public PasswordVerifier Build()
{
_passwordVerifier = new PasswordVerifier(_password);
_passwordVerifier.Ensure_lowercase = false;
_passwordVerifier.Ensure_Number = false;
return(_passwordVerifier);
}
public void ResetPasswordTest()
{
UserAccountRecoveryController usersController = CreateFakeUserAccountRecoveryController();
//Set up recovery token on user
TokenCreatorValidator tokenCreatorValidator = new TokenCreatorValidator(_testApiSecret);
TokenCreationParams tokenCreationParams = tokenCreatorValidator.CreateToken(_users[0].Id, 30);
_users[0].RecoverySalt = tokenCreationParams.SaltBytes;
_usersService.Update(_users[0]);
//Call endpoint with wrong token
var response = usersController.ResetPassword(new PasswordResetModel(
_users[0].Email, "wrong-token", "new-password-u1")
);
Assert.IsType <BadRequestObjectResult>(response);
Assert.True(PasswordVerifier.VerifyPasswordHash("password-u1", _users[0].PasswordHash, _users[0].PasswordSalt));
//Call endpoint and check Ok and user modifications
response = usersController.ResetPassword(new PasswordResetModel(
_users[0].Email, tokenCreationParams.TokenStr, "new-password-u1")
);
Assert.IsType <OkResult>(response);
Assert.True(PasswordVerifier.VerifyPasswordHash("new-password-u1", _users[0].PasswordHash, _users[0].PasswordSalt));
Assert.Null(_users[0].RecoverySalt);
}
public User Create(User user, string password)
{
// validation
if (string.IsNullOrWhiteSpace(password))
{
throw new RequestException(UserExceptionCodes.BadPassword);
}
if (_context.Users.Any(x => x.Email == user.Email))
{
throw new RequestException(UserExceptionCodes.EmailAlreadyExists);
}
byte[] passwordHash, passwordSalt;
PasswordVerifier.CreatePasswordHash(password, out passwordHash, out passwordSalt);
user.PasswordHash = passwordHash;
user.PasswordSalt = passwordSalt;
user.Location = null;
_context.Users.Add(user);
_context.SaveChanges();
return(user);
}
public void Verify_PasswordHasNoNumber_ShouldThrow()
{
var sut = new PasswordVerifier();
var exception = Assert.Throws <ArgumentException>(() => sut.Verify("ABcDEFGHIJ"));
Assert.That(exception.Message, Does.StartWith("Should contain at least one number"));
}
public void Verify_PasswordHasNoLowerCase_ShouldThrow()
{
var sut = new PasswordVerifier();
var exception = Assert.Throws <ArgumentException>(() => sut.Verify("ABCDEFGHIJ"));
Assert.That(exception.Message, Does.StartWith("Should contain lowercase"));
}
public void ThrowExceptionIfPasswordConditionsAreNotSatisfied(string password)
{
var verifier = new PasswordVerifier();
Action result = () => verifier.Verify(Password.From(password));
result.Should().Throw <ArgumentException>();
}
public void ThrowExceptionIfPasswordDoesntHaveLowerCase(string password)
{
var verifier = new PasswordVerifier();
Action result = () => verifier.Verify(Password.From(password));
result.Should().Throw <ArgumentException>().WithMessage("Password must have at least one lower case letter.");
}
public void ThrowExceptionIfPasswordIsNullOrEmptyString(string password)
{
var verifier = new PasswordVerifier();
Action result = () => verifier.Verify(Password.From(password));
result.Should().Throw <ArgumentException>().WithMessage("Password must be provided.");
}
public void Verify_ThreeOk_ShouldReturnTrue()
{
var sut = new PasswordVerifier();
var result = sut.Verify("Abcdefgh1");
Assert.IsTrue(result);
}
public void Verify_PasswordIsNull_ShouldThrow()
{
var sut = new PasswordVerifier();
var exception = Assert.Throws <ArgumentException>(() => sut.Verify(null));
Assert.That(exception.Message, Does.StartWith("Value cannot be null."));
}
public void GivenMinMaxConstraintsStringMatches(int min, int max, char c, string testString, bool expected)
{
var passwordVerifier = new PasswordVerifier();
var answer = passwordVerifier.IsMinMaxValidPassword(min, max, c, testString);
Assert.Equal(expected, answer);
}
public void Verify_PasswordNotEightLong_ShouldThrow()
{
var sut = new PasswordVerifier();
var exception = Assert.Throws <ArgumentException>(() => sut.Verify("abc"));
Assert.That(exception.Message, Does.StartWith("Not long enough"));
}
public void TestBadMultiple(string password)
{
PasswordVerifier p = new PasswordVerifier();
string actual = p.Verify(password);
string expected = "INVALID password";
Assert.Equal(expected, actual);
}
public void Verify_PasswordHasNoCapital_ShouldThrow()
{
var sut = new PasswordVerifier();
var exception = Assert.Throws <ArgumentException>(() => sut.Verify("abcdefghij"));
Assert.That(exception.Message, Does.StartWith("Should contain uppercase"));
}
public static void SuccessfullyVerifyPasswordGeneratedForTheSpecifiedIterationNumber(string password, ulong iterationNumber)
{
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator);
var(isVerified, synchronizationValue) = verifier.VerifyCounterBasedPassword(password, Secret, iterationNumber);
Assert.True(isVerified && synchronizationValue == iterationNumber);
}
public void TestWeakOK()
{
PasswordVerifier p = new PasswordVerifier();
string actual = p.Verify("coregame");
string expected = "VALID password";
Assert.Equal(expected, actual);
}
public void TestWeakBAD2()
{
PasswordVerifier p = new PasswordVerifier();
string actual = p.Verify("c");
string expected = "INVALID password";
Assert.Equal(expected, actual);
}
private void createUserButton_Click(object sender, EventArgs e)
{
string createdUsername = username.Text;
string createdPassword = password.Text;
// Check if the username already exists
try
{
var matchingUserTable = dataManager
.Execute($"SELECT * FROM LoginInfo WHERE username = '******'");
if (matchingUserTable.Rows.Count != 0)
{
MessageBox.Show("That username already exists.");
return;
}
}
catch (InvalidOperationException exception)
{
Console.WriteLine(exception.Message);
MessageBox.Show("Something went wrong.");
return;
}
// Validate username and password
if (createdUsername == "" || createdPassword == "")
{
// Not enough data; exit
MessageBox.Show("One of the fields is empty.");
return;
}
else if (!PasswordVerifier.IsValidPassword(createdPassword))
{
// Invalid password; exit
MessageBox.Show("Password must be at least 8 characters and contain at least one number.");
return;
}
// Hash the password for storage
String hashedPassword = BCrypt.HashPassword(createdPassword, BCrypt.GenerateSalt());
// Add user to database
try
{
String query = "INSERT INTO LoginInfo (username, password) " +
"VALUES ('" + createdUsername + "', '" + hashedPassword + "')";
dataManager.Execute(query);
MessageBox.Show("Login credentials added:\n" + createdUsername + "\n" + hashedPassword);
username.Text = "";
password.Text = "";
}
catch (InvalidOperationException exception)
{
Console.WriteLine(exception.Message);
MessageBox.Show("Fatal Error: Something went wrong. Try again");
}
}
public void GivenPositionalConstraintsStringMatches(int posA, int posB, char c, string testString,
bool expected)
{
var passwordVerifier = new PasswordVerifier();
var answer = passwordVerifier.IsPositionalValidPassword(posA, posB, c, testString);
Assert.Equal(expected, answer);
}
public void Verify_PassNonNullArg_ReturnResultOfVerification()
{
PasswordVerifier verifier = new PasswordVerifier();
string arg = Convert.ToString(TestContext.DataRow["arg"]);
bool expectedResult = Convert.ToBoolean(TestContext.DataRow["result"]);
bool actualResult = verifier.Verify(arg);
Assert.AreEqual(expectedResult, actualResult, "expected and actual results are not equal.\n arg = " + arg + "\nexpected = " + expectedResult + "\nactual = " + actualResult);
}
protected void CreateUserButton_Clicked(object sender, EventArgs e)
{
string userName = UserNameTextBox.Text;
string password = PasswordTextBox.Text;
string emailAddress = EmailAddressTextBox.Text;
if (userName == "" || password == "" || emailAddress == "")
{
return;
}
//Check if user exists
if (CuplexLib.User.UserNameExists(userName))
{
ShowModalMessage(Utils.GetResourceText("RegisterUserUsernameTaken"));
return;
}
else if (!Utils.ValidateEmail(emailAddress))
{
ShowModalMessage(Utils.GetResourceText("RegisterUserIncorrectEmailAddress"));
return;
}
else if (password != PasswordConfirmTextBox.Text)
{
ShowModalMessage(Utils.GetResourceText("RegisterUserPasswordMissmatch"));
return;
}
//Verify password strength
PasswordVerifier passwordVerifier = new PasswordVerifier();
PasswordVerifier.PasswordVerifierResult passwordVerificationResult = passwordVerifier.VerifyPassword(password);
if (passwordVerificationResult != PasswordVerifier.PasswordVerifierResult.PasswordIsOk)
{
string errorMessage = "<b>" + Utils.GetResourceText(Enum.GetName(typeof(PasswordVerifier.PasswordVerifierResult), passwordVerificationResult)) + "</b>";
errorMessage += "<BR/>" + string.Format(Utils.GetResourceText("PasswordRules"), passwordVerifier.MinimumPasswordLength, passwordVerifier.MinimumPasswordCapitalLetters, passwordVerifier.MinimumPasswordDigits);
ShowModalMessage(errorMessage);
return;
}
//Verify UserName
if (!UserNameVerifier.VerifyUserName(userName))
{
ShowModalMessage(Utils.GetResourceText("IncorrectUserName"));
return;
}
CuplexLib.User createdUser = CuplexLib.User.CreateUser(userName, password, emailAddress);
if (createdUser != null)
{
AccessControl.CreateUserSession(createdUser.UserName);
Response.Redirect(cms.Current.GetRootPath);
}
}
public static void SuccessfullyVerifyPasswordGeneratedWithinTheConfiguredSynchronizationWindow(string password, ulong iterationNumber)
{
var counterValue = 0uL; // 0 is not one of the input values for iterationNumber
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator, options => options.SynchronizationWindowSize = 13);
var(isVerified, synchronizationValue) = verifier.VerifyCounterBasedPassword(password, Secret, counterValue);
Assert.True(isVerified && synchronizationValue == iterationNumber);
}
// User wants to verify password against stored hash.
private void PasswordVerify_Click(object sender, EventArgs e)
{
if (PasswordVerifier.PasswordVerify(this.txtPassword.Text, this.txtFullHash.Text))
{
this.lblVerify.Text = "Verified successfully";
}
else
{
this.lblVerify.Text = "Verification failed!";
}
}
[InlineData("520489")] // 9
public static void FailToVerifyPasswordGeneratedOutsideTheConfiguredSynchronizationWindow(string password)
{
var counterValue = 0uL;
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator, options => options.SynchronizationWindowSize = 7);
var(isVerified, synchronizationValue) = verifier.VerifyCounterBasedPassword(password, Secret, counterValue);
Assert.False(isVerified);
}
public static void FailToVerifyPasswordGeneratedForAnIterationBeforeTheCounterValue()
{
var password = "******"; // iterationNumber = 7
var counterValue = 9uL;
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator);
var(isVerified, synchronizationValue) = verifier.VerifyCounterBasedPassword(password, Secret, counterValue);
Assert.False(isVerified);
}
public static void SuccessfullyVerifyPasswordGeneratedWithinTheServerTimeStepOrTheDefaultBackwardAndForwardTimeSteps(string password, int drift)
{
var unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var now = unixEpoch.AddSeconds(1234567890);
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator);
var(isVerified, timeStepDrift) = verifier.VerifyTimeBasedPassword(password, Secret, () => now);
Assert.True(isVerified && timeStepDrift == drift);
}
[InlineData("992085")] // +3
public static void FailToVerifyPasswordGeneratedOutsideTheServerTimeStepAndTheDefaultBackwardAndForwardTimeSteps(string password)
{
var unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var now = unixEpoch.AddSeconds(1234567890);
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator);
var(isVerified, timeStepDrift) = verifier.VerifyTimeBasedPassword(password, Secret, () => now);
Assert.False(isVerified);
}
public async Task <UserViewModel> GetVerifiedUserAsync(LoginViewModel model, CancellationToken ct)
{
var user = await _userRepository.GetByEmailAsync(model.Email, ct : ct);
if (user is null)
{
return(null);
}
return(PasswordVerifier.VerifyPassword(model.Password,
new PasswordSecret(user))
? user.Adapt <UserViewModel>()
: null);
}
public void CreateAndVerifyPasswordHashTest()
{
string password;
byte[] passwordHash, passwordSalt;
for (int i = 0; i < 100; i++)
{
password = RandomString(Random.Next(1, 33));
PasswordVerifier.CreatePasswordHash(password, out passwordHash, out passwordSalt);
Assert.True(PasswordVerifier.VerifyPasswordHash(password, passwordHash, passwordSalt));
}
}
public static void PropertiesAreSetToTheirDefaultValueIfOptionsParameterIsNotSet()
{
const uint defaultSynchronizationWindowSize = 10;
const uint defaultNumberOfBackwardTimeSteps = 2;
const uint defaultNumberOfForwardTimeSteps = 2;
var authenticator = new Authenticator();
var verifier = new PasswordVerifier(authenticator);
Assert.Equal(defaultSynchronizationWindowSize, verifier.SynchronizationWindowSize);
Assert.Equal(defaultNumberOfBackwardTimeSteps, verifier.NumberOfPastTimeSteps);
Assert.Equal(defaultNumberOfForwardTimeSteps, verifier.NumberOfFutureTimeSteps);
}
