public ActionResult <string> Webhooks(NotificationRequest notificationRequest) { var hmacValidator = new HmacValidator(); _logger.LogInformation($"Webhook received::\n{notificationRequest}\n"); foreach (NotificationRequestItemContainer container in notificationRequest.NotificationItemContainers) { // We recommend to activate HMAC validation in the webhooks for security reasons //try //{ //if (hmacValidator.IsValidHmac(container.NotificationItem, _hmac_key)) //{ _logger.LogInformation($"Received webhook with event::\n" + $"Merchant Reference ::{container.NotificationItem.MerchantReference} \n" + $"PSP Reference ::{container.NotificationItem.PspReference} \n" ); // } // else // { // _logger.LogError($"Error while validating HMAC Key"); // } //} //catch (Exception e) //{ // _logger.LogError($"Error while calculating HMAC signature::\n{e}\n"); // throw; //} } return("[accepted]"); }
public void OnAuthorization(AuthorizationContext filterContext) { if (filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)) { return; } IHmacConfiguration configuration = _configurationManager.Get("Example"); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); IHmacValidator validator = new HmacValidator(configuration, signer); HmacValidationResult result = validator.ValidateHttpRequest(filterContext.HttpContext.Request); if (result.ResultCode == HmacValidationResultCode.Ok) { return; } HttpResponseBase response = filterContext.HttpContext.Response; validator.AddWwwAuthenticateHeader(response, configuration.AuthorizationScheme); response.Headers.Add("X-Auth-ErrorCode", result.ResultCode.ToString()); response.StatusCode = (int)HttpStatusCode.Unauthorized; response.Write(result.ErrorMessage); response.End(); }
public void TestNotificationRequestItemHmac() { string key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00"; var expectedSign = "ipnxGCaUZ4l8TUW75a71/ghd2Fe5ffvX0pV4TLTntIc="; var additionalData = new Dictionary <string, string> { { Constants.AdditionalData.HmacSignature, expectedSign } }; var notificationRequestItem = new NotificationRequestItem { PspReference = "pspReference", OriginalReference = "originalReference", MerchantAccountCode = "merchantAccount", MerchantReference = "reference", Amount = new Model.Amount("EUR", 1000), EventCode = "EVENT", Success = true, AdditionalData = additionalData }; var hmacValidator = new HmacValidator(); var data = hmacValidator.GetDataToSign(notificationRequestItem); Assert.AreEqual("pspReference:originalReference:merchantAccount:reference:1000:EUR:EVENT:true", data); var encrypted = hmacValidator.CalculateHmac(notificationRequestItem, key); Assert.AreEqual(expectedSign, encrypted); notificationRequestItem.AdditionalData[Constants.AdditionalData.HmacSignature] = expectedSign; Assert.IsTrue(hmacValidator.IsValidHmac(notificationRequestItem, key)); notificationRequestItem.AdditionalData[Constants.AdditionalData.HmacSignature] = "notValidSign"; Assert.IsFalse(hmacValidator.IsValidHmac(notificationRequestItem, key)); }
public void ShouldFailValidationDueToMissingDate() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3); string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture); HttpRequestBase request = CreateRequest(dateString); HmacSignatureData signatureData = signer.GetSignatureDataFromHttpRequest(request); string signature = signer.CreateSignature(signatureData); request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format( HmacConstants.AuthorizationHeaderFormat, configuration.AuthorizationScheme, signature); request.Headers.Remove(HmacConstants.DateHeaderName); // Act HmacValidationResult result = validator.ValidateHttpRequest(request); // Assert Assert.IsNotNull(result); Assert.IsNotNull(result.ErrorMessage); Assert.AreEqual(result.ResultCode, HmacValidationResultCode.DateMissing); }
public void ShouldFailToValidateContentMd5() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); const string incorrectBody = Body + "Modified"; byte[] incorrectBodyBytes = Encoding.UTF8.GetBytes(incorrectBody); Stream incorrectBodyStream = new MemoryStream(incorrectBodyBytes); // Act bool stringIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBody, Encoding.UTF8); bool stringIsValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBody, Encoding.UTF8); bool bytesAreValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBodyBytes); bool bytesAreValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBodyBytes); bool streamIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBodyStream); bool streamIsValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBodyStream); incorrectBodyStream.Dispose(); // Assert Assert.IsFalse(stringIsValidBase64); Assert.IsFalse(stringIsValidByteArray); Assert.IsFalse(bytesAreValidBase64); Assert.IsFalse(bytesAreValidByteArray); Assert.IsFalse(streamIsValidBase64); Assert.IsFalse(streamIsValidByteArray); }
public void ShouldFailValidationDueToMissingKey() { // Arrange Mock <IHmacKeyRepository> mockKeyRepo = new Mock <IHmacKeyRepository>(); mockKeyRepo.Setup(r => r.GetHmacKeyForUsername(It.IsAny <string>())).Returns((string)null); IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, mockKeyRepo.Object); HmacValidator validator = new HmacValidator(configuration, signer); DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3); string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture); HttpRequestBase request = CreateRequest(dateString); HmacSignatureData signatureData = signer.GetSignatureDataFromHttpRequest(request); signatureData.Key = "TestKey"; string signature = signer.CreateSignature(signatureData); request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format( HmacConstants.AuthorizationHeaderFormat, configuration.AuthorizationScheme, signature); // Act HmacValidationResult result = validator.ValidateHttpRequest(request); // Assert Assert.IsNotNull(result); Assert.IsNotNull(result.ErrorMessage); Assert.AreEqual(result.ResultCode, HmacValidationResultCode.KeyMissing); }
public IActionResult GenerateSignature([FromQuery] GenerateSignatureRequest request) { var hmacValidator = new HmacValidator(); var stringToSign = hmacValidator.BuildSigningString(GetDictonaryFromRequest(request)); var signature = hmacValidator.CalculateSignature(stringToSign, request.SigningKey); return(Ok(signature)); }
public void TestHmac() { var data = "countryCode:currencyCode:merchantAccount:merchantReference:paymentAmount:sessionValidity:skinCode:NL:EUR:MagentoMerchantTest2:TEST-PAYMENT-2017-02-01-14\\:02\\:05:199:2017-02-02T14\\:02\\:05+01\\:00:PKz2KML1"; var key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00"; var hmacValidator = new HmacValidator(); var ecnrypted = hmacValidator.CalculateHmac(data, key); Assert.IsTrue(string.Equals(ecnrypted, "34oR8T1whkQWTv9P+SzKyp8zhusf9n0dpqrm9nsqSJs=")); }
public Dictionary <string, string> GetPostParametersFromDlRequest(DirectoryLookupRequest request) { var config = this.Client.Config; var postParameters = new Dictionary <string, string> { { Fields.CurrencyCode, request.CurrencyCode }, { Fields.MerchantReference, request.MerchantReference }, { Fields.SessionValidity, request.SessionValidity }, { Fields.CountryCode, request.CountryCode } }; if (!string.IsNullOrEmpty(request.MerchantAccount)) { postParameters.Add(Fields.MerchantAccount, request.MerchantAccount); } else { postParameters.Add(Fields.MerchantAccount, config.MerchantAccount); } postParameters.Add(Fields.PaymentAmount, request.PaymentAmount); if (!string.IsNullOrEmpty(request.SkinCode)) { postParameters.Add(Fields.SkinCode, request.SkinCode); } else { postParameters.Add(Fields.SkinCode, config.SkinCode); } var hmacValidator = new HmacValidator(); var dataToSign = hmacValidator.BuildSigningString(postParameters); string hmacKey; if (!string.IsNullOrEmpty(request.HmacKey)) { hmacKey = request.HmacKey; } else { hmacKey = config.HmacKey; } var merchantSig = hmacValidator.CalculateHmac(dataToSign, hmacKey); postParameters.Add(Fields.MerchantSig, merchantSig); return(postParameters); }
public void TestHmacCalculationNotificationRequestWithSpecialChars() { string key = "66B61474A0AA3736BA8789EDC6D6CD9EBA0C4F414A554E32A407F849C045C69D"; var mockPath = GetMockFilePath("Mocks/notification-response-refund-fail.json"); var response = MockFileToString(mockPath); var hmacValidator = new HmacValidator(); var notificationRequest = JsonOperation.Deserialize <NotificationRequest>(response); var notificationItem = notificationRequest.NotificationItemContainers[0].NotificationItem; var isValidHmac = hmacValidator.IsValidHmac(notificationItem, key); Assert.IsTrue(isValidHmac); }
public void GivenWrongSigningKey_WhenIsValidIsCalled_ThenReturnIsFalse() { var val = new HmacValidator(); var fields = new Dictionary <string, string> { { "Field1", "Value1" }, { "Field2", "Value2" }, { "Field3", "Value3" } }; var key = "DifferentDFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00"; var originalSignature = "oWZFUUcY8F9RzjHpNIGd8kEfIkEdKGSbTqeOt2ScocA="; val.IsValidSignature(fields, originalSignature, key).Should().BeFalse(); }
private string CalculateSignature(ProcessPaymentRequest request) { var parametrs = new Dictionary <string, string> { { nameof(request.MerchantTransactionId), request.MerchantTransactionId }, { nameof(request.Amount), request.Amount.ToString("F", CultureInfo.InvariantCulture) }, { nameof(request.CardNumber), request.CardNumber }, { nameof(request.ExpiryMonth), request.ExpiryMonth.ToString() }, { nameof(request.ExpiryYear), request.ExpiryYear.ToString() }, { nameof(request.Cvv), request.Cvv }, { nameof(request.Currency), request.Currency } }; var hmacGenerator = new HmacValidator(); return(hmacGenerator.CalculateSignature(hmacGenerator.BuildSigningString(parametrs), _testMerchant.SigningKey)); }
public void ShouldAddWwwAuthenticateHeader() { // Arrange const string headerValue = "HMAC_TEST"; IHmacConfiguration configuration = CreateConfiguration(); HttpResponseBase response = CreateResponse(string.Empty); HmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); // Act validator.AddWwwAuthenticateHeader(response, headerValue); string actualHeaderValue = response.Headers["WWW-Authenticate"]; // Assert Assert.IsNotNull(actualHeaderValue); Assert.AreEqual(headerValue, actualHeaderValue); }
public void ShouldFailValidationDueToInvalidAuthorization() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3); string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture); HttpRequestBase request = CreateRequest(dateString); request.Headers[HmacConstants.AuthorizationHeaderName] = "blahblah"; // Act HmacValidationResult result = validator.ValidateHttpRequest(request); // Assert Assert.IsNotNull(result); Assert.IsNotNull(result.ErrorMessage); Assert.AreEqual(result.ResultCode, HmacValidationResultCode.AuthorizationInvalid); }
public void GivenValidSignature_WhenIsValidIsCalled_ThenReturnIsTrue() { var validator = new HmacValidator(); var fields = new Dictionary <string, string> { { "MerchantTransactionId", "12345678901" }, { "Amount", "10.00" }, { "CardNumber", "1234123412341234" }, { "ExpiryMonth", "10" }, { "ExpiryYear", "2022" }, { "Cvv", "123" }, { "Currency", "EUR" } }; var key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00"; var originalSignature = "j6Ze59AWImB/ka9AySkvCxbOhvdX0P9yqiojz3vfVlE="; validator.IsValidSignature(fields, originalSignature, key).Should().BeTrue(); }
public void ShouldFailToValidateSignature() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); const string signatureString1 = "SIGNATURE_STRING"; const string signatureString2 = "SIGNATURE_STRING_DIFFERENT"; byte[] signatureBytes1 = Encoding.UTF8.GetBytes(signatureString1); byte[] signatureBytes2 = Encoding.UTF8.GetBytes(signatureString2); // Act bool isValidString = validator.IsValidSignature(signatureString1, signatureString2); bool isValidByteArray = validator.IsValidSignature(signatureBytes1, signatureBytes2); // Assert Assert.IsFalse(isValidString); Assert.IsFalse(isValidByteArray); }
public void TestDataSign() { var postParameters = new Dictionary <string, string> { { Constants.HPPConstants.Fields.MerchantAccount, "ACC" }, { Constants.HPPConstants.Fields.CurrencyCode, "EUR" } }; var hmacValidator = new HmacValidator(); var buildSigningString = hmacValidator.BuildSigningString(postParameters); Assert.IsTrue(string.Equals("currencyCode:merchantAccount:EUR:ACC", buildSigningString)); postParameters = new Dictionary <string, string> { { Constants.HPPConstants.Fields.CurrencyCode, "EUR" }, { Constants.HPPConstants.Fields.MerchantAccount, "ACC:\\" } }; buildSigningString = hmacValidator.BuildSigningString(postParameters); Assert.IsTrue(string.Equals("currencyCode:merchantAccount:EUR:ACC\\:\\\\", buildSigningString)); }
public void ShouldFailToValidateRequestDate() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-6); string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture); DateTime dateTime = dateTimeOffset.UtcDateTime; // Act bool isValidDateTimeOffset = validator.IsValidRequestDate(dateTimeOffset); bool isValidDateString = validator.IsValidRequestDate(dateString, HmacConstants.DateHeaderFormat); bool isValidDateTime = validator.IsValidRequestDate(dateTime); // Assert Assert.IsFalse(isValidDateString); Assert.IsFalse(isValidDateTime); Assert.IsFalse(isValidDateTimeOffset); }
public void ShouldValidateContentMd5() { // Arrange IHmacConfiguration configuration = CreateConfiguration(); IHmacSigner signer = new HmacSigner(configuration, _keyRepository); HmacValidator validator = new HmacValidator(configuration, signer); // Act bool stringIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, Body, Encoding.UTF8); bool stringIsValidByteArray = validator.IsValidContentMd5(_md5Hash, Body, Encoding.UTF8); bool bytesAreValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, _bodyBytes); bool bytesAreValidByteArray = validator.IsValidContentMd5(_md5Hash, _bodyBytes); bool streamIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, _bodyStream); bool streamIsValidByteArray = validator.IsValidContentMd5(_md5Hash, _bodyStream); // Assert Assert.IsTrue(stringIsValidBase64); Assert.IsTrue(stringIsValidByteArray); Assert.IsTrue(bytesAreValidBase64); Assert.IsTrue(bytesAreValidByteArray); Assert.IsTrue(streamIsValidBase64); Assert.IsTrue(streamIsValidByteArray); }