[PM-12607] Move key rotation & validators to km ownership (#4941)

* Move key rotation & validators to km ownership * Fix build errors * Fix build errors * Fix import ordering * Update validator namespace * Move key rotation data to km ownership * Fix linting * Fix namespaces * Fix namespace * Fix namespaces * Move rotateuserkeycommandtests to km ownership
2025-06-30 07:36:14 -05:00 · 2024-11-21 10:17:04 -08:00
parent 92b94fd4ee
commit fae8692d2a
42 changed files with 66 additions and 71 deletions
--- a/test/Api.Test/KeyManagement/Validators/CipherRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/CipherRotationValidatorTests.cs
@ -0,0 +1,57 @@
+using Bit.Api.KeyManagement.Validators;
+using Bit.Api.Vault.Models.Request;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class CipherRotationValidatorTests
+{
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_MissingCipher_Throws(SutProvider<CipherRotationValidator> sutProvider, User user,
+        IEnumerable<CipherWithIdRequestModel> ciphers)
+    {
+        var userCiphers = ciphers.Select(c => new CipherDetails { Id = c.Id.GetValueOrDefault(), Type = c.Type })
+            .ToList();
+        userCiphers.Add(new CipherDetails { Id = Guid.NewGuid(), Type = Core.Vault.Enums.CipherType.Login });
+        sutProvider.GetDependency<ICipherRepository>().GetManyByUserIdAsync(user.Id, Arg.Any<bool>())
+            .Returns(userCiphers);
+
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, ciphers));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_CipherDoesNotBelongToUser_NotIncluded(
+        SutProvider<CipherRotationValidator> sutProvider, User user, IEnumerable<CipherWithIdRequestModel> ciphers)
+    {
+        var userCiphers = ciphers.Select(c => new CipherDetails { Id = c.Id.GetValueOrDefault(), Type = c.Type })
+            .ToList();
+        userCiphers.RemoveAt(0);
+        sutProvider.GetDependency<ICipherRepository>().GetManyByUserIdAsync(user.Id, Arg.Any<bool>())
+            .Returns(userCiphers);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, ciphers);
+
+        Assert.DoesNotContain(result, c => c.Id == ciphers.First().Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentCiphersAreEmptyButDatabaseCiphersAreNot_Throws(
+        SutProvider<CipherRotationValidator> sutProvider, User user, IEnumerable<CipherWithIdRequestModel> ciphers)
+    {
+        var userCiphers = ciphers.Select(c => new CipherDetails { Id = c.Id.GetValueOrDefault(), Type = c.Type })
+            .ToList();
+        sutProvider.GetDependency<ICipherRepository>().GetManyByUserIdAsync(user.Id, Arg.Any<bool>())
+            .Returns(userCiphers);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<CipherWithIdRequestModel>()));
+    }
+}
--- a/test/Api.Test/KeyManagement/Validators/EmergencyAccessRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/EmergencyAccessRotationValidatorTests.cs
@ -0,0 +1,157 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class EmergencyAccessRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_MissingEmergencyAccess_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.Add(new EmergencyAccessDetails { Id = Guid.NewGuid(), KeyEncrypted = "TestKey" });
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_EmergencyAccessDoesNotBelongToUser_NotIncluded(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.RemoveAt(0);
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserNotPremium_Success(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        // We want to allow users who have lost premium to rotate their key for any existing emergency access, as long
+        // as we restrict it to existing records and don't let them alter data
+        user.Premium = false;
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.Equal(userEmergencyAccess, result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NonConfirmedEmergencyAccess_NotReturned(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        emergencyAccessKeys.First().KeyEncrypted = null;
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+        emergencyAccessKeys.First().KeyEncrypted = null;
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_SentKeysAreEmptyButDatabaseIsNot_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<EmergencyAccessWithIdRequestModel>()));
+    }
+}
--- a/test/Api.Test/KeyManagement/Validators/FolderRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/FolderRotationValidatorTests.cs
@ -0,0 +1,52 @@
+using Bit.Api.KeyManagement.Validators;
+using Bit.Api.Vault.Models.Request;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class FolderRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_MissingFolder_Throws(SutProvider<FolderRotationValidator> sutProvider, User user,
+        IEnumerable<FolderWithIdRequestModel> folders)
+    {
+        var userFolders = folders.Select(f => f.ToFolder(new Folder())).ToList();
+        userFolders.Add(new Folder { Id = Guid.NewGuid(), Name = "Missing Folder" });
+        sutProvider.GetDependency<IFolderRepository>().GetManyByUserIdAsync(user.Id).Returns(userFolders);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, folders));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_FolderDoesNotBelongToUser_NotReturned(
+        SutProvider<FolderRotationValidator> sutProvider, User user, IEnumerable<FolderWithIdRequestModel> folders)
+    {
+        var userFolders = folders.Select(f => f.ToFolder(new Folder())).ToList();
+        userFolders.RemoveAt(0);
+        sutProvider.GetDependency<IFolderRepository>().GetManyByUserIdAsync(user.Id).Returns(userFolders);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, folders);
+
+        Assert.DoesNotContain(result, c => c.Id == folders.First().Id);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_SentFoldersAreEmptyButDatabaseFoldersAreNot_Throws(
+        SutProvider<FolderRotationValidator> sutProvider, User user, IEnumerable<FolderWithIdRequestModel> folders)
+    {
+        var userFolders = folders.Select(f => f.ToFolder(new Folder())).ToList();
+        sutProvider.GetDependency<IFolderRepository>().GetManyByUserIdAsync(user.Id).Returns(userFolders);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<FolderWithIdRequestModel>()));
+    }
+}
--- a/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/OrganizationUserRotationValidatorTests.cs
@ -0,0 +1,164 @@
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class OrganizationUserRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_Success_ReturnsValid(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
+
+        Assert.Equal(result.Select(r => r.OrganizationId), resetPasswordKeys.Select(a => a.OrganizationId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NullResetPasswordKeys_ReturnsEmptyList(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user)
+    {
+        // Arrange
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys = null;
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Empty(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NoOrgUsers_ReturnsEmptyList(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(new List<OrganizationUser>()); // Return an empty list
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Empty(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_MissingResetPassword_Throws(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        existingUserResetPassword.Add(new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            ResetPasswordKey = "Missing ResetPasswordKey"
+        });
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_ResetPasswordDoesNotBelongToUser_NotReturned(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        existingUserResetPassword.RemoveAt(0);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == resetPasswordKeys.First().OrganizationId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+        resetPasswordKeys.First().ResetPasswordKey = null;
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NoOrganizationsInRequestButInDatabase_Throws(
+        SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
+        IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
+    {
+        var existingUserResetPassword = resetPasswordKeys
+            .Select(a =>
+                new OrganizationUser
+                {
+                    Id = new Guid(),
+                    ResetPasswordKey = a.ResetPasswordKey,
+                    OrganizationId = a.OrganizationId
+                }).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
+            .Returns(existingUserResetPassword);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<ResetPasswordWithOrgIdRequestModel>()));
+    }
+}
--- a/test/Api.Test/KeyManagement/Validators/SendRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/SendRotationValidatorTests.cs
@ -0,0 +1,184 @@
+using System.Text.Json;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Api.Tools.Models;
+using Bit.Api.Tools.Models.Request;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Tools.Entities;
+using Bit.Core.Tools.Enums;
+using Bit.Core.Tools.Models.Data;
+using Bit.Core.Tools.Repositories;
+using Bit.Core.Tools.Services;
+using Bit.Core.Utilities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class SendRotationValidatorTests
+{
+    [Fact]
+    public async Task ValidateAsync_Success()
+    {
+        // Arrange
+        var sendService = Substitute.For<ISendService>();
+        var sendRepository = Substitute.For<ISendRepository>();
+
+        var sut = new SendRotationValidator(
+            sendService,
+            sendRepository
+        );
+
+        var user = new User { Id = new Guid() };
+        var sends = CreateInputSendRequests();
+
+        sendRepository.GetManyByUserIdAsync(user.Id).Returns(MockUserSends(user));
+
+        // Act
+        var result = await sut.ValidateAsync(user, sends);
+
+        // Assert
+        var sendIds = new Guid[]
+        {
+            new("72e9ac6d-05f4-4227-ae0d-8a5207623a1a"), new("6b55836c-9280-4589-8762-01b0d8172c97"),
+            new("9a65bbfb-8138-4aa5-a572-e5c0a41b540e"),
+        };
+        Assert.All(result, c => Assert.Contains(c.Id, sendIds));
+    }
+
+    [Fact]
+    public async Task ValidateAsync_SendNotReturnedFromRepository_NotIncludedInOutput()
+    {
+        // Arrange
+        var sendService = Substitute.For<ISendService>();
+        var sendRepository = Substitute.For<ISendRepository>();
+
+        var sut = new SendRotationValidator(
+            sendService,
+            sendRepository
+        );
+
+        var user = new User { Id = new Guid() };
+        var sends = CreateInputSendRequests();
+
+        var userSends = MockUserSends(user);
+        userSends.RemoveAll(c => c.Id == new Guid("72e9ac6d-05f4-4227-ae0d-8a5207623a1a"));
+        sendRepository.GetManyByUserIdAsync(user.Id).Returns(userSends);
+
+        var result = await sut.ValidateAsync(user, sends);
+
+        Assert.DoesNotContain(result, c => c.Id == new Guid("72e9ac6d-05f4-4227-ae0d-8a5207623a1a"));
+    }
+
+    [Fact]
+    public async Task ValidateAsync_InputMissingUserSend_Throws()
+    {
+        // Arrange
+        var sendService = Substitute.For<ISendService>();
+        var sendRepository = Substitute.For<ISendRepository>();
+
+        var sut = new SendRotationValidator(
+            sendService,
+            sendRepository
+        );
+
+        var user = new User { Id = new Guid() };
+        var sends = CreateInputSendRequests();
+
+        var userSends = MockUserSends(user);
+        userSends.Add(new Send { Id = new Guid(), Data = "{}" });
+        sendRepository.GetManyByUserIdAsync(user.Id).Returns(userSends);
+
+        // Act, Assert
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sut.ValidateAsync(user, sends));
+    }
+
+    private IEnumerable<SendWithIdRequestModel> CreateInputSendRequests()
+    {
+        return new[]
+        {
+            new SendWithIdRequestModel
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = false,
+                Id = new Guid("72e9ac6d-05f4-4227-ae0d-8a5207623a1a"),
+                Key = "Send1Key",
+                Name = "Send 1",
+                Type = SendType.Text,
+                Text = new SendTextModel(new SendTextData("Text name", "Notes", "Encrypted text for Send 1", false))
+            },
+            new SendWithIdRequestModel
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = true,
+                Id = new Guid("6b55836c-9280-4589-8762-01b0d8172c97"),
+                Key = "Send2Key",
+                Name = "Send 2",
+                Type = SendType.Text,
+                Text = new SendTextModel(new SendTextData("Text name", "Notes", "Encrypted text for Send 2",
+                    false)),
+            },
+            new SendWithIdRequestModel
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = false,
+                Id = new Guid("9a65bbfb-8138-4aa5-a572-e5c0a41b540e"),
+                Key = "Send3Key",
+                Name = "Send 3",
+                Type = SendType.File,
+                File = new SendFileModel(new SendFileData("File name", "Notes", "File name here")),
+                HideEmail = true
+            }
+        };
+    }
+
+    private List<Send> MockUserSends(User user)
+    {
+        return new List<Send>(new[]
+        {
+            new Send
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = false,
+                Id = new Guid("72e9ac6d-05f4-4227-ae0d-8a5207623a1a"),
+                UserId = user.Id,
+                Key = "Send1Key",
+                Type = SendType.Text,
+                Data = JsonSerializer.Serialize(
+                    new SendTextModel(new SendTextData("Text name", "Notes", "Encrypted text for Send 1", false)),
+                    JsonHelpers.IgnoreWritingNull),
+            },
+            new Send
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = true,
+                Id = new Guid("6b55836c-9280-4589-8762-01b0d8172c97"),
+                UserId = user.Id,
+                Key = "Send2Key",
+                Type = SendType.Text,
+                Data = JsonSerializer.Serialize(
+                    new SendTextModel(new SendTextData("Text name", "Notes", "Encrypted text for Send 2",
+                        false)),
+                    JsonHelpers.IgnoreWritingNull),
+            },
+            new Send
+            {
+                DeletionDate = new DateTime(2080, 12, 31),
+                Disabled = false,
+                Id = new Guid("9a65bbfb-8138-4aa5-a572-e5c0a41b540e"),
+                UserId = user.Id,
+                Key = "Send3Key",
+                Type = SendType.File,
+                Data = JsonSerializer.Serialize(
+                    new SendFileModel(new SendFileData("File name", "Notes", "File name here")),
+                    JsonHelpers.IgnoreWritingNull),
+                HideEmail = true
+            }
+        });
+    }
+
+
+}
--- a/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/WebauthnLoginKeyRotationValidatorTests.cs
@ -0,0 +1,93 @@
+using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class WebAuthnLoginKeyRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = Guid.Parse("00000000-0000-0000-0000-000000000001"),
+            EncryptedPublicKey = e.EncryptedPublicKey,
+            EncryptedUserKey = e.EncryptedUserKey
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NullUserKey_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NullPublicKey_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedUserKey = e.EncryptedUserKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+}