Added MFA support for PasswordCredentials. Closes #52

docs/design-principles/0000-all-use-cases.md

@@ -16,9 +16,11 @@ Legend:
 
 * <sup>OPS</sup> denotes a support API that is only accessible to operations team of the platform
 
-### Cars
+### Cars (Sample)
 
-1. Register a new car <sup>$$</sup>
+> This is sample subdomain, and is expected to be deleted when this product goes to production
+
+1. Register a new car <sup>$$$</sup>
 2. Delete a car <sup>$$$</sup>
 3. Schedule the car for "maintenance" <sup>$$$</sup>
 4. Take a car "offline" <sup>$$$</sup>
@@ -27,7 +29,9 @@ Legend:
 7. Find all the cars on the platform <sup>$$$</sup>
 8. Find all the available cars for a specific time frame <sup>$$$</sup>
 
-### Bookings
+### Bookings (Sample)
+
+> This is sample subdomain, and is expected to be deleted when this product goes to production
 
 1. Make a booking for a specific car and time frame <sup>$$$</sup>
 2. Cancel an existing booking <sup>$$$</sup>
@@ -109,6 +113,10 @@ These are the end users on the platform.
 
 ### Identities
 
+Identity is the way that a user can authenticate with the platform.
+
+1. Fetch the identity characteristics about the authenticated user
+
 #### API Keys
 
 API Key are the way a user (person or machine) can authenticate with the platform using an API key.

src/Application.Resources.Shared/Identity.cs

@@ -2,6 +2,15 @@
 
 namespace Application.Resources.Shared;
 
+public class Identity : IIdentifiableResource
+{
+    public required bool IsMfaEnabled { get; set; }
+
+    public required bool HasCredentials { get; set; }
+
+    public required string Id { get; set; }
+}
+
 public class AuthenticateTokens
 {
     public required AuthenticationToken AccessToken { get; set; }
@@ -62,7 +71,7 @@ public AuthToken(TokenType type, string value, DateTime? expiresOn)
 
 public enum TokenType
 {
-    OtherToken = 0,
-    AccessToken = 1,
-    RefreshToken = 2
+    OtherToken = 0, // e.g. idToken
+    AccessToken = 1, // access_token
+    RefreshToken = 2 // refresh_token
 }

src/Application.Resources.Shared/PasswordCredential.cs

@@ -36,7 +36,7 @@ public class PasswordCredentialMfaAuthenticator : IIdentifiableResource
     public required string Id { get; set; }
 }
 
-public class PasswordCredentialMfaAssociation
+public class PasswordCredentialMfaAuthenticatorAssociation
 {
     public string? BarCodeUri { get; set; }
 
@@ -49,14 +49,14 @@ public class PasswordCredentialMfaAssociation
     public required PasswordCredentialMfaAuthenticatorType Type { get; set; }
 }
 
-public class PasswordCredentialMfaChallenge
+public class PasswordCredentialMfaAuthenticatorChallenge
 {
     public string? OobCode { get; set; }
 
     public PasswordCredentialMfaAuthenticatorType Type { get; set; }
 }
 
-public class PasswordCredentialMfaConfirmation
+public class PasswordCredentialMfaAuthenticatorConfirmation
 {
     public AuthenticateTokens? Tokens { get; set; }
 

src/Application.Services.Shared/ISSOService.cs

@@ -4,12 +4,32 @@
 
 namespace Application.Services.Shared;
 
+/// <summary>
+///     Defines a service to access and manage the SSO AuthTokens for a user
+/// </summary>
 public interface ISSOService
 {
+    /// <summary>
+    ///     Retrieves the list of tokens for the current user
+    /// </summary>
     Task<Result<IReadOnlyList<ProviderAuthenticationTokens>, Error>> GetTokensAsync(ICallerContext caller,
-        string userId,
         CancellationToken cancellationToken);
 
-    Task<Result<ProviderAuthenticationTokens, Error>> RefreshTokenAsync(ICallerContext caller, string userId,
+    /// <summary>
+    ///     Retrieves the list of tokens for the specified user
+    /// </summary>
+    Task<Result<IReadOnlyList<ProviderAuthenticationTokens>, Error>> GetTokensOnBehalfOfUserAsync(ICallerContext caller,
+        string userId, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Refreshes the specified <see cref="refreshToken" /> for the current user
+    /// </summary>
+    Task<Result<ProviderAuthenticationTokens, Error>> RefreshTokenAsync(ICallerContext caller,
         string providerName, string refreshToken, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Refreshes the specified <see cref="refreshToken" /> for the specified user
+    /// </summary>
+    Task<Result<ProviderAuthenticationTokens, Error>> RefreshTokenOnBehalfOfUserAsync(ICallerContext caller,
+        string userId, string providerName, string refreshToken, CancellationToken cancellationToken);
 }

src/Common/Error.cs

@@ -105,6 +105,15 @@ public bool Is(ErrorCode code, string? message = null)
         return code == Code && (message == null || message == Message);
     }
 
+    /// <summary>
+    ///     Whether this error is notof the specified <see cref="code" />
+    ///     and optional <see cref="message" />
+    /// </summary>
+    public bool IsNot(ErrorCode code, string? message = null)
+    {
+        return !Is(code, message);
+    }
+
     /// <summary>
     ///     Creates a <see cref="ErrorCode.NoError" /> error
     /// </summary>

src/IdentityApplication.UnitTests/IdentityApplicationSpec.cs

@@ -0,0 +1,65 @@
+using Application.Interfaces;
+using Application.Resources.Shared;
+using Common;
+using FluentAssertions;
+using IdentityApplication.ApplicationServices;
+using Moq;
+using UnitTesting.Common;
+using Xunit;
+
+namespace IdentityApplication.UnitTests;
+
+[Trait("Category", "Unit")]
+public class IdentityApplicationSpec
+{
+    private readonly IdentityApplication _application;
+    private readonly Mock<ICallerContext> _caller;
+    private readonly Mock<IPasswordCredentialsService> _passwordCredentialsService;
+
+    public IdentityApplicationSpec()
+    {
+        _caller = new Mock<ICallerContext>();
+        _caller.Setup(c => c.CallerId)
+            .Returns("acallerid");
+        _passwordCredentialsService = new Mock<IPasswordCredentialsService>();
+        _application = new IdentityApplication(_passwordCredentialsService.Object);
+    }
+
+    [Fact]
+    public async Task WhenGetIdentityAsyncAndCredentialNotExist_ThenReturnsIdentity()
+    {
+        _passwordCredentialsService.Setup(pcs =>
+                pcs.GetCredentialsPrivateAsync(It.IsAny<ICallerContext>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(Error.EntityNotFound());
+
+        var result = await _application.GetIdentityAsync(_caller.Object, CancellationToken.None);
+
+        result.Should().BeSuccess();
+        result.Value.Id.Should().Be("acallerid");
+        result.Value.IsMfaEnabled.Should().BeFalse();
+        result.Value.HasCredentials.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task WhenGetIdentityAsyncAndCredentialExists_ThenReturnsIdentity()
+    {
+        _passwordCredentialsService.Setup(pcs =>
+                pcs.GetCredentialsPrivateAsync(It.IsAny<ICallerContext>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new PasswordCredential
+            {
+                Id = "auserid",
+                User = new EndUser
+                {
+                    Id = "auserid"
+                },
+                IsMfaEnabled = true
+            });
+
+        var result = await _application.GetIdentityAsync(_caller.Object, CancellationToken.None);
+
+        result.Should().BeSuccess();
+        result.Value.Id.Should().Be("acallerid");
+        result.Value.IsMfaEnabled.Should().BeTrue();
+        result.Value.HasCredentials.Should().BeTrue();
+    }
+}

src/IdentityApplication.UnitTests/PasswordCredentialsApplicationSpec.cs

@@ -29,6 +29,7 @@ public class PasswordCredentialsApplicationSpec
     private readonly Mock<IAuthTokensService> _authTokensService;
     private readonly Mock<ICallerContext> _caller;
     private readonly Mock<IEmailAddressService> _emailAddressService;
+    private readonly Mock<IEncryptionService> _encryptionService;
     private readonly Mock<IEndUsersService> _endUsersService;
     private readonly Mock<IIdentifierFactory> _idFactory;
     private readonly Mock<IMfaService> _mfaService;
@@ -39,7 +40,6 @@ public class PasswordCredentialsApplicationSpec
     private readonly Mock<IConfigurationSettings> _settings;
     private readonly Mock<ITokensService> _tokensService;
     private readonly Mock<IUserProfilesService> _userProfilesService;
-    private readonly Mock<IEncryptionService> _encryptionService;
 
     public PasswordCredentialsApplicationSpec()
     {
@@ -580,6 +580,46 @@ public async Task WhenConfirmPersonRegistrationAsync_ThenReturnsSuccess()
         ), It.IsAny<CancellationToken>()));
     }
 
+    [Fact]
+    public async Task WhenGetPasswordCredentialAsyncAndNotFound_ThenReturnsError()
+    {
+        _repository.Setup(s => s.FindCredentialsByUserIdAsync(It.IsAny<Identifier>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(Optional<PasswordCredentialRoot>
+                .None);
+
+        var result = await _application.GetPasswordCredentialAsync(_caller.Object, CancellationToken.None);
+
+        result.Should().BeError(ErrorCode.EntityNotFound);
+    }
+
+    [Fact]
+    public async Task WhenGetPasswordCredentialAsync_ThenReturnsCredentials()
+    {
+        _caller.Setup(cc => cc.CallerId)
+            .Returns("auserid");
+        var credential = CreateVerifiedCredential();
+        _repository.Setup(s =>
+                s.FindCredentialsByUserIdAsync(It.IsAny<Identifier>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(credential.ToOptional());
+        _endUsersService.Setup(eus =>
+                eus.GetUserPrivateAsync(It.IsAny<ICallerContext>(), It.IsAny<string>(),
+                    It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new EndUser
+            {
+                Id = "auserid",
+                Classification = EndUserClassification.Person
+            });
+
+        var result = await _application.GetPasswordCredentialAsync(_caller.Object, CancellationToken.None);
+
+        result.Value.Id.Should().Be("anid");
+
+        result.Value.IsMfaEnabled.Should().BeFalse();
+        _endUsersService.Verify(eus =>
+            eus.GetUserPrivateAsync(_caller.Object, "auserid",
+                It.IsAny<CancellationToken>()));
+    }
+
     private PasswordCredentialRoot CreateUnVerifiedCredential()
     {
         var credential = CreateCredential();

src/IdentityApplication.UnitTests/SSOProvidersServiceSpec.cs

@@ -341,7 +341,8 @@ public async Task WhenGetTokensAsyncAndNoTokens_ThenReturnsNone()
                         It.IsAny<CancellationToken>()))
                 .ReturnsAsync(ssoUser.ToOptional());
 
-            var result = await _service.GetTokensAsync(_caller.Object, "auserid".ToId(), CancellationToken.None);
+            var result =
+                await _service.GetTokensOnBehalfOfUserAsync(_caller.Object, "auserid".ToId(), CancellationToken.None);
 
             result.Should().BeSuccess();
             result.Value.Count.Should().Be(0);
@@ -367,7 +368,8 @@ public async Task WhenGetTokensAsync_ThenReturnsError()
                         It.IsAny<CancellationToken>()))
                 .ReturnsAsync(ssoUser.ToOptional());
 
-            var result = await _service.GetTokensAsync(_caller.Object, "auserid".ToId(), CancellationToken.None);
+            var result =
+                await _service.GetTokensOnBehalfOfUserAsync(_caller.Object, "auserid".ToId(), CancellationToken.None);
 
             result.Should().BeSuccess();
             result.Value.Count.Should().Be(1);