feat: add support for new Origin type

bitwarden · Sep 13, 2024 · c38bec7 · c38bec7
1 parent 5eb836d
commit c38bec7
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 19 deletions.
diff --git a/crates/bitwarden-fido/src/client.rs b/crates/bitwarden-fido/src/client.rs
@@ -1,22 +1,19 @@
 use passkey::client::WebauthnError;
-use reqwest::Url;
 use thiserror::Error;
 
+use crate::types::InvalidOriginError;
+
 use super::{
     authenticator::GetSelectedCredentialError,
     get_string_name_from_enum,
     types::{
         AuthenticatorAssertionResponse, AuthenticatorAttestationResponse, ClientData,
-        ClientExtensionResults, CredPropsResult,
+        ClientExtensionResults, CredPropsResult, Origin,
     },
     Fido2Authenticator, PublicKeyCredentialAuthenticatorAssertionResponse,
     PublicKeyCredentialAuthenticatorAttestationResponse,
 };
 
-#[derive(Debug, Error)]
-#[error("Invalid origin: {0}")]
-pub struct InvalidOriginError(String);
-
 #[derive(Debug, Error)]
 pub enum Fido2ClientError {
     #[error(transparent)]
@@ -43,12 +40,11 @@ pub struct Fido2Client<'a> {
 impl<'a> Fido2Client<'a> {
     pub async fn register(
         &mut self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAttestationResponse, Fido2ClientError> {
-        let origin = Url::parse(&origin).map_err(|e| InvalidOriginError(format!("{}", e)))?;
-
+        let origin: passkey::client::Origin = origin.try_into()?;
         let request: passkey::types::webauthn::CredentialCreationOptions =
             serde_json::from_str(&request)?;
 
@@ -67,7 +63,7 @@ impl<'a> Fido2Client<'a> {
         let rp_id = request.public_key.rp.id.clone();
 
         let mut client = passkey::client::Client::new(self.authenticator.get_authenticator(true));
-        let result = client.register(&origin, request, client_data).await?;
+        let result = client.register(origin, request, client_data).await?;
 
         Ok(PublicKeyCredentialAuthenticatorAttestationResponse {
             id: result.id,
@@ -98,12 +94,11 @@ impl<'a> Fido2Client<'a> {
 
     pub async fn authenticate(
         &mut self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAssertionResponse, Fido2ClientError> {
-        let origin = Url::parse(&origin).map_err(|e| InvalidOriginError(format!("{}", e)))?;
-
+        let origin: passkey::client::Origin = origin.try_into()?;
         let request: passkey::types::webauthn::CredentialRequestOptions =
             serde_json::from_str(&request)?;
 
@@ -116,7 +111,7 @@ impl<'a> Fido2Client<'a> {
             .replace(uv);
 
         let mut client = passkey::client::Client::new(self.authenticator.get_authenticator(false));
-        let result = client.authenticate(&origin, request, client_data).await?;
+        let result = client.authenticate(origin, request, client_data).await?;
 
         Ok(PublicKeyCredentialAuthenticatorAssertionResponse {
             id: result.id,

diff --git a/crates/bitwarden-fido/src/lib.rs b/crates/bitwarden-fido/src/lib.rs
@@ -32,10 +32,10 @@ pub use traits::{
 pub use types::{
     AuthenticatorAssertionResponse, AuthenticatorAttestationResponse, ClientData,
     Fido2CredentialAutofillView, Fido2CredentialAutofillViewError, GetAssertionRequest,
-    GetAssertionResult, MakeCredentialRequest, MakeCredentialResult, Options,
+    GetAssertionResult, MakeCredentialRequest, MakeCredentialResult, Options, Origin,
     PublicKeyCredentialAuthenticatorAssertionResponse,
     PublicKeyCredentialAuthenticatorAttestationResponse, PublicKeyCredentialRpEntity,
-    PublicKeyCredentialUserEntity,
+    PublicKeyCredentialUserEntity, UnverifiedAssetLink,
 };
 
 use self::crypto::{cose_key_to_pkcs8, pkcs8_to_cose_key};

diff --git a/crates/bitwarden-fido/src/types.rs b/crates/bitwarden-fido/src/types.rs
@@ -1,7 +1,10 @@
+use std::borrow::Cow;
+
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use bitwarden_crypto::KeyContainer;
 use bitwarden_vault::{CipherError, CipherView};
 use passkey::types::webauthn::UserVerificationRequirement;
+use reqwest::Url;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
@@ -359,6 +362,67 @@ pub struct AuthenticatorAssertionResponse {
     pub user_handle: Vec<u8>,
 }
 
+#[derive(Debug, Error)]
+#[error("Invalid origin: {0}")]
+pub struct InvalidOriginError(String);
+
+#[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
+/// An Unverified asset link.
+pub struct UnverifiedAssetLink {
+    /// Application package name.
+    package_name: String,
+    /// Fingerprint to compare.
+    sha256_cert_fingerprint: String,
+    /// Host to lookup the well known asset link.
+    host: String,
+    /// When sourced from the application statement list or parsed from host for passkeys.
+    /// Will be generated from `host` if not provided.
+    asset_link_url: Option<String>,
+}
+
+#[cfg_attr(feature = "uniffi", derive(uniffi::Enum))]
+/// The origin of a WebAuthn request.
+pub enum Origin {
+    /// A Url, meant for a request in the web browser.
+    Web(String),
+    /// An android digital asset fingerprint.
+    /// Meant for a request coming from an android application.
+    Android(UnverifiedAssetLink),
+}
+
+impl<'a> TryFrom<Origin> for passkey::client::Origin<'a> {
+    type Error = InvalidOriginError;
+
+    fn try_from(value: Origin) -> Result<Self, Self::Error> {
+        Ok(match value {
+            Origin::Web(url) => {
+                let url = Url::parse(&url).map_err(|e| InvalidOriginError(format!("{}", e)))?;
+                passkey::client::Origin::Web(Cow::Owned(url))
+            }
+            Origin::Android(link) => passkey::client::Origin::Android(link.try_into()?),
+        })
+    }
+}
+
+impl<'a> TryFrom<UnverifiedAssetLink> for passkey::client::UnverifiedAssetLink<'a> {
+    type Error = InvalidOriginError;
+
+    fn try_from(value: UnverifiedAssetLink) -> Result<Self, Self::Error> {
+        let asset_link_url = match value.asset_link_url {
+            Some(url) => Some(Url::parse(&url).map_err(|e| InvalidOriginError(format!("{}", e)))?),
+            None => None,
+        };
+
+        passkey::client::UnverifiedAssetLink::new(
+            Cow::from(value.package_name),
+            value.sha256_cert_fingerprint.as_str(),
+            Cow::from(value.host),
+            asset_link_url,
+        )
+        .map_err(|e| InvalidOriginError(format!("{:?}", e)))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use serde::{Deserialize, Serialize};

diff --git a/crates/bitwarden-uniffi/src/platform/fido2.rs b/crates/bitwarden-uniffi/src/platform/fido2.rs
@@ -11,7 +11,7 @@ use bitwarden::{
     },
     vault::{Cipher, CipherView, Fido2CredentialNewView},
 };
-use bitwarden_fido::Fido2CredentialAutofillView;
+use bitwarden_fido::{Fido2CredentialAutofillView, Origin};
 
 use crate::{error::Result, Client};
 
@@ -135,7 +135,7 @@ pub struct ClientFido2Client(pub(crate) ClientFido2Authenticator);
 impl ClientFido2Client {
     pub async fn register(
         &self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAttestationResponse> {
@@ -153,7 +153,7 @@ impl ClientFido2Client {
 
     pub async fn authenticate(
         &self,
-        origin: String,
+        origin: Origin,
         request: String,
         client_data: ClientData,
     ) -> Result<PublicKeyCredentialAuthenticatorAssertionResponse> {