Don't enforce enforceCredentialPolicy when policy set to UV_OPTIONAL

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java

@@ -242,9 +242,11 @@ public static class CredentialProtectionInput {
       private final CredentialProtectionPolicy credentialProtectionPolicy;
 
       /**
-       * If <code>true</code>, {@link RelyingParty#finishRegistration(FinishRegistrationOptions)}
-       * will validate that the policy set in {@link #getCredentialProtectionPolicy()} was satisfied
-       * and the browser is requested to fail the registration if the policy cannot be satisfied.
+       * If this is <code>true</code> and {@link #getCredentialProtectionPolicy()
+       * credentialProtectionPolicy} is not {@link CredentialProtectionPolicy#UV_OPTIONAL}, {@link
+       * RelyingParty#finishRegistration(FinishRegistrationOptions)} will validate that the policy
+       * set in {@link #getCredentialProtectionPolicy()} was satisfied and the browser is requested
+       * to fail the registration if the policy cannot be satisfied.
        *
        * <p>{@link CredentialProtectionInput#prefer(CredentialProtectionPolicy)} sets this to <code>
        * false</code>. {@link CredentialProtectionInput#require(CredentialProtectionPolicy)} sets
@@ -300,10 +302,11 @@ public static CredentialProtectionInput prefer(
        * Create a Credential Protection (<code>credProtect</code>) extension input that requires the
        * given policy.
        *
-       * <p>If the policy cannot be satisfied, the browser is requested to abort the registration
-       * instead of proceeding. {@link RelyingParty#finishRegistration(FinishRegistrationOptions)}
-       * will validate that the policy returned in the authenticator extension output equals this
-       * input policy, and throw an exception otherwise. You can also use {@link
+       * <p>If the policy is not {@link CredentialProtectionPolicy#UV_OPTIONAL} and cannot be
+       * satisfied, the browser is requested to abort the registration instead of proceeding. {@link
+       * RelyingParty#finishRegistration(FinishRegistrationOptions)} will validate that the policy
+       * returned in the authenticator extension output equals this input policy, and throw an
+       * exception otherwise. You can also use {@link
        * AuthenticatorRegistrationExtensionOutputs#getCredProtect()} to inspect the extension output
        * yourself.
        *
@@ -337,30 +340,34 @@ public static CredentialProtectionInput require(
      * RegistrationExtensionInputs.RegistrationExtensionInputsBuilder#credProtect(CredentialProtectionInput)
      * credProtect} extension is set in the request with {@link
      * CredentialProtectionInput#isEnforceCredentialProtectionPolicy()
-     * enforceCredentialProtectionPolicy} set to <code>false</code>, this has no effect.
+     * enforceCredentialProtectionPolicy} set to <code>false</code> or {@link
+     * CredentialProtectionInput#getCredentialProtectionPolicy() credentialProtectionPolicy} set to
+     * {@link CredentialProtectionPolicy#UV_OPTIONAL}, this has no effect.
      *
      * <p>If the {@link
      * RegistrationExtensionInputs.RegistrationExtensionInputsBuilder#credProtect(CredentialProtectionInput)
      * credProtect} extension is set in the request with {@link
      * CredentialProtectionInput#isEnforceCredentialProtectionPolicy()
-     * enforceCredentialProtectionPolicy} set to <code>true</code>, then this throws an {@link
+     * enforceCredentialProtectionPolicy} set to <code>true</code> and {@link
+     * CredentialProtectionInput#getCredentialProtectionPolicy() credentialProtectionPolicy} is not
+     * set to {@link CredentialProtectionPolicy#UV_OPTIONAL}, then this throws an {@link
      * IllegalArgumentException} if the <code>credProtect</code> authenticator extension output does
      * not equal the {@link CredentialProtectionInput#getCredentialProtectionPolicy()
      * credentialProtectionPolicy} set in the request.
      *
      * <p>This function is called automatically in {@link
-     * RelyingParty#finishRegistration(FinishRegistrationOptions)} when the request has {@link
-     * CredentialProtectionInput#isEnforceCredentialProtectionPolicy()
-     * enforceCredentialProtectionPolicy} is set to <code>true</code>; you should not need to call
-     * it yourself.
+     * RelyingParty#finishRegistration(FinishRegistrationOptions)}; you should not need to call it
+     * yourself.
      *
      * @param request the arguments to start the registration ceremony.
      * @param response the response from the registration ceremony.
      * @throws IllegalArgumentException if the {@link
      *     RegistrationExtensionInputs.RegistrationExtensionInputsBuilder#credProtect(CredentialProtectionInput)
      *     credProtect} extension is set in the request with {@link
      *     CredentialProtectionInput#isEnforceCredentialProtectionPolicy()
-     *     enforceCredentialProtectionPolicy} set to <code>true</code> and the <code>credProtect
+     *     enforceCredentialProtectionPolicy} set to <code>true</code> and {@link
+     *     CredentialProtectionInput#getCredentialProtectionPolicy() credentialProtectionPolicy} not
+     *     set to {@link CredentialProtectionPolicy#UV_OPTIONAL}, and the <code>credProtect
      *     </code> authenticator extension output does not equal the {@link
      *     CredentialProtectionInput#getCredentialProtectionPolicy() credentialProtectionPolicy} set
      *     in the request.
@@ -376,18 +383,21 @@ public static void validateExtensionOutput(
           .getExtensions()
           .getCredProtect()
           .ifPresent(
-              credProtect -> {
-                if (credProtect.isEnforceCredentialProtectionPolicy()) {
+              credProtectInput -> {
+                if (credProtectInput.isEnforceCredentialProtectionPolicy()
+                    && credProtectInput.getCredentialProtectionPolicy()
+                        != CredentialProtectionPolicy.UV_OPTIONAL) {
                   Optional<CredentialProtectionPolicy> outputPolicy =
                       response
                           .getResponse()
                           .getParsedAuthenticatorData()
                           .getExtensions()
                           .flatMap(CredentialProtection::parseAuthenticatorExtensionOutput);
                   ExceptionUtil.assertTrue(
-                      outputPolicy.equals(Optional.of(credProtect.getCredentialProtectionPolicy())),
+                      outputPolicy.equals(
+                          Optional.of(credProtectInput.getCredentialProtectionPolicy())),
                       "Unsatisfied credProtect policy: required %s, got: %s",
-                      credProtect.getCredentialProtectionPolicy(),
+                      credProtectInput.getCredentialProtectionPolicy(),
                       outputPolicy);
                 }
               });

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -1134,8 +1134,12 @@ class RelyingPartyRegistrationSpec
             }
           }
 
-          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and no output policy is returned.") {
-            forAll { policy: CredentialProtectionPolicy =>
+          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and credProtectPolicy!=userVerificationOptional and no output policy is returned.") {
+            forAll(
+              arbitrary[CredentialProtectionPolicy].suchThat(
+                _ != CredentialProtectionPolicy.UV_OPTIONAL
+              )
+            ) { policy: CredentialProtectionPolicy =>
               val steps = finishRegistration(
                 testData = RegistrationTestData.Packed.BasicAttestation
                   .copy(
@@ -1153,47 +1157,63 @@ class RelyingPartyRegistrationSpec
             }
           }
 
-          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and the output policy does not match the input policy.") {
-            forAll(arbitrary[CredentialProtectionPolicy], Gen.oneOf(1, 2)) {
-              (policy: CredentialProtectionPolicy, diff) =>
-                val authenticatorExtensionOutputs = CBORObject.NewMap()
-                authenticatorExtensionOutputs.set(
-                  "credProtect",
-                  CBORObject.FromObject(
-                    ((ReexportHelpers.credProtectPolicyCborValue(
-                      policy
-                    ) + diff - 1) % 3) + 1
-                  ),
-                )
-                val steps = finishRegistration(
-                  testData = RegistrationTestData.Packed.BasicAttestation
-                    .copy(
-                      requestedExtensions = RegistrationExtensionInputs
-                        .builder()
-                        .credProtect(CredentialProtectionInput.require(policy))
-                        .build()
-                    )
-                    .editAuthenticatorData(authData =>
-                      new ByteArray(
-                        authData.getBytes.updated(
-                          32,
-                          (authData.getBytes()(32) | 0x80).toByte,
-                        ) ++ authenticatorExtensionOutputs.EncodeToBytes()
-                      )
+          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and credProtectPolicy!=userVerificationOptional and the output policy does not match the input policy.") {
+            forAll(
+              arbitrary[CredentialProtectionPolicy].suchThat(
+                _ != CredentialProtectionPolicy.UV_OPTIONAL
+              ),
+              Gen.oneOf(1, 2),
+            ) { (policy: CredentialProtectionPolicy, diff) =>
+              val authenticatorExtensionOutputs = CBORObject.NewMap()
+              authenticatorExtensionOutputs.set(
+                "credProtect",
+                CBORObject.FromObject(
+                  ((ReexportHelpers.credProtectPolicyCborValue(
+                    policy
+                  ) + diff - 1) % 3) + 1
+                ),
+              )
+              val steps = finishRegistration(
+                testData = RegistrationTestData.Packed.BasicAttestation
+                  .copy(
+                    requestedExtensions = RegistrationExtensionInputs
+                      .builder()
+                      .credProtect(CredentialProtectionInput.require(policy))
+                      .build()
+                  )
+                  .editAuthenticatorData(authData =>
+                    new ByteArray(
+                      authData.getBytes.updated(
+                        32,
+                        (authData.getBytes()(32) | 0x80).toByte,
+                      ) ++ authenticatorExtensionOutputs.EncodeToBytes()
                     )
-                )
-                val stepAfter: Try[FinishRegistrationSteps#Step18] =
-                  steps.begin.next.next.next.next.next.next.next.next.next.next.next.tryNext
+                  )
+              )
+              val stepAfter: Try[FinishRegistrationSteps#Step18] =
+                steps.begin.next.next.next.next.next.next.next.next.next.next.next.tryNext
 
-                stepAfter shouldBe a[Failure[_]]
-                stepAfter.failed.get shouldBe an[IllegalArgumentException]
+              stepAfter shouldBe a[Failure[_]]
+              stepAfter.failed.get shouldBe an[IllegalArgumentException]
             }
           }
 
-          it("Succeeds regardless of output credProtect policy if credProtect is set with enforceCredentialProtectionPolicy=false.") {
-            forAll {
+          it("Succeeds regardless of output credProtect policy if credProtect is set with enforceCredentialProtectionPolicy=false or credProtectPolicy=userVerificationOptional.") {
+            val genCredPropsInput = for {
+              enforce <- arbitrary[Boolean]
+              policy <-
+                if (enforce) Gen.const(CredentialProtectionPolicy.UV_OPTIONAL)
+                else arbitrary[CredentialProtectionPolicy]
+            } yield {
+              if (enforce) CredentialProtectionInput.require(policy)
+              else CredentialProtectionInput.prefer(policy)
+            }
+            forAll(
+              genCredPropsInput,
+              arbitrary[Option[CredentialProtectionPolicy]],
+            ) {
               (
-                  inputPolicy: CredentialProtectionPolicy,
+                  credPropsInput: CredentialProtectionInput,
                   outputPolicy: Option[CredentialProtectionPolicy],
               ) =>
                 val authenticatorExtensionOutputs =
@@ -1212,9 +1232,7 @@ class RelyingPartyRegistrationSpec
                     .copy(
                       requestedExtensions = RegistrationExtensionInputs
                         .builder()
-                        .credProtect(
-                          CredentialProtectionInput.prefer(inputPolicy)
-                        )
+                        .credProtect(credPropsInput)
                         .build()
                     )
                     .editAuthenticatorData(authData =>

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2RegistrationSpec.scala

@@ -1126,8 +1126,12 @@ class RelyingPartyV2RegistrationSpec
             }
           }
 
-          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and no output policy is returned.") {
-            forAll { policy: CredentialProtectionPolicy =>
+          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and credProtectPolicy!=userVerificationOptional and no output policy is returned.") {
+            forAll(
+              arbitrary[CredentialProtectionPolicy].suchThat(
+                _ != CredentialProtectionPolicy.UV_OPTIONAL
+              )
+            ) { policy: CredentialProtectionPolicy =>
               val steps = finishRegistration(
                 testData = RegistrationTestData.Packed.BasicAttestation
                   .copy(
@@ -1145,47 +1149,63 @@ class RelyingPartyV2RegistrationSpec
             }
           }
 
-          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and the output policy does not match the input policy.") {
-            forAll(arbitrary[CredentialProtectionPolicy], Gen.oneOf(1, 2)) {
-              (policy: CredentialProtectionPolicy, diff) =>
-                val authenticatorExtensionOutputs = CBORObject.NewMap()
-                authenticatorExtensionOutputs.set(
-                  "credProtect",
-                  CBORObject.FromObject(
-                    ((ReexportHelpers.credProtectPolicyCborValue(
-                      policy
-                    ) + diff - 1) % 3) + 1
-                  ),
-                )
-                val steps = finishRegistration(
-                  testData = RegistrationTestData.Packed.BasicAttestation
-                    .copy(
-                      requestedExtensions = RegistrationExtensionInputs
-                        .builder()
-                        .credProtect(CredentialProtectionInput.require(policy))
-                        .build()
-                    )
-                    .editAuthenticatorData(authData =>
-                      new ByteArray(
-                        authData.getBytes.updated(
-                          32,
-                          (authData.getBytes()(32) | 0x80).toByte,
-                        ) ++ authenticatorExtensionOutputs.EncodeToBytes()
-                      )
+          it("Fails if credProtect is set with enforceCredentialProtectionPolicy=true and credProtectPolicy!=userVerificationOptional and the output policy does not match the input policy.") {
+            forAll(
+              arbitrary[CredentialProtectionPolicy].suchThat(
+                _ != CredentialProtectionPolicy.UV_OPTIONAL
+              ),
+              Gen.oneOf(1, 2),
+            ) { (policy: CredentialProtectionPolicy, diff) =>
+              val authenticatorExtensionOutputs = CBORObject.NewMap()
+              authenticatorExtensionOutputs.set(
+                "credProtect",
+                CBORObject.FromObject(
+                  ((ReexportHelpers.credProtectPolicyCborValue(
+                    policy
+                  ) + diff - 1) % 3) + 1
+                ),
+              )
+              val steps = finishRegistration(
+                testData = RegistrationTestData.Packed.BasicAttestation
+                  .copy(
+                    requestedExtensions = RegistrationExtensionInputs
+                      .builder()
+                      .credProtect(CredentialProtectionInput.require(policy))
+                      .build()
+                  )
+                  .editAuthenticatorData(authData =>
+                    new ByteArray(
+                      authData.getBytes.updated(
+                        32,
+                        (authData.getBytes()(32) | 0x80).toByte,
+                      ) ++ authenticatorExtensionOutputs.EncodeToBytes()
                     )
-                )
-                val stepAfter: Try[FinishRegistrationSteps#Step18] =
-                  steps.begin.next.next.next.next.next.next.next.next.next.next.next.tryNext
+                  )
+              )
+              val stepAfter: Try[FinishRegistrationSteps#Step18] =
+                steps.begin.next.next.next.next.next.next.next.next.next.next.next.tryNext
 
-                stepAfter shouldBe a[Failure[_]]
-                stepAfter.failed.get shouldBe an[IllegalArgumentException]
+              stepAfter shouldBe a[Failure[_]]
+              stepAfter.failed.get shouldBe an[IllegalArgumentException]
             }
           }
 
-          it("Succeeds regardless of output credProtect policy if credProtect is set with enforceCredentialProtectionPolicy=false.") {
-            forAll {
+          it("Succeeds regardless of output credProtect policy if credProtect is set with enforceCredentialProtectionPolicy=false or credProtectPolicy=userVerificationOptional.") {
+            val genCredPropsInput = for {
+              enforce <- arbitrary[Boolean]
+              policy <-
+                if (enforce) Gen.const(CredentialProtectionPolicy.UV_OPTIONAL)
+                else arbitrary[CredentialProtectionPolicy]
+            } yield {
+              if (enforce) CredentialProtectionInput.require(policy)
+              else CredentialProtectionInput.prefer(policy)
+            }
+            forAll(
+              genCredPropsInput,
+              arbitrary[Option[CredentialProtectionPolicy]],
+            ) {
               (
-                  inputPolicy: CredentialProtectionPolicy,
+                  credPropsInput: CredentialProtectionInput,
                   outputPolicy: Option[CredentialProtectionPolicy],
               ) =>
                 val authenticatorExtensionOutputs =
@@ -1204,9 +1224,7 @@ class RelyingPartyV2RegistrationSpec
                     .copy(
                       requestedExtensions = RegistrationExtensionInputs
                         .builder()
-                        .credProtect(
-                          CredentialProtectionInput.prefer(inputPolicy)
-                        )
+                        .credProtect(credPropsInput)
                         .build()
                     )
                     .editAuthenticatorData(authData =>