* feat(mp-service) Wire commands to MasterPasswordService.
* feat(self-service) Add logout-and-log to self-service command.
* feat(mp-service) Add dual-path request models and wire controller
routing.
Add structured cryptographic data support to all Auth password endpoints,
routing new payloads to MasterPasswordService-backed commands while
preserving legacy paths for backward compatibility (PM-33141 removal).
* refactor(mp-service) Mark legacy password entry points [Obsolete].
* test(mp-service) Add testing.
* refactor(mp-service) Rename ReplaceTemporaryPasswordAsync to be more descriptive.
* refactor(mp-service) Add variant validator and tests.
* fix(mp-service) Adjust payload variance validation.
* test(mp-service) Update integration tests to support payload variants and model validation returns.
* fix(password-request): Restore KDF regression guard.
* refactor(data-models): Collapse RequestHasNewDataTypes into local check.
* test(emergency-access): Update Emergency Access tests.
* refactor(mp-payload-variant-validator): Move to Auth utilities.
* test(self-service): Combine side-effects and password change into single test.
* feat(validation): Add kdf-salt agreement-only validation.
* refactor(password-request-model): consolidate onto ValidateKdfAndSaltAgreement.
* test(auth): Cover ValidateKdfAndSaltAgreement and enshrine legacy KDF acceptance.
* feat(validate-exclusivity): Throw on both payload variants present.
* test(accounts-controller): Update tests for exclusivity validation at the boundary.
* fix(request-models): Request models must accept both payload variants.
* PM-35393 - Add V2 dual-payload integration tests for password-modification flows
End-to-end coverage for the new AuthenticationData / UnlockData payload
across every endpoint that mutates a master password:
- POST /accounts/password — legacy-KDF acceptance, mismatch rejection,
auth, current-password check.
- PUT /accounts/update-temp-password — legacy-KDF acceptance, mismatch
rejection, auth, ForcePasswordReset precondition.
- PUT /accounts/update-tde-offboarding-password — sub-minimum KDF
rejection (this flow intentionally enforces range), mismatch rejection,
auth.
- POST /emergency-access/{id}/password — legacy-KDF acceptance, mismatch
rejection, no-payload rejection, non-RecoveryApproved precondition.
Also extracts BuildAuthData / BuildUnlockData / BuildMismatchedAuthAndUnlock
helpers in AccountsControllerTest and rewrites the existing PostKdf_* tests
to use them (no behavior change).
15 new test methods, 41 cases. 155/155 controller-suite tests pass.
---------
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
using Bit.Core.Auth.Utilities;
using Xunit;
namespace Bit.Api.Test.Auth.Utilities;
/// <summary>
/// Pins the behaviour of <c>MasterPasswordPayloadVariantValidator.ValidatePresence</c> for every
/// combination of the <c>hasNewPayloads</c> and <c>hasLegacyPayloads</c> flags.
/// </summary>
/// <remarks>
/// The test names keep a <c>ValidateExclusivity</c> prefix although the method exercised is
/// <c>ValidatePresence</c>. As asserted below, this check reports an error only when neither variant
/// is supplied; a request carrying both variants passes it.
/// NOTE(review): which variant is acted on when both are present is not visible in this file;
/// confirm the caller resolves that deterministically.
/// </remarks>
public class MasterPasswordPayloadVariantValidatorTests
{
    /// <summary>Only the new payload variant is supplied: no validation errors are expected.</summary>
    [Fact]
    public void ValidateExclusivity_WhenOnlyNewVariantPresent_ReturnsNoErrors()
    {
        var validationErrors = MasterPasswordPayloadVariantValidator
            .ValidatePresence(hasNewPayloads: true, hasLegacyPayloads: false);
        var errors = validationErrors.ToList();

        Assert.Empty(errors);
    }

    /// <summary>Only the legacy payload variant is supplied: no validation errors are expected.</summary>
    [Fact]
    public void ValidateExclusivity_WhenOnlyLegacyVariantPresent_ReturnsNoErrors()
    {
        var validationErrors = MasterPasswordPayloadVariantValidator
            .ValidatePresence(hasNewPayloads: false, hasLegacyPayloads: true);
        var errors = validationErrors.ToList();

        Assert.Empty(errors);
    }

    /// <summary>
    /// Both variants are supplied together: the presence check accepts the request.
    /// </summary>
    [Fact]
    public void ValidateExclusivity_WhenBothVariantsPresent_ReturnsNoErrors()
    {
        // This pins the permissive outcome: presence validation alone does not reject a
        // request that carries the new and the legacy payloads at the same time.
        var validationErrors = MasterPasswordPayloadVariantValidator
            .ValidatePresence(hasNewPayloads: true, hasLegacyPayloads: true);
        var errors = validationErrors.ToList();

        Assert.Empty(errors);
    }

    /// <summary>
    /// Neither variant is supplied: exactly one error with the fixed message is expected.
    /// </summary>
    [Fact]
    public void ValidateExclusivity_WhenNeitherVariantPresent_ReturnsMissingVariantError()
    {
        const string expectedMessage =
            "Must provide either new payloads (UnlockData/AuthenticationData) or legacy payloads (NewMasterPasswordHash/Key).";

        var validationErrors = MasterPasswordPayloadVariantValidator
            .ValidatePresence(hasNewPayloads: false, hasLegacyPayloads: false);
        var errors = validationErrors.ToList();

        // Assert.Single both checks the count and hands back the one element.
        var onlyError = Assert.Single(errors);
        Assert.Equal(expectedMessage, onlyError.ErrorMessage);
    }

    /// <summary>
    /// Neither variant is supplied: the single error names all four request members, in this order.
    /// </summary>
    [Fact]
    public void ValidateExclusivity_ValidationResultIncludesExpectedMemberNames()
    {
        var expectedMembers = new[] { "AuthenticationData", "UnlockData", "NewMasterPasswordHash", "Key" };

        var validationErrors = MasterPasswordPayloadVariantValidator
            .ValidatePresence(hasNewPayloads: false, hasLegacyPayloads: false);
        var errors = validationErrors.ToList();

        var onlyError = Assert.Single(errors);
        Assert.Equal(expectedMembers, onlyError.MemberNames);
    }
}