public void LogoutFailTest_ChecksThatExceptionIsThrownWhenInvalidActivationKeyIsGiven_VerifiesAndAssertsTheReturnedValueAndQueriesDatabase()
{
// Register User
RegistrationController registrationController = (RegistrationController)_applicationContext["RegistrationController"];
IHttpActionResult httpActionResult = registrationController.Register(new SignUpParam("*****@*****.**", "user", "123", "Pakistan",
TimeZone.CurrentTimeZone, ""));
OkNegotiatedContentResult <string> okResponseMessage =
(OkNegotiatedContentResult <string>)httpActionResult;
string activationKey = okResponseMessage.Content;
Assert.IsNotNullOrEmpty(activationKey);
// Activate Account
UserController userController = (UserController)_applicationContext["UserController"];
httpActionResult = userController.ActivateUser(new UserActivationParam("user", "123", activationKey));
OkNegotiatedContentResult <string> okResponseMessage1 =
(OkNegotiatedContentResult <string>)httpActionResult;
Assert.AreEqual(okResponseMessage1.Content, "activated");
// Login
LoginController loginController = (LoginController)_applicationContext["LoginController"];
httpActionResult = loginController.Login(new LoginParams("user", "123"));
OkNegotiatedContentResult <UserValidationEssentials> keys =
(OkNegotiatedContentResult <UserValidationEssentials>)httpActionResult;
Assert.IsNotNullOrEmpty(keys.Content.ApiKey);
Assert.IsNotNullOrEmpty(keys.Content.SecretKey);
Assert.IsNotNullOrEmpty(keys.Content.SessionLogoutTime.ToString());
// Verify that Security Keys are in the database
ISecurityKeysRepository securityKeysRepository = (ISecurityKeysRepository)_applicationContext["SecurityKeysPairRepository"];
SecurityKeysPair securityKeysPair = securityKeysRepository.GetByApiKey(keys.Content.ApiKey);
Assert.IsNotNull(securityKeysPair);
Assert.AreEqual(keys.Content.SecretKey, securityKeysPair.SecretKey);
Assert.IsTrue(securityKeysPair.SystemGenerated);
LogoutController logoutController = (LogoutController)_applicationContext["LogoutController"];
logoutController.Request = new HttpRequestMessage(HttpMethod.Get, "");
logoutController.Request.Headers.Add("Auth", "123");
IHttpActionResult logoutResult = logoutController.Logout();
BadRequestErrorMessageResult logoutOkResponse = (BadRequestErrorMessageResult)logoutResult;
Assert.IsNotNull(logoutOkResponse);
// Verify that the Security Keys are not in the database
securityKeysPair = securityKeysRepository.GetByApiKey(keys.Content.ApiKey);
Assert.IsNotNull(securityKeysPair);
Assert.AreEqual(keys.Content.SecretKey, securityKeysPair.SecretKey);
Assert.IsTrue(securityKeysPair.SystemGenerated);
}
/// <summary>
/// Apply for tier 1 verification
/// </summary>
/// <param name="command"></param>
public void ApplyForTier1Verification(VerifyTier1Command command)
{
SecurityKeysPair securityKeysPair = _securityKeysRepository.GetByApiKey(command.SystemGeneratedApiKey);
User user = _userRepository.GetUserById(securityKeysPair.UserId);
if (user.GetTierLevelStatus(new Tier(TierLevelConstant.Tier0, TierLevelConstant.Tier0)) == Status.Verified.ToString())
{
if (user.GetTierLevelStatus(new Tier(TierLevelConstant.Tier1, TierLevelConstant.Tier1)) == Status.NonVerified.ToString())
{
//add user phone number
user.UpdateTier1Information(command.FullName, command.DateOfBirth, command.PhoneNumber);
//update user tier 1 status
user.UpdateTierStatus(TierLevelConstant.Tier1, Status.Preverified);
_persistenceRepository.SaveUpdate(user);
}
else
{
throw new InvalidOperationException("Tier 1 already verified or applied for verification");
}
}
else
{
throw new InvalidOperationException("Verify Tier Level 0 First");
}
}
public void ActivateAccountFailThenSeccussfulTest_ChecksIfUserCannotLoginUntilAccountIsNotActivatedAndTriesToActivateAgainAndThenLogsIn_VerifiesByExpectingExceptionAndReturnedValue()
{
IUserApplicationService userApplicationService = (IUserApplicationService)_applicationContext["UserApplicationService"];
IRegistrationApplicationService registrationApplicationService =
(IRegistrationApplicationService)_applicationContext["RegistrationApplicationService"];
IUserRepository userRepository = (IUserRepository)_applicationContext["UserRepository"];
ILoginApplicationService loginApplicationService = (ILoginApplicationService)_applicationContext["LoginApplicationService"];
ISecurityKeysRepository securityKeysRepository = (ISecurityKeysRepository)_applicationContext["SecurityKeysPairRepository"];
string username = "******";
string email = "*****@*****.**";
string password = "******";
string activationKey = registrationApplicationService.CreateAccount(new SignupUserCommand(email, username, password, "USA", TimeZone.CurrentTimeZone, ""));
loginApplicationService.Login(new LoginCommand(username, password));
bool accountActivated = userApplicationService.ActivateAccount(new ActivationCommand(activationKey, username, password));
Assert.IsTrue(accountActivated);
User userByUserName = userRepository.GetUserByUserName(username);
Assert.IsNotNull(userByUserName);
Assert.IsTrue(userByUserName.IsActivationKeyUsed.Value);
UserValidationEssentials userValidationEssentials = loginApplicationService.Login(new LoginCommand(username, password));
Assert.IsNotNull(userValidationEssentials);
SecurityKeysPair securityKeysPair = securityKeysRepository.GetByApiKey(userValidationEssentials.ApiKey);
Assert.IsNotNull(securityKeysPair);
User receivedUser = userRepository.GetUserByUserName(username);
Assert.IsTrue(receivedUser.IsActivationKeyUsed.Value);
}
/// <summary>
/// Authenticate the user using TFA if it is subscribed for the given action
/// Returns Tuple: Item1 = Response, Item2 = Error Message
/// </summary>
/// <param name="apiKey"> </param>
/// <param name="currentAction"></param>
/// <param name="mfaCode"></param>
/// <returns></returns>
public Tuple <bool, string> AuthorizeAccess(string apiKey, string currentAction, string mfaCode)
{
SecurityKeysPair securityKeysPair = _securityKeysRepository.GetByApiKey(apiKey);
if (securityKeysPair != null)
{
// If it is a system generated api key, then we verify it from the user's view point
if (securityKeysPair.SystemGenerated)
{
int userId = securityKeysPair.UserId;
// Get user from repository
User user = _userRepository.GetUserById(userId);
return(CheckSystemGeneratedKeySubscription(user, userId, currentAction, mfaCode));
}
// If it is a user generated api key, then we verify it from the api key's view point only
else
{
return(CheckUserGeneratedKeySubscription(securityKeysPair, currentAction, mfaCode));
}
}
else
{
//throw new NullReferenceException("No SecurityKeysPair instance found for Api Key = " + apiKey);
return(new Tuple <bool, string>(false, "No SecurityKeysPair instance found for Api Key = " + apiKey));
}
}
public void CreateSecurityKeyPair_PersistAndReadFromDatabaseByApiKey_SavedAndReadInfoShouldBeSame()
{
SecurityKeysPair digitalSignatureInfo = new SecurityKeysPair("1", "123456", "secretkey", 1, DateTime.Today.AddDays(1), DateTime.Today.AddDays(-20), DateTime.Today, DateTime.Now, true, null);
_persistenceRepository.SaveUpdate(digitalSignatureInfo);
var readInfo = _securityKeysPairRepository.GetByApiKey("123456");
Assert.NotNull(readInfo);
Assert.AreEqual(readInfo.KeyDescription, "1");
Assert.AreEqual(readInfo.ApiKey, "123456");
Assert.AreEqual(readInfo.SecretKey, "secretkey");
Assert.AreEqual(readInfo.UserId, digitalSignatureInfo.UserId);
Assert.AreEqual(readInfo.SystemGenerated, digitalSignatureInfo.SystemGenerated);
Assert.AreEqual(readInfo.ExpirationDate, digitalSignatureInfo.ExpirationDate);
Assert.AreEqual(readInfo.StartDate, digitalSignatureInfo.StartDate);
Assert.AreEqual(readInfo.EndDate, digitalSignatureInfo.EndDate);
}
public void CreateSystemGeneratedSecurityPair_IfUserNameIsProvided_VerifyKeyPairIsReturnedAndPersistedSuccessfully()
{
ISecurityKeysApplicationService registrationService =
(ISecurityKeysApplicationService)_applicationContext["SecurityKeysApplicationService"];
var keys = registrationService.CreateSystemGeneratedKey(1);
Assert.NotNull(keys);
Assert.IsNotNullOrEmpty(keys.Item1.Value);
Assert.IsNotNullOrEmpty(keys.Item2.Value);
SecurityKeysPair persistedKeysPair = _securityKeysRepository.GetByApiKey(keys.Item1.Value);
Assert.NotNull(persistedKeysPair);
Assert.AreEqual(persistedKeysPair.UserId, 1);
Assert.AreEqual(persistedKeysPair.SystemGenerated, true);
Assert.AreEqual(persistedKeysPair.ApiKey, keys.Item1.Value);
Assert.AreEqual(persistedKeysPair.SecretKey, keys.Item2.Value);
Assert.IsNotNullOrEmpty(persistedKeysPair.KeyDescription);
Assert.IsNotNullOrEmpty(persistedKeysPair.CreationDateTime.ToString());
}
/// <summary>
/// Authenticates a request
/// </summary>
/// <param name="command"></param>
/// <returns></returns>
public bool Authenticate(AuthenticateCommand command)
{
if (Nonce.IsValid(command.Nonce, command.Counter))
{
SecurityKeysPair securityKeysPair = _securityKeysRepository.GetByApiKey(command.Apikey);
string computedHash = CalculateHash(command.Apikey, command.Uri, securityKeysPair.SecretKey);
if (Log.IsDebugEnabled)
{
Log.Debug("Computed Hash:" + computedHash);
Log.Debug("Received Hash:" + command.Response);
}
if (String.CompareOrdinal(computedHash, command.Response) == 0)
{
return(ApiKeyValidation(command));
}
throw new InvalidCredentialException("API, URI and Secret Key Hash not found as expected.");
}
return(false);
}
public void SecurityKeysMfaVerification_ChecksIfMfaSubscriptionsAreAddedAsExpected_VerifiesByQueryingTheDatabase()
{
IIdentityAccessPersistenceRepository persistenceRepository = (IIdentityAccessPersistenceRepository)ContextRegistry.GetContext()["IdentityAccessPersistenceRepository"];
ISecurityKeysRepository securityKeysRepository = (ISecurityKeysRepository)ContextRegistry.GetContext()["SecurityKeysPairRepository"];
IMfaSubscriptionRepository mfaSubscriptionRepository = (IMfaSubscriptionRepository)ContextRegistry.GetContext()["MfaSubscriptionRepository"];
string apiKey = "123456";
SecurityKeysPair originalPair = new SecurityKeysPair("1", apiKey, "secretkey", 1, DateTime.Today.AddDays(1), DateTime.Today.AddDays(-20), DateTime.Today, DateTime.Now, false, null);
persistenceRepository.SaveUpdate(originalPair);
SecurityKeysPair retrievedPair = securityKeysRepository.GetByApiKey(apiKey);
Assert.IsNotNull(retrievedPair);
IList <MfaSubscription> allSubscriptions = mfaSubscriptionRepository.GetAllSubscriptions();
Assert.IsNotNull(allSubscriptions);
Assert.AreEqual(5, allSubscriptions.Count);
Assert.AreEqual("CancelOrder", allSubscriptions[0].MfaSubscriptionName);
Assert.AreEqual("Deposit", allSubscriptions[1].MfaSubscriptionName);
Assert.AreEqual("Login", allSubscriptions[2].MfaSubscriptionName);
Assert.AreEqual("PlaceOrder", allSubscriptions[3].MfaSubscriptionName);
Assert.AreEqual("Withdraw", allSubscriptions[4].MfaSubscriptionName);
IList <Tuple <string, string, bool> > subscriptionsStringList = new List <Tuple <string, string, bool> >();
foreach (var subscription in allSubscriptions)
{
subscriptionsStringList.Add(new Tuple <string, string, bool>(subscription.MfaSubscriptionId,
subscription.MfaSubscriptionName, true));
}
retrievedPair.AssignMfaSubscriptions(subscriptionsStringList);
persistenceRepository.SaveUpdate(retrievedPair);
retrievedPair = securityKeysRepository.GetByApiKey(apiKey);
Assert.IsNotNull(retrievedPair);
}
public void LogoutSuccessTest_TestsIfAUserGetsLogoutAsExpected_FailsIfDoesNot()
{
ILoginApplicationService loginApplicationService = (ILoginApplicationService)_applicationContext["LoginApplicationService"];
Assert.IsNotNull(loginApplicationService);
IRegistrationApplicationService registrationService = (IRegistrationApplicationService)_applicationContext["RegistrationApplicationService"];;
// Register
string username = "******";
string password = "******";
string activationKey = registrationService.CreateAccount(new SignupUserCommand(
"*****@*****.**", username, password, "Wonderland", TimeZone.CurrentTimeZone, ""));
Assert.IsNotNull(activationKey);
IUserApplicationService userApplicationService = (IUserApplicationService)_applicationContext["UserApplicationService"];
IUserRepository userRepository = (IUserRepository)_applicationContext["UserRepository"];
// Activate account
bool accountActivated = userApplicationService.ActivateAccount(new ActivationCommand(activationKey, username, password));
Assert.IsTrue(accountActivated);
User userByUserName = userRepository.GetUserByUserName(username);
Assert.IsNotNull(userByUserName);
Assert.IsTrue(userByUserName.IsActivationKeyUsed.Value);
// Login
UserValidationEssentials userValidationEssentials = loginApplicationService.Login(new LoginCommand(username, password));
Assert.IsNotNull(userValidationEssentials);
Assert.IsNotNull(userValidationEssentials.ApiKey);
Assert.IsNotNull(userValidationEssentials.SecretKey);
Assert.IsNotNull(userValidationEssentials.SessionLogoutTime);
// Logout
ILogoutApplicationService logoutApplicationService =
(ILogoutApplicationService)_applicationContext["LogoutApplicationService"];
Assert.IsNotNull(logoutApplicationService);
bool logout = logoutApplicationService.Logout(new LogoutCommand(userValidationEssentials.ApiKey));
Assert.IsTrue(logout);
ISecurityKeysRepository securityKeysRepository = (ISecurityKeysRepository)_applicationContext["SecurityKeysPairRepository"];
SecurityKeysPair securityKeysPair = securityKeysRepository.GetByApiKey(userValidationEssentials.ApiKey);
Assert.IsNull(securityKeysPair);
}
public void LoginSuccessfulAndCheckSecurityKeysPairTest_ChecksIfAfterUserLoginSecurityPairsValuesAreAsExpected_ChecksByGettingSecurityKeysFromRepo()
{
ILoginApplicationService loginApplicationService = (ILoginApplicationService)_applicationContext["LoginApplicationService"];
Assert.IsNotNull(loginApplicationService);
IRegistrationApplicationService registrationService = (IRegistrationApplicationService)_applicationContext["RegistrationApplicationService"];
IUserRepository userRepository = (IUserRepository)_applicationContext["UserRepository"];
ISecurityKeysRepository securityKeysRepository = (ISecurityKeysRepository)_applicationContext["SecurityKeysPairRepository"];
string username = "******";
string email = "*****@*****.**";
string password = "******";
string activationKey = registrationService.CreateAccount(new SignupUserCommand(
email, username, password, "Wonderland", TimeZone.CurrentTimeZone, ""));
Assert.IsNotNull(activationKey);
IUserApplicationService userApplicationService = (IUserApplicationService)_applicationContext["UserApplicationService"];
bool accountActivated = userApplicationService.ActivateAccount(new ActivationCommand(activationKey, "Bob", "alice"));
Assert.IsTrue(accountActivated);
UserValidationEssentials userValidationEssentials = loginApplicationService.Login(new LoginCommand(
username, password));
Assert.IsNotNull(userValidationEssentials);
Assert.IsNotNull(userValidationEssentials.ApiKey);
Assert.IsNotNull(userValidationEssentials.SecretKey);
Assert.IsNotNull(userValidationEssentials.SessionLogoutTime);
User user = userRepository.GetUserByUserName(username);
Assert.IsNotNull(user);
// Check that the user logged in this same minute and date, as we cannot check the seconds exactly
Assert.AreEqual(user.LastLogin.Date, DateTime.Today.Date);
Assert.AreEqual(user.LastLogin.Hour, DateTime.Now.Hour);
Assert.AreEqual(user.LastLogin.Minute, DateTime.Now.Minute);
Assert.AreEqual(userValidationEssentials.SessionLogoutTime, user.AutoLogout);
SecurityKeysPair securityKeysPair = securityKeysRepository.GetByApiKey(userValidationEssentials.ApiKey);
Assert.IsNotNull(securityKeysPair);
Assert.AreEqual(userValidationEssentials.SecretKey, securityKeysPair.SecretKey);
}
/// <summary>
/// Request to change Password
/// </summary>
/// <param name="changePasswordCommand"> </param>
/// <returns></returns>
public ChangePasswordResponse ChangePassword(ChangePasswordCommand changePasswordCommand)
{
// Get the SecurityKeyspair instance related to this API Key
SecurityKeysPair securityKeysPair = _securityKeysRepository.GetByApiKey(changePasswordCommand.ApiKey.Value);
// See if the SecurityKeysPair instance exists for this API Key
if (securityKeysPair != null)
{
// Get the User by specifying the Username in the SecurityKeysPair instance
User user = _userRepository.GetUserById(securityKeysPair.UserId);
if (user != null)
{
//// Make sure the session has not expired
//if (securityKeysPair.CreationDateTime.Add(user.AutoLogout) > DateTime.Now)
//{
// Check if the old password is the same as new one
if (_passwordEncryptionService.VerifyPassword(changePasswordCommand.OldPassword,
user.Password))
{
// Create new password and save for the user in the database
string newEncryptedPassword =
_passwordEncryptionService.EncryptPassword(changePasswordCommand.NewPassword);
user.Password = newEncryptedPassword;
_persistenceRepository.SaveUpdate(user);
_emailService.SendPasswordChangedEmail(user.Email, user.Username, user.AdminEmailsSubscribed);
return(new ChangePasswordResponse(true, "Password Change Successful"));
}
else
{
throw new InvalidCredentialException(string.Format("Current password incorrect."));
}
//}
//else
//{
// _securityKeysRepository.DeleteSecurityKeysPair(securityKeysPair);
// throw new InvalidOperationException("Session Timeout expired for this API Key.");
//}
}
else
{
throw new InstanceNotFoundException("User not found for the given SecurityKeysPair's Username.");
}
}
else
{
throw new InstanceNotFoundException("SecurityKeysPair not found for the given API Key");
}
}
/// <summary>
/// Logs the user out
/// </summary>
/// <returns></returns>
public bool Logout(LogoutCommand logoutCommand)
{
if (logoutCommand.ApiKey != null &&
!string.IsNullOrEmpty(logoutCommand.ApiKey.Value))
{
SecurityKeysPair securityKeysPair =
_securityKeysRepository.GetByApiKey(logoutCommand.ApiKey.Value);
if (securityKeysPair != null)
{
return(_securityKeysRepository.DeleteSecurityKeysPair(securityKeysPair));
}
else
{
throw new InstanceNotFoundException("No SecurityKeysPair found for the given API key.");
}
}
else
{
throw new InvalidCredentialException("Invalid or Incomplete Logout Credentials");
}
}
/// <summary>
/// create new key pair user generated
/// </summary>
/// <param name="command"></param>
/// <param name="apiKey"></param>
/// <returns></returns>
public SecurityKeyPair CreateUserGeneratedKey(CreateUserGeneratedSecurityKeyPair command, string apiKey)
{
if (command.Validate())
{
//get security key pair for user name
var getSecurityKeyPair = _securityKeysRepository.GetByApiKey(apiKey);
if (getSecurityKeyPair == null)
{
throw new ArgumentException("Invalid api key");
}
var keys = _securityKeysGenerationService.GenerateNewSecurityKeys();
List <SecurityKeysPermission> permissions = new List <SecurityKeysPermission>();
SecurityKeyPermissionsRepresentation[] securityKeyPermissionsRepresentations = this.GetPermissions();
foreach (SecurityKeyPermissionsRepresentation securityKeyPermissionsRepresentation in securityKeyPermissionsRepresentations)
{
// Check which permissions have been sent from the frontend that must be included with this User Generated Key
if (command.SecurityKeyPermissions.Contains(securityKeyPermissionsRepresentation.Permission.PermissionId))
{
securityKeyPermissionsRepresentation.Allowed = true;
}
}
for (int i = 0; i < securityKeyPermissionsRepresentations.Length; i++)
{
permissions.Add(new SecurityKeysPermission(keys.Item1, securityKeyPermissionsRepresentations[i].Permission,
securityKeyPermissionsRepresentations[i].Allowed));
}
var keysPair = SecurityKeysPairFactory.UserGeneratedSecurityPair(getSecurityKeyPair.UserId,
command.KeyDescription,
keys.Item1, keys.Item2, command.EnableExpirationDate, command.ExpirationDateTime,
command.EnableStartDate, command.StartDateTime, command.EnableEndDate, command.EndDateTime,
permissions,
_securityKeysRepository);
_persistRepository.SaveUpdate(keysPair);
return(new SecurityKeyPair(keys.Item1, keys.Item2));
}
throw new InvalidOperationException("Please assign atleast one permission.");
}
