libeufin-cli - Interact with LibEuFin Sandbox and Nexus
libeufin-cli [-h | –help] [–version] COMMAND [ARGS…]
Commands: accounts, connections, facades, permissions, sandbox, users
libeufin-cli is the user interface program to interact
with libeufin-sandbox and libeufin-nexus when they are
operating as HTTP servers, listening on localhost ports.
Normally, you invoke them with their respective serve commands,
and in a separate shell, use libeufin-cli to send requests
and receive responses from them.
The interaction model is as follows:
For libeufin-cli to be able to communicate with libeufin-sandbox, the following environment variables need to be set:
LIBEUFIN_SANDBOX_USERNAMEadmin.LIBEUFIN_SANDBOX_PASSWORDLIBEUFIN_SANDBOX_URLhttp://localhost:PORT, where PORT is the
same port chosen when the sandbox was started.
This URL can also be specified with the --sandbox-url URL
option to the sandbox command (see below).
If both are given, the --sandbox-url option takes precedence.For libeufin-cli to be able to communicate with libeufin-nexus, the following environment variables need to be set:
LIBEUFIN_NEXUS_USERNAMEusers create), this must be the
same username chosen by the libeufin-nexus superuser command.LIBEUFIN_NEXUS_PASSWORDLIBEUFIN_NEXUS_URLhttp://localhost:PORT, where PORT is the
same port chosen when the nexus was started.Of the six commands, the sandbox command talks to the sandbox,
while the other five commands talk to the nexus.
The following sections describe each command and their subcommands in detail.
The libeufin-cli sandbox command is for managing the sandbox process
started by libeufin-sandbox serve.
It takes one option, --sandbox-url URL, to be specified before
the subcommands and their arguments.
This URL can also be specified with the LIBEUFIN_SANDBOX_URL
environment variable (see above).
If both are given, the --sandbox-url option takes precedence.
The following subcommands are available: bankaccount, check, demobank, ebicsbankaccount, ebicshost, ebicssubscriber.
The first command to use is check,
followed by ebicshost, ebicssubscriber,
and ebicsbankaccount, to configure the basic system.
You can then use the bankaccount command to generate (simulated)
transaction traffic.
After that, the demobank command and its subcommands
provide the same access to the API that Nexus itself uses.
You normally do not need to use those commands directly.
The check command attempts a simple aliveness check by
contacting the sandbox and displaying its returned message.
If all goes well, you should see something like:
$ libeufin-cli sandbox check
Hello, this is the Sandbox
The ebicshost command manages EBICS hosts.
It has two subcommands: create and list.
The ebicshost create command creates a EBICS host.
It takes one option, --host-id ID, where ID is used to
identify that host for all future commands.
The ebicshost list command lists the hosts in the system.
For example:
$ libeufin-cli sandbox ebicshost create --host-id testhost
$ libeufin-cli sandbox ebicshost list
{
"ebicsHosts" : [ "testhost" ]
}
Here, the ID is testhost.
The ebicssubscriber command manages EBICS subscribers.
It has two subcommands: create and list.
NB: This command is deprecated and will be removed at some point.
See sandbox demobank new-ebicssubscriber (below) for its replacement.
The ebicssubscriber create command creates a EBICS subscriber.
It takes three options, all of which are required:
--host-id TEXT Ebics host ID
--partner-id TEXT Ebics partner ID
--user-id TEXT Ebics user ID
The host ID should be the same one specified in ebicshost create
(see above).
For example:
$ libeufin-cli sandbox ebicssubscriber create \
--host-id testhost \
--partner-id partner01 \
--user-id user01
Note that testhost is the same as in the ebicshost create
example (see above).
The ebicssubscriber list command lists the EBICS subscribers
in the system.
For example:
$ libeufin-cli sandbox ebicssubscriber list
{
"subscribers" : [ {
"hostID" : "testhost",
"partnerID" : "partner01",
"userID" : "user01",
"systemID" : null,
"demobankAccountLabel" : "not associated yet"
} ]
}
Note that the output reflects the subscriber created in
the ebicssubscriber create example (see above).
The ebicsbankaccount command manages EBICS bank accounts.
It has one subcommand: create.
(To list accounts, see sandbox bankaccount below.)
The ebicsbankaccount create command takes several options, all required:
--iban TEXT IBAN
--bic TEXT BIC
--person-name TEXT bank account owner name
--account-name TEXT label of this bank account
--ebics-user-id TEXT user ID of the Ebics subscriber
--ebics-host-id TEXT host ID of the Ebics subscriber
--ebics-partner-id TEXT partner ID of the Ebics subscriber
At this time, although the --person-name option is required,
the sandbox does not remember the option value.
(When queried, it displays “Bank account owner’s name” instead.
See sandbox bankaccount below.)
For the sandbox, the important value is the --account-name option.
For example:
$ libeufin-cli sandbox ebicsbankaccount create \
--iban DE18500105172929531888 \
--bic INGDDEFFXXX \
--person-name "Jane Normal" \
--account-name testacct01 \
--ebics-host-id testhost \
--ebics-user-id user01 \
--ebics-partner-id partner01
Note that testhost is the same as in the ebicshost create
example, and that user01 and partner01 are the same as in the
ebicssubscriber create example (see above).
The bankaccount command manages bank accounts.
It has several subcommands: list, generate-transactions,
simulate-incoming-transaction, transactions.
The bankaccount list command lists the bank accounts in the system.
For example:
$ libeufin-cli sandbox bankaccount list
[ {
"label" : "bank",
"name" : "Bank account owner's name",
"iban" : "DE370758",
"bic" : "SANDBOXX"
}, {
"label" : "testacct01",
"name" : "Bank account owner's name",
"iban" : "DE18500105172929531888",
"bic" : "INGDDEFFXXX"
} ]
Note that testacct01, DE18500105172929531888, and INGDDEFFXXX
are the same as specified in the ebicsbankaccount create example
(see above).
The remaining bankaccount commands deal with transactions
to and from the bank accounts.
The bankaccount generate-transactions command generates
test transactions.
It takes one arg, the account label.
For example:
$ libeufin-cli sandbox bankaccount generate-transactions testacct01
Note that testacct01 is the account label shown in the bankaccount
list example (see above).
The bankaccount simulate-incoming-transaction books an
incoming payment in the sandbox.
It takes one arg, the account label, and several options.
--debtor-iban TEXT IBAN sending the payment
--debtor-bic TEXT BIC sending the payment
--debtor-name TEXT name of the person who is sending the payment
--amount TEXT amount, no currency
--subject TEXT payment subject
For example:
$ libeufin-cli sandbox bankaccount simulate-incoming-transaction
testacct01 \
--debtor-iban DE06500105174526623718 \
--debtor-bic INGDDEFFXXX \
--debtor-name "Joe Foo" \
--subject "Hello World" \
--amount 10.50
Note that testacct01 is the same as in previous examples (see above),
and that 10.50 is in X.Y format.
The bankaccount transactions command lists transactions.
It takes one arg, the account label.
For example:
$ libeufin-cli sandbox bankaccount transactions testacct01
{
"payments" : [ {
"accountLabel" : "testacct01",
"creditorIban" : "DE18500105172929531888",
"creditorBic" : "INGDDEFFXXX",
"creditorName" : "Creditor Name",
"debtorIban" : "DE64500105178797276788",
"debtorBic" : "DEUTDEBB101",
"debtorName" : "Max Mustermann",
"amount" : "5",
"currency" : "EUR",
"subject" : "sample transaction DILWBJHL",
"date" : "Wed, 26 Jan 2022 09:03:44 GMT",
"creditDebitIndicator" : "credit",
"accountServicerReference" : "DILWBJHL",
"paymentInformationId" : null
}, {
"accountLabel" : "testacct01",
"creditorIban" : "DE64500105178797276788",
"creditorBic" : "DEUTDEBB101",
"creditorName" : "Max Mustermann",
"debtorIban" : "DE18500105172929531888",
"debtorBic" : "INGDDEFFXXX",
"debtorName" : "Debitor Name",
"amount" : "12",
"currency" : "EUR",
"subject" : "sample transaction N7JSY17B",
"date" : "Wed, 26 Jan 2022 09:03:44 GMT",
"creditDebitIndicator" : "debit",
"accountServicerReference" : "N7JSY17B",
"paymentInformationId" : null
}, {
"accountLabel" : "testacct01",
"creditorIban" : "DE18500105172929531888",
"creditorBic" : "INGDDEFFXXX",
"creditorName" : "Creditor Name",
"debtorIban" : "DE06500105174526623718",
"debtorBic" : "INGDDEFFXXX",
"debtorName" : "Joe Foo",
"amount" : "10.50",
"currency" : "EUR",
"subject" : "Hello World",
"date" : "Wed, 26 Jan 2022 09:04:31 GMT",
"creditDebitIndicator" : "credit",
"accountServicerReference" : "sandbox-6UI2J3636J9EESXO",
"paymentInformationId" : null
} ]
}
Note that testacct01 is the same as in previous examples (see above),
and that the generated transactions from previous examples are listed,
as well.
The demobank command provides an interface to the Access API,
which includes three commands: register, info, new-transaction.
There is also a fourth demobank command, new-ebicssubscriber,
that does not use the Access API.
For all demobank commands, the sandbox URL must specify which
one bank the command applies to in the base URL.
Note that this URL cannot be used with other sandbox commands.
In other words:
--sandbox-url http://localhost:5016/demobanks/defaultThis base URL can be used for commands:
It specifies the default demobank.
--sandbox-url http://localhost:5016In the following examples, the base URL will be explicitly shown with
the --sandbox-url option for the demobank commands.
The demobank register command registers a new bank account.
Note that the username will be both the username to login at
the bank and the bank account label.
It takes the username and password from the
LIBEUFIN_SANDBOX_USERNAME and LIBEUFIN_SANDBOX_PASSWORD
environment variables.
The username need not be admin.
For example:
$ export LIBEUFIN_SANDBOX_USERNAME=jrluser
$ export LIBEUFIN_SANDBOX_PASSWORD=easy
$ libeufin-cli sandbox \
--sandbox-url http://localhost:5016/demobanks/default \
demobank register
The demobank info command returns basic information on a bank account.
It takes option --bank-account NAME.
For example:
$ libeufin-cli sandbox \
--sandbox-url http://localhost:5016/demobanks/default \
demobank info --bank-account jrluser
{
"balance" : {
"amount" : "EUR:100",
"credit_debit_indicator" : "credit"
},
"paytoUri" : "payto://iban/SANDBOXX/DE948559?receiver-name=admin"
}
Note that jrluser is the same username / bank account name
as in the register example (see above).
The demobank new-ebicssubscriber command associates a new Ebics
subscriber to an existing bank account.
It takes several options, all required:
--host-id TEXT Ebics host ID
--partner-id TEXT Ebics partner ID
--user-id TEXT Ebics user ID
--bank-account TEXT Label of the bank account to associate
with this Ebics subscriber
For example:
Note that testhost is the same as in the ebicshost create
example, and that partner01 is the same as in the
ebicssubscriber create example (see above).
The user02 is new.
The --bank-account jrluser is the same as in the
info example (see above).
You can see the effect of the new-ebicssubscriber command
with the sandbox ebicssubscriber list
and sandbox bankaccount list commands.
The demobank new-transaction command initiates a new transaction.
It takes several options, all required:
--bank-account TEXT Label of the bank account to be
debited for the transaction
--payto-with-subject TEXT Payto address including the
subject as a query parameter
--amount CUR:X.Y Amount to transfer
For example:
$ libeufin-cli sandbox \
--sandbox-url http://localhost:5016/demobanks/default \
demobank new-transaction \
--bank-account jrluser \
--payto-with-subject 'payto://FIXME/?message=1kg+coffee' \
--amount EUR:10.50
FIXME: Any output?
Note that --bank-account jrluser is the same as in the
info and new-ebicssubscriber command examples (see above).
The connections set of commands handle connections between
the bank(s) and Nexus.
It has several subcommands:
new-ebics-connection,
list-connections,
show-connection,
delete-connection,
export-backup,
restore-backup,
get-key-letter,
connect,
list-offered-bank-accounts,
download-bank-accounts,
import-bank-account.
Generally, you will create a connection, save its critical key information to a safe location, then use the connection to find and import a bank account, for further use.
Several commands take a CONNECTION_NAME argument.
In the following examples, we use conn01 for that.
Also, for demonstration purposes, we use the sandbox EBICS services,
so the EBICS_URL follows the previous examples in the sandbox
command, as the value of environment variable LIBEUFIN_SANDBOX_URL
suffixed with /ebicsweb, i.e., http://localhost:5016/ebicsweb.
The connections new-ebics-connection command creates a new connection
between an EBICS service and the Nexus.
It takes one arg, the CONNECTION_NAME, and four required options:
--ebics-url TEXT EBICS URL
--host-id TEXT Host ID
--partner-id TEXT Partner ID
--ebics-user-id TEXT Ebics user ID
For example:
$ libeufin-cli connections new-ebics-connection \
--ebics-url http://localhost:5016/ebicsweb \
--host-id testhost \
--partner-id partner01 \
--ebics-user-id user02 \
conn01
Note that the testhost, partner01, and user02 are the same as
in the sandbox demobank new-ebicssubscriber command (see above).
The connections list-connections command lists connections in Nexus.
For example:
$ libeufin-cli connections list-connections
{
"bankConnections" : [ {
"name" : "conn01",
"type" : "ebics"
} ]
}
The name of the connection is conn01 as in the
connections new-ebics-connection example (see above).
The connections show-connection command displays information
about a specific connection.
It takes one argument, the CONNECTION_NAME.
For example:
$ libeufin-cli connections show-connection conn01
{
"type" : "ebics",
"owner" : "foo",
"ready" : true,
"details" : {
"ebicsUrl" : "http://localhost:5016/ebicsweb",
"ebicsHostId" : "testhost",
"partnerId" : "partner01",
"userId" : "user02"
}
}
The details are the same as in the connections new-ebics-connections
example (see above).
The connections delete-connection command deletes a bank connection.
It takes one argument, the CONNECTION_NAME.
For example:
$ libeufin-cli connections delete-connection conn01
The connections export-backup command writes key and signature
information to a backup file (which you should take care to store
in a secure location).
It takes one argument, the CONNECTION_NAME and two required options:
--passphrase TEXT Passphrase for locking the backup
--output-file TEXT Where to store the backup
For example:
$ libeufin-cli connections export-backup \
--passphrase secret \
--output-file sig-and-key-info \
conn01
FIXME: Output?
WRITEME
The connections get-key-letter command creates a PDF file
that contains key information.
It takes two arguments, CONNECTION_NAME and OUTPUT_FILE.
For example:
$ libeufin-cli connections get-key-letter conn01 key-letter.pdf
This creates file key-letter.pdf in the current working directory.
WRITEME
WRITEME
WRITEME
WRITEME
The libeufin-cli users command manages users authorized to
operate Nexus.
It has several subcommands: self, list, create, change-password.
The create and change-password commands can only be issued
by the superuser
(as configured by the libeufin-nexus superuser command),
while the self and list commands can be issued by any user.
In the following users examples, we assume that previously
the command libeufin-nexus superuser foo was issued, and
that the current username and password are for that user
(via environment variables LIBEUFIN_NEXUS_USERNAME and
LIBEUFIN_NEXUS_PASSWORD, see above).
The users self command displays information for the current user.
For example:
$ libeufin-cli users self
{
"username" : "foo",
"superuser" : true
}
The users list command displays information for all the
users authorized to operate Nexus.
For example:
$ libeufin-cli users list
{
"users" : [ {
"username" : "foo",
"superuser" : true
} ]
}
In this example, there is only one user, the superuser foo.
The users create command creates a normal (non-superuser) user.
It takes one argument, the USERNAME and one option,
--password TEXT.
If you omit the option, libeufin-cli will prompt you for the password.
For example:
$ libeufin-cli users create --password easy jrluser
{
"message" : "New user 'jrluser' registered"
}
$ libeufin-cli users list
{
"users" : [ {
"username" : "foo",
"superuser" : true
}, {
"username" : "jrluser",
"superuser" : false
} ]
}
In this example, we create the same user as for the sandbox examples (see above). Note that the system now includes two users.
The users change-password command changes the password for a user.
It takes one argument, the USERNAME and one option,
--new-password TEXT.
If you omit the option, libeufin-cli will prompt you for the password.
For example:
$ libeufin-cli users change-password --new-password hard jrluser
{
"message" : "Password successfully changed"
}
The libeufin-cli permissions command manages permissions
for operations on Nexus.
It has three subcommands: list, grant, revoke.
All three commands can only be issued by the superuser.
The permissions list command lists the granted permissions.
At the beginning of a session, there are none:
$ libeufin-cli permissions list
{
"permissions" : [ ]
}
The permissions grant command adds a permission to the list
of granted permissions.
It takes five arguments: SUBJECT_TYPE, SUBJECT_ID,
RESOURCE_TYPE, RESOURCE_ID, PERMISSION_NAME.
FIXME: The subject type and id, resource type and id, are …
The PERMISSION_NAME is one of the following:
facade.talerwiregateway.historyfacade.talerwiregateway.transferfacade.anastasis.historyFor example:
$ libeufin-cli permissions grant \
some-subject-type some-subject-id \
some-resource-type some-resource-id \
facade.anastasis.history
{ }
$ libeufin-cli permissions list
{
"permissions" : [ {
"subjectType" : "some-subject-type",
"subjectId" : "some-subject-id",
"resourceType" : "some-resource-type",
"resourceId" : "some-resource-id",
"permissionName" : "facade.anastasis.history"
} ]
}
The permissions revoke command does the opposite of the
permissions grant command.
It takes the same arguments as the permissions grant command:
SUBJECT_TYPE, SUBJECT_ID, RESOURCE_TYPE, RESOURCE_ID,
PERMISSION_NAME.
For example:
$ libeufin-cli permissions revoke \
some-subject-type some-subject-id \
some-resource-type some-resource-id \
facade.anastasis.history
{ }
$ libeufin-cli permissions list
{
"permissions" : [ ]
}
This example undoes the effect of the previous (permissions grant) example.
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
WRITEME
Report bugs by using https://bugs.taler.net or by sending electronic mail to <taler@gnu.org>.