Origo Tests

.gitignore

@@ -34,4 +34,4 @@ application-test.properties*
 downloaded-photos
 summary
 
-lib/
+lib/

README.md

@@ -263,6 +263,45 @@ The downloader supports going through a proxy when using the CloudCardPhotoServi
 - `TouchNetClient.originId`
     - provided by CloudCard
 
+#### Origo Storage Service Settings
+*Note: `downloader.storageService` must be set to `OrigoStorageService` for these to have any effect.*
+*Note: This integration does NOT YET support PKI authentication for Origo's production APIs.*
+*Visit Origo's Mobile Access documentation for more information https://doc.origo.hidglobal.com/api/*
+
+- `Origo.eventManagementApi`
+    - URI for accessing events in Mobile Access, such as user creation events.
+- `Origo.mobileIdentitiesApi`
+    - URI for user and photo related requests.
+- `Origo.certIdpApi`
+    - URI for Authentication requests.
+- `Origo.organizationId`
+    - Provided by origo. First half of clientId.
+- `Origo.accessToken`
+    - Temporary token obtained through authentication request. Only needs to be specified in certain development situations.
+- `Origo.clientSecret`
+    - System account password or PKI token. 
+    - Required for authentication.
+- `Origo.clientId`
+    - Provided by Origo.
+    - Available in Origo Management Portal.
+- `Origo.contentType`
+    - Used for request headers - see documentation.
+- `Origo.applicationVersion`
+    - Origo API version (2.2 as of Aug 2024).
+    - Used for request headers.
+- `Origo.applicationId`
+    - Used for request headers.
+    - Provided by Origo.
+- `Origo.replaceExistingPhotos`
+    - Set to true to automatically replace existing Photo ID.
+    - NOTE: Default is true if left unspecified. 
+- `Origo.usePkiAuth`
+    - PKI Auth is recommended for Production applications.
+    - This application accepts an unencrypted RSA / PEM-encoded PKCS#8 Private key.
+    - Service Account with certificate must be created in HID Origo Management Studio.
+- `Origo.tokenUrl`
+    - Token URL is generated from HID Origo Management Studio when a PKI-authenticated service account is created. 
+
 ### File Name Resolver Settings
 
 - downloader.fileNameResolver

build.gradle

@@ -29,6 +29,9 @@ dependencies {
     implementation 'software.amazon.awssdk:sqs:2.20.148'
     implementation 'org.apache.groovy:groovy-json:4.0.15'
     implementation 'org.apache.commons:commons-csv:1.8'
+    implementation 'io.jsonwebtoken:jjwt-api:0.12.6'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.6'
+    runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.12.6'
 
     implementation 'com.papertrailapp:logback-syslog4j:1.0.0'
 

src/main/groovy/com/cloudcard/photoDownloader/AuthException.groovy

@@ -0,0 +1,16 @@
+package com.cloudcard.photoDownloader
+
+class AuthException extends Exception {
+
+    public static final String MESSAGE = "Error while attempting to authenticate"
+
+    AuthException() {
+
+        super(MESSAGE);
+    }
+
+    AuthException(String message) {
+
+        super("$message $MESSAGE")
+    }
+}

src/main/groovy/com/cloudcard/photoDownloader/OrigoClient.groovy

@@ -0,0 +1,286 @@
+package com.cloudcard.photoDownloader
+
+import io.jsonwebtoken.Jwts
+import jakarta.annotation.PostConstruct
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
+import org.springframework.stereotype.Component
+import com.fasterxml.jackson.databind.ObjectMapper
+
+import java.security.Key
+import java.security.KeyFactory
+import java.security.spec.PKCS8EncodedKeySpec
+
+import static com.cloudcard.photoDownloader.ApplicationPropertiesValidator.throwIfBlank
+
+@Component
+@ConditionalOnProperty(value = "downloader.storageService", havingValue = "OrigoStorageService")
+class OrigoClient {
+    // Makes requests to Origo API
+
+    private static final Logger log = LoggerFactory.getLogger(OrigoClient.class)
+
+    @Autowired
+    UnirestWrapper unirestWrapper
+
+    @Autowired
+    SimpleResponseLogger simpleResponseLogger
+
+    @Value('${Origo.eventManagementApi}')
+    String eventManagementApi
+
+    @Value('${Origo.mobileIdentitiesApi}')
+    String mobileIdentitiesApi
+
+    @Value('${Origo.certIdpApi}')
+    String certIdpApi
+
+    @Value('${Origo.organizationId}')
+    String organizationId
+
+    @Value('${Origo.contentType}')
+    String contentType
+
+    @Value('${Origo.applicationVersion}')
+    String applicationVersion
+
+    @Value('${Origo.applicationId}')
+    String applicationId
+
+    @Value('${Origo.clientId}')
+    String clientId
+
+    @Value('${Origo.clientSecret}')
+    String clientSecret
+
+    @Value('${Origo.usePkiAuth}')
+    boolean usePkiAuth
+
+    @Value('${Origo.tokenUrl}')
+    String tokenUrl
+
+    @Value('${Origo.privateKey}')
+    String privateKey
+
+    String accessToken
+
+    boolean isAuthenticated = false
+
+    Map<String, String> requestHeaders
+
+    @PostConstruct
+    init() {
+        throwIfBlank(eventManagementApi, "The Origo Event Management API URL must be specified.")
+        throwIfBlank(mobileIdentitiesApi, "The Origo Mobile Identities API URL must be specified.")
+        throwIfBlank(organizationId, "The Origo organization ID must be specified.")
+        throwIfBlank(clientSecret, "The Origo client secret must be specified.")
+        throwIfBlank(clientId, "The Origo client ID must be specified.")
+        throwIfBlank(contentType, "The Origo content-type header must be specified.")
+        throwIfBlank(applicationVersion, "The Origo application version must be specified.")
+        throwIfBlank(applicationId, "Your organization's Origo Application ID must be specified.")
+        throwIfBlank(usePkiAuth.toString(), "Authentication Preference must be specified.")
+        if (usePkiAuth) {
+            throwIfBlank((tokenUrl).toString(), "Token URL must be specified.")
+        }
+
+        log.info('=================== Initializing Origo Client ===================')
+        log.info("          Origo Event Management API URL : $eventManagementApi")
+        log.info("         Origo Mobile Identities API URL : $mobileIdentitiesApi")
+        log.info("                   Origo organization ID : $organizationId")
+        log.info("               Origo content type header : $contentType")
+        log.info("               Origo application version : $applicationVersion")
+        log.info("                    Origo application ID : $applicationId")
+        log.info("               Authentication Preference : ${usePkiAuth ? "PKI" : "Password"}")
+
+        simpleResponseLogger.source = this.class.simpleName
+
+    }
+
+    void authenticate(ResponseWrapper responseWithToken) {
+        // Stores token for future requests
+
+        String token = ""
+
+        if (responseWithToken.success) {
+            token = responseWithToken.body.access_token
+            accessToken = token
+            requestHeaders = [
+                    'Authorization'      : "Bearer $token" as String,
+                    'Content-Type'       : contentType,
+                    'Application-Version': applicationVersion,
+                    'Application-ID'     : applicationId
+            ]
+            isAuthenticated = true
+        } else {
+            log.error("Error while authenticating with Origo.")
+            isAuthenticated = false
+        }
+
+    }
+
+    ResponseWrapper makeAuthenticatedRequest(Closure request) {
+
+        ResponseWrapper response
+
+        if (!isAuthenticated && authenticate(requestAccessToken()) || isAuthenticated) {
+            response = request()
+        } else {
+            response = new ResponseWrapper(new AuthException())
+        }
+
+        response
+    }
+
+    String getJswt(String keyStr) {
+        // Input is an UNENCRYPTED RSA / PEM-encoded PKCS#8 private key.
+
+        if (!keyStr) {
+            throw new IllegalArgumentException("Key string not provided")
+        }
+
+        keyStr = keyStr.replaceAll("-----BEGIN PRIVATE KEY-----", "").replaceAll("-----END PRIVATE KEY-----", "").replaceAll("\\s", "")
+                .replaceAll("\\n", "").trim()
+
+        byte[] keyBytes = Base64.getDecoder().decode(keyStr)
+        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes)
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA")
+        Key key = keyFactory.generatePrivate(keySpec)
+
+        long currentTimeMils = System.currentTimeMillis() - 5
+        Date currentTime = new Date(currentTimeMils)
+        Date expiration = new Date(currentTimeMils + 3600000)
+
+        Jwts.builder()
+                .subject(clientId)
+                .issuer(clientId)
+                .audience().add(tokenUrl).and()
+                .notBefore(currentTime)
+                .issuedAt(currentTime)
+                .expiration(expiration)
+                .id(UUID.randomUUID().toString())
+                .signWith(key)
+                .compact()
+    }
+
+    ResponseWrapper requestAccessToken() {
+        if (usePkiAuth) requestAccessTokenPki()
+        else requestAccessTokenPassword()
+    }
+
+    ResponseWrapper requestAccessTokenPki() {
+        // https://doc.origo.hidglobal.com/api/authentication/
+
+        String pkiCredentials = getJswt(privateKey)
+
+        String url = "$certIdpApi/authentication/customer/$organizationId/token"
+        Map<String, String> headers = ["Content-Type": "application/x-www-form-urlencoded"]
+        String body = "grant_type=client_credentials&client_assertion=$pkiCredentials"
+
+        ResponseWrapper response
+        try {
+            response = new ResponseWrapper(unirestWrapper.post(url, headers, body))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+        simpleResponseLogger.log("requestAccessTokenPki", response, "Error while authenticating with Origo.")
+
+        return response
+
+    }
+
+    ResponseWrapper requestAccessTokenPassword() {
+        // https://doc.origo.hidglobal.com/api/authentication/
+
+        String url = "$certIdpApi/authentication/customer/$organizationId/token"
+        Map<String, String> headers = ["Content-Type": "application/x-www-form-urlencoded"]
+        String body = "client_id=${clientId}&client_secret=${clientSecret}&grant_type=client_credentials"
+
+        ResponseWrapper response
+        try {
+            response = new ResponseWrapper(unirestWrapper.post(url, headers, body))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+        simpleResponseLogger.log("requestAccessTokenPassword", response, "Error while authenticating with Origo.")
+
+        return response
+
+    }
+
+    ResponseWrapper uploadUserPhoto(Photo photo, String fileType) {
+        // https://doc.origo.hidglobal.com/api/mobile-identities/#/Photo%20ID/post-customer-organization_id-users-user_id-photo
+        ResponseWrapper response
+
+        String url = "$mobileIdentitiesApi/customer/$organizationId/users/${photo.person.identifier}/photo"
+        Map<String, String> headers = requestHeaders.clone() as Map
+        headers["Content-Type"] = "application/vnd.assaabloy.ma.credential-management-2.2+$fileType" as String
+
+        try {
+            response = new ResponseWrapper(unirestWrapper.post(url, headers, photo.bytes))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+
+        simpleResponseLogger.log("uploadUserPhoto", response)
+
+        return response
+    }
+
+    ResponseWrapper accountPhotoApprove(String userId, String id) {
+        // https://doc.origo.hidglobal.com/api/mobile-identities/#/Photo%20ID/put-customer-organization_id-users-user_id-photo-photo_id-status
+
+        ResponseWrapper response
+
+        String url = "$mobileIdentitiesApi/customer/$organizationId/users/$userId/photo/$id/status"
+        String serializedBody = new ObjectMapper().writeValueAsString([status: "APPROVE"])
+
+        try {
+            response = new ResponseWrapper(unirestWrapper.put(url, requestHeaders, serializedBody))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+
+        simpleResponseLogger.log("accountPhotoApprove", response)
+
+        return response
+    }
+
+    ResponseWrapper getUserDetails(String userId) {
+        // https://doc.origo.hidglobal.com/api/mobile-identities/#/Users/get-customer-organization_id-users-user_id
+
+        ResponseWrapper response
+
+        String url = "$mobileIdentitiesApi/customer/$organizationId/users/$userId"
+
+        try {
+            response = new ResponseWrapper(unirestWrapper.get(url, requestHeaders))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+
+        simpleResponseLogger.log("getUserDetails", response)
+
+        return response
+    }
+
+    ResponseWrapper deletePhoto(String userId, String photoId) {
+        // https://doc.origo.hidglobal.com/api/mobile-identities/#/Photo%20ID/delete-customer-organization_id-users-user_id-photo-photo_id
+
+        ResponseWrapper response
+
+        String url = "$mobileIdentitiesApi/customer/$organizationId/users/$userId/photo/$photoId"
+
+        try {
+            response = new ResponseWrapper(unirestWrapper.delete(url, requestHeaders))
+        } catch (Exception e) {
+            response = new ResponseWrapper(e)
+        }
+
+        simpleResponseLogger.log("deletePhoto", response)
+
+        return response
+    }
+}