test: update test coverage

Author: ike-kottlowski

test/Api.Test/Auth/Controllers/WebAuthnControllerTests.cs

@@ -177,6 +177,25 @@ public async Task AssertionOptions_UserVerificationSuccess_ReturnsAssertionOptio
         Assert.NotNull(result);
         Assert.IsType<WebAuthnLoginAssertionOptionsResponseModel>(result);
     }
+
+    [Theory, BitAutoData]
+    public async Task AssertionOptions_Success_ProtectsTokenWithUpdateKeySetScope(SecretVerificationRequestModel requestModel, User user, SutProvider<WebAuthnController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(default).ReturnsForAnyArgs(user);
+        sutProvider.GetDependency<IUserService>().VerifySecretAsync(user, requestModel.Secret).Returns(true);
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .Protect(Arg.Any<WebAuthnLoginAssertionOptionsTokenable>()).Returns("token");
+
+        // Act
+        await sutProvider.Sut.AssertionOptions(requestModel);
+
+        // Assert
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .Received(1)
+            .Protect(Arg.Is<WebAuthnLoginAssertionOptionsTokenable>(t =>
+                t.Scope == Core.Auth.Enums.WebAuthnLoginAssertionOptionsScope.UpdateKeySet));
+    }
     #endregion
 
     [Theory, BitAutoData]
@@ -419,6 +438,30 @@ public async Task Put_TokenVerificationFailed_ThrowsBadRequestException(Assertio
         Assert.Equal(expectedMessage, exception.Message);
     }
 
+    [Theory, BitAutoData]
+    public async Task Put_TokenWithNullOptions_ThrowsBadRequestException(WebAuthnLoginCredentialUpdateRequestModel requestModel, SutProvider<WebAuthnController> sutProvider)
+    {
+        // Arrange - tokenable deserialized with correct scope but Options == null
+        var expectedMessage = "The token associated with your request is invalid or has expired. A valid token is required to continue.";
+        var token = new WebAuthnLoginAssertionOptionsTokenable
+        {
+            Scope = Core.Auth.Enums.WebAuthnLoginAssertionOptionsScope.UpdateKeySet,
+            Options = null,
+        };
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .Unprotect(requestModel.Token)
+            .Returns(token);
+
+        // Act
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateCredential(requestModel));
+
+        // Assert
+        Assert.Equal(expectedMessage, exception.Message);
+        await sutProvider.GetDependency<IAssertWebAuthnLoginCredentialCommand>()
+            .DidNotReceive()
+            .AssertWebAuthnLoginCredential(Arg.Any<AssertionOptions>(), Arg.Any<AuthenticatorAssertionRawResponse>());
+    }
+
     [Theory, BitAutoData]
     public async Task Put_CredentialNotFound_ThrowsBadRequestException(AssertionOptions assertionOptions, WebAuthnLoginCredentialUpdateRequestModel requestModel, SutProvider<WebAuthnController> sutProvider)
     {

test/Identity.Test/IdentityServer/RequestValidators/WebAuthnGrantValidatorTests.cs

@@ -68,6 +68,122 @@ public async Task ValidateAsync_InvalidToken_RejectsWithInvalidRequest(
         Assert.Equal("invalid_request", context.Result.Error);
     }
 
+    [Theory]
+    [BitAutoData("", "{}")]
+    [BitAutoData("   ", "{}")]
+    [BitAutoData("test-token", "")]
+    [BitAutoData("test-token", "   ")]
+    public async Task ValidateAsync_EmptyOrWhitespaceParameter_RejectsWithInvalidGrant(
+        string token,
+        string deviceResponse,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        SutProvider<WebAuthnGrantValidator> sutProvider)
+    {
+        // Arrange - one of token / deviceResponse is empty or whitespace
+        var context = CreateContext(tokenRequest, token, deviceResponse);
+
+        // Act
+        await sutProvider.Sut.ValidateAsync(context);
+
+        // Assert
+        Assert.Equal("invalid_grant", context.Result.Error);
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .DidNotReceive()
+            .TryUnprotect(Arg.Any<string>(), out Arg.Any<WebAuthnLoginAssertionOptionsTokenable>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_DeviceResponseDeserializesToNull_RejectsWithInvalidRequest(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        SutProvider<WebAuthnGrantValidator> sutProvider)
+    {
+        // Arrange
+        var options = new AssertionOptions { Challenge = [1, 2, 3, 4, 5, 6, 7, 8] };
+        var tokenable = new WebAuthnLoginAssertionOptionsTokenable(
+            WebAuthnLoginAssertionOptionsScope.Authentication, options);
+
+        var context = CreateContext(tokenRequest, deviceResponse: "null");
+
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .TryUnprotect(Arg.Any<string>(), out Arg.Any<WebAuthnLoginAssertionOptionsTokenable>())
+            .Returns(x =>
+            {
+                x[1] = tokenable;
+                return true;
+            });
+
+        // Act
+        await sutProvider.Sut.ValidateAsync(context);
+
+        // Assert
+        Assert.Equal("invalid_request", context.Result.Error);
+        await sutProvider.GetDependency<IAssertWebAuthnLoginCredentialCommand>()
+            .DidNotReceive()
+            .AssertWebAuthnLoginCredential(Arg.Any<AssertionOptions>(), Arg.Any<AuthenticatorAssertionRawResponse>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_TokenWithWrongScope_RejectsWithInvalidRequest(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        SutProvider<WebAuthnGrantValidator> sutProvider)
+    {
+        // Arrange
+        var options = new AssertionOptions { Challenge = [1, 2, 3, 4, 5, 6, 7, 8] };
+        var tokenable = new WebAuthnLoginAssertionOptionsTokenable(
+            WebAuthnLoginAssertionOptionsScope.PrfRegistration, options);
+
+        var context = CreateContext(tokenRequest);
+
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .TryUnprotect(Arg.Any<string>(), out Arg.Any<WebAuthnLoginAssertionOptionsTokenable>())
+            .Returns(x =>
+            {
+                x[1] = tokenable;
+                return true;
+            });
+
+        // Act
+        await sutProvider.Sut.ValidateAsync(context);
+
+        // Assert
+        Assert.Equal("invalid_request", context.Result.Error);
+        await sutProvider.GetDependency<IAssertWebAuthnLoginCredentialCommand>()
+            .DidNotReceive()
+            .AssertWebAuthnLoginCredential(Arg.Any<AssertionOptions>(), Arg.Any<AuthenticatorAssertionRawResponse>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_TokenWithNullOptions_RejectsWithInvalidRequest(
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
+        SutProvider<WebAuthnGrantValidator> sutProvider)
+    {
+        // Arrange
+        var tokenable = new WebAuthnLoginAssertionOptionsTokenable
+        {
+            Scope = WebAuthnLoginAssertionOptionsScope.Authentication,
+            Options = null,
+        };
+
+        var context = CreateContext(tokenRequest);
+
+        sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable>>()
+            .TryUnprotect(Arg.Any<string>(), out Arg.Any<WebAuthnLoginAssertionOptionsTokenable>())
+            .Returns(x =>
+            {
+                x[1] = tokenable;
+                return true;
+            });
+
+        // Act
+        await sutProvider.Sut.ValidateAsync(context);
+
+        // Assert
+        Assert.Equal("invalid_request", context.Result.Error);
+        await sutProvider.GetDependency<IAssertWebAuthnLoginCredentialCommand>()
+            .DidNotReceive()
+            .AssertWebAuthnLoginCredential(Arg.Any<AssertionOptions>(), Arg.Any<AuthenticatorAssertionRawResponse>());
+    }
+
     [Theory, BitAutoData]
     public async Task ValidateAsync_ValidToken_CallsAssertCommand(
         [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,