[PM-5938] Prevent permanent vault coruption on key-rotation with desycned vault (#4098)

* Add check to verify the vault state for rotation is not obviously desynced (empty) * Add unit test for key rotation guardrail * Move de-synced vault detection to validators * Add tests
2025-07-03 00:52:49 -05:00 · 2024-05-30 11:08:26 +02:00
parent f73b7c7fa8
commit 0189952e1f
10 changed files with 70 additions and 25 deletions
--- a/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
+++ b/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
@ -140,4 +140,25 @@ public class OrganizationUserRotationValidatorTests
        await Assert.ThrowsAsync<BadRequestException>(async () =>
            await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NoOrganizationsInRequestButInDatabase_Throws(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<ResetPasswordWithOrgIdRequestModel>()));
+    }
 }