chore(tests): added 12 more end-to-end tests

Author: AlfioEmanueleFresta

libwebauthn/src/tests/cred_props.rs

@@ -0,0 +1,106 @@
+use crate::ops::webauthn::{
+    CredentialPropsExtension, MakeCredentialsRequestExtensions, ResidentKeyRequirement,
+    UserVerificationRequirement,
+};
+use crate::transport::hid::get_virtual_device;
+use crate::transport::{Channel, Device};
+use test_log::test;
+use tokio::sync::broadcast::error::TryRecvError;
+
+use super::helpers::*;
+
+#[test(tokio::test)]
+async fn test_cred_props_rk_required() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![ExpectedUpdate::PresenceRequired],
+    ));
+
+    let extensions = MakeCredentialsRequestExtensions {
+        cred_props: Some(true),
+        ..Default::default()
+    };
+    let mc_resp = make_credential(
+        &mut channel,
+        b"cred-props-rk-required",
+        ResidentKeyRequirement::Required,
+        UserVerificationRequirement::Discouraged,
+        Some(extensions),
+    )
+    .await
+    .expect("MakeCredential failed");
+
+    assert_eq!(
+        mc_resp.unsigned_extensions_output.cred_props,
+        Some(CredentialPropsExtension { rk: Some(true) })
+    );
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}
+
+#[test(tokio::test)]
+async fn test_cred_props_rk_discouraged() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![ExpectedUpdate::PresenceRequired],
+    ));
+
+    let extensions = MakeCredentialsRequestExtensions {
+        cred_props: Some(true),
+        ..Default::default()
+    };
+    let mc_resp = make_credential(
+        &mut channel,
+        b"cred-props-rk-discouraged",
+        ResidentKeyRequirement::Discouraged,
+        UserVerificationRequirement::Discouraged,
+        Some(extensions),
+    )
+    .await
+    .expect("MakeCredential failed");
+
+    // FIDO 2.1 authenticator: platform can definitively say rk=false
+    assert_eq!(
+        mc_resp.unsigned_extensions_output.cred_props,
+        Some(CredentialPropsExtension { rk: Some(false) })
+    );
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}
+
+#[test(tokio::test)]
+async fn test_cred_props_not_requested() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![ExpectedUpdate::PresenceRequired],
+    ));
+
+    let mc_resp = make_credential(
+        &mut channel,
+        b"cred-props-not-requested",
+        ResidentKeyRequirement::Discouraged,
+        UserVerificationRequirement::Discouraged,
+        None,
+    )
+    .await
+    .expect("MakeCredential failed");
+
+    assert_eq!(mc_resp.unsigned_extensions_output.cred_props, None);
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}

libwebauthn/src/tests/cred_protect.rs

@@ -0,0 +1,201 @@
+use ctap_types::ctap2::credential_management::CredentialProtectionPolicy as Ctap2CredentialProtectionPolicy;
+
+use crate::ops::webauthn::{
+    CredentialProtectionExtension, CredentialProtectionPolicy, MakeCredentialsRequestExtensions,
+    ResidentKeyRequirement, UserVerificationRequirement,
+};
+use crate::pin::PinManagement;
+use crate::proto::CtapError;
+use crate::transport::hid::get_virtual_device;
+use crate::transport::{Channel, Device};
+use crate::webauthn::Error;
+use test_log::test;
+use tokio::sync::broadcast::error::TryRecvError;
+
+use super::helpers::*;
+
+fn cred_protect_extensions(policy: CredentialProtectionPolicy) -> MakeCredentialsRequestExtensions {
+    MakeCredentialsRequestExtensions {
+        cred_protect: Some(CredentialProtectionExtension {
+            policy,
+            enforce_policy: true,
+        }),
+        ..Default::default()
+    }
+}
+
+/// Level 1: userVerificationOptional — discoverable assertion without UV succeeds.
+#[test(tokio::test)]
+async fn test_cred_protect_level1() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+    channel.change_pin(PIN.to_owned(), TIMEOUT).await.unwrap();
+
+    let user_id = b"cp-level1-user";
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![
+            ExpectedUpdate::PinRequired,     // MakeCredential PIN
+            ExpectedUpdate::PresenceRequired, // MakeCredential touch
+            ExpectedUpdate::PresenceRequired, // GetAssertion touch
+        ],
+    ));
+
+    let extensions =
+        cred_protect_extensions(CredentialProtectionPolicy::UserVerificationOptional);
+    let mc_resp = make_credential(
+        &mut channel,
+        user_id,
+        ResidentKeyRequirement::Required,
+        UserVerificationRequirement::Preferred,
+        Some(extensions),
+    )
+    .await
+    .expect("MakeCredential with credProtect level 1 failed");
+
+    assert_eq!(
+        mc_resp
+            .authenticator_data
+            .extensions
+            .as_ref()
+            .and_then(|e| e.cred_protect),
+        Some(Ctap2CredentialProtectionPolicy::Optional)
+    );
+
+    // Discoverable assertion without UV should succeed at level 1
+    get_assertion(
+        &mut channel,
+        vec![],
+        UserVerificationRequirement::Discouraged,
+        None,
+    )
+    .await
+    .expect("Level 1: discoverable assertion without UV should succeed");
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}
+
+/// Level 2: userVerificationOptionalWithCredentialIDList —
+/// with UV provided (cached PIN token), discoverable assertion succeeds.
+/// Without UV it would fail, but the platform caches the PIN token from MakeCredential.
+#[test(tokio::test)]
+async fn test_cred_protect_level2() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+    channel.change_pin(PIN.to_owned(), TIMEOUT).await.unwrap();
+
+    let user_id = b"cp-level2-user";
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![
+            ExpectedUpdate::PinRequired,     // MakeCredential PIN
+            ExpectedUpdate::PresenceRequired, // MakeCredential touch
+            ExpectedUpdate::PresenceRequired, // GetAssertion touch (UV via cached token)
+        ],
+    ));
+
+    let extensions = cred_protect_extensions(
+        CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIDList,
+    );
+    let mc_resp = make_credential(
+        &mut channel,
+        user_id,
+        ResidentKeyRequirement::Required,
+        UserVerificationRequirement::Preferred,
+        Some(extensions),
+    )
+    .await
+    .expect("MakeCredential with credProtect level 2 failed");
+
+    assert_eq!(
+        mc_resp
+            .authenticator_data
+            .extensions
+            .as_ref()
+            .and_then(|e| e.cred_protect),
+        Some(Ctap2CredentialProtectionPolicy::OptionalWithCredentialIdList)
+    );
+
+    // Discoverable assertion succeeds because cached PIN token provides UV
+    let ga_resp = get_assertion(
+        &mut channel,
+        vec![],
+        UserVerificationRequirement::Discouraged,
+        None,
+    )
+    .await
+    .expect("Level 2: discoverable with UV (cached token) should succeed");
+
+    assert_eq!(ga_resp.assertions.len(), 1);
+    let user = ga_resp.assertions[0]
+        .user
+        .as_ref()
+        .expect("Discoverable assertion should include user entity");
+    assert_eq!(user.id.as_ref(), user_id);
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}
+
+/// Level 3: userVerificationRequired — assertion without UV fails
+/// even with the credential ID in the allow list.
+#[test(tokio::test)]
+async fn test_cred_protect_level3() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+    channel.change_pin(PIN.to_owned(), TIMEOUT).await.unwrap();
+
+    let user_id = b"cp-level3-user";
+    let state_recv = channel.get_ux_update_receiver();
+    let uv_handle = tokio::spawn(handle_updates(
+        state_recv,
+        vec![
+            ExpectedUpdate::PinRequired,     // MakeCredential PIN
+            ExpectedUpdate::PresenceRequired, // MakeCredential touch
+            ExpectedUpdate::PresenceRequired, // GetAssertion (preflight filters credential, dummy touch)
+        ],
+    ));
+
+    let extensions =
+        cred_protect_extensions(CredentialProtectionPolicy::UserVerificationRequired);
+    let mc_resp = make_credential(
+        &mut channel,
+        user_id,
+        ResidentKeyRequirement::Required,
+        UserVerificationRequirement::Required,
+        Some(extensions),
+    )
+    .await
+    .expect("MakeCredential with credProtect level 3 failed");
+
+    assert_eq!(
+        mc_resp
+            .authenticator_data
+            .extensions
+            .as_ref()
+            .and_then(|e| e.cred_protect),
+        Some(Ctap2CredentialProtectionPolicy::Required)
+    );
+
+    // Assertion without UV should fail at level 3
+    // (preflight cannot discover this credential without UV)
+    let credential = credential_from(&mc_resp);
+    let result = get_assertion(
+        &mut channel,
+        vec![credential],
+        UserVerificationRequirement::Discouraged,
+        None,
+    )
+    .await;
+    assert!(
+        matches!(result, Err(Error::Ctap(CtapError::NoCredentials))),
+        "Level 3: assertion without UV should fail, got: {:?}",
+        result
+    );
+
+    let mut rx = uv_handle.await.unwrap();
+    assert_eq!(rx.try_recv(), Err(TryRecvError::Empty));
+}