Merge branch 'master' into 69-reuse-saved-jwt-auth-token-until-it-expire-1

Author: lukasmatusiewicz

.github/badges/branches.svg

@@ -1 +1 @@
-{"branches": 68.42105263157895, "coverage": 90.43595809395066}
+{"branches": 62.698412698412696, "coverage": 81.90562067929065}

.github/badges/coverage-summary.json

@@ -48,7 +48,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.8.1</version>
+                <version>3.13.0</version>
                 <configuration>
                     <source>11</source>
                     <target>11</target>

.github/badges/jacoco.svg

@@ -125,21 +125,21 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
         }
         privacyIDEA.log(method + " " + endpoint);
         params.forEach((k, v) ->
-                           {
+                       {
                            if (k.equals("pass") || k.equals("password"))
                            {
                                v = "*".repeat(v.length());
                            }
                            privacyIDEA.log(k + "=" + v);
-                           });
+                       });
 
         if (GET.equals(method))
         {
             params.forEach((key, value) ->
-                               {
+                           {
                                String encValue = URLEncoder.encode(value, StandardCharsets.UTF_8);
                                urlBuilder.addQueryParameter(key, encValue);
-                               });
+                           });
         }
 
         String url = urlBuilder.build().toString();
@@ -157,7 +157,7 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
         {
             FormBody.Builder formBodyBuilder = new FormBody.Builder();
             params.forEach((key, value) ->
-                               {
+                           {
                                if (key != null && value != null)
                                {
                                    String encValue = value;
@@ -169,13 +169,13 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
                                    }
                                    formBodyBuilder.add(key, encValue);
                                }
-                               });
+                           });
             // This switches okhttp to make a post request
             requestBuilder.post(formBodyBuilder.build());
         }
 
         Request request = requestBuilder.build();
-        //privacyIDEA.log("HEADERS:\n" + request.headers().toString());
+        //privacyIDEA.log("HEADERS:\n" + request.headers());
         client.newCall(request).enqueue(callback);
     }
 }

pom.xml

@@ -175,12 +175,23 @@ else if ("interactive".equals(modeFromResponse))
                 response.preferredClientMode = modeFromResponse;
             }
             response.message = getString(detail, MESSAGE);
+            response.username = getString(detail, USERNAME);
             response.image = getString(detail, IMAGE);
             response.serial = getString(detail, SERIAL);
             response.transactionID = getString(detail, TRANSACTION_ID);
             response.type = getString(detail, TYPE);
             response.otpLength = getInt(detail, OTPLEN);
-
+            JsonObject passkeyChallenge = detail.getAsJsonObject(PASSKEY);
+            if (passkeyChallenge != null && !passkeyChallenge.isJsonNull())
+            {
+                response.passkeyChallenge = passkeyChallenge.toString();
+                // The passkey challenge can contain a transaction id, use that if none was set prior
+                // This will happen if the passkey challenge was requested via /validate/initialize
+                if (response.transactionID == null || response.transactionID.isEmpty())
+                {
+                    response.transactionID = getString(passkeyChallenge, TRANSACTION_ID);
+                }
+            }
             String r = getString(detail, CHALLENGE_STATUS);
             for (ChallengeStatus cs : ChallengeStatus.values())
             {
@@ -194,12 +205,12 @@ else if ("interactive".equals(modeFromResponse))
             if (arrMessages != null)
             {
                 arrMessages.forEach(val ->
-                                        {
+                                    {
                                         if (val != null)
                                         {
                                             response.messages.add(val.getAsString());
                                         }
-                                        });
+                                    });
             }
 
             JsonArray arrChallenges = detail.getAsJsonArray(MULTI_CHALLENGE);
@@ -215,6 +226,17 @@ else if ("interactive".equals(modeFromResponse))
                     String transactionID = getString(challenge, TRANSACTION_ID);
                     String type = getString(challenge, TYPE);
 
+                    if (challenge.has(PASSKEY_REGISTRATION))
+                    {
+                        response.passkeyRegistration = challenge.get(PASSKEY_REGISTRATION).toString();
+                        // TODO for passkey registration with enroll_via_multichallenge, the txid is probably in the wrong place
+                        // as of 3.11.0
+                        if (response.transactionID == null || response.transactionID.isEmpty())
+                        {
+                            response.transactionID = transactionID;
+                        }
+                    }
+
                     if (TOKEN_TYPE_WEBAUTHN.equals(type))
                     {
                         String webauthnSignRequest = getItemFromAttributes(challenge);
@@ -359,24 +381,24 @@ private TokenInfo parseSingleTokenInfo(String json)
         if (joInfo != null)
         {
             joInfo.entrySet().forEach(entry ->
-                                          {
+                                      {
                                           if (entry.getKey() != null && entry.getValue() != null)
                                           {
                                               info.info.put(entry.getKey(), entry.getValue().getAsString());
                                           }
-                                          });
+                                      });
         }
 
         JsonArray arrRealms = obj.getAsJsonArray(REALMS);
         if (arrRealms != null)
         {
             arrRealms.forEach(val ->
-                                  {
+                              {
                                   if (val != null)
                                   {
                                       info.realms.add(val.getAsString());
                                   }
-                                  });
+                              });
         }
         return info;
     }
@@ -472,7 +494,7 @@ Map<String, String> parseWebAuthnSignResponse(String json)
         }
         catch (JsonSyntaxException e)
         {
-            privacyIDEA.error("WebAuthn sign response has the wrong format: " + e.getLocalizedMessage());
+            privacyIDEA.error("FIDO2 sign response has the wrong format: " + e.getLocalizedMessage());
             return null;
         }
 
@@ -495,6 +517,40 @@ Map<String, String> parseWebAuthnSignResponse(String json)
         return params;
     }
 
+    Map<String, String> parseFIDO2AuthenticationResponse(String json)
+    {
+        Map<String, String> params = new LinkedHashMap<>();
+        JsonObject obj;
+        try
+        {
+            obj = JsonParser.parseString(json).getAsJsonObject();
+        }
+        catch (JsonSyntaxException e)
+        {
+            privacyIDEA.error("FIDO2 sign response has the wrong format: " + e.getLocalizedMessage());
+            return null;
+        }
+
+        params.put(CREDENTIAL_ID, getString(obj, CREDENTIAL_ID));
+        params.put(CLIENTDATAJSON, getString(obj, CLIENTDATAJSON));
+        params.put(SIGNATURE, getString(obj, SIGNATURE));
+        params.put(AUTHENTICATOR_DATA, getString(obj, AUTHENTICATOR_DATA));
+
+        // The userhandle and assertionclientextension fields are optional
+        String userhandle = getString(obj, USERHANDLE);
+        if (!userhandle.isEmpty())
+        {
+            params.put(USERHANDLE, userhandle);
+        }
+        String extensions = getString(obj, ASSERTIONCLIENTEXTENSIONS);
+        if (!extensions.isEmpty())
+        {
+            params.put(ASSERTIONCLIENTEXTENSIONS, extensions);
+        }
+        return params;
+    }
+
+
     private boolean getBoolean(JsonObject obj, String name)
     {
         JsonPrimitive primitive = getPrimitiveOrNull(obj, name);
@@ -528,4 +584,26 @@ private JsonPrimitive getPrimitiveOrNull(JsonObject obj, String name)
         }
         return primitive;
     }
+
+    public Map<String, String> parseFIDO2RegistrationResponse(String registrationResponse)
+    {
+        Map<String, String> params = new LinkedHashMap<>();
+        JsonObject obj;
+        try
+        {
+            obj = JsonParser.parseString(registrationResponse).getAsJsonObject();
+        }
+        catch (JsonSyntaxException e)
+        {
+            privacyIDEA.error("Passkey registration response is not JSON: " + e.getLocalizedMessage());
+            return null;
+        }
+
+        params.put(CREDENTIAL_ID, getString(obj, CREDENTIAL_ID));
+        params.put(CLIENTDATAJSON, getString(obj, CLIENTDATAJSON));
+        params.put(ATTESTATION_OBJECT, getString(obj, ATTESTATION_OBJECT));
+        params.put(AUTHENTICATOR_ATTACHMENT, getString(obj, AUTHENTICATOR_ATTACHMENT));
+        params.put(RAW_ID, getString(obj, RAW_ID));
+        return params;
+    }
 }

src/main/java/org/privacyidea/Endpoint.java

@@ -21,10 +21,6 @@
 
 public class PIConstants
 {
-    private PIConstants()
-    {
-    }
-
     public static final String GET = "GET";
     public static final String POST = "POST";
 
@@ -34,6 +30,7 @@ private PIConstants()
     public static final String ENDPOINT_TRIGGERCHALLENGE = "/validate/triggerchallenge";
     public static final String ENDPOINT_POLLTRANSACTION = "/validate/polltransaction";
     public static final String ENDPOINT_VALIDATE_CHECK = "/validate/check";
+    public static final String ENDPOINT_VALIDATE_INITIALIZE = "/validate/initialize";
     public static final String ENDPOINT_TOKEN = "/token/";
 
     public static final String HEADER_ORIGIN = "Origin";
@@ -43,6 +40,7 @@ private PIConstants()
     // TOKEN TYPES
     public static final String TOKEN_TYPE_PUSH = "push";
     public static final String TOKEN_TYPE_WEBAUTHN = "webauthn";
+    public static final String TOKEN_TYPE_PASSKEY = "passkey";
 
     // JSON KEYS
     public static final String USERNAME = "username";
@@ -85,20 +83,28 @@ private PIConstants()
     public static final String ID = "id";
     public static final String MAXFAIL = "maxfail";
     public static final String INFO = "info";
+    public static final String PASSKEY_REGISTRATION = "passkey_registration";
+    public static final String AUTH_FORM = "authenticationForm";
+    public static final String AUTH_FORM_RESULT = "authenticationFormResult";
 
-    // WebAuthn params
+    // WebAuthn/Passkey params
     public static final String WEBAUTHN_SIGN_REQUEST = "webAuthnSignRequest";
     public static final String CREDENTIALID = "credentialid";
+    public static final String CREDENTIAL_ID = "credential_id";
     public static final String CLIENTDATA = "clientdata";
+    public static final String CLIENTDATAJSON = "clientDataJSON";
     public static final String SIGNATUREDATA = "signaturedata";
     public static final String AUTHENTICATORDATA = "authenticatordata";
+    public static final String AUTHENTICATOR_DATA = "authenticatorData";
     public static final String USERHANDLE = "userhandle";
     public static final String ASSERTIONCLIENTEXTENSIONS = "assertionclientextensions";
-
+    public static final String PASSKEY = "passkey";
+    public static final String RAW_ID = "rawId";
+    public static final String AUTHENTICATOR_ATTACHMENT = "authenticatorAttachment";
+    public static final String ATTESTATION_OBJECT = "attestationObject";
 
     // These will be excluded from url encoding
-    public static final List<String>
-            WEBAUTHN_PARAMETERS =
-            Arrays.asList(CREDENTIALID, CLIENTDATA, SIGNATUREDATA, AUTHENTICATORDATA, USERHANDLE,
-                          ASSERTIONCLIENTEXTENSIONS);
-}
+    public static final List<String> WEBAUTHN_PARAMETERS = Arrays.asList(CREDENTIALID, CLIENTDATA, SIGNATUREDATA, AUTHENTICATORDATA,
+                                                                         USERHANDLE, ASSERTIONCLIENTEXTENSIONS, CREDENTIAL_ID, RAW_ID,
+                                                                         AUTHENTICATOR_ATTACHMENT, ATTESTATION_OBJECT);
+}