mirror of
https://github.com/bitwarden/server.git
synced 2024-11-22 12:15:36 +01:00
80740aa4ba
* [PM-2032] feat: add assertion options tokenable * [PM-2032] feat: add request and response models * [PM-2032] feat: implement `assertion-options` identity endpoint * [PM-2032] feat: implement authentication with passkey * [PM-2032] chore: rename to `WebAuthnGrantValidator` * [PM-2032] fix: add missing subsitute * [PM-2032] feat: start adding builder * [PM-2032] feat: add support for KeyConnector * [PM-2032] feat: add first version of TDE * [PM-2032] chore: refactor WithSso * [PM-2023] feat: add support for TDE feature flag * [PM-2023] feat: add support for approving devices * [PM-2023] feat: add support for hasManageResetPasswordPermission * [PM-2032] feat: add support for hasAdminApproval * [PM-2032] chore: don't supply device if not necessary * [PM-2032] chore: clean up imports * [PM-2023] feat: extract interface * [PM-2023] chore: add clarifying comment * [PM-2023] feat: use new builder in production code * [PM-2032] feat: add support for PRF * [PM-2032] chore: clean-up todos * [PM-2023] chore: remove token which is no longer used * [PM-2032] chore: remove todo * [PM-2032] feat: improve assertion error handling * [PM-2032] fix: linting issues * [PM-2032] fix: revert changes to `launchSettings.json` * [PM-2023] chore: clean up assertion endpoint * [PM-2032] feat: bypass 2FA * [PM-2032] fix: rename prf option to singular * [PM-2032] fix: lint * [PM-2032] fix: typo * [PM-2032] chore: improve builder tests Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> * [PM-2032] chore: clarify why we don't require 2FA * [PM-2023] feat: move `identityProvider` constant to common class * [PM-2032] fix: lint * [PM-2023] fix: move `IdentityProvider` to core.Constants * [PM-2032] fix: missing import * [PM-2032] chore: refactor token timespan to use `TimeSpan` * [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync * [PM-2032] chore: use `FromMinutes` * [PM-2032] fix: change to 17 minutes to cover webauthn assertion * [PM-2032] chore: do not use `async void` * [PM-2032] fix: comment saying wrong amount of minutes * [PM-2032] feat: put validator behind feature flag * [PM-2032] fix: lint --------- Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
173 lines
8.5 KiB
C#
173 lines
8.5 KiB
C#
using Bit.Core;
|
|
using Bit.Core.Auth.Entities;
|
|
using Bit.Core.Auth.Enums;
|
|
using Bit.Core.Auth.Models.Data;
|
|
using Bit.Core.Context;
|
|
using Bit.Core.Entities;
|
|
using Bit.Core.Repositories;
|
|
using Bit.Core.Services;
|
|
using Bit.Identity.IdentityServer;
|
|
using Bit.Identity.Utilities;
|
|
using Bit.Test.Common.AutoFixture.Attributes;
|
|
using NSubstitute;
|
|
using Xunit;
|
|
|
|
namespace Bit.Identity.Test.IdentityServer;
|
|
|
|
public class UserDecryptionOptionsBuilderTests
|
|
{
|
|
private readonly ICurrentContext _currentContext;
|
|
private readonly IFeatureService _featureService;
|
|
private readonly IDeviceRepository _deviceRepository;
|
|
private readonly IOrganizationUserRepository _organizationUserRepository;
|
|
private readonly UserDecryptionOptionsBuilder _builder;
|
|
|
|
public UserDecryptionOptionsBuilderTests()
|
|
{
|
|
_currentContext = Substitute.For<ICurrentContext>();
|
|
_featureService = Substitute.For<IFeatureService>();
|
|
_deviceRepository = Substitute.For<IDeviceRepository>();
|
|
_organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
|
|
_builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
|
|
}
|
|
|
|
[Theory]
|
|
[BitAutoData(true, true, true)] // All keys are non-null
|
|
[BitAutoData(false, false, false)] // All keys are null
|
|
[BitAutoData(false, false, true)] // EncryptedUserKey is non-null, others are null
|
|
[BitAutoData(false, true, false)] // EncryptedPublicKey is non-null, others are null
|
|
[BitAutoData(true, false, false)] // EncryptedPrivateKey is non-null, others are null
|
|
[BitAutoData(true, false, true)] // EncryptedPrivateKey and EncryptedUserKey are non-null, EncryptedPublicKey is null
|
|
[BitAutoData(true, true, false)] // EncryptedPrivateKey and EncryptedPublicKey are non-null, EncryptedUserKey is null
|
|
[BitAutoData(false, true, true)] // EncryptedPublicKey and EncryptedUserKey are non-null, EncryptedPrivateKey is null
|
|
public async Task WithWebAuthnLoginCredential_VariousKeyCombinations_ShouldReturnCorrectPrfOption(
|
|
bool hasEncryptedPrivateKey,
|
|
bool hasEncryptedPublicKey,
|
|
bool hasEncryptedUserKey,
|
|
WebAuthnCredential credential)
|
|
{
|
|
credential.EncryptedPrivateKey = hasEncryptedPrivateKey ? "encryptedPrivateKey" : null;
|
|
credential.EncryptedPublicKey = hasEncryptedPublicKey ? "encryptedPublicKey" : null;
|
|
credential.EncryptedUserKey = hasEncryptedUserKey ? "encryptedUserKey" : null;
|
|
|
|
var result = await _builder.WithWebAuthnLoginCredential(credential).BuildAsync();
|
|
|
|
if (credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled)
|
|
{
|
|
Assert.NotNull(result.WebAuthnPrfOption);
|
|
Assert.Equal(credential.EncryptedPrivateKey, result.WebAuthnPrfOption!.EncryptedPrivateKey);
|
|
Assert.Equal(credential.EncryptedUserKey, result.WebAuthnPrfOption!.EncryptedUserKey);
|
|
}
|
|
else
|
|
{
|
|
Assert.Null(result.WebAuthnPrfOption);
|
|
}
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenKeyConnectorIsEnabled_ShouldReturnKeyConnectorOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData)
|
|
{
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.KeyConnector;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
|
|
var result = await _builder.WithSso(ssoConfig).BuildAsync();
|
|
|
|
Assert.NotNull(result.KeyConnectorOption);
|
|
Assert.Equal(configurationData.KeyConnectorUrl, result.KeyConnectorOption!.KeyConnectorUrl);
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
|
|
var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
|
|
|
|
Assert.NotNull(result.TrustedDeviceOption);
|
|
Assert.False(result.TrustedDeviceOption!.HasAdminApproval);
|
|
Assert.False(result.TrustedDeviceOption!.HasLoginApprovingDevice);
|
|
Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
|
|
}
|
|
|
|
// TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
|
|
var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
|
|
|
|
Assert.Null(result.TrustedDeviceOption);
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
device.EncryptedPrivateKey = "encryptedPrivateKey";
|
|
device.EncryptedPublicKey = "encryptedPublicKey";
|
|
device.EncryptedUserKey = "encryptedUserKey";
|
|
|
|
var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
|
|
|
|
Assert.Equal(device.EncryptedPrivateKey, result.TrustedDeviceOption?.EncryptedPrivateKey);
|
|
Assert.Equal(device.EncryptedUserKey, result.TrustedDeviceOption?.EncryptedUserKey);
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
|
|
_deviceRepository.GetManyByUserIdAsync(user.Id).Returns(new Device[] { approvingDevice });
|
|
|
|
var result = await _builder.ForUser(user).WithSso(ssoConfig).WithDevice(device).BuildAsync();
|
|
|
|
Assert.True(result.TrustedDeviceOption?.HasLoginApprovingDevice);
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenManageResetPasswordPermissions_ShouldReturnHasManageResetPasswordPermissionTrue(
|
|
SsoConfig ssoConfig,
|
|
SsoConfigurationData configurationData,
|
|
CurrentContextOrganization organization)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
ssoConfig.OrganizationId = organization.Id;
|
|
_currentContext.Organizations.Returns(new List<CurrentContextOrganization>(new CurrentContextOrganization[] { organization }));
|
|
_currentContext.ManageResetPassword(organization.Id).Returns(true);
|
|
|
|
var result = await _builder.WithSso(ssoConfig).BuildAsync();
|
|
|
|
Assert.True(result.TrustedDeviceOption?.HasManageResetPasswordPermission);
|
|
}
|
|
|
|
[Theory, BitAutoData]
|
|
public async Task Build_WhenUserHasEnrolledIntoPasswordReset_ShouldReturnHasAdminApprovalTrue(
|
|
SsoConfig ssoConfig,
|
|
SsoConfigurationData configurationData,
|
|
OrganizationUser organizationUser,
|
|
User user)
|
|
{
|
|
_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
|
|
configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
|
|
ssoConfig.Data = configurationData.Serialize();
|
|
organizationUser.ResetPasswordKey = "resetPasswordKey";
|
|
_organizationUserRepository.GetByOrganizationAsync(ssoConfig.OrganizationId, user.Id).Returns(organizationUser);
|
|
|
|
var result = await _builder.ForUser(user).WithSso(ssoConfig).BuildAsync();
|
|
|
|
Assert.True(result.TrustedDeviceOption?.HasAdminApproval);
|
|
}
|
|
}
|