[PM-22696] send enumeration protection (#6352)

* feat: add static enumeration helper class * test: add enumeration helper class unit tests * feat: implement NeverAuthenticateValidator * test: unit and integration tests SendNeverAuthenticateValidator * test: use static class for common integration test setup for Send Access unit and integration tests * test: update tests to use static helper
2025-12-20 18:23:44 +00:00 · 2025-09-23 06:38:22 -04:00
parent c6f5d5e36e
commit 3b54fea309
19 changed files with 989 additions and 290 deletions
--- a/test/Identity.Test/IdentityServer/SendAccess/SendAccessTestUtilities.cs
+++ b/test/Identity.Test/IdentityServer/SendAccess/SendAccessTestUtilities.cs
@@ -0,0 +1,50 @@
+using System.Collections.Specialized;
+using Bit.Core.Auth.IdentityServer;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Bit.Identity.IdentityServer.Enums;
+using Bit.Identity.IdentityServer.RequestValidators.SendAccess;
+using Duende.IdentityModel;
+
+namespace Bit.Identity.Test.IdentityServer.SendAccess;
+
+public static class SendAccessTestUtilities
+{
+    public static NameValueCollection CreateValidatedTokenRequest(
+        Guid sendId,
+        string sendEmail = null,
+        string otpCode = null,
+        params string[] passwordHash)
+    {
+        var sendIdBase64 = CoreHelpers.Base64UrlEncode(sendId.ToByteArray());
+
+        var rawRequestParameters = new NameValueCollection
+        {
+            { OidcConstants.TokenRequest.GrantType, CustomGrantTypes.SendAccess },
+            { OidcConstants.TokenRequest.ClientId, BitwardenClient.Send },
+            { OidcConstants.TokenRequest.Scope, ApiScopes.ApiSendAccess },
+            { "device_type", ((int)DeviceType.FirefoxBrowser).ToString() },
+            { SendAccessConstants.TokenRequest.SendId, sendIdBase64 }
+        };
+
+        if (sendEmail != null)
+        {
+            rawRequestParameters.Add(SendAccessConstants.TokenRequest.Email, sendEmail);
+        }
+
+        if (otpCode != null && sendEmail != null)
+        {
+            rawRequestParameters.Add(SendAccessConstants.TokenRequest.Otp, otpCode);
+        }
+
+        if (passwordHash != null && passwordHash.Length > 0)
+        {
+            foreach (var hash in passwordHash)
+            {
+                rawRequestParameters.Add(SendAccessConstants.TokenRequest.ClientB64HashedPassword, hash);
+            }
+        }
+
+        return rawRequestParameters;
+    }
+}