Try out RelyingPartyV2 in demo

Author: emlun

webauthn-server-demo/src/main/java/demo/webauthn/InMemoryRegistrationStorage.java

@@ -26,10 +26,9 @@
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
-import com.yubico.internal.util.CollectionUtil;
-import com.yubico.webauthn.AssertionResult;
-import com.yubico.webauthn.CredentialRepository;
-import com.yubico.webauthn.RegisteredCredential;
+import com.yubico.webauthn.AssertionResultV2;
+import com.yubico.webauthn.CredentialRepositoryV2;
+import com.yubico.webauthn.UsernameRepository;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
 import demo.webauthn.data.CredentialRegistration;
@@ -44,20 +43,21 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class InMemoryRegistrationStorage implements CredentialRepository {
+public class InMemoryRegistrationStorage
+    implements CredentialRepositoryV2<CredentialRegistration>, UsernameRepository {
 
   private final Cache<String, Set<CredentialRegistration>> storage =
       CacheBuilder.newBuilder().maximumSize(1000).expireAfterAccess(1, TimeUnit.DAYS).build();
 
   private static final Logger logger = LoggerFactory.getLogger(InMemoryRegistrationStorage.class);
 
   ////////////////////////////////////////////////////////////////////////////////
-  // The following methods are required by the CredentialRepository interface.
+  // The following methods are required by the CredentialRepositoryV2 interface.
   ////////////////////////////////////////////////////////////////////////////////
 
   @Override
-  public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
-    return getRegistrationsByUsername(username).stream()
+  public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUserHandle(ByteArray userHandle) {
+    return getRegistrationsByUserHandle(userHandle).stream()
         .map(
             registration ->
                 PublicKeyCredentialDescriptor.builder()
@@ -68,63 +68,53 @@ public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String use
   }
 
   @Override
-  public Optional<String> getUsernameForUserHandle(ByteArray userHandle) {
-    return getRegistrationsByUserHandle(userHandle).stream()
-        .findAny()
-        .map(CredentialRegistration::getUsername);
-  }
-
-  @Override
-  public Optional<ByteArray> getUserHandleForUsername(String username) {
-    return getRegistrationsByUsername(username).stream()
-        .findAny()
-        .map(reg -> reg.getUserIdentity().getId());
-  }
-
-  @Override
-  public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
+  public Optional<CredentialRegistration> lookup(ByteArray credentialId, ByteArray userHandle) {
     Optional<CredentialRegistration> registrationMaybe =
         storage.asMap().values().stream()
             .flatMap(Collection::stream)
-            .filter(credReg -> credentialId.equals(credReg.getCredential().getCredentialId()))
+            .filter(
+                credReg ->
+                    credentialId.equals(credReg.getCredential().getCredentialId())
+                        && userHandle.equals(credReg.getUserHandle()))
             .findAny();
 
     logger.debug(
         "lookup credential ID: {}, user handle: {}; result: {}",
         credentialId,
         userHandle,
         registrationMaybe);
-    return registrationMaybe.map(
-        registration ->
-            RegisteredCredential.builder()
-                .credentialId(registration.getCredential().getCredentialId())
-                .userHandle(registration.getUserIdentity().getId())
-                .publicKeyCose(registration.getCredential().getPublicKeyCose())
-                .signatureCount(registration.getCredential().getSignatureCount())
-                .build());
+
+    return registrationMaybe;
   }
 
   @Override
-  public Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
-    return CollectionUtil.immutableSet(
-        storage.asMap().values().stream()
-            .flatMap(Collection::stream)
-            .filter(reg -> reg.getCredential().getCredentialId().equals(credentialId))
-            .map(
-                reg ->
-                    RegisteredCredential.builder()
-                        .credentialId(reg.getCredential().getCredentialId())
-                        .userHandle(reg.getUserIdentity().getId())
-                        .publicKeyCose(reg.getCredential().getPublicKeyCose())
-                        .signatureCount(reg.getCredential().getSignatureCount())
-                        .build())
-            .collect(Collectors.toSet()));
+  public boolean credentialIdExists(ByteArray credentialId) {
+    return storage.asMap().values().stream()
+        .flatMap(Collection::stream)
+        .anyMatch(reg -> reg.getCredential().getCredentialId().equals(credentialId));
+  }
+
+  ////////////////////////////////////////////////////////////////////////////////
+  // The following methods are required by the UsernameRepository interface.
+  ////////////////////////////////////////////////////////////////////////////////
+
+  @Override
+  public Optional<ByteArray> getUserHandleForUsername(String username) {
+    return getRegistrationsByUsername(username).stream()
+        .findAny()
+        .map(reg -> reg.getUserIdentity().getId());
   }
 
   ////////////////////////////////////////////////////////////////////////////////
   // The following methods are specific to this demo application.
   ////////////////////////////////////////////////////////////////////////////////
 
+  public Optional<String> getUsernameForUserHandle(ByteArray userHandle) {
+    return getRegistrationsByUserHandle(userHandle).stream()
+        .findAny()
+        .map(CredentialRegistration::getUsername);
+  }
+
   public boolean addRegistrationByUsername(String username, CredentialRegistration reg) {
     try {
       return storage.get(username, HashSet::new).add(reg);
@@ -152,18 +142,19 @@ public Collection<CredentialRegistration> getRegistrationsByUserHandle(ByteArray
         .collect(Collectors.toList());
   }
 
-  public void updateSignatureCount(AssertionResult result) {
+  public void updateSignatureCount(AssertionResultV2<CredentialRegistration> result) {
     CredentialRegistration registration =
         getRegistrationByUsernameAndCredentialId(
-                result.getUsername(), result.getCredential().getCredentialId())
+                result.getCredential().getUsername(), result.getCredential().getCredentialId())
             .orElseThrow(
                 () ->
                     new NoSuchElementException(
                         String.format(
                             "Credential \"%s\" is not registered to user \"%s\"",
-                            result.getCredential().getCredentialId(), result.getUsername())));
+                            result.getCredential().getCredentialId(),
+                            result.getCredential().getUsername())));
 
-    Set<CredentialRegistration> regs = storage.getIfPresent(result.getUsername());
+    Set<CredentialRegistration> regs = storage.getIfPresent(result.getCredential().getUsername());
     regs.remove(registration);
     regs.add(
         registration.withCredential(

webauthn-server-demo/src/main/java/demo/webauthn/WebAuthnServer.java

@@ -39,12 +39,13 @@
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.JacksonCodecs;
 import com.yubico.util.Either;
-import com.yubico.webauthn.AssertionResult;
+import com.yubico.webauthn.AssertionResultV2;
 import com.yubico.webauthn.FinishAssertionOptions;
 import com.yubico.webauthn.FinishRegistrationOptions;
 import com.yubico.webauthn.RegisteredCredential;
 import com.yubico.webauthn.RegistrationResult;
 import com.yubico.webauthn.RelyingParty;
+import com.yubico.webauthn.RelyingPartyV2;
 import com.yubico.webauthn.StartAssertionOptions;
 import com.yubico.webauthn.StartRegistrationOptions;
 import com.yubico.webauthn.attestation.YubicoJsonMetadataService;
@@ -144,7 +145,7 @@ private static MetadataService getMetadataService()
   private final Clock clock = Clock.systemDefaultZone();
   private final ObjectMapper jsonMapper = JacksonCodecs.json();
 
-  private final RelyingParty rp;
+  private final RelyingPartyV2<CredentialRegistration> rp;
 
   public WebAuthnServer()
       throws CertificateException,
@@ -191,6 +192,7 @@ public WebAuthnServer(
         RelyingParty.builder()
             .identity(rpIdentity)
             .credentialRepository(this.userStorage)
+            .usernameRepository(this.userStorage)
             .origins(origins)
             .attestationConveyancePreference(Optional.of(AttestationConveyancePreference.DIRECT))
             .attestationTrustSource(metadataService)
@@ -488,7 +490,7 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
       return Either.left(Arrays.asList("Assertion failed!", "No such assertion in progress."));
     } else {
       try {
-        AssertionResult result =
+        AssertionResultV2<CredentialRegistration> result =
             rp.finishAssertion(
                 FinishAssertionOptions.builder()
                     .request(request.getRequest())
@@ -501,7 +503,7 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
           } catch (Exception e) {
             logger.error(
                 "Failed to update signature count for user \"{}\", credential \"{}\"",
-                result.getUsername(),
+                result.getCredential().getUsername(),
                 response.getCredential().getId(),
                 e);
           }
@@ -510,8 +512,8 @@ public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication
               new SuccessfulAuthenticationResult(
                   request,
                   response,
-                  userStorage.getRegistrationsByUsername(result.getUsername()),
-                  result.getUsername(),
+                  userStorage.getRegistrationsByUsername(result.getCredential().getUsername()),
+                  result.getCredential().getUsername(),
                   sessions.createSession(result.getCredential().getUserHandle())));
         } else {
           return Either.left(Collections.singletonList("Assertion failed: Invalid assertion."));

webauthn-server-demo/src/main/java/demo/webauthn/data/CredentialRegistration.java

@@ -26,20 +26,23 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yubico.webauthn.CredentialRecord;
 import com.yubico.webauthn.RegisteredCredential;
 import com.yubico.webauthn.data.AuthenticatorTransport;
+import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.UserIdentity;
 import java.time.Instant;
 import java.util.Optional;
 import java.util.SortedSet;
 import lombok.Builder;
+import lombok.NonNull;
 import lombok.Value;
 import lombok.With;
 
 @Value
 @Builder
 @With
-public class CredentialRegistration {
+public class CredentialRegistration implements CredentialRecord {
 
   UserIdentity userIdentity;
   Optional<String> credentialNickname;
@@ -58,4 +61,34 @@ public String getRegistrationTimestamp() {
   public String getUsername() {
     return userIdentity.getName();
   }
+
+  @Override
+  public @NonNull ByteArray getCredentialId() {
+    return credential.getCredentialId();
+  }
+
+  @Override
+  public @NonNull ByteArray getUserHandle() {
+    return userIdentity.getId();
+  }
+
+  @Override
+  public @NonNull ByteArray getPublicKeyCose() {
+    return credential.getPublicKeyCose();
+  }
+
+  @Override
+  public long getSignatureCount() {
+    return credential.getSignatureCount();
+  }
+
+  @Override
+  public Optional<Boolean> isBackupEligible() {
+    return credential.isBackupEligible();
+  }
+
+  @Override
+  public Optional<Boolean> isBackedUp() {
+    return credential.isBackedUp();
+  }
 }