server/test/Core.Test/Auth/UserFeatures/WebAuthnLogin/AssertWebAuthnLoginCredentialCommandTests.cs at e08e34d2be3b667b851af6cc677854a3e46211cc · bitwarden/server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
using System.Text;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Repositories;
using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
using Bit.Core.Auth.UserFeatures.WebAuthnLogin.Implementations;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Fido2NetLib;
using Fido2NetLib.Objects;
using NSubstitute;
using NSubstitute.ReturnsExtensions;
using Xunit;

namespace Bit.Core.Test.Auth.UserFeatures.WebAuthnLogin;

[SutProviderCustomize]
public class AssertWebAuthnLoginCredentialCommandTests
{
    [Theory, BitAutoData]
    internal async Task ChallengeNotCacheable_ThrowsBadRequestException(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, AssertionOptions options, AuthenticatorAssertionRawResponse response)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge)
            .Returns(false);

        // Act
        var result = async () => await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        await Assert.ThrowsAsync<BadRequestException>(result);
    }

    [Theory, BitAutoData]
    internal async Task InvalidUserHandle_ThrowsBadRequestException(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, AssertionOptions options, AuthenticatorAssertionRawResponse response)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge).Returns(true);
        response.Response.UserHandle = Encoding.UTF8.GetBytes("invalid-user-handle");

        // Act
        var result = async () => await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        await Assert.ThrowsAsync<BadRequestException>(result);
    }

    [Theory, BitAutoData]
    internal async Task UserNotFound_ThrowsBadRequestException(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, User user, AssertionOptions options, AuthenticatorAssertionRawResponse response)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge).Returns(true);
        response.Response.UserHandle = user.Id.ToByteArray();
        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id).ReturnsNull();

        // Act
        var result = async () => await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        await Assert.ThrowsAsync<BadRequestException>(result);
    }

    [Theory, BitAutoData]
    internal async Task NoMatchingCredentialExists_ThrowsBadRequestException(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, User user, AssertionOptions options, AuthenticatorAssertionRawResponse response)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge).Returns(true);
        response.Response.UserHandle = user.Id.ToByteArray();
        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id).Returns(user);
        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new WebAuthnCredential[] { });

        // Act
        var result = async () => await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        await Assert.ThrowsAsync<BadRequestException>(result);
    }

    [Theory, BitAutoData]
    internal async Task AssertionFails_ThrowsBadRequestException(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, User user, AssertionOptions options, AuthenticatorAssertionRawResponse response, WebAuthnCredential credential, AssertionVerificationResult assertionResult)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge).Returns(true);
        var credentialId = Guid.NewGuid().ToByteArray();
        credential.CredentialId = CoreHelpers.Base64UrlEncode(credentialId);
        response.Id = credentialId;
        response.Response.UserHandle = user.Id.ToByteArray();
        assertionResult.Status = "Not ok";
        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id).Returns(user);
        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new WebAuthnCredential[] { credential });
        sutProvider.GetDependency<IFido2>().MakeAssertionAsync(response, options, Arg.Any<byte[]>(), Arg.Any<uint>(), Arg.Any<IsUserHandleOwnerOfCredentialIdAsync>())
            .Returns(assertionResult);

        // Act
        var result = async () => await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        await Assert.ThrowsAsync<BadRequestException>(result);
    }

    [Theory, BitAutoData]
    internal async Task AssertionSucceeds_ReturnsUserAndCredential(SutProvider<AssertWebAuthnLoginCredentialCommand> sutProvider, User user, AssertionOptions options, AuthenticatorAssertionRawResponse response, WebAuthnCredential credential, AssertionVerificationResult assertionResult)
    {
        // Arrange
        sutProvider.GetDependency<IWebAuthnChallengeCacheProvider>()
            .TryMarkChallengeAsUsedAsync(options.Challenge).Returns(true);
        var credentialId = Guid.NewGuid().ToByteArray();
        credential.CredentialId = CoreHelpers.Base64UrlEncode(credentialId);
        response.Id = credentialId;
        response.Response.UserHandle = user.Id.ToByteArray();
        assertionResult.Status = "ok";
        sutProvider.GetDependency<IUserRepository>().GetByIdAsync(user.Id).Returns(user);
        sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(new WebAuthnCredential[] { credential });
        sutProvider.GetDependency<IFido2>().MakeAssertionAsync(response, options, Arg.Any<byte[]>(), Arg.Any<uint>(), Arg.Any<IsUserHandleOwnerOfCredentialIdAsync>())
            .Returns(assertionResult);

        // Act
        var result = await sutProvider.Sut.AssertWebAuthnLoginCredential(options, response);

        // Assert
        var (userResult, credentialResult) = result;
        Assert.Equal(user, userResult);
        Assert.Equal(credential, credentialResult);
    }
}