Merge pull request #107 from Yubico/unrequested-extensions

Test that RP can opt into unrequested extensions

Author: emlun

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -118,6 +118,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with ScalaCheckDri
     allowCredentials: Option[java.util.List[PublicKeyCredentialDescriptor]] = Some(List(PublicKeyCredentialDescriptor.builder().id(Defaults.credentialId).build()).asJava),
     allowOriginPort: Boolean = false,
     allowOriginSubdomain: Boolean = false,
+    allowUnrequestedExtensions: Boolean = false,
     authenticatorData: ByteArray = Defaults.authenticatorData,
     callerTokenBindingId: Option[ByteArray] = None,
     challenge: ByteArray = Defaults.challenge,
@@ -192,6 +193,7 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with ScalaCheckDri
       .allowOriginPort(allowOriginPort)
       .allowOriginSubdomain(allowOriginSubdomain)
       .allowUntrustedAttestation(false)
+      .allowUnrequestedExtensions(allowUnrequestedExtensions)
       .validateSignatureCounter(validateSignatureCounter)
 
     origins.map(_.asJava).foreach(builder.origins _)
@@ -988,6 +990,23 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with ScalaCheckDri
               // }
             }
 
+            it("Succeeds if clientExtensionResults is not a subset of the extensions requested by the Relying Party, but the Relying Party has enabled allowing unrequested extensions.") {
+              val extensionInputs = AssertionExtensionInputs.builder().build()
+              val clientExtensionOutputs = ClientAssertionExtensionOutputs.builder().appid(true).build()
+
+              // forAll(unrequestedAssertionExtensions, minSuccessful(1)) { case (extensionInputs, clientExtensionOutputs) =>
+              val steps = finishAssertion(
+                allowUnrequestedExtensions = true,
+                requestedExtensions = extensionInputs,
+                clientExtensionResults = clientExtensionOutputs
+              )
+              val step: FinishAssertionSteps#Step14 = steps.begin.next.next.next.next.next.next.next.next.next.next.next.next.next.next
+
+              step.validations shouldBe a [Success[_]]
+              step.tryNext shouldBe a [Success[_]]
+              // }
+            }
+
             it("Succeeds if clientExtensionResults is a subset of the extensions requested by the Relying Party.") {
               forAll(subsetAssertionExtensions) { case (extensionInputs, clientExtensionOutputs) =>
                 val steps = finishAssertion(
@@ -1021,6 +1040,24 @@ class RelyingPartyAssertionSpec extends FunSpec with Matchers with ScalaCheckDri
               }
             }
 
+            it("Succeeds if authenticator extensions is not a subset of the extensions requested by the Relying Party, but the Relying Party has enabled allowing unrequested extensions.") {
+              forAll(anyAuthenticatorExtensions[AssertionExtensionInputs]) { case (extensionInputs: AssertionExtensionInputs, authenticatorExtensionOutputs: ObjectNode) =>
+                whenever(authenticatorExtensionOutputs.fieldNames().asScala.exists(id => !extensionInputs.getExtensionIds.contains(id))) {
+                  val steps = finishAssertion(
+                    allowUnrequestedExtensions = true,
+                    requestedExtensions = extensionInputs,
+                    authenticatorData = TestAuthenticator.makeAuthDataBytes(
+                      extensionsCborBytes = Some(new ByteArray(JacksonCodecs.cbor.writeValueAsBytes(authenticatorExtensionOutputs)))
+                    )
+                  )
+                  val step: FinishAssertionSteps#Step14 = steps.begin.next.next.next.next.next.next.next.next.next.next.next.next.next.next
+
+                  step.validations shouldBe a [Success[_]]
+                  step.tryNext shouldBe a [Success[_]]
+                }
+              }
+            }
+
             it("Succeeds if authenticator extensions is a subset of the extensions requested by the Relying Party.") {
               forAll(subsetAuthenticatorExtensions[AssertionExtensionInputs]) { case (extensionInputs: AssertionExtensionInputs, authenticatorExtensionOutputs: ObjectNode) =>
                 val steps = finishAssertion(

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -88,6 +88,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
   private def finishRegistration(
     allowOriginPort: Boolean = false,
     allowOriginSubdomain: Boolean = false,
+    allowUnrequestedExtensions: Boolean = false,
     allowUntrustedAttestation: Boolean = false,
     callerTokenBindingId: Option[ByteArray] = None,
     credentialId: Option[ByteArray] = None,
@@ -104,6 +105,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
       .preferredPubkeyParams(preferredPubkeyParams.asJava)
       .allowOriginPort(allowOriginPort)
       .allowOriginSubdomain(allowOriginSubdomain)
+      .allowUnrequestedExtensions(allowUnrequestedExtensions)
       .allowUntrustedAttestation(allowUntrustedAttestation)
       .metadataService(metadataService.asJava)
 
@@ -686,6 +688,24 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
               }
             }
 
+            ignore("Succeeds if clientExtensionResults is not a subset of the extensions requested by the Relying Party, but the Relying Party has enabled allowing unrequested extensions.") {
+              forAll(anyRegistrationExtensions) { case (extensionInputs, clientExtensionOutputs) =>
+                whenever(clientExtensionOutputs.getExtensionIds.asScala.exists(id => !extensionInputs.getExtensionIds.contains(id))) {
+                  val steps = finishRegistration(
+                    allowUnrequestedExtensions = true,
+                    testData = RegistrationTestData.Packed.BasicAttestation.copy(
+                      requestedExtensions = extensionInputs,
+                      clientExtensionResults = clientExtensionOutputs
+                    )
+                  )
+                  val step: FinishRegistrationSteps#Step12 = steps.begin.next.next.next.next.next.next.next.next.next.next.next
+
+                  step.validations shouldBe a [Success[_]]
+                  step.tryNext shouldBe a [Success[_]]
+                }
+              }
+            }
+
             it("Succeeds if clientExtensionResults is a subset of the extensions requested by the Relying Party.") {
               forAll(subsetRegistrationExtensions) { case (extensionInputs, clientExtensionOutputs) =>
                 val steps = finishRegistration(
@@ -725,6 +745,28 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
               }
             }
 
+            it("Succeeds if authenticator extensions is not a subset of the extensions requested by the Relying Party, but the Relying Party has enabled allowing unrequested extensions.") {
+              forAll(anyAuthenticatorExtensions[RegistrationExtensionInputs]) { case (extensionInputs: RegistrationExtensionInputs, authenticatorExtensionOutputs: ObjectNode) =>
+                whenever(authenticatorExtensionOutputs.fieldNames().asScala.exists(id => !extensionInputs.getExtensionIds.contains(id))) {
+                  val steps = finishRegistration(
+                    allowUnrequestedExtensions = true,
+                    testData = RegistrationTestData.Packed.BasicAttestation.copy(
+                      requestedExtensions = extensionInputs
+                    ).editAuthenticatorData(
+                      authData => new ByteArray(
+                        authData.getBytes.updated(32, (authData.getBytes()(32) | 0x80).toByte) ++
+                          JacksonCodecs.cbor.writeValueAsBytes(authenticatorExtensionOutputs)
+                      )
+                    )
+                  )
+                  val step: FinishRegistrationSteps#Step12 = steps.begin.next.next.next.next.next.next.next.next.next.next.next
+
+                  step.validations shouldBe a [Success[_]]
+                  step.tryNext shouldBe a [Success[_]]
+                }
+              }
+            }
+
             it("Succeeds if authenticator extensions is a subset of the extensions requested by the Relying Party.") {
               forAll(subsetAuthenticatorExtensions[RegistrationExtensionInputs]) { case (extensionInputs: RegistrationExtensionInputs, authenticatorExtensionOutputs: ObjectNode) =>
                 val steps = finishRegistration(