Refactor Symfony tests and introduce Webauthn authentication

Reorganized Symfony test configurations by splitting `config.yml` into modular files (`common.yml`, `badges.yml`, and `legacy_authenticator.yml`). Implemented a Webauthn authentication system with related classes (`WebauthnAuthenticator`, `WebauthnBadge`, etc.) and adapted test cases to utilize the new structure.

Author: Spomky

src/symfony/src/Resources/config/security.php

@@ -8,6 +8,7 @@
 use Webauthn\Bundle\DependencyInjection\Factory\Security\WebauthnFactory;
 use Webauthn\Bundle\Repository\PublicKeyCredentialSourceRepositoryInterface;
 use Webauthn\Bundle\Repository\PublicKeyCredentialUserEntityRepositoryInterface;
+use Webauthn\Bundle\Security\Authentication\WebauthnBadgeListener;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserPresentVoter;
 use Webauthn\Bundle\Security\Authorization\Voter\IsUserVerifiedVoter;
 use Webauthn\Bundle\Security\Guesser\CurrentUserEntityGuesser;
@@ -51,9 +52,7 @@
             service(PublicKeyCredentialUserEntityRepositoryInterface::class),
             service(SerializerInterface::class),
             abstract_arg('Authenticator Assertion Response Validator'),
-            abstract_arg(
-                'Authenticator Attestation Response Validator'
-            ), //service(AuthenticatorAttestationResponseValidator::class)
+            abstract_arg('Authenticator Attestation Response Validator'),
         ]);
     $service
         ->set(WebauthnFactory::FIREWALL_CONFIG_DEFINITION_ID, WebauthnFirewallConfig::class)
@@ -62,4 +61,5 @@
 
     $service->set(CurrentUserEntityGuesser::class);
     $service->set(RequestBodyUserEntityGuesser::class);
+    $service->set(WebauthnBadgeListener::class);
 };

src/symfony/src/Security/Authentication/WebauthnAuthenticator.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\Bundle\Security\Authentication\Token\WebauthnToken;
+use function assert;
+
+abstract class WebauthnAuthenticator extends AbstractLoginFormAuthenticator
+{
+    public function createToken(Passport $passport, string $firewallName): TokenInterface
+    {
+        assert($passport instanceof WebauthnPassport, 'Invalid passport');
+        $webauthnBadge = $passport->getBadge(WebauthnBadge::class);
+        assert($webauthnBadge instanceof WebauthnBadge, 'Invalid badge');
+        if ($webauthnBadge->getAuthenticatorResponse() instanceof AuthenticatorAssertionResponse) {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->authenticatorData;
+        } else {
+            $authData = $webauthnBadge->getAuthenticatorResponse()
+                ->attestationObject
+                ->authData;
+        }
+
+        $token = new WebauthnToken(
+            $webauthnBadge->getPublicKeyCredentialUserEntity(),
+            $webauthnBadge->getPublicKeyCredentialOptions(),
+            $webauthnBadge->getPublicKeyCredentialSource()
+                ->getPublicKeyCredentialDescriptor(),
+            $authData->isUserPresent(),
+            $authData->isUserVerified(),
+            $authData->getReservedForFutureUse1(),
+            $authData->getReservedForFutureUse2(),
+            $authData->signCount,
+            $authData->extensions,
+            $firewallName,
+            $webauthnBadge->getUser()
+                ->getRoles(),
+            $authData->isBackupEligible(),
+            $authData->isBackedUp(),
+        );
+        $token->setUser($webauthnBadge->getUser());
+
+        return $token;
+    }
+}

src/symfony/src/Security/Authentication/WebauthnBadge.php

@@ -0,0 +1,126 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use LogicException;
+use Symfony\Component\Security\Core\Exception\UserNotFoundException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\BadgeInterface;
+use Webauthn\AuthenticatorResponse;
+use Webauthn\PublicKeyCredentialOptions;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialUserEntity;
+use function sprintf;
+
+final class WebauthnBadge implements BadgeInterface
+{
+    private bool $isResolved = false;
+
+    private AuthenticatorResponse $authenticatorResponse;
+
+    private PublicKeyCredentialOptions $publicKeyCredentialOptions;
+
+    private PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity;
+
+    private PublicKeyCredentialSource $publicKeyCredentialSource;
+
+    private UserInterface $user;
+
+    /**
+     * @var callable|null
+     */
+    private $userLoader;
+
+    public function __construct(
+        public readonly string $host,
+        public readonly string $response,
+        ?callable $userLoader = null,
+        private readonly ?array $attributes = null,
+    ) {
+        $this->userLoader = $userLoader;
+    }
+
+    public function isResolved(): bool
+    {
+        return $this->isResolved;
+    }
+
+    public function getAuthenticatorResponse(): AuthenticatorResponse
+    {
+        if (! $this->isResolved) {
+            throw new LogicException('The badge is not resolved.');
+        }
+        return $this->authenticatorResponse;
+    }
+
+    public function getPublicKeyCredentialOptions(): PublicKeyCredentialOptions
+    {
+        if (! $this->isResolved) {
+            throw new LogicException('The badge is not resolved.');
+        }
+        return $this->publicKeyCredentialOptions;
+    }
+
+    public function getPublicKeyCredentialUserEntity(): PublicKeyCredentialUserEntity
+    {
+        if (! $this->isResolved) {
+            throw new LogicException('The badge is not resolved.');
+        }
+        return $this->publicKeyCredentialUserEntity;
+    }
+
+    public function getPublicKeyCredentialSource(): PublicKeyCredentialSource
+    {
+        if (! $this->isResolved) {
+            throw new LogicException('The badge is not resolved.');
+        }
+        return $this->publicKeyCredentialSource;
+    }
+
+    public function getUser(): UserInterface
+    {
+        if (! $this->isResolved) {
+            throw new LogicException('The badge is not resolved.');
+        }
+        return $this->user;
+    }
+
+    public function markResolved(
+        AuthenticatorResponse $authenticatorResponse,
+        PublicKeyCredentialOptions $publicKeyCredentialOptions,
+        PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity,
+        PublicKeyCredentialSource $publicKeyCredentialSource,
+    ): void {
+        if ($this->userLoader === null) {
+            throw new LogicException(sprintf(
+                'No user loader is configured, did you forget to register the "%s" listener?',
+                WebauthnBadgeListener::class
+            ));
+        }
+        $this->authenticatorResponse = $authenticatorResponse;
+        $this->publicKeyCredentialOptions = $publicKeyCredentialOptions;
+        $this->publicKeyCredentialUserEntity = $publicKeyCredentialUserEntity;
+        $this->publicKeyCredentialSource = $publicKeyCredentialSource;
+        $user = ($this->userLoader)($publicKeyCredentialUserEntity->name, $this->attributes);
+        if ($user === null) {
+            $exception = new UserNotFoundException();
+            $exception->setUserIdentifier($publicKeyCredentialSource->userHandle);
+
+            throw $exception;
+        }
+        $this->user = $user;
+        $this->isResolved = true;
+    }
+
+    public function setUserLoader(callable $userLoader): void
+    {
+        $this->userLoader = $userLoader;
+    }
+
+    public function getUserLoader(): ?callable
+    {
+        return $this->userLoader;
+    }
+}

src/symfony/src/Security/Authentication/WebauthnBadgeListener.php

@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Serializer\Encoder\JsonEncoder;
+use Symfony\Component\Serializer\SerializerInterface;
+use Throwable;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\AuthenticatorAssertionResponseValidator;
+use Webauthn\Bundle\Repository\CanSaveCredentialSource;
+use Webauthn\Bundle\Repository\PublicKeyCredentialSourceRepositoryInterface;
+use Webauthn\Bundle\Repository\PublicKeyCredentialUserEntityRepositoryInterface;
+use Webauthn\Bundle\Security\Storage\OptionsStorage;
+use Webauthn\PublicKeyCredential;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialUserEntity;
+
+final readonly class WebauthnBadgeListener implements EventSubscriberInterface
+{
+    public function __construct(
+        private OptionsStorage $optionsStorage,
+        private SerializerInterface $publicKeyCredentialLoader,
+        private PublicKeyCredentialUserEntityRepositoryInterface $credentialUserEntityRepository,
+        private PublicKeyCredentialSourceRepositoryInterface $publicKeyCredentialSourceRepository,
+        private AuthenticatorAssertionResponseValidator $assertionResponseValidator,
+        private UserProviderInterface $userProvider,
+    ) {
+    }
+
+    public function checkPassport(CheckPassportEvent $event): void
+    {
+        $passport = $event->getPassport();
+        if (! $passport->hasBadge(WebauthnBadge::class)) {
+            return;
+        }
+
+        /** @var WebauthnBadge $badge */
+        $badge = $passport->getBadge(WebauthnBadge::class);
+        if ($badge->isResolved()) {
+            return;
+        }
+        if ($badge->getUserLoader() === null) {
+            $badge->setUserLoader($this->userProvider->loadUserByIdentifier(...));
+        }
+
+        try {
+            $publicKeyCredential = $this->publicKeyCredentialLoader->deserialize(
+                $badge->response,
+                PublicKeyCredential::class,
+                JsonEncoder::FORMAT
+            );
+            $response = $publicKeyCredential->response;
+            if (! $response instanceof AuthenticatorAssertionResponse) {
+                return;
+            }
+            $data = $this->optionsStorage->get($response->clientDataJSON->challenge);
+            $publicKeyCredentialRequestOptions = $data->getPublicKeyCredentialOptions();
+            if (! $publicKeyCredentialRequestOptions instanceof PublicKeyCredentialRequestOptions) {
+                return;
+            }
+            $userEntity = $data->getPublicKeyCredentialUserEntity();
+
+            $publicKeyCredentialSource = $this->publicKeyCredentialSourceRepository->findOneByCredentialId(
+                $publicKeyCredential->rawId
+            );
+            if ($publicKeyCredentialSource === null) {
+                return;
+            }
+            $publicKeyCredentialSource = $this->assertionResponseValidator->check(
+                $publicKeyCredentialSource,
+                $response,
+                $publicKeyCredentialRequestOptions,
+                $badge->host,
+                $userEntity?->id
+            );
+            $userEntity = $this->credentialUserEntityRepository->findOneByUserHandle(
+                $publicKeyCredentialSource->userHandle
+            );
+            if (! $userEntity instanceof PublicKeyCredentialUserEntity) {
+                return;
+            }
+            if ($this->publicKeyCredentialSourceRepository instanceof CanSaveCredentialSource) {
+                $this->publicKeyCredentialSourceRepository->saveCredentialSource($publicKeyCredentialSource);
+            }
+            $badge->markResolved(
+                $response,
+                $publicKeyCredentialRequestOptions,
+                $userEntity,
+                $publicKeyCredentialSource,
+            );
+        } catch (Throwable $e) {
+            return;
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            CheckPassportEvent::class => ['checkPassport', 512],
+        ];
+    }
+}

src/symfony/src/Security/Authentication/WebauthnPassport.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Webauthn\Bundle\Security\Authentication;
+
+use LogicException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\BadgeInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+
+final class WebauthnPassport extends Passport
+{
+    /**
+     * @param BadgeInterface[] $badges
+     */
+    public function __construct(WebauthnBadge $webauthnBadge, array $badges = [])
+    {
+        $this->addBadge($webauthnBadge);
+        foreach ($badges as $badge) {
+            $this->addBadge($badge);
+        }
+    }
+
+    public function getUser(): UserInterface
+    {
+        $webauthnBadge = $this->getBadge(WebauthnBadge::class);
+        if ($webauthnBadge === null || ! $webauthnBadge instanceof WebauthnBadge) {
+            throw new LogicException('No WebauthnBadge found in the passport.');
+        }
+
+        return $webauthnBadge->getUser();
+    }
+}

tests/symfony/config/badges.yml

@@ -0,0 +1,22 @@
+imports:
+  - { resource: common.yml }
+
+security:
+  providers:
+    default:
+      id: 'Webauthn\Tests\Bundle\Functional\UserProvider'
+
+  firewalls:
+    main:
+      logout:
+        path: /logout
+        target: /
+
+  access_control:
+    - { path: '^/devices/add',  roles: 'ROLE_USER', requires_channel: 'https' }
+    - { path: '^/logout',  roles: 'PUBLIC_ACCESS' , requires_channel: 'https' }
+    - { path: '^/api/login',  roles: 'PUBLIC_ACCESS' , requires_channel: 'https' }
+    - { path: '^/api/register',  roles: 'PUBLIC_ACCESS' , requires_channel: 'https' }
+    - { path: '^/admin',  roles: 'ROLE_ADMIN', requires_channel: 'https' }
+    - { path: '^/page',   roles: 'ROLE_USER', requires_channel: 'https' }
+    - { path: '^/',       roles: 'PUBLIC_ACCESS' , requires_channel: 'https' }