Changeset 291625 in webkit

Timestamp:

Mar 22, 2022 10:12:15 AM (4 months ago)

Author:

J Pascoe

Message:

[WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
​https://bugs.webkit.org/show_bug.cgi?id=238147
rdar://90509464

Reviewed by Brent Fulgham.

Source/WebKit:

Currently we don't pass the timeout from the rp into ASA, so the default timeout is always used.
This patch starts passing along the timeout to ASA, and creates a place for ASA to specify the
mediation of the request, so we can ignore the timeout for requests using conditional mediation.

Modified API test.

• Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:

(toWebCore):
(-[_WKWebAuthenticationPanel makeCredentialWithMediationRequirement:clientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel makeCredentialWithClientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel getAssertionWithMediationRequirement:clientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel getAssertionWithClientDataHash:options:completionHandler:]):

• UIProcess/WebAuthentication/AuthenticatorManager.cpp:

(WebKit::AuthenticatorManager::respondReceived):
(WebKit::AuthenticatorManager::initTimeOutTimer):

• UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:

(WebKit::configureRegistrationRequestContext):
(WebKit::configureAssertionOptions):

Tools:

Modify API test to use new SPI.

• TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (modified) (6 diffs)
• Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm (modified) (3 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-03-22  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
+        https://bugs.webkit.org/show_bug.cgi?id=238147
+        rdar://90509464
+
+        Reviewed by Brent Fulgham.
+
+        Currently we don't pass the timeout from the rp into ASA, so the default timeout is always used.
+        This patch starts passing along the timeout to ASA, and creates a place for ASA to specify the
+        mediation of the request, so we can ignore the timeout for requests using conditional mediation.
+
+        Modified API test.
+
+        * Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (toWebCore):
+        (-[_WKWebAuthenticationPanel makeCredentialWithMediationRequirement:clientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel makeCredentialWithClientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel getAssertionWithMediationRequirement:clientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel getAssertionWithClientDataHash:options:completionHandler:]):
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::respondReceived):
+        (WebKit::AuthenticatorManager::initTimeOutTimer):
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
+        (WebKit::configureRegistrationRequestContext):
+        (WebKit::configureAssertionOptions):
+
 2022-03-22  J Pascoe  <j_pascoe@apple.com>
 

trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h

@@ -165 +165 @@
 @property (nonatomic, nullable, readonly, copy) NSString *userVerificationPreference;
 @property (nonatomic, nullable, copy) ASCWebAuthenticationExtensionsClientInputs *extensions;
+@property (nonatomic, nullable, copy) NSNumber *timeout;
 
 @property (nonatomic, nullable, readonly, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *allowedCredentials;
@@ -195 +196 @@
 @property (nonatomic, nullable, copy) NSString *attestationPreference;
 @property (nonatomic, nullable, copy) ASCWebAuthenticationExtensionsClientInputs *extensions;
+@property (nonatomic, nullable, copy) NSNumber *timeout;
 
 @property (nonatomic) BOOL shouldRequireResidentKey;

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h

@@ -87 +87 @@
 } WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
+typedef NS_ENUM(NSInteger, _WKWebAuthenticationMediationRequirement) {
+    _WKWebAuthenticationMediationRequirementSilent,
+    _WKWebAuthenticationMediationRequirementOptional,
+    _WKWebAuthenticationMediationRequirementRequired,
+    _WKWebAuthenticationMediationRequirementConditional,
+} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 WK_EXPORT extern NSString * const _WKLocalAuthenticatorCredentialNameKey;
 WK_EXPORT extern NSString * const _WKLocalAuthenticatorCredentialDisplayNameKey;
@@ -142 +149 @@
 - (void)makeCredentialWithChallenge:(NSData *)challenge origin:(NSString *)origin options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(12.0), ios(15.0));
 - (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)makeCredentialWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 - (void)getAssertionWithChallenge:(NSData *)challenge origin:(NSString *)origin options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(12.0), ios(15.0));
 - (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)getAssertionWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 - (void)cancel;
 

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@@ -49 +49 @@
 #import <WebCore/CBORReader.h>
 #import <WebCore/CBORWriter.h>
+#import <WebCore/CredentialRequestOptions.h>
 #import <WebCore/DeviceRequestConverter.h>
 #import <WebCore/FidoConstants.h>
@@ -787 +788 @@
     return result;
 }
+
+static WebCore::CredentialRequestOptions::MediationRequirement toWebCore(_WKWebAuthenticationMediationRequirement mediation)
+{
+    switch (mediation) {
+    case _WKWebAuthenticationMediationRequirementSilent:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Silent;
+    case _WKWebAuthenticationMediationRequirementOptional:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Optional;
+    case _WKWebAuthenticationMediationRequirementRequired:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Required;
+    case _WKWebAuthenticationMediationRequirementConditional:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Conditional;
+    default:
+        ASSERT_NOT_REACHED();
+        return WebCore::CredentialRequestOptions::MediationRequirement::Optional;
+    }
+}
 #endif
 
@@ -845 +863 @@
 }
 
-- (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
+- (void)makeCredentialWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
 {
 #if ENABLE(WEB_AUTHN)
@@ -855 +873 @@
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
-#endif
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, toWebCore(mediation), std::nullopt }, WTFMove(callback));
+#endif
+}
+
+- (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
+{
+    [self makeCredentialWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:clientDataHash options:options completionHandler:handler];
 }
 
@@ -909 +932 @@
 }
 
-- (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
+- (void)getAssertionWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
 {
 #if ENABLE(WEB_AUTHN)
@@ -919 +942 @@
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
-#endif
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, toWebCore(mediation), std::nullopt }, WTFMove(callback));
+#endif
+}
+
+- (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
+{
+    [self getAssertionWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:clientDataHash options:options completionHandler:handler];
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

@@ -282 +282 @@
 {
     ASSERT(RunLoop::isMain());
-    if (!m_requestTimeOutTimer.isActive())
+    if (!m_requestTimeOutTimer.isActive() && (m_pendingRequestData.mediation != WebCore::CredentialRequestOptions::MediationRequirement::Conditional || !m_pendingCompletionHandler))
         return;
     ASSERT(m_pendingCompletionHandler);
@@ -426 +426 @@
 void AuthenticatorManager::initTimeOutTimer()
 {
+    if (m_pendingRequestData.mediation == WebCore::CredentialRequestOptions::MediationRequirement::Conditional)
+        return;
     std::optional<unsigned> timeOutInMs;
     WTF::switchOn(m_pendingRequestData.options, [&](const PublicKeyCredentialCreationOptions& options) {

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

@@ -242 +242 @@
         [requestContext setSecurityKeyCredentialCreationOptions:credentialCreationOptions.get()];
 
-    if (options.extensions && [credentialCreationOptions respondsToSelector:@selector(setExtensions:)])
+    if (options.extensions)
         [credentialCreationOptions setExtensions:toASCExtensions(*options.extensions).get()];
+
+    if (options.timeout && [credentialCreationOptions respondsToSelector:@selector(setTimeout:)])
+        credentialCreationOptions.get().timeout = [NSNumber numberWithUnsignedInt:*options.timeout];
 
     return requestContext;
@@ -258 +261 @@
         [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
     }
-    if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
+    if (options.extensions)
         [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
     if (parentOrigin && [assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
@@ -264 +267 @@
     else if (parentOrigin && ![assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
         return nil;
+    if (options.timeout && [assertionOptions respondsToSelector:@selector(setTimeout:)])
+        assertionOptions.get().timeout = [NSNumber numberWithUnsignedInt:*options.timeout];
     return assertionOptions;
 }

trunk/Tools/ChangeLog

@@ +1 @@
+2022-03-22  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
+        https://bugs.webkit.org/show_bug.cgi?id=238147
+        rdar://90509464
+
+        Reviewed by Brent Fulgham.
+
+        Modify API test to use new SPI.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (TestWebKitAPI::TEST):
+
 2022-03-21  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@ -1868 +1868 @@
 }
 
-TEST(WebAuthenticationPanel, MakeCredentialLAClientDataHash)
+TEST(WebAuthenticationPanel, MakeCredentialLAClientDataHashMediation)
 {
     reset();
@@ -1889 +1889 @@
     [panel setDelegate:delegate.get()];
 
-    [panel makeCredentialWithClientDataHash:nsHash.get() options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
+    [panel makeCredentialWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:nsHash.get() options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
         cleanUpKeychain("example.com");
@@ -2089 +2089 @@
 }
 
-TEST(WebAuthenticationPanel, GetAssertionLAClientDataHash)
+TEST(WebAuthenticationPanel, GetAssertionLAClientDataHashMediation)
 {
     reset();
@@ -2106 +2106 @@
     [panel setDelegate:delegate.get()];
 
-    [panel getAssertionWithClientDataHash:nsHash options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
+    [panel getAssertionWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:nsHash options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
         cleanUpKeychain("example.com");