Fix JSON encoding of credProtect extension inputs

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/data/RegistrationExtensionInputs.java

@@ -25,6 +25,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.RelyingParty;
@@ -60,15 +61,13 @@ public final class RegistrationExtensionInputs implements ExtensionInputs {
   private final Extensions.Prf.PrfRegistrationInput prf;
   private final Boolean uvm;
 
-  @JsonCreator
   private RegistrationExtensionInputs(
-      @JsonProperty("appidExclude") AppId appidExclude,
-      @JsonProperty("credProps") Boolean credProps,
-      @JsonProperty("credProtect")
-          Extensions.CredentialProtection.CredentialProtectionInput credProtect,
-      @JsonProperty("largeBlob") Extensions.LargeBlob.LargeBlobRegistrationInput largeBlob,
-      @JsonProperty("prf") Extensions.Prf.PrfRegistrationInput prf,
-      @JsonProperty("uvm") Boolean uvm) {
+      AppId appidExclude,
+      Boolean credProps,
+      Extensions.CredentialProtection.CredentialProtectionInput credProtect,
+      Extensions.LargeBlob.LargeBlobRegistrationInput largeBlob,
+      Extensions.Prf.PrfRegistrationInput prf,
+      Boolean uvm) {
     this.appidExclude = appidExclude;
     this.credProps = credProps;
     this.credProtect = credProtect;
@@ -77,6 +76,32 @@ private RegistrationExtensionInputs(
     this.uvm = uvm;
   }
 
+  @JsonCreator
+  private RegistrationExtensionInputs(
+      @JsonProperty("appidExclude") AppId appidExclude,
+      @JsonProperty("credProps") Boolean credProps,
+      @JsonProperty("credentialProtectionPolicy")
+          Extensions.CredentialProtection.CredentialProtectionPolicy credProtectPolicy,
+      @JsonProperty("enforceCredentialProtectionPolicy") Boolean enforceCredProtectPolicy,
+      @JsonProperty("largeBlob") Extensions.LargeBlob.LargeBlobRegistrationInput largeBlob,
+      @JsonProperty("prf") Extensions.Prf.PrfRegistrationInput prf,
+      @JsonProperty("uvm") Boolean uvm) {
+    this(
+        appidExclude,
+        credProps,
+        Optional.ofNullable(credProtectPolicy)
+            .map(
+                policy -> {
+                  return enforceCredProtectPolicy != null && enforceCredProtectPolicy
+                      ? Extensions.CredentialProtection.CredentialProtectionInput.require(policy)
+                      : Extensions.CredentialProtection.CredentialProtectionInput.prefer(policy);
+                })
+            .orElse(null),
+        largeBlob,
+        prf,
+        uvm);
+  }
+
   /**
    * Merge <code>other</code> into <code>this</code>. Non-null field values from <code>this</code>
    * take precedence.
@@ -133,10 +158,36 @@ private Boolean getCredPropsJson() {
    *     href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-authenticator-credential-properties-extension">§10.4.
    *     Credential Properties Extension (credProps)</a>
    */
+  @JsonIgnore
   public Optional<Extensions.CredentialProtection.CredentialProtectionInput> getCredProtect() {
     return Optional.ofNullable(credProtect);
   }
 
+  /**
+   * For JSON serialization, because credProtect does not group all inputs under the "credProtect"
+   * key.
+   */
+  @JsonProperty("credentialProtectionPolicy")
+  private Optional<Extensions.CredentialProtection.CredentialProtectionPolicy>
+      getCredProtectPolicy() {
+    return getCredProtect()
+        .map(
+            Extensions.CredentialProtection.CredentialProtectionInput
+                ::getCredentialProtectionPolicy);
+  }
+
+  /**
+   * For JSON serialization, because credProtect does not group all inputs under the "credProtect"
+   * key.
+   */
+  @JsonProperty("enforceCredentialProtectionPolicy")
+  private Optional<Boolean> getEnforceCredProtectPolicy() {
+    return getCredProtect()
+        .map(
+            Extensions.CredentialProtection.CredentialProtectionInput
+                ::isEnforceCredentialProtectionPolicy);
+  }
+
   /**
    * @return The value of the Large blob storage extension (<code>largeBlob</code>) input if
    *     configured, empty otherwise.

webauthn-server-core/src/test/scala/com/yubico/webauthn/data/ExtensionsSpec.scala

@@ -3,6 +3,8 @@ package com.yubico.webauthn.data
 import com.fasterxml.jackson.databind.node.ObjectNode
 import com.yubico.internal.util.JacksonCodecs
 import com.yubico.scalacheck.gen.JacksonGenerators.arbitraryObjectNode
+import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionInput
+import com.yubico.webauthn.data.Extensions.CredentialProtection.CredentialProtectionPolicy
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationInput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobAuthenticationOutput
 import com.yubico.webauthn.data.Extensions.LargeBlob.LargeBlobRegistrationInput
@@ -38,14 +40,23 @@ class ExtensionsSpec
 
   describe("RegistrationExtensionInputs") {
     describe("has a getExtensionIds() method which") {
-      it("contains exactly the names of contained extensions.") {
+      it("contains exactly the names of contained extensions, except for credProtect.") {
         forAll { input: RegistrationExtensionInputs =>
+          val expectedJsonKeys = input.getExtensionIds.asScala.flatMap(id => {
+            if (id == "credProtect") {
+              // credProtect does not gather all inputs under the extension ID as a map key.
+              List(
+                "credentialProtectionPolicy",
+                "enforceCredentialProtectionPolicy",
+              )
+            } else {
+              List(id)
+            }
+          })
           val json = JacksonCodecs.json().valueToTree[ObjectNode](input)
           val jsonKeyNames = json.fieldNames.asScala.toList
-          val extensionIds = input.getExtensionIds
 
-          jsonKeyNames.length should equal(extensionIds.size)
-          jsonKeyNames.toSet should equal(extensionIds.asScala)
+          jsonKeyNames.toSet should equal(expectedJsonKeys)
         }
       }
     }
@@ -74,6 +85,8 @@ class ExtensionsSpec
         """{
           |"appidExclude": "https://example.org",
           |"credProps": true,
+          |"credentialProtectionPolicy": "userVerificationRequired",
+          |"enforceCredentialProtectionPolicy": true,
           |"largeBlob": {
           |  "support": "required"
           |},
@@ -98,6 +111,7 @@ class ExtensionsSpec
         Set(
           "appidExclude",
           "credProps",
+          "credProtect",
           "largeBlob",
           "prf",
           "uvm",
@@ -107,6 +121,13 @@ class ExtensionsSpec
         Some(new AppId("https://example.org"))
       )
       decoded.getCredProps should equal(true)
+      decoded.getCredProtect.toScala should equal(
+        Some(
+          CredentialProtectionInput.require(
+            CredentialProtectionPolicy.UV_REQUIRED
+          )
+        )
+      )
       decoded.getLargeBlob.toScala should equal(
         Some(new LargeBlobRegistrationInput(LargeBlobSupport.REQUIRED))
       )