From 851f963be64f35a80b5af2161e1571f108a96b92 Mon Sep 17 00:00:00 2001
From: Patrick Pimentel
Date: Thu, 20 Nov 2025 13:54:14 -0500
Subject: [PATCH] test(auth-validator): [PM-22975] Client Version Validator - Fixed tests a little.

---
 src/Core/KeyManagement/Utilities/EncryptionParsing.cs | 1 -
 .../RequestValidators/BaseRequestValidator.cs | 9 ++++++---
 .../IdentityServer/BaseRequestValidatorTests.cs | 5 ++++-
 .../RequestValidators/ClientVersionValidatorTests.cs | 2 +-
 .../Wrappers/BaseRequestValidatorTestWrapper.cs | 4 ++--
 5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
index 269ff51228..ffe8cb3134 100644
--- a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
+++ b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
@@ -6,7 +6,6 @@ public static class EncryptionParsing
 {
     ///
     /// Helper method to convert an encryption type string to an enum value.
-    /// Accepts formats like "Header.iv|ct|mac" or "Header" COSE format.
     ///
     public static EncryptionType GetEncryptionType(string encString)
     {
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 54e432de84..b1bff766a4 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -111,7 +111,8 @@ public abstract class BaseRequestValidator where T : class
         }
         else
         {
-            // 1. We need to check if the user is legitimate via the appropriate mechanism through.
+            // 1. We need to check if the user is legitimate via the contextually appropriate mechanism
+            // (webauthn, password, custom token, etc.).
             var valid = await ValidateContextAsync(context, validatorContext);
             var user = validatorContext.User;
             if (!valid)
@@ -123,8 +124,10 @@ public abstract class BaseRequestValidator where T : class
         }

         // 1.5 Now check the version number of the client. Do this after ValidateContextAsync so that
-        // we prevent account enumeration. If we were to do this before we would validate that a given user
-        // could exist
+        // we prevent account enumeration. If we were to do this before ValidateContextAsync, then attackers
+        // could use a known invalid client version and make a request for a user (before we know if they have
+        // demonstrated ownership of the account via correct credentials) and identify if they exist by getting
+        // an error response back from the validator saying the user is not compatible with the client.
         await ValidateClientVersionAsync(context, validatorContext);

         // 2. Decide if this user belongs to an organization that requires SSO.
diff --git a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
index e78c7d161c..9a3d4dd711 100644
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@@ -55,6 +55,7 @@ public class BaseRequestValidatorTests
     private readonly IAuthRequestRepository _authRequestRepository;
     private readonly IMailService _mailService;
     private readonly IUserAccountKeysQuery _userAccountKeysQuery;
+    private readonly IClientVersionValidator _clientVersionValidator;

     private readonly BaseRequestValidatorTestWrapper _sut;

@@ -78,6 +79,7 @@ public class BaseRequestValidatorTests
         _authRequestRepository = Substitute.For();
         _mailService = Substitute.For();
         _userAccountKeysQuery = Substitute.For();
+        _clientVersionValidator = Substitute.For();

         _sut = new BaseRequestValidatorTestWrapper(
             _userManager,
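Review bot: The expanded comment before `await ValidateClientVersionAsync(context, validatorContext);` documents an ordering invariant (version check strictly after credential validation, to avoid an enumeration oracle) that nothing in this commit pins down — the invariant holds only because of statement order and because the `if (!valid)` branch above presumably returns before reaching step 1.5, which is outside this hunk. Since the test class now receives an `IClientVersionValidator` substitute, a regression test that fails `ValidateContextAsync` and then asserts the version validator was never invoked would make the comment enforceable, along the lines of `await _clientVersionValidator.DidNotReceiveWithAnyArgs().ValidateAsync(default, default);` (adjust to the interface's actual method name). The comment itself could be cut to two lines, e.g. `// 1.5 Check the client version only AFTER credentials are validated: a version error returned before` / `// credential validation would let an attacker confirm a user exists without knowing the password.` The enclosing method starts outside this hunk.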
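Review bot: The new `_clientVersionValidator = Substitute.For();` in the test constructor is never configured with a return value in the visible hunks, so if `IClientVersionValidator` exposes a `Task<bool>`-returning method that `ValidateClientVersionAsync` gates on, NSubstitute's default of `false` would make every base-validator test stop at step 1.5 instead of exercising what it names. If the suite passes as committed, it is worth confirming against the interface why; otherwise a permissive default such as `_clientVersionValidator.ValidateAsync(Arg.Any<...>()).Returns(true);` belongs next to the substitute, with individual tests overriding it. The generic type arguments on the `Substitute.For()` calls appear stripped in this rendering, so this is inferred from the field declarations rather than the calls.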
@@ -97,7 +99,8 @@ public class BaseRequestValidatorTests
             _policyRequirementQuery,
             _authRequestRepository,
             _mailService,
-            _userAccountKeysQuery);
+            _userAccountKeysQuery,
+            _clientVersionValidator);
     }

     private void SetupRecoveryCodeSupportForSsoRequiredUsersFeatureFlag(bool recoveryCodeSupportEnabled)
diff --git a/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs b/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
index 45fd26169a..65a9904246 100644
--- a/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
@@ -40,7 +40,7 @@ public class ClientVersionValidatorTests
         Assert.False(ok);
         Assert.NotNull(ctx.ValidationErrorResult);
         Assert.True(ctx.ValidationErrorResult.IsError);
-        Assert.Equal("invalid_grant", ctx.ValidationErrorResult.Error);
+        Assert.Equal("invalid_client_version", ctx.ValidationErrorResult.Error);
     }

     [Fact]
diff --git a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
index dc6d80a730..bd8fcd4bda 100644
--- a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
+++ b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
@@ -66,8 +66,8 @@ IBaseRequestValidatorTestWrapper
     IPolicyRequirementQuery policyRequirementQuery,
     IAuthRequestRepository authRequestRepository,
     IMailService mailService,
-    IClientVersionValidator clientVersionValidator,
-    IUserAccountKeysQuery userAccountKeysQuery) :
+    IUserAccountKeysQuery userAccountKeysQuery,
+    IClientVersionValidator clientVersionValidator) :
     base(
         userManager,
         userService,
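Review bot: `Assert.Equal("invalid_client_version", ctx.ValidationErrorResult.Error);` now pins a non-standard OAuth 2.0 token-endpoint error code — RFC 6749 §5.2 defines only `invalid_request`, `invalid_client`, `invalid_grant`, `unauthorized_client`, `unsupported_grant_type` and `invalid_scope` — so any client that switches on the standard set will fall through to its generic-error path, which should be a deliberate, documented decision rather than a side effect. A one-line comment above the assertion would record the contract, e.g. `// Deliberately a custom (non-RFC 6749) error code so clients can distinguish an outdated client from a bad credential.` Because the custom code is distinguishable from `invalid_grant`, it must only ever be emitted after credential validation succeeds (the ordering the BaseRequestValidator comment describes), otherwise it becomes an account-existence oracle; a test that the validator is not reached with failed credentials would close that gap. The test method this assertion belongs to starts outside this hunk.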