Title: [291625] trunk
Revision
291625
Author
j_pas...@apple.com
Date
2022-03-22 10:12:15 -0700 (Tue, 22 Mar 2022)

Log Message

[WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
https://bugs.webkit.org/show_bug.cgi?id=238147
rdar://90509464

Reviewed by Brent Fulgham.

Source/WebKit:

Currently we don't pass the timeout from the relying party (RP) into ASA, so the default timeout is always used.
This patch starts passing along the timeout to ASA, and creates a place for ASA to specify the
mediation of the request, so we can ignore the timeout for requests using conditional mediation.

Modified API test.

* Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
* UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
* UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
(toWebCore):
(-[_WKWebAuthenticationPanel makeCredentialWithMediationRequirement:clientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel makeCredentialWithClientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel getAssertionWithMediationRequirement:clientDataHash:options:completionHandler:]):
(-[_WKWebAuthenticationPanel getAssertionWithClientDataHash:options:completionHandler:]):
* UIProcess/WebAuthentication/AuthenticatorManager.cpp:
(WebKit::AuthenticatorManager::respondReceived):
(WebKit::AuthenticatorManager::initTimeOutTimer):
* UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
(WebKit::configureRegistrationRequestContext):
(WebKit::configureAssertionOptions):

Tools:

Modify API test to use new SPI.

* TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
(TestWebKitAPI::TEST):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (291624 => 291625)


--- trunk/Source/WebKit/ChangeLog	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/ChangeLog	2022-03-22 17:12:15 UTC (rev 291625)
@@ -1,5 +1,34 @@
 2022-03-22  J Pascoe  <j_pas...@apple.com>
 
+        [WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
+        https://bugs.webkit.org/show_bug.cgi?id=238147
+        rdar://90509464
+
+        Reviewed by Brent Fulgham.
+
+        Currently we don't pass the timeout from the rp into ASA, so the default timeout is always used.
+        This patch starts passing along the timeout to ASA, and creates a place for ASA to specify the
+        mediation of the request, so we can ignore the timeout for requests using conditional mediation.
+
+        Modified API test.
+
+        * Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (toWebCore):
+        (-[_WKWebAuthenticationPanel makeCredentialWithMediationRequirement:clientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel makeCredentialWithClientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel getAssertionWithMediationRequirement:clientDataHash:options:completionHandler:]):
+        (-[_WKWebAuthenticationPanel getAssertionWithClientDataHash:options:completionHandler:]):
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::respondReceived):
+        (WebKit::AuthenticatorManager::initTimeOutTimer):
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
+        (WebKit::configureRegistrationRequestContext):
+        (WebKit::configureAssertionOptions):
+
+2022-03-22  J Pascoe  <j_pas...@apple.com>
+
         [WebAuthn] Support getAssertion for virtual HID authenticators
         https://bugs.webkit.org/show_bug.cgi?id=238154
         rdar://problem/90593150

Modified: trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h (291624 => 291625)


--- trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h	2022-03-22 17:12:15 UTC (rev 291625)
@@ -164,6 +164,7 @@
 @property (nonatomic, nullable, copy) NSData *clientDataHash;
 @property (nonatomic, nullable, readonly, copy) NSString *userVerificationPreference;
 @property (nonatomic, nullable, copy) ASCWebAuthenticationExtensionsClientInputs *extensions;
+@property (nonatomic, nullable, copy) NSNumber *timeout;
 
 @property (nonatomic, nullable, readonly, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *allowedCredentials;
 
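Review bot: The new `timeout` property carries no unit, either here or on the registration options in the next hunk. The callers in WebAuthenticatorCoordinatorProxy.mm store `*options.timeout` unchanged, and AuthenticatorManager reads the same field into a variable named `timeOutInMs`, so the value is presumably milliseconds, but a reader of this SPI header cannot tell. A one-line comment above each declaration, such as `// Relying-party timeout in milliseconds, passed through unchanged from the WebAuthn options.`, would guard against a seconds/milliseconds mix-up on the receiving side.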
@@ -194,6 +195,7 @@
 @property (nonatomic, nullable, copy) NSString *userVerificationPreference;
 @property (nonatomic, nullable, copy) NSString *attestationPreference;
 @property (nonatomic, nullable, copy) ASCWebAuthenticationExtensionsClientInputs *extensions;
+@property (nonatomic, nullable, copy) NSNumber *timeout;
 
 @property (nonatomic) BOOL shouldRequireResidentKey;
 @property (nonatomic, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *excludedCredentials;

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h (291624 => 291625)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h	2022-03-22 17:12:15 UTC (rev 291625)
@@ -86,6 +86,13 @@
     _WKWebAuthenticationUserVerificationAvailabilityNotSupported,
 } WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 
+typedef NS_ENUM(NSInteger, _WKWebAuthenticationMediationRequirement) {
+    _WKWebAuthenticationMediationRequirementSilent,
+    _WKWebAuthenticationMediationRequirementOptional,
+    _WKWebAuthenticationMediationRequirementRequired,
+    _WKWebAuthenticationMediationRequirementConditional,
+} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 WK_EXPORT extern NSString * const _WKLocalAuthenticatorCredentialNameKey;
 WK_EXPORT extern NSString * const _WKLocalAuthenticatorCredentialDisplayNameKey;
 WK_EXPORT extern NSString * const _WKLocalAuthenticatorCredentialIDKey;
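Review bot: The new enum has no comment on what each value means for this SPI, so the one behavioural difference this commit introduces is invisible from the header. A request made with `_WKWebAuthenticationMediationRequirementConditional` gets no request timeout, because `AuthenticatorManager::initTimeOutTimer` returns early for it. Callers of the two `...WithMediationRequirement:` methods declared in the next hunk need to know this, since they presumably become responsible for ending such a request themselves. I would add `// Conditional requests are not subject to the request timeout.` above that enumerator.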
@@ -141,8 +148,10 @@
 // FIXME: <rdar://problem/71509485> Adds detailed NSError.
 - (void)makeCredentialWithChallenge:(NSData *)challenge origin:(NSString *)origin options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(12.0), ios(15.0));
 - (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)makeCredentialWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 - (void)getAssertionWithChallenge:(NSData *)challenge origin:(NSString *)origin options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(12.0), ios(15.0));
 - (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+- (void)getAssertionWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
 - (void)cancel;
 
 // FIXME: <rdar://problem/71509848> Deprecate the following properties.

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (291624 => 291625)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm	2022-03-22 17:12:15 UTC (rev 291625)
@@ -48,6 +48,7 @@
 #import <WebCore/BufferSource.h>
 #import <WebCore/CBORReader.h>
 #import <WebCore/CBORWriter.h>
+#import <WebCore/CredentialRequestOptions.h>
 #import <WebCore/DeviceRequestConverter.h>
 #import <WebCore/FidoConstants.h>
 #import <WebCore/MockWebAuthenticationConfiguration.h>
@@ -786,6 +787,23 @@
 
     return result;
 }
+
+static WebCore::CredentialRequestOptions::MediationRequirement toWebCore(_WKWebAuthenticationMediationRequirement mediation)
+{
+    switch (mediation) {
+    case _WKWebAuthenticationMediationRequirementSilent:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Silent;
+    case _WKWebAuthenticationMediationRequirementOptional:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Optional;
+    case _WKWebAuthenticationMediationRequirementRequired:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Required;
+    case _WKWebAuthenticationMediationRequirementConditional:
+        return WebCore::CredentialRequestOptions::MediationRequirement::Conditional;
+    default:
+        ASSERT_NOT_REACHED();
+        return WebCore::CredentialRequestOptions::MediationRequirement::Optional;
+    }
+}
 #endif
 
 + (WebCore::PublicKeyCredentialCreationOptions)convertToCoreCreationOptionsWithOptions:(_WKPublicKeyCredentialCreationOptions *)options
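Review bot: The `default:` label in `toWebCore` defeats the compiler's exhaustiveness warning for the `NS_ENUM` switch, so an enumerator added to `_WKWebAuthenticationMediationRequirement` later would fall into the fallback without a build warning. In release builds, where `ASSERT_NOT_REACHED()` is presumably compiled out, any out-of-range value quietly becomes `Optional`. That is the safe direction, because Optional keeps the timeout, but it should be a visible, deliberate choice. Dropping the `default:` label and placing `ASSERT_NOT_REACHED();` and `return WebCore::CredentialRequestOptions::MediationRequirement::Optional;` after the closing brace of the switch keeps the fallback and restores the warning.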
@@ -844,7 +862,7 @@
 #endif
 }
 
-- (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
+- (void)makeCredentialWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
 {
 #if ENABLE(WEB_AUTHN)
     auto callback = [handler = makeBlockPtr(handler)] (std::variant<Ref<WebCore::AuthenticatorResponse>, WebCore::ExceptionData>&& result) mutable {
@@ -854,10 +872,15 @@
             handler(nil, [NSError errorWithDomain:WKErrorDomain code:exception.code userInfo:@{ NSLocalizedDescriptionKey: exception.message }]);
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, toWebCore(mediation), std::nullopt }, WTFMove(callback));
 #endif
 }
 
+- (void)makeCredentialWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialCreationOptions *)options completionHandler:(void (^)(_WKAuthenticatorAttestationResponse *, NSError *))handler
+{
+    [self makeCredentialWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:clientDataHash options:options completionHandler:handler];
+}
+
 + (WebCore::PublicKeyCredentialRequestOptions)convertToCoreRequestOptionsWithOptions:(_WKPublicKeyCredentialRequestOptions *)options
 {
     WebCore::PublicKeyCredentialRequestOptions result;
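Review bot: `makeCredentialWithMediationRequirement:` forwards `toWebCore(mediation)` for every value, including Conditional, and `AuthenticatorManager::initTimeOutTimer` in this commit skips the timer for Conditional without looking at the request type. A registration request made with Conditional mediation would therefore run with no timeout at all, and the log message does not say whether that is intended for credential creation. If it is not, the value can be narrowed before the call, e.g. `auto coreMediation = mediation == _WKWebAuthenticationMediationRequirementConditional ? WebCore::CredentialRequestOptions::MediationRequirement::Optional : toWebCore(mediation);`. If it is intended, a comment on the method saying so would help. The method body starts in the previous hunk.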
@@ -908,7 +931,7 @@
 #endif
 }
 
-- (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
+- (void)getAssertionWithMediationRequirement:(_WKWebAuthenticationMediationRequirement)mediation clientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
 {
 #if ENABLE(WEB_AUTHN)
     auto callback = [handler = makeBlockPtr(handler)] (std::variant<Ref<WebCore::AuthenticatorResponse>, WebCore::ExceptionData>&& result) mutable {
@@ -918,10 +941,15 @@
             handler(nil, [NSError errorWithDomain:WKErrorDomain code:WKErrorUnknown userInfo:nil]);
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, toWebCore(mediation), std::nullopt }, WTFMove(callback));
 #endif
 }
 
+- (void)getAssertionWithClientDataHash:(NSData *)clientDataHash options:(_WKPublicKeyCredentialRequestOptions *)options completionHandler:(void (^)(_WKAuthenticatorAssertionResponse *, NSError *))handler
+{
+    [self getAssertionWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:clientDataHash options:options completionHandler:handler];
+}
+
 + (BOOL)isUserVerifyingPlatformAuthenticatorAvailable
 {
 #if ENABLE(WEB_AUTHN)

Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (291624 => 291625)


--- trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp	2022-03-22 17:12:15 UTC (rev 291625)
@@ -281,7 +281,7 @@
 void AuthenticatorManager::respondReceived(Respond&& respond)
 {
     ASSERT(RunLoop::isMain());
-    if (!m_requestTimeOutTimer.isActive())
+    if (!m_requestTimeOutTimer.isActive() && (m_pendingRequestData.mediation != WebCore::CredentialRequestOptions::MediationRequirement::Conditional || !m_pendingCompletionHandler))
         return;
     ASSERT(m_pendingCompletionHandler);
 
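Review bot: The new guard in `respondReceived` packs two different liveness tests into one condition and has no comment explaining why. As far as this commit shows, a conditional request never arms `m_requestTimeOutTimer` (see `initTimeOutTimer`), so an inactive timer no longer means the request has finished and `m_pendingCompletionHandler` is consulted instead. A comment above the `if`, such as `// Conditional mediation requests run without a timer, so the pending completion handler is what marks them as live.`, would make that explicit. The check also relies on `m_pendingRequestData.mediation` still describing the request whose response is arriving, which cannot be confirmed from this hunk; the function continues below it.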
@@ -425,6 +425,8 @@
 
 void AuthenticatorManager::initTimeOutTimer()
 {
+    if (m_pendingRequestData.mediation == WebCore::CredentialRequestOptions::MediationRequirement::Conditional)
+        return;
     std::optional<unsigned> timeOutInMs;
     WTF::switchOn(m_pendingRequestData.options, [&](const PublicKeyCredentialCreationOptions& options) {
         timeOutInMs = options.timeout;
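Review bot: The early return in `initTimeOutTimer` leaves `m_requestTimeOutTimer` in whatever state it was already in. If a timer armed for an earlier request can still be active when a conditional request is installed, it would fire against the conditional request; the code that would stop it is not visible in this hunk. Adding `m_requestTimeOutTimer.stop();` before the `return;` makes the branch self-contained. A comment such as `// Conditional mediation requests stay pending until answered or cancelled, so no timeout is armed.` would also record that these requests now have no upper bound on their lifetime. The function continues past the hunk.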

Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm (291624 => 291625)


--- trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm	2022-03-22 17:12:15 UTC (rev 291625)
@@ -241,9 +241,12 @@
     if (requestTypes & ASCCredentialRequestTypeSecurityKeyPublicKeyRegistration)
         [requestContext setSecurityKeyCredentialCreationOptions:credentialCreationOptions.get()];
 
-    if (options.extensions && [credentialCreationOptions respondsToSelector:@selector(setExtensions:)])
+    if (options.extensions)
         [credentialCreationOptions setExtensions:toASCExtensions(*options.extensions).get()];
 
+    if (options.timeout && [credentialCreationOptions respondsToSelector:@selector(setTimeout:)])
+        credentialCreationOptions.get().timeout = [NSNumber numberWithUnsignedInt:*options.timeout];
+
     return requestContext;
 }
 
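Review bot: The `respondsToSelector:@selector(setExtensions:)` guard is removed here and again in the assertion-options hunk that follows, but neither the log message nor the ChangeLog says why. If this code can still run against an AuthenticationServices build that lacks `setExtensions:`, the call now raises an unrecognized-selector exception instead of skipping extensions. The new `setTimeout:` call directly below keeps its guard, so the two optional setters are handled inconsistently. Either keep the guard, `if (options.extensions && [credentialCreationOptions respondsToSelector:@selector(setExtensions:)])`, or state in the ChangeLog that every supported OS provides the setter. The function starts outside the hunk.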
@@ -257,12 +260,14 @@
         auto challenge = WebCore::toNSData(options.challenge);
         [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
     }
-    if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
+    if (options.extensions)
         [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
     if (parentOrigin && [assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
         assertionOptions.get().destinationSiteForCrossSiteAssertion = parentOrigin->toString();
     else if (parentOrigin && ![assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
         return nil;
+    if (options.timeout && [assertionOptions respondsToSelector:@selector(setTimeout:)])
+        assertionOptions.get().timeout = [NSNumber numberWithUnsignedInt:*options.timeout];
     return assertionOptions;
 }
 

Modified: trunk/Tools/ChangeLog (291624 => 291625)


--- trunk/Tools/ChangeLog	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Tools/ChangeLog	2022-03-22 17:12:15 UTC (rev 291625)
@@ -1,3 +1,16 @@
+2022-03-22  J Pascoe  <j_pas...@apple.com>
+
+        [WebAuthn] Pass along timeout to ASA and ignore timeout for conditional mediation requests
+        https://bugs.webkit.org/show_bug.cgi?id=238147
+        rdar://90509464
+
+        Reviewed by Brent Fulgham.
+
+        Modify API test to use new SPI.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (TestWebKitAPI::TEST):
+
 2022-03-21  Jonathan Bedard  <jbed...@apple.com>
 
         [Merge-Queue] Add ValidateCommitterAndReviewer

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (291624 => 291625)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2022-03-22 16:14:25 UTC (rev 291624)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm	2022-03-22 17:12:15 UTC (rev 291625)
@@ -1867,7 +1867,7 @@
     Util::run(&webAuthenticationPanelRan);
 }
 
-TEST(WebAuthenticationPanel, MakeCredentialLAClientDataHash)
+TEST(WebAuthenticationPanel, MakeCredentialLAClientDataHashMediation)
 {
     reset();
 
@@ -1888,7 +1888,7 @@
     auto delegate = adoptNS([[TestWebAuthenticationPanelDelegate alloc] init]);
     [panel setDelegate:delegate.get()];
 
-    [panel makeCredentialWithClientDataHash:nsHash.get() options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
+    [panel makeCredentialWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:nsHash.get() options:options.get() completionHandler:^(_WKAuthenticatorAttestationResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
         cleanUpKeychain("example.com");
 
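Review bot: Both renamed tests pass `_WKWebAuthenticationMediationRequirementOptional` (here and in the GetAssertion test further down), which is the value the old entry points now forward, so they exercise the same path as before. Nothing visible covers `_WKWebAuthenticationMediationRequirementConditional`, the only value whose handling changed in `AuthenticatorManager` (no timer, and a different liveness check in `respondReceived`). Renaming rather than adding tests also means `makeCredentialWithClientDataHash:` and `getAssertionWithClientDataHash:` are no longer called directly in these hunks. I would keep the original tests and add a Conditional variant of each that checks the request is still answered without a timer. The test bodies extend beyond these hunks.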
@@ -2088,7 +2088,7 @@
     Util::run(&webAuthenticationPanelRan);
 }
 
-TEST(WebAuthenticationPanel, GetAssertionLAClientDataHash)
+TEST(WebAuthenticationPanel, GetAssertionLAClientDataHashMediation)
 {
     reset();
 
@@ -2105,7 +2105,7 @@
     auto delegate = adoptNS([[TestWebAuthenticationPanelDelegate alloc] init]);
     [panel setDelegate:delegate.get()];
 
-    [panel getAssertionWithClientDataHash:nsHash options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
+    [panel getAssertionWithMediationRequirement:_WKWebAuthenticationMediationRequirementOptional clientDataHash:nsHash options:options.get() completionHandler:^(_WKAuthenticatorAssertionResponse *response, NSError *error) {
         webAuthenticationPanelRan = true;
         cleanUpKeychain("example.com");
 