Changeset 257877 in webkit

Timestamp:

Mar 4, 2020 1:42:39 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI
​https://bugs.webkit.org/show_bug.cgi?id=208533
<rdar://problem/60010184>

Reviewed by Alex Christensen.

Source/WebCore:

Covered by new tests within existing test files.

• en.lproj/Localizable.strings:
• platform/LocalizedStrings.cpp:

(WebCore::touchIDPromptTitle):
(WebCore::biometricFallbackPromptTitle):

• platform/LocalizedStrings.h:

Adds localized strings to support the customized LocalAuthentication dialog.

Source/WebKit:

This patch implements the above SPI to replace -[_WKWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:].
The original SPI is designed on the premise that Safari is going to highly customize the LocalAuthentication UI, and that is not happening
anymore. Therefore, WebKit takes back the invocation of LocalAuthentication and offer a new SPI to tell clients when WebKit is about to
show LocalAuthentication UI. Clients then have the trigger to pull at their pleasure.

This patch implements all plumbings to replace the SPI. Besides that, this patch also:
1) enhances the LocalConnection::verifyUser with a slightly customized LocalAuthentication dialog;
2) adds the SPI used above into the SPI header;
3) makes _WKWebAuthenticationPanelDelegate.transports as a NSSet instead of a NSArray;
4) lets LocalService::isAvailable return false if Apple attestation is not available.

• Platform/spi/Cocoa/LocalAuthenticationSPI.h:
• UIProcess/API/APIWebAuthenticationPanelClient.h:

(API::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):
(API::WebAuthenticationPanelClient::verifyUser const): Deleted.

• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:

(-[_WKWebAuthenticationPanel transports]):

• UIProcess/WebAuthentication/Authenticator.h:
• UIProcess/WebAuthentication/AuthenticatorManager.cpp:

(WebKit::AuthenticatorManager::decidePolicyForLocalAuthenticator):
(WebKit::AuthenticatorManager::verifyUser): Deleted.

• UIProcess/WebAuthentication/AuthenticatorManager.h:
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:

(WebKit::LocalAuthenticator::makeCredential):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterDecidePolicy):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
(WebKit::LocalAuthenticator::getAssertion):
(WebKit::LocalAuthenticator::continueGetAssertionAfterResponseSelected):
(WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented): Deleted.
(WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented): Deleted.

• UIProcess/WebAuthentication/Cocoa/LocalConnection.h:
• UIProcess/WebAuthentication/Cocoa/LocalConnection.mm:

(WebKit::LocalConnection::verifyUser const):
(WebKit::LocalConnection::isUnlocked const): Deleted.

• UIProcess/WebAuthentication/Cocoa/LocalService.mm:

(WebKit::LocalService::isAvailable):

• UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:
• UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:

(WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):
(WebKit::localAuthenticatorPolicy):
(WebKit::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):
(WebKit::WebAuthenticationPanelClient::verifyUser const): Deleted.

• UIProcess/WebAuthentication/Mock/MockLocalConnection.h:
• UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:

(WebKit::MockLocalConnection::verifyUser const):
(WebKit::MockLocalConnection::isUnlocked const): Deleted.

• UIProcess/WebAuthentication/WebAuthenticationFlags.h:

Tools:

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

(-[TestWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:]):
(TestWebKitAPI::TEST):
(-[TestWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:]): Deleted.

• TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-la.html: Removed.

Location:

trunk

Files:

• LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/en.lproj/Localizable.strings (modified) (2 diffs)
• Source/WebCore/platform/LocalizedStrings.cpp (modified) (1 diff)
• Source/WebCore/platform/LocalizedStrings.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Platform/spi/Cocoa/LocalAuthenticationSPI.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h (modified) (3 diffs)
• Source/WebKit/UIProcess/API/C/WKPage.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h (modified) (3 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Authenticator.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (modified) (7 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.h (modified) (3 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.mm (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm (modified) (4 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationFlags.h (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (4 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (5 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-la.html (deleted)

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html

@@ -99 +99 @@
                 }
             };
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't get user consent.");
+            return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't verify user.");
         }, "PublicKeyCredential's [[create]] without user consent in a mock local authenticator.");
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html

@@ -56 +56 @@
             if (window.testRunner)
                 testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);
-            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't get user consent.").then(() => {
+            return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't verify user.").then(() => {
                 if (window.testRunner)
                     testRunner.cleanUpKeychain(testRpId, userhandleBase64);

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI
+        https://bugs.webkit.org/show_bug.cgi?id=208533
+        <rdar://problem/60010184>
+
+        Reviewed by Alex Christensen.
+
+        Covered by new tests within existing test files.
+
+        * en.lproj/Localizable.strings:
+        * platform/LocalizedStrings.cpp:
+        (WebCore::touchIDPromptTitle):
+        (WebCore::biometricFallbackPromptTitle):
+        * platform/LocalizedStrings.h:
+        Adds localized strings to support the customized LocalAuthentication dialog.
+
 2020-03-04  Antoine Quint  <graouts@apple.com>
 

trunk/Source/WebCore/en.lproj/Localizable.strings

@@ -311 +311 @@
 "Enter Full Screen" = "Enter Full Screen";
 
+/* Use passcode as a fallback to sign into this website */
+"Enter passcode to sign into this website." = "Enter passcode to sign into this website.";
+
 /* menu item */
 "Enter Picture in Picture" = "Enter Picture in Picture";
@@ -878 +881 @@
 "To view this page, you must log in to this area on %@:" = "To view this page, you must log in to this area on %@:";
 
+/* Use Touch ID to sign into this website */
+"Touch ID to sign into this website." = "Touch ID to sign into this website.";
+
 /* Transformations context sub-menu item */
 "Transformations" = "Transformations";

trunk/Source/WebCore/platform/LocalizedStrings.cpp

@@ -1208 +1208 @@
 #endif
 
+#if ENABLE(WEB_AUTHN)
+String touchIDPromptTitle()
+{
+    return WEB_UI_STRING("Touch ID to sign into this website.", "Use Touch ID to sign into this website");
+}
+
+String biometricFallbackPromptTitle()
+{
+    return WEB_UI_STRING("Enter passcode to sign into this website.", "Use passcode as a fallback to sign into this website");
+}
+#endif
+
 } // namespace WebCore

trunk/Source/WebCore/platform/LocalizedStrings.h

@@ -340 +340 @@
 #endif
 
+#if ENABLE(WEB_AUTHN)
+    WEBCORE_EXPORT String touchIDPromptTitle();
+    WEBCORE_EXPORT String biometricFallbackPromptTitle();
+#endif
+
 #if USE(GLIB) && defined(GETTEXT_PACKAGE)
 #define WEB_UI_STRING(string, description) WebCore::localizedString(_(string))

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI
+        https://bugs.webkit.org/show_bug.cgi?id=208533
+        <rdar://problem/60010184>
+
+        Reviewed by Alex Christensen.
+
+        This patch implements the above SPI to replace -[_WKWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:].
+        The original SPI is designed on the premise that Safari is going to highly customize the LocalAuthentication UI, and that is not happening
+        anymore. Therefore, WebKit takes back the invocation of LocalAuthentication and offer a new SPI to tell clients when WebKit is about to
+        show LocalAuthentication UI. Clients then have the trigger to pull at their pleasure.
+
+        This patch implements all plumbings to replace the SPI. Besides that, this patch also:
+        1) enhances the LocalConnection::verifyUser with a slightly customized LocalAuthentication dialog;
+        2) adds the SPI used above into the SPI header;
+        3) makes _WKWebAuthenticationPanelDelegate.transports as a NSSet instead of a NSArray;
+        4) lets LocalService::isAvailable return false if Apple attestation is not available.
+
+        * Platform/spi/Cocoa/LocalAuthenticationSPI.h:
+        * UIProcess/API/APIWebAuthenticationPanelClient.h:
+        (API::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):
+        (API::WebAuthenticationPanelClient::verifyUser const): Deleted.
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (-[_WKWebAuthenticationPanel transports]):
+        * UIProcess/WebAuthentication/Authenticator.h:
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::decidePolicyForLocalAuthenticator):
+        (WebKit::AuthenticatorManager::verifyUser): Deleted.
+        * UIProcess/WebAuthentication/AuthenticatorManager.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticator::makeCredential):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterDecidePolicy):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
+        (WebKit::LocalAuthenticator::getAssertion):
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterResponseSelected):
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented): Deleted.
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented): Deleted.
+        * UIProcess/WebAuthentication/Cocoa/LocalConnection.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalConnection.mm:
+        (WebKit::LocalConnection::verifyUser const):
+        (WebKit::LocalConnection::isUnlocked const): Deleted.
+        * UIProcess/WebAuthentication/Cocoa/LocalService.mm:
+        (WebKit::LocalService::isAvailable):
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:
+        (WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):
+        (WebKit::localAuthenticatorPolicy):
+        (WebKit::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):
+        (WebKit::WebAuthenticationPanelClient::verifyUser const): Deleted.
+        * UIProcess/WebAuthentication/Mock/MockLocalConnection.h:
+        * UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:
+        (WebKit::MockLocalConnection::verifyUser const):
+        (WebKit::MockLocalConnection::isUnlocked const): Deleted.
+        * UIProcess/WebAuthentication/WebAuthenticationFlags.h:
+
 2020-03-04  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebKit/Platform/spi/Cocoa/LocalAuthenticationSPI.h

@@ -35 +35 @@
 
 typedef NS_ENUM(NSInteger, LAOption) {
-    LAOptionNotInteractive,
+    LAOptionAuthenticationTitle,
+    LAOptionPasscodeTitle,
 };
 
 @interface LAContext(Private) <NSSecureCoding>
 
-- (NSDictionary *)evaluatePolicy:(LAPolicy)policy options:(NSDictionary *)options error:(NSError **)error;
+- (void)evaluateAccessControl:(SecAccessControlRef)accessControl operation:(LAAccessControlOperation)operation options:(NSDictionary *)options reply:(void(^)(NSDictionary *result, NSError *error))reply;
 
 @end

trunk/Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h

@@ -28 +28 @@
 #if ENABLE(WEB_AUTHN)
 
+#include "WebAuthenticationFlags.h"
 #include <wtf/CompletionHandler.h>
 #include <wtf/HashSet.h>
@@ -38 +39 @@
 namespace WebCore {
 class AuthenticatorAssertionResponse;
-}
-
-namespace WebKit {
-enum class WebAuthenticationStatus : uint8_t;
-enum class WebAuthenticationResult : bool;
 }
 
@@ -56 +52 @@
     virtual void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&& completionHandler) const { completionHandler(emptyString()); }
     virtual void selectAssertionResponse(Vector<Ref<WebCore::AuthenticatorAssertionResponse>>&& responses, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&& completionHandler) const { ASSERT(!responses.isEmpty()); completionHandler(responses[0]); }
-    virtual void verifyUser(SecAccessControlRef, CompletionHandler<void(LAContext *)>&& completionHandler) const { completionHandler(nullptr); }
+    virtual void decidePolicyForLocalAuthenticator(CompletionHandler<void(WebKit::LocalAuthenticatorPolicy)>&& completionHandler) const { completionHandler(WebKit::LocalAuthenticatorPolicy::Disallow); }
 };
 

trunk/Source/WebKit/UIProcess/API/C/WKPage.cpp

@@ -48 +48 @@
 #include "APISessionState.h"
 #include "APIUIClient.h"
+#include "APIWebAuthenticationPanel.h"
+#include "APIWebAuthenticationPanelClient.h"
 #include "APIWebsitePolicies.h"
 #include "APIWindowFeatures.h"
@@ -2080 +2082 @@
 #if ENABLE(WEB_AUTHN)
         // The current method is specialized for WebKitTestRunner.
-        void runWebAuthenticationPanel(WebPageProxy&, API::WebAuthenticationPanel&, WebFrameProxy&, FrameInfoData&&, CompletionHandler<void(WebKit::WebAuthenticationPanelResult)>&& completionHandler) final
-        {
+        void runWebAuthenticationPanel(WebPageProxy&, API::WebAuthenticationPanel& panel, WebFrameProxy&, FrameInfoData&&, CompletionHandler<void(WebKit::WebAuthenticationPanelResult)>&& completionHandler) final
+        {
+            class PanelClient : public API::WebAuthenticationPanelClient {
+            public:
+                void decidePolicyForLocalAuthenticator(CompletionHandler<void(WebKit::LocalAuthenticatorPolicy)>&& completionHandler) const { completionHandler(WebKit::LocalAuthenticatorPolicy::Allow); }
+            };
+
             if (!m_client.runWebAuthenticationPanel) {
                 completionHandler(WebKit::WebAuthenticationPanelResult::Unavailable);
                 return;
             }
+
+            panel.setClient(WTF::makeUniqueRef<PanelClient>());
             completionHandler(WebKit::WebAuthenticationPanelResult::Presented);
         }

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h

@@ -69 +69 @@
 } WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
+typedef NS_ENUM(NSInteger, _WKLocalAuthenticatorPolicy) {
+    _WKLocalAuthenticatorPolicyAllow,
+    _WKLocalAuthenticatorPolicyDisallow,
+} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 @protocol _WKWebAuthenticationPanelDelegate <NSObject>
 
@@ -77 +82 @@
 - (void)panel:(_WKWebAuthenticationPanel *)panel requestPINWithRemainingRetries:(NSUInteger)retries completionHandler:(void (^)(NSString *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 - (void)panel:(_WKWebAuthenticationPanel *)panel selectAssertionResponse:(NSArray < _WKWebAuthenticationAssertionResponse *> *)responses completionHandler:(void (^)(_WKWebAuthenticationAssertionResponse *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
-- (void)panel:(_WKWebAuthenticationPanel *)panel verifyUserWithAccessControl:(SecAccessControlRef)accessControl completionHandler:(void (^)(LAContext *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)panel:(_WKWebAuthenticationPanel *)panel decidePolicyForLocalAuthenticatorWithCompletionHandler:(void (^)(_WKLocalAuthenticatorPolicy policy))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
 @end
@@ -86 +91 @@
 @property (nullable, nonatomic, weak) id <_WKWebAuthenticationPanelDelegate> delegate;
 @property (nonatomic, readonly, copy) NSString *relyingPartyID;
-@property (nonatomic, readonly, copy) NSArray *transports;
+@property (nonatomic, readonly, copy) NSSet *transports;
 @property (nonatomic, readonly) _WKWebAuthenticationType type;
 

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@@ -34 +34 @@
 #if ENABLE(WEB_AUTHN)
     WeakPtr<WebKit::WebAuthenticationPanelClient> _client;
-    RetainPtr<NSMutableArray> _transports;
+    RetainPtr<NSMutableSet> _transports;
 #endif
 }
@@ -82 +82 @@
 }
 
-- (NSArray *)transports
+- (NSSet *)transports
 {
     if (_transports)
@@ -88 +88 @@
 
     auto& transports = _panel->transports();
-    _transports = [[NSMutableArray alloc] initWithCapacity:transports.size()];
+    _transports = [[NSMutableSet alloc] initWithCapacity:transports.size()];
     for (auto& transport : transports)
         [_transports addObject:adoptNS([[NSNumber alloc] initWithInt:wkWebAuthenticationTransport(transport)]).get()];

trunk/Source/WebKit/UIProcess/WebAuthentication/Authenticator.h

@@ -57 +57 @@
         virtual void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) = 0;
         virtual void selectAssertionResponse(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) = 0;
-        virtual void verifyUser(SecAccessControlRef, CompletionHandler<void(LAContext *)>&&) = 0;
+        virtual void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) = 0;
     };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

@@ -296 +296 @@
 }
 
-void AuthenticatorManager::verifyUser(SecAccessControlRef accessControlRef, CompletionHandler<void(LAContext *)>&& completionHandler)
-{
-    RetainPtr<SecAccessControlRef> accessControl = accessControlRef;
-    dispatchPanelClientCall([accessControl = WTFMove(accessControl), completionHandler = WTFMove(completionHandler)] (const API::WebAuthenticationPanel& panel) mutable {
-        panel.client().verifyUser(accessControl.get(), WTFMove(completionHandler));
+void AuthenticatorManager::decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&& completionHandler)
+{
+    dispatchPanelClientCall([completionHandler = WTFMove(completionHandler)] (const API::WebAuthenticationPanel& panel) mutable {
+        panel.client().decidePolicyForLocalAuthenticator(WTFMove(completionHandler));
     });
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h

@@ -84 +84 @@
     void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) final;
     void selectAssertionResponse(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) final;
-    void verifyUser(SecAccessControlRef, CompletionHandler<void(LAContext *)>&&) final;
+    void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) final;
 
     // Overriden by MockAuthenticatorManager.

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h

@@ -39 +39 @@
 public:
     // Here is the FSM.
-    // MakeCredential: Init => RequestReceived => UserConsented => Attested => End
-    // GetAssertion: Init => RequestReceived => ResponseSelected => UserConsented => End
+    // MakeCredential: Init => RequestReceived => PolicyDecided => UserVerified => Attested => End
+    // GetAssertion: Init => RequestReceived => ResponseSelected => UserVerified => End
     enum class State {
         Init,
         RequestReceived,
-        UserConsented,
+        UserVerified,
         Attested,
-        ResponseSelected
+        ResponseSelected,
+        PolicyDecided,
     };
 
@@ -58 +59 @@
 
     void makeCredential() final;
-    void continueMakeCredentialAfterUserConsented(SecAccessControlRef, LAContext *);
+    void continueMakeCredentialAfterDecidePolicy(LocalAuthenticatorPolicy);
+    void continueMakeCredentialAfterUserVerification(SecAccessControlRef, LocalConnection::UserVerification, LAContext *);
     void continueMakeCredentialAfterAttested(SecKeyRef, Vector<uint8_t>&& credentialId, Vector<uint8_t>&& authData, NSArray *certificates, NSError *);
 
     void getAssertion() final;
     void continueGetAssertionAfterResponseSelected(Ref<WebCore::AuthenticatorAssertionResponse>&&);
-    void continueGetAssertionAfterUserConsented(LAContext *, Ref<WebCore::AuthenticatorAssertionResponse>&&);
+    void continueGetAssertionAfterUserVerification(Ref<WebCore::AuthenticatorAssertionResponse>&&, LocalConnection::UserVerification, LAContext *);
 
     void receiveException(WebCore::ExceptionData&&, WebAuthenticationStatus = WebAuthenticationStatus::LAError) const;

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm

@@ -161 +161 @@
     // Step 6.
     // Get user consent.
+    if (auto* observer = this->observer()) {
+        auto callback = [weakThis = makeWeakPtr(*this)] (LocalAuthenticatorPolicy policy) {
+            ASSERT(RunLoop::isMain());
+            if (!weakThis)
+                return;
+
+            weakThis->continueMakeCredentialAfterDecidePolicy(policy);
+        };
+        observer->decidePolicyForLocalAuthenticator(WTFMove(callback));
+    }
+}
+
+void LocalAuthenticator::continueMakeCredentialAfterDecidePolicy(LocalAuthenticatorPolicy policy)
+{
+    ASSERT(m_state == State::RequestReceived);
+    m_state = State::PolicyDecided;
+
+    if (policy == LocalAuthenticatorPolicy::Disallow) {
+        receiveRespond(ExceptionData { UnknownError, "Disallow local authenticator."_s });
+        return;
+    }
+
     RetainPtr<SecAccessControlRef> accessControl;
     {
@@ -172 +194 @@
     }
 
-    if (auto* observer = this->observer()) {
-        SecAccessControlRef accessControlRef = accessControl.get();
-        auto callback = [accessControl = WTFMove(accessControl), weakThis = makeWeakPtr(*this)] (LAContext *context) {
-            ASSERT(RunLoop::isMain());
-            if (!weakThis)
-                return;
-
-            weakThis->continueMakeCredentialAfterUserConsented(accessControl.get(), context);
-        };
-        observer->verifyUser(accessControlRef, WTFMove(callback));
-    }
-}
-
-void LocalAuthenticator::continueMakeCredentialAfterUserConsented(SecAccessControlRef accessControlRef, LAContext *context)
+    SecAccessControlRef accessControlRef = accessControl.get();
+    auto callback = [accessControl = WTFMove(accessControl), weakThis = makeWeakPtr(*this)] (LocalConnection::UserVerification verification, LAContext *context) {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+
+        weakThis->continueMakeCredentialAfterUserVerification(accessControl.get(), verification, context);
+    };
+    m_connection->verifyUser(accessControlRef, WTFMove(callback));
+}
+
+void LocalAuthenticator::continueMakeCredentialAfterUserVerification(SecAccessControlRef accessControlRef, LocalConnection::UserVerification verification, LAContext *context)
 {
     using namespace LocalAuthenticatorInternal;
 
-    ASSERT(m_state == State::RequestReceived);
-    m_state = State::UserConsented;
+    ASSERT(m_state == State::PolicyDecided);
+    m_state = State::UserVerified;
     auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
 
-    if (!m_connection->isUnlocked(context)) {
-        receiveRespond(ExceptionData { NotAllowedError, "Couldn't get user consent."_s });
+    if (verification == LocalConnection::UserVerification::No) {
+        receiveException({ NotAllowedError, "Couldn't verify user."_s });
         return;
     }
@@ -310 +330 @@
     using namespace LocalAuthenticatorInternal;
 
-    ASSERT(m_state == State::UserConsented);
+    ASSERT(m_state == State::UserVerified);
     m_state = State::Attested;
     auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
@@ -393 +413 @@
     }
 
-    // Step 6.
+    // Step 6-7. User consent is implicitly acquired by selecting responses.
     for (NSDictionary *attribute : intersectedCredentialsAttributes) {
         auto addResult = m_assertionResponses.add(AuthenticatorAssertionResponse::create(
@@ -423 +443 @@
     m_state = State::ResponseSelected;
 
-    // Step 7. Get user consent.
-    if (auto* observer = this->observer()) {
-        auto accessControlRef = response->accessControl();
-        auto callback = [weakThis = makeWeakPtr(*this), response = WTFMove(response)] (LAContext *context) mutable {
-            ASSERT(RunLoop::isMain());
-            if (!weakThis)
-                return;
-
-            weakThis->continueGetAssertionAfterUserConsented(context, WTFMove(response));
-        };
-        observer->verifyUser(accessControlRef, WTFMove(callback));
-    }
-}
-
-void LocalAuthenticator::continueGetAssertionAfterUserConsented(LAContext *context, Ref<WebCore::AuthenticatorAssertionResponse>&& response)
+    auto accessControlRef = response->accessControl();
+    auto callback = [
+        weakThis = makeWeakPtr(*this),
+        response = WTFMove(response)
+    ] (LocalConnection::UserVerification verification, LAContext *context) mutable {
+        ASSERT(RunLoop::isMain());
+        if (!weakThis)
+            return;
+
+        weakThis->continueGetAssertionAfterUserVerification(WTFMove(response), verification, context);
+    };
+    m_connection->verifyUser(accessControlRef, WTFMove(callback));
+}
+
+void LocalAuthenticator::continueGetAssertionAfterUserVerification(Ref<WebCore::AuthenticatorAssertionResponse>&& response, LocalConnection::UserVerification verification, LAContext *context)
 {
     using namespace LocalAuthenticatorInternal;
     ASSERT(m_state == State::ResponseSelected);
-    m_state = State::UserConsented;
-
-    if (!m_connection->isUnlocked(context)) {
-        receiveRespond(ExceptionData { NotAllowedError, "Couldn't get user consent."_s });
+    m_state = State::UserVerified;
+
+    if (verification == LocalConnection::UserVerification::No) {
+        receiveException({ NotAllowedError, "Couldn't verify user."_s });
         return;
     }
@@ -457 +477 @@
     RetainPtr<CFDataRef> signature;
     {
-        auto query = adoptNS([[NSMutableDictionary alloc] init]);
-        [query addEntriesFromDictionary:@{
+        NSDictionary *query = @{
             (id)kSecClass: (id)kSecClassKey,
             (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
             (id)kSecAttrApplicationLabel: toNSData(response->rawId()).get(),
+            (id)kSecUseAuthenticationContext: context,
             (id)kSecReturnRef: @YES,
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
@@ -468 +488 @@
             (id)kSecAttrNoLegacy: @YES
 #endif
-        }];
-        // context is nullptr in mock testing.
-        if (context)
-            [query setObject:context forKey:(id)kSecUseAuthenticationContext];
+        };
         CFTypeRef privateKeyRef = nullptr;
-        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query.get(), &privateKeyRef);
+        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &privateKeyRef);
         if (status) {
             receiveException({ UnknownError, makeString("Couldn't get the private key reference: ", status) });

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.h

@@ -37 +37 @@
 
 namespace WebCore {
-
 class AuthenticatorAssertionResponse;
-
 }
 
@@ -53 +51 @@
     WTF_MAKE_NONCOPYABLE(LocalConnection);
 public:
+    enum class UserVerification : bool {
+        No,
+        Yes
+    };
+
     using AttestationCallback = CompletionHandler<void(NSArray *, NSError *)>;
+    using UserVerificationCallback = CompletionHandler<void(UserVerification, LAContext *)>;
 
     LocalConnection() = default;
@@ -59 +63 @@
 
     // Overrided by MockLocalConnection.
-    virtual bool isUnlocked(LAContext *) const;
+    virtual void verifyUser(SecAccessControlRef, UserVerificationCallback&&) const;
     virtual RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const;
     virtual void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const;

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.mm

@@ -29 +29 @@
 #if ENABLE(WEB_AUTHN)
 
+#import <WebCore/LocalizedStrings.h>
 #import <wtf/BlockPtr.h>
 #import <wtf/RunLoop.h>
@@ -40 +41 @@
 namespace WebKit {
 
-bool LocalConnection::isUnlocked(LAContext *context) const
+void LocalConnection::verifyUser(SecAccessControlRef accessControl, UserVerificationCallback&& completionHandler) const
 {
-    NSError *error = nil;
-    auto result = [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics options:@{ @(LAOptionNotInteractive): @YES } error:&error];
-    if (!result)
-        LOG_ERROR("Couldn't get user consent: %@", error);
-    return !!result;
+    auto context = adoptNS([allocLAContextInstance() init]);
+
+    auto options = adoptNS([[NSMutableDictionary alloc] init]);
+    if ([context biometryType] == LABiometryTypeTouchID)
+        [options setObject:WebCore::touchIDPromptTitle() forKey:@(LAOptionAuthenticationTitle)];
+    [options setObject:WebCore::biometricFallbackPromptTitle() forKey:@(LAOptionPasscodeTitle)];
+
+    auto reply = makeBlockPtr([context, completionHandler = WTFMove(completionHandler)] (NSDictionary *, NSError *error) mutable {
+        ASSERT(!RunLoop::isMain());
+
+        UserVerification verification = UserVerification::Yes;
+        if (error) {
+            LOG_ERROR("Couldn't authenticate with biometrics: %@", error);
+            verification = UserVerification::No;
+        }
+        RunLoop::main().dispatch([completionHandler = WTFMove(completionHandler), verification, context = WTFMove(context)] () mutable {
+            completionHandler(verification, context.get());
+        });
+    });
+
+    [context evaluateAccessControl:accessControl operation:LAAccessControlOperationUseKeySign options:options.get() reply:reply.get()];
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm

@@ -56 +56 @@
 #if defined(LOCALSERVICE_ADDITIONS)
 LOCALSERVICE_ADDITIONS
+#else
+    return false;
 #endif
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h

@@ -51 +51 @@
     void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&&) const final;
     void selectAssertionResponse(Vector<Ref<WebCore::AuthenticatorAssertionResponse>>&&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) const final;
-    void verifyUser(SecAccessControlRef, CompletionHandler<void(LAContext *)>&&) const final;
+    void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) const final;
 
     _WKWebAuthenticationPanel *m_panel;
@@ -61 +61 @@
         bool panelRequestPinWithRemainingRetriesCompletionHandler : 1;
         bool panelSelectAssertionResponseCompletionHandler : 1;
-        bool panelVerifyUserWithAccessControlCompletionHandler : 1;
+        bool panelDecidePolicyForLocalAuthenticatorCompletionHandler : 1;
     } m_delegateMethods;
 };

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm

@@ -33 +33 @@
 #import "CompletionHandlerCallChecker.h"
 #import "WKNSArray.h"
-#import "WebAuthenticationFlags.h"
 #import "_WKWebAuthenticationAssertionResponseInternal.h"
 #import "_WKWebAuthenticationPanel.h"
@@ -51 +50 @@
     m_delegateMethods.panelRequestPinWithRemainingRetriesCompletionHandler = [delegate respondsToSelector:@selector(panel:requestPINWithRemainingRetries:completionHandler:)];
     m_delegateMethods.panelSelectAssertionResponseCompletionHandler = [delegate respondsToSelector:@selector(panel:selectAssertionResponse:completionHandler:)];
-    m_delegateMethods.panelVerifyUserWithAccessControlCompletionHandler = [delegate respondsToSelector:@selector(panel:verifyUserWithAccessControl:completionHandler:)];
+    m_delegateMethods.panelDecidePolicyForLocalAuthenticatorCompletionHandler = [delegate respondsToSelector:@selector(panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:)];
 }
 
@@ -168 +167 @@
 }
 
-void WebAuthenticationPanelClient::verifyUser(SecAccessControlRef accessControl, CompletionHandler<void(LAContext *)>&& completionHandler) const
-{
-    if (!m_delegateMethods.panelVerifyUserWithAccessControlCompletionHandler) {
-        completionHandler(adoptNS([allocLAContextInstance() init]).get());
+static LocalAuthenticatorPolicy localAuthenticatorPolicy(_WKLocalAuthenticatorPolicy result)
+{
+    switch (result) {
+    case _WKLocalAuthenticatorPolicyAllow:
+        return LocalAuthenticatorPolicy::Allow;
+    case _WKLocalAuthenticatorPolicyDisallow:
+        return LocalAuthenticatorPolicy::Disallow;
+    }
+    ASSERT_NOT_REACHED();
+    return LocalAuthenticatorPolicy::Allow;
+}
+
+void WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&& completionHandler) const
+{
+    if (!m_delegateMethods.panelDecidePolicyForLocalAuthenticatorCompletionHandler) {
+        completionHandler(LocalAuthenticatorPolicy::Disallow);
         return;
     }
@@ -177 +188 @@
     auto delegate = m_delegate.get();
     if (!delegate) {
-        completionHandler(adoptNS([allocLAContextInstance() init]).get());
-        return;
-    }
-
-    auto checker = CompletionHandlerCallChecker::create(delegate.get(), @selector(panel:verifyUserWithAccessControl:completionHandler:));
-    [delegate panel:m_panel verifyUserWithAccessControl:accessControl completionHandler:makeBlockPtr([completionHandler = WTFMove(completionHandler), checker = WTFMove(checker)](LAContext *context) mutable {
+        completionHandler(LocalAuthenticatorPolicy::Disallow);
+        return;
+    }
+
+    auto checker = CompletionHandlerCallChecker::create(delegate.get(), @selector(panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:));
+    [delegate panel:m_panel decidePolicyForLocalAuthenticatorWithCompletionHandler:makeBlockPtr([completionHandler = WTFMove(completionHandler), checker = WTFMove(checker)](_WKLocalAuthenticatorPolicy policy) mutable {
         if (checker->completionHandlerHasBeenCalled())
             return;
         checker->didCallCompletionHandler();
-        completionHandler(context);
+        completionHandler(localAuthenticatorPolicy(policy));
     }).get()];
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.h

@@ -38 +38 @@
 
 private:
-    bool isUnlocked(LAContext *) const final;
+    void verifyUser(SecAccessControlRef, UserVerificationCallback&&) const final;
     RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const final;
     void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const final;

trunk/Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm

@@ -45 +45 @@
 }
 
-bool MockLocalConnection::isUnlocked(LAContext *context) const
+void MockLocalConnection::verifyUser(SecAccessControlRef, UserVerificationCallback&& callback) const
 {
-    return m_configuration.local->acceptAuthentication;
+    // Mock async operations.
+    RunLoop::main().dispatch([configuration = m_configuration, callback = WTFMove(callback)]() mutable {
+        ASSERT(configuration.local);
+        if (!configuration.local->acceptAuthentication) {
+            callback(UserVerification::No, nil);
+            return;
+        }
+        callback(UserVerification::Yes, adoptNS([allocLAContextInstance() init]).get());
+    });
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationFlags.h

@@ -52 +52 @@
 };
 
+enum class LocalAuthenticatorPolicy : bool {
+    Allow,
+    Disallow
+};
+
 } // namespace WebKit
 

trunk/Tools/ChangeLog

@@ +1 @@
+2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI
+        https://bugs.webkit.org/show_bug.cgi?id=208533
+        <rdar://problem/60010184>
+
+        Reviewed by Alex Christensen.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (-[TestWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:]):
+        (TestWebKitAPI::TEST):
+        (-[TestWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:]): Deleted.
+        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-la.html: Removed.
+
 2020-03-04  Alex Christensen  <achristensen@webkit.org>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -354 +354 @@
                 574217882400AC25002B303D /* web-authentication-make-credential-la-error.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 574217872400ABFD002B303D /* web-authentication-make-credential-la-error.html */; };
                 5742178A2400AED8002B303D /* web-authentication-make-credential-la-duplicate-credential.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 574217892400AED0002B303D /* web-authentication-make-credential-la-duplicate-credential.html */; };
-                5742178C2400CD47002B303D /* web-authentication-get-assertion-la.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */; };
                 5742178E2400D2DF002B303D /* web-authentication-make-credential-la.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5742178D2400D26C002B303D /* web-authentication-make-credential-la.html */; };
                 574F55D2204D47F0002948C6 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 574F55D0204D471C002948C6 /* Security.framework */; };
@@ -1530 +1529 @@
                                 570D26FC23C3F87000D5CF67 /* web-authentication-get-assertion-hid-pin.html in Copy Resources */,
                                 57663DEC234F1F9300E85E09 /* web-authentication-get-assertion-hid.html in Copy Resources */,
-                                5742178C2400CD47002B303D /* web-authentication-get-assertion-la.html in Copy Resources */,
                                 579833922368FA37008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html in Copy Resources */,
                                 57663DEA234EA66D00E85E09 /* web-authentication-get-assertion-nfc.html in Copy Resources */,
@@ -1983 +1981 @@
                 574217872400ABFD002B303D /* web-authentication-make-credential-la-error.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la-error.html"; sourceTree = "<group>"; };
                 574217892400AED0002B303D /* web-authentication-make-credential-la-duplicate-credential.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la-duplicate-credential.html"; sourceTree = "<group>"; };
-                5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-get-assertion-la.html"; sourceTree = "<group>"; };
                 5742178D2400D26C002B303D /* web-authentication-make-credential-la.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la.html"; sourceTree = "<group>"; };
                 5742178F2400D54D002B303D /* web-authentication-make-credential.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential.html"; sourceTree = "<group>"; };
@@ -3615 +3612 @@
                                 570D26FB23C3F86500D5CF67 /* web-authentication-get-assertion-hid-pin.html */,
                                 57663DEB234F1F8000E85E09 /* web-authentication-get-assertion-hid.html */,
-                                5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */,
                                 5798337B235EB65C008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html */,
                                 57663DE9234EA60B00E85E09 /* web-authentication-get-assertion-nfc.html */,

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@ -56 +56 @@
 static bool webAuthenticationPanelUpdateLANoCredential = false;
 static bool webAuthenticationPanelCancelImmediately = false;
-static bool webAuthenticationPanelVerifyUser = false;
+static _WKLocalAuthenticatorPolicy localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyDisallow;
 static String webAuthenticationPanelPin;
 static BOOL webAuthenticationPanelNullUserHandle = NO;
@@ -152 +152 @@
 }
 
-- (void)panel:(_WKWebAuthenticationPanel *)panel verifyUserWithAccessControl:(SecAccessControlRef)accessControl completionHandler:(void (^)(LAContext *))completionHandler
-{
-    webAuthenticationPanelVerifyUser = true;
-    auto context = adoptNS([[LAContext alloc] init]);
-    completionHandler(context.get());
+- (void)panel:(_WKWebAuthenticationPanel *)panel decidePolicyForLocalAuthenticatorWithCompletionHandler:(void (^)(_WKLocalAuthenticatorPolicy policy))completionHandler
+{
+    completionHandler(localAuthenticatorPolicy);
 }
 
@@ -301 +299 @@
     webAuthenticationPanelPin = emptyString();
     webAuthenticationPanelNullUserHandle = NO;
-    webAuthenticationPanelVerifyUser = false;
+    localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyDisallow;
 }
 
@@ -308 +306 @@
     EXPECT_WK_STREQ(panel.relyingPartyID, relyingPartyID);
 
-    // Brute force given the maximum size of the array is 4.
-    auto *theTransports = panel.transports;
-    EXPECT_EQ(theTransports.count, transports.count);
+    EXPECT_EQ(panel.transports.count, transports.count);
     size_t count = 0;
     for (NSNumber *transport : transports) {
-        for (NSNumber *theTransport : theTransports) {
-            if (transport == theTransport) {
-                count++;
-                break;
-            }
-        }
+        if ([panel.transports containsObject:transport])
+            count++;
     }
     EXPECT_EQ(count, transports.count);
@@ -1260 +1252 @@
 
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
-    [webView waitForMessage:@"Succeeded!"];
+    [webView waitForMessage:@"Disallow local authenticator."];
+}
+
+TEST(WebAuthenticationPanel, LAMakeCredentialDisallowLocalAuthenticator)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Disallow local authenticator."];
+}
+
+TEST(WebAuthenticationPanel, LAMakeCredentialAllowLocalAuthenticator)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+
+    localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyAllow;
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Succeeded!"];
+    checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeCreate);
     cleanUpKeychain("");
 }
 
-TEST(WebAuthenticationPanel, LAMakeCredential)
-{
-    reset();
-    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
-
-    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
-    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
-    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
-
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
-    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
-    [webView setUIDelegate:delegate.get()];
-
-    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
-    Util::run(&webAuthenticationPanelVerifyUser);
-    checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeCreate);
-    [webView waitForMessage:@"Succeeded!"];
-}
-
-TEST(WebAuthenticationPanel, LAGetAssertion)
-{
-    reset();
-    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
-
-    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
-    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
-    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationLocalAuthenticatorExperimentalFeature()];
-
-    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
-    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
-    [webView setUIDelegate:delegate.get()];
-
-    ASSERT_TRUE(addKeyToKeychain(testES256PrivateKeyBase64, "", testUserhandleBase64));
-    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
-    Util::run(&webAuthenticationPanelVerifyUser);
-    checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeGet);
-    [webView waitForMessage:@"Succeeded!"];
-    cleanUpKeychain("");
-}
-
 #endif // USE(APPLE_INTERNAL_SDK) || PLATFORM(IOS)