        }                                         // decrypted user

        public UserControllerIntegrationTest(WebApplicationFactory <SafeAccountsAPI.Startup> fixture)
        {
            _client = fixture.CreateClient();

            // configuration plus a direct EF context onto the same local database the API under test uses
            _config  = new ConfigurationBuilder().AddJsonFile("appsettings.Development.json").Build();
            _context = new APIContext(new DbContextOptions <APIContext>(), _config);

            // every request carries the development-only ApiKey header (it is not valid against the hosted API).
            // NOTE(review): this literal is a signed JWT whose payload decodes to an "exp" claim and a localhost
            // issuer/audience, so once that instant passes every test in this fixture will start failing with 401;
            // reading it from appsettings.Development.json would keep the secret out of source and make rotation trivial.
            const string developmentApiKey = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiYXBpX2tleSIsImV4cCI6MTY1MzkxODQyNiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIn0.ZBagEGyp7dJBozJ7HoQ8nZVNpK-h-rzjXL9SmEvIYgA";
            _client.DefaultRequestHeaders.Add("ApiKey", developmentApiKey);

            // a single key/IV pair encrypts every user's base data, so the test user is found by encrypting
            // the search address with it and comparing ciphertext bytes
            string   encryptionKey = _config.GetValue <string>("UserEncryptionKey");
            string   encryptionIv  = _config.GetValue <string>("UserEncryptionIV");
            string[] keyAndIV      = { encryptionKey, encryptionIv };

            byte[] encryptedEmail = HelperMethods.EncryptStringToBytes_Aes("*****@*****.**", keyAndIV);
            _testUser    = _context.Users.Single(a => a.Email.SequenceEqual(encryptedEmail));
            _retTestUser = new ReturnableUser(_testUser, keyAndIV); // decrypted view of the same row

            // the API expects its keys file in the working directory; copy it from the API project when missing
            if (File.Exists(HelperMethods.keys_file))
            {
                return;
            }

            string sourceKeysFile = "../../../../SafeAccountsAPI/" + HelperMethods.keys_file;
            string destKeysFile   = System.IO.Path.Combine(Directory.GetCurrentDirectory(), HelperMethods.keys_file);
            System.IO.File.Copy(sourceKeysFile, destKeysFile, true);
        }
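        public async Task GET_Should_Retrieve_User_information()
        {
            /*
             * HttpGet("users/{id}")
             * Get the user information and validate that what is returned is as expected.
             * Authenticates with the fixture's pre-generated access token in the "AccessToken" header
             * and compares the decrypted response fields against the decrypted test user.
             */

            using (var requestMessage = new HttpRequestMessage(HttpMethod.Get, _client.BaseAddress + "users/" + _testUser.ID))
            {
                // add the access-token header (a header, not a cookie, in this API version), make the request and validate the status code
                requestMessage.Headers.Add("AccessToken", _accessToken);

                // HttpResponseMessage is IDisposable; dispose it with the request
                using (var response = await _client.SendAsync(requestMessage))
                {
                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);

                    // await the body instead of blocking on .Result: sync-over-async inside an async test can
                    // deadlock or starve the pool, and it wraps any failure in an AggregateException
                    string json = await response.Content.ReadAsStringAsync();
                    ReturnableUser returnedUser = JsonConvert.DeserializeObject <ReturnableUser>(json);

                    // check that the returned user is the user we were expecting.. checking for the correct hex strings
                    Assert.Equal(_retTestUser.ID, returnedUser.ID);
                    Assert.Equal(_retTestUser.Email, returnedUser.Email);
                    Assert.Equal(_retTestUser.Role, returnedUser.Role);
                    Assert.Equal(_retTestUser.First_Name, returnedUser.First_Name);
                    Assert.Equal(_retTestUser.Last_Name, returnedUser.Last_Name);
                }
            }
        }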
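        public async Task GET_Should_Retrieve_User_information()
        {
            /*
             * HttpGet("users/{id}")
             * Get the user information and validate that what is returned is as expected.
             * Mints an access token for the test user with the development signing key from
             * configuration and presents it in the AccessToken cookie.
             */

            using (var requestMessage = new HttpRequestMessage(HttpMethod.Get, _client.BaseAddress + "users/" + _testUser.ID))
            {
                // generate access code and set header; the token is signed with UserJwtTokenKey from appsettings.Development.json,
                // so this fixture can act as any user id -- acceptable only because that key is a development secret
                string accessToken = HelperMethods.GenerateJWTAccessToken(_testUser.ID, _config["UserJwtTokenKey"]);
                string cookie      = "AccessToken=" + accessToken;
                requestMessage.Headers.Add("Cookie", cookie);

                // make request and validate status code; the response is IDisposable as well
                using (var response = await _client.SendAsync(requestMessage))
                {
                    Assert.Equal(HttpStatusCode.OK, response.StatusCode);

                    // await the body rather than blocking on .Result inside an async test (deadlock/starvation risk,
                    // and failures would surface as AggregateException)
                    string json = await response.Content.ReadAsStringAsync();
                    ReturnableUser returnedUser = JsonConvert.DeserializeObject <ReturnableUser>(json);

                    // check that the returned user is the user we were expecting
                    Assert.Equal(_retTestUser.ID, returnedUser.ID);
                    Assert.Equal(_retTestUser.Email, returnedUser.Email);
                    Assert.Equal(_retTestUser.Role, returnedUser.Role);
                    Assert.Equal(_retTestUser.First_Name, returnedUser.First_Name);
                    Assert.Equal(_retTestUser.Last_Name, returnedUser.Last_Name);
                }
            }
        }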
        [HttpGet] //working
        public IActionResult GetAllUsers()
        {
            try
            {
                // admin-only endpoint: reject before the user table is touched
                if (!HelperMethods.ValidateIsAdmin(_httpContextAccessor))
                {
                    // NOTE(review): a role failure for an authenticated caller is semantically 403 Forbidden;
                    // 401 is kept because the sibling endpoints in this controller report authorization failures the same way
                    var denied = new ErrorMessage("Invalid Role", "Caller must have admin role.");
                    return(new UnauthorizedObjectResult(denied));
                }

                // ReturnableUser is the outbound view that drops the private fields, so the raw entity never reaches the wire
                List <ReturnableUser> users = _context.Users
                                              .ToArray()
                                              .Select(user => new ReturnableUser(user))
                                              .ToList();

                return(new OkObjectResult(users));
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is echoed to the caller; EF/database exceptions can carry connection or
                // schema details, so consider logging the exception server-side and returning a generic message instead
                var failure = new ErrorMessage("Error retrieving users.", ex.Message);
                return(new InternalServerErrorResult(failure));
            }
        }
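        public JsonResult OnPost()
        {
            // nothing to look up yet; report it in the envelope the client already parses
            if (!_context.User.Any())
            {
                var returnable = new ReturnableUser("", "", "", "", "No users in Database.");
                return(new JsonResult(returnable));
            }

            string username = Request.Form["username"];

            // NOTE(review): the form also carries "passwordHash", but this handler never verifies it -- it only
            // hands back the stored salt for the requested username. Any caller can therefore fetch any user's
            // salt, and the distinct "not found" reply confirms whether a username exists (enumeration).

            // FirstOrDefault instead of First() inside a catch-all: a missing user is an expected outcome, not an
            // exception, and the catch-all also masked genuine database errors as "not found"
            User userObj = _context.User.FirstOrDefault(x => x.UserName == username);
            if (userObj == null)
            {
                // the error payload used to carry the defaults of a fresh User (its UserName/Salt); keep that shape
                User blank = new User();
                var returnableError = new ReturnableUser(blank.UserName, blank.Salt, "", "", "Username or password not found");
                return(new JsonResult(returnableError));
            }

            string is_observing = userObj.IsObserver;
            string group_name   = _context.Group.First(x => x.ID == userObj.GroupID).Name; // still throws if the group row is missing (unchanged)

            var returnableUser = new ReturnableUser(userObj.UserName, userObj.Salt, is_observing, group_name, string.Empty);

            return(new JsonResult(returnableUser));
        }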
        //[BindProperty]
        //public User createUser { get; set; }

        // To protect from overposting attacks, enable the specific properties you want to bind to, for
        // more details, see https://aka.ms/RazorPagesCRUD.
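        public JsonResult OnPost()
        {
            // .First() throws when the field is absent: username, hash and salt are mandatory
            string username     = Request.Form["username"].First();
            string passwordHash = Request.Form["passwordHash"].First();
            string salt         = Request.Form["salt"].First();
            string group_name   = Request.Form["group_name"];
            string is_observer  = Request.Form["is_observer"];

            // NOTE(review): the password hash and salt are chosen by the client and stored verbatim -- no server-side
            // KDF runs here, so a leaked row is a password-equivalent credential. Confirm client-side hashing is the
            // intended design before relying on it.

            // reuse the existing group or prepare a new one. A single FirstOrDefault replaces the
            // Count()/Any()/First() trio, which issued three queries for one answer. Presumably EF inserts a
            // new Group through the navigation property when the user is saved; if the username is taken it is never persisted.
            Group group = _context.Group.FirstOrDefault(x => x.Name == group_name)
                          ?? new Group { Name = group_name };

            string error = "";

            if (_context.User.Any(x => x.UserName == username))
            {
                error = "Username already exists.";
            }
            else
            {
                User createdUser = new User
                {
                    UserName     = username,
                    PasswordHash = passwordHash,
                    Salt         = salt,
                    IsObserver   = is_observer,
                    GroupID      = group.ID,
                    Group        = group
                };
                _context.User.Add(createdUser);
                _context.SaveChanges();
            }

            // the client only inspects the error field of this envelope
            var returnableUser = new ReturnableUser("", "", "", "", error);

            return(new JsonResult(returnableUser));
        }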
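        public IActionResult User_GetUser(int id)
        {
            // authorization first: the caller must be an admin or be asking for their own record,
            // so a non-admin never learns whether some other id exists
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return(new UnauthorizedObjectResult(error));
            }

            // SingleOrDefault: an unknown id used to escape Single() as an unhandled exception (HTTP 500); answer 404 instead
            User user = _context.Users.SingleOrDefault(a => a.ID == id);
            if (user == null)
            {
                ErrorMessage error = new ErrorMessage("User Not Found", "No user with the given id.");
                return(new NotFoundObjectResult(error));
            }

            // ReturnableUser decrypts the base data with the shared key and strips out private data that is never to be sent back
            ReturnableUser retUser = new ReturnableUser(user, _keyAndIV);

            return(new OkObjectResult(retUser));
        }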
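        [HttpGet("{id:int}")]         // working
        public string User_GetUser(int id)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            // an unknown id used to throw out of Single() (HTTP 500 / exception page); answer 404 with the usual error envelope.
            // Only an admin or the owner reaches this point, so the 404 reveals nothing to other callers.
            User user = _context.Users.SingleOrDefault(a => a.ID == id);
            if (user == null)
            {
                Response.StatusCode = 404;
                return(JObject.FromObject(new ErrorMessage("User Not Found", "id accessed: " + id.ToString(), "No user with the given id.")).ToString());
            }

            //format response
            JObject        message = JObject.Parse(SuccessMessage._result);
            ReturnableUser retUser = new ReturnableUser(user);             // strips out private data that is never to be sent back

            message.Add(new JProperty("user", JToken.FromObject(retUser)));
            return(message.ToString());
        }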
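        /// <summary>
        /// Saves a time entry posted from the form ("name", "StartTime", "EndTime", "Description") to the database.
        /// </summary>
        /// <returns>
        /// A <see cref="ReturnableUser"/> envelope whose error field is empty on success, or names the problem
        /// (unparseable dates, unknown user) when nothing was saved.
        /// </returns>
        /// <remarks>
        /// NOTE(review): no authentication or authorization check is visible in this handler -- the "name" form
        /// field alone decides which user the entry is logged against. Confirm the page is protected elsewhere.
        /// </remarks>
        public JsonResult OnPostSubmitTime()
        {
            // TryParse keeps DateTime.Parse's current-culture rules without the exception on bad input.
            // Previously a parse failure was reported to the client but the entry was still saved with
            // default (0001-01-01) timestamps.
            if (!DateTime.TryParse(Request.Form["StartTime"].First(), out DateTime tempStartTime) ||
                !DateTime.TryParse(Request.Form["EndTime"].First(), out DateTime tempEndTime))
            {
                Console.WriteLine("Unable to parse the specified date");
                return(new JsonResult(new ReturnableUser("", "", "", "", "Unable to parse the specified date")));
            }

            // one query for the user instead of re-reading the whole table on every loop iteration
            string name = Request.Form["name"].First();
            User   user = _context.User.FirstOrDefault(x => x.UserName == name);
            if (user == null)
            {
                // previously an unknown name silently charged the entry to whichever user came first in the table
                return(new JsonResult(new ReturnableUser("", "", "", "", "User not found")));
            }

            TimeLog newTimeEntry = new TimeLog
            {
                StarTime    = tempStartTime, // property is spelled this way on TimeLog
                EndTime     = tempEndTime,
                UserID      = user.ID,
                User        = user,
                Description = Request.Form["Description"].First()
            };

            _context.TimeLog.Add(newTimeEntry);
            _context.SaveChanges();

            return(new JsonResult(new ReturnableUser("", "", "", "", "")));
        }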
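        public IActionResult GetAllUsers()
        {
            // the caller's id comes from the Actor claim of the presented token. A missing or malformed claim used
            // to throw (NullReferenceException / FormatException, surfacing as a 500) instead of being rejected.
            string actorClaim = _httpContextAccessor.HttpContext?.User?.FindFirst(ClaimTypes.Actor)?.Value;
            if (!int.TryParse(actorClaim, out int callerId) ||
                !HelperMethods.ValidateIsAdmin(_context, callerId, _keyAndIV))
            {
                // NOTE(review): 401 matches the sibling endpoints; 403 Forbidden would be the more precise code for a role failure
                ErrorMessage error = new ErrorMessage("Invalid Role", "Caller must have admin role.");
                return(new UnauthorizedObjectResult(error));
            }

            // decrypt each user's base data with the shared key; ReturnableUser drops the private fields
            List <ReturnableUser> users = _context.Users
                                          .ToArray()
                                          .Select(user => new ReturnableUser(user, _keyAndIV))
                                          .ToList();

            return(new OkObjectResult(users));
        }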
        [HttpGet]         //working
        public string GetAllUsers()
        {
            // admin only; authorization failures are reported as 401 with the controller's JSON error envelope
            if (!HelperMethods.ValidateIsAdmin(_httpContextAccessor))
            {
                Response.StatusCode = 401;
                var denied = new ErrorMessage("Invalid Role", "n/a", "Caller must have admin role.");                // n/a for no args there
                return(JObject.FromObject(denied).ToString());
            }

            // build the success envelope and attach every user, with private data stripped by ReturnableUser
            JObject message = JObject.Parse(SuccessMessage._result);
            JArray  users   = new JArray();

            User[] allUsers = _context.Users.ToArray();
            for (int i = 0; i < allUsers.Length; i++)
            {
                users.Add(JToken.FromObject(new ReturnableUser(allUsers[i])));
            }

            message.Add(new JProperty("users", users));
            return(message.ToString());
        }
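        /// <summary>
        /// Emails the newly registered user a confirmation link carrying a signed email-confirmation token.
        /// </summary>
        /// <param name="user">The stored (encrypted) user; decrypted here with the shared key to obtain name and address.</param>
        /// <remarks>TODO Move this to the helpers</remarks>
        private void SendConfirmationEmail(User user)
        {
            ReturnableUser retUser = new ReturnableUser(user, _keyAndIV); // decrypt user data

            // generate token, signed with the dedicated EmailConfirmationTokenKey rather than the access-token key
            string token = HelperMethods.GenerateJWTEmailConfirmationToken(retUser.ID, _configuration.GetValue <string>("EmailConfirmationTokenKey"));

            // SmtpClient and MailMessage are IDisposable; release them even if Send throws
            using (var smtpClient = new SmtpClient(_configuration.GetValue <string>("Smtp:Host"))
            {
                Port        = int.Parse(_configuration.GetValue <string>("Smtp:Port")),
                Credentials = new NetworkCredential(_configuration.GetValue <string>("Smtp:Username"), _configuration.GetValue <string>("Smtp:Password")),
                EnableSsl   = true,
            })
            using (var mailMessage = new MailMessage())
            {
                // query-string values must be URL-encoded: an unescaped '+' in an address is decoded as a space and
                // '&' or '#' would truncate the link, so confirmation failed for perfectly valid addresses
                string confirmUrl = _configuration.GetValue <string>("WebsiteUrl") + "emailconfirmation/?token="
                                    + Uri.EscapeDataString(token ?? string.Empty)
                                    + "&email=" + Uri.EscapeDataString(retUser.Email ?? string.Empty);

                // format the body of the message (plain text, so the user's name needs no HTML escaping)
                string body = "Hello " + retUser.First_Name + ",\n\n";

                body += "A new account has been registered with SafeAccounts using your email address.\n\n";
                body += "To confirm your new account, please go to this web address:\n\n";
                body += confirmUrl;
                body += "\n\nThis should appear as a blue link which you can just click on. If that doesn't work,";
                body += "then cut and paste the address into the address line at the top of your web browser window.\n\n";
                body += "If you need help, please contact the site administrator.\n\n";
                body += "SafeAccounts Administrator,\n";
                body += _configuration.GetValue <string>("Smtp:Username");

                // message settings
                mailMessage.From       = new MailAddress(_configuration.GetValue <string>("Smtp:Username"));
                mailMessage.Subject    = "Confirm Your SafeAccounts Registration";
                mailMessage.Body       = body;
                mailMessage.IsBodyHtml = false;
                mailMessage.To.Add(retUser.Email);

                // send message
                smtpClient.Send(mailMessage);
            }
        }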
        }                                       // encryption key and iv used for all users base data,, this key cannot unluck user stored passwords/accounts

        public UserControllerIntegrationTest(WebApplicationFactory <SafeAccountsAPI.Startup> fixture)
        {
            _client = fixture.CreateClient();

            // configuration plus a direct EF context onto the same local database the API under test uses
            _config  = new ConfigurationBuilder().AddJsonFile("appsettings.Development.json").Build();
            _context = new APIContext(new DbContextOptions <APIContext>(), _config);

            // every request carries the development-only ApiKey header (it is not valid against the hosted API).
            // NOTE(review): this literal is a signed JWT whose payload decodes to an "exp" claim and a localhost
            // issuer/audience, so once that instant passes every test in this fixture will fail with 401;
            // reading it from appsettings.Development.json alongside the other dev secrets would make rotation a config change.
            const string developmentApiKey = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiYXBpX2tleSIsImV4cCI6MTY2Mjk4NzA4MywiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNjYiLCJhdWQiOiJodHRwczovL2xvY2FsaG9zdDo0NDM2NiJ9.NUf-fL3g72Z8XqihXJIuaG_z8_NEHmSwckb94VgVK3Q";
            _client.DefaultRequestHeaders.Add("ApiKey", developmentApiKey);

            // a single key/IV pair encrypts every user's base data (it cannot unlock stored passwords/accounts),
            // so the test user is located by encrypting the search address and comparing ciphertext bytes
            string encryptionKey = _config.GetValue <string>("UserEncryptionKey");
            string encryptionIv  = _config.GetValue <string>("UserEncryptionIV");
            _keyAndIv = new string[] { encryptionKey, encryptionIv };

            byte[] encryptedEmail = HelperMethods.EncryptStringToBytes_Aes("*****@*****.**", _keyAndIv);
            _testUser    = _context.Users.Single(a => a.Email.SequenceEqual(encryptedEmail)); // encrypted user
            _retTestUser = new ReturnableUser(_testUser, _keyAndIv);                          // decrypted user

            // credentials for endpoints that require a logged-in user: an access token minted with the development
            // signing key (so this fixture can act as the test user), and a refresh token -- GenerateRefreshToken
            // receives the context, so presumably it persists the token for that user
            string signingKey = _config["UserJwtTokenKey"];
            string apiUrl     = _config.GetValue <string>("ApiUrl");
            _accessToken  = HelperMethods.GenerateJWTAccessToken(_testUser.ID, signingKey, apiUrl);

            RefreshToken storedRefresh = HelperMethods.GenerateRefreshToken(_testUser, _context, _keyAndIv);
            _refreshToken = new ReturnableRefreshToken(storedRefresh, _keyAndIv).Token;
        }