path: root/internal/webauthn/credential_test.go
package webauthn

import (
	"testing"

	"github.com/google/uuid"
	"github.com/stretchr/testify/assert"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/model"
)

// TestVerifyCredential is a table-driven test of VerifyCredential. Each
// scenario pairs a WebAuthn filtering configuration with a stored credential
// and pins the exact VerifyCredentialResult that must come back, so any flag
// that flips unexpectedly (in either direction) fails the comparison.
//
// The third argument to VerifyCredential is nil in every scenario; its role is
// not visible from this file.
//
// NOTE(review): no scenario here exercises a credential whose AAGUID has
// Valid == false against a non-empty PermittedAAGUIDs list, nor a well-formed
// attestation statement. Both look worth covering where VerifyCredential is
// maintained — confirm against the implementation.
func TestVerifyCredential(t *testing.T) {
	// Two AAGUIDs that differ only in their final digit: one is carried by the
	// credential under test, the other is used as a non-matching allow-list entry.
	var (
		credAAGUID  = uuid.MustParse("e87c6826-9e40-4a69-a68a-523d45a10941")
		otherAAGUID = uuid.MustParse("e87c6826-9e40-4a69-a68a-523d45a10942")
	)

	type scenario struct {
		name         string
		config       *schema.WebAuthn
		credential   *model.WebAuthnCredential
		expectResult VerifyCredentialResult
	}

	scenarios := []scenario{
		// A credential with no attestation bytes is expected to be reported as
		// missing its statement.
		{
			name:         "ShouldVerifyMissingStatement",
			config:       &schema.WebAuthn{},
			credential:   &model.WebAuthnCredential{},
			expectResult: VerifyCredentialResult{MissingStatement: true},
		},
		// Attestation bytes that are present but not a parseable statement are
		// expected to be reported as malformed rather than missing.
		{
			name:   "ShouldVerifyMalformedStatement",
			config: &schema.WebAuthn{},
			credential: &model.WebAuthnCredential{
				Attestation: []byte("abc"),
			},
			expectResult: VerifyCredentialResult{Malformed: true},
		},
		// Deny-list hit: the credential's AAGUID appears in ProhibitedAAGUIDs.
		// The credential carries no attestation, so MissingStatement is set too.
		{
			name: "ShouldVerifyProhibitedAAGUID",
			config: &schema.WebAuthn{
				Filtering: schema.WebAuthnFiltering{
					ProhibitedAAGUIDs: []uuid.UUID{
						credAAGUID,
					},
				},
			},
			credential: &model.WebAuthnCredential{
				AAGUID: uuid.NullUUID{UUID: credAAGUID, Valid: true},
			},
			expectResult: VerifyCredentialResult{MissingStatement: true, IsProhibitedAAGUID: true},
		},
		// Allow-list miss: PermittedAAGUIDs is non-empty and does not contain the
		// credential's AAGUID, which is expected to surface as IsProhibitedAAGUID.
		{
			name: "ShouldVerifyNotPermittedAAGUID",
			config: &schema.WebAuthn{
				Filtering: schema.WebAuthnFiltering{
					PermittedAAGUIDs: []uuid.UUID{
						otherAAGUID,
					},
				},
			},
			credential: &model.WebAuthnCredential{
				AAGUID: uuid.NullUUID{UUID: credAAGUID, Valid: true},
			},
			expectResult: VerifyCredentialResult{MissingStatement: true, IsProhibitedAAGUID: true},
		},
		// Allow-list hit combined with ProhibitBackupEligibility: the AAGUID is
		// permitted (so IsProhibitedAAGUID stays false), but the backup-eligible
		// credential is expected to be flagged.
		{
			name: "ShouldVerifyBackupEligible",
			config: &schema.WebAuthn{
				Filtering: schema.WebAuthnFiltering{
					ProhibitBackupEligibility: true,
					PermittedAAGUIDs: []uuid.UUID{
						credAAGUID,
					},
				},
			},
			credential: &model.WebAuthnCredential{
				AAGUID:         uuid.NullUUID{UUID: credAAGUID, Valid: true},
				BackupEligible: true,
			},
			expectResult: VerifyCredentialResult{MissingStatement: true, IsProhibitedBackupEligibility: true},
		},
	}

	for i := range scenarios {
		sc := scenarios[i]

		t.Run(sc.name, func(t *testing.T) {
			actual := VerifyCredential(sc.config, sc.credential, nil)

			assert.Equal(t, sc.expectResult, actual)
		})
	}
}