[PM-12607] Move key rotation & validators to km ownership (#4941)

* Move key rotation & validators to km ownership * Fix build errors * Fix build errors * Fix import ordering * Update validator namespace * Move key rotation data to km ownership * Fix linting * Fix namespaces * Fix namespace * Fix namespaces * Move rotateuserkeycommandtests to km ownership
2025-06-30 15:42:48 -05:00 · 2024-11-21 10:17:04 -08:00
parent 92b94fd4ee
commit fae8692d2a
42 changed files with 66 additions and 71 deletions
--- a/test/Api.Test/KeyManagement/Validators/EmergencyAccessRotationValidatorTests.cs
+++ b/test/Api.Test/KeyManagement/Validators/EmergencyAccessRotationValidatorTests.cs
@ -0,0 +1,157 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.KeyManagement.Validators;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.KeyManagement.Validators;
+
+[SutProviderCustomize]
+public class EmergencyAccessRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_MissingEmergencyAccess_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.Add(new EmergencyAccessDetails { Id = Guid.NewGuid(), KeyEncrypted = "TestKey" });
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_EmergencyAccessDoesNotBelongToUser_NotIncluded(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        userEmergencyAccess.RemoveAt(0);
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserNotPremium_Success(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        // We want to allow users who have lost premium to rotate their key for any existing emergency access, as long
+        // as we restrict it to existing records and don't let them alter data
+        user.Premium = false;
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.Equal(userEmergencyAccess, result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NonConfirmedEmergencyAccess_NotReturned(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        emergencyAccessKeys.First().KeyEncrypted = null;
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        var result = await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys);
+
+        Assert.DoesNotContain(result, c => c.Id == emergencyAccessKeys.First().Id);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+        emergencyAccessKeys.First().KeyEncrypted = null;
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, emergencyAccessKeys));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_SentKeysAreEmptyButDatabaseIsNot_Throws(
+        SutProvider<EmergencyAccessRotationValidator> sutProvider, User user,
+        IEnumerable<EmergencyAccessWithIdRequestModel> emergencyAccessKeys)
+    {
+        sutProvider.GetDependency<IUserService>().CanAccessPremium(user).Returns(true);
+        var userEmergencyAccess = emergencyAccessKeys.Select(e => new EmergencyAccessDetails
+        {
+            Id = e.Id,
+            GrantorName = user.Name,
+            GrantorEmail = user.Email,
+            KeyEncrypted = e.KeyEncrypted,
+            Type = e.Type
+        }).ToList();
+        sutProvider.GetDependency<IEmergencyAccessRepository>().GetManyDetailsByGrantorIdAsync(user.Id)
+            .Returns(userEmergencyAccess);
+
+        await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<EmergencyAccessWithIdRequestModel>()));
+    }
+}