Redesign not to expose WebAuthn4J types

Author: ynojima

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/config/WebSecurityBeanConfig.java

@@ -16,44 +16,60 @@
 
 package org.springframework.security.webauthn.sample.app.config;
 
-import com.webauthn4j.validator.WebAuthnAuthenticationContextValidator;
-import com.webauthn4j.validator.WebAuthnRegistrationContextValidator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.webauthn.WebAuthnRegistrationRequestValidator;
-import org.springframework.security.webauthn.challenge.ChallengeRepository;
-import org.springframework.security.webauthn.challenge.HttpSessionChallengeRepository;
-import org.springframework.security.webauthn.options.OptionsProvider;
-import org.springframework.security.webauthn.options.OptionsProviderImpl;
-import org.springframework.security.webauthn.server.ServerPropertyProvider;
-import org.springframework.security.webauthn.server.ServerPropertyProviderImpl;
+import org.springframework.security.webauthn.*;
+import org.springframework.security.webauthn.challenge.HttpSessionWebAuthnChallengeRepository;
+import org.springframework.security.webauthn.challenge.WebAuthnChallengeRepository;
+import org.springframework.security.webauthn.server.EffectiveRpIdProvider;
+import org.springframework.security.webauthn.server.WebAuthnServerPropertyProvider;
+import org.springframework.security.webauthn.server.WebAuthnServerPropertyProviderImpl;
+import org.springframework.security.webauthn.userdetails.InMemoryWebAuthnAndPasswordUserDetailsManager;
 import org.springframework.security.webauthn.userdetails.WebAuthnUserDetailsService;
 
 @Configuration
 public class WebSecurityBeanConfig {
 
 	@Bean
-	public WebAuthnRegistrationRequestValidator webAuthnRegistrationRequestValidator(ServerPropertyProvider serverPropertyProvider) {
-		WebAuthnRegistrationContextValidator webAuthnRegistrationContextValidator = WebAuthnRegistrationContextValidator.createNonStrictRegistrationContextValidator();
-		return new WebAuthnRegistrationRequestValidator(webAuthnRegistrationContextValidator, serverPropertyProvider);
+	public WebAuthnServerPropertyProvider webAuthnServerPropertyProvider(EffectiveRpIdProvider effectiveRpIdProvider, WebAuthnChallengeRepository challengeRepository){
+		return new WebAuthnServerPropertyProviderImpl(effectiveRpIdProvider, challengeRepository);
 	}
 
 	@Bean
-	public ServerPropertyProvider serverPropertyProvider(WebAuthnUserDetailsService webAuthnUserDetailsService) {
-		ChallengeRepository challengeRepository = new HttpSessionChallengeRepository();
-		OptionsProvider optionsProvider = new OptionsProviderImpl(webAuthnUserDetailsService, challengeRepository);
-		return new ServerPropertyProviderImpl(optionsProvider, challengeRepository);
+	public WebAuthnChallengeRepository webAuthnChallengeRepository(){
+		return new HttpSessionWebAuthnChallengeRepository();
 	}
 
 	@Bean
-	public WebAuthnAuthenticationContextValidator webAuthnAuthenticationContextValidator() {
-		return new WebAuthnAuthenticationContextValidator();
+	public InMemoryWebAuthnAndPasswordUserDetailsManager webAuthnUserDetailsService(){
+		return new InMemoryWebAuthnAndPasswordUserDetailsManager();
 	}
 
+	@Bean
+	public WebAuthnOptionWebHelper webAuthnOptionWebHelper(WebAuthnChallengeRepository challengeRepository, WebAuthnUserDetailsService userDetailsService){
+		return new WebAuthnOptionWebHelper(challengeRepository, userDetailsService);
+	}
+
+	@Bean
+	public WebAuthnManager webAuthnAuthenticationManager(){
+		return new WebAuthn4JWebAuthnManager();
+	}
+
+	@Bean
+	public WebAuthnDataConverter webAuthnDataConverter(){
+		return new WebAuthnDataConverter();
+	}
+
+	@Bean
+	public WebAuthnRegistrationRequestValidator webAuthnRegistrationRequestValidator(WebAuthnManager webAuthnManager, WebAuthnServerPropertyProvider webAuthnServerPropertyProvider){
+		return new WebAuthnRegistrationRequestValidator(webAuthnManager, webAuthnServerPropertyProvider);
+	}
+
+
 	@Bean
 	public PasswordEncoder passwordEncoder() {
 		return new BCryptPasswordEncoder();

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -16,10 +16,6 @@
 
 package org.springframework.security.webauthn.sample.app.config;
 
-import com.webauthn4j.data.AttestationConveyancePreference;
-import com.webauthn4j.data.PublicKeyCredentialType;
-import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
-import com.webauthn4j.validator.WebAuthnAuthenticationContextValidator;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -32,6 +28,7 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.webauthn.WebAuthnManager;
 import org.springframework.security.webauthn.authenticator.WebAuthnAuthenticatorService;
 import org.springframework.security.webauthn.config.configurers.WebAuthnAuthenticationProviderConfigurer;
 import org.springframework.security.webauthn.userdetails.WebAuthnUserDetailsService;
@@ -57,11 +54,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	private WebAuthnAuthenticatorService authenticatorService;
 
 	@Autowired
-	private WebAuthnAuthenticationContextValidator webAuthnAuthenticationContextValidator;
+	private WebAuthnManager webAuthnManager;
 
 	@Override
 	public void configure(AuthenticationManagerBuilder builder) throws Exception {
-		builder.apply(new WebAuthnAuthenticationProviderConfigurer<>(userDetailsService, authenticatorService, webAuthnAuthenticationContextValidator));
+		builder.apply(new WebAuthnAuthenticationProviderConfigurer<>(userDetailsService, authenticatorService, webAuthnManager));
 		builder.apply(new MultiFactorAuthenticationProviderConfigurer<>(daoAuthenticationProvider));
 	}
 
@@ -83,12 +80,6 @@ protected void configure(HttpSecurity http) throws Exception {
 
 		// WebAuthn Login
 		http.apply(webAuthnLogin())
-				.rpName("Spring Security WebAuthn Sample")
-				.attestation(AttestationConveyancePreference.NONE)
-				.publicKeyCredParams()
-				.addPublicKeyCredParams(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.RS256)  // Windows Hello
-				.addPublicKeyCredParams(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256) // FIDO U2F Key, etc
-				.and()
 				.loginPage("/login")
 				.usernameParameter("username")
 				.passwordParameter("password")
@@ -115,4 +106,5 @@ protected void configure(HttpSecurity http) throws Exception {
 
 	}
 
+
 }

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/web/AuthenticatorCreateForm.java

@@ -16,8 +16,6 @@
 
 package org.springframework.security.webauthn.sample.app.web;
 
-import com.webauthn4j.data.AuthenticatorTransport;
-
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 import java.util.Set;
@@ -32,7 +30,7 @@ public class AuthenticatorCreateForm {
 	@Valid
 	private String attestationObject;
 
-	private Set<AuthenticatorTransport> transports;
+	private Set<String> transports;
 
 	@NotNull
 	private String clientExtensions;
@@ -53,11 +51,11 @@ public void setAttestationObject(String attestationObject) {
 		this.attestationObject = attestationObject;
 	}
 
-	public Set<AuthenticatorTransport> getTransports() {
+	public Set<String> getTransports() {
 		return transports;
 	}
 
-	public void setTransports(Set<AuthenticatorTransport> transports) {
+	public void setTransports(Set<String> transports) {
 		this.transports = transports;
 	}
 

samples/javaconfig/webauthn/src/main/java/org/springframework/security/webauthn/sample/app/web/WebAuthnSampleController.java

@@ -16,34 +16,39 @@
 
 package org.springframework.security.webauthn.sample.app.web;
 
+import com.webauthn4j.util.Base64UrlUtil;
 import com.webauthn4j.util.UUIDUtil;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.MultiFactorAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.webauthn.WebAuthnRegistrationRequestValidationResponse;
+import org.springframework.security.webauthn.WebAuthnDataConverter;
+import org.springframework.security.webauthn.WebAuthnOptionWebHelper;
+import org.springframework.security.webauthn.WebAuthnRegistrationRequest;
 import org.springframework.security.webauthn.WebAuthnRegistrationRequestValidator;
+import org.springframework.security.webauthn.authenticator.WebAuthnAuthenticator;
+import org.springframework.security.webauthn.authenticator.WebAuthnAuthenticatorImpl;
+import org.springframework.security.webauthn.authenticator.WebAuthnAuthenticatorTransport;
+import org.springframework.security.webauthn.exception.DataConversionException;
 import org.springframework.security.webauthn.exception.ValidationException;
-import org.springframework.security.webauthn.sample.domain.entity.AuthenticatorEntity;
-import org.springframework.security.webauthn.sample.domain.entity.UserEntity;
-import org.springframework.security.webauthn.sample.domain.exception.WebAuthnSampleBusinessException;
-import org.springframework.security.webauthn.sample.domain.service.WebAuthnUserDetailsServiceImpl;
+import org.springframework.security.webauthn.userdetails.InMemoryWebAuthnAndPasswordUserDetailsManager;
+import org.springframework.security.webauthn.userdetails.WebAuthnAndPasswordUser;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.Base64Utils;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import javax.validation.Valid;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.UUID;
+import java.util.*;
+import java.util.stream.Collectors;
 
 /**
  * Login controller
@@ -52,6 +57,8 @@
 @Controller
 public class WebAuthnSampleController {
 
+	private final Log logger = LogFactory.getLog(getClass());
+
 	private static final String REDIRECT_LOGIN = "redirect:/login";
 	private static final String REDIRECT_SIGNUP = "redirect:/signup";
 
@@ -62,14 +69,26 @@ public class WebAuthnSampleController {
 	private static final String VIEW_DASHBOARD_DASHBOARD = "dashboard/dashboard";
 
 	@Autowired
-	private WebAuthnUserDetailsServiceImpl webAuthnUserDetailsService;
+	private InMemoryWebAuthnAndPasswordUserDetailsManager webAuthnUserDetailsService;
 
 	@Autowired
 	private WebAuthnRegistrationRequestValidator registrationRequestValidator;
 
+	@Autowired
+	private WebAuthnOptionWebHelper webAuthnOptionWebHelper;
+
+	@Autowired
+	private WebAuthnDataConverter webAuthnDataConverter;
+
 	@Autowired
 	private PasswordEncoder passwordEncoder;
 
+	@ModelAttribute
+	public void addAttributes(Model model, HttpServletRequest request) {
+		model.addAttribute("webAuthnChallenge", webAuthnOptionWebHelper.getChallenge(request));
+		model.addAttribute("webAuthnCredentialIds", webAuthnOptionWebHelper.getCredentialIds());
+	}
+
 	@RequestMapping(value = "/")
 	public String index(Model model) {
 		return REDIRECT_SIGNUP;
@@ -91,49 +110,70 @@ public String template(Model model) {
 	}
 
 	@RequestMapping(value = "/signup", method = RequestMethod.POST)
-	public String create(HttpServletRequest request, HttpServletResponse response, @Valid @ModelAttribute("userForm") UserCreateForm userCreateForm, BindingResult result, Model model, RedirectAttributes redirectAttributes) {
+	public String create(HttpServletRequest request, @Valid @ModelAttribute("userForm") UserCreateForm userCreateForm, BindingResult result, Model model) {
 
 		if (result.hasErrors()) {
 			return VIEW_SIGNUP_SIGNUP;
 		}
-		WebAuthnRegistrationRequestValidationResponse webAuthnRegistrationRequestValidationResponse;
+
+		WebAuthnRegistrationRequest webAuthnRegistrationRequest = new WebAuthnRegistrationRequest(
+				request,
+				userCreateForm.getAuthenticator().getClientDataJSON(),
+				userCreateForm.getAuthenticator().getAttestationObject(),
+				userCreateForm.getAuthenticator().getTransports(),
+				userCreateForm.getAuthenticator().getClientExtensions()
+		);
 		try {
-			webAuthnRegistrationRequestValidationResponse = registrationRequestValidator.validate(
-					request,
-					userCreateForm.getAuthenticator().getClientDataJSON(),
-					userCreateForm.getAuthenticator().getAttestationObject(),
-					null, //TODO
-					userCreateForm.getAuthenticator().getClientExtensions()
-			);
-		} catch (ValidationException e) {
+			registrationRequestValidator.validate(webAuthnRegistrationRequest);
+		}
+		catch (ValidationException e){
+			logger.debug("WebAuthn registration request validation failed.", e);
 			return VIEW_SIGNUP_SIGNUP;
 		}
+		catch (DataConversionException e){
+			logger.debug("WebAuthn registration request data conversion failed.", e);
+			return VIEW_SIGNUP_SIGNUP;
+		}
+
+		AuthenticatorCreateForm sourceAuthenticator = userCreateForm.getAuthenticator();
 
-		UserEntity destination = new UserEntity();
+		byte[] attestationObject = Base64UrlUtil.decode(sourceAuthenticator.getAttestationObject());
+		byte[] authenticatorData = webAuthnDataConverter.extractAuthenticatorData(attestationObject);
+		byte[] attestedCredentialData = webAuthnDataConverter.extractAttestedCredentialData(authenticatorData);
+		byte[] credentialId = webAuthnDataConverter.extractCredentialId(attestedCredentialData);
+		long signCount = webAuthnDataConverter.extractSignCount(authenticatorData);
+		Set<WebAuthnAuthenticatorTransport> transports;
+		if (sourceAuthenticator.getTransports() == null) {
+			transports = null;
+		}
+		else {
+			transports = sourceAuthenticator.getTransports().stream()
+					.map(WebAuthnAuthenticatorTransport::create)
+					.collect(Collectors.toSet());
+		}
 
-		destination.setUserHandle(Base64Utils.decodeFromUrlSafeString(userCreateForm.getUserHandle()));
-		destination.setUsername(userCreateForm.getUsername());
-		destination.setPassword(passwordEncoder.encode(userCreateForm.getPassword()));
+		List<WebAuthnAuthenticator> authenticators = new ArrayList<>();
+		WebAuthnAuthenticator authenticator = new WebAuthnAuthenticatorImpl(
+				credentialId,
+				null,
+				attestationObject,
+				signCount,
+				transports,
+				sourceAuthenticator.getClientExtensions());
 
-		List<AuthenticatorEntity> authenticators = new ArrayList<>();
-		AuthenticatorEntity authenticator = new AuthenticatorEntity();
-		AuthenticatorCreateForm sourceAuthenticator = userCreateForm.getAuthenticator();
-		authenticator.setUser(destination);
-		authenticator.setName(null); // sample application doesn't name authenticator
-		authenticator.setAttestationStatement(webAuthnRegistrationRequestValidationResponse.getAttestationObject().getAttestationStatement());
-		authenticator.setAttestedCredentialData(webAuthnRegistrationRequestValidationResponse.getAttestationObject().getAuthenticatorData().getAttestedCredentialData());
-		authenticator.setCounter(webAuthnRegistrationRequestValidationResponse.getAttestationObject().getAuthenticatorData().getSignCount());
-		authenticator.setTransports(sourceAuthenticator.getTransports());
 		authenticators.add(authenticator);
 
-		destination.setAuthenticators(authenticators);
-		destination.setLocked(false);
-		destination.setSingleFactorAuthenticationAllowed(userCreateForm.isSingleFactorAuthenticationAllowed());
+		byte[] userHandle = Base64Utils.decodeFromUrlSafeString(userCreateForm.getUserHandle());
+		String username = userCreateForm.getUsername();
+		String password = passwordEncoder.encode(userCreateForm.getPassword());
+		List<GrantedAuthority> authorities = Collections.emptyList();
+		boolean singleFactorAuthenticationAllowed = userCreateForm.isSingleFactorAuthenticationAllowed();
+		WebAuthnAndPasswordUser user = new WebAuthnAndPasswordUser(userHandle, username, password, authenticators, singleFactorAuthenticationAllowed, authorities);
+
 
-		UserEntity user = destination;
 		try {
 			webAuthnUserDetailsService.createUser(user);
-		} catch (WebAuthnSampleBusinessException ex) {
+		} catch (IllegalArgumentException ex) {
 			return VIEW_SIGNUP_SIGNUP;
 		}