Merge pull request #19006 from rwinch/main-CredentialRecordOwnerAuthorizationManager

Merge Add CredentialRecordOwnerAuthorizationManager

Author: rwinch

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -39,6 +39,7 @@
 import org.springframework.security.web.webauthn.authentication.PublicKeyCredentialRequestOptionsFilter;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider;
+import org.springframework.security.web.webauthn.management.CredentialRecordOwnerAuthorizationManager;
 import org.springframework.security.web.webauthn.management.MapPublicKeyCredentialUserEntityRepository;
 import org.springframework.security.web.webauthn.management.MapUserCredentialRepository;
 import org.springframework.security.web.webauthn.management.PublicKeyCredentialUserEntityRepository;
@@ -180,6 +181,8 @@ public void configure(H http) {
 		webAuthnAuthnFilter = postProcess(webAuthnAuthnFilter);
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);
+		webAuthnRegistrationFilter.setDeleteCredentialAuthorizationManager(
+				new CredentialRecordOwnerAuthorizationManager(userCredentials, userEntities));
 		PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter(
 				rpOperations);
 		if (creationOptionsRepository != null) {

config/src/test/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurerTests.java

@@ -43,9 +43,16 @@
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
+import org.springframework.security.web.webauthn.api.TestCredentialRecords;
 import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
 import org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter;
+import org.springframework.security.web.webauthn.management.MapPublicKeyCredentialUserEntityRepository;
+import org.springframework.security.web.webauthn.management.MapUserCredentialRepository;
+import org.springframework.security.web.webauthn.management.PublicKeyCredentialUserEntityRepository;
+import org.springframework.security.web.webauthn.management.UserCredentialRepository;
 import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations;
 import org.springframework.security.web.webauthn.registration.HttpSessionPublicKeyCredentialCreationOptionsRepository;
 import org.springframework.test.web.servlet.MockMvc;
@@ -58,6 +65,7 @@
 import static org.mockito.Mockito.mock;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
@@ -257,6 +265,24 @@ public void webauthnWhenConfiguredMessageConverter() throws Exception {
 			.andExpect(content().string(expectedBody));
 	}
 
+	@Test
+	void webauthnWhenDeleteAndCredentialBelongsToUserThenNoContent() throws Exception {
+		this.spring.register(DeleteCredentialConfiguration.class).autowire();
+		this.mvc
+			.perform(delete("/webauthn/register/" + DeleteCredentialConfiguration.CREDENTIAL_ID_BASE64URL)
+				.with(authentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"))))
+			.andExpect(status().isNoContent());
+	}
+
+	@Test
+	void webauthnWhenDeleteAndCredentialBelongsToDifferentUserThenForbidden() throws Exception {
+		this.spring.register(DeleteCredentialConfiguration.class).autowire();
+		this.mvc
+			.perform(delete("/webauthn/register/" + DeleteCredentialConfiguration.CREDENTIAL_ID_BASE64URL)
+				.with(authentication(new TestingAuthenticationToken("other-user", "password", "ROLE_USER"))))
+			.andExpect(status().isForbidden());
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class ConfigCredentialCreationOptionsRepository {
@@ -475,4 +501,47 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class DeleteCredentialConfiguration {
+
+		static final String CREDENTIAL_ID_BASE64URL = "NauGCN7bZ5jEBwThcde51g";
+
+		static final Bytes USER_ENTITY_ID = Bytes.fromBase64("vKBFhsWT3gQnn-gHdT4VXIvjDkVXVYg5w8CLGHPunMM");
+
+		@Bean
+		UserDetailsService userDetailsService() {
+			return new InMemoryUserDetailsManager();
+		}
+
+		@Bean
+		WebAuthnRelyingPartyOperations webAuthnRelyingPartyOperations() {
+			return mock(WebAuthnRelyingPartyOperations.class);
+		}
+
+		@Bean
+		UserCredentialRepository userCredentialRepository() {
+			MapUserCredentialRepository repository = new MapUserCredentialRepository();
+			repository.save(TestCredentialRecords.userCredential().build());
+			return repository;
+		}
+
+		@Bean
+		PublicKeyCredentialUserEntityRepository userEntityRepository() {
+			MapPublicKeyCredentialUserEntityRepository repository = new MapPublicKeyCredentialUserEntityRepository();
+			repository.save(ImmutablePublicKeyCredentialUserEntity.builder()
+				.name("user")
+				.id(USER_ENTITY_ID)
+				.displayName("User")
+				.build());
+			return repository;
+		}
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			return http.csrf(AbstractHttpConfigurer::disable).webAuthn(Customizer.withDefaults()).build();
+		}
+
+	}
+
 }

webauthn/src/main/java/org/springframework/security/web/webauthn/management/CredentialRecordOwnerAuthorizationManager.java

@@ -0,0 +1,95 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.management;
+
+import java.util.function.Supplier;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.CredentialRecord;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthorizationManager} that grants access when the {@link CredentialRecord}
+ * identified by the provided credential id is owned by the currently authenticated user.
+ *
+ * <p>
+ * Per the <a href="https://www.w3.org/TR/webauthn-3/#credential-id">WebAuthn
+ * specification</a>, a credential id must contain at least 16 bytes with at least 100
+ * bits of entropy, making it practically unguessable. The specification also advises that
+ * credential ids should be kept private, as exposing them can leak personally identifying
+ * information (see
+ * <a href="https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak">§ 14.6.3
+ * Privacy leak via credential IDs</a>). This {@link AuthorizationManager} is therefore
+ * intended as defense in depth: even if a credential id were somehow exposed, an
+ * unauthorized user could not delete another user's credential.
+ *
+ * @author Rob Winch
+ * @since 6.5.10
+ */
+public final class CredentialRecordOwnerAuthorizationManager implements AuthorizationManager<Bytes> {
+
+	private final AuthenticatedAuthorizationManager<Bytes> authenticatedAuthorizationManager = AuthenticatedAuthorizationManager
+		.authenticated();
+
+	private final UserCredentialRepository userCredentials;
+
+	private final PublicKeyCredentialUserEntityRepository userEntities;
+
+	/**
+	 * Creates a new instance.
+	 * @param userCredentials the {@link UserCredentialRepository} to use
+	 * @param userEntities the {@link PublicKeyCredentialUserEntityRepository} to use
+	 */
+	public CredentialRecordOwnerAuthorizationManager(UserCredentialRepository userCredentials,
+			PublicKeyCredentialUserEntityRepository userEntities) {
+		Assert.notNull(userCredentials, "userCredentials cannot be null");
+		Assert.notNull(userEntities, "userEntities cannot be null");
+		this.userCredentials = userCredentials;
+		this.userEntities = userEntities;
+	}
+
+	@Override
+	public AuthorizationResult authorize(Supplier<? extends @Nullable Authentication> authentication,
+			Bytes credentialId) {
+		AuthorizationResult decision = this.authenticatedAuthorizationManager.authorize(authentication, credentialId);
+		if (!decision.isGranted()) {
+			return decision;
+		}
+		Authentication auth = authentication.get();
+		CredentialRecord credential = this.userCredentials.findByCredentialId(credentialId);
+		if (credential == null) {
+			return new AuthorizationDecision(false);
+		}
+		if (credential.getUserEntityUserId() == null) {
+			return new AuthorizationDecision(false);
+		}
+		PublicKeyCredentialUserEntity userEntity = this.userEntities.findByUsername(auth.getName());
+		if (userEntity == null) {
+			return new AuthorizationDecision(false);
+		}
+		return new AuthorizationDecision(credential.getUserEntityUserId().equals(userEntity.getId()));
+	}
+
+}

webauthn/src/main/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationFilter.java

@@ -17,6 +17,7 @@
 package org.springframework.security.web.webauthn.registration;
 
 import java.io.IOException;
+import java.util.function.Supplier;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -35,6 +36,12 @@
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.http.server.ServletServerHttpResponse;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.SingleResultAuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.webauthn.api.Bytes;
@@ -88,6 +95,9 @@ public class WebAuthnRegistrationFilter extends OncePerRequestFilter {
 
 	private final UserCredentialRepository userCredentials;
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+		.getContextHolderStrategy();
+
 	private HttpMessageConverter<Object> converter = new JacksonJsonHttpMessageConverter(
 			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
 
@@ -99,6 +109,9 @@ public class WebAuthnRegistrationFilter extends OncePerRequestFilter {
 	private RequestMatcher removeCredentialMatcher = PathPatternRequestMatcher.withDefaults()
 		.matcher(HttpMethod.DELETE, "/webauthn/register/{id}");
 
+	private AuthorizationManager<Bytes> deleteCredentialAuthorizationManager = SingleResultAuthorizationManager
+		.denyAll();
+
 	public WebAuthnRegistrationFilter(UserCredentialRepository userCredentials,
 			WebAuthnRelyingPartyOperations rpOptions) {
 		Assert.notNull(userCredentials, "userCredentials must not be null");
@@ -133,6 +146,42 @@ public void setRemoveCredentialMatcher(RequestMatcher removeCredentialMatcher) {
 		this.removeCredentialMatcher = removeCredentialMatcher;
 	}
 
+	/**
+	 * Sets the {@link AuthorizationManager} used to authorize the delete credential
+	 * operation. The object being authorized is the credential id as {@link Bytes}. By
+	 * default, all delete requests are denied.
+	 *
+	 * <p>
+	 * Per the <a href="https://www.w3.org/TR/webauthn-3/#credential-id">WebAuthn
+	 * specification</a>, a credential id must contain at least 16 bytes with at least 100
+	 * bits of entropy, making it practically unguessable. The specification also advises
+	 * that credential ids should be kept private, as exposing them can leak personally
+	 * identifying information (see
+	 * <a href="https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak">§
+	 * 14.6.3 Privacy leak via credential IDs</a>). This {@link AuthorizationManager} is
+	 * therefore intended as defense in depth: even if a credential id were somehow
+	 * exposed, an unauthorized user could not delete another user's credential.
+	 * @param deleteCredentialAuthorizationManager the {@link AuthorizationManager} to use
+	 * @since 6.5.10
+	 */
+	public void setDeleteCredentialAuthorizationManager(
+			AuthorizationManager<Bytes> deleteCredentialAuthorizationManager) {
+		Assert.notNull(deleteCredentialAuthorizationManager, "deleteCredentialAuthorizationManager cannot be null");
+		this.deleteCredentialAuthorizationManager = deleteCredentialAuthorizationManager;
+	}
+
+	/**
+	 * Sets the {@link SecurityContextHolderStrategy} to use. The default is
+	 * {@link SecurityContextHolder#getContextHolderStrategy()}.
+	 * @param securityContextHolderStrategy the {@link SecurityContextHolderStrategy} to
+	 * use
+	 * @since 6.5.10
+	 */
+	public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
@@ -204,7 +253,15 @@ private void registerCredential(HttpServletRequest request, HttpServletResponse
 
 	private void removeCredential(HttpServletRequest request, HttpServletResponse response, @Nullable String id)
 			throws IOException {
-		this.userCredentials.delete(Bytes.fromBase64(id));
+		Bytes credentialId = Bytes.fromBase64(id);
+		Supplier<Authentication> authentication = () -> this.securityContextHolderStrategy.getContext()
+			.getAuthentication();
+		AuthorizationResult result = this.deleteCredentialAuthorizationManager.authorize(authentication, credentialId);
+		if (result != null && !result.isGranted()) {
+			response.setStatus(HttpStatus.FORBIDDEN.value());
+			return;
+		}
+		this.userCredentials.delete(credentialId);
 		response.setStatus(HttpStatus.NO_CONTENT.value());
 	}