From a6b5c05da919fb2a5cab02852cd186149a5cdb66 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Tue, 25 Mar 2025 13:52:40 -0500
Subject: [PATCH] Additional WebAuthn4jRelyingPartyOperationTests

- verify that anonymous users not saved
- verify that when user found the CredentialRecord is allowed

Issue gh-16385
---
 ...Webauthn4jRelyingPartyOperationsTests.java | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
index f1b3eb7ded..733d7ec98b 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java
@@ -42,6 +42,8 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.AuthenticatorAttestationResponseBuilder;
 import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
@@ -66,6 +68,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.assertThatRuntimeException;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.verifyNoInteractions;
 
 @ExtendWith(MockitoExtension.class)
 class Webauthn4jRelyingPartyOperationsTests {
@@ -546,15 +549,38 @@ class Webauthn4jRelyingPartyOperationsTests {
 			.createCredentialRequestOptions(createRequest);
 		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
+		// verify anonymous user not saved
+		verifyNoInteractions(this.userEntities);
 	}
 
 	@Test
 	void createCredentialRequestOptionsWhenNullAuthentication() {
-		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(null);
+		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(
+				null);
 		PublicKeyCredentialRequestOptions credentialRequestOptions = this.rpOperations
 			.createCredentialRequestOptions(createRequest);
 		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
+		// verify anonymous user not saved
+		verifyNoInteractions(this.userEntities);
+	}
+
+	@Test
+	void createCredentialRequestOptionsWhenAuthenticated() {
+		UserDetails user = PasswordEncodedUser.user();
+		UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user, null,
+				user.getAuthorities());
+		PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity().build();
+		CredentialRecord credentialRecord = TestCredentialRecord.userCredential().build();
+		given(this.userEntities.findByUsername(user.getUsername())).willReturn(userEntity);
+		given(this.userCredentials.findByUserId(userEntity.getId())).willReturn(Arrays.asList(credentialRecord));
+		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(
+				auth);
+		PublicKeyCredentialRequestOptions credentialRequestOptions = this.rpOperations
+			.createCredentialRequestOptions(createRequest);
+
+		assertThat(credentialRequestOptions.getAllowCredentials()).extracting(PublicKeyCredentialDescriptor::getId)
+			.containsExactly(credentialRecord.getCredentialId());
 	}
 
 	private static AuthenticatorAttestationResponse setFlag(byte... flags) throws Exception {
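Review bot: The two added `verifyNoInteractions(this.userEntities)` checks (after the `isEmpty()` assertions in the anonymous and null-authentication tests) leave the `userCredentials` mock unverified, so a regression that skipped the user lookup but still queried credentials for a default or null user id would pass; `verifyNoInteractions(this.userEntities, this.userCredentials);` in both places pins the stronger property that no repository is touched for an unauthenticated principal. The comment `// verify anonymous user not saved` understates what the verify proves, since it also rules out a lookup; `// anonymous/null principal must trigger no user lookup or save` would be more accurate. In `createCredentialRequestOptionsWhenAuthenticated`, `Arrays.asList(credentialRecord)` can be `List.of(credentialRecord)` if `java.util.List` is already imported, which also makes the stubbed list immutable. The method containing the first change starts outside the hunk.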