refactor(webauthn): use RequestOrigin instead of RelyingPartyId in WebAuthnIDL (fix #185) (#188)

## Motivation

Closes #185.

`WebAuthnIDL::from_json` currently takes a `&RelyingPartyId`, which
forces callers (e.g. credentialsd) to override `request.origin` and
`request.cross_origin` after parsing because the bare host is not a
valid origin string and we have no place to record the top-level origin.
This replaces that parameter with a `RequestOrigin` that carries the
actual origin context, so the parsed request comes out correct without a
post-parse fixup.

## What changes

- New `Origin` and `RequestOrigin` types in
`libwebauthn::ops::webauthn`. `Origin` is a struct with `host:
OriginHost` and `port: Option<u16>`; `RequestOrigin` wraps it with an
optional `top_origin`. Convenience constructors:
`RequestOrigin::new(origin)`, `RequestOrigin::new_cross_origin(origin,
top_origin)`, `RequestOrigin::try_from(&str | String)` for one-shot
parsing of `"https://host[:port]"`.
- Host validation goes through `url::Host` so we follow the WHATWG URL
Standard host parser (domain / IPv4 / bracketed IPv6). Errors are
wrapped into a local `HostParseError` / `OriginParseError` so the `url`
crate's error type does not leak into the public API.
- `WebAuthnIDL::from_json` and `FromIdlModel::from_idl_model` now take
`&RequestOrigin`. The parsed `request.origin` is the full URL string
(`"https://example.org"`, no longer the bare host), and
`request.top_origin: Option<String>` replaces the old `cross_origin:
Option<bool>`.
- `ClientData` drops `cross_origin: Option<bool>` and derives
`crossOrigin` in the JSON from `top_origin.is_some()`. `topOrigin` is
now emitted when present.
- Bumps libwebauthn to `0.4.0` since the public `from_json` signature
and the request struct fields are breaking changes.

## Intentional non-changes

- `Origin` is a plain struct, not an enum. We only support `https`. If
we need to support a second scheme later it can become an enum without
breaking call-site field access.
- `rp.id` validation against the origin is still strict equality. The
spec actually wants a registrable-suffix check (WebAuthn L3 §5.1.3 /
§5.1.7); that is tracked separately in #187 and can build on the PSL
helpers from #173.

## Test plan

- [x] `cargo build -p libwebauthn` and `cargo build -p libwebauthn
--features virt`
- [x] `cargo build --workspace --all-targets --all-features`
- [x] `cargo fmt --all -- --check`
- [x] `cargo clippy --workspace --all-targets --all-features -- -D
warnings`
- [x] `cargo test --workspace` (149 tests, 14 new origin parser tests)
- [x] `cargo publish --dry-run -p libwebauthn` (no working-tree hacks)

Author: AlfioEmanueleFresta

Cargo.lock

@@ -40,7 +40,7 @@ async fn test_webauthn_basic_ctap2() {
     let make_credentials_request = MakeCredentialRequest {
         challenge: Vec::from(challenge),
         origin: "example.org".to_owned(),
-        cross_origin: None,
+        top_origin: None,
         relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
         user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
         resident_key: Some(ResidentKeyRequirement::Discouraged),
@@ -66,7 +66,7 @@ async fn test_webauthn_basic_ctap2() {
         relying_party_id: "example.org".to_owned(),
         challenge: Vec::from(challenge),
         origin: "example.org".to_string(),
-        cross_origin: None,
+        top_origin: None,
         allow: vec![credential],
         user_verification: UserVerificationRequirement::Discouraged,
         extensions: Some(GetAssertionRequestExtensions::default()),

libwebauthn-tests/tests/basic_ctap2.rs

@@ -49,7 +49,7 @@ async fn make_credential_call(
         exclude: exclude_list,
         extensions: None,
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     let response = channel
@@ -71,7 +71,7 @@ async fn get_assertion_call(
         user_verification: UserVerificationRequirement::Discouraged,
         extensions: None,
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     channel.webauthn_get_assertion(&get_assertion).await

libwebauthn-tests/tests/preflight.rs

@@ -116,7 +116,7 @@ async fn run_test_battery(channel: &mut HidChannel<'_>, using_pin: bool) {
         exclude: None,
         extensions: Some(extensions),
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     let state_recv = channel.get_ux_update_receiver();
@@ -175,7 +175,7 @@ async fn run_test_battery(channel: &mut HidChannel<'_>, using_pin: bool) {
         user_verification: UserVerificationRequirement::Preferred,
         extensions: None,
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     let _response = channel
@@ -494,7 +494,7 @@ async fn run_success_test(
             ..Default::default()
         }),
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     let response = channel
@@ -561,7 +561,7 @@ async fn run_failed_test(
             ..Default::default()
         }),
         timeout: TIMEOUT,
-        cross_origin: None,
+        top_origin: None,
     };
 
     let response: Result<(), WebAuthnError> = loop {

libwebauthn-tests/tests/prf.rs

@@ -1,7 +1,7 @@
 [package]
 name = "libwebauthn"
 description = "FIDO2 (WebAuthn) and FIDO U2F platform library for Linux written in Rust "
-version = "0.3.1"
+version = "0.4.0"
 authors = ["Alfie Fresta <alfie.fresta@gmail.com>"]
 edition = "2021"
 license-file = "../COPYING"
@@ -32,6 +32,7 @@ base64-url = "3.0.0"
 dbus = "0.9.5"
 tracing = "0.1.29"
 idna = "1.0.3"
+url = "2.5"
 maplit = "1.0.2"
 sha2 = "0.10.2"
 uuid = { version = "1.5.0", features = ["serde", "v4"] }

libwebauthn/Cargo.toml

@@ -149,7 +149,7 @@ async fn run_success_test(
         relying_party_id: "demo.yubico.com".to_owned(),
         challenge: Vec::from(challenge),
         origin: "demo.yubico.com".to_string(),
-        cross_origin: None,
+        top_origin: None,
         allow: vec![credential.clone()],
         user_verification: UserVerificationRequirement::Preferred,
         extensions: Some(GetAssertionRequestExtensions {

libwebauthn/examples/prf_test.rs

@@ -130,7 +130,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let make_credentials_request = MakeCredentialRequest {
             challenge: Vec::from(challenge),
             origin: "example.org".to_owned(),
-            cross_origin: None,
+            top_origin: None,
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
             resident_key: Some(ResidentKeyRequirement::Discouraged),
@@ -170,7 +170,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         relying_party_id: "example.org".to_owned(),
         challenge: Vec::from(challenge),
         origin: "example.org".to_string(),
-        cross_origin: None,
+        top_origin: None,
         allow: vec![credential],
         user_verification: UserVerificationRequirement::Discouraged,
         extensions: Some(GetAssertionRequestExtensions::default()),

libwebauthn/examples/webauthn_cable.rs

@@ -109,7 +109,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let make_credentials_request = MakeCredentialRequest {
             challenge: Vec::from(challenge),
             origin: "example.org".to_owned(),
-            cross_origin: None,
+            top_origin: None,
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
             resident_key: Some(ResidentKeyRequirement::Required),
@@ -149,7 +149,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             relying_party_id: "example.org".to_owned(),
             challenge: Vec::from(challenge),
             origin: "example.org".to_string(),
-            cross_origin: None,
+            top_origin: None,
             allow: vec![credential],
             user_verification: UserVerificationRequirement::Discouraged,
             extensions: Some(GetAssertionRequestExtensions {

libwebauthn/examples/webauthn_extensions_hid.rs

@@ -121,7 +121,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let make_credentials_request = MakeCredentialRequest {
             challenge: Vec::from(challenge),
             origin: "example.org".to_owned(),
-            cross_origin: None,
+            top_origin: None,
             relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
             user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
             resident_key: Some(ResidentKeyRequirement::Discouraged),
@@ -160,7 +160,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
             relying_party_id: "example.org".to_owned(),
             challenge: Vec::from(challenge),
             origin: "example.org".to_string(),
-            cross_origin: None,
+            top_origin: None,
             allow: vec![credential],
             user_verification: UserVerificationRequirement::Discouraged,
             extensions: Some(GetAssertionRequestExtensions::default()),

libwebauthn/examples/webauthn_hid.rs

@@ -8,7 +8,7 @@ use tokio::sync::broadcast::Receiver;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
-    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RelyingPartyId, WebAuthnIDL as _,
+    GetAssertionRequest, JsonFormat, MakeCredentialRequest, RequestOrigin, WebAuthnIDL as _,
     WebAuthnIDLResponse as _,
 };
 use libwebauthn::pin::PinRequestReason;
@@ -79,7 +79,8 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         let mut channel = device.channel().await?;
         channel.wink(TIMEOUT).await?;
 
-        let rpid = RelyingPartyId("example.org".to_owned());
+        let request_origin: RequestOrigin =
+            "https://example.org".try_into().expect("Invalid origin");
         let request_json = r#"
                 {
                     "rp": {
@@ -105,7 +106,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 }
                 "#;
         let make_credentials_request: MakeCredentialRequest =
-            MakeCredentialRequest::from_json(&rpid, request_json)
+            MakeCredentialRequest::from_json(&request_origin, request_json)
                 .expect("Failed to parse request JSON");
         println!(
             "WebAuthn MakeCredential request: {:?}",
@@ -157,7 +158,7 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
                 }
                 "#;
         let get_assertion: GetAssertionRequest =
-            GetAssertionRequest::from_json(&rpid, request_json)
+            GetAssertionRequest::from_json(&request_origin, request_json)
                 .expect("Failed to parse request JSON");
         println!("WebAuthn GetAssertion request: {:?}", get_assertion);