nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-04 20:50:21 -05:00
Code

[PM-19523] Filter expected webauthn keys for rotations by prf enabled (#5566)

Browse Source 
* filter expected webauthn keys for rotations by prf enabled

* fix and add tests

* format
This commit is contained in:
Jake Fink 2025-04-03 11:57:51 -04:00 committed by GitHub
parent 38ae5ff885
commit 83e06c9241
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 64 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/Api/KeyManagement/Validators/WebAuthnLoginKeyRotationValidator.cs
View File

@ -17,20 +17,20 @@ public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<
public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate) public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
{ {
// 2024-06: Remove after 3 releases, for backward compatibility
if (keysToRotate == null)
{
return new List<WebAuthnLoginRotateKeyData>();
}
var result = new List<WebAuthnLoginRotateKeyData>(); var result = new List<WebAuthnLoginRotateKeyData>();
var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id); var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
if (existing == null || !existing.Any()) if (existing == null)
{ {
return result; return result;
} }
foreach (var ea in existing) var validCredentials = existing.Where(credential => credential.SupportsPrf);
if (!validCredentials.Any())
{
return result;
}
foreach (var ea in validCredentials)
{ {
var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id); var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
if (keyToRotate == null) if (keyToRotate == null)

56
test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
View File

@ -14,6 +14,59 @@ namespace Bit.Api.Test.KeyManagement.Validators;
[SutProviderCustomize] [SutProviderCustomize]
public class WebAuthnLoginKeyRotationValidatorTests public class WebAuthnLoginKeyRotationValidatorTests
{ {
[Theory]
[BitAutoData]
public async Task ValidateAsync_Succeeds_ReturnsValidCredentials(
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
{
var guid = Guid.NewGuid();
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
{
Id = guid,
EncryptedPublicKey = e.EncryptedPublicKey,
EncryptedUserKey = e.EncryptedUserKey
}).ToList();
var data = new WebAuthnCredential
{
Id = guid,
SupportsPrf = true,
EncryptedPublicKey = "TestKey",
EncryptedUserKey = "Test"
};
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data });
var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
Assert.Single(result);
Assert.Equal(guid, result.First().Id);
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_DoesNotSupportPRF_Ignores(
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
{
var guid = Guid.NewGuid();
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
{
Id = guid,
EncryptedUserKey = e.EncryptedUserKey,
EncryptedPublicKey = e.EncryptedPublicKey,
}).ToList();
var data = new WebAuthnCredential { Id = guid, EncryptedUserKey = "Test", EncryptedPublicKey = "TestKey" };
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id)
.Returns(new List<WebAuthnCredential> { data });
var result = await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate);
Assert.Empty(result);
}
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task ValidateAsync_WrongWebAuthnKeys_Throws( public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
@ -30,6 +83,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
var data = new WebAuthnCredential var data = new WebAuthnCredential
{ {
Id = Guid.Parse("00000000-0000-0000-0000-000000000002"), Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestKey",
EncryptedUserKey = "Test" EncryptedUserKey = "Test"
}; };
@ -55,6 +109,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
var data = new WebAuthnCredential var data = new WebAuthnCredential
{ {
Id = guid, Id = guid,
SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestKey",
EncryptedUserKey = "Test" EncryptedUserKey = "Test"
}; };
@ -81,6 +136,7 @@ public class WebAuthnLoginKeyRotationValidatorTests
var data = new WebAuthnCredential var data = new WebAuthnCredential
{ {
Id = guid, Id = guid,
SupportsPrf = true,
EncryptedPublicKey = "TestKey", EncryptedPublicKey = "TestKey",
EncryptedUserKey = "Test" EncryptedUserKey = "Test"
}; };