feat: implement register Passkey user API v2 (#5873)

* command/crypto: DRY the code - reuse the the algorithm switch to create a secret generator - add a verifyCryptoCode function * command: crypto code tests * migrate webauthn package * finish integration tests with webauthn mock client
zitadel · May 24, 2023 · a301c40 · a301c40 · vercel · May 24, 2023
1 parent 6839a5c
commit a301c40
Show file tree

Hide file tree

Showing 44 changed files with 2,528 additions and 517 deletions.
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
@@ -735,6 +735,7 @@ InternalAuthZ:
         - "user.grant.delete"
         - "user.membership.read"
         - "user.credential.write"
+        - "user.passkey.write"
         - "policy.read"
         - "policy.write"
         - "policy.delete"
@@ -811,6 +812,7 @@ InternalAuthZ:
         - "user.grant.delete"
         - "user.membership.read"
         - "user.credential.write"
+        - "user.passkey.write"
         - "policy.read"
         - "policy.write"
         - "policy.delete"
@@ -847,6 +849,7 @@ InternalAuthZ:
         - "user.grant.write"
         - "user.grant.delete"
         - "user.membership.read"
+        - "user.passkey.write"
         - "project.read"
         - "project.member.read"
         - "project.role.read"
@@ -882,6 +885,7 @@ InternalAuthZ:
         - "user.grant.delete"
         - "user.membership.read"
         - "user.credential.write"
+        - "user.passkey.write"
         - "policy.read"
         - "policy.write"
         - "policy.delete"

diff --git a/go.mod b/go.mod
@@ -15,12 +15,13 @@ require (
 	github.com/benbjohnson/clock v1.3.0
 	github.com/boombuler/barcode v1.0.1
 	github.com/cockroachdb/cockroach-go/v2 v2.3.3
+	github.com/descope/virtualwebauthn v1.0.2
 	github.com/dop251/goja v0.0.0-20230402114112-623f9dda9079
 	github.com/dop251/goja_nodejs v0.0.0-20230322100729-2550c7b6c124
 	github.com/drone/envsubst v1.0.3
-	github.com/duo-labs/webauthn v0.0.0-20221205164246-ebaf9b74c6ec
 	github.com/envoyproxy/protoc-gen-validate v0.10.1
 	github.com/go-ldap/ldap/v3 v3.4.4
+	github.com/go-webauthn/webauthn v0.8.2
 	github.com/golang/glog v1.1.1
 	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.5.3
@@ -70,7 +71,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.14.0
 	go.opentelemetry.io/otel/sdk/metric v0.37.0
 	go.opentelemetry.io/otel/trace v1.14.0
-	golang.org/x/crypto v0.7.0
+	golang.org/x/crypto v0.9.0
 	golang.org/x/net v0.10.0
 	golang.org/x/oauth2 v0.8.0
 	golang.org/x/sync v0.1.0
@@ -86,12 +87,16 @@ require (
 
 require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.37.0 // indirect
-	github.com/cloudflare/cfssl v1.6.3 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/go-webauthn/revoke v0.1.9 // indirect
+	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
+	github.com/smartystreets/assertions v1.0.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 )
@@ -136,7 +141,6 @@ require (
 	github.com/golang/geo v0.0.0-20230404232722-c4acd7a044dc // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect

diff --git a/go.sum b/go.sum
diff --git a/internal/api/authz/user.go b/internal/api/authz/user.go
@@ -0,0 +1,16 @@
+package authz
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/errors"
+)
+
+// UserIDInCTX checks if the userID
+// equals the authenticated user in the context.
+func UserIDInCTX(ctx context.Context, userID string) error {
+	if GetCtxData(ctx).UserID != userID {
+		return errors.ThrowUnauthenticated(nil, "AUTH-Bohd2", "Errors.User.UserIDWrong")
+	}
+	return nil
+}
diff --git a/internal/api/grpc/fields.go b/internal/api/grpc/fields.go
@@ -0,0 +1,36 @@
+package grpc
+
+import (
+	"testing"
+
+	"google.golang.org/protobuf/reflect/protoreflect"
+)
+
+// AllFieldsSet recusively checks if all values in a message
+// have a non-zero value.
+func AllFieldsSet(t testing.TB, msg protoreflect.Message, ignoreTypes ...protoreflect.FullName) {
+	ignore := make(map[protoreflect.FullName]bool, len(ignoreTypes))
+	for _, name := range ignoreTypes {
+		ignore[name] = true
+	}
+
+	md := msg.Descriptor()
+	name := md.FullName()
+	if ignore[name] {
+		return
+	}
+
+	fields := md.Fields()
+
+	for i := 0; i < fields.Len(); i++ {
+		fd := fields.Get(i)
+		if !msg.Has(fd) {
+			t.Errorf("not all fields set in %q, missing %q", name, fd.Name())
+			continue
+		}
+
+		if fd.Kind() == protoreflect.MessageKind {
+			AllFieldsSet(t, msg.Get(fd).Message(), ignoreTypes...)
+		}
+	}
+}
diff --git a/internal/api/grpc/settings/v2/settings_converter_test.go b/internal/api/grpc/settings/v2/settings_converter_test.go
@@ -11,38 +11,13 @@ import (
 	"google.golang.org/protobuf/reflect/protoreflect"
 	"google.golang.org/protobuf/types/known/durationpb"
 
+	"github.com/zitadel/zitadel/internal/api/grpc"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2alpha"
 )
 
-var ignoreMessageTypes = map[protoreflect.FullName]bool{
-	"google.protobuf.Duration": true,
-}
-
-// allFieldsSet recusively checks if all values in a message
-// have a non-zero value.
-func allFieldsSet(t testing.TB, msg protoreflect.Message) {
-	md := msg.Descriptor()
-	name := md.FullName()
-	if ignoreMessageTypes[name] {
-		return
-	}
-
-	fields := md.Fields()
-
-	for i := 0; i < fields.Len(); i++ {
-		fd := fields.Get(i)
-		if !msg.Has(fd) {
-			t.Errorf("not all fields set in %q, missing %q", name, fd.Name())
-			continue
-		}
-
-		if fd.Kind() == protoreflect.MessageKind {
-			allFieldsSet(t, msg.Get(fd).Message())
-		}
-	}
-}
+var ignoreTypes = []protoreflect.FullName{"google.protobuf.Duration"}
 
 func Test_loginSettingsToPb(t *testing.T) {
 	arg := &query.LoginPolicy{
@@ -100,7 +75,7 @@ func Test_loginSettingsToPb(t *testing.T) {
 	}
 
 	got := loginSettingsToPb(arg)
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("loginSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -241,7 +216,7 @@ func Test_passwordSettingsToPb(t *testing.T) {
 	}
 
 	got := passwordSettingsToPb(arg)
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("passwordSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -295,7 +270,7 @@ func Test_brandingSettingsToPb(t *testing.T) {
 	}
 
 	got := brandingSettingsToPb(arg, "http://example.com")
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("brandingSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -315,7 +290,7 @@ func Test_domainSettingsToPb(t *testing.T) {
 		ResourceOwnerType:                      settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
 	}
 	got := domainSettingsToPb(arg)
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("domainSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -337,7 +312,7 @@ func Test_legalSettingsToPb(t *testing.T) {
 		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
 	}
 	got := legalAndSupportSettingsToPb(arg)
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("legalSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -353,7 +328,7 @@ func Test_lockoutSettingsToPb(t *testing.T) {
 		ResourceOwnerType:   settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
 	}
 	got := lockoutSettingsToPb(arg)
-	allFieldsSet(t, got.ProtoReflect())
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
 		t.Errorf("lockoutSettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
@@ -387,7 +362,7 @@ func Test_identityProvidersToPb(t *testing.T) {
 	got := identityProvidersToPb(arg)
 	require.Len(t, got, len(got))
 	for i, v := range got {
-		allFieldsSet(t, v.ProtoReflect())
+		grpc.AllFieldsSet(t, v.ProtoReflect(), ignoreTypes...)
 		if !proto.Equal(v, want[i]) {
 			t.Errorf("identityProvidersToPb() =\n%v\nwant\n%v", got, want)
 		}

diff --git a/internal/api/grpc/user/v2/passkey.go b/internal/api/grpc/user/v2/passkey.go
@@ -0,0 +1,104 @@
+package user
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+func (s *Server) RegisterPasskey(ctx context.Context, req *user.RegisterPasskeyRequest) (resp *user.RegisterPasskeyResponse, err error) {
+	var (
+		resourceOwner = authz.GetCtxData(ctx).ResourceOwner
+		authenticator = passkeyAuthenticatorToDomain(req.GetAuthenticator())
+	)
+	if code := req.GetCode(); code != nil {
+		return passkeyRegistrationDetailsToPb(
+			s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, s.userCodeAlg),
+		)
+	}
+	return passkeyRegistrationDetailsToPb(
+		s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, authenticator),
+	)
+}
+
+func passkeyAuthenticatorToDomain(pa user.PasskeyAuthenticator) domain.AuthenticatorAttachment {
+	switch pa {
+	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_UNSPECIFIED:
+		return domain.AuthenticatorAttachmentUnspecified
+	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_PLATFORM:
+		return domain.AuthenticatorAttachmentPlattform
+	case user.PasskeyAuthenticator_PASSKEY_AUTHENTICATOR_CROSS_PLATFORM:
+		return domain.AuthenticatorAttachmentCrossPlattform
+	default:
+		return domain.AuthenticatorAttachmentUnspecified
+	}
+}
+
+func passkeyRegistrationDetailsToPb(details *domain.PasskeyRegistrationDetails, err error) (*user.RegisterPasskeyResponse, error) {
+	if err != nil {
+		return nil, err
+	}
+	return &user.RegisterPasskeyResponse{
+		Details:                            object.DomainToDetailsPb(details.ObjectDetails),
+		PasskeyId:                          details.PasskeyID,
+		PublicKeyCredentialCreationOptions: details.PublicKeyCredentialCreationOptions,
+	}, nil
+}
+
+func (s *Server) VerifyPasskeyRegistration(ctx context.Context, req *user.VerifyPasskeyRegistrationRequest) (*user.VerifyPasskeyRegistrationResponse, error) {
+	resourceOwner := authz.GetCtxData(ctx).ResourceOwner
+	objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", req.GetPublicKeyCredential())
+	if err != nil {
+		return nil, err
+	}
+	return &user.VerifyPasskeyRegistrationResponse{
+		Details: object.DomainToDetailsPb(objectDetails),
+	}, nil
+}
+
+func (s *Server) CreatePasskeyRegistrationLink(ctx context.Context, req *user.CreatePasskeyRegistrationLinkRequest) (resp *user.CreatePasskeyRegistrationLinkResponse, err error) {
+	resourceOwner := authz.GetCtxData(ctx).ResourceOwner
+
+	switch medium := req.Medium.(type) {
+	case nil:
+		return passkeyDetailsToPb(
+			s.command.AddUserPasskeyCode(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
+		)
+	case *user.CreatePasskeyRegistrationLinkRequest_SendLink:
+		return passkeyDetailsToPb(
+			s.command.AddUserPasskeyCodeURLTemplate(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg, medium.SendLink.GetUrlTemplate()),
+		)
+	case *user.CreatePasskeyRegistrationLinkRequest_ReturnCode:
+		return passkeyCodeDetailsToPb(
+			s.command.AddUserPasskeyCodeReturn(ctx, req.GetUserId(), resourceOwner, s.userCodeAlg),
+		)
+	default:
+		return nil, caos_errs.ThrowUnimplementedf(nil, "USERv2-gaD8y", "verification oneOf %T in method CreatePasskeyRegistrationLink not implemented", medium)
+	}
+}
+
+func passkeyDetailsToPb(details *domain.ObjectDetails, err error) (*user.CreatePasskeyRegistrationLinkResponse, error) {
+	if err != nil {
+		return nil, err
+	}
+	return &user.CreatePasskeyRegistrationLinkResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func passkeyCodeDetailsToPb(details *domain.PasskeyCodeDetails, err error) (*user.CreatePasskeyRegistrationLinkResponse, error) {
+	if err != nil {
+		return nil, err
+	}
+	return &user.CreatePasskeyRegistrationLinkResponse{
+		Details: object.DomainToDetailsPb(details.ObjectDetails),
+		Code: &user.PasskeyRegistrationCode{
+			Id:   details.CodeID,
+			Code: details.Code,
+		},
+	}, nil
+}