From 83e06c924100f4384e746d9a793d1486e60f8130 Mon Sep 17 00:00:00 2001
From: Jake Fink <jfink@bitwarden.com>
Date: Thu, 3 Apr 2025 11:57:51 -0400
Subject: [PATCH] [PM-19523] Filter expected webauthn keys for rotations by prf
 enabled (#5566)

* filter expected webauthn keys for rotations by prf enabled

* fix and add tests

* format
---
 .../WebAuthnLoginKeyRotationValidator.cs      | 16 +++---
 .../WebauthnLoginKeyRotationValidatorTests.cs | 56 +++++++++++++++++++
 2 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
index 1706aebd78..9c7efe0fbe 100644
--- a/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
+++ b/src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
@@ -17,20 +17,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
 
     public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
     {
-        // 2024-06: Remove after 3 releases, for backward compatibility
-        if (keysToRotate == null)
-        {
-            return new List<WebAuthnLoginRotateKeyData>();
-        }
-
         var result = new List<WebAuthnLoginRotateKeyData>();
         var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
-        if (existing == null || !existing.Any())
+        if (existing == null)
         {
             return result;
         }
 
-        foreach (var ea in existing)
+        var validCredentials = existing.Where(credential => credential.SupportsPrf);
+        if (!validCredentials.Any())
+        {
+            return result;
+        }
+
+        foreach (var ea in validCredentials)
         {
             var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
             if (keyToRotate == null)
diff --git a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
index de661497e4..93652735ef 100644
--- a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
@@ -14,6 +14,59 @@ namespace Bit.Api.Test.KeyManagement.Validators;
 [SutProviderCustomize]
 public class WebAuthnLoginKeyRotationValidatorTests
 {
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_Succeeds_ReturnsValidCredentials(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+            EncryptedUserKey = e.EncryptedUserKey
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            SupportsPrf = true,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(new List<WebAuthnCredential> { data });
+
+        var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
+        Assert.Single(result);
+        Assert.Equal(guid, result.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_DoesNotSupportPRF_Ignores(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedUserKey = e.EncryptedUserKey,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" };
+
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
+            .Returns(new List<WebAuthnCredential> { data });
+
+        var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
+        Assert.Empty(result);
+    }
+
     [Theory]
     [BitAutoData]
     public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
@@ -30,6 +83,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };
@@ -55,6 +109,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = guid,
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };
@@ -81,6 +136,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
         var data = new WebAuthnCredential
         {
             Id = guid,
+            SupportsPrf = true,
             EncryptedPublicKey = "TestKey",
             EncryptedUserKey = "Test"
         };