test(credmgmt): GetNext requests carry only the subcommand

Author: AlfioEmanueleFresta

libwebauthn/src/management/credential_management.rs

@@ -333,9 +333,11 @@ mod test {
     use crate::proto::ctap2::cbor::{self, CborRequest, CborResponse};
     use crate::proto::ctap2::{
         Ctap2CommandCode, Ctap2CredentialManagementRequest, Ctap2GetInfoResponse,
-        Ctap2PublicKeyCredentialRpEntity,
+        Ctap2PublicKeyCredentialDescriptor, Ctap2PublicKeyCredentialRpEntity,
+        Ctap2PublicKeyCredentialType, Ctap2PublicKeyCredentialUserEntity,
     };
     use crate::transport::mock::channel::MockChannel;
+    use std::collections::BTreeMap;
 
     const TIMEOUT: Duration = Duration::from_secs(1);
 
@@ -379,4 +381,82 @@ mod test {
         assert_eq!(rp_data.rp_id_hash.len(), 32);
         assert_eq!(rp_data.rp_id_hash, hash.to_vec());
     }
+
+    // GetNextRP returns only rp (0x03) and rpIDHash (0x04).
+    #[derive(SerializeIndexed)]
+    struct EnumerateRpsNextResponse {
+        #[serde(index = 0x03)]
+        rp: Ctap2PublicKeyCredentialRpEntity,
+        #[serde(index = 0x04)]
+        rp_id_hash: ByteBuf,
+    }
+
+    // GetNextCredential returns user (0x06), credentialID (0x07), publicKey (0x08), credProtect (0x0A).
+    #[derive(SerializeIndexed)]
+    struct EnumerateCredsNextResponse {
+        #[serde(index = 0x06)]
+        user: Ctap2PublicKeyCredentialUserEntity,
+        #[serde(index = 0x07)]
+        credential_id: Ctap2PublicKeyCredentialDescriptor,
+        #[serde(index = 0x08)]
+        public_key: BTreeMap<i8, i8>,
+        #[serde(index = 0x0A)]
+        cred_protect: u64,
+    }
+
+    #[tokio::test]
+    async fn enumerate_rps_next_rp_sends_only_the_subcommand() {
+        let req = Ctap2CredentialManagementRequest::new_enumerate_rps_next_rp();
+        let cbor_req: CborRequest = (&req).try_into().unwrap();
+        assert_eq!(
+            cbor_req.command,
+            Ctap2CommandCode::AuthenticatorCredentialManagement
+        );
+        // CTAP 2.1 §6.8.3: {subCommand: enumerateRPsGetNextRP}, no pinUvAuth keys.
+        assert_eq!(cbor_req.encoded_data, vec![0xA1, 0x01, 0x03]);
+
+        let hash = [0xCD_u8; 32];
+        let fixture = EnumerateRpsNextResponse {
+            rp: Ctap2PublicKeyCredentialRpEntity::new("example.org", "Example"),
+            rp_id_hash: ByteBuf::from(hash.to_vec()),
+        };
+        let resp = CborResponse::new_success_from_slice(&cbor::to_vec(&fixture).unwrap());
+        // Queue only the GetNext exchange: any interleaved command panics the mock.
+        let mut channel = MockChannel::new();
+        channel.push_command_pair(cbor_req, resp);
+
+        let rp_data = channel.enumerate_rps_next_rp(TIMEOUT).await.unwrap();
+        assert_eq!(rp_data.rp_id_hash, hash.to_vec());
+    }
+
+    #[tokio::test]
+    async fn enumerate_credentials_next_sends_only_the_subcommand() {
+        let req = Ctap2CredentialManagementRequest::new_enumerate_credentials_next();
+        let cbor_req: CborRequest = (&req).try_into().unwrap();
+        assert_eq!(
+            cbor_req.command,
+            Ctap2CommandCode::AuthenticatorCredentialManagement
+        );
+        // CTAP 2.1 §6.8.4: {subCommand: enumerateCredentialsGetNextCredential}, no pinUvAuth keys.
+        assert_eq!(cbor_req.encoded_data, vec![0xA1, 0x01, 0x05]);
+
+        let fixture = EnumerateCredsNextResponse {
+            user: Ctap2PublicKeyCredentialUserEntity::new(&[0x0B; 16], "bob", "bob"),
+            credential_id: Ctap2PublicKeyCredentialDescriptor {
+                id: ByteBuf::from(vec![0x1D; 32]),
+                r#type: Ctap2PublicKeyCredentialType::PublicKey,
+                transports: None,
+            },
+            public_key: BTreeMap::from([(1, 2), (3, -7)]),
+            cred_protect: 1,
+        };
+        let resp = CborResponse::new_success_from_slice(&cbor::to_vec(&fixture).unwrap());
+        let mut channel = MockChannel::new();
+        channel.push_command_pair(cbor_req, resp);
+
+        let cred = channel.enumerate_credentials_next(TIMEOUT).await.unwrap();
+        assert_eq!(cred.user.id, ByteBuf::from(vec![0x0B; 16]));
+        assert_eq!(cred.cred_protect, 1);
+        assert!(cred.large_blob_key.is_none());
+    }
 }