From 946812691e5b9c6820060b2bfef95ecb69462c38 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:59:59 -0700
Subject: [PATCH] Make AuthenticatorAttestation Serializable

Issue gh-16481
---
 ...gSecurityCoreVersionSerializableTests.java |  10 +++++++++-
 ...thn.api.AuthenticatorAttachment.serialized | Bin 0 -> 130 bytes
 ...ebauthn.api.PublicKeyCredential.serialized | Bin 2078 -> 2272 bytes
 ...AuthnAuthenticationRequestToken.serialized | Bin 3891 -> 3974 bytes
 ...lyingPartyAuthenticationRequest.serialized | Bin 3196 -> 3279 bytes
 .../webauthn/api/AuthenticatorAttachment.java |  14 +++++++++++++-
 .../web/webauthn/api/PublicKeyCredential.java |   2 +-
 7 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized

diff --git a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
index 7f4d78f41b..2982d2a005 100644
--- a/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
+++ b/config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java
@@ -46,6 +46,7 @@ import jakarta.servlet.http.Cookie;
 import org.apereo.cas.client.validation.AssertionImpl;
 import org.instancio.Instancio;
 import org.instancio.InstancioApi;
+import org.instancio.InstancioOfClassApi;
 import org.instancio.Select;
 import org.instancio.generator.Generator;
 import org.junit.jupiter.api.Disabled;
@@ -55,6 +56,7 @@ import org.junit.jupiter.params.provider.MethodSource;
 
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
+import org.springframework.core.ResolvableType;
 import org.springframework.core.type.filter.AssignableTypeFilter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
@@ -214,6 +216,7 @@ import org.springframework.security.web.session.HttpSessionCreatedEvent;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
@@ -658,6 +661,7 @@ class SpringSecurityCoreVersionSerializableTests {
 		generatorByClassName.put(RelyingPartyAuthenticationRequest.class, (r) -> authRequest);
 		generatorByClassName.put(PublicKeyCredential.class, (r) -> credential);
 		generatorByClassName.put(WebAuthnAuthenticationRequestToken.class, (r) -> requestToken);
+		generatorByClassName.put(AuthenticatorAttachment.class, (r) -> AuthenticatorAttachment.PLATFORM);
 		// @formatter:on
 	}
 
@@ -768,7 +772,11 @@ class SpringSecurityCoreVersionSerializableTests {
 	}
 
 	private static InstancioApi<?> instancioWithDefaults(Class<?> clazz) {
-		InstancioApi<?> instancio = Instancio.of(clazz);
+		InstancioOfClassApi<?> instancio = Instancio.of(clazz);
+		ResolvableType[] generics = ResolvableType.forClass(clazz).getGenerics();
+		for (ResolvableType type : generics) {
+			instancio.withTypeParameters(type.resolve());
+		}
 		if (generatorByClassName.containsKey(clazz)) {
 			instancio.supply(Select.all(clazz), generatorByClassName.get(clazz));
 		}
diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.AuthenticatorAttachment.serialized
new file mode 100644
index 0000000000000000000000000000000000000000..449d5b9a9814420db1f69c3f4be1de49b487a2a1
GIT binary patch
literal 130
zcmWlSy$!-J6b2tikq{+=I2{dD3c7Sm@WpZ*ga7pWoWM>rjKl!!KvJA^SKa$ZO<}qw
zwyI=y(T<E@mc$QLjIQkDr4}=6pvn{#vQyn^CW_OL#GMHA6xOci&-6t)?rGOkGs9OS
Ybn5Sz(RxJN-efymo>}OSJ!DKA{-WA27XSbN

literal 0
HcmV?d00001

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.api.PublicKeyCredential.serialized
index 6b2e6a8cc3fe42db44a292e90f1a2cb5b39ee344..2edec67206b88d76f897e14a1ff2853be5f9881a 100644
GIT binary patch
delta 287
zcmbOy@IY`vupFBYgLq<TNk(d3NoI0lNq&)INl9XIMlO(F!r(qRky(G@d~RN3Ve5?{
zC5)3dvg<oJV%Jw{wlU*jVm=oW1EUWEYguAWX=))u9RqVkK?ws_XpnD!m$SQXq(^ZP
zL(JrZ%zB%@Gp=T~W$|GUL~(~pVo4%M8&HC?I5Ryjv81#JYz|O>tF$<^$RjZ?B?lrh
z`95npKTAbHF-U`CDTtJr9Lm<kiz@PuO^+QWYs?-1XLqr;2tZs{P@0sJnXH?gS_uH`
CR$S8n

delta 194
zcmaDLI8R_gFeB^69VLv6F_ZI{^){boTFvap?86|KSXz>inpcvUoLG`y<dRsDSjbSv
z0F>Y?&P>lsEGaEYg$i($7N-_@B<7{$Ktw8v7@UDdSx)}Irp3=(QBVw0Ct3<3B_?aK
ycgZ6QFfcGMGlyFv3r#-2uE!2j|CK!e&i3JG5n!q)C}H3#C{4=AOxDd#tposm%Q$-g

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationRequestToken.serialized
index 5945cd459a5a5ff2116d3128645c62c2a4e9832c..b7eda5a62d70b7c0ae5a54b7a07ddea7caa4be07 100644
GIT binary patch
delta 205
zcmdli*CxLqn?;(<he15Cv?L=nuOu@$u_V99v7{t1IU^UypWMi5H2EG6H!rfF_2wLw
zM8?f$ST8U$N=%;1DWM_Z!@yabnVy$eQd*Q+$WX@s6yPc?PA&3C%uC6Eh*T6YI8VOF
zsyCUN%amWDqM#V0PO}t5>P+_M>f%Ke`N5^f4wKd84uG*Yw{S}_GD>Wo&!fo*7dy|J
G!UzEE%s!|9

delta 186
zcmZpZ-z>Kwn}v~e^97bf#?3}-=b3HAeHa82OG`3R^GY(46HD@oToOwX3mNJdfD)X=
zndy0nC8b5FPyw#e;?yFK#JrRoh{$9+u5^C!ih^R0yhbUA)SkSBt4khPfPsO5nK|4V
kS!l91w;nr8eFJv@jJ^3fw-h6z_~uVMnv8HUCB76!08@-KSpWb4

diff --git a/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized b/config/src/test/resources/serialized/6.4.x/org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest.serialized
index 34f07eca8f47492278c841b45159bab6963056dc..ea313db10713c1763ccc703c91568a83e54f1a59 100644
GIT binary patch
delta 261
zcmew(ab9vmA)_3d4}*AOX-P(EUP)$hVo83HV@XM3az-wYU&7!%@x1=zy^P$v$imi}
zix>+TSqqAb7-A*|vgu9s<W}Eo!`#Bm$T9gKn}iC74+Cd$W_n&?Noi4PAwwMlP=Kqn
zIJL+lF)t+tA~N|eTRJ~SML{u0UaAyC%1$n3@8U%jk>Su|hsg$V1i;xVI9eFlC+l*y
z2=M|fOU_8l$w|#ihZ=pDGao2v%(WA){4>{VM&8N&-1qp|D+)>&I17qW(^89yQd0nn
C2v8&d

delta 263
zcmX>v`A1?yAtNK}=4*_Fj4Z`P3^9`vc=RUE;Z~n)&&0lY1#>O4BfAfSU}9-WMrvM3
zW^!UlevwOJNn#;G9RpB;vp6$7FR`SwC>1KeRa%@{<dK+{k^>Q`C}MC18|lr$J$XL6
z7C(DMK`}_JWGRT0nS6u2OCDK(fq{XUIoujqXmUP>9y?6^5{>{k`!`1mBirN#&K4ma
zpi`1F5_57=^U@&}PZs0K2THba?Sw0L<DSjPGx-tsJ$|-|f)WPKf}+&4)S{x)6aX^{
BOql=x

diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java
index b56371936d..e18f26fbaa 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttachment.java
@@ -16,6 +16,10 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import java.io.ObjectStreamException;
+import java.io.Serial;
+import java.io.Serializable;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#enumdef-authenticatorattachment">AuthenticatorAttachment</a>.
@@ -23,7 +27,10 @@ package org.springframework.security.web.webauthn.api;
  * @author Rob Winch
  * @since 6.4
  */
-public final class AuthenticatorAttachment {
+public final class AuthenticatorAttachment implements Serializable {
+
+	@Serial
+	private static final long serialVersionUID = 8446133215195918090L;
 
 	/**
 	 * Indicates <a href=
@@ -85,4 +92,9 @@ public final class AuthenticatorAttachment {
 		return new AuthenticatorAttachment[] { CROSS_PLATFORM, PLATFORM };
 	}
 
+	@Serial
+	private Object readResolve() throws ObjectStreamException {
+		return valueOf(this.value);
+	}
+
 }
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java
index 541801b819..d8cdaf2319 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/api/PublicKeyCredential.java
@@ -40,7 +40,7 @@ public final class PublicKeyCredential<R extends AuthenticatorResponse> implemen
 
 	private final R response;
 
-	private final transient AuthenticatorAttachment authenticatorAttachment;
+	private final AuthenticatorAttachment authenticatorAttachment;
 
 	private final AuthenticationExtensionsClientOutputs clientExtensionResults;