Derive rpId from NavigationContext in gateway

Author: AlfioEmanueleFresta

credentialsd/src/gateway/mod.rs

@@ -85,7 +85,7 @@ impl GatewayService {
         context: RequestContext,
         parent_window: Option<WindowHandle>,
     ) -> Result<CreateCredentialResponse, WebAuthnError> {
-        let _request_environment = validate_request(&context)?;
+        let request_environment = validate_request(&context)?;
 
         if let ("publicKey", Some(_)) = (request.r#type.as_ref(), &request.public_key) {
             // TODO: assert that RP ID is bound to origin:
@@ -95,7 +95,7 @@ impl GatewayService {
             //    - query for related origins, if supported
             //    - fail if not supported, or if RP ID doesn't match any related origins.
             let (make_cred_request, client_data_json) =
-                create_credential_request_try_into_ctap2(&request)
+                create_credential_request_try_into_ctap2(&request, &request_environment)
                     .inspect_err(|_| {
                         tracing::error!(
                             "Could not parse passkey creation request. Rejecting request."
@@ -143,7 +143,7 @@ impl GatewayService {
         context: RequestContext,
         parent_window: Option<WindowHandle>,
     ) -> Result<GetCredentialResponse, WebAuthnError> {
-        let _request_environment = validate_request(&context)?;
+        let request_environment = validate_request(&context)?;
 
         if request.public_key.is_some() {
             // Setup request
@@ -155,10 +155,12 @@ impl GatewayService {
             //    - query for related origins, if supported
             //    - fail if not supported, or if RP ID doesn't match any related origins.
             let (get_cred_request, client_data_json) =
-                get_credential_request_try_into_ctap2(&request).map_err(|e| {
-                    tracing::error!("Could not parse passkey assertion request: {e:?}");
-                    WebAuthnError::TypeError
-                })?;
+                get_credential_request_try_into_ctap2(&request, &request_environment).map_err(
+                    |e| {
+                        tracing::error!("Could not parse passkey assertion request: {e:?}");
+                        WebAuthnError::TypeError
+                    },
+                )?;
             let cred_request = CredentialRequest::GetPublicKeyCredentialRequest(get_cred_request);
 
             let response = self

credentialsd/src/gateway/util.rs

@@ -13,87 +13,91 @@ use credentialsd_common::{
 use crate::model::{GetAssertionResponseInternal, MakeCredentialResponseInternal};
 use crate::webauthn::{
     self, GetAssertionRequest, GetPublicKeyCredentialUnsignedExtensionsResponse,
-    MakeCredentialRequest, RelyingPartyId, WebAuthnIDL,
+    MakeCredentialRequest, NavigationContext, Origin, RelyingPartyId, WebAuthnIDL,
 };
 
-/// Parses a WebAuthn create credential request from D-Bus into a CTAP2 MakeCredentialRequest.
-///
-/// Uses libwebauthn's `WebAuthnIDL::from_json()` for parsing, which handles:
-/// - Challenge decoding from base64url
-/// - User entity parsing with base64url-encoded user ID
-/// - Relying party entity parsing
-/// - Extension parsing (credProps, credBlob, largeBlobSupport, prf, etc.)
-/// - Authenticator selection criteria (residentKey, userVerification)
-/// - Excluded credentials list
-/// - Public key credential parameters
+/// Reads the rpId from a create-credential request JSON (`rp.id`).
 ///
-/// Returns the parsed request and the client data JSON (needed for response serialization).
-pub(super) fn create_credential_request_try_into_ctap2(
-    request: &CreateCredentialRequest,
-) -> std::result::Result<(MakeCredentialRequest, String), WebAuthnError> {
-    if request.public_key.is_none() {
-        return Err(WebAuthnError::NotSupportedError);
-    }
-    let options = request.public_key.as_ref().ok_or_else(|| {
-        tracing::info!("Invalid request: missing public_key");
+/// Used as a fallback when the origin is an AppId and the effective domain
+/// cannot be derived from the origin alone.
+// TODO(libwebauthn#185)
+fn peek_make_credential_rp_id(request_json: &str) -> Result<RelyingPartyId, WebAuthnError> {
+    let value = serde_json::from_str::<serde_json::Value>(request_json).map_err(|err| {
+        tracing::info!("Invalid request JSON: {err}");
         WebAuthnError::TypeError
     })?;
-
-    // Get origin and determine relying party ID
-    let (origin, _is_cross_origin) =
-        match (request.origin.as_ref(), request.is_same_origin.as_ref()) {
-            (Some(origin), Some(is_same_origin)) => (origin.to_string(), !is_same_origin),
-            (Some(origin), None) => (origin.to_string(), true),
-            (None, _) => {
-                tracing::info!("Error reading origin from request.");
-                return Err(WebAuthnError::TypeError);
-            }
-        };
-
-    // Extract rpId from JSON for RelyingPartyId construction
-    // libwebauthn validates that the rpId in the request matches this
-    let request_value =
-        serde_json::from_str::<serde_json::Value>(&options.request_json).map_err(|err| {
-            tracing::info!("Invalid request JSON: {err}");
-            WebAuthnError::TypeError
-        })?;
-    let json = request_value.as_object().ok_or_else(|| {
-        tracing::info!("Invalid request JSON: not an object");
-        WebAuthnError::TypeError
-    })?;
-
-    // Get rpId from the request, or derive from origin
-    let rp_id_str = json
+    let rp_id_str = value
         .get("rp")
         .and_then(|rp| rp.get("id"))
         .and_then(|id| id.as_str())
-        .map(|s| s.to_string())
-        .unwrap_or_else(|| {
-            // Default to effective domain from origin
-            origin
-                .strip_prefix("https://")
-                .map(|rest| rest.split_once('/').map(|(d, _)| d).unwrap_or(rest))
-                .unwrap_or(&origin)
-                .to_string()
-        });
+        .ok_or_else(|| {
+            tracing::info!("RP ID required if using app ID as origin");
+            WebAuthnError::SecurityError
+        })?;
+    RelyingPartyId::try_from(rp_id_str).map_err(|_| {
+        tracing::info!("Invalid relying party ID");
+        WebAuthnError::TypeError
+    })
+}
 
-    let rp_id = RelyingPartyId::try_from(rp_id_str.as_str()).map_err(|_| {
+/// Reads the rpId from a get-credential request JSON (`rpId`).
+///
+/// Used as a fallback when the origin is an AppId and the effective domain
+/// cannot be derived from the origin alone.
+// TODO(libwebauthn#185)
+fn peek_get_assertion_rp_id(request_json: &str) -> Result<RelyingPartyId, WebAuthnError> {
+    let value = serde_json::from_str::<serde_json::Value>(request_json).map_err(|err| {
+        tracing::info!("Invalid request JSON: {err}");
+        WebAuthnError::TypeError
+    })?;
+    let rp_id_str = value
+        .get("rpId")
+        .and_then(|id| id.as_str())
+        .ok_or_else(|| {
+            tracing::info!("RP ID required if using app ID as origin");
+            WebAuthnError::SecurityError
+        })?;
+    RelyingPartyId::try_from(rp_id_str).map_err(|_| {
         tracing::info!("Invalid relying party ID");
         WebAuthnError::TypeError
+    })
+}
+
+/// Parses a WebAuthn create credential request from D-Bus into a CTAP2 MakeCredentialRequest.
+///
+/// Uses libwebauthn's `WebAuthnIDL::from_json()` for parsing. The relying party ID is derived
+/// from the request's origin; libwebauthn validates that any rpId in the JSON matches it.
+pub(super) fn create_credential_request_try_into_ctap2(
+    request: &CreateCredentialRequest,
+    request_environment: &NavigationContext,
+) -> std::result::Result<(MakeCredentialRequest, String), WebAuthnError> {
+    let options = request.public_key.as_ref().ok_or_else(|| {
+        tracing::info!("Invalid request: missing public_key");
+        WebAuthnError::NotSupportedError
     })?;
 
-    // Use libwebauthn's JSON parsing
+    let origin = request_environment.origin();
+    let rp_id = match origin {
+        Origin::Https { .. } => RelyingPartyId::try_from(origin).map_err(|err| {
+            tracing::info!("Cannot derive relying party ID from origin: {err}");
+            WebAuthnError::SecurityError
+        })?,
+        Origin::AppId(_) => peek_make_credential_rp_id(&options.request_json)?,
+    };
+
     let mut make_cred_request = MakeCredentialRequest::from_json(&rp_id, &options.request_json)
         .map_err(|err| {
             tracing::info!("Failed to parse MakeCredential request JSON: {err}");
             WebAuthnError::TypeError
         })?;
 
-    // Set origin and cross_origin from D-Bus request context
-    make_cred_request.origin = origin;
-    make_cred_request.cross_origin = request.is_same_origin.as_ref().map(|same| !same);
+    // TODO(libwebauthn#185)
+    make_cred_request.origin = origin.to_string();
+    make_cred_request.cross_origin = Some(matches!(
+        request_environment,
+        NavigationContext::CrossOrigin(_)
+    ));
 
-    // Get the client data JSON from the request for response serialization
     let client_data_json = make_cred_request.client_data_json();
 
     Ok((make_cred_request, client_data_json))
@@ -143,77 +147,39 @@ pub(super) fn create_credential_response_try_from_ctap2(
 
 /// Parses a WebAuthn get credential request from D-Bus into a CTAP2 GetAssertionRequest.
 ///
-/// Uses libwebauthn's `WebAuthnIDL::from_json()` for parsing, which handles:
-/// - Challenge decoding from base64url
-/// - Allowed credentials list with transports
-/// - Extension parsing (getCredBlob, largeBlob, prf, hmac-secret)
-/// - User verification requirement
-///
-/// Returns the parsed request and the client data JSON (needed for response serialization).
+/// Uses libwebauthn's `WebAuthnIDL::from_json()` for parsing. The relying party ID is derived
+/// from the request's origin; libwebauthn validates that any rpId in the JSON matches it.
 pub(super) fn get_credential_request_try_into_ctap2(
     request: &GetCredentialRequest,
+    request_environment: &NavigationContext,
 ) -> std::result::Result<(GetAssertionRequest, String), WebAuthnError> {
-    if request.public_key.is_none() {
-        return Err(WebAuthnError::NotSupportedError);
-    }
     let options = request.public_key.as_ref().ok_or_else(|| {
         tracing::info!("Invalid request: no \"publicKey\" options specified.");
-        WebAuthnError::TypeError
+        WebAuthnError::NotSupportedError
     })?;
 
-    // Get origin
-    let (origin, _is_cross_origin) =
-        match (request.origin.as_ref(), request.is_same_origin.as_ref()) {
-            (Some(origin), Some(is_same_origin)) => (origin.to_string(), !is_same_origin),
-            (Some(origin), None) => (origin.to_string(), true),
-            (None, _) => {
-                tracing::info!("Error reading origin from client request.");
-                return Err(WebAuthnError::TypeError);
-            }
-        };
-
-    // Extract rpId from JSON for RelyingPartyId construction
-    let request_value =
-        serde_json::from_str::<serde_json::Value>(&options.request_json).map_err(|err| {
-            tracing::info!("Invalid request JSON: {err}");
-            WebAuthnError::TypeError
-        })?;
-    let json = request_value.as_object().ok_or_else(|| {
-        tracing::info!("Invalid request JSON: not an object");
-        WebAuthnError::TypeError
-    })?;
-
-    // Get rpId from the request, or derive from origin
-    let rp_id_str = json
-        .get("rpId")
-        .and_then(|id| id.as_str())
-        .map(|s| s.to_string())
-        .unwrap_or_else(|| {
-            // Default to effective domain from origin
-            origin
-                .strip_prefix("https://")
-                .map(|rest| rest.split_once('/').map(|(d, _)| d).unwrap_or(rest))
-                .unwrap_or(&origin)
-                .to_string()
-        });
-
-    let rp_id = RelyingPartyId::try_from(rp_id_str.as_str()).map_err(|_| {
-        tracing::info!("Invalid relying party ID");
-        WebAuthnError::TypeError
-    })?;
+    let origin = request_environment.origin();
+    let rp_id = match origin {
+        Origin::Https { .. } => RelyingPartyId::try_from(origin).map_err(|err| {
+            tracing::info!("Cannot derive relying party ID from origin: {err}");
+            WebAuthnError::SecurityError
+        })?,
+        Origin::AppId(_) => peek_get_assertion_rp_id(&options.request_json)?,
+    };
 
-    // Use libwebauthn's JSON parsing
     let mut get_assertion_request = GetAssertionRequest::from_json(&rp_id, &options.request_json)
         .map_err(|err| {
-        tracing::info!("Failed to parse GetAssertion request JSON: {err}");
-        WebAuthnError::TypeError
-    })?;
+            tracing::info!("Failed to parse GetAssertion request JSON: {err}");
+            WebAuthnError::TypeError
+        })?;
 
-    // Set origin and cross_origin from D-Bus request context
-    get_assertion_request.origin = origin;
-    get_assertion_request.cross_origin = request.is_same_origin.as_ref().map(|same| !same);
+    // TODO(libwebauthn#185)
+    get_assertion_request.origin = origin.to_string();
+    get_assertion_request.cross_origin = Some(matches!(
+        request_environment,
+        NavigationContext::CrossOrigin(_)
+    ));
 
-    // Get the client data JSON from the request for response serialization
     let client_data_json = get_assertion_request.client_data_json();
 
     Ok((get_assertion_request, client_data_json))

credentialsd/src/webauthn.rs

@@ -510,6 +510,23 @@ impl Display for Origin {
     }
 }
 
+impl TryFrom<&Origin> for RelyingPartyId {
+    type Error = OriginParseError;
+
+    /// Derives the relying party ID (effective domain) from an origin.
+    ///
+    /// AppId origins have no effective domain and must be mapped to an rpId
+    /// out-of-band, so this conversion fails for them.
+    fn try_from(origin: &Origin) -> Result<Self, Self::Error> {
+        match origin {
+            Origin::Https { host, .. } => {
+                RelyingPartyId::try_from(host.as_str()).map_err(|_| OriginParseError::InvalidHost)
+            }
+            Origin::AppId(_) => Err(OriginParseError::InvalidScheme),
+        }
+    }
+}
+
 impl FromStr for Origin {
     type Err = OriginParseError;