mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 15:42:48 -05:00
[PM-12607] Move key rotation & validators to km ownership (#4941)
* Move key rotation & validators to km ownership * Fix build errors * Fix build errors * Fix import ordering * Update validator namespace * Move key rotation data to km ownership * Fix linting * Fix namespaces * Fix namespace * Fix namespaces * Move rotateuserkeycommandtests to km ownership
This commit is contained in:
Bernd Schoolmann
@ -4,7 +4,7 @@ using Bit.Api.Auth.Controllers;
|
||||
using Bit.Api.Auth.Models.Request;
|
||||
using Bit.Api.Auth.Models.Request.Accounts;
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Api.Auth.Validators;
|
||||
using Bit.Api.KeyManagement.Validators;
|
||||
using Bit.Api.Tools.Models.Request;
|
||||
using Bit.Api.Vault.Models.Request;
|
||||
using Bit.Core;
|
||||
@ -14,12 +14,12 @@ using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Models.Api.Request.Accounts;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Auth.UserFeatures.TdeOffboardingPassword.Interfaces;
|
||||
using Bit.Core.Auth.UserFeatures.UserKey;
|
||||
using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
|
||||
using Bit.Core.Billing.Services;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.KeyManagement.UserKey;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Settings;
|
||||
|
||||
@ -1,157 +0,0 @@
|
||||
using Bit.Api.Auth.Models.Request;
|
||||
using Bit.Api.Auth.Validators;
|
||||
using Bit.Core.Auth.Models.Data;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.Auth.Validators;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class EmergencyAccessRotationValidatorTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_MissingEmergencyAccess_Throws(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
userEmergencyAccess.Add(new EmergencyAccessDetails { Id = Guid.NewGuid(), KeyEncrypted = "TestKey" });
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_EmergencyAccessDoesNotBelongToUser_NotIncluded(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
userEmergencyAccess.RemoveAt(0);
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
|
||||
var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
|
||||
|
||||
Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_UserNotPremium_Success(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
// We want to allow users who have lost premium to rotate their key for any existing emergency access, as long
|
||||
// as we restrict it to existing records and don't let them alter data
|
||||
user.Premium = false;
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
|
||||
var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
|
||||
|
||||
Assert.Equal(userEmergencyAccess, result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_NonConfirmedEmergencyAccess_NotReturned(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
emergencyAccessKeys.First().KeyEncrypted = null;
|
||||
sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
|
||||
var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
|
||||
|
||||
Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
emergencyAccessKeys.First().KeyEncrypted = null;
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_SentKeysAreEmptyButDatabaseIsNot_Throws(
|
||||
SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
|
||||
IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
|
||||
var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
|
||||
{
|
||||
Id = e.Id,
|
||||
GrantorName = user.Name,
|
||||
GrantorEmail = user.Email,
|
||||
KeyEncrypted = e.KeyEncrypted,
|
||||
Type = e.Type
|
||||
}).ToList();
|
||||
sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
|
||||
.Returns(userEmergencyAccess);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<EmergencyAccessWithIdRequestModel>()));
|
||||
}
|
||||
}
|
||||
@ -1,93 +0,0 @@
|
||||
using Bit.Api.Auth.Models.Request.WebAuthn;
|
||||
using Bit.Api.Auth.Validators;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.Auth.Validators;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class WebAuthnLoginKeyRotationValidatorTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
|
||||
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
Id = Guid.Parse("00000000-0000-0000-0000-000000000001"),
|
||||
EncryptedPublicKey = e.EncryptedPublicKey,
|
||||
EncryptedUserKey = e.EncryptedUserKey
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_NullUserKey_Throws(
|
||||
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
var guid = Guid.NewGuid();
|
||||
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedPublicKey = e.EncryptedPublicKey,
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
}
|
||||
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task ValidateAsync_NullPublicKey_Throws(
|
||||
SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
|
||||
IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
|
||||
{
|
||||
var guid = Guid.NewGuid();
|
||||
var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedUserKey = e.EncryptedUserKey,
|
||||
}).ToList();
|
||||
|
||||
var data = new WebAuthnCredential
|
||||
{
|
||||
Id = guid,
|
||||
EncryptedPublicKey = "TestKey",
|
||||
EncryptedUserKey = "Test"
|
||||
};
|
||||
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(async () =>
|
||||
await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user