[PM-5963] Fix tde offboarding vault corruption (#4144)

* Attempt to fix tde to mp flow * Move tde offboarding to dedicated flag * Add tde offboarding password request * Validate tde offboarding input * Correctly check whether tde is active when building trusted device options * Refactor Tde offboarding into a separate command * Add unit tests for tde offboarding * Update tde offboarding request model * Fix tests * Fix further tests * Fix documentation * Add validation for updatetdepasswordasync key/newmasterpassword * Add comment explaining test * Remove unrelated changes
2025-06-30 23:52:50 -05:00 · 2024-07-23 20:53:08 +02:00
parent 48f9d09f4e
commit ce185eb3df
11 changed files with 283 additions and 2 deletions
--- a/test/Core.Test/Auth/UserFeatures/TdeOffboarding/TdeOffboardingPasswordCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/TdeOffboarding/TdeOffboardingPasswordCommandTests.cs
@ -0,0 +1,99 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.UserFeatures.UserMasterPassword;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Identity;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Auth.UserFeatures.UserMasterPassword;
+
+[SutProviderCustomize]
+public class TdeOffboardingPasswordTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task TdeOffboardingPasswordCommand_Success(SutProvider<TdeOffboardingPasswordCommand> sutProvider,
+        User user, string masterPassword, string key, string hint, OrganizationUserOrganizationDetails orgUserDetails, SsoUser ssoUser)
+    {
+        // Arrange
+        user.MasterPassword = null;
+
+        sutProvider.GetDependency<IUserService>()
+            .UpdatePasswordHash(Arg.Any<User>(), Arg.Any<string>())
+            .Returns(IdentityResult.Success);
+
+        orgUserDetails.UseSso = true;
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByUserAsync(user.Id)
+            .Returns(new List<OrganizationUserOrganizationDetails> { orgUserDetails });
+
+        sutProvider.GetDependency<ISsoUserRepository>()
+            .GetByUserIdOrganizationIdAsync(orgUserDetails.OrganizationId, user.Id)
+            .Returns(ssoUser);
+
+        var ssoConfig = new SsoConfig();
+        var ssoConfigData = ssoConfig.GetData();
+        ssoConfigData.MemberDecryptionType = MemberDecryptionType.MasterPassword;
+        ssoConfig.SetData(ssoConfigData);
+        sutProvider.GetDependency<ISsoConfigRepository>()
+            .GetByOrganizationIdAsync(orgUserDetails.OrganizationId)
+            .Returns(ssoConfig);
+
+        // Act
+        var result = await sutProvider.Sut.UpdateTdeOffboardingPasswordAsync(user, masterPassword, key, hint);
+
+        // Assert
+        Assert.Equal(IdentityResult.Success, result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task TdeOffboardingPasswordCommand_RejectWithTdeEnabled(SutProvider<TdeOffboardingPasswordCommand> sutProvider,
+        User user, string masterPassword, string key, string hint, OrganizationUserOrganizationDetails orgUserDetails, SsoUser ssoUser)
+    {
+        // Arrange
+        user.MasterPassword = null;
+
+        sutProvider.GetDependency<IUserService>()
+            .UpdatePasswordHash(Arg.Any<User>(), Arg.Any<string>(), true, false)
+            .Returns(IdentityResult.Success);
+
+        orgUserDetails.UseSso = true;
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByUserAsync(user.Id)
+            .Returns(new List<OrganizationUserOrganizationDetails> { orgUserDetails });
+
+        sutProvider.GetDependency<ISsoUserRepository>()
+            .GetByUserIdOrganizationIdAsync(orgUserDetails.OrganizationId, user.Id)
+            .Returns(ssoUser);
+
+        var ssoConfig = new SsoConfig();
+        var ssoConfigData = ssoConfig.GetData();
+        ssoConfigData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+        ssoConfig.SetData(ssoConfigData);
+        sutProvider.GetDependency<ISsoConfigRepository>()
+            .GetByOrganizationIdAsync(orgUserDetails.OrganizationId)
+            .Returns(ssoConfig);
+
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateTdeOffboardingPasswordAsync(user, masterPassword, key, hint));
+    }
+
+
+    [Theory]
+    [BitAutoData]
+    public async Task TdeOffboardingPasswordCommand_RejectWithMasterPassword(SutProvider<TdeOffboardingPasswordCommand> sutProvider,
+        User user, string masterPassword, string key, string hint)
+    {
+        // the user already has a master password, so the off-boarding request should fail, since off-boarding only applies to passwordless TDE users
+        await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateTdeOffboardingPasswordAsync(user, masterPassword, key, hint));
+    }
+
+}