1
0
mirror of https://github.com/bitwarden/server.git synced 2025-01-22 21:51:22 +01:00
bitwarden-server/test/Api.Test/AdminConsole/Validators/OrganizationUserRotationValidatorTests.cs
Bernd Schoolmann 0189952e1f
[PM-5938] Prevent permanent vault coruption on key-rotation with desycned vault (#4098)
* Add check to verify the vault state for rotation is not obviously desynced (empty)

* Add unit test for key rotation guardrail

* Move de-synced vault detection to validators

* Add tests
2024-05-30 11:08:26 +02:00

165 lines
6.1 KiB
C#

using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.AdminConsole.Validators;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;
namespace Bit.Api.Test.AdminConsole.Validators;
[SutProviderCustomize]
public class OrganizationUserRotationValidatorTests
{
[Theory]
[BitAutoData]
public async Task ValidateAsync_Success_ReturnsValid(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
var existingUserResetPassword = resetPasswordKeys
.Select(a =>
new OrganizationUser
{
Id = new Guid(),
ResetPasswordKey = a.ResetPasswordKey,
OrganizationId = a.OrganizationId
}).ToList();
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(existingUserResetPassword);
var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
Assert.Equal(result.Select(r => r.OrganizationId), resetPasswordKeys.Select(a => a.OrganizationId));
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_NullResetPasswordKeys_ReturnsEmptyList(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user)
{
// Arrange
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys = null;
// Act
var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
// Assert
Assert.NotNull(result);
Assert.Empty(result);
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_NoOrgUsers_ReturnsEmptyList(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
// Arrange
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(new List<OrganizationUser>()); // Return an empty list
// Act
var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
// Assert
Assert.NotNull(result);
Assert.Empty(result);
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_MissingResetPassword_Throws(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
var existingUserResetPassword = resetPasswordKeys
.Select(a =>
new OrganizationUser
{
Id = new Guid(),
ResetPasswordKey = a.ResetPasswordKey,
OrganizationId = a.OrganizationId
}).ToList();
existingUserResetPassword.Add(new OrganizationUser
{
Id = Guid.NewGuid(),
ResetPasswordKey = "Missing ResetPasswordKey"
});
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(existingUserResetPassword);
await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_ResetPasswordDoesNotBelongToUser_NotReturned(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
var existingUserResetPassword = resetPasswordKeys
.Select(a =>
new OrganizationUser
{
Id = new Guid(),
ResetPasswordKey = a.ResetPasswordKey,
OrganizationId = a.OrganizationId
}).ToList();
existingUserResetPassword.RemoveAt(0);
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(existingUserResetPassword);
var result = await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys);
Assert.DoesNotContain(result, c => c.Id == resetPasswordKeys.First().OrganizationId);
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_AttemptToSetKeyToNull_Throws(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
var existingUserResetPassword = resetPasswordKeys
.Select(a =>
new OrganizationUser
{
Id = new Guid(),
ResetPasswordKey = a.ResetPasswordKey,
OrganizationId = a.OrganizationId
}).ToList();
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(existingUserResetPassword);
resetPasswordKeys.First().ResetPasswordKey = null;
await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, resetPasswordKeys));
}
[Theory]
[BitAutoData]
public async Task ValidateAsync_NoOrganizationsInRequestButInDatabase_Throws(
SutProvider<OrganizationUserRotationValidator> sutProvider, User user,
IEnumerable<ResetPasswordWithOrgIdRequestModel> resetPasswordKeys)
{
var existingUserResetPassword = resetPasswordKeys
.Select(a =>
new OrganizationUser
{
Id = new Guid(),
ResetPasswordKey = a.ResetPasswordKey,
OrganizationId = a.OrganizationId
}).ToList();
sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(user.Id)
.Returns(existingUserResetPassword);
await Assert.ThrowsAsync<BadRequestException>(async () =>
await sutProvider.Sut.ValidateAsync(user, Enumerable.Empty<ResetPasswordWithOrgIdRequestModel>()));
}
}