public ActionResult <string> Webhooks(NotificationRequest notificationRequest)
{
var hmacValidator = new HmacValidator();
_logger.LogInformation($"Webhook received::\n{notificationRequest}\n");
foreach (NotificationRequestItemContainer container in notificationRequest.NotificationItemContainers)
{
// We recommend to activate HMAC validation in the webhooks for security reasons
//try
//{
//if (hmacValidator.IsValidHmac(container.NotificationItem, _hmac_key))
//{
_logger.LogInformation($"Received webhook with event::\n" +
$"Merchant Reference ::{container.NotificationItem.MerchantReference} \n" +
$"PSP Reference ::{container.NotificationItem.PspReference} \n"
);
// }
// else
// {
// _logger.LogError($"Error while validating HMAC Key");
// }
//}
//catch (Exception e)
//{
// _logger.LogError($"Error while calculating HMAC signature::\n{e}\n");
// throw;
//}
}
return("[accepted]");
}
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
{
return;
}
IHmacConfiguration configuration = _configurationManager.Get("Example");
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
IHmacValidator validator = new HmacValidator(configuration, signer);
HmacValidationResult result = validator.ValidateHttpRequest(filterContext.HttpContext.Request);
if (result.ResultCode == HmacValidationResultCode.Ok)
{
return;
}
HttpResponseBase response = filterContext.HttpContext.Response;
validator.AddWwwAuthenticateHeader(response, configuration.AuthorizationScheme);
response.Headers.Add("X-Auth-ErrorCode", result.ResultCode.ToString());
response.StatusCode = (int)HttpStatusCode.Unauthorized;
response.Write(result.ErrorMessage);
response.End();
}
public void TestNotificationRequestItemHmac()
{
string key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00";
var expectedSign = "ipnxGCaUZ4l8TUW75a71/ghd2Fe5ffvX0pV4TLTntIc=";
var additionalData = new Dictionary <string, string>
{
{ Constants.AdditionalData.HmacSignature, expectedSign }
};
var notificationRequestItem = new NotificationRequestItem
{
PspReference = "pspReference",
OriginalReference = "originalReference",
MerchantAccountCode = "merchantAccount",
MerchantReference = "reference",
Amount = new Model.Amount("EUR", 1000),
EventCode = "EVENT",
Success = true,
AdditionalData = additionalData
};
var hmacValidator = new HmacValidator();
var data = hmacValidator.GetDataToSign(notificationRequestItem);
Assert.AreEqual("pspReference:originalReference:merchantAccount:reference:1000:EUR:EVENT:true", data);
var encrypted = hmacValidator.CalculateHmac(notificationRequestItem, key);
Assert.AreEqual(expectedSign, encrypted);
notificationRequestItem.AdditionalData[Constants.AdditionalData.HmacSignature] = expectedSign;
Assert.IsTrue(hmacValidator.IsValidHmac(notificationRequestItem, key));
notificationRequestItem.AdditionalData[Constants.AdditionalData.HmacSignature] = "notValidSign";
Assert.IsFalse(hmacValidator.IsValidHmac(notificationRequestItem, key));
}
public void ShouldFailValidationDueToMissingDate()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3);
string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
HttpRequestBase request = CreateRequest(dateString);
HmacSignatureData signatureData = signer.GetSignatureDataFromHttpRequest(request);
string signature = signer.CreateSignature(signatureData);
request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format(
HmacConstants.AuthorizationHeaderFormat,
configuration.AuthorizationScheme,
signature);
request.Headers.Remove(HmacConstants.DateHeaderName);
// Act
HmacValidationResult result = validator.ValidateHttpRequest(request);
// Assert
Assert.IsNotNull(result);
Assert.IsNotNull(result.ErrorMessage);
Assert.AreEqual(result.ResultCode, HmacValidationResultCode.DateMissing);
}
public void ShouldFailToValidateContentMd5()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
const string incorrectBody = Body + "Modified";
byte[] incorrectBodyBytes = Encoding.UTF8.GetBytes(incorrectBody);
Stream incorrectBodyStream = new MemoryStream(incorrectBodyBytes);
// Act
bool stringIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBody, Encoding.UTF8);
bool stringIsValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBody, Encoding.UTF8);
bool bytesAreValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBodyBytes);
bool bytesAreValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBodyBytes);
bool streamIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, incorrectBodyStream);
bool streamIsValidByteArray = validator.IsValidContentMd5(_md5Hash, incorrectBodyStream);
incorrectBodyStream.Dispose();
// Assert
Assert.IsFalse(stringIsValidBase64);
Assert.IsFalse(stringIsValidByteArray);
Assert.IsFalse(bytesAreValidBase64);
Assert.IsFalse(bytesAreValidByteArray);
Assert.IsFalse(streamIsValidBase64);
Assert.IsFalse(streamIsValidByteArray);
}
public void ShouldFailValidationDueToMissingKey()
{
// Arrange
Mock <IHmacKeyRepository> mockKeyRepo = new Mock <IHmacKeyRepository>();
mockKeyRepo.Setup(r => r.GetHmacKeyForUsername(It.IsAny <string>())).Returns((string)null);
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, mockKeyRepo.Object);
HmacValidator validator = new HmacValidator(configuration, signer);
DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3);
string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
HttpRequestBase request = CreateRequest(dateString);
HmacSignatureData signatureData = signer.GetSignatureDataFromHttpRequest(request);
signatureData.Key = "TestKey";
string signature = signer.CreateSignature(signatureData);
request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format(
HmacConstants.AuthorizationHeaderFormat,
configuration.AuthorizationScheme,
signature);
// Act
HmacValidationResult result = validator.ValidateHttpRequest(request);
// Assert
Assert.IsNotNull(result);
Assert.IsNotNull(result.ErrorMessage);
Assert.AreEqual(result.ResultCode, HmacValidationResultCode.KeyMissing);
}
public IActionResult GenerateSignature([FromQuery] GenerateSignatureRequest request)
{
var hmacValidator = new HmacValidator();
var stringToSign = hmacValidator.BuildSigningString(GetDictonaryFromRequest(request));
var signature = hmacValidator.CalculateSignature(stringToSign, request.SigningKey);
return(Ok(signature));
}
public void TestHmac()
{
var data = "countryCode:currencyCode:merchantAccount:merchantReference:paymentAmount:sessionValidity:skinCode:NL:EUR:MagentoMerchantTest2:TEST-PAYMENT-2017-02-01-14\\:02\\:05:199:2017-02-02T14\\:02\\:05+01\\:00:PKz2KML1";
var key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00";
var hmacValidator = new HmacValidator();
var ecnrypted = hmacValidator.CalculateHmac(data, key);
Assert.IsTrue(string.Equals(ecnrypted, "34oR8T1whkQWTv9P+SzKyp8zhusf9n0dpqrm9nsqSJs="));
}
public Dictionary <string, string> GetPostParametersFromDlRequest(DirectoryLookupRequest request)
{
var config = this.Client.Config;
var postParameters = new Dictionary <string, string>
{
{ Fields.CurrencyCode, request.CurrencyCode },
{ Fields.MerchantReference, request.MerchantReference },
{ Fields.SessionValidity, request.SessionValidity },
{ Fields.CountryCode, request.CountryCode }
};
if (!string.IsNullOrEmpty(request.MerchantAccount))
{
postParameters.Add(Fields.MerchantAccount, request.MerchantAccount);
}
else
{
postParameters.Add(Fields.MerchantAccount, config.MerchantAccount);
}
postParameters.Add(Fields.PaymentAmount, request.PaymentAmount);
if (!string.IsNullOrEmpty(request.SkinCode))
{
postParameters.Add(Fields.SkinCode, request.SkinCode);
}
else
{
postParameters.Add(Fields.SkinCode, config.SkinCode);
}
var hmacValidator = new HmacValidator();
var dataToSign = hmacValidator.BuildSigningString(postParameters);
string hmacKey;
if (!string.IsNullOrEmpty(request.HmacKey))
{
hmacKey = request.HmacKey;
}
else
{
hmacKey = config.HmacKey;
}
var merchantSig = hmacValidator.CalculateHmac(dataToSign, hmacKey);
postParameters.Add(Fields.MerchantSig, merchantSig);
return(postParameters);
}
public void TestHmacCalculationNotificationRequestWithSpecialChars()
{
string key = "66B61474A0AA3736BA8789EDC6D6CD9EBA0C4F414A554E32A407F849C045C69D";
var mockPath = GetMockFilePath("Mocks/notification-response-refund-fail.json");
var response = MockFileToString(mockPath);
var hmacValidator = new HmacValidator();
var notificationRequest = JsonOperation.Deserialize <NotificationRequest>(response);
var notificationItem = notificationRequest.NotificationItemContainers[0].NotificationItem;
var isValidHmac = hmacValidator.IsValidHmac(notificationItem, key);
Assert.IsTrue(isValidHmac);
}
public void GivenWrongSigningKey_WhenIsValidIsCalled_ThenReturnIsFalse()
{
var val = new HmacValidator();
var fields = new Dictionary <string, string>
{
{ "Field1", "Value1" },
{ "Field2", "Value2" },
{ "Field3", "Value3" }
};
var key = "DifferentDFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00";
var originalSignature = "oWZFUUcY8F9RzjHpNIGd8kEfIkEdKGSbTqeOt2ScocA=";
val.IsValidSignature(fields, originalSignature, key).Should().BeFalse();
}
private string CalculateSignature(ProcessPaymentRequest request)
{
var parametrs = new Dictionary <string, string>
{
{ nameof(request.MerchantTransactionId), request.MerchantTransactionId },
{ nameof(request.Amount), request.Amount.ToString("F", CultureInfo.InvariantCulture) },
{ nameof(request.CardNumber), request.CardNumber },
{ nameof(request.ExpiryMonth), request.ExpiryMonth.ToString() },
{ nameof(request.ExpiryYear), request.ExpiryYear.ToString() },
{ nameof(request.Cvv), request.Cvv },
{ nameof(request.Currency), request.Currency }
};
var hmacGenerator = new HmacValidator();
return(hmacGenerator.CalculateSignature(hmacGenerator.BuildSigningString(parametrs), _testMerchant.SigningKey));
}
public void ShouldAddWwwAuthenticateHeader()
{
// Arrange
const string headerValue = "HMAC_TEST";
IHmacConfiguration configuration = CreateConfiguration();
HttpResponseBase response = CreateResponse(string.Empty);
HmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
// Act
validator.AddWwwAuthenticateHeader(response, headerValue);
string actualHeaderValue = response.Headers["WWW-Authenticate"];
// Assert
Assert.IsNotNull(actualHeaderValue);
Assert.AreEqual(headerValue, actualHeaderValue);
}
public void ShouldFailValidationDueToInvalidAuthorization()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3);
string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
HttpRequestBase request = CreateRequest(dateString);
request.Headers[HmacConstants.AuthorizationHeaderName] = "blahblah";
// Act
HmacValidationResult result = validator.ValidateHttpRequest(request);
// Assert
Assert.IsNotNull(result);
Assert.IsNotNull(result.ErrorMessage);
Assert.AreEqual(result.ResultCode, HmacValidationResultCode.AuthorizationInvalid);
}
public void GivenValidSignature_WhenIsValidIsCalled_ThenReturnIsTrue()
{
var validator = new HmacValidator();
var fields = new Dictionary <string, string>
{
{ "MerchantTransactionId", "12345678901" },
{ "Amount", "10.00" },
{ "CardNumber", "1234123412341234" },
{ "ExpiryMonth", "10" },
{ "ExpiryYear", "2022" },
{ "Cvv", "123" },
{ "Currency", "EUR" }
};
var key = "DFB1EB5485895CFA84146406857104ABB4CBCABDC8AAF103A624C8F6A3EAAB00";
var originalSignature = "j6Ze59AWImB/ka9AySkvCxbOhvdX0P9yqiojz3vfVlE=";
validator.IsValidSignature(fields, originalSignature, key).Should().BeTrue();
}
public void ShouldFailToValidateSignature()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
const string signatureString1 = "SIGNATURE_STRING";
const string signatureString2 = "SIGNATURE_STRING_DIFFERENT";
byte[] signatureBytes1 = Encoding.UTF8.GetBytes(signatureString1);
byte[] signatureBytes2 = Encoding.UTF8.GetBytes(signatureString2);
// Act
bool isValidString = validator.IsValidSignature(signatureString1, signatureString2);
bool isValidByteArray = validator.IsValidSignature(signatureBytes1, signatureBytes2);
// Assert
Assert.IsFalse(isValidString);
Assert.IsFalse(isValidByteArray);
}
public void TestDataSign()
{
var postParameters = new Dictionary <string, string>
{
{ Constants.HPPConstants.Fields.MerchantAccount, "ACC" },
{ Constants.HPPConstants.Fields.CurrencyCode, "EUR" }
};
var hmacValidator = new HmacValidator();
var buildSigningString = hmacValidator.BuildSigningString(postParameters);
Assert.IsTrue(string.Equals("currencyCode:merchantAccount:EUR:ACC", buildSigningString));
postParameters = new Dictionary <string, string>
{
{ Constants.HPPConstants.Fields.CurrencyCode, "EUR" },
{ Constants.HPPConstants.Fields.MerchantAccount, "ACC:\\" }
};
buildSigningString = hmacValidator.BuildSigningString(postParameters);
Assert.IsTrue(string.Equals("currencyCode:merchantAccount:EUR:ACC\\:\\\\", buildSigningString));
}
public void ShouldFailToValidateRequestDate()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
DateTimeOffset dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-6);
string dateString = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
DateTime dateTime = dateTimeOffset.UtcDateTime;
// Act
bool isValidDateTimeOffset = validator.IsValidRequestDate(dateTimeOffset);
bool isValidDateString = validator.IsValidRequestDate(dateString, HmacConstants.DateHeaderFormat);
bool isValidDateTime = validator.IsValidRequestDate(dateTime);
// Assert
Assert.IsFalse(isValidDateString);
Assert.IsFalse(isValidDateTime);
Assert.IsFalse(isValidDateTimeOffset);
}
public void ShouldValidateContentMd5()
{
// Arrange
IHmacConfiguration configuration = CreateConfiguration();
IHmacSigner signer = new HmacSigner(configuration, _keyRepository);
HmacValidator validator = new HmacValidator(configuration, signer);
// Act
bool stringIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, Body, Encoding.UTF8);
bool stringIsValidByteArray = validator.IsValidContentMd5(_md5Hash, Body, Encoding.UTF8);
bool bytesAreValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, _bodyBytes);
bool bytesAreValidByteArray = validator.IsValidContentMd5(_md5Hash, _bodyBytes);
bool streamIsValidBase64 = validator.IsValidContentMd5(_base64Md5Hash, _bodyStream);
bool streamIsValidByteArray = validator.IsValidContentMd5(_md5Hash, _bodyStream);
// Assert
Assert.IsTrue(stringIsValidBase64);
Assert.IsTrue(stringIsValidByteArray);
Assert.IsTrue(bytesAreValidBase64);
Assert.IsTrue(bytesAreValidByteArray);
Assert.IsTrue(streamIsValidBase64);
Assert.IsTrue(streamIsValidByteArray);
}
