using Bit.Core.Entities; using Bit.Core.KeyManagement.Models.Data; using Bit.Core.KeyManagement.UserKey.Implementations; using Bit.Core.Services; using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture.Attributes; using Microsoft.AspNetCore.Identity; using NSubstitute; using Xunit; namespace Bit.Core.Test.KeyManagement.UserKey; [SutProviderCustomize] public class RotateUserAccountKeysCommandTests { [Theory, BitAutoData] public async Task RejectsWrongOldMasterPassword(SutProvider sutProvider, User user, RotateUserAccountKeysData model) { user.Email = model.MasterPasswordUnlockData.Email; sutProvider.GetDependency().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash) .Returns(false); var result = await sutProvider.Sut.RotateUserAccountKeysAsync(user, model); Assert.NotEqual(IdentityResult.Success, result); } [Theory, BitAutoData] public async Task ThrowsWhenUserIsNull(SutProvider sutProvider, RotateUserAccountKeysData model) { await Assert.ThrowsAsync(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(null, model)); } [Theory, BitAutoData] public async Task RejectsEmailChange(SutProvider sutProvider, User user, RotateUserAccountKeysData model) { user.Kdf = Enums.KdfType.Argon2id; user.KdfIterations = 3; user.KdfMemory = 64; user.KdfParallelism = 4; model.MasterPasswordUnlockData.Email = user.Email + ".different-domain"; model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id; model.MasterPasswordUnlockData.KdfIterations = 3; model.MasterPasswordUnlockData.KdfMemory = 64; model.MasterPasswordUnlockData.KdfParallelism = 4; sutProvider.GetDependency().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash) .Returns(true); await Assert.ThrowsAsync(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model)); } [Theory, BitAutoData] public async Task RejectsKdfChange(SutProvider sutProvider, User user, RotateUserAccountKeysData model) { user.Kdf = Enums.KdfType.Argon2id; user.KdfIterations = 3; user.KdfMemory = 64; user.KdfParallelism = 4; model.MasterPasswordUnlockData.Email = user.Email; model.MasterPasswordUnlockData.KdfType = Enums.KdfType.PBKDF2_SHA256; model.MasterPasswordUnlockData.KdfIterations = 600000; model.MasterPasswordUnlockData.KdfMemory = null; model.MasterPasswordUnlockData.KdfParallelism = null; sutProvider.GetDependency().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash) .Returns(true); await Assert.ThrowsAsync(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model)); } [Theory, BitAutoData] public async Task RejectsPublicKeyChange(SutProvider sutProvider, User user, RotateUserAccountKeysData model) { user.PublicKey = "old-public"; user.Kdf = Enums.KdfType.Argon2id; user.KdfIterations = 3; user.KdfMemory = 64; user.KdfParallelism = 4; model.AccountPublicKey = "new-public"; model.MasterPasswordUnlockData.Email = user.Email; model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id; model.MasterPasswordUnlockData.KdfIterations = 3; model.MasterPasswordUnlockData.KdfMemory = 64; model.MasterPasswordUnlockData.KdfParallelism = 4; sutProvider.GetDependency().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash) .Returns(true); await Assert.ThrowsAsync(async () => await sutProvider.Sut.RotateUserAccountKeysAsync(user, model)); } [Theory, BitAutoData] public async Task RotatesCorrectly(SutProvider sutProvider, User user, RotateUserAccountKeysData model) { user.Kdf = Enums.KdfType.Argon2id; user.KdfIterations = 3; user.KdfMemory = 64; user.KdfParallelism = 4; model.MasterPasswordUnlockData.Email = user.Email; model.MasterPasswordUnlockData.KdfType = Enums.KdfType.Argon2id; model.MasterPasswordUnlockData.KdfIterations = 3; model.MasterPasswordUnlockData.KdfMemory = 64; model.MasterPasswordUnlockData.KdfParallelism = 4; model.AccountPublicKey = user.PublicKey; sutProvider.GetDependency().CheckPasswordAsync(user, model.OldMasterKeyAuthenticationHash) .Returns(true); var result = await sutProvider.Sut.RotateUserAccountKeysAsync(user, model); Assert.Equal(IdentityResult.Success, result); } }