Make FIDO conformance test tool pass again

Author: ynojima

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/fido/server/endpoint/FidoServerAssertionOptionsEndpointFilter.java

@@ -26,14 +26,14 @@
 import com.webauthn4j.springframework.security.challenge.ChallengeRepository;
 import com.webauthn4j.springframework.security.options.AssertionOptionsProvider;
 import com.webauthn4j.util.Base64UrlUtil;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
+import java.util.Collections;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -86,8 +86,8 @@ protected ServerResponse processRequest(HttpServletRequest request) {
                     objectConverter.getJsonConverter().readValue(inputStream, ServerPublicKeyCredentialGetOptionsRequest.class);
             Challenge challenge = serverEndpointFilterUtil.encodeUserVerification(new DefaultChallenge(), serverRequest.getUserVerification());
             challengeRepository.saveChallenge(challenge, request);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            PublicKeyCredentialRequestOptions options = optionsProvider.getAssertionOptions(request, authentication);
+            //TODO: UsernamePasswordAuthenticationToken should not be used here in this way
+            PublicKeyCredentialRequestOptions options = optionsProvider.getAssertionOptions(request, new UsernamePasswordAuthenticationToken(serverRequest.getUsername(), null, Collections.emptyList()));
             List<ServerPublicKeyCredentialDescriptor> credentials = options.getAllowCredentials().stream()
                     .map(credential -> new ServerPublicKeyCredentialDescriptor(credential.getType(), Base64UrlUtil.encodeToString(credential.getId()), credential.getTransports()))
                     .collect(Collectors.toList());

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/fido/server/endpoint/FidoServerAttestationOptionsEndpointFilter.java

@@ -26,15 +26,15 @@
 import com.webauthn4j.springframework.security.challenge.ChallengeRepository;
 import com.webauthn4j.springframework.security.options.AttestationOptionsProvider;
 import com.webauthn4j.util.Base64UrlUtil;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.nio.ByteBuffer;
+import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
 import java.util.stream.Collectors;
@@ -85,12 +85,12 @@ protected ServerResponse processRequest(HttpServletRequest request) {
         try {
             ServerPublicKeyCredentialCreationOptionsRequest serverRequest = objectConverter.getJsonConverter()
                     .readValue(inputStream, ServerPublicKeyCredentialCreationOptionsRequest.class);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            String username = authentication.getName();
+            String username = serverRequest.getUsername();
             String displayName = serverRequest.getDisplayName();
             Challenge challenge = serverEndpointFilterUtil.encodeUsername(new DefaultChallenge(), username);
             challengeRepository.saveChallenge(challenge, request);
-            PublicKeyCredentialCreationOptions attestationOptions = optionsProvider.getAttestationOptions(request, authentication);
+            //TODO: UsernamePasswordAuthenticationToken should not be used here in this way
+            PublicKeyCredentialCreationOptions attestationOptions = optionsProvider.getAttestationOptions(request, new UsernamePasswordAuthenticationToken(username, null, Collections.emptyList()));
             String userHandle;
             if (attestationOptions.getUser() == null) {
                 userHandle = Base64UrlUtil.encodeToString(generateUserHandle());

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/app/config/WebSecurityConfig.java

@@ -175,19 +175,6 @@ protected void configure(HttpSecurity http) throws Exception {
         http.addFilterAfter(fidoServerAssertionOptionsEndpointFilter, SessionManagementFilter.class);
         http.addFilterAfter(fidoServerAssertionResultEndpointFilter, SessionManagementFilter.class);
 
-
-//        // FIDO Server Endpoints
-//        http.apply(fidoServer())
-//                .fidoServerAttestationOptionsEndpoint()
-//                .and()
-//                .fidoServerAttestationResultEndpointConfig()
-//                .webAuthnRegistrationRequestValidator(webAuthnRegistrationRequestValidator)
-//                .usernameNotFoundHandler(new SampleUsernameNotFoundHandler(userManager))
-//                .and()
-//                .fidoServerAssertionOptionsEndpointConfig()
-//                .and()
-//                .fidoServerAssertionResultEndpoint();
-
         // Authorization
         http.authorizeRequests()
                 .mvcMatchers("/").permitAll()

samples/fido-server-conformance-test-app/src/main/java/com/webauthn4j/springframework/security/webauthn/sample/domain/component/UserManagerImpl.java

@@ -16,8 +16,6 @@
 
 package com.webauthn4j.springframework.security.webauthn.sample.domain.component;
 
-import com.webauthn4j.authenticator.Authenticator;
-import com.webauthn4j.springframework.security.webauthn.sample.domain.entity.AuthenticatorEntity;
 import com.webauthn4j.springframework.security.webauthn.sample.domain.entity.UserEntity;
 import com.webauthn4j.springframework.security.webauthn.sample.domain.exception.WebAuthnSampleBusinessException;
 import com.webauthn4j.springframework.security.webauthn.sample.domain.exception.WebAuthnSampleEntityNotFoundException;
@@ -31,8 +29,6 @@
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.util.Arrays;
-
 /**
  * {@inheritDoc}
  */
@@ -143,32 +139,4 @@ public boolean userExists(String username) {
     private UserEntity getCurrentUser() {
         return (UserEntity) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
     }
-
-
-    public void addAuthenticator(String username, Authenticator authenticator) {
-        UserEntity userEntity = userEntityRepository.findOneByEmailAddress(username)
-                .orElseThrow(() -> new WebAuthnSampleEntityNotFoundException("User not found."));
-        AuthenticatorEntity authenticatorEntity = modelMapper.map(authenticator, AuthenticatorEntity.class);
-        authenticatorEntity.setUser(userEntity);
-        userEntity.getAuthenticators().add(authenticatorEntity);
-    }
-
-    public void removeAuthenticator(String username, Authenticator authenticator) {
-        UserEntity userEntity = userEntityRepository.findOneByEmailAddress(username)
-                .orElseThrow(() -> new WebAuthnSampleEntityNotFoundException("User not found."));
-        boolean found = userEntity.getAuthenticators().remove(authenticator);
-        if (!found) {
-            throw new WebAuthnSampleEntityNotFoundException("Authenticator not found.");
-        }
-    }
-
-    public void removeAuthenticator(String username, byte[] credentialId) {
-        UserEntity userEntity = userEntityRepository.findOneByEmailAddress(username)
-                .orElseThrow(() -> new WebAuthnSampleEntityNotFoundException("User not found."));
-        boolean found = userEntity.getAuthenticators().removeIf(item -> Arrays.equals(item.getAttestedCredentialData().getCredentialId(), credentialId));
-        if (!found) {
-            throw new WebAuthnSampleEntityNotFoundException("Authenticator not found.");
-        }
-    }
-
 }