| // Copyright 2018 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <memory> |
| #include <utility> |
| |
| #include "base/bind.h" |
| #include "base/bind_helpers.h" |
| #include "base/stl_util.h" |
| #include "base/test/scoped_task_environment.h" |
| #include "build/build_config.h" |
| #include "device/bluetooth/bluetooth_adapter_factory.h" |
| #include "device/bluetooth/test/mock_bluetooth_adapter.h" |
| #include "device/fido/authenticator_get_assertion_response.h" |
| #include "device/fido/ctap_get_assertion_request.h" |
| #include "device/fido/device_response_converter.h" |
| #include "device/fido/fake_fido_discovery.h" |
| #include "device/fido/fido_constants.h" |
| #include "device/fido/fido_device_authenticator.h" |
| #include "device/fido/fido_parsing_utils.h" |
| #include "device/fido/fido_test_data.h" |
| #include "device/fido/fido_transport_protocol.h" |
| #include "device/fido/get_assertion_request_handler.h" |
| #include "device/fido/hid/fake_hid_impl_for_testing.h" |
| #include "device/fido/make_credential_task.h" |
| #include "device/fido/mock_fido_device.h" |
| #include "device/fido/test_callback_receiver.h" |
| #include "device/fido/u2f_command_constructor.h" |
| #include "device/fido/virtual_fido_device_factory.h" |
| #include "testing/gmock/include/gmock/gmock.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| |
| #if defined(OS_WIN) |
| #include "device/fido/win/authenticator.h" |
| #include "device/fido/win/fake_webauthn_api.h" |
| #endif // defined(OS_WIN) |
| |
| namespace device { |
| |
| namespace { |
| |
| constexpr uint8_t kBogusCredentialId[] = {0x01, 0x02, 0x03, 0x04}; |
| |
| using TestGetAssertionRequestCallback = test::StatusAndValuesCallbackReceiver< |
| FidoReturnCode, |
| base::Optional<std::vector<AuthenticatorGetAssertionResponse>>, |
| base::Optional<FidoTransportProtocol>>; |
| |
| } // namespace |
| |
| using testing::_; |
| |
| // FidoGetAssertionHandlerTest allows testing GetAssertionRequestHandler against |
| // MockFidoDevices injected via a FakeFidoDiscoveryFactory. |
| class FidoGetAssertionHandlerTest : public ::testing::Test { |
| public: |
| FidoGetAssertionHandlerTest() { |
| mock_adapter_ = |
| base::MakeRefCounted<::testing::NiceMock<MockBluetoothAdapter>>(); |
| BluetoothAdapterFactory::SetAdapterForTesting(mock_adapter_); |
| } |
| |
| void ForgeDiscoveries() { |
| discovery_ = fake_discovery_factory_->ForgeNextHidDiscovery(); |
| ble_discovery_ = fake_discovery_factory_->ForgeNextBleDiscovery(); |
| cable_discovery_ = fake_discovery_factory_->ForgeNextCableDiscovery(); |
| nfc_discovery_ = fake_discovery_factory_->ForgeNextNfcDiscovery(); |
| } |
| |
| CtapGetAssertionRequest CreateTestRequestWithCableExtension() { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.cable_extension.emplace(); |
| return request; |
| } |
| |
| std::unique_ptr<GetAssertionRequestHandler> CreateGetAssertionHandlerU2f() { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.allow_list = {PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize(test_data::kU2fSignKeyHandle))}; |
| return CreateGetAssertionHandlerWithRequest(std::move(request)); |
| } |
| |
| std::unique_ptr<GetAssertionRequestHandler> CreateGetAssertionHandlerCtap() { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.allow_list = {PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId))}; |
| return CreateGetAssertionHandlerWithRequest(std::move(request)); |
| } |
| |
| std::unique_ptr<GetAssertionRequestHandler> |
| CreateGetAssertionHandlerWithRequest(CtapGetAssertionRequest request) { |
| ForgeDiscoveries(); |
| |
| auto handler = std::make_unique<GetAssertionRequestHandler>( |
| nullptr /* connector */, fake_discovery_factory_.get(), |
| supported_transports_, std::move(request), |
| get_assertion_cb_.callback()); |
| handler->SetPlatformAuthenticatorOrMarkUnavailable( |
| CreatePlatformAuthenticator()); |
| return handler; |
| } |
| |
| void ExpectAllowedTransportsForRequestAre( |
| GetAssertionRequestHandler* request_handler, |
| base::flat_set<FidoTransportProtocol> transports) { |
| using Transport = FidoTransportProtocol; |
| if (base::ContainsKey(transports, Transport::kUsbHumanInterfaceDevice)) |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| if (base::ContainsKey(transports, Transport::kBluetoothLowEnergy)) |
| ble_discovery()->WaitForCallToStartAndSimulateSuccess(); |
| if (base::ContainsKey(transports, |
| Transport::kCloudAssistedBluetoothLowEnergy)) |
| cable_discovery()->WaitForCallToStartAndSimulateSuccess(); |
| if (base::ContainsKey(transports, Transport::kNearFieldCommunication)) |
| nfc_discovery()->WaitForCallToStartAndSimulateSuccess(); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_FALSE(get_assertion_callback().was_called()); |
| |
| if (!base::ContainsKey(transports, Transport::kUsbHumanInterfaceDevice)) |
| EXPECT_FALSE(discovery()->is_start_requested()); |
| if (!base::ContainsKey(transports, Transport::kBluetoothLowEnergy)) |
| EXPECT_FALSE(ble_discovery()->is_start_requested()); |
| if (!base::ContainsKey(transports, |
| Transport::kCloudAssistedBluetoothLowEnergy)) |
| EXPECT_FALSE(cable_discovery()->is_start_requested()); |
| if (!base::ContainsKey(transports, Transport::kNearFieldCommunication)) |
| EXPECT_FALSE(nfc_discovery()->is_start_requested()); |
| |
| // Even with FidoTransportProtocol::kInternal allowed, unless the platform |
| // authenticator factory returns a FidoAuthenticator instance (which it will |
| // not be default), the transport will be marked `unavailable`. |
| transports.erase(Transport::kInternal); |
| |
| EXPECT_THAT( |
| request_handler->transport_availability_info().available_transports, |
| ::testing::UnorderedElementsAreArray(transports)); |
| } |
| |
| void ExpectAllTransportsAreAllowedForRequest( |
| GetAssertionRequestHandler* request_handler) { |
| ExpectAllowedTransportsForRequestAre(request_handler, |
| GetAllTransportProtocols()); |
| } |
| |
| test::FakeFidoDiscovery* discovery() const { return discovery_; } |
| test::FakeFidoDiscovery* ble_discovery() const { return ble_discovery_; } |
| test::FakeFidoDiscovery* cable_discovery() const { return cable_discovery_; } |
| test::FakeFidoDiscovery* nfc_discovery() const { return nfc_discovery_; } |
| TestGetAssertionRequestCallback& get_assertion_callback() { |
| return get_assertion_cb_; |
| } |
| |
| void set_mock_platform_device(std::unique_ptr<MockFidoDevice> device) { |
| pending_mock_platform_device_ = std::move(device); |
| } |
| |
| void set_supported_transports( |
| base::flat_set<FidoTransportProtocol> transports) { |
| supported_transports_ = std::move(transports); |
| } |
| |
| protected: |
| base::Optional<PlatformAuthenticatorInfo> CreatePlatformAuthenticator() { |
| if (!pending_mock_platform_device_) |
| return base::nullopt; |
| return PlatformAuthenticatorInfo( |
| std::make_unique<FidoDeviceAuthenticator>( |
| std::move(pending_mock_platform_device_)), |
| false /* has_recognized_mac_touch_id_credential_available */); |
| } |
| |
| base::test::ScopedTaskEnvironment scoped_task_environment_{ |
| base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME}; |
| std::unique_ptr<test::FakeFidoDiscoveryFactory> fake_discovery_factory_ = |
| std::make_unique<test::FakeFidoDiscoveryFactory>(); |
| test::FakeFidoDiscovery* discovery_; |
| test::FakeFidoDiscovery* ble_discovery_; |
| test::FakeFidoDiscovery* cable_discovery_; |
| test::FakeFidoDiscovery* nfc_discovery_; |
| scoped_refptr<::testing::NiceMock<MockBluetoothAdapter>> mock_adapter_; |
| std::unique_ptr<MockFidoDevice> pending_mock_platform_device_; |
| TestGetAssertionRequestCallback get_assertion_cb_; |
| base::flat_set<FidoTransportProtocol> supported_transports_ = |
| GetAllTransportProtocols(); |
| }; |
| |
| TEST_F(FidoGetAssertionHandlerTest, TransportAvailabilityInfo) { |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(CtapGetAssertionRequest( |
| test_data::kRelyingPartyId, test_data::kClientDataJson)); |
| |
| EXPECT_EQ(FidoRequestHandlerBase::RequestType::kGetAssertion, |
| request_handler->transport_availability_info().request_type); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, CtapRequestOnSingleDevice) { |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| |
| discovery()->AddDevice(std::move(device)); |
| get_assertion_callback().WaitForCallback(); |
| |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| } |
| |
| // Test a scenario where the connected authenticator is a U2F device. |
| TEST_F(FidoGetAssertionHandlerTest, TestU2fSign) { |
| auto request_handler = CreateGetAssertionHandlerU2f(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| |
| auto device = MockFidoDevice::MakeU2fWithGetInfoExpectation(); |
| device->ExpectRequestAndRespondWith( |
| test_data::kU2fSignCommandApdu, |
| test_data::kApduEncodedNoErrorSignResponse); |
| |
| discovery()->AddDevice(std::move(device)); |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, TestIncompatibleUserVerificationSetting) { |
| auto request = CtapGetAssertionRequest(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.user_verification = UserVerificationRequirement::kRequired; |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestGetInfoResponseWithoutUvSupport); |
| device->ExpectRequestAndRespondWith( |
| MockFidoDevice::EncodeCBORRequest(CtapMakeCredentialRequest::EncodeAsCBOR( |
| MakeCredentialTask::GetTouchRequest(device.get()))), |
| test_data::kTestMakeCredentialResponse); |
| |
| discovery()->AddDevice(std::move(device)); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_EQ(FidoReturnCode::kUserConsentButCredentialNotRecognized, |
| get_assertion_callback().status()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| TestU2fSignRequestWithUserVerificationRequired) { |
| auto request = CtapGetAssertionRequest(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.allow_list = {PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize(test_data::kU2fSignKeyHandle))}; |
| request.user_verification = UserVerificationRequirement::kRequired; |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| |
| auto device = MockFidoDevice::MakeU2fWithGetInfoExpectation(); |
| device->ExpectRequestAndRespondWith( |
| ConstructBogusU2fRegistrationCommand(), |
| test_data::kApduEncodedNoErrorRegisterResponse); |
| discovery()->AddDevice(std::move(device)); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_EQ(FidoReturnCode::kUserConsentButCredentialNotRecognized, |
| get_assertion_callback().status()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, IncorrectRpIdHash) { |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(CtapGetAssertionRequest( |
| test_data::kRelyingPartyId, test_data::kClientDataJson)); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponseWithIncorrectRpIdHash); |
| |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| EXPECT_EQ(FidoReturnCode::kAuthenticatorResponseInvalid, |
| get_assertion_callback().status()); |
| } |
| |
| // Tests a scenario where the authenticator responds with credential ID that |
| // is not included in the allowed list. |
| TEST_F(FidoGetAssertionHandlerTest, InvalidCredential) { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.allow_list = {PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize(test_data::kKeyHandleAlpha))}; |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| // Resident Keys must be disabled, otherwise allow list check is skipped. |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestGetInfoResponseWithoutResidentKeySupport); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| EXPECT_EQ(FidoReturnCode::kAuthenticatorResponseInvalid, |
| get_assertion_callback().status()); |
| } |
| |
| // Tests a scenario where the authenticator responds with an empty credential. |
| // When GetAssertion request only has a single credential in the allow list, |
| // this is a valid response. Check that credential is set by the client before |
| // the response is returned to the relying party. |
| TEST_F(FidoGetAssertionHandlerTest, ValidEmptyCredential) { |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| // Resident Keys must be disabled, otherwise allow list check is skipped. |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestGetInfoResponseWithoutResidentKeySupport); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponseWithEmptyCredential); |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| const auto& response = get_assertion_callback().value<0>(); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| ASSERT_TRUE(response); |
| ASSERT_EQ(1u, response->size()); |
| EXPECT_TRUE(response.value()[0].credential()); |
| EXPECT_THAT( |
| response.value()[0].raw_credential_id(), |
| ::testing::ElementsAreArray(test_data::kTestGetAssertionCredentialId)); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, TruncatedUTF8) { |
| // Webauthn says[1] that authenticators may truncate strings in user entities. |
| // Since authenticators aren't going to do UTF-8 processing, that means that |
| // they may truncate a multi-byte code point and thus produce an invalid |
| // string in the CBOR. This test exercises that case. |
| // |
| // [1] https://www.w3.org/TR/webauthn/#sctn-user-credential-params |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestCtap2OnlyAuthenticatorGetInfoResponse); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponseWithTruncatedUTF8); |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| const auto& response = get_assertion_callback().value<0>(); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| ASSERT_TRUE(response); |
| ASSERT_EQ(1u, response->size()); |
| ASSERT_TRUE(response.value()[0].user_entity()); |
| EXPECT_EQ(63u, response.value()[0].user_entity()->name->size()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, TruncatedAndInvalidUTF8) { |
| // This test exercises the case where a UTF-8 string is truncated in a |
| // response, and the UTF-8 string contains invalid code-points that |
| // |base::IsStringUTF8| will be unhappy with. |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestCtap2OnlyAuthenticatorGetInfoResponse); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponseWithTruncatedAndInvalidUTF8); |
| discovery()->AddDevice(std::move(device)); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_FALSE(get_assertion_callback().was_called()); |
| } |
| |
| // Tests a scenario where authenticator responds without user entity in its |
| // response but client is expecting a resident key credential. |
| TEST_F(FidoGetAssertionHandlerTest, IncorrectUserEntity) { |
| // Use a GetAssertion request with an empty allow list. |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(CtapGetAssertionRequest( |
| test_data::kRelyingPartyId, test_data::kClientDataJson)); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| EXPECT_EQ(FidoReturnCode::kAuthenticatorResponseInvalid, |
| get_assertion_callback().status()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| AllTransportsAllowedIfAllowCredentialsListUndefined) { |
| auto request = CreateTestRequestWithCableExtension(); |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllTransportsAreAllowedForRequest(request_handler.get()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| AllTransportsAllowedIfAllowCredentialsListIsEmpty) { |
| auto request = CreateTestRequestWithCableExtension(); |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllTransportsAreAllowedForRequest(request_handler.get()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| AllTransportsAllowedIfHasAllowedCredentialWithEmptyTransportsList) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kBluetoothLowEnergy}), |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize(kBogusCredentialId)), |
| }; |
| |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllTransportsAreAllowedForRequest(request_handler.get()); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| AllowedTransportsAreUnionOfTransportsLists) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kBluetoothLowEnergy}), |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize(kBogusCredentialId), |
| {FidoTransportProtocol::kInternal, |
| FidoTransportProtocol::kNearFieldCommunication}), |
| }; |
| |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllowedTransportsForRequestAre( |
| request_handler.get(), {FidoTransportProtocol::kBluetoothLowEnergy, |
| FidoTransportProtocol::kInternal, |
| FidoTransportProtocol::kNearFieldCommunication}); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| CableDisabledIfAllowCredentialsListUndefinedButCableExtensionMissing) { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| ASSERT_FALSE(!!request.cable_extension); |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllowedTransportsForRequestAre( |
| request_handler.get(), {FidoTransportProtocol::kBluetoothLowEnergy, |
| FidoTransportProtocol::kUsbHumanInterfaceDevice, |
| FidoTransportProtocol::kNearFieldCommunication, |
| FidoTransportProtocol::kInternal}); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| CableDisabledIfExplicitlyAllowedButCableExtensionMissing) { |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| ASSERT_FALSE(!!request.cable_extension); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kCloudAssistedBluetoothLowEnergy, |
| FidoTransportProtocol::kUsbHumanInterfaceDevice}), |
| }; |
| |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| ExpectAllowedTransportsForRequestAre( |
| request_handler.get(), {FidoTransportProtocol::kUsbHumanInterfaceDevice}); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, SupportedTransportsAreOnlyBleAndNfc) { |
| const base::flat_set<FidoTransportProtocol> kBleAndNfc = { |
| FidoTransportProtocol::kBluetoothLowEnergy, |
| FidoTransportProtocol::kNearFieldCommunication, |
| }; |
| |
| set_supported_transports(kBleAndNfc); |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = CreateGetAssertionHandlerWithRequest( |
| CreateTestRequestWithCableExtension()); |
| ExpectAllowedTransportsForRequestAre(request_handler.get(), kBleAndNfc); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, |
| SupportedTransportsAreOnlyCableAndInternal) { |
| const base::flat_set<FidoTransportProtocol> kCableAndInternal = { |
| FidoTransportProtocol::kCloudAssistedBluetoothLowEnergy, |
| FidoTransportProtocol::kInternal, |
| }; |
| |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| set_supported_transports(kCableAndInternal); |
| auto request_handler = CreateGetAssertionHandlerWithRequest( |
| CreateTestRequestWithCableExtension()); |
| ExpectAllowedTransportsForRequestAre(request_handler.get(), |
| kCableAndInternal); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, SuccessWithOnlyUsbTransportAllowed) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kUsbHumanInterfaceDevice}), |
| }; |
| |
| set_supported_transports({FidoTransportProtocol::kUsbHumanInterfaceDevice}); |
| |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_THAT( |
| request_handler->transport_availability_info().available_transports, |
| ::testing::UnorderedElementsAre( |
| FidoTransportProtocol::kUsbHumanInterfaceDevice)); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, SuccessWithOnlyBleTransportAllowed) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kBluetoothLowEnergy}), |
| }; |
| |
| set_supported_transports({FidoTransportProtocol::kBluetoothLowEnergy}); |
| EXPECT_CALL(*mock_adapter_, IsPresent()).WillOnce(::testing::Return(true)); |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->SetDeviceTransport(FidoTransportProtocol::kBluetoothLowEnergy); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| ble_discovery()->WaitForCallToStartAndSimulateSuccess(); |
| ble_discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_THAT( |
| request_handler->transport_availability_info().available_transports, |
| ::testing::UnorderedElementsAre( |
| FidoTransportProtocol::kBluetoothLowEnergy)); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, SuccessWithOnlyNfcTransportAllowed) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kNearFieldCommunication}), |
| }; |
| |
| set_supported_transports({FidoTransportProtocol::kNearFieldCommunication}); |
| |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->SetDeviceTransport(FidoTransportProtocol::kNearFieldCommunication); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| nfc_discovery()->WaitForCallToStartAndSimulateSuccess(); |
| nfc_discovery()->AddDevice(std::move(device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_THAT( |
| request_handler->transport_availability_info().available_transports, |
| ::testing::UnorderedElementsAre( |
| FidoTransportProtocol::kNearFieldCommunication)); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, SuccessWithOnlyInternalTransportAllowed) { |
| auto request = CreateTestRequestWithCableExtension(); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kInternal}), |
| }; |
| |
| set_supported_transports({FidoTransportProtocol::kInternal}); |
| |
| auto device = MockFidoDevice::MakeCtap( |
| ReadCTAPGetInfoResponse(test_data::kTestGetInfoResponsePlatformDevice)); |
| EXPECT_CALL(*device, GetId()).WillRepeatedly(testing::Return("device0")); |
| device->SetDeviceTransport(FidoTransportProtocol::kInternal); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetInfo, |
| test_data::kTestGetInfoResponsePlatformDevice); |
| device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| set_mock_platform_device(std::move(device)); |
| |
| auto request_handler = |
| CreateGetAssertionHandlerWithRequest(std::move(request)); |
| get_assertion_callback().WaitForCallback(); |
| |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| EXPECT_TRUE(get_assertion_callback().value<0>()); |
| EXPECT_TRUE(request_handler->is_complete()); |
| EXPECT_THAT( |
| request_handler->transport_availability_info().available_transports, |
| ::testing::UnorderedElementsAre(FidoTransportProtocol::kInternal)); |
| } |
| |
| // If a device with transport type kInternal returns a |
| // CTAP2_ERR_OPERATION_DENIED error, the request should complete with |
| // FidoReturnCode::kUserConsentDenied. Pending authenticators should be |
| // cancelled. |
| TEST_F(FidoGetAssertionHandlerTest, |
| TestRequestWithOperationDeniedErrorPlatform) { |
| auto platform_device = MockFidoDevice::MakeCtapWithGetInfoExpectation( |
| test_data::kTestGetInfoResponsePlatformDevice); |
| platform_device->SetDeviceTransport(FidoTransportProtocol::kInternal); |
| platform_device->ExpectCtap2CommandAndRespondWithError( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| CtapDeviceResponseCode::kCtap2ErrOperationDenied, |
| base::TimeDelta::FromMicroseconds(10)); |
| set_mock_platform_device(std::move(platform_device)); |
| |
| auto other_device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| other_device->ExpectCtap2CommandAndDoNotRespond( |
| CtapRequestCommand::kAuthenticatorGetAssertion); |
| EXPECT_CALL(*other_device, Cancel); |
| |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| discovery()->AddDevice(std::move(other_device)); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_TRUE(get_assertion_callback().was_called()); |
| EXPECT_EQ(FidoReturnCode::kUserConsentDenied, |
| get_assertion_callback().status()); |
| } |
| |
| // Like |TestRequestWithOperationDeniedErrorPlatform|, but with a |
| // cross-platform device. |
| TEST_F(FidoGetAssertionHandlerTest, |
| TestRequestWithOperationDeniedErrorCrossPlatform) { |
| auto device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| device->ExpectCtap2CommandAndRespondWithError( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| CtapDeviceResponseCode::kCtap2ErrOperationDenied); |
| |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| discovery()->AddDevice(std::move(device)); |
| |
| scoped_task_environment_.FastForwardUntilNoTasksRemain(); |
| EXPECT_TRUE(get_assertion_callback().was_called()); |
| EXPECT_EQ(FidoReturnCode::kUserConsentDenied, |
| get_assertion_callback().status()); |
| } |
| |
| MATCHER_P(IsCtap2Command, expected_command, "") { |
| return !arg.empty() && arg[0] == base::strict_cast<uint8_t>(expected_command); |
| } |
| |
| TEST_F(FidoGetAssertionHandlerTest, DeviceFailsImmediately) { |
| // Test that, when a device immediately returns an unexpected error, the |
| // request continues and waits for another device. |
| |
| auto broken_device = MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| EXPECT_CALL( |
| *broken_device, |
| DeviceTransactPtr( |
| IsCtap2Command(CtapRequestCommand::kAuthenticatorGetAssertion), _)) |
| .WillOnce(::testing::DoAll( |
| ::testing::WithArg<1>( |
| ::testing::Invoke([this](FidoDevice::DeviceCallback& callback) { |
| std::vector<uint8_t> response = {static_cast<uint8_t>( |
| CtapDeviceResponseCode::kCtap2ErrInvalidCBOR)}; |
| base::ThreadTaskRunnerHandle::Get()->PostTask( |
| FROM_HERE, |
| base::BindOnce(std::move(callback), std::move(response))); |
| |
| auto working_device = |
| MockFidoDevice::MakeCtapWithGetInfoExpectation(); |
| working_device->ExpectCtap2CommandAndRespondWith( |
| CtapRequestCommand::kAuthenticatorGetAssertion, |
| test_data::kTestGetAssertionResponse); |
| discovery()->AddDevice(std::move(working_device)); |
| })), |
| ::testing::Return(0))); |
| |
| auto request_handler = CreateGetAssertionHandlerCtap(); |
| discovery()->WaitForCallToStartAndSimulateSuccess(); |
| discovery()->AddDevice(std::move(broken_device)); |
| |
| get_assertion_callback().WaitForCallback(); |
| EXPECT_EQ(FidoReturnCode::kSuccess, get_assertion_callback().status()); |
| } |
| |
| // Tests a scenario where authenticator of incorrect transport type was used to |
| // conduct CTAP GetAssertion call. |
| // |
| // TODO(engedy): This should not happen, instead |allowCredentials| should be |
| // filtered to only contain items compatible with the transport actually used to |
| // talk to the authenticator. |
| TEST(GetAssertionRequestHandlerTest, IncorrectTransportType) { |
| base::test::ScopedTaskEnvironment scoped_task_environment{ |
| base::test::ScopedTaskEnvironment::MainThreadType::MOCK_TIME}; |
| device::test::VirtualFidoDeviceFactory virtual_device_factory; |
| virtual_device_factory.SetSupportedProtocol(device::ProtocolVersion::kCtap2); |
| ASSERT_TRUE(virtual_device_factory.mutable_state()->InjectRegistration( |
| fido_parsing_utils::Materialize(test_data::kTestGetAssertionCredentialId), |
| test_data::kRelyingPartyId)); |
| |
| // Request the correct credential ID, but set a different transport hint. |
| CtapGetAssertionRequest request(test_data::kRelyingPartyId, |
| test_data::kClientDataJson); |
| request.allow_list = { |
| PublicKeyCredentialDescriptor( |
| CredentialType::kPublicKey, |
| fido_parsing_utils::Materialize( |
| test_data::kTestGetAssertionCredentialId), |
| {FidoTransportProtocol::kBluetoothLowEnergy}), |
| }; |
| |
| TestGetAssertionRequestCallback cb; |
| auto request_handler = std::make_unique<GetAssertionRequestHandler>( |
| nullptr /* connector */, &virtual_device_factory, |
| base::flat_set<FidoTransportProtocol>( |
| {FidoTransportProtocol::kUsbHumanInterfaceDevice}), |
| std::move(request), cb.callback()); |
| request_handler->SetPlatformAuthenticatorOrMarkUnavailable(base::nullopt); |
| |
| scoped_task_environment.FastForwardUntilNoTasksRemain(); |
| EXPECT_FALSE(cb.was_called()); |
| } |
| |
| #if defined(OS_WIN) |
| |
| class TestObserver : public FidoRequestHandlerBase::Observer { |
| public: |
| TestObserver() {} |
| ~TestObserver() override {} |
| |
| void set_controls_dispatch(bool controls_dispatch) { |
| controls_dispatch_ = controls_dispatch; |
| } |
| |
| private: |
| // FidoRequestHandlerBase::Observer: |
| void OnTransportAvailabilityEnumerated( |
| FidoRequestHandlerBase::TransportAvailabilityInfo data) override {} |
| bool EmbedderControlsAuthenticatorDispatch( |
| const FidoAuthenticator&) override { |
| return controls_dispatch_; |
| } |
| void BluetoothAdapterPowerChanged(bool is_powered_on) override {} |
| void FidoAuthenticatorAdded(const FidoAuthenticator& authenticator) override { |
| } |
| void FidoAuthenticatorRemoved(base::StringPiece device_id) override {} |
| void FidoAuthenticatorIdChanged(base::StringPiece old_authenticator_id, |
| std::string new_authenticator_id) override {} |
| void FidoAuthenticatorPairingModeChanged(base::StringPiece authenticator_id, |
| bool is_in_pairing_mode) override {} |
| bool SupportsPIN() const override { return false; } |
| void CollectPIN( |
| base::Optional<int> attempts, |
| base::OnceCallback<void(std::string)> provide_pin_cb) override { |
| NOTREACHED(); |
| } |
| void FinishCollectPIN() override { NOTREACHED(); } |
| void SetMightCreateResidentCredential(bool v) override {} |
| |
| bool controls_dispatch_ = false; |
| }; |
| |
| // Verify that the request handler instantiates a HID device backed |
| // FidoDeviceAuthenticator or a WinNativeCrossPlatformAuthenticator, depending |
| // on API availability. |
| TEST(GetAssertionRequestHandlerWinTest, TestWinUsbDiscovery) { |
| base::test::ScopedTaskEnvironment scoped_task_environment; |
| ScopedFakeWinWebAuthnApi scoped_fake_win_webauthn_api; |
| for (const bool enable_api : {false, true}) { |
| SCOPED_TRACE(::testing::Message() << "enable_api=" << enable_api); |
| scoped_fake_win_webauthn_api.set_available(enable_api); |
| |
| // Simulate a connected HID device. |
| ScopedFakeHidManager fake_hid_manager; |
| fake_hid_manager.AddFidoHidDevice("guid"); |
| |
| TestGetAssertionRequestCallback cb; |
| FidoDiscoveryFactory fido_discovery_factory; |
| auto handler = std::make_unique<GetAssertionRequestHandler>( |
| fake_hid_manager.service_manager_connector(), &fido_discovery_factory, |
| base::flat_set<FidoTransportProtocol>( |
| {FidoTransportProtocol::kUsbHumanInterfaceDevice}), |
| CtapGetAssertionRequest(test_data::kRelyingPartyId, |
| test_data::kClientDataJson), |
| cb.callback()); |
| // Register an observer that disables automatic dispatch. Dispatch to the |
| // (unimplemented) fake Windows API would immediately result in an invalid |
| // response. |
| TestObserver observer; |
| observer.set_controls_dispatch(true); |
| handler->set_observer(&observer); |
| |
| scoped_task_environment.RunUntilIdle(); |
| |
| ASSERT_FALSE(cb.was_called()); |
| EXPECT_EQ(handler->AuthenticatorsForTesting().size(), 1u); |
| // Crudely distinguish authenticator type by FidoAuthenticator::GetId. |
| EXPECT_EQ( |
| enable_api ? WinWebAuthnApiAuthenticator::kAuthenticatorId : "hid:guid", |
| handler->AuthenticatorsForTesting().begin()->second->GetId()); |
| } |
| } |
| |
| #endif // defined(OS_WIN) |
| |
| } // namespace device |