|
| 1 | +use std::time::Duration; |
| 2 | + |
| 3 | +use async_trait::async_trait; |
| 4 | +use tracing::warn; |
| 5 | + |
| 6 | +use crate::pin::persistent_token::recognize_authenticator; |
| 7 | +use crate::proto::ctap2::Ctap2; |
| 8 | +use crate::transport::Channel; |
| 9 | +use crate::webauthn::error::Error; |
| 10 | + |
| 11 | +#[async_trait] |
| 12 | +pub trait AuthenticatorReset { |
| 13 | + /// Reset the authenticator to factory defaults, evicting any stored persistent token. |
| 14 | + async fn reset(&mut self, timeout: Duration) -> Result<(), Error>; |
| 15 | +} |
| 16 | + |
| 17 | +#[async_trait] |
| 18 | +impl<C> AuthenticatorReset for C |
| 19 | +where |
| 20 | + C: Channel, |
| 21 | +{ |
| 22 | + async fn reset(&mut self, timeout: Duration) -> Result<(), Error> { |
| 23 | + // Recognize before reset, while the device identifier is still derivable. |
| 24 | + let record_id = match self.persistent_token_store() { |
| 25 | + Some(store) => match self.ctap2_get_info().await { |
| 26 | + Ok(info) => recognize_authenticator(store.as_ref(), &info) |
| 27 | + .await |
| 28 | + .map(|(id, _)| id), |
| 29 | + Err(error) => { |
| 30 | + warn!( |
| 31 | + ?error, |
| 32 | + "getInfo before reset failed; cannot evict persistent token" |
| 33 | + ); |
| 34 | + None |
| 35 | + } |
| 36 | + }, |
| 37 | + None => None, |
| 38 | + }; |
| 39 | + |
| 40 | + self.ctap2_authenticator_reset(timeout).await?; |
| 41 | + |
| 42 | + if let (Some(store), Some(id)) = (self.persistent_token_store(), record_id) { |
| 43 | + store.delete(&id).await; |
| 44 | + } |
| 45 | + Ok(()) |
| 46 | + } |
| 47 | +} |
| 48 | + |
| 49 | +#[cfg(test)] |
| 50 | +mod tests { |
| 51 | + use std::sync::Arc; |
| 52 | + use std::time::Duration; |
| 53 | + |
| 54 | + use serde_bytes::ByteBuf; |
| 55 | + |
| 56 | + use super::AuthenticatorReset; |
| 57 | + use crate::pin::persistent_token::{ |
| 58 | + build_enc_identifier, MemoryPersistentTokenStore, PersistentTokenRecord, |
| 59 | + PersistentTokenStore, |
| 60 | + }; |
| 61 | + use crate::proto::ctap2::cbor::{CborRequest, CborResponse}; |
| 62 | + use crate::proto::ctap2::{Ctap2CommandCode, Ctap2GetInfoResponse, Ctap2PinUvAuthProtocol}; |
| 63 | + use crate::transport::mock::channel::MockChannel; |
| 64 | + use crate::webauthn::error::{CtapError, Error}; |
| 65 | + |
| 66 | + const TIMEOUT: Duration = Duration::from_secs(1); |
| 67 | + |
| 68 | + fn ok_response(data: Option<Vec<u8>>) -> CborResponse { |
| 69 | + CborResponse { |
| 70 | + status_code: CtapError::Ok, |
| 71 | + data, |
| 72 | + } |
| 73 | + } |
| 74 | + |
| 75 | + #[tokio::test] |
| 76 | + async fn reset_evicts_recognized_persistent_token() { |
| 77 | + let token = vec![0x07; 32]; |
| 78 | + let device_identifier = [0x42; 16]; |
| 79 | + |
| 80 | + let store = MemoryPersistentTokenStore::new(); |
| 81 | + store |
| 82 | + .put( |
| 83 | + &"id-1".to_string(), |
| 84 | + &PersistentTokenRecord { |
| 85 | + persistent_token: token.clone(), |
| 86 | + pin_uv_auth_protocol: Ctap2PinUvAuthProtocol::Two, |
| 87 | + device_identifier, |
| 88 | + aaguid: [0x22; 16], |
| 89 | + }, |
| 90 | + ) |
| 91 | + .await; |
| 92 | + |
| 93 | + let info = Ctap2GetInfoResponse { |
| 94 | + enc_identifier: Some(ByteBuf::from(build_enc_identifier( |
| 95 | + &token, |
| 96 | + &device_identifier, |
| 97 | + &[0x33; 16], |
| 98 | + ))), |
| 99 | + ..Default::default() |
| 100 | + }; |
| 101 | + let info_bytes = crate::proto::ctap2::cbor::to_vec(&info).unwrap(); |
| 102 | + |
| 103 | + let mut channel = MockChannel::new(); |
| 104 | + channel.set_persistent_token_store(Arc::new(store.clone())); |
| 105 | + channel.push_command_pair( |
| 106 | + CborRequest::new(Ctap2CommandCode::AuthenticatorGetInfo), |
| 107 | + ok_response(Some(info_bytes)), |
| 108 | + ); |
| 109 | + channel.push_command_pair( |
| 110 | + CborRequest::new(Ctap2CommandCode::AuthenticatorReset), |
| 111 | + ok_response(None), |
| 112 | + ); |
| 113 | + |
| 114 | + channel.reset(TIMEOUT).await.unwrap(); |
| 115 | + |
| 116 | + assert!( |
| 117 | + store.list().await.is_empty(), |
| 118 | + "reset must evict the recognized persistent token record" |
| 119 | + ); |
| 120 | + } |
| 121 | + |
| 122 | + #[tokio::test] |
| 123 | + async fn reset_propagates_non_ok_status() { |
| 124 | + let mut channel = MockChannel::new(); |
| 125 | + channel.push_command_pair( |
| 126 | + CborRequest::new(Ctap2CommandCode::AuthenticatorReset), |
| 127 | + CborResponse { |
| 128 | + status_code: CtapError::OperationDenied, |
| 129 | + data: None, |
| 130 | + }, |
| 131 | + ); |
| 132 | + |
| 133 | + let result = channel.reset(TIMEOUT).await; |
| 134 | + assert_eq!(result.err(), Some(Error::Ctap(CtapError::OperationDenied))); |
| 135 | + } |
| 136 | +} |
0 commit comments