[PAYMTS-1728] Add account updater look up service #442
Conversation
larky/src/main/java/com/verygood/security/larky/modules/vgs/aus/LarkyAccountUpdater.java
Outdated
Show resolved
Hide resolved
larky/src/main/java/com/verygood/security/larky/modules/vgs/aus/LarkyAccountUpdater.java
Show resolved
Hide resolved
| StarlarkInt expireYear, | ||
| String name, | ||
| String clientId, | ||
| String clientSecret, |
There was a problem hiding this comment.
please see my comment at #442 (comment) explaining the rationale
|
|
||
| @Data | ||
| @Builder | ||
| class Card { |
There was a problem hiding this comment.
consider making record instead of class
There was a problem hiding this comment.
I tried to put record syntax here, but my IDE is showing red font. It seems like record is supported only in Java 14, are we using Java 14 in this larky project?
There was a problem hiding this comment.
You should be using JDK 17 here
| * @param clientSecret client secret of service account to access calm API | ||
| * @return the updated card | ||
| */ | ||
| Card lookupCard( |
There was a problem hiding this comment.
Not sure of the point of this method since it returns what it was passed in
There was a problem hiding this comment.
Or does it return a different card? 🤔
There was a problem hiding this comment.
A card could be expired, exp date changed, or stolen, so the number changed. It's still the same card, but a different number or exp date. So this service and this method is for looking up the given card number and see if there's updates for the card. The customer would like to use the new card number is there's one in case of the original one is expired.
| Integer expireMonth, | ||
| Integer expireYear, | ||
| String name, | ||
| String clientId, |
There was a problem hiding this comment.
wonder why these need to be passed in and why they are env vars or something
There was a problem hiding this comment.
these are per merchant/vault credentials for calm's service account
larky/src/main/java/com/verygood/security/larky/ModuleSupplier.java
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| @StarlarkMethod( | ||
| name = "lookup_card", |
There was a problem hiding this comment.
should this change to lookup PAN instead of lookup card to match the documentation?
There was a problem hiding this comment.
I think lookup card makes more sense as the updated info could be just expiring month or year as well, not just PAN. So more accurately, we are looking up a whole card's update info.
| doc = "Lookup account updates for a given PAN.", | ||
| useStarlarkThread = true, | ||
| parameters = { | ||
| @Param( |
There was a problem hiding this comment.
Are all of these parameters required? If we pass None, this code will throw an error. Is this the desired behavior?
There was a problem hiding this comment.
yeah, those are meant to be required, so passing None will result in error, that's desired behavior
larky/src/main/java/com/verygood/security/larky/modules/AccountUpdaterModule.java
Outdated
Show resolved
Hide resolved
larky/src/main/java/com/verygood/security/larky/modules/AccountUpdaterModule.java
Outdated
Show resolved
Hide resolved
| doc = | ||
| "Card owner name. Used to pass to the network for retrieving the corresponding card information", | ||
| allowedTypes = {@ParamType(type = String.class)}), | ||
| @Param( |
There was a problem hiding this comment.
For me, this immediately stood out as 'hmm.' as the credentials are passed in via method call. Is this what we are intending?
There was a problem hiding this comment.
Yes, that's what we are intending.
This is for our needs in payments team to make it possible for our customer to get the latest card number from account updater service (provided by visa or mastercard). And to achieve that, we need to make a call to public API of calm. I envisioned this could be used like this
if use_account_updater(input.headers):
card = aus.lookup_card(
pan=body.cardNumber,
exp_month=body.expMon,
exp_year=body.expYear,
name=body.name,
client_id="<CALM SERVICE ACCOUNT CLIENT ID>",
client_secret="<CALM SERVICE ACCOUNT CLIENT SECRET>",
)
if card is not None and card.number != input.cardNumber or ...:
input.cardNumber = card.number
# update card
# proceed to PSP with or without new card infoAs you can see the challenge here is to authenticate with calm API server. The easiest way right now is to hardwire the service account credentials in the larky script. I know this may not be the best way in the world to authenticate to our own API service in VGS, but considering we need this feature in short time, it's the best way. If there's a concern for hardwiring the credentials in the larky script, we can actually ask the merchant to put their service account credentials in the vault and use reveal function to get the actual credential secret values. Like this
card = aus.lookup_card(
# ...
client_id=vault.reveal("<CALM SERVICE ACCOUNT CLIENT ID>"),
client_secret=vault.reveal("<CALM SERVICE ACCOUNT CLIENT SECRET>"),
)And if we don't want the possibility of merchant putting their service account credentials in larky script and force them to use vault, we can even reveal the secret in module and reject the request if the provided values are not alias.
In a perfect world, if we have enough time to build this feature and some major changes to vault is allowed, I was thinking about providing something like OIDC auth token like the ones from Kubernetes pod for authenticating with Calm server. Since the larky script environment is kind of already a trusted environment, I don't see why we need to authenticate again. So requests coming from larky can be trusted as long as there's a policy says that we trust calm API requests coming from our own vault proxy. Then the API call can be simplified as just
card = aus.lookup_card(
pan=body.cardNumber,
exp_month=body.expMon,
exp_year=body.expYear,
name=body.name,
)The account updater module will create a OIDC auth token for making the request and calm can authenticate and accept that automatically based on a pre-defined policy.
Regardless, that's too much effort for now, as we want this feature to be done ASAP, provides if keeping calm's service account credentials in vault (or even hardwiring in larky script) is acceptable, I think this is the best approach for now.
There was a problem hiding this comment.
To me the ability to use account updater should be done through a module. I don't feel that we should be using credentials like this for service to service calls. Here is my thinking.
Create a Vault Preference called "Account Updater" that is default false.
If that preference is false - horizon, simply does not allow the call to the service be completed.
If that preference is true - it goes through
The preference can only be set by someone/something with permissions to do so. ( this is something that the new Vault Management spec intends to support)
There was a problem hiding this comment.
so it sounds like we only want to enable this feature for customers who really need it, is my understanding correct?
is this vault preference feature something we can use right now, or is this a new feature and not yet implemented? I did a quick search in the code base and cannot find something looks like vault preference. If it's already there, can you please point that to me where's it and if there's an example of it?
There was a problem hiding this comment.
Yes, it's there... @sharifelgamal or @Iapetus999 can point you in the right direction. We made it so that preferences for the vault are available in horizon. Adding a new preference - 🤷🏼 not sure about. but I am going to hope it can be quick to add one🤞🏼 .
There was a problem hiding this comment.
note that we never actually added the ability to read preferences from horizon, it would involve the proxy (or operation pipeline as it were) passing in the preference as a header into larky
Fixes PAYMTS-1728
Description of changes in release / Impact of release:
Add account updater look up service
Documentation
Add account updater look up service
Risks of this release
Is this a breaking change?
If you answered Yes then describe why is it so
(insert text here if applicable)
Is there a way to disable the change?
Additional details go here
(insert text here if applicable)