[PM-4371] Implement PRF key rotation (#4157)

* Send rotateable keyset on list webauthn keys * Implement basic prf key rotation * Add validator for webauthn rotation * Fix accounts controller tests * Add webauthn rotation validator tests * Introduce separate request model * Fix tests * Remove extra empty line * Remove filtering in validator * Don't send encrypted private key * Fix tests * Implement delegated webauthn db transactions * Add backward compatibility * Fix query not working * Update migration sql * Update dapper query * Remove unused helper * Rename webauthn to WebAuthnLogin * Fix linter errors * Fix tests * Fix tests
2025-02-22 02:51:33 +01:00 · 2024-06-17 20:46:57 +02:00 · 2024-06-17 20:46:57 +02:00 · 3ad4bc1cab
commit 3ad4bc1cab
parent a556462685
19 changed files with 347 additions and 11 deletions
--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@ -2,6 +2,7 @@
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.Auth.Validators;
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Request.Accounts;
@ -81,6 +82,8 @@ public class AccountsController : Controller
    private readonly IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
            IReadOnlyList<OrganizationUser>>
        _organizationUserValidator;
+    private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+        _webauthnKeyValidator;


    public AccountsController(
@ -109,7 +112,8 @@ public class AccountsController : Controller
        IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>, IEnumerable<EmergencyAccess>>
            emergencyAccessValidator,
        IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
-            organizationUserValidator
+            organizationUserValidator,
+        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator
        )
    {
        _cipherRepository = cipherRepository;
@ -136,6 +140,7 @@ public class AccountsController : Controller
        _sendValidator = sendValidator;
        _emergencyAccessValidator = emergencyAccessValidator;
        _organizationUserValidator = organizationUserValidator;
+        _webauthnKeyValidator = webAuthnKeyValidator;
    }

    #region DEPRECATED (Moved to Identity Service)
@ -442,7 +447,8 @@ public class AccountsController : Controller
            Folders = await _folderValidator.ValidateAsync(user, model.Folders),
            Sends = await _sendValidator.ValidateAsync(user, model.Sends),
            EmergencyAccesses = await _emergencyAccessValidator.ValidateAsync(user, model.EmergencyAccessKeys),
-            OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.ResetPasswordKeys)
+            OrganizationUsers = await _organizationUserValidator.ValidateAsync(user, model.ResetPasswordKeys),
+            WebAuthnKeys = await _webauthnKeyValidator.ValidateAsync(user, model.WebAuthnKeys)
        };

        var result = await _rotateUserKeyCommand.RotateUserKeyAsync(user, dataModel);
--- a/src/Api/Auth/Controllers/WebAuthnController.cs
+++ b/src/Api/Auth/Controllers/WebAuthnController.cs
@ -1,5 +1,5 @@
 using Bit.Api.Auth.Models.Request.Accounts;
-using Bit.Api.Auth.Models.Request.Webauthn;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.Auth.Models.Response.WebAuthn;
 using Bit.Api.Models.Response;
 using Bit.Core;
--- a/src/Api/Auth/Models/Request/Accounts/UpdateKeyRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/UpdateKeyRequestModel.cs
@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models.Request;

@ -19,5 +20,6 @@ public class UpdateKeyRequestModel
    public IEnumerable<SendWithIdRequestModel> Sends { get; set; }
    public IEnumerable<EmergencyAccessWithIdRequestModel> EmergencyAccessKeys { get; set; }
    public IEnumerable<ResetPasswordWithOrgIdRequestModel> ResetPasswordKeys { get; set; }
+    public IEnumerable<WebAuthnLoginRotateKeyRequestModel> WebAuthnKeys { get; set; }

 }
--- a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginCredentialCreatelRequestModel.cs
+++ b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginCredentialCreatelRequestModel.cs
@ -2,7 +2,7 @@
 using Bit.Core.Utilities;
 using Fido2NetLib;

-namespace Bit.Api.Auth.Models.Request.Webauthn;
+namespace Bit.Api.Auth.Models.Request.WebAuthn;

 public class WebAuthnLoginCredentialCreateRequestModel
 {
--- a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginCredentialUpdateRequestModel.cs
+++ b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginCredentialUpdateRequestModel.cs
@ -2,7 +2,7 @@
 using Bit.Core.Utilities;
 using Fido2NetLib;

-namespace Bit.Api.Auth.Models.Request.Webauthn;
+namespace Bit.Api.Auth.Models.Request.WebAuthn;

 public class WebAuthnLoginCredentialUpdateRequestModel
 {
--- a/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginRotateKeyRequestModel.cs
+++ b/src/Api/Auth/Models/Request/WebAuthn/WebAuthnLoginRotateKeyRequestModel.cs
@ -0,0 +1,32 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request.WebAuthn;
+
+public class WebAuthnLoginRotateKeyRequestModel
+{
+    [Required]
+    public Guid Id { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+
+    public WebAuthnLoginRotateKeyData ToWebAuthnRotateKeyData()
+    {
+        return new WebAuthnLoginRotateKeyData
+        {
+            Id = Id,
+            EncryptedUserKey = EncryptedUserKey,
+            EncryptedPublicKey = EncryptedPublicKey
+        };
+    }
+
+}
--- a/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
+++ b/src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
@ -1,6 +1,7 @@
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Models.Api;
+using Bit.Core.Utilities;

 namespace Bit.Api.Auth.Models.Response.WebAuthn;

@ -13,9 +14,17 @@ public class WebAuthnCredentialResponseModel : ResponseModel
        Id = credential.Id.ToString();
        Name = credential.Name;
        PrfStatus = credential.GetPrfStatus();
+        EncryptedUserKey = credential.EncryptedUserKey;
+        EncryptedPublicKey = credential.EncryptedPublicKey;
    }

    public string Id { get; set; }
    public string Name { get; set; }
    public WebAuthnPrfStatus PrfStatus { get; set; }
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
 }
--- a/src/Api/Auth/Validators/WebAuthnLoginKeyRotationValidator.cs
+++ b/src/Api/Auth/Validators/WebAuthnLoginKeyRotationValidator.cs
@ -0,0 +1,55 @@
+using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+
+namespace Bit.Api.Auth.Validators;
+
+public class WebAuthnLoginKeyRotationValidator : IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+{
+    private readonly IWebAuthnCredentialRepository _webAuthnCredentialRepository;
+
+    public WebAuthnLoginKeyRotationValidator(IWebAuthnCredentialRepository webAuthnCredentialRepository)
+    {
+        _webAuthnCredentialRepository = webAuthnCredentialRepository;
+    }
+
+    public async Task<IEnumerable<WebAuthnLoginRotateKeyData>> ValidateAsync(User user, IEnumerable<WebAuthnLoginRotateKeyRequestModel> keysToRotate)
+    {
+        // 2024-06: Remove after 3 releases, for backward compatibility
+        if (keysToRotate == null)
+        {
+            return new List<WebAuthnLoginRotateKeyData>();
+        }
+
+        var result = new List<WebAuthnLoginRotateKeyData>();
+        var existing = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
+        if (existing == null || !existing.Any())
+        {
+            return result;
+        }
+
+        foreach (var ea in existing)
+        {
+            var keyToRotate = keysToRotate.FirstOrDefault(c => c.Id == ea.Id);
+            if (keyToRotate == null)
+            {
+                throw new BadRequestException("All existing webauthn prf keys must be included in the rotation.");
+            }
+
+            if (keyToRotate.EncryptedUserKey == null)
+            {
+                throw new BadRequestException("WebAuthn prf keys must have user-key during rotation.");
+            }
+            if (keyToRotate.EncryptedPublicKey == null)
+            {
+                throw new BadRequestException("WebAuthn prf keys must have public-key during rotation.");
+            }
+
+            result.Add(keyToRotate.ToWebAuthnRotateKeyData());
+        }
+
+        return result;
+    }
+}
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -30,6 +30,8 @@ using Bit.Core.Billing.Extensions;
 using Bit.Core.OrganizationFeatures.OrganizationSubscriptions;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Vault.Entities;
+using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Core.Auth.Models.Data;

 #if !OSS
 using Bit.Commercial.Core.SecretsManager;
@ -163,7 +165,9 @@ public class Startup
            .AddScoped<IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
                    IReadOnlyList<OrganizationUser>>
                , OrganizationUserRotationValidator>();
-
+        services
+            .AddScoped<IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>,
+                WebAuthnLoginKeyRotationValidator>();

        // Services
        services.AddBaseServices(globalSettings);
--- a/src/Core/Auth/Models/Data/RotateUserKeyData.cs
+++ b/src/Core/Auth/Models/Data/RotateUserKeyData.cs
@ -15,4 +15,5 @@ public class RotateUserKeyData
    public IReadOnlyList<Send> Sends { get; set; }
    public IEnumerable<EmergencyAccess> EmergencyAccesses { get; set; }
    public IReadOnlyList<OrganizationUser> OrganizationUsers { get; set; }
+    public IEnumerable<WebAuthnLoginRotateKeyData> WebAuthnKeys { get; set; }
 }
--- a/src/Core/Auth/Models/Data/WebAuthnLoginRotateKeyData.cs
+++ b/src/Core/Auth/Models/Data/WebAuthnLoginRotateKeyData.cs
@ -0,0 +1,21 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Models.Data;
+
+public class WebAuthnLoginRotateKeyData
+{
+    [Required]
+    public Guid Id { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedUserKey { get; set; }
+
+    [Required]
+    [EncryptedString]
+    [EncryptedStringLength(2000)]
+    public string EncryptedPublicKey { get; set; }
+
+}
--- a/src/Core/Auth/Repositories/IWebAuthnCredentialRepository.cs
+++ b/src/Core/Auth/Repositories/IWebAuthnCredentialRepository.cs
@ -1,4 +1,6 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Repositories;

 namespace Bit.Core.Auth.Repositories;
@ -8,4 +10,5 @@ public interface IWebAuthnCredentialRepository : IRepository<WebAuthnCredential,
    Task<WebAuthnCredential> GetByIdAsync(Guid id, Guid userId);
    Task<ICollection<WebAuthnCredential>> GetManyByUserIdAsync(Guid userId);
    Task<bool> UpdateAsync(WebAuthnCredential credential);
+    UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<WebAuthnLoginRotateKeyData> credentials);
 }
--- a/src/Core/Auth/UserFeatures/UserKey/Implementations/RotateUserKeyCommand.cs
+++ b/src/Core/Auth/UserFeatures/UserKey/Implementations/RotateUserKeyCommand.cs
@ -1,4 +1,5 @@
 using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -20,6 +21,7 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IPushNotificationService _pushService;
    private readonly IdentityErrorDescriber _identityErrorDescriber;
+    private readonly IWebAuthnCredentialRepository _credentialRepository;

    /// <summary>
    /// Instantiates a new <see cref="RotateUserKeyCommand"/>
@ -35,7 +37,7 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
    public RotateUserKeyCommand(IUserService userService, IUserRepository userRepository,
        ICipherRepository cipherRepository, IFolderRepository folderRepository, ISendRepository sendRepository,
        IEmergencyAccessRepository emergencyAccessRepository, IOrganizationUserRepository organizationUserRepository,
-        IPushNotificationService pushService, IdentityErrorDescriber errors)
+        IPushNotificationService pushService, IdentityErrorDescriber errors, IWebAuthnCredentialRepository credentialRepository)
    {
        _userService = userService;
        _userRepository = userRepository;
@ -46,6 +48,7 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
        _organizationUserRepository = organizationUserRepository;
        _pushService = pushService;
        _identityErrorDescriber = errors;
+        _credentialRepository = credentialRepository;
    }

    /// <inheritdoc />
@ -68,7 +71,7 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
        user.Key = model.Key;
        user.PrivateKey = model.PrivateKey;
        if (model.Ciphers.Any() || model.Folders.Any() || model.Sends.Any() || model.EmergencyAccesses.Any() ||
-            model.OrganizationUsers.Any())
+            model.OrganizationUsers.Any() || model.WebAuthnKeys.Any())
        {
            List<UpdateEncryptedDataForKeyRotation> saveEncryptedDataActions = new();

@ -99,6 +102,11 @@ public class RotateUserKeyCommand : IRotateUserKeyCommand
                    _organizationUserRepository.UpdateForKeyRotation(user.Id, model.OrganizationUsers));
            }

+            if (model.WebAuthnKeys.Any())
+            {
+                saveEncryptedDataActions.Add(_credentialRepository.UpdateKeysForRotationAsync(user.Id, model.WebAuthnKeys));
+            }
+
            await _userRepository.UpdateUserKeyAndEncryptedDataAsync(user, saveEncryptedDataActions);
        }
        else
--- a/src/Infrastructure.Dapper/Auth/Repositories/WebAuthnCredentialRepository.cs
+++ b/src/Infrastructure.Dapper/Auth/Repositories/WebAuthnCredentialRepository.cs
@ -1,7 +1,10 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Settings;
+using Bit.Core.Utilities;
 using Bit.Infrastructure.Dapper.Repositories;
 using Dapper;
 using Microsoft.Data.SqlClient;
@ -55,4 +58,37 @@ public class WebAuthnCredentialRepository : Repository<WebAuthnCredential, Guid>

        return affectedRows > 0;
    }
+
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<WebAuthnLoginRotateKeyData> credentials)
+    {
+        return async (SqlConnection connection, SqlTransaction transaction) =>
+        {
+            const string sql = @"
+                UPDATE WC
+                SET
+                    WC.[EncryptedPublicKey] = UW.[encryptedPublicKey],
+                    WC.[EncryptedUserKey] = UW.[encryptedUserKey]
+                FROM
+                    [dbo].[WebAuthnCredential] WC
+                INNER JOIN
+                    OPENJSON(@JsonCredentials)
+                    WITH (
+                        id UNIQUEIDENTIFIER,
+                        encryptedPublicKey NVARCHAR(MAX),
+                        encryptedUserKey NVARCHAR(MAX)
+                    ) UW
+                    ON UW.id = WC.Id
+                WHERE
+                    WC.[UserId] = @UserId";
+
+            var jsonCredentials = CoreHelpers.ClassToJsonData(credentials);
+
+            await connection.ExecuteAsync(
+                sql,
+                new { UserId = userId, JsonCredentials = jsonCredentials },
+                transaction: transaction,
+                commandType: CommandType.Text);
+        };
+    }
+
 }
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/WebAuthnCredentialRepository.cs
@ -1,5 +1,7 @@
 using AutoMapper;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Microsoft.EntityFrameworkCore;
@ -56,4 +58,30 @@ public class WebAuthnCredentialRepository : Repository<Core.Auth.Entities.WebAut
            return true;
        }
    }
+
+    public UpdateEncryptedDataForKeyRotation UpdateKeysForRotationAsync(Guid userId, IEnumerable<WebAuthnLoginRotateKeyData> credentials)
+    {
+        return async (_, _) =>
+        {
+            var newCreds = credentials.ToList();
+            using var scope = ServiceScopeFactory.CreateScope();
+            var dbContext = GetDatabaseContext(scope);
+            var userWebauthnCredentials = await GetDbSet(dbContext)
+                .Where(wc => wc.Id == wc.Id)
+                .ToListAsync();
+            var validUserWebauthnCredentials = userWebauthnCredentials
+                .Where(wc => newCreds.Any(nwc => nwc.Id == wc.Id))
+                .Where(wc => wc.UserId == userId);
+
+            foreach (var wc in validUserWebauthnCredentials)
+            {
+                var nwc = newCreds.First(eak => eak.Id == wc.Id);
+                wc.EncryptedPublicKey = nwc.EncryptedPublicKey;
+                wc.EncryptedUserKey = nwc.EncryptedUserKey;
+            }
+
+            await dbContext.SaveChangesAsync();
+        };
+    }
+
 }
--- a/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/AccountsControllerTests.cs
@ -3,6 +3,7 @@ using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Auth.Controllers;
 using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Api.Auth.Validators;
 using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models.Request;
@ -11,6 +12,7 @@ using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Services;
 using Bit.Core.Auth.UserFeatures.UserKey;
 using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
@ -67,6 +69,8 @@ public class AccountsControllerTests : IDisposable
    private readonly IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
            IReadOnlyList<OrganizationUser>>
        _resetPasswordValidator;
+    private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+        _webauthnKeyRotationValidator;


    public AccountsControllerTests()
@ -97,6 +101,7 @@ public class AccountsControllerTests : IDisposable
        _sendValidator = Substitute.For<IRotationValidator<IEnumerable<SendWithIdRequestModel>, IReadOnlyList<Send>>>();
        _emergencyAccessValidator = Substitute.For<IRotationValidator<IEnumerable<EmergencyAccessWithIdRequestModel>,
            IEnumerable<EmergencyAccess>>>();
+        _webauthnKeyRotationValidator = Substitute.For<IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>>();
        _resetPasswordValidator = Substitute
            .For<IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>,
                IReadOnlyList<OrganizationUser>>>();
@ -125,7 +130,8 @@ public class AccountsControllerTests : IDisposable
            _folderValidator,
            _sendValidator,
            _emergencyAccessValidator,
-            _resetPasswordValidator
+            _resetPasswordValidator,
+            _webauthnKeyRotationValidator
        );
    }

--- a/test/Api.Test/Auth/Controllers/WebAuthnControllerTests.cs
+++ b/test/Api.Test/Auth/Controllers/WebAuthnControllerTests.cs
@ -1,6 +1,6 @@
 using Bit.Api.Auth.Controllers;
 using Bit.Api.Auth.Models.Request.Accounts;
-using Bit.Api.Auth.Models.Request.Webauthn;
+using Bit.Api.Auth.Models.Request.WebAuthn;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Auth.Entities;
--- a/test/Api.Test/Auth/Validators/WebauthnLoginKeyRotationValidatorTests.cs
+++ b/test/Api.Test/Auth/Validators/WebauthnLoginKeyRotationValidatorTests.cs
@ -0,0 +1,93 @@
+using Bit.Api.Auth.Models.Request.WebAuthn;
+using Bit.Api.Auth.Validators;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Auth.Validators;
+
+[SutProviderCustomize]
+public class WebAuthnLoginKeyRotationValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WrongWebAuthnKeys_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = Guid.Parse("00000000-0000-0000-0000-000000000001"),
+            EncryptedPublicKey = e.EncryptedPublicKey,
+            EncryptedUserKey = e.EncryptedUserKey
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = Guid.Parse("00000000-0000-0000-0000-000000000002"),
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NullUserKey_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedPublicKey = e.EncryptedPublicKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_NullPublicKey_Throws(
+        SutProvider<WebAuthnLoginKeyRotationValidator> sutProvider, User user,
+        IEnumerable<WebAuthnLoginRotateKeyRequestModel> webauthnRotateCredentialData)
+    {
+        var guid = Guid.NewGuid();
+        var webauthnKeysToRotate = webauthnRotateCredentialData.Select(e => new WebAuthnLoginRotateKeyRequestModel
+        {
+            Id = guid,
+            EncryptedUserKey = e.EncryptedUserKey,
+        }).ToList();
+
+        var data = new WebAuthnCredential
+        {
+            Id = guid,
+            EncryptedPublicKey = "TestKey",
+            EncryptedUserKey = "Test"
+        };
+        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new List<WebAuthnCredential> { data });
+
+        await Assert.ThrowsAsync<BadRequestException>(async () =>
+            await sutProvider.Sut.ValidateAsync(user, webauthnKeysToRotate));
+    }
+
+}
--- a/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/UserKey/RotateUserKeyCommandTests.cs
@ -1,4 +1,6 @@
-using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.UserFeatures.UserKey.Implementations;
 using Bit.Core.Entities;
 using Bit.Core.Services;
@ -19,6 +21,16 @@ public class RotateUserKeyCommandTests
    {
        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(true);
+        foreach (var webauthnCred in model.WebAuthnKeys)
+        {
+            var dbWebauthnCred = new WebAuthnCredential
+            {
+                EncryptedPublicKey = "encryptedPublicKey",
+                EncryptedUserKey = "encryptedUserKey"
+            };
+            sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetByIdAsync(webauthnCred.Id, user.Id)
+                .Returns(dbWebauthnCred);
+        }

        var result = await sutProvider.Sut.RotateUserKeyAsync(user, model);

@ -31,6 +43,16 @@ public class RotateUserKeyCommandTests
    {
        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(false);
+        foreach (var webauthnCred in model.WebAuthnKeys)
+        {
+            var dbWebauthnCred = new WebAuthnCredential
+            {
+                EncryptedPublicKey = "encryptedPublicKey",
+                EncryptedUserKey = "encryptedUserKey"
+            };
+            sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetByIdAsync(webauthnCred.Id, user.Id)
+                .Returns(dbWebauthnCred);
+        }

        var result = await sutProvider.Sut.RotateUserKeyAsync(user, model);

@ -43,6 +65,16 @@ public class RotateUserKeyCommandTests
    {
        sutProvider.GetDependency<IUserService>().CheckPasswordAsync(user, model.MasterPasswordHash)
            .Returns(true);
+        foreach (var webauthnCred in model.WebAuthnKeys)
+        {
+            var dbWebauthnCred = new WebAuthnCredential
+            {
+                EncryptedPublicKey = "encryptedPublicKey",
+                EncryptedUserKey = "encryptedUserKey"
+            };
+            sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetByIdAsync(webauthnCred.Id, user.Id)
+                .Returns(dbWebauthnCred);
+        }

        await sutProvider.Sut.RotateUserKeyAsync(user, model);