#nullable enable using System.Security.Claims; using Bit.Api.AdminConsole.Models.Request.Organizations; using Bit.Api.Auth.Models.Request; using Bit.Api.Auth.Models.Request.WebAuthn; using Bit.Api.KeyManagement.Controllers; using Bit.Api.KeyManagement.Models.Requests; using Bit.Api.KeyManagement.Validators; using Bit.Api.Tools.Models.Request; using Bit.Api.Vault.Models.Request; using Bit.Core; using Bit.Core.Auth.Entities; using Bit.Core.Auth.Models.Data; using Bit.Core.Entities; using Bit.Core.Exceptions; using Bit.Core.KeyManagement.Commands.Interfaces; using Bit.Core.KeyManagement.Models.Data; using Bit.Core.KeyManagement.UserKey; using Bit.Core.Repositories; using Bit.Core.Services; using Bit.Core.Tools.Entities; using Bit.Core.Vault.Entities; using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture.Attributes; using Microsoft.AspNetCore.Identity; using NSubstitute; using NSubstitute.ReturnsExtensions; using Xunit; namespace Bit.Api.Test.KeyManagement.Controllers; [ControllerCustomize(typeof(AccountsKeyManagementController))] [SutProviderCustomize] [JsonDocumentCustomize] public class AccountsKeyManagementControllerTests { [Theory] [BitAutoData] public async Task RegenerateKeysAsync_FeatureFlagOff_Throws( SutProvider sutProvider, KeyRegenerationRequestModel data) { sutProvider.GetDependency().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration)) .Returns(false); sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).ReturnsNull(); await Assert.ThrowsAsync(() => sutProvider.Sut.RegenerateKeysAsync(data)); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .GetManyByUserAsync(Arg.Any()); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .GetManyDetailsByGranteeIdAsync(Arg.Any()); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .RegenerateKeysAsync(Arg.Any(), Arg.Any>(), Arg.Any>()); } [Theory] [BitAutoData] public async Task RegenerateKeysAsync_UserNull_Throws(SutProvider sutProvider, KeyRegenerationRequestModel data) { sutProvider.GetDependency().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration)) .Returns(true); sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).ReturnsNull(); await Assert.ThrowsAsync(() => sutProvider.Sut.RegenerateKeysAsync(data)); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .GetManyByUserAsync(Arg.Any()); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .GetManyDetailsByGranteeIdAsync(Arg.Any()); await sutProvider.GetDependency().ReceivedWithAnyArgs(0) .RegenerateKeysAsync(Arg.Any(), Arg.Any>(), Arg.Any>()); } [Theory] [BitAutoData] public async Task RegenerateKeysAsync_Success(SutProvider sutProvider, KeyRegenerationRequestModel data, User user, ICollection orgUsers, ICollection accessDetails) { sutProvider.GetDependency().IsEnabled(Arg.Is(FeatureFlagKeys.PrivateKeyRegeneration)) .Returns(true); sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).Returns(user); sutProvider.GetDependency().GetManyByUserAsync(Arg.Is(user.Id)).Returns(orgUsers); sutProvider.GetDependency().GetManyDetailsByGranteeIdAsync(Arg.Is(user.Id)) .Returns(accessDetails); await sutProvider.Sut.RegenerateKeysAsync(data); await sutProvider.GetDependency().Received(1) .GetManyByUserAsync(Arg.Is(user.Id)); await sutProvider.GetDependency().Received(1) .GetManyDetailsByGranteeIdAsync(Arg.Is(user.Id)); await sutProvider.GetDependency().Received(1) .RegenerateKeysAsync( Arg.Is(u => u.UserId == user.Id && u.PublicKey == data.UserPublicKey && u.UserKeyEncryptedPrivateKey == data.UserKeyEncryptedUserPrivateKey), Arg.Is(orgUsers), Arg.Is(accessDetails)); } [Theory] [BitAutoData] public async Task RotateUserAccountKeysSuccess(SutProvider sutProvider, RotateUserAccountKeysAndDataRequestModel data, User user) { sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).Returns(user); sutProvider.GetDependency().RotateUserAccountKeysAsync(Arg.Any(), Arg.Any()) .Returns(IdentityResult.Success); await sutProvider.Sut.RotateUserAccountKeysAsync(data); await sutProvider.GetDependency, IEnumerable>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountUnlockData.EmergencyAccessUnlockData)); await sutProvider.GetDependency, IReadOnlyList>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountUnlockData.OrganizationAccountRecoveryUnlockData)); await sutProvider.GetDependency, IEnumerable>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountUnlockData.PasskeyUnlockData)); await sutProvider.GetDependency, IEnumerable>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountData.Ciphers)); await sutProvider.GetDependency, IEnumerable>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountData.Folders)); await sutProvider.GetDependency, IReadOnlyList>>().Received(1) .ValidateAsync(Arg.Any(), Arg.Is(data.AccountData.Sends)); await sutProvider.GetDependency().Received(1) .RotateUserAccountKeysAsync(Arg.Is(user), Arg.Is(d => d.OldMasterKeyAuthenticationHash == data.OldMasterKeyAuthenticationHash && d.MasterPasswordUnlockData.KdfType == data.AccountUnlockData.MasterPasswordUnlockData.KdfType && d.MasterPasswordUnlockData.KdfIterations == data.AccountUnlockData.MasterPasswordUnlockData.KdfIterations && d.MasterPasswordUnlockData.KdfMemory == data.AccountUnlockData.MasterPasswordUnlockData.KdfMemory && d.MasterPasswordUnlockData.KdfParallelism == data.AccountUnlockData.MasterPasswordUnlockData.KdfParallelism && d.MasterPasswordUnlockData.Email == data.AccountUnlockData.MasterPasswordUnlockData.Email && d.MasterPasswordUnlockData.MasterKeyAuthenticationHash == data.AccountUnlockData.MasterPasswordUnlockData.MasterKeyAuthenticationHash && d.MasterPasswordUnlockData.MasterKeyEncryptedUserKey == data.AccountUnlockData.MasterPasswordUnlockData.MasterKeyEncryptedUserKey && d.AccountPublicKey == data.AccountKeys.AccountPublicKey && d.UserKeyEncryptedAccountPrivateKey == data.AccountKeys.UserKeyEncryptedAccountPrivateKey )); } [Theory] [BitAutoData] public async Task RotateUserKeyNoUser_Throws(SutProvider sutProvider, RotateUserAccountKeysAndDataRequestModel data) { User? user = null; sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).Returns(user); sutProvider.GetDependency().RotateUserAccountKeysAsync(Arg.Any(), Arg.Any()) .Returns(IdentityResult.Success); await Assert.ThrowsAsync(() => sutProvider.Sut.RotateUserAccountKeysAsync(data)); } [Theory] [BitAutoData] public async Task RotateUserKeyWrongData_Throws(SutProvider sutProvider, RotateUserAccountKeysAndDataRequestModel data, User user, IdentityErrorDescriber _identityErrorDescriber) { sutProvider.GetDependency().GetUserByPrincipalAsync(Arg.Any()).Returns(user); sutProvider.GetDependency().RotateUserAccountKeysAsync(Arg.Any(), Arg.Any()) .Returns(IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch())); try { await sutProvider.Sut.RotateUserAccountKeysAsync(data); Assert.Fail("Should have thrown"); } catch (BadRequestException ex) { Assert.NotEmpty(ex.ModelState.Values); } } }