ofxgo/vanguard_client.go

package ofxgo

import (
	"crypto/tls"
	"errors"
	"io"
	"net/http"
	"strings"
)

// VanguardClient provides a Client implementation which handles Vanguard's
// cookie-passing requirements and also enables older, disabled-by-default
// cipher suites. VanguardClient uses default, non-zero settings, if its fields
// are not initialized.
type VanguardClient struct {
	*BasicClient
}

// NewVanguardClient returns a Client interface configured to handle Vanguard's
// brand of idiosyncrasy
func NewVanguardClient(bc *BasicClient) Client {
	return &VanguardClient{bc}
}

// vanguardHttpClient returns an http.Client with the default supported
// ciphers plus the insecure ciphers Vanguard still uses.
func vanguardHttpClient() *http.Client {
	var clientCiphers []uint16

	vanguardCiphers := []uint16{
		tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	}
	defaultCiphers := tls.CipherSuites()
	for _, cipher := range defaultCiphers {
		clientCiphers = append(clientCiphers, cipher.ID)
	}
	clientCiphers = append(clientCiphers, vanguardCiphers...)

	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				CipherSuites: clientCiphers,
			},
		},
	}
	return client
}

// RawRequest is a copy of BasicClient RawRequest with a custom http.Client
// that enables older cipher suites.
func (c *VanguardClient) RawRequest(URL string, r io.Reader) (*http.Response, error) {
	if !strings.HasPrefix(URL, "https://") {
		return nil, errors.New("Refusing to send OFX request with possible plain-text password over non-https protocol")
	}

	request, err := http.NewRequest("POST", URL, r)
	if err != nil {
		return nil, err
	}
	request.Header.Set("Content-Type", "application/x-ofx")
	if c.UserAgent != "" {
		request.Header.Set("User-Agent", c.UserAgent)
	}
	client := vanguardHttpClient()
	response, err := client.Do(request)
	if err != nil {
		return nil, err
	}

	if response.StatusCode != 200 {
		return response, errors.New("OFXQuery request status: " + response.Status)
	}

	return response, nil
}

// rawRequestCookiesInsecureCiphers is RawRequest with the added features of
// sending cookies and using a custom http.Client that enables older cipher
// suites which are disabled by default
func rawRequestCookiesInsecureCiphers(URL string, r io.Reader, cookies []*http.Cookie) (*http.Response, error) {
	if !strings.HasPrefix(URL, "https://") {
		return nil, errors.New("Refusing to send OFX request with possible plain-text password over non-https protocol")
	}

	request, err := http.NewRequest("POST", URL, r)
	if err != nil {
		return nil, err
	}
	request.Header.Set("Content-Type", "application/x-ofx")
	for _, cookie := range cookies {
		request.AddCookie(cookie)
	}

	client := vanguardHttpClient()
	response, err := client.Do(request)
	if err != nil {
		return nil, err
	}

	if response.StatusCode != 200 {
		return nil, errors.New("OFXQuery request status: " + response.Status)
	}

	return response, nil
}

// RequestNoParse marshals a Request to XML, makes an HTTP request, and returns
// the raw HTTP response
func (c *VanguardClient) RequestNoParse(r *Request) (*http.Response, error) {
	r.SetClientFields(c)

	b, err := r.Marshal()
	if err != nil {
		return nil, err
	}

	response, err := c.RawRequest(r.URL, b)

	// Some financial institutions (cough, Vanguard, cough), require a cookie
	// to be set on the http request, or they return empty responses.
	// Fortunately, the initial response contains the cookie we need, so if we
	// detect an empty response with cookies set that didn't have any errors,
	// re-try the request while sending their cookies back to them.
	if response != nil && response.ContentLength <= 0 && len(response.Cookies()) > 0 {
		b, err = r.Marshal()
		if err != nil {
			return nil, err
		}

		return rawRequestCookiesInsecureCiphers(r.URL, b, response.Cookies())
	}

	return response, err
}

// Request marshals a Request to XML, makes an HTTP request, and then
// unmarshals the response into a Response object.
func (c *VanguardClient) Request(r *Request) (*Response, error) {
	return clientRequest(c, r)
}
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`package ofxgo`

			`import (`
Vanguard: Allow deprecated SSL ciphers This is unfortunately required to interact with Vanguard because their OFX servers still have not moved to newer ciphers. 2024-10-10 21:15:11 -04:00			`"crypto/tls"`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`"errors"`
			`"io"`
			`"net/http"`
			`"strings"`
			`)`

			`// VanguardClient provides a Client implementation which handles Vanguard's`
Vanguard: Allow deprecated SSL ciphers This is unfortunately required to interact with Vanguard because their OFX servers still have not moved to newer ciphers. 2024-10-10 21:15:11 -04:00			`// cookie-passing requirements and also enables older, disabled-by-default`
			`// cipher suites. VanguardClient uses default, non-zero settings, if its fields`
			`// are not initialized.`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`type VanguardClient struct {`
			`*BasicClient`
			`}`

			`// NewVanguardClient returns a Client interface configured to handle Vanguard's`
Fix spelling error 2020-10-06 23:09:45 -04:00			`// brand of idiosyncrasy`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`func NewVanguardClient(bc *BasicClient) Client {`
			`return &VanguardClient{bc}`
			`}`

Vanguard: Allow deprecated SSL ciphers This is unfortunately required to interact with Vanguard because their OFX servers still have not moved to newer ciphers. 2024-10-10 21:15:11 -04:00			`// vanguardHttpClient returns an http.Client with the default supported`
			`// ciphers plus the insecure ciphers Vanguard still uses.`
			`func vanguardHttpClient() *http.Client {`
			`var clientCiphers []uint16`

			`vanguardCiphers := []uint16{`
			`tls.TLS_RSA_WITH_AES_128_CBC_SHA256,`
			`tls.TLS_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_RSA_WITH_AES_256_GCM_SHA384,`
			`}`
			`defaultCiphers := tls.CipherSuites()`
			`for _, cipher := range defaultCiphers {`
			`clientCiphers = append(clientCiphers, cipher.ID)`
			`}`
			`clientCiphers = append(clientCiphers, vanguardCiphers...)`

			`client := &http.Client{`
			`Transport: &http.Transport{`
			`TLSClientConfig: &tls.Config{`
			`CipherSuites: clientCiphers,`
			`},`
			`},`
			`}`
			`return client`
			`}`

			`// RawRequest is a copy of BasicClient RawRequest with a custom http.Client`
			`// that enables older cipher suites.`
			`func (c VanguardClient) RawRequest(URL string, r io.Reader) (http.Response, error) {`
			`if !strings.HasPrefix(URL, "https://") {`
			`return nil, errors.New("Refusing to send OFX request with possible plain-text password over non-https protocol")`
			`}`

			`request, err := http.NewRequest("POST", URL, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`request.Header.Set("Content-Type", "application/x-ofx")`
			`if c.UserAgent != "" {`
			`request.Header.Set("User-Agent", c.UserAgent)`
			`}`
			`client := vanguardHttpClient()`
			`response, err := client.Do(request)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if response.StatusCode != 200 {`
			`return response, errors.New("OFXQuery request status: " + response.Status)`
			`}`

			`return response, nil`
			`}`

			`// rawRequestCookiesInsecureCiphers is RawRequest with the added features of`
			`// sending cookies and using a custom http.Client that enables older cipher`
			`// suites which are disabled by default`
			`func rawRequestCookiesInsecureCiphers(URL string, r io.Reader, cookies []http.Cookie) (http.Response, error) {`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`if !strings.HasPrefix(URL, "https://") {`
			`return nil, errors.New("Refusing to send OFX request with possible plain-text password over non-https protocol")`
			`}`

			`request, err := http.NewRequest("POST", URL, r)`
			`if err != nil {`
			`return nil, err`
			`}`
			`request.Header.Set("Content-Type", "application/x-ofx")`
			`for _, cookie := range cookies {`
			`request.AddCookie(cookie)`
			`}`

Vanguard: Allow deprecated SSL ciphers This is unfortunately required to interact with Vanguard because their OFX servers still have not moved to newer ciphers. 2024-10-10 21:15:11 -04:00			`client := vanguardHttpClient()`
			`response, err := client.Do(request)`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`if err != nil {`
			`return nil, err`
			`}`

			`if response.StatusCode != 200 {`
			`return nil, errors.New("OFXQuery request status: " + response.Status)`
			`}`

			`return response, nil`
			`}`

Add comments to a few exported methods 2020-10-06 23:08:02 -04:00			`// RequestNoParse marshals a Request to XML, makes an HTTP request, and returns`
			`// the raw HTTP response`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`func (c VanguardClient) RequestNoParse(r Request) (*http.Response, error) {`
			`r.SetClientFields(c)`

			`b, err := r.Marshal()`
			`if err != nil {`
			`return nil, err`
			`}`

			`response, err := c.RawRequest(r.URL, b)`

			`// Some financial institutions (cough, Vanguard, cough), require a cookie`
			`// to be set on the http request, or they return empty responses.`
			`// Fortunately, the initial response contains the cookie we need, so if we`
			`// detect an empty response with cookies set that didn't have any errors,`
			`// re-try the request while sending their cookies back to them.`
Vanguard client: Accept 500 errors on initial response Though their server returns a 500 HTTP status code, it still sets the required cookies on the response that we can use to make a second request. 2020-11-17 09:18:40 -05:00			`if response != nil && response.ContentLength <= 0 && len(response.Cookies()) > 0 {`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`b, err = r.Marshal()`
			`if err != nil {`
			`return nil, err`
			`}`

Vanguard: Allow deprecated SSL ciphers This is unfortunately required to interact with Vanguard because their OFX servers still have not moved to newer ciphers. 2024-10-10 21:15:11 -04:00			`return rawRequestCookiesInsecureCiphers(r.URL, b, response.Cookies())`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`}`

			`return response, err`
			`}`

Add comments to a few exported methods 2020-10-06 23:08:02 -04:00			`// Request marshals a Request to XML, makes an HTTP request, and then`
			`// unmarshals the response into a Response object.`
Make Client an interface instead of a struct This makes it easier to maintain per-institution hacks that start interacting with each other if you try to do them all in the same client code. This commit also breaks out the existing Vanguard hack into its own Client implementation. 2018-10-03 09:59:04 -04:00			`func (c VanguardClient) Request(r Request) (*Response, error) {`
			`return clientRequest(c, r)`
			`}`