Almost done with API keys

Author: gauffininteractive

src/Server/OneTrueError.Api.Client/OneTrueClient.cs

@@ -1,52 +1,77 @@
 using System;
-using System.Collections.Specialized;
 using System.Net;
+using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
 using DotNetCqs;
 using Newtonsoft.Json;
 using OneTrueError.Api.Client.Json;
-using OneTrueError.Api.Client.Tests;
 
 namespace OneTrueError.Api.Client
 {
     /// <summary>
-    /// Client for the OneTrueError server API
+    ///     Client for the OneTrueError server API
     /// </summary>
     public class OneTrueClient : IQueryBus, ICommandBus, IEventBus
     {
-        private CookieContainer _cookies;
-        private Encoding _basicAuthEncoding = Encoding.GetEncoding("ISO-8859-1");
+        private readonly string _apiKey;
 
         private readonly JsonSerializerSettings _jsonSerializerSettings = new JsonSerializerSettings
         {
             ConstructorHandling = ConstructorHandling.AllowNonPublicDefaultConstructor,
             Formatting = Formatting.Indented
         };
 
+        private readonly string _sharedSecret;
         private Uri _uri;
 
 
-        public OneTrueClient()
+        /// <summary>
+        ///     Creates a new instance of <see cref="OneTrueClient" />.
+        /// </summary>
+        /// <param name="apiKey">Api key from the admin area in OneTrueError web</param>
+        /// <param name="sharedSecret">Shared secret from the admin area in OneTrueError web</param>
+        public OneTrueClient(string apiKey, string sharedSecret)
         {
+            if (apiKey == null) throw new ArgumentNullException(nameof(apiKey));
+            if (sharedSecret == null) throw new ArgumentNullException(nameof(sharedSecret));
+
+            _apiKey = apiKey;
+            _sharedSecret = sharedSecret;
             _jsonSerializerSettings.ContractResolver = new IncludeNonPublicMembersContractResolver();
         }
 
-        public NetworkCredential Credentials { get; set; }
-
+        /// <summary>
+        ///     Execute a command
+        /// </summary>
+        /// <typeparam name="T">type of query (from the <c>OneTrueError.Api</c> class library)</typeparam>
+        /// <param name="command">command to execute</param>
+        /// <returns>task</returns>
         public async Task ExecuteAsync<T>(T command) where T : Command
         {
             var response = await RequestAsync("POST", "command", command);
             response.Close();
         }
 
+        /// <summary>
+        ///     Publish an event
+        /// </summary>
+        /// <typeparam name="TApplicationEvent">type of event (from the <c>OneTrueError.Api</c> class library)</typeparam>
+        /// <param name="e">event to publish</param>
+        /// <returns>task</returns>
         public async Task PublishAsync<TApplicationEvent>(TApplicationEvent e)
             where TApplicationEvent : ApplicationEvent
         {
             var response = await RequestAsync("POST", "event", e);
             response.Close();
         }
 
+        /// <summary>
+        ///     Make a query
+        /// </summary>
+        /// <typeparam name="TResult">Result from a query (a class from the <c>OneTrueError.Api</c> library)</typeparam>
+        /// <param name="query"></param>
+        /// <returns></returns>
         public async Task<TResult> QueryAsync<TResult>(Query<TResult> query)
         {
             //TODO: Unwrap the cqs object to query parameters instead
@@ -55,12 +80,15 @@ public async Task<TResult> QueryAsync<TResult>(Query<TResult> query)
             return await DeserializeResponse<TResult>(response);
         }
 
+        /// <summary>
+        ///     Open a channel
+        /// </summary>
+        /// <param name="uri">Root URL to the OneTrueError web</param>
         public void Open(Uri uri)
         {
             if (uri == null) throw new ArgumentNullException(nameof(uri));
 
             _uri = uri;
-            _cookies = new CookieContainer();
         }
 
         private async Task<TResult> DeserializeResponse<TResult>(HttpWebResponse response)
@@ -70,44 +98,29 @@ private async Task<TResult> DeserializeResponse<TResult>(HttpWebResponse respons
             await responseStream.ReadAsync(jsonBuf, 0, jsonBuf.Length);
             var jsonStr = Encoding.UTF8.GetString(jsonBuf);
             var responseObj = JsonConvert.DeserializeObject(jsonStr, typeof(TResult), _jsonSerializerSettings);
-            return (TResult)responseObj;
+            return (TResult) responseObj;
         }
 
         private async Task<HttpWebResponse> RequestAsync(string httpMethod, string cqsType, object cqsObject)
         {
-            if (_cookies.Count == 0)
-            {
-                var sb = new StringBuilder();
-                sb.AppendUrlEncoded("username", Credentials.UserName);
-                sb.AppendUrlEncoded("password", Credentials.Password);
-                var data = Encoding.UTF8.GetBytes(sb.ToString());
-
-                var authRequest = WebRequest.CreateHttp(_uri + "/account/login");
-                authRequest.Method = "POST";
-                authRequest.CookieContainer = _cookies;
-                authRequest.ContentType = "application/x-www-form-urlencoded";
-                authRequest.ContentLength = data.Length;
-                var authReqStream = await authRequest.GetRequestStreamAsync();
-                await authReqStream.WriteAsync(data, 0, data.Length);
-                var resp = authRequest.GetResponse();
-
-            }
-            string authInfo = Credentials.UserName + ":" + Credentials.Password;
-            authInfo = Convert.ToBase64String(_basicAuthEncoding.GetBytes(authInfo));
-
             var request = WebRequest.CreateHttp(_uri + "api/cqs");
             request.Method = httpMethod;
-            request.Headers.Add("Authorization", "Basic " + authInfo);
+            request.Headers.Add("X-Api-Key", _apiKey);
             request.Headers.Add("X-Cqs-Name", cqsObject.GetType().Name);
-            //request.PreAuthenticate = true;
-            request.CookieContainer = _cookies;
 
             var stream = await request.GetRequestStreamAsync();
             var json = JsonConvert.SerializeObject(cqsObject, _jsonSerializerSettings);
             var buffer = Encoding.UTF8.GetBytes(json);
+
+var hamc = new HMACSHA256(Encoding.UTF8.GetBytes(_sharedSecret.ToLower()));
+var hash = hamc.ComputeHash(buffer);
+var signature = Convert.ToBase64String(hash);
+
             await stream.WriteAsync(buffer, 0, buffer.Length);
 
-            return (HttpWebResponse)await request.GetResponseAsync();
+            request.Headers.Add("X-Api-Signature", signature);
+
+            return (HttpWebResponse) await request.GetResponseAsync();
         }
     }
 }

src/Server/OneTrueError.Api/AuthorizeAttribute.cs

@@ -0,0 +1,16 @@
+using System;
+
+namespace OneTrueError.Api
+{
+    [AttributeUsage(AttributeTargets.Class)]
+    public class AuthorizeAttribute : Attribute
+    {
+        public AuthorizeAttribute(params string[] roles)
+        {
+            if (roles == null) throw new ArgumentNullException("roles");
+            Roles = roles;
+        }
+
+        public string[] Roles { get; set; }
+    }
+}

src/Server/OneTrueError.Api/Core/ApiKeys/Commands/CreateApiKey.cs

@@ -0,0 +1,58 @@
+using System;
+using DotNetCqs;
+
+namespace OneTrueError.Api.Core.ApiKeys.Commands
+{
+    /// <summary>
+    /// Create a new api key
+    /// </summary>
+    [Authorize("SysAdmin")]
+    public class CreateApiKey : Command
+    {
+        /// <summary>
+        /// Creates a new instance of <see cref="CreateApiKey"/>.
+        /// </summary>
+        /// <param name="applicationName"><see cref="ApplicationName"/></param>
+        /// <param name="apiKey"><see cref="ApiKey"/></param>
+        /// <param name="sharedSecret"><see cref="SharedSecret"/></param>
+        /// <param name="applicationIds"><see cref="ApplicationIds"/></param>
+        public CreateApiKey(string applicationName, string apiKey, string sharedSecret, int[] applicationIds)
+        {
+            if (applicationName == null) throw new ArgumentNullException("applicationName");
+            if (apiKey == null) throw new ArgumentNullException("apiKey");
+            if (sharedSecret == null) throw new ArgumentNullException("sharedSecret");
+            if (applicationIds == null) throw new ArgumentNullException("applicationIds");
+
+            ApplicationName = applicationName;
+            ApiKey = apiKey;
+            SharedSecret = sharedSecret;
+            ApplicationIds = applicationIds;
+        }
+
+
+        /// <summary>
+        /// Must always be the one that creates the key (will be assigned by the CommandBus per convention)
+        /// </summary>
+        public int AccountId { get; set; }
+
+        /// <summary>
+        /// Generated api key
+        /// </summary>
+        public string ApiKey { get; set; }
+
+        /// <summary>
+        /// applications that this key may modify. Empty = allow for all applications.
+        /// </summary>
+        public int[] ApplicationIds { get; set; }
+
+        /// <summary>
+        /// Application that uses this api key
+        /// </summary>
+        public string ApplicationName { get; set; }
+
+        /// <summary>
+        /// Used to sign all requests.
+        /// </summary>
+        public string SharedSecret { get; set; }
+    }
+}

src/Server/OneTrueError.Api/Core/ApiKeys/Commands/DeleteApiKey.cs

@@ -0,0 +1,52 @@
+using System;
+using DotNetCqs;
+
+namespace OneTrueError.Api.Core.ApiKeys.Commands
+{
+    /// <summary>
+    ///     Delete an API key.
+    /// </summary>
+    public class DeleteApiKey : Command
+    {
+        /// <summary>
+        ///     Serialization constructor
+        /// </summary>
+        protected DeleteApiKey()
+        {
+        }
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="DeleteApiKey" />.
+        /// </summary>
+        /// <param name="id">PK</param>
+        public DeleteApiKey(int id)
+        {
+            Id = id;
+        }
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="DeleteApiKey" />.
+        /// </summary>
+        /// <param name="apiKey">The generated ApiKey</param>
+        public DeleteApiKey(string apiKey)
+        {
+            if (apiKey == null) throw new ArgumentNullException("apiKey");
+            Guid guid;
+            if (!Guid.TryParse(apiKey, out guid))
+                throw new ArgumentException("Not a valid api key: " + apiKey, "apiKey");
+
+            ApiKey = apiKey;
+        }
+
+        /// <summary>
+        ///     generated api key (if specified)
+        /// </summary>
+        public string ApiKey { get; private set; }
+
+        /// <summary>
+        ///     PK (if specified)
+        /// </summary>
+        public int Id { get; private set; }
+    }
+}
+

src/Server/OneTrueError.Api/Core/ApiKeys/Queries/GetApiKey.cs

@@ -0,0 +1,51 @@
+using System;
+using DotNetCqs;
+
+namespace OneTrueError.Api.Core.ApiKeys.Queries
+{
+    /// <summary>
+    ///     Get information about an API key
+    /// </summary>
+    public class GetApiKey : Query<GetApiKeyResult>
+    {
+        /// <summary>
+        ///     Serialization constructor
+        /// </summary>
+        protected GetApiKey()
+        {
+        }
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="GetApiKey" />.
+        /// </summary>
+        /// <param name="id">PK</param>
+        public GetApiKey(int id)
+        {
+            Id = id;
+        }
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="GetApiKey" />.
+        /// </summary>
+        /// <param name="apiKey">The generated ApiKey</param>
+        public GetApiKey(string apiKey)
+        {
+            if (apiKey == null) throw new ArgumentNullException("apiKey");
+            Guid guid;
+            if (!Guid.TryParse(apiKey, out guid))
+                throw new ArgumentException("Not a valid api key: " + apiKey, "apiKey");
+
+            ApiKey = apiKey;
+        }
+
+        /// <summary>
+        ///     generated api key (if specified)
+        /// </summary>
+        public string ApiKey { get; private set; }
+
+        /// <summary>
+        ///     PK (if specified)
+        /// </summary>
+        public int Id { get; private set; }
+    }
+}

src/Server/OneTrueError.Api/Core/ApiKeys/Queries/GetApiKeyResult.cs

@@ -0,0 +1,48 @@
+using System;
+
+namespace OneTrueError.Api.Core.ApiKeys.Queries
+{
+    /// <summary>
+    ///     Result for <see cref="GetApiKey" />.
+    /// </summary>
+    public class GetApiKeyResult
+    {
+        /// <summary>
+        ///     Application ids that we've been granted to work with
+        /// </summary>
+        public GetApiKeyResultApplication[] AllowedApplications { get; set; }
+
+        /// <summary>
+        ///     Application that will be using this key
+        /// </summary>
+        public string ApplicationName { get; set; }
+
+
+        /// <summary>
+        ///     When this key was generated
+        /// </summary>
+        public DateTime CreatedAtUtc { get; set; }
+
+        /// <summary>
+        ///     AccountId that generated this key
+        /// </summary>
+        public int CreatedById { get; set; }
+
+        /// <summary>
+        ///     Api key
+        /// </summary>
+        public string GeneratedKey { get; set; }
+
+
+        /// <summary>
+        ///     PK
+        /// </summary>
+        public int Id { get; set; }
+
+
+        /// <summary>
+        ///     Used when generating signatures.
+        /// </summary>
+        public string SharedSecret { get; set; }
+    }
+}