bitwarden-server/test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs

using Bit.Core;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Auth.Models.Data;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Identity.IdentityServer;
using Bit.Identity.Utilities;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;

namespace Bit.Identity.Test.IdentityServer;

public class UserDecryptionOptionsBuilderTests
{
    private readonly ICurrentContext _currentContext;
    private readonly IFeatureService _featureService;
    private readonly IDeviceRepository _deviceRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly UserDecryptionOptionsBuilder _builder;

    public UserDecryptionOptionsBuilderTests()
    {
        _currentContext = Substitute.For<ICurrentContext>();
        _featureService = Substitute.For<IFeatureService>();
        _deviceRepository = Substitute.For<IDeviceRepository>();
        _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
        _builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
    }

    [Theory]
    [BitAutoData(true, true, true)]    // All keys are non-null
    [BitAutoData(false, false, false)] // All keys are null
    [BitAutoData(false, false, true)]  // EncryptedUserKey is non-null, others are null
    [BitAutoData(false, true, false)]  // EncryptedPublicKey is non-null, others are null
    [BitAutoData(true, false, false)]  // EncryptedPrivateKey is non-null, others are null
    [BitAutoData(true, false, true)]   // EncryptedPrivateKey and EncryptedUserKey are non-null, EncryptedPublicKey is null
    [BitAutoData(true, true, false)]   // EncryptedPrivateKey and EncryptedPublicKey are non-null, EncryptedUserKey is null
    [BitAutoData(false, true, true)]   // EncryptedPublicKey and EncryptedUserKey are non-null, EncryptedPrivateKey is null
    public async Task WithWebAuthnLoginCredential_VariousKeyCombinations_ShouldReturnCorrectPrfOption(
        bool hasEncryptedPrivateKey,
        bool hasEncryptedPublicKey,
        bool hasEncryptedUserKey,
        WebAuthnCredential credential)
    {
        credential.EncryptedPrivateKey = hasEncryptedPrivateKey ? "encryptedPrivateKey" : null;
        credential.EncryptedPublicKey = hasEncryptedPublicKey ? "encryptedPublicKey" : null;
        credential.EncryptedUserKey = hasEncryptedUserKey ? "encryptedUserKey" : null;

        var result = await _builder.WithWebAuthnLoginCredential(credential).BuildAsync();

        if (credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled)
        {
            Assert.NotNull(result.WebAuthnPrfOption);
            Assert.Equal(credential.EncryptedPrivateKey, result.WebAuthnPrfOption!.EncryptedPrivateKey);
            Assert.Equal(credential.EncryptedUserKey, result.WebAuthnPrfOption!.EncryptedUserKey);
        }
        else
        {
            Assert.Null(result.WebAuthnPrfOption);
        }
    }

    [Theory, BitAutoData]
    public async Task Build_WhenKeyConnectorIsEnabled_ShouldReturnKeyConnectorOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData)
    {
        configurationData.MemberDecryptionType = MemberDecryptionType.KeyConnector;
        ssoConfig.Data = configurationData.Serialize();

        var result = await _builder.WithSso(ssoConfig).BuildAsync();

        Assert.NotNull(result.KeyConnectorOption);
        Assert.Equal(configurationData.KeyConnectorUrl, result.KeyConnectorOption!.KeyConnectorUrl);
    }

    [Theory, BitAutoData]
    public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();

        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();

        Assert.NotNull(result.TrustedDeviceOption);
        Assert.False(result.TrustedDeviceOption!.HasAdminApproval);
        Assert.False(result.TrustedDeviceOption!.HasLoginApprovingDevice);
        Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
    }

    // TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
    [Theory, BitAutoData]
    public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();

        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();

        Assert.Null(result.TrustedDeviceOption);
    }

    [Theory, BitAutoData]
    public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();
        device.EncryptedPrivateKey = "encryptedPrivateKey";
        device.EncryptedPublicKey = "encryptedPublicKey";
        device.EncryptedUserKey = "encryptedUserKey";

        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();

        Assert.Equal(device.EncryptedPrivateKey, result.TrustedDeviceOption?.EncryptedPrivateKey);
        Assert.Equal(device.EncryptedUserKey, result.TrustedDeviceOption?.EncryptedUserKey);
    }

    [Theory, BitAutoData]
    public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();
        approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
        _deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice });

        var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync();

        Assert.True(result.TrustedDeviceOption?.HasLoginApprovingDevice);
    }

    [Theory, BitAutoData]
    public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue(
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
        CurrentContextOrganization organization)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();
        ssoConfig.OrganizationId = organization.Id;
        _currentContext.Organizations.Returns(new List<CurrentContextOrganization>(new CurrentContextOrganization[] { organization }));
        _currentContext.ManageResetPassword(organization.Id).Returns(true);

        var result = await _builder.WithSso(ssoConfig).BuildAsync();

        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
    }

    [Theory, BitAutoData]
    public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
        SsoConfig ssoConfig,
        SsoConfigurationData configurationData,
        OrganizationUser organizationUser,
        User user)
    {
        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
        ssoConfig.Data = configurationData.Serialize();
        organizationUser.ResetPasswordKey = "resetPasswordKey";
        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);

        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();

        Assert.True(result.TrustedDeviceOption?.HasAdminApproval);
    }
}
-												[PM-2032] Server endpoints to support authentication with a passkey (#3361)

* [PM-2032] feat: add assertion options tokenable

* [PM-2032] feat: add request and response models

* [PM-2032] feat: implement `assertion-options` identity endpoint

* [PM-2032] feat: implement authentication with passkey

* [PM-2032] chore: rename to `WebAuthnGrantValidator`

* [PM-2032] fix: add missing subsitute

* [PM-2032] feat: start adding builder

* [PM-2032] feat: add support for KeyConnector

* [PM-2032] feat: add first version of TDE

* [PM-2032] chore: refactor WithSso

* [PM-2023] feat: add support for TDE feature flag

* [PM-2023] feat: add support for approving devices

* [PM-2023] feat: add support for hasManageResetPasswordPermission

* [PM-2032] feat: add support for hasAdminApproval

* [PM-2032] chore: don't supply device if not necessary

* [PM-2032] chore: clean up imports

* [PM-2023] feat: extract interface

* [PM-2023] chore: add clarifying comment

* [PM-2023] feat: use new builder in production code

* [PM-2032] feat: add support for PRF

* [PM-2032] chore: clean-up todos

* [PM-2023] chore: remove token which is no longer used

* [PM-2032] chore: remove todo

* [PM-2032] feat: improve assertion error handling

* [PM-2032] fix: linting issues

* [PM-2032] fix: revert changes to `launchSettings.json`

* [PM-2023] chore: clean up assertion endpoint

* [PM-2032] feat: bypass 2FA

* [PM-2032] fix: rename prf option to singular

* [PM-2032] fix: lint

* [PM-2032] fix: typo

* [PM-2032] chore: improve builder tests

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

* [PM-2032] chore: clarify why we don't require 2FA

* [PM-2023] feat: move `identityProvider` constant to common class

* [PM-2032] fix: lint

* [PM-2023] fix: move `IdentityProvider` to core.Constants

* [PM-2032] fix: missing import

* [PM-2032] chore: refactor token timespan to use `TimeSpan`

* [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync

* [PM-2032] chore: use `FromMinutes`

* [PM-2032] fix: change to 17 minutes to cover webauthn assertion

* [PM-2032] chore: do not use `async void`

* [PM-2032] fix: comment saying wrong amount of minutes

* [PM-2032] feat: put validator behind feature flag

* [PM-2032] fix: lint

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
											
										
										
											2023-11-20 15:55:31 +01:00
+								using Bit.Core;
 								using Bit.Core.Auth.Entities;
 								using Bit.Core.Auth.Enums;
 								using Bit.Core.Auth.Models.Data;
 								using Bit.Core.Context;
 								using Bit.Core.Entities;
 								using Bit.Core.Repositories;
 								using Bit.Core.Services;
 								using Bit.Identity.IdentityServer;
 								using Bit.Identity.Utilities;
 								using Bit.Test.Common.AutoFixture.Attributes;
 								using NSubstitute;
 								using Xunit;
 								namespace Bit.Identity.Test.IdentityServer;
 								public class UserDecryptionOptionsBuilderTests
 								{
 								    private readonly ICurrentContext _currentContext;
 								    private readonly IFeatureService _featureService;
 								    private readonly IDeviceRepository _deviceRepository;
 								    private readonly IOrganizationUserRepository _organizationUserRepository;
 								    private readonly UserDecryptionOptionsBuilder _builder;
 								    public UserDecryptionOptionsBuilderTests()
 								    {
 								        _currentContext = Substitute.For<ICurrentContext>();
 								        _featureService = Substitute.For<IFeatureService>();
 								        _deviceRepository = Substitute.For<IDeviceRepository>();
 								        _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
 								        _builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
 								    }
 								    [Theory]
 								    [BitAutoData(true, true, true)]    // All keys are non-null
 								    [BitAutoData(false, false, false)] // All keys are null
 								    [BitAutoData(false, false, true)]  // EncryptedUserKey is non-null, others are null
 								    [BitAutoData(false, true, false)]  // EncryptedPublicKey is non-null, others are null
 								    [BitAutoData(true, false, false)]  // EncryptedPrivateKey is non-null, others are null
 								    [BitAutoData(true, false, true)]   // EncryptedPrivateKey and EncryptedUserKey are non-null, EncryptedPublicKey is null
 								    [BitAutoData(true, true, false)]   // EncryptedPrivateKey and EncryptedPublicKey are non-null, EncryptedUserKey is null
 								    [BitAutoData(false, true, true)]   // EncryptedPublicKey and EncryptedUserKey are non-null, EncryptedPrivateKey is null
 								    public async Task WithWebAuthnLoginCredential_VariousKeyCombinations_ShouldReturnCorrectPrfOption(
 								        bool hasEncryptedPrivateKey,
 								        bool hasEncryptedPublicKey,
 								        bool hasEncryptedUserKey,
 								        WebAuthnCredential credential)
 								    {
 								        credential.EncryptedPrivateKey = hasEncryptedPrivateKey ? "encryptedPrivateKey" : null;
 								        credential.EncryptedPublicKey = hasEncryptedPublicKey ? "encryptedPublicKey" : null;
 								        credential.EncryptedUserKey = hasEncryptedUserKey ? "encryptedUserKey" : null;
 								        var result = await _builder.WithWebAuthnLoginCredential(credential).BuildAsync();
 								        if (credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled)
 								        {
 								            Assert.NotNull(result.WebAuthnPrfOption);
 								            Assert.Equal(credential.EncryptedPrivateKey, result.WebAuthnPrfOption!.EncryptedPrivateKey);
 								            Assert.Equal(credential.EncryptedUserKey, result.WebAuthnPrfOption!.EncryptedUserKey);
 								        }
 								        else
 								        {
 								            Assert.Null(result.WebAuthnPrfOption);
 								        }
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenKeyConnectorIsEnabled_ShouldReturnKeyConnectorOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData)
 								    {
 								        configurationData.MemberDecryptionType = MemberDecryptionType.KeyConnector;
 								        ssoConfig.Data = configurationData.Serialize();
 								        var result = await _builder.WithSso(ssoConfig).BuildAsync();
 								        Assert.NotNull(result.KeyConnectorOption);
 								        Assert.Equal(configurationData.KeyConnectorUrl, result.KeyConnectorOption!.KeyConnectorUrl);
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
 								        Assert.NotNull(result.TrustedDeviceOption);
 								        Assert.False(result.TrustedDeviceOption!.HasAdminApproval);
 								        Assert.False(result.TrustedDeviceOption!.HasLoginApprovingDevice);
 								        Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
 								    }
 								    // TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
 								        Assert.Null(result.TrustedDeviceOption);
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        device.EncryptedPrivateKey = "encryptedPrivateKey";
 								        device.EncryptedPublicKey = "encryptedPublicKey";
 								        device.EncryptedUserKey = "encryptedUserKey";
 								        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
 								        Assert.Equal(device.EncryptedPrivateKey, result.TrustedDeviceOption?.EncryptedPrivateKey);
 								        Assert.Equal(device.EncryptedUserKey, result.TrustedDeviceOption?.EncryptedUserKey);
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
 								        _deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice });
 								        var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync();
 								        Assert.True(result.TrustedDeviceOption?.HasLoginApprovingDevice);
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue(
 								        SsoConfig ssoConfig,
 								        SsoConfigurationData configurationData,
 								        CurrentContextOrganization organization)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        ssoConfig.OrganizationId = organization.Id;
 								        _currentContext.Organizations.Returns(new List<CurrentContextOrganization>(new CurrentContextOrganization[] { organization }));
 								        _currentContext.ManageResetPassword(organization.Id).Returns(true);
 								        var result = await _builder.WithSso(ssoConfig).BuildAsync();
 								        Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
 								    }
 								    [Theory, BitAutoData]
 								    public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
 								        SsoConfig ssoConfig,
 								        SsoConfigurationData configurationData,
 								        OrganizationUser organizationUser,
 								        User user)
 								    {
 								        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
 								        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
 								        ssoConfig.Data = configurationData.Serialize();
 								        organizationUser.ResetPasswordKey = "resetPasswordKey";
 								        _organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
 								        var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
 								        Assert.True(result.TrustedDeviceOption?.HasAdminApproval);
 								    }
 								}