diff options
author | Christian Grothoff <christian@grothoff.org> | 2024-08-05 20:51:23 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2024-08-05 20:51:44 +0200 |
commit | d2eaf3bf7c9d6a0d86c92f2205d4a8b7969a1848 (patch) | |
tree | db6f3ce7be73b5c18d3defa53f74b899b027ee15 /src | |
parent | a67d5495784b055e2fd3d7e3e7df262f40242195 (diff) |
also allow kyc-proof authentication with most recent reserve_pub transfer subject key
Diffstat (limited to 'src')
-rw-r--r-- | src/exchange/taler-exchange-httpd_kyc-check.c | 13 | ||||
-rw-r--r-- | src/exchangedb/exchange_do_lookup_kyc_requirement_by_row.sql | 96 | ||||
-rw-r--r-- | src/exchangedb/pg_lookup_kyc_requirement_by_row.c | 60 | ||||
-rw-r--r-- | src/exchangedb/pg_lookup_kyc_requirement_by_row.h | 5 | ||||
-rw-r--r-- | src/exchangedb/procedures.sql.in | 1 | ||||
-rw-r--r-- | src/include/taler_exchangedb_plugin.h | 5 |
6 files changed, 151 insertions, 29 deletions
diff --git a/src/exchange/taler-exchange-httpd_kyc-check.c b/src/exchange/taler-exchange-httpd_kyc-check.c index d321e357a..9481ea002 100644 --- a/src/exchange/taler-exchange-httpd_kyc-check.c +++ b/src/exchange/taler-exchange-httpd_kyc-check.c @@ -187,6 +187,7 @@ TEH_handler_kyc_check ( json_t *jrules = NULL; json_t *jlimits = NULL; union TALER_AccountPublicKeyP account_pub; + union TALER_AccountPublicKeyP reserve_pub; struct TALER_AccountAccessTokenP access_token; bool aml_review; bool kyc_required; @@ -251,6 +252,7 @@ TEH_handler_kyc_check ( TEH_plugin->cls, kyp->requirement_row, &account_pub, + &reserve_pub.reserve_pub, &access_token, &jrules, &aml_review, @@ -274,9 +276,14 @@ TEH_handler_kyc_check ( } } - if (GNUNET_OK != - TALER_account_kyc_auth_verify (&account_pub, - &kyp->account_sig)) + if ( (GNUNET_is_zero (&account_pub) || + (GNUNET_OK != + TALER_account_kyc_auth_verify (&account_pub, + &kyp->account_sig)) ) && + (GNUNET_is_zero (&reserve_pub) || + (GNUNET_OK != + TALER_account_kyc_auth_verify (&reserve_pub, + &kyp->account_sig)) ) ) { char *diag; MHD_RESULT mret; diff --git a/src/exchangedb/exchange_do_lookup_kyc_requirement_by_row.sql b/src/exchangedb/exchange_do_lookup_kyc_requirement_by_row.sql new file mode 100644 index 000000000..9c7f8f081 --- /dev/null +++ b/src/exchangedb/exchange_do_lookup_kyc_requirement_by_row.sql @@ -0,0 +1,96 @@ +-- +-- This file is part of TALER +-- Copyright (C) 2024 Taler Systems SA +-- +-- TALER is free software; you can redistribute it and/or modify it under the +-- terms of the GNU General Public License as published by the Free Software +-- Foundation; either version 3, or (at your option) any later version. +-- +-- TALER is distributed in the hope that it will be useful, but WITHOUT ANY +-- WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR +-- A PARTICULAR PURPOSE. See the GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License along with +-- TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> +-- +-- @author: Christian Grothoff + +CREATE OR REPLACE FUNCTION exchange_do_lookup_kyc_requirement_by_row( + IN in_legitimization_serial_id INT8, + OUT out_account_pub BYTEA, -- NULL allowed + OUT out_reserve_pub BYTEA, -- NULL allowed + OUT out_access_token BYTEA, -- NULL if 'out_not_found' + OUT out_jrules TEXT, -- NULL allowed + OUT out_not_found BOOLEAN, + OUT out_aml_review BOOLEAN, -- NULL allowed + OUT out_kyc_required BOOLEAN) +LANGUAGE plpgsql +AS $$ +DECLARE + my_h_payto BYTEA; + my_wtrec RECORD; + my_lorec RECORD; +BEGIN + +-- Find the access token. +SELECT access_token + INTO out_access_token + FROM legitimization_measures + WHERE legitimization_measure_serial_id=in_legitimization_serial_id; + +IF NOT FOUND +THEN + out_not_found = TRUE; + out_kyc_required = FALSE; + RETURN; +END IF; +out_not_found = FALSE; + +-- Find the payto hash and the current account public key. +SELECT target_pub + ,wire_target_h_payto + INTO my_wtrec + FROM wire_targets + WHERE access_token=out_access_token; + +out_account_pub = my_wtrec.target_pub; +my_h_payto = my_wtrec.wire_target_h_payto; + +-- Check if there are active measures for the account. +SELECT NOT is_finished + INTO out_kyc_required + FROM legitimization_measures + WHERE access_token=out_access_token + ORDER BY start_time DESC + LIMIT 1; + +IF NOT FOUND +THEN + out_kyc_required=TRUE; +END IF; + +-- Get currently applicable rules. +-- Only one should ever be active per account. +SELECT jnew_rules + ,to_investigate + INTO my_lorec + FROM legitimization_outcomes + WHERE h_payto=my_h_payto + AND is_active; + +IF FOUND +THEN + out_jrules=my_lorec.jnew_rules; + out_aml_review=my_lorec.to_investigate; +END IF; + +-- Get most recent reserve_in wire transfer, we also +-- allow that one for authentication! +SELECT reserve_pub + INTO out_reserve_pub + FROM reserves_in + WHERE wire_source_h_payto=my_h_payto + ORDER BY execution_date DESC + LIMIT 1; + +END $$; diff --git a/src/exchangedb/pg_lookup_kyc_requirement_by_row.c b/src/exchangedb/pg_lookup_kyc_requirement_by_row.c index 0079bf43b..e4a5ecbca 100644 --- a/src/exchangedb/pg_lookup_kyc_requirement_by_row.c +++ b/src/exchangedb/pg_lookup_kyc_requirement_by_row.c @@ -31,6 +31,7 @@ TEH_PG_lookup_kyc_requirement_by_row ( void *cls, uint64_t requirement_row, union TALER_AccountPublicKeyP *account_pub, + struct TALER_ReservePublicKeyP *reserve_pub, struct TALER_AccountAccessTokenP *access_token, json_t **jrules, bool *aml_review, @@ -41,13 +42,20 @@ TEH_PG_lookup_kyc_requirement_by_row ( GNUNET_PQ_query_param_uint64 (&requirement_row), GNUNET_PQ_query_param_end }; + bool not_found; struct GNUNET_PQ_ResultSpec rs[] = { GNUNET_PQ_result_spec_allow_null ( GNUNET_PQ_result_spec_auto_from_type ("account_pub", account_pub), NULL), - GNUNET_PQ_result_spec_auto_from_type ("access_token", - access_token), + GNUNET_PQ_result_spec_allow_null ( + GNUNET_PQ_result_spec_auto_from_type ("reserve_pub", + reserve_pub), + NULL), + GNUNET_PQ_result_spec_allow_null ( + GNUNET_PQ_result_spec_auto_from_type ("access_token", + access_token), + NULL), GNUNET_PQ_result_spec_allow_null ( /* can be NULL due to LEFT JOIN */ TALER_PQ_result_spec_json ("jrules", @@ -60,43 +68,43 @@ TEH_PG_lookup_kyc_requirement_by_row ( NULL), GNUNET_PQ_result_spec_bool ("kyc_required", kyc_required), + GNUNET_PQ_result_spec_bool ("not_found", + ¬_found), GNUNET_PQ_result_spec_end }; + enum GNUNET_DB_QueryStatus qs; *jrules = NULL; *aml_review = false; memset (account_pub, 0, sizeof (*account_pub)); + memset (reserve_pub, + 0, + sizeof (*reserve_pub)); + memset (access_token, + 0, + sizeof (*access_token)); PREPARE (pg, "lookup_kyc_requirement_by_row", "SELECT " - " wt.target_pub AS account_pub" - ",lm.access_token" - ",lo.jnew_rules AS jrules" - ",lo.to_investigate AS aml_review" - ",NOT COALESCE(lm2.is_finished,TRUE)" - " AS kyc_required" - " FROM legitimization_measures lm" - " JOIN wire_targets wt" - " ON (lm.access_token = wt.access_token)" - /* Select *unfinished* and more recent lm2 - for the same account - if one exists */ - " LEFT JOIN legitimization_measures lm2" - " ON ( (lm.access_token = lm2.access_token)" - " AND (lm2.start_time >= lm.start_time)" - " AND NOT lm2.is_finished)" - " LEFT JOIN legitimization_outcomes lo" - " ON (wt.wire_target_h_payto = lo.h_payto)" - " WHERE lm.legitimization_measure_serial_id=$1" - /* Select the *currently active* lo, if any */ - " AND ( (lo.is_active IS NULL)" - " OR lo.is_active)" - " ORDER BY lo.is_active DESC NULLS LAST" - " LIMIT 1;"); - return GNUNET_PQ_eval_prepared_singleton_select ( + " out_account_pub AS account_pub" + ",out_reserve_pub AS reserve_pub" + ",out_access_token AS access_token" + ",out_jrules AS jrules" + ",out_not_found AS not_found" + ",out_aml_review AS aml_review" + ",out_kyc_required AS kyc_required" + " FROM exchange_do_lookup_kyc_requirement_by_row" + " ($1);"); + qs = GNUNET_PQ_eval_prepared_singleton_select ( pg->conn, "lookup_kyc_requirement_by_row", params, rs); + if (qs <= 0) + return qs; + if (not_found) + return GNUNET_DB_STATUS_SUCCESS_NO_RESULTS; + return qs; } diff --git a/src/exchangedb/pg_lookup_kyc_requirement_by_row.h b/src/exchangedb/pg_lookup_kyc_requirement_by_row.h index e3cceebbd..05bab2e54 100644 --- a/src/exchangedb/pg_lookup_kyc_requirement_by_row.h +++ b/src/exchangedb/pg_lookup_kyc_requirement_by_row.h @@ -33,6 +33,10 @@ * @param requirement_row identifies requirement to look up (in legitimization_measures table) * @param[out] account_pub set to public key of the account * needed to authorize access, all zeros if not known + * @param[out] reserve_pub set to last reserve public key + * used for a wire transfer from the account to the + * exchange; alternatively used to authorize access, + * all zeros if not known * @param[out] access_token set to the access token to begin * work on KYC processes for this account * @param[out] jrules set to active ``LegitimizationRuleSet`` @@ -48,6 +52,7 @@ TEH_PG_lookup_kyc_requirement_by_row ( void *cls, uint64_t requirement_row, union TALER_AccountPublicKeyP *account_pub, + struct TALER_ReservePublicKeyP *reserve_pub, struct TALER_AccountAccessTokenP *access_token, json_t **jrules, bool *aml_review, diff --git a/src/exchangedb/procedures.sql.in b/src/exchangedb/procedures.sql.in index 1c8f05b24..a92ae77d6 100644 --- a/src/exchangedb/procedures.sql.in +++ b/src/exchangedb/procedures.sql.in @@ -51,5 +51,6 @@ SET search_path TO exchange; #include "exchange_do_batch_coin_known.sql" #include "exchange_do_kycauth_in_insert.sql" #include "exchange_do_trigger_kyc_rule_for_account.sql" +#include "exchange_do_lookup_kyc_requirement_by_row.sql" COMMIT; diff --git a/src/include/taler_exchangedb_plugin.h b/src/include/taler_exchangedb_plugin.h index 21b6a0e21..aa0339d0b 100644 --- a/src/include/taler_exchangedb_plugin.h +++ b/src/include/taler_exchangedb_plugin.h @@ -6978,6 +6978,10 @@ struct TALER_EXCHANGEDB_Plugin * @param requirement_row identifies requirement to look up (in legitimization_measures table) * @param[out] account_pub set to public key of the account * needed to authorize access, all zeros if not known + * @param[out] reserve_pub set to last reserve public key + * used for a wire transfer from the account to the + * exchange; alternatively used to authorize access, + * all zeros if not known * @param[out] access_token set to the access token to begin * work on KYC processes for this account * @param[out] jrules set to active ``LegitimizationRuleSet`` @@ -6993,6 +6997,7 @@ struct TALER_EXCHANGEDB_Plugin void *cls, uint64_t requirement_row, union TALER_AccountPublicKeyP *account_pub, + struct TALER_ReservePublicKeyP *reserve_pub, struct TALER_AccountAccessTokenP *access_token, json_t **jrules, bool *aml_review, |