From 0189952e1fcdbdc88848ce3d8fdd454826d93e29 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 30 May 2024 11:08:26 +0200
Subject: [PATCH] [PM-5938] Prevent permanent vault coruption on key-rotation
 with desycned vault (#4098)

* Add check to verify the vault state for rotation is not obviously desynced (empty)

* Add unit test for key rotation guardrail

* Move de-synced vault detection to validators

* Add tests
---
 .../OrganizationUserRotationValidator.cs      |  6 +-----
 .../EmergencyAccessRotationValidator.cs       |  6 +-----
 .../Tools/Validators/SendRotationValidator.cs |  6 +-----
 .../Validators/CipherRotationValidator.cs     |  6 +-----
 .../Validators/FolderRotationValidator.cs     |  6 +-----
 .../OrganizationUserRotationValidatorTests.cs | 21 +++++++++++++++++++
 .../EmergencyAccessRotationValidatorTests.cs  | 21 +++++++++++++++++++
 .../CipherRotationValidatorTests.cs           | 12 +++++++++++
 .../FolderRotationValidatorTests.cs           | 10 +++++++++
 .../UserKey/RotateUserKeyCommandTests.cs      |  1 +
 10 files changed, 70 insertions(+), 25 deletions(-)

diff --git a/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs b/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs
index ad3913435b..c9cf39ae04 100644
--- a/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs
+++ b/src/Api/AdminConsole/Validators/OrganizationUserRotationValidator.cs
@@ -27,13 +27,9 @@ public class OrganizationUserRotationValidator : IRotationValidator<IEnumerable<
         }
 
         var result = new List<OrganizationUser>();
-        if (resetPasswordKeys == null || !resetPasswordKeys.Any())
-        {
-            return result;
-        }
 
         var existing = await _organizationUserRepository.GetManyByUserAsync(user.Id);
-        if (existing == null || !existing.Any())
+        if (existing == null || existing.Count == 0)
         {
             return result;
         }
diff --git a/src/Api/Auth/Validators/EmergencyAccessRotationValidator.cs b/src/Api/Auth/Validators/EmergencyAccessRotationValidator.cs
index dd75f6a761..5a038730e3 100644
--- a/src/Api/Auth/Validators/EmergencyAccessRotationValidator.cs
+++ b/src/Api/Auth/Validators/EmergencyAccessRotationValidator.cs
@@ -24,13 +24,9 @@ public class EmergencyAccessRotationValidator : IRotationValidator<IEnumerable<E
         IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
     {
         var result = new List<EmergencyAccess>();
-        if (emergencyAccessKeys == null || !emergencyAccessKeys.Any())
-        {
-            return result;
-        }
 
         var existing = await _emergencyAccessRepository.GetManyDetailsByGrantorIdAsync(user.Id);
-        if (existing == null || !existing.Any())
+        if (existing == null || existing.Count == 0)
         {
             return result;
         }
diff --git a/src/Api/Tools/Validators/SendRotationValidator.cs b/src/Api/Tools/Validators/SendRotationValidator.cs
index a8dc493e0d..f177d6b7fe 100644
--- a/src/Api/Tools/Validators/SendRotationValidator.cs
+++ b/src/Api/Tools/Validators/SendRotationValidator.cs
@@ -30,13 +30,9 @@ public class SendRotationValidator : IRotationValidator<IEnumerable<SendWithIdRe
     public async Task<IReadOnlyList<Send>> ValidateAsync(User user, IEnumerable<SendWithIdRequestModel> sends)
     {
         var result = new List<Send>();
-        if (sends == null || !sends.Any())
-        {
-            return result;
-        }
 
         var existingSends = await _sendRepository.GetManyByUserIdAsync(user.Id);
-        if (existingSends == null || !existingSends.Any())
+        if (existingSends == null || existingSends.Count == 0)
         {
             return result;
         }
diff --git a/src/Api/Vault/Validators/CipherRotationValidator.cs b/src/Api/Vault/Validators/CipherRotationValidator.cs
index 2f5ae36ef4..d6c12b96e9 100644
--- a/src/Api/Vault/Validators/CipherRotationValidator.cs
+++ b/src/Api/Vault/Validators/CipherRotationValidator.cs
@@ -26,13 +26,9 @@ public class CipherRotationValidator : IRotationValidator<IEnumerable<CipherWith
     public async Task<IEnumerable<Cipher>> ValidateAsync(User user, IEnumerable<CipherWithIdRequestModel> ciphers)
     {
         var result = new List<Cipher>();
-        if (ciphers == null || !ciphers.Any())
-        {
-            return result;
-        }
 
         var existingCiphers = await _cipherRepository.GetManyByUserIdAsync(user.Id, UseFlexibleCollections);
-        if (existingCiphers == null || !existingCiphers.Any())
+        if (existingCiphers == null || existingCiphers.Count == 0)
         {
             return result;
         }
diff --git a/src/Api/Vault/Validators/FolderRotationValidator.cs b/src/Api/Vault/Validators/FolderRotationValidator.cs
index b79c38e7a0..4290c08b13 100644
--- a/src/Api/Vault/Validators/FolderRotationValidator.cs
+++ b/src/Api/Vault/Validators/FolderRotationValidator.cs
@@ -19,13 +19,9 @@ public class FolderRotationValidator : IRotationValidator<IEnumerable<FolderWith
     public async Task<IEnumerable<Folder>> ValidateAsync(User user, IEnumerable<FolderWithIdRequestModel> folders)
     {
         var result = new List<Folder>();
-        if (folders == null || !folders.Any())
-        {
-            return result;
-        }
 
         var existingFolders = await _folderRepository.GetManyByUserIdAsync(user.Id);
-        if (existingFolders == null || !existingFolders.Any())
+        if (existingFolders == null || existingFolders.Count == 0)
         {
             return result;
         }
diff --git a/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs b/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
index ea429b33ee..5d4ffeef60 100644
--- a/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
+++ b/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
@@ -140,4 +140,25 @@ public class OrganizationUserRotationValidatorTests
         await Assert.ThrowsAsync<BadRequestException>(async () =>
             await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NoOrganizationsInRequestButInDatabase_Throws(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<ResetPasswordWithOrgIdRequestModel>()));
+    }
 }
diff --git a/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs b/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs
index 7e9cf6a6b3..c75ccd6437 100644
--- a/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs
+++ b/test/Api.Test/Auth/Validators/EmergencyAccessRotationValidatorTests.cs
@@ -133,4 +133,25 @@ public class EmergencyAccessRotationValidatorTests
         await Assert.ThrowsAsync<BadRequestException>(async () =>
             await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_SentKeysAreEmptyButDatabaseIsNot_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<EmergencyAccessWithIdRequestModel>()));
+    }
 }
diff --git a/test/Api.Test/Vault/Validators/CipherRotationValidatorTests.cs b/test/Api.Test/Vault/Validators/CipherRotationValidatorTests.cs
index 50e5879dc5..632bb49676 100644
--- a/test/Api.Test/Vault/Validators/CipherRotationValidatorTests.cs
+++ b/test/Api.Test/Vault/Validators/CipherRotationValidatorTests.cs
@@ -42,4 +42,16 @@ public class CipherRotationValidatorTests
 
         Assert.DoesNotContain(result, c => c.Id == ciphers.First().Id);
     }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentCiphersAreEmptyButDatabaseCiphersAreNot_Throws(
+        SutProvider<CipherRotationValidator> sutProvider, User user, IEnumerable<CipherWithIdRequestModel> ciphers)
+    {
+        var userCiphers = ciphers.Select(c => new CipherDetails { Id = c.Id.GetValueOrDefault(), Type = c.Type })
+            .ToList();
+        sutProvider.GetDependency<ICipherRepository>().GetManyByUserIdAsync(user.Id, Arg.Any<bool>())
+            .Returns(userCiphers);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<CipherWithIdRequestModel>()));
+    }
 }
diff --git a/test/Api.Test/Vault/Validators/FolderRotationValidatorTests.cs b/test/Api.Test/Vault/Validators/FolderRotationValidatorTests.cs
index acf987862b..0888fd32d4 100644
--- a/test/Api.Test/Vault/Validators/FolderRotationValidatorTests.cs
+++ b/test/Api.Test/Vault/Validators/FolderRotationValidatorTests.cs
@@ -39,4 +39,14 @@ public class FolderRotationValidatorTests
 
         Assert.DoesNotContain(result, c => c.Id == folders.First().Id);
     }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentFoldersAreEmptyButDatabaseFoldersAreNot_Throws(
+        SutProvider<FolderRotationValidator> sutProvider, User user, IEnumerable<FolderWithIdRequestModel> folders)
+    {
+        var userFolders = folders.Select(f => f.ToFolder(new Folder())).ToList();
+        sutProvider.GetDependency<IFolderRepository>().GetManyByUserIdAsync(user.Id).Returns(userFolders);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<FolderWithIdRequestModel>()));
+    }
 }
diff --git a/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs b/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
index d95d957915..f97e55a674 100644
--- a/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
@@ -49,4 +49,5 @@ public class RotateUserKeyCommandTests
         await sutProvider.GetDependency<IPushNotificationService>().ReceivedWithAnyArgs()
             .PushLogOutAsync(default, default);
     }
+
 }