java-webauthn-server/webauthn-server-attestation/src/integrationTest/scala/com/yubico/fido/metadata/FidoMetadataServiceIntegrationTest.scala at 17de2d868a5cb40788dff602fc30b25ed8b0ef4c · Yubico/java-webauthn-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
package com.yubico.fido.metadata

import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_EXTERNAL
import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_INTERNAL
import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_NFC
import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRED
import com.yubico.fido.metadata.AttachmentHint.ATTACHMENT_HINT_WIRELESS
import com.yubico.fido.metadata.TestCaches.cachedDefaultSettingsDownloader
import com.yubico.internal.util.CertificateParser
import com.yubico.webauthn.FinishRegistrationOptions
import com.yubico.webauthn.RelyingParty
import com.yubico.webauthn.TestWithEachProvider
import com.yubico.webauthn.test.Helpers
import com.yubico.webauthn.test.RealExamples
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.junit.runner.RunWith
import org.scalatest.BeforeAndAfter
import org.scalatest.funspec.AnyFunSpec
import org.scalatest.matchers.should.Matchers
import org.scalatest.tags.Network
import org.scalatest.tags.Slow
import org.scalatestplus.junit.JUnitRunner

import java.time.Clock
import java.time.ZoneOffset
import scala.jdk.CollectionConverters.SetHasAsJava
import scala.jdk.CollectionConverters.SetHasAsScala
import scala.jdk.OptionConverters.RichOptional
import scala.util.Try

@Slow
@Network
@RunWith(classOf[JUnitRunner])
class FidoMetadataServiceIntegrationTest
    extends AnyFunSpec
    with Matchers
    with BeforeAndAfter
    with TestWithEachProvider {

  describe("FidoMetadataService") {

    describe("downloaded with default settings") {
      val downloader = cachedDefaultSettingsDownloader.build()
      val fidoMds =
        Try(
          FidoMetadataService
            .builder()
            .useBlob(
              TestCaches.cacheSynchronized(
                // Since the integration tests cache downloads to file:
                // Use refreshBlob() here to always exercise the HTTP part of the downloader,
                // and loadCachedBlob() elsewhere to not cause unnecessary server load.
                downloader.refreshBlob()
              )
            )
            .build()
        )

      val attachmentHintsUsb =
        Set(ATTACHMENT_HINT_EXTERNAL, ATTACHMENT_HINT_WIRED)
      val attachmentHintsNfc =
        attachmentHintsUsb ++ Set(ATTACHMENT_HINT_WIRELESS, ATTACHMENT_HINT_NFC)

      describe("correctly identifies and trusts") {
        def check(
            expectedDescriptionRegex: String,
            testData: RealExamples.Example,
            attachmentHints: Set[AttachmentHint],
        ): Unit = {

          val rp = RelyingParty
            .builder()
            .identity(testData.rp)
            .credentialRepository(Helpers.CredentialRepository.empty)
            .origins(
              Set(testData.attestation.collectedClientData.getOrigin).asJava
            )
            .allowUntrustedAttestation(false)
            .attestationTrustSource(fidoMds.get)
            .clock(
              Clock.fixed(
                CertificateParser
                  .parseDer(testData.attestationCert.getBytes)
                  .getNotBefore
                  .toInstant,
                ZoneOffset.UTC,
              )
            )
            .build()

          val registrationResult = rp.finishRegistration(
            FinishRegistrationOptions
              .builder()
              .request(testData.asRegistrationTestData.request)
              .response(testData.attestation.credential)
              .build()
          )

          registrationResult.isAttestationTrusted should be(true)

          val entries = fidoMds.get
            .findEntries(registrationResult)
            .asScala
          entries should not be empty
          val metadataStatements =
            entries.flatMap(_.getMetadataStatement.toScala)

          val descriptions =
            metadataStatements.flatMap(_.getDescription.toScala).toSet
          for { desc <- descriptions } {
            desc should (fullyMatch regex expectedDescriptionRegex)
          }

          metadataStatements
            .flatMap(_.getAttachmentHint.toScala.map(_.asScala))
            .flatten
            .toSet should equal(attachmentHints)
        }

        it("a YubiKey NEO.") {
          check("YubiKey NEO", RealExamples.YubiKeyNeo, attachmentHintsNfc)
        }

        it("a YubiKey 4.") {
          check(
            "YK4 Series Key by Yubico",
            RealExamples.YubiKey4,
            attachmentHintsUsb,
          )
        }

        it("a YubiKey 5 NFC.") {
          check(
            "YubiKey 5 Series with NFC",
            RealExamples.YubiKey5,
            attachmentHintsNfc,
          )
        }

        it("an early YubiKey 5 NFC.") {
          check(
            "YubiKey 5 Series with NFC",
            RealExamples.YubiKey5Nfc,
            attachmentHintsNfc,
          )
        }

        it("a newer YubiKey 5 NFC.") {
          check(
            "YubiKey 5 Series with NFC",
            RealExamples.YubiKey5NfcPost5cNfc,
            attachmentHintsNfc,
          )
        }

        it("a YubiKey 5C NFC.") {
          check(
            "YubiKey 5 Series with NFC",
            RealExamples.YubiKey5cNfc,
            attachmentHintsNfc,
          )
        }

        it("a YubiKey 5 Nano.") {
          check(
            "YubiKey 5 Series",
            RealExamples.YubiKey5Nano,
            attachmentHintsUsb,
          )
        }

        it("a YubiKey 5Ci.") {
          check(
            "YubiKey 5 .*Lightning",
            RealExamples.YubiKey5Ci,
            attachmentHintsUsb,
          )
        }

        it("a Security Key by Yubico.") {
          check(
            "Security Key by Yubico",
            RealExamples.SecurityKey,
            attachmentHintsUsb,
          )
        }

        it("a Security Key 2 by Yubico.") {
          check(
            "Security Key by Yubico",
            RealExamples.SecurityKey2,
            attachmentHintsUsb,
          )
        }

        it("a Security Key NFC by Yubico.") {
          check(
            "Security Key by Yubico with NFC",
            RealExamples.SecurityKeyNfc,
            attachmentHintsNfc,
          )
        }

        it("a YubiKey 5.4 NFC FIPS.") {
          withProviderContext(List(new BouncyCastleProvider)) { // Needed for JDK<14 because this example uses EdDSA
            check(
              "YubiKey 5 FIPS Series with NFC",
              RealExamples.YubikeyFips5Nfc,
              attachmentHintsNfc,
            )
          }
        }

        it("a YubiKey 5.4 Ci FIPS.") {
          check(
            "YubiKey 5 FIPS .*Lightning",
            RealExamples.Yubikey5ciFips,
            attachmentHintsUsb,
          )
        }

        it("a YubiKey Bio.") {
          check(
            "YubiKey Bio Series - FIDO Edition",
            RealExamples.YubikeyBio_5_5_4,
            attachmentHintsUsb,
          )
          check(
            "YubiKey Bio Series - FIDO Edition",
            RealExamples.YubikeyBio_5_5_5,
            attachmentHintsUsb,
          )
          withProviderContext(List(new BouncyCastleProvider)) { // Needed for JDK<14 because this example uses EdDSA
            check(
              "YubiKey Bio Series - FIDO Edition",
              RealExamples.YubikeyBio_5_5_6,
              attachmentHintsUsb,
            )
          }
        }

        it("a Windows Hello attestation.") {
          check(
            "Windows Hello.*",
            RealExamples.WindowsHelloTpm,
            Set(ATTACHMENT_HINT_INTERNAL),
          )
        }
      }
    }
  }
}