_request.to_xml)
+      encrypted_request = encrypted_request.root
+      @template.at_css('pkif|CreateCertificateIn').add_child(encrypted_request)
+
+      @template
+    end
+
+    def add_encrypted_generic_request_to_soap(encrypted_request)
+      encrypted_request = Nokogiri::XML(encrypted_request.to_xml)
+      encrypted_request = encrypted_request.root
+      encrypted_request = Base64.encode64(encrypted_request.to_xml)
+      @template.at_css('bxd|ApplicationRequest').add_child(encrypted_request)
+
+      @template
+    end
+
+    def add_bank_certificate_body_to_soap
+      ar = @ar.to_nokogiri
+
+      ar = ar.at_css('elem|GetBankCertificateRequest')
+      @template.at_css('pkif|GetBankCertificateIn').add_child(ar)
+
+      @template
+    end
+
+    def request_id
+      SecureRandom.hex(5)
+    end
+
+  end
+end

data/lib/sepa/banks/nordea/nordea_response.rb

@@ -0,0 +1,20 @@
+module Sepa
+  class NordeaResponse < Response
+
+    def initialize(response, command: nil)
+      super
+
+      if @command == :get_certificate
+        @application_response = extract_application_response('http://bxd.fi/CertificateService')
+        @content = extract_own_cert
+      end
+    end
+
+    def extract_own_cert
+      node = Nokogiri::XML(@application_response)
+      .at('xmlns|Certificate > xmlns|Certificate', xmlns: 'http://filetransfer.nordea.com/xmldata/')
+
+      Base64.encode64(OpenSSL::X509::Certificate.new(process_cert_value(node.content)).to_s) if node
+    end
+  end
+end

data/lib/sepa/banks/nordea/soap_nordea.rb

@@ -0,0 +1,51 @@
+module Sepa
+  module NordeaSoapRequest
+
+    private
+
+      def find_correct_build
+        case @command
+        when :get_certificate
+          build_certificate_request
+        when :get_user_info, :download_file_list, :download_file, :upload_file
+          build_common_request
+        end
+      end
+
+      # Builds : Get Certificate
+      def build_certificate_request
+        set_body_contents
+      end
+
+      def set_body_contents
+        set_node(@template, 'cer|ApplicationRequest', @ar.to_base64)
+        set_node(@template, 'cer|SenderId', @customer_id)
+        set_node(@template, 'cer|RequestId', request_id)
+        set_node(@template, 'cer|Timestamp', iso_time)
+
+        @template
+      end
+
+      # Builds : Get User Info, Download File, Download File List, Upload File
+      def build_common_request
+        common_set_body_contents
+        process_header
+        add_body_to_header
+      end
+
+      def common_set_body_contents
+        set_node(@template, 'bxd|ApplicationRequest', @ar.to_base64)
+        set_node(@template, 'bxd|SenderId', @customer_id)
+        set_node(@template, 'bxd|RequestId', request_id)
+        set_node(@template, 'bxd|Timestamp', iso_time)
+        set_node(@template, 'bxd|Language', @language)
+        set_node(@template, 'bxd|UserAgent', "Sepa Transfer Library version #{VERSION}")
+        set_node(@template, 'bxd|ReceiverId', @target_id)
+      end
+
+      def request_id
+        SecureRandom.hex(17)
+      end
+
+  end
+end

data/lib/sepa/client.rb

@@ -1,79 +1,91 @@
 module Sepa
   class Client
-    # Check that parameters are valid, initialize savon client with them and
-    # construct soap message
-    def initialize(params)
-      check_params_hash(params)
-      check_bank(params.fetch(:bank))
-      bank = params.fetch(:bank)
-
-      wsdl = find_proper_wsdl(bank, params.fetch(:command))
-
-      @client = Savon.client(wsdl: wsdl) #log_level: :info
-      @command = params.fetch(:command)
-      # SoapBuilder creates a complete SOAP message structure
-      @soap = SoapBuilder.new(params).to_xml
+    include ActiveModel::Validations
+    include Utilities
+    include ErrorMessages
+    include AttributeChecks
+
+    attr_accessor :bank, :cert, :command, :content, :customer_id, :enc_cert,
+                  :encryption_cert_pkcs10, :environment, :file_reference,
+                  :file_type, :key_generator_type, :language, :pin, :private_key,
+                  :signing_cert_pkcs10, :status, :target_id, :csr, :service, :bank_root_cert_serial
+
+    BANKS = [:nordea, :danske]
+    LANGUAGES = ['FI', 'SE', 'EN']
+
+    validates :bank, inclusion: { in: BANKS }
+    validates :language, inclusion: { in: LANGUAGES }, allow_nil: true
+
+    validate :check_status
+    validate :check_customer_id
+    validate :check_file_type
+    validate :check_environment
+    validate :check_target_id
+    validate :check_content
+    validate :check_pin
+    validate :check_command
+    validate :check_wsdl
+    validate :check_keys
+    validate :check_enc_cert
+    validate :check_encryption_cert_request
+    validate :check_signing_cert
+    validate :check_bank_root_cert_serial
+    validate :check_file_reference
+
+    def initialize(hash = {})
+      self.attributes hash
+      self.environment ||= 'PRODUCTION'
     end
 
-    # Call savon to make the soap request with the correct command and the
-    # the constructed soap. The returned object will be a savon response.
-    def send
-      @client.call(@command, xml: @soap)
+    def bank=(value)
+      @bank = value.to_sym
     end
 
-    private
+    def command=(value)
+      @command = value.to_sym
+    end
 
-      def check_bank(bank)
-        unless [:nordea, :danske].include?(bank)
-          fail ArgumentError, "You didn't provide a proper bank. " \
-            "Acceptable values are nordea OR danske."
-        end
+    def attributes(hash)
+      hash.each do |name, value|
+        send("#{name}=", value)
       end
+    end
 
-      def find_proper_wsdl(bank, command)
-        wsdlpath = File.expand_path('../../../lib/sepa/wsdl', __FILE__)
-        case bank
-        when :nordea
-          if command == :get_certificate
-            path = "#{wsdlpath}/wsdl_nordea_cert.xml"
-          else
-            path = "#{wsdlpath}/wsdl_nordea.xml"
-          end
-        when :danske
-          if command == :get_bank_certificate
-            path = "#{wsdlpath}/wsdl_danske_cert.xml"
-          else
-            path = "#{wsdlpath}/wsdl_danske.xml"
-          end
-        end
-        check_wsdl(path)
-        path
-      end
+    def send_request
+      raise ArgumentError, errors.messages unless valid?
 
-      def check_params_hash(params)
-        unless params.respond_to?(:each_pair)
-          fail ArgumentError, "You didn't provide a proper hash"
-        end
+      soap = SoapBuilder.new(create_hash).to_xml
+      client = Savon.client(wsdl: wsdl)
+      response = client.call(command, xml: soap).doc
+
+      case bank
+      when :nordea
+        NordeaResponse.new response, command: command
+      when :danske
+        DanskeResponse.new response, command: command
       end
+    end
+
+    private
+
+      def create_hash
+        initialize_private_key
+        iv = {}
 
-      def check_wsdl(wsdl)
-        schema_file = File.expand_path('../../../lib/sepa/xml_schemas/wsdl.xml',
-                                       __FILE__)
-        xsd = Nokogiri::XML::Schema(File.read(schema_file))
+        # Create hash of all instance variables
+        instance_variables.map do |name|
+          key = name[1..-1].to_sym
+          value = instance_variable_get(name)
 
-        begin
-          wsdl_file = File.read(wsdl)
-        rescue
-          fail ArgumentError, "You didn't provide a wsdl file or the path is " \
-            "invalid"
+          iv[key] = value
         end
 
-        wsdl = Nokogiri::XML(wsdl_file)
+        iv
+      end
 
-        unless xsd.valid?(wsdl)
-          fail ArgumentError, "The wsdl file provided doesn't validate " \
-            "against the wsdl schema and thus was rejected."
-        end
+      def initialize_private_key
+        @private_key = OpenSSL::PKey::RSA.new(@private_key) if @private_key
       end
+
   end
 end

data/lib/sepa/error_messages.rb

@@ -0,0 +1,15 @@
+module Sepa
+  module ErrorMessages
+    CUSTOMER_ID_ERROR_MESSAGE = 'Customer Id needs to be present and needs to have a length of less than 17 characters'
+    ENVIRONMENT_ERROR_MESSAGE = 'Environment needs to be either PRODUCTION, TEST or customertest'
+    TARGET_ID_ERROR_MESSAGE = 'Target Id needs to be present and under 80 characters'
+    FILE_TYPE_ERROR_MESSAGE = 'File type needs to be present and under 35 characters'
+    CONTENT_ERROR_MESSAGE = 'Content needs to be present for this command'
+    SIGNING_CERT_REQUEST_ERROR_MESSAGE = 'Invalid signing certificate request'
+    ENCRYPTION_CERT_REQUEST_ERROR_MESSAGE = 'Invalid encryption certificate request'
+    PIN_ERROR_MESSAGE = 'Pin needs to be present for this command and cannot be more than 10 characters'
+    ENCRYPTION_CERT_ERROR_MESSAGE = 'Invalid encryption certificate'
+    STATUS_ERROR_MESSAGE = 'Status is required for this command and must be either NEW, DOWNLOADED or ALL'
+    FILE_REFERENCE_ERROR_MESSAGE = 'File reference is required for this command and must be under 33 characters'
+  end
+end

data/lib/sepa/response.rb

@@ -1,45 +1,28 @@
 module Sepa
   class Response
-    def initialize(response)
-      @response = response
-
-      if !@response.respond_to?(:canonicalize)
-        fail ArgumentError,
-          "The response you provided is not a valid Nokogiri::XML file."
-      elsif !valid_against_schema?(@response)
-        fail ArgumentError,
-          "The response you provided doesn't validate against soap schema."
-      end
-    end
+    include ActiveModel::Validations
+    include Utilities
 
-    # Returns the x509 certificate embedded in the soap as an
-    # OpenSSL::X509::Certificate
-    def certificate
-      cert_value = @response.at_css(
-        'wsse|BinarySecurityToken',
-        'wsse' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws' \
-        'security-secext-1.0.xsd'
-      ).content.gsub(/\s+/, "")
-
-      cert = process_cert_value(cert_value)
-
-      begin
-        cert = OpenSSL::X509::Certificate.new(cert)
-      rescue => e
-        fail OpenSSL::X509::CertificateError,
-          "The certificate embedded to the soap response could not be process" \
-          "ed. It's most likely corrupted. OpenSSL had this to say: #{e}."
-          end
-    end
+    attr_reader :soap, :application_response, :certificate, :content
+
+    validates :soap, presence: true
+    validate :validate_document_format
+    validate :document_must_validate_against_schema
+
+    GENERIC_COMMANDS = [:get_user_info, :download_file_list, :download_file, :upload_file]
+
+    def initialize(response, command: nil)
+      @soap = response
+      @command = command
 
-    # Verifies that the soap's certificate is trusted.
-    def cert_is_trusted?(root_cert)
-      if root_cert.subject == certificate.issuer
-        certificate.verify(root_cert.public_key)
-      else
-        fail SecurityError,
-          "The issuer of the certificate doesn't match the subject of the roo" \
-          "t certificate."
+      # Check if command is one of the generic commands which should behave the same way across
+      # different banks
+      if GENERIC_COMMANDS.include? command
+        xsd = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
+
+        @application_response = extract_application_response('http://model.bxd.fi')
+        @certificate = extract_cert(soap, 'BinarySecurityToken', xsd)
+        @content = extract_content
       end
     end
 
@@ -47,42 +30,39 @@ module Sepa
     # Takes an optional verbose parameter to show which digests didn't match
     # i.e. verbose: true
     def hashes_match?(options = {})
-      digests = find_digest_values(@response)
-      nodes = find_nodes_to_verify(@response, digests)
+      digests = find_digest_values
+      nodes = find_nodes_to_verify(soap, digests)
 
       verified_digests = digests.select do |uri, digest|
         uri = uri.sub(/^#/, '')
         digest == nodes[uri]
       end
 
-      if digests == verified_digests
-        true
-      else
-        unverified_digests = digests.select do |uri, digest|
-          uri = uri.sub(/^#/, '')
-          digest != nodes[uri]
-        end
+      return true if digests == verified_digests
 
-        if options[:verbose]
-          puts "These digests failed to verify: #{unverified_digests}."
-        end
+      unverified_digests = digests.select do |uri, digest|
+        uri = uri.sub(/^#/, '')
+        digest != nodes[uri]
+      end
 
-        false
+      if options[:verbose]
+        puts "These digests failed to verify: #{unverified_digests}."
       end
+
+      false
     end
 
     # Verifies the signature by extracting the public key from the certificate
     # embedded in the soap header and verifying the signature value with that.
     def signature_is_valid?
-      node = @response.at_css('xmlns|SignedInfo',
-                              'xmlns' => 'http://www.w3.org/2000/09/xmldsig#')
+      node = soap.at_css('xmlns|SignedInfo', 'xmlns' => 'http://www.w3.org/2000/09/xmldsig#')
 
       node = node.canonicalize(
-        mode=Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0,
-        inclusive_namespaces=nil,with_comments=false
+        mode = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0,
+        inclusive_namespaces = nil, with_comments = false
       )
 
-      signature = @response.at_css(
+      signature = soap.at_css(
         'xmlns|SignatureValue',
         'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
       ).content
@@ -95,18 +75,28 @@ module Sepa
     # Gets the application response from the response as an Nokogiri::XML
     # document
     def application_response
-      ar = @response.at_css('mod|ApplicationResponse').content
+      ar = soap.at_css('mod|ApplicationResponse').content
       ar = Base64.decode64(ar)
       Nokogiri::XML(ar)
     end
 
+    def file_references
+      return unless @command == :download_file_list
+
+      @file_references ||= begin
+        content = Nokogiri::XML @content
+        descriptors = content.css('FileDescriptor')
+        descriptors.map { |descriptor| descriptor.at('FileReference').content }
+      end
+    end
+
     private
 
       # Finds all reference nodes with digest values in the document and returns
       # a hash with uri as the key and digest as the value.
-      def find_digest_values(doc)
+      def find_digest_values
         references = {}
-        reference_nodes = @response.css(
+        reference_nodes = soap.css(
           'xmlns|Reference',
           'xmlns' => 'http://www.w3.org/2000/09/xmldsig#'
         )
@@ -128,12 +118,14 @@ module Sepa
       # references hash.
       def find_nodes_to_verify(doc, references)
         nodes = {}
+
         references.each do |uri, digest_value|
           uri = uri.sub(/^#/, '')
+          wsu = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+
           node = doc.at_css(
-            "[wsu|Id='" + uri + "']",
-            'wsu' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss' \
-            '-wssecurity-utility-1.0.xsd'
+            "[wsu|Id='#{uri}']",
+            'wsu' => wsu
           )
 
           nodes[uri] = calculate_digest(node)
@@ -142,36 +134,47 @@ module Sepa
         nodes
       end
 
-      def calculate_digest(node)
-        sha1 = OpenSSL::Digest::SHA1.new
+      def validate_document_format
+        unless soap.respond_to?(:canonicalize)
+          errors.add(:base, 'Document must be a Nokogiri XML file')
+        end
+      end
 
-        canon_node = node.canonicalize(
-          mode=Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0,
-          inclusive_namespaces=nil,with_comments=false
-        )
+      def document_must_validate_against_schema
+        check_validity_against_schema(soap, 'soap.xsd')
+      end
 
-        Base64.encode64(sha1.digest(canon_node)).gsub(/\s+/, "")
+      def extract_content
+        xml = Nokogiri::XML(@application_response)
+        xmlns = 'http://bxd.fi/xmldata/'
+
+        case @command
+        when :download_file
+          content_node = xml.at('xmlns|Content', xmlns: xmlns)
+          content_node.content if content_node
+        when :download_file_list
+          content_node = xml.remove_namespaces!.at('FileDescriptors')
+          content_node.to_xml if content_node
+        when :get_user_info
+          canonicalized_node(xml, xmlns, 'UserFileTypes')
+        when :upload_file
+          signature_node = xml.at('xmlns|Signature', xmlns: 'http://www.w3.org/2000/09/xmldsig#')
+          if signature_node
+            signature_node.remove
+            xml.canonicalize
+          end
+        end
       end
 
-      # Checks that the response is valid against soap schema.
-      def valid_against_schema?(doc)
-        schemas_path = File.expand_path('../../../lib/sepa/xml_schemas',
-                                        __FILE__)
+      def extract_application_response(namespace)
+        if soap.respond_to? :at_css
+          ar_node = soap.at_css('xmlns|ApplicationResponse', xmlns: namespace)
+        end
 
-        Dir.chdir(schemas_path) do
-          xsd = Nokogiri::XML::Schema(IO.read('soap.xsd'))
-          xsd.valid?(doc)
+        if ar_node
+          Base64.decode64(ar_node.content)
         end
       end
 
-      # Takes the certificate from the response, adds begin and end
-      # certificate texts and splits it into multiple lines so that OpenSSL
-      # can read it.
-      def process_cert_value(cert_value)
-        cert = "-----BEGIN CERTIFICATE-----\n"
-        cert += cert_value.to_s.gsub(/\s+/, "").scan(/.{1,64}/).join("\n")
-        cert += "\n"
-        cert += "-----END CERTIFICATE-----"
-      end
   end
 end