[PM-8107] Remove Duo v2 from server (#4934)

refactor(TwoFactorAuthentication): Remove references to old Duo SDK version 2 code and replace them with the Duo SDK version 4 supported library DuoUniversal code. Increased unit test coverage in the Two Factor Authentication code space. We opted to use DI instead of Inheritance for the Duo and OrganizaitonDuo two factor tokens to increase testability, since creating a testing mock of the Duo.Client was non-trivial. Reviewed-by: @JaredSnider-Bitwarden
2025-06-30 15:42:48 -05:00 · 2024-11-18 15:58:05 -08:00
parent e16cad50b1
commit ab5d4738d6
36 changed files with 1412 additions and 1369 deletions
--- a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
@ -1,8 +1,6 @@
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
-using Bit.Core.Auth.Identity;
-using Bit.Core.Auth.Models;
+using Bit.Core.Auth.Identity.TokenProviders;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Context;
 using Bit.Core.Entities;
@ -28,8 +26,7 @@ public class TwoFactorAuthenticationValidatorTests
 {
    private readonly IUserService _userService;
    private readonly UserManagerTestWrapper<User> _userManager;
-    private readonly IOrganizationDuoWebTokenProvider _organizationDuoWebTokenProvider;
-    private readonly ITemporaryDuoWebV4SDKService _temporaryDuoWebV4SDKService;
+    private readonly IOrganizationDuoUniversalTokenProvider _organizationDuoUniversalTokenProvider;
    private readonly IFeatureService _featureService;
    private readonly IApplicationCacheService _applicationCacheService;
    private readonly IOrganizationUserRepository _organizationUserRepository;
@ -42,8 +39,7 @@ public class TwoFactorAuthenticationValidatorTests
    {
        _userService = Substitute.For<IUserService>();
        _userManager = SubstituteUserManager();
-        _organizationDuoWebTokenProvider = Substitute.For<IOrganizationDuoWebTokenProvider>();
-        _temporaryDuoWebV4SDKService = Substitute.For<ITemporaryDuoWebV4SDKService>();
+        _organizationDuoUniversalTokenProvider = Substitute.For<IOrganizationDuoUniversalTokenProvider>();
        _featureService = Substitute.For<IFeatureService>();
        _applicationCacheService = Substitute.For<IApplicationCacheService>();
        _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
@ -54,8 +50,7 @@ public class TwoFactorAuthenticationValidatorTests
        _sut = new TwoFactorAuthenticationValidator(
                    _userService,
                    _userManager,
-                    _organizationDuoWebTokenProvider,
-                    _temporaryDuoWebV4SDKService,
+                    _organizationDuoUniversalTokenProvider,
                    _featureService,
                    _applicationCacheService,
                    _organizationUserRepository,
@ -439,7 +434,7 @@ public class TwoFactorAuthenticationValidatorTests
        string token)
    {
        // Arrange
-        _organizationDuoWebTokenProvider.ValidateAsync(
+        _organizationDuoUniversalTokenProvider.ValidateAsync(
            token, organization, user).Returns(true);

        _userManager.TWO_FACTOR_ENABLED = true;
@ -457,70 +452,6 @@ public class TwoFactorAuthenticationValidatorTests
        Assert.True(result);
    }

-    [Theory]
-    [BitAutoData(TwoFactorProviderType.Duo)]
-    [BitAutoData(TwoFactorProviderType.OrganizationDuo)]
-    public async void VerifyTwoFactorAsync_TemporaryDuoService_ValidToken_ReturnsTrue(
-        TwoFactorProviderType providerType,
-        User user,
-        Organization organization,
-        string token)
-    {
-        // Arrange
-        _featureService.IsEnabled(FeatureFlagKeys.DuoRedirect).Returns(true);
-        _userService.TwoFactorProviderIsEnabledAsync(providerType, user).Returns(true);
-        _temporaryDuoWebV4SDKService.ValidateAsync(
-            token, Arg.Any<TwoFactorProvider>(), user).Returns(true);
-
-        user.TwoFactorProviders = GetTwoFactorIndividualProviderJson(providerType);
-        organization.Use2fa = true;
-        organization.TwoFactorProviders = GetTwoFactorOrganizationDuoProviderJson();
-        organization.Enabled = true;
-
-        _userManager.TWO_FACTOR_ENABLED = true;
-        _userManager.TWO_FACTOR_TOKEN = token;
-        _userManager.TWO_FACTOR_TOKEN_VERIFIED = true;
-
-        // Act
-        var result = await _sut.VerifyTwoFactor(
-            user, organization, providerType, token);
-
-        // Assert
-        Assert.True(result);
-    }
-
-    [Theory]
-    [BitAutoData(TwoFactorProviderType.Duo)]
-    [BitAutoData(TwoFactorProviderType.OrganizationDuo)]
-    public async void VerifyTwoFactorAsync_TemporaryDuoService_InvalidToken_ReturnsFalse(
-    TwoFactorProviderType providerType,
-    User user,
-    Organization organization,
-    string token)
-    {
-        // Arrange
-        _featureService.IsEnabled(FeatureFlagKeys.DuoRedirect).Returns(true);
-        _userService.TwoFactorProviderIsEnabledAsync(providerType, user).Returns(true);
-        _temporaryDuoWebV4SDKService.ValidateAsync(
-            token, Arg.Any<TwoFactorProvider>(), user).Returns(true);
-
-        user.TwoFactorProviders = GetTwoFactorIndividualProviderJson(providerType);
-        organization.Use2fa = true;
-        organization.TwoFactorProviders = GetTwoFactorOrganizationDuoProviderJson();
-        organization.Enabled = true;
-
-        _userManager.TWO_FACTOR_ENABLED = true;
-        _userManager.TWO_FACTOR_TOKEN = token;
-        _userManager.TWO_FACTOR_TOKEN_VERIFIED = false;
-
-        // Act
-        var result = await _sut.VerifyTwoFactor(
-            user, organization, providerType, token);
-
-        // Assert
-        Assert.True(result);
-    }
-
    private static UserManagerTestWrapper<User> SubstituteUserManager()
    {
        return new UserManagerTestWrapper<User>(