passkey-authenticator 0.5.0

A webauthn authenticator supporting passkeys.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

use passkey_types::ctap2::{
    Ctap2Error,
    make_credential::{PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity},
};

use crate::passkey::PasskeyAccessor;

#[cfg(any(test, feature = "testable", doc))]
use passkey_types::Passkey;

#[cfg(doc)]
use crate::Authenticator;

/// Additional information that can be displayed to the user if the authenticator has a display.
#[derive(Debug, Clone, PartialEq)]
pub enum UiHint<'a, P> {
    /// Inform the user that the operation cannot be completed because the user already has a credential registered.
    InformExcludedCredentialFound(&'a P),

    /// Inform the user that the operation cannot be completed because the user has no matching credentials registered.
    InformNoCredentialsFound,

    /// Request permission to save the credential in this object.
    RequestNewCredential(
        &'a PublicKeyCredentialUserEntity,
        &'a PublicKeyCredentialRpEntity,
    ),

    /// Request permission to use the existing credential in this object.
    RequestExistingCredential(&'a P),
}

/// The result of a user validation check.
#[derive(Clone, Copy, PartialEq)]
pub struct UserCheck {
    /// Indicates whether the user was present.
    pub presence: bool,

    /// Indicates whether the user was verified.
    pub verification: bool,
}

/// Pluggable trait for the [`Authenticator`] to do user interaction and verification.
#[cfg_attr(any(test, feature = "testable"), mockall::automock(type PasskeyItem = Passkey;))]
#[async_trait::async_trait]
pub trait UserValidationMethod {
    /// The type of the passkey item that can be used to display additional information about the operation to the user.
    type PasskeyItem: PasskeyAccessor + Send + Sync;

    /// Check for the user's presence and obtain consent for the operation. The operation may
    /// also require the user to be verified.
    ///
    /// * `hint` - Can be used to display additional information about the operation to the user.
    /// * `presence` - Indicates whether the user's presence is required.
    /// * `verification` - Indicates whether the user should be verified.
    async fn check_user<'a>(
        &self,
        hint: UiHint<'a, Self::PasskeyItem>,
        presence: bool,
        verification: bool,
    ) -> Result<UserCheck, Ctap2Error>;

    /// Indicates whether this type is capable of testing user presence.
    fn is_presence_enabled(&self) -> bool;

    /// Indicates that this type is capable of verifying the user within itself.
    /// For example, devices with UI, biometrics fall into this category.
    ///
    /// If `Some(true)`, it indicates that the device is capable of user verification
    /// within itself and has been configured.
    ///
    /// If Some(false), it indicates that the device is capable of user verification
    /// within itself and has not been yet configured. For example, a biometric device that has not
    /// yet been configured will return this parameter set to false.
    ///
    /// If `None`, it indicates that the device is not capable of user verification within itself.
    ///
    /// A device that can only do Client PIN will set this to `None`.
    ///
    /// If a device is capable of verifying the user within itself as well as able to do Client PIN,
    ///  it will return both `Some` and the Client PIN option.
    fn is_verification_enabled(&self) -> Option<bool>;
}

/// A version of the [`UiHint`] that uses a [`Passkey`] as the passkey item, is not tied to any specific lifetime,
/// and does not verify new passkey items which contain new random data that the tests cannot know about beforehand.
#[cfg(any(test, feature = "testable"))]
#[derive(Debug, Clone)]
pub enum MockUiHint {
    InformExcludedCredentialFound(Passkey),
    InformNoCredentialsFound,
    RequestNewCredential(PublicKeyCredentialUserEntity, PublicKeyCredentialRpEntity),
    RequestExistingCredential(Passkey),
}

#[cfg(any(test, feature = "testable"))]
impl MockUserValidationMethod {
    /// Sets up the mock for returning true for the verification.
    pub fn verified_user(times: usize) -> Self {
        let mut user_mock = MockUserValidationMethod::new();
        user_mock.expect_is_presence_enabled().returning(|| true);
        user_mock
            .expect_is_verification_enabled()
            .returning(|| Some(true))
            .times(..);
        user_mock.expect_is_presence_enabled().returning(|| true);
        user_mock
            .expect_check_user()
            .with(
                mockall::predicate::always(),
                mockall::predicate::eq(true),
                mockall::predicate::eq(true),
            )
            .returning(|_, _, _| {
                Ok(UserCheck {
                    presence: true,
                    verification: true,
                })
            })
            .times(times);
        user_mock
    }

    /// Sets up the mock for returning true for the verification.
    pub fn verified_user_with_hint(times: usize, expected_hint: MockUiHint) -> Self {
        let mut user_mock = MockUserValidationMethod::new();
        user_mock
            .expect_is_verification_enabled()
            .returning(|| Some(true))
            .times(..);
        user_mock
            .expect_is_presence_enabled()
            .returning(|| true)
            .times(..);
        user_mock
            .expect_check_user()
            .withf(move |actual_hint, presence, verification| {
                *presence
                    && *verification
                    && match &expected_hint {
                        MockUiHint::InformExcludedCredentialFound(p) => {
                            actual_hint == &UiHint::InformExcludedCredentialFound(p)
                        }
                        MockUiHint::InformNoCredentialsFound => {
                            matches!(actual_hint, UiHint::InformNoCredentialsFound)
                        }
                        MockUiHint::RequestNewCredential(user, rp) => {
                            actual_hint == &UiHint::RequestNewCredential(user, rp)
                        }
                        MockUiHint::RequestExistingCredential(p) => {
                            actual_hint == &UiHint::RequestExistingCredential(p)
                        }
                    }
            })
            .returning(|_, _, _| {
                Ok(UserCheck {
                    presence: true,
                    verification: true,
                })
            })
            .times(times);
        user_mock
    }
}