Merge branch 'gdm-UID2-1526-add-cstg-to-decryptionresponse' of github.com:IABTechLab/uid2-client-net into gdm-UID2-1526-add-cstg-to-decryptionresponse

Author: gmsdelmundo

src/UID2.Client/IUID2Client.cs

@@ -38,7 +38,18 @@ public interface IUID2Client
         [Obsolete("Please use Decrypt(string token) instead.")]
         DecryptionResponse Decrypt(string token, DateTime utcNow);
         DecryptionResponse Decrypt(string token);
-        DecryptionResponse Decrypt(string token, string expectedDomainName);
+        /// <summary>
+        /// Decrypt advertising token to extract UID2 details and does a domain name check with the provided domainNameFromBidRequest param
+        /// for tokens from Client Side Token Generation 
+        /// </summary>
+        /// <param name="token">The UID2 Token </param>
+        /// <param name="domainNameFromBidRequest">The domain name from bid request which should match the domain name of the publisher (registered with UID2 admin)
+        /// generating this token previously using Client Side Token Generation
+        /// </param>
+        /// <returns>Response showing if decryption is successful and the resulting UID if successful.
+        /// Or it could return error codes/string indicating what went wrong (such as DecryptionStatus.DomainNameCheckFailed)
+        /// </returns>
+        DecryptionResponse Decrypt(string token, string domainNameFromBidRequest);
 
         EncryptionDataResponse Encrypt(string rawUid);
         [Obsolete("Please use Encrypt(string rawUid) instead.")]

src/UID2.Client/UID2Client.cs

@@ -34,20 +34,20 @@ public UID2Client(string endpoint, string authKey, string secretKey, IdentitySco
 
         public DecryptionResponse Decrypt(string token)
         {
-            return Decrypt(token, DateTime.UtcNow, expectedDomainName: null);
+            return Decrypt(token, DateTime.UtcNow, null, false);
         }
 
         public DecryptionResponse Decrypt(string token, DateTime utcNow)
         {
-            return Decrypt(token, utcNow, expectedDomainName: null);
+            return Decrypt(token, utcNow, null, false);
         }
 
-        public DecryptionResponse Decrypt(string token, string expectedDomainName)
+        public DecryptionResponse Decrypt(string token, string domainNameFromBidRequest)
         {
-            return Decrypt(token, DateTime.UtcNow, expectedDomainName);
+            return Decrypt(token, DateTime.UtcNow, domainNameFromBidRequest, true);
         }
 
-        public DecryptionResponse Decrypt(string token, DateTime now, string expectedDomainName)
+        private DecryptionResponse Decrypt(string token, DateTime now, string domainNameFromBidRequest, bool enableDomainNameCheck)
         {
             var container = Volatile.Read(ref _container);
             if (container == null)
@@ -62,7 +62,7 @@ public DecryptionResponse Decrypt(string token, DateTime now, string expectedDom
 
             try
             {
-                return UID2Encryption.Decrypt(token, container, now, expectedDomainName, _identityScope);
+                return UID2Encryption.Decrypt(token, container, now, domainNameFromBidRequest, _identityScope, enableDomainNameCheck);
             }
             catch (Exception)
             {

src/UID2.Client/UID2Encryption.cs

@@ -15,7 +15,7 @@ internal static class UID2Encryption
         public const int GCM_IV_LENGTH = 12;
         private static char[] BASE64_URL_SPECIAL_CHARS = { '-', '_' };
 
-        internal static DecryptionResponse Decrypt(string token, KeyContainer keys, DateTime now, string domainName, IdentityScope identityScope)
+        internal static DecryptionResponse Decrypt(string token, KeyContainer keys, DateTime now, string domainName, IdentityScope identityScope, bool enableDomainNameCheck)
         {
             if (token.Length < 4)
             {
@@ -28,24 +28,24 @@ internal static DecryptionResponse Decrypt(string token, KeyContainer keys, Date
 
             if (data[0] == 2)
             {
-                return DecryptV2(Convert.FromBase64String(token), keys, now, domainName);
+                return DecryptV2(Convert.FromBase64String(token), keys, now, domainName, enableDomainNameCheck);
             }
 
             if (data[1] == (int)AdvertisingTokenVersion.V3)
             {
-                return DecryptV3(Convert.FromBase64String(token), keys, now, identityScope, 3, domainName);
+                return DecryptV3(Convert.FromBase64String(token), keys, now, identityScope, 3, domainName, enableDomainNameCheck);
             }
 
             if (data[1] == (int)AdvertisingTokenVersion.V4)
             {
                 //same as V3 but use Base64URL encoding
-                return DecryptV3(UID2Base64UrlCoder.Decode(token), keys, now, identityScope, 4, domainName);
+                return DecryptV3(UID2Base64UrlCoder.Decode(token), keys, now, identityScope, 4, domainName, enableDomainNameCheck);
             }
 
             return DecryptionResponse.MakeError(DecryptionStatus.VersionNotSupported);
         }
 
-        private static DecryptionResponse DecryptV2(byte[] encryptedId, KeyContainer keys, DateTime now, string domainName)
+        private static DecryptionResponse DecryptV2(byte[] encryptedId, KeyContainer keys, DateTime now, string domainName, bool enableDomainNameCheck)
         {
             var reader = new BigEndianByteReader(new MemoryStream(encryptedId));
 
@@ -101,15 +101,15 @@ private static DecryptionResponse DecryptV2(byte[] encryptedId, KeyContainer key
                 return new DecryptionResponse(DecryptionStatus.UserOptedOut, null, established, siteId, siteKey.SiteId, null, 2, privacyBits.IsClientSideGenerated);
             }
 
-            if (!IsDomainNameAllowedForSite(privacyBits, siteId, domainName, keys))
+            if (enableDomainNameCheck && !IsDomainNameAllowedForSite(privacyBits, siteId, domainName, keys))
             {
                 return new DecryptionResponse(DecryptionStatus.DomainNameCheckFailed, null, established, siteId, siteKey.SiteId, null, 2, privacyBits.IsClientSideGenerated);
             }
 
             return new DecryptionResponse(DecryptionStatus.Success, idString, established, siteId, siteKey.SiteId, null, 2, privacyBits.IsClientSideGenerated);
         }
 
-        private static DecryptionResponse DecryptV3(byte[] encryptedId, KeyContainer keys, DateTime now, IdentityScope identityScope, int advertisingTokenVersion, string domainName)
+        private static DecryptionResponse DecryptV3(byte[] encryptedId, KeyContainer keys, DateTime now, IdentityScope identityScope, int advertisingTokenVersion, string domainName,  bool enableDomainNameCheck)
         {
             IdentityType identityType = GetIdentityType(encryptedId);
 
@@ -178,7 +178,7 @@ private static DecryptionResponse DecryptV3(byte[] encryptedId, KeyContainer key
                 return new DecryptionResponse(DecryptionStatus.UserOptedOut, null, established, siteId, siteKey.SiteId, identityType, advertisingTokenVersion, privacyBits.IsClientSideGenerated);
             }
 
-            if (!IsDomainNameAllowedForSite(privacyBits, siteId, domainName, keys))
+            if (enableDomainNameCheck && !IsDomainNameAllowedForSite(privacyBits, siteId, domainName, keys))
             {
                 return new DecryptionResponse(DecryptionStatus.DomainNameCheckFailed, null, established, siteId, siteKey.SiteId, identityType, advertisingTokenVersion,
                     privacyBits.IsClientSideGenerated);
@@ -270,9 +270,8 @@ internal static EncryptionDataResponse EncryptData(EncryptionDataRequest request
                 {
                     try
                     {
-                        // Decryption will fail if the token is a CSTG-derived token.
-                        // In that case the caller would have to provide siteId as part of the EncryptionDataRequest.
-                        DecryptionResponse decryptedToken = Decrypt(request.AdvertisingToken, keys, now, domainName: null, identityScope);
+                        // if the enableDomainNameCheck param is enabled , the caller would have to provide siteId as part of the EncryptionDataRequest.
+                        DecryptionResponse decryptedToken = Decrypt(request.AdvertisingToken, keys, now, domainName: null, identityScope, false);
                         if (!decryptedToken.Success)
                         {
                             return EncryptionDataResponse.MakeError(EncryptionStatus.TokenDecryptFailure);

test/UID2.Client.Test/EncryptionTestsV2.cs

@@ -47,7 +47,7 @@ public void TokenIsCstgDerivedTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);
@@ -67,12 +67,30 @@ public void TokenIsCstgDerivedDomainNameFailTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.False(res.Success);
             Assert.Equal(DecryptionStatus.DomainNameCheckFailed, res.Status);
             Assert.Null(res.Uid);
         }
+        
+        // if there is domain name associated with sites but we explicitly call 
+        // DecryptionResponse Decrypt(string token) or DecryptionResponse Decrypt(string token, DateTime utcNow)
+        // and we do not want to do domain name check
+        // the Decrypt function would still decrypt successfully
+        // in case DSP does not want to enable domain name check
+        [Fact]
+        public void TokenIsCstgDerivedNoDomainNameTest()
+        {
+            _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
+            var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
+            var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
+            var res = _client.Decrypt(advertisingToken);
+            Assert.True(res.IsClientSideGenerated);
+            Assert.True(res.Success);
+            Assert.Equal(DecryptionStatus.Success, res.Status);
+            Assert.Equal(EXAMPLE_EMAIL_RAW_UID2_V2, res.Uid);
+        }
 
         [Theory]
         // Any domain name is OK, because the token is not client-side generated.
@@ -85,7 +103,7 @@ public void TokenIsNotCstgDerivedDomainNameSuccessTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(false).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.False(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);

test/UID2.Client.Test/EncryptionTestsV3.cs

@@ -67,7 +67,7 @@ public void TokenIsCstgDerivedTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);
@@ -87,12 +87,30 @@ public void TokenIsCstgDerivedDomainNameFailTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.False(res.Success);
             Assert.Equal(DecryptionStatus.DomainNameCheckFailed, res.Status);
             Assert.Null(res.Uid);
         }
+        
+        // if there is domain name associated with sites but we explicitly call 
+        // DecryptionResponse Decrypt(string token) or DecryptionResponse Decrypt(string token, DateTime utcNow)
+        // and we do not want to do domain name check
+        // the Decrypt function would still decrypt successfully
+        // in case DSP does not want to enable domain name check
+        [Fact]
+        public void TokenIsCstgDerivedNoDomainNameTest()
+        {
+            _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
+            var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
+            var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
+            var res = _client.Decrypt(advertisingToken);
+            Assert.True(res.IsClientSideGenerated);
+            Assert.True(res.Success);
+            Assert.Equal(DecryptionStatus.Success, res.Status);
+            Assert.Equal(EXAMPLE_EMAIL_RAW_UID2_V2, res.Uid);
+        }
 
         [Theory]
         // Any domain name is OK, because the token is not client-side generated.
@@ -105,7 +123,7 @@ public void TokenIsNotCstgDerivedDomainNameSuccessTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(false).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.False(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);

test/UID2.Client.Test/EncryptionTestsV4.cs

@@ -185,7 +185,7 @@ public void TokenIsCstgDerivedTest(string domainName)
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             string advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
             ValidateAdvertisingToken(advertisingToken, IdentityScope.UID2, IdentityType.Email);
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);
@@ -205,12 +205,30 @@ public void TokenIsCstgDerivedDomainNameFailTest(string domainName)
             _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
             var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.True(res.IsClientSideGenerated);
             Assert.False(res.Success);
             Assert.Equal(DecryptionStatus.DomainNameCheckFailed, res.Status);
             Assert.Null(res.Uid);
         }
+        
+        // if there is domain name associated with sites but we explicitly call 
+        // DecryptionResponse Decrypt(string token) or DecryptionResponse Decrypt(string token, DateTime utcNow)
+        // and we do not want to do domain name check
+        // the Decrypt function would still decrypt successfully
+        // in case DSP does not want to enable domain name check
+        [Fact]
+        public void TokenIsCstgDerivedNoDomainNameTest()
+        {
+            _client.RefreshJson(KeySharingResponse(new [] { MASTER_KEY, SITE_KEY }));
+            var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(true).Build();
+            var advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
+            var res = _client.Decrypt(advertisingToken);
+            Assert.True(res.IsClientSideGenerated);
+            Assert.True(res.Success);
+            Assert.Equal(DecryptionStatus.Success, res.Status);
+            Assert.Equal(EXAMPLE_EMAIL_RAW_UID2_V2, res.Uid);
+        }
 
         [Theory]
         // Any domain name is OK, because the token is not client-side generated.
@@ -224,7 +242,7 @@ public void TokenIsNotCstgDerivedDomainNameSuccessTest(string domainName)
             var privacyBits = PrivacyBitsBuilder.Builder().WithClientSideGenerated(false).Build();
             string advertisingToken = _tokenBuilder.WithPrivacyBits(privacyBits).Build();
             ValidateAdvertisingToken(advertisingToken, IdentityScope.UID2, IdentityType.Email);
-            var res = _client.Decrypt(advertisingToken, NOW, domainName);
+            var res = _client.Decrypt(advertisingToken, domainName);
             Assert.False(res.IsClientSideGenerated);
             Assert.True(res.Success);
             Assert.Equal(DecryptionStatus.Success, res.Status);