request = Request::create( 'https://test.app/webauthn/create', 'POST', content: json_encode(FakeAuthenticator::attestationResponse()) ); $this->user = WebAuthnAuthenticatableUser::forceCreate([ 'name' => FakeAuthenticator::ATTESTATION_USER['displayName'], 'email' => FakeAuthenticator::ATTESTATION_USER['name'], 'password' => 'test_password', ]); $this->validator = new AttestationValidator($this->app); $this->validation = new AttestationValidation($this->user, $this->request); $this->travelTo(now()->startOfSecond()); $this->challenge = new Challenge( new ByteBuffer(base64_decode(FakeAuthenticator::ATTESTATION_CHALLENGE)), 60, false, ['user_uuid' => FakeAuthenticator::ATTESTATION_USER['id']] ); $this->session(['_webauthn' => $this->challenge]); $this->request->setLaravelSession($this->app->make('session.store')); } protected function validate(): AttestationValidation { return $this->validator->send($this->validation)->thenReturn(); } public function test_validates_attestation_and_instances_webauthn_credential(): void { $validation = $this->validator->send($this->validation)->thenReturn(); static::assertInstanceOf(AttestationValidation::class, $validation); static::assertFalse($validation->credential->exists); $validation->credential->save(); $this->assertModelExists($validation->credential); $this->assertDatabaseHas(WebAuthnCredential::class, [ 'id' => $validation->credential->id, 'authenticatable_type' => WebAuthnAuthenticatableUser::class, 'authenticatable_id' => 1, 'user_id' => $validation->credential->user_id, 'alias' => null, 'counter' => 0, 'rp_id' => 'http://localhost', 'origin' => 'http://localhost', 'transports' => null, 'aaguid' => Uuid::NIL, 'attestation_format' => 'none', 'certificates' => null, 'disabled_at' => null, ]); $key = DB::table('webauthn_credentials')->value('public_key'); static::assertSame($validation->credential->public_key, Crypt::decryptString($key)); } public function test_validates_attestation_for_scoped_origin(): void { $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode([ 'type' => 'webauthn.create', 'origin' => 'https://scoped.localhost', 'challenge' => $this->challenge->data->toBase64Url() ]) ); $this->request->setJson(new ParameterBag($invalid)); static::assertInstanceOf(AttestationValidation::class, $this->validator->send($this->validation)->thenReturn()); } public function test_fails_if_challenge_does_not_exists(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Challenge does not exist.'); $this->session(['_webauthn' => null]); $this->validate(); } public function test_fails_if_challenge_exists_but_is_expired(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Challenge does not exist.'); $this->travelTo(now()->addMinute()->addSecond()); $this->validate(); } public function test_challenge_is_pulled_from_session(): void { $this->validate(); static::assertNull(session('_webauthn')); } public function test_compiling_client_data_json_fails_if_invalid(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Client Data JSON is invalid or malformed.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = 'foo'; $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_client_data_json_fails_if_empty(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Client Data JSON is empty.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode(json_encode([])); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_client_data_json_fails_if_type_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Client Data JSON does not contain the [type] key.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode(json_encode(['origin' => '', 'challenge' => ''])); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_client_data_json_fails_if_origin_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Client Data JSON does not contain the [origin] key.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode(json_encode(['type' => '', 'challenge' => ''])); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_client_data_json_fails_if_challenge_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Client Data JSON does not contain the [challenge] key.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode(json_encode(['type' => '', 'origin' => ''])); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_invalid(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: CBOR Object is anything but an array.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode(hex2bin('1A499602D2')); // 1234567890 in CBOR $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_fmt_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Format is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode(hex2bin('A26761747453746D746068617574684461746160')); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_fmt_not_string(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Format is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D74016761747453746D746068617574684461746160') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_attStmt_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Statement is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A263666D74647465737468617574684461746160') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_attStmt_not_array(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Statement is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D746474657374686175746844617461606761747453746D7400') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_authData_missing(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Authenticator Data is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A263666D7464746573746761747453746D7480') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_authData_not_byte_buffer(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Authenticator Data is missing or invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D7464746573746761747453746D7481006861757468446174611A001E8480') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_attestation_object_fails_if_fmt_not_none(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Format name [invalid] is invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D7467696E76616C69646761747453746D74A068617574684461746159016749960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D97634500000000000000000000000000000000000000000020ECFE96F4E099C876F2EA374218CAF33001E97DFDF8FC7F657257FC2E0BC9AF9DA401030339010020590100C3BD9A5E8971F49A2A88A6A161441E61A514BD63E77C1BE40AAAC08D3DFE4070FC37A0B739954A5150AA88A35E562E962B6D77B8EFACBACD90D2C6F93C3C5CBFD0194FA370713C673B1E0B3CEAC4A94B95C5D41EF0E0078309E0CAF6E3F1D10EF8418B4761842AC61F2B7C9F99595076C7BEEFE41E786BC9C013663054A0B3D3F0BE4FEA906696317BE1E2BD2FF299D6FA430E1A762AF69D0F0BC4CAF2FD16AB6EFA685055933FDE65E2C2232C344BE80EEB309975CBE55772887E7ADBFC38E9F68860DB11B466663FCF40C1F7529E274D6687EB237D41B62838540528CE6943664464ADA55B0F510782D5837AF07780BB7A675EF1D3FA29F39D1B472A7B80852143010001') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_authenticator_data_fails_if_invalid_binary(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Authenticator Data: Invalid input.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D74646E6F6E656761747453746D74A06861757468446174614849960DE5880E8C6D') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_compiling_authenticator_data_fails_if_invalid_length(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: ByteBuffer: Invalid offset or length.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['attestationObject'] = base64_encode( hex2bin('A363666D74646E6F6E656761747453746D74A068617574684461746159016649960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D97634500000000000000000000000000000000000000000020ECFE96F4E099C876F2EA374218CAF33001E97DFDF8FC7F657257FC2E0BC9AF9DA401030339010020590100C3BD9A5E8971F49A2A88A6A161441E61A514BD63E77C1BE40AAAC08D3DFE4070FC37A0B739954A5150AA88A35E562E962B6D77B8EFACBACD90D2C6F93C3C5CBFD0194FA370713C673B1E0B3CEAC4A94B95C5D41EF0E0078309E0CAF6E3F1D10EF8418B4761842AC61F2B7C9F99595076C7BEEFE41E786BC9C013663054A0B3D3F0BE4FEA906696317BE1E2BD2FF299D6FA430E1A762AF69D0F0BC4CAF2FD16AB6EFA685055933FDE65E2C2232C344BE80EEB309975CBE55772887E7ADBFC38E9F68860DB11B466663FCF40C1F7529E274D6687EB237D41B62838540528CE6943664464ADA55B0F510782D5837AF07780BB7A675EF1D3FA29F39D1B472A7B808521430100') ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_action_checks_fails_if_not_webauthn_create(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response is not for creating WebAuthn Credentials.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'invalid', 'origin' => '', 'challenge' => '']) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_check_challenge_fails_if_challenge_is_empty(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response has an empty challenge.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'webauthn.create', 'origin' => '', 'challenge' => '']) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_check_challenge_fails_if_challenge_is_not_equal(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response challenge is not equal.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'webauthn.create', 'origin' => '', 'challenge' => 'invalid']) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_check_origin_fails_if_empty(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response has an empty origin.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'webauthn.create', 'origin' => '', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_check_origin_fails_if_invalid_host(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response origin is invalid.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'webauthn.create', 'origin' => 'invalid', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_check_origin_fails_if_unsecure(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response not made to a secure server (localhost or HTTPS).'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode(['type' => 'webauthn.create', 'origin' => 'http://unsecure.com', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_rp_id_fails_if_empty(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response has an empty origin.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode([ 'type' => 'webauthn.create', 'origin' => '', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE ]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_rp_id_fails_if_not_equal(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode([ 'type' => 'webauthn.create', 'origin' => 'https://otherhost.com', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE ]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_rp_id_fails_if_not_contained(): void { $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Relying Party ID not scoped to current.'); $invalid = FakeAuthenticator::attestationResponse(); $invalid['response']['clientDataJSON'] = base64_encode( json_encode([ 'type' => 'webauthn.create', 'origin' => 'https://invalidlocalhost', 'challenge' => FakeAuthenticator::ATTESTATION_CHALLENGE ]) ); $this->request->setJson(new ParameterBag($invalid)); $this->validate(); } public function test_rp_id_fails_if_hash_not_same(): void { $this->app->when(CheckRelyingPartyHashSame::class) ->needs(ConfigContract::class) ->give(static function (): Repository { return tap(new Repository())->set('webauthn.relying_party.id', 'https://otherhost.com'); }); $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response has different Relying Party ID hash.'); $this->validate(); } public function test_check_user_interaction_fails_if_user_not_present(): void { $this->app->resolving(CheckUserInteraction::class, function (): void { $this->validation->attestationObject = new AttestationObject( $auth = Mockery::mock(AuthenticatorData::class), new None([], $auth), 'none', ); $auth->expects('wasUserAbsent')->andReturnTrue(); }); $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response did not have the user present.'); $this->validate(); } public function test_check_user_interaction_fails_if_user_verification_was_required(): void { $this->challenge->verify = true; $this->app->resolving(CheckUserInteraction::class, function (): void { $this->validation->attestationObject = new AttestationObject( $auth = Mockery::mock(AuthenticatorData::class), new None([], $auth), 'none', ); $auth->expects('wasUserAbsent')->andReturnFalse(); $auth->expects('wasUserNotVerified')->andReturnTrue(); }); $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Response did not verify the user.'); $this->validate(); } public function test_credential_duplicate_check_fails_if_already_exists(): void { $this->app->resolving(CredentialIdShouldNotBeDuplicated::class, static function (): void { DB::table('webauthn_credentials')->insert([ 'id' => FakeAuthenticator::CREDENTIAL_ID, 'authenticatable_type' => WebAuthnAuthenticatableUser::class, 'authenticatable_id' => 1, 'user_id' => 'e8af6f703f8042aa91c30cf72289aa07', 'counter' => 0, 'rp_id' => 'http://localhost', 'origin' => 'http://localhost', 'aaguid' => Uuid::NIL, 'attestation_format' => 'none', 'public_key' => 'test_key', 'updated_at' => now(), 'created_at' => now(), ]); }); $this->expectException(AttestationException::class); $this->expectExceptionMessage('Attestation Error: Credential ID already exists in the database.'); $this->validate(); } }