Implement pin protocol tests (#151)

Add a way to force the pin protocol supported by the platform, in order to test both
protocols for various actions, such as setting and changing PINs and doing PRF.

Author: msirringhaus

libwebauthn/src/pin.rs

@@ -406,7 +406,13 @@ where
             return Err(Error::Platform(PlatformError::PinTooLong));
         }
 
-        let Some(uv_proto) = select_uv_proto(&get_info_response).await else {
+        let Some(uv_proto) = select_uv_proto(
+            #[cfg(test)]
+            self.get_forced_pin_protocol(),
+            &get_info_response,
+        )
+        .await
+        else {
             error!("No supported PIN/UV auth protocols found");
             return Err(Error::Ctap(CtapError::Other));
         };

libwebauthn/src/tests/mod.rs

@@ -1,3 +1,4 @@
 pub mod basic_ctap1;
 pub mod basic_ctap2;
+pub mod pin_protocols;
 pub mod prf;

libwebauthn/src/tests/pin_protocols.rs

@@ -0,0 +1,66 @@
+use std::time::Duration;
+
+use crate::pin::PinManagement;
+use crate::proto::ctap2::Ctap2PinUvAuthProtocol;
+use crate::transport::hid::get_virtual_device;
+use crate::transport::{Channel, Device};
+use crate::UvUpdate;
+use test_log::test;
+use tokio::sync::broadcast::error::TryRecvError;
+use tokio::sync::broadcast::Receiver;
+
+const TIMEOUT: Duration = Duration::from_secs(10);
+
+async fn handle_updates(mut state_recv: Receiver<UvUpdate>) {
+    let Ok(UvUpdate::PinRequired(p)) = state_recv.recv().await else {
+        panic!("Did not receive PinRequired UvUpdate!");
+    };
+    p.send_pin("1234").expect("Failed to send first PIN");
+}
+
+#[test(tokio::test)]
+async fn test_webauthn_change_pin_once() {
+    let protos = [Ctap2PinUvAuthProtocol::One, Ctap2PinUvAuthProtocol::Two];
+    for proto in protos {
+        let mut device = get_virtual_device();
+        let mut channel = device.channel().await.unwrap();
+
+        let mut state_recv = channel.get_ux_update_receiver();
+
+        channel.set_forced_pin_protocol(proto);
+
+        channel
+            .change_pin(String::from("1234"), TIMEOUT)
+            .await
+            .unwrap();
+
+        assert_eq!(state_recv.try_recv(), Err(TryRecvError::Empty))
+    }
+}
+
+#[test(tokio::test)]
+async fn test_webauthn_change_pin_twice() {
+    let protos = [Ctap2PinUvAuthProtocol::One, Ctap2PinUvAuthProtocol::Two];
+    for proto in protos {
+        let mut device = get_virtual_device();
+        let mut channel = device.channel().await.unwrap();
+
+        let state_recv = channel.get_ux_update_receiver();
+        let update_handle = tokio::spawn(handle_updates(state_recv));
+
+        channel.set_forced_pin_protocol(proto);
+
+        channel
+            .change_pin(String::from("1234"), TIMEOUT)
+            .await
+            .unwrap();
+
+        channel
+            .change_pin(String::from("4321"), TIMEOUT)
+            .await
+            .unwrap();
+
+        // Keeping the update-recv alive until the end to check all updates
+        update_handle.await.unwrap();
+    }
+}

libwebauthn/src/tests/prf.rs

@@ -7,7 +7,7 @@ use crate::ops::webauthn::{
     PRFValue,
 };
 use crate::pin::PinManagement;
-use crate::proto::ctap2::Ctap2PublicKeyCredentialDescriptor;
+use crate::proto::ctap2::{Ctap2PinUvAuthProtocol, Ctap2PublicKeyCredentialDescriptor};
 use crate::transport::hid::channel::HidChannel;
 use crate::transport::hid::get_virtual_device;
 use crate::transport::{Channel, Device};
@@ -44,6 +44,30 @@ async fn test_webauthn_prf_with_pin_set() {
     run_test_battery(&mut channel, true).await;
 }
 
+#[test(tokio::test)]
+async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_one() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+    channel.set_forced_pin_protocol(Ctap2PinUvAuthProtocol::One);
+    channel
+        .change_pin(String::from("1234"), TIMEOUT)
+        .await
+        .unwrap();
+    run_test_battery(&mut channel, true).await;
+}
+
+#[test(tokio::test)]
+async fn test_webauthn_prf_with_pin_set_forced_pin_protocol_two() {
+    let mut device = get_virtual_device();
+    let mut channel = device.channel().await.unwrap();
+    channel.set_forced_pin_protocol(Ctap2PinUvAuthProtocol::Two);
+    channel
+        .change_pin(String::from("1234"), TIMEOUT)
+        .await
+        .unwrap();
+    run_test_battery(&mut channel, true).await;
+}
+
 enum UvUpdateShim {
     PresenceRequired,
     PinRequired,

libwebauthn/src/transport/channel.rs

@@ -61,6 +61,16 @@ pub trait Channel: Send + Sync + Display + Ctap2AuthTokenStore {
     fn supports_preflight() -> bool {
         true
     }
+
+    // Default no-op implementations for these, as we currently only have a test device
+    // for HidChannel, and that will override these default implementations.
+    #[cfg(test)]
+    fn set_forced_pin_protocol(&mut self, _protocols: Ctap2PinUvAuthProtocol) {}
+
+    #[cfg(test)]
+    fn get_forced_pin_protocol(&mut self) -> Option<Ctap2PinUvAuthProtocol> {
+        None
+    }
 }
 
 #[derive(Debug, Clone, PartialEq, Eq)]

libwebauthn/src/transport/hid/channel.rs

@@ -18,6 +18,8 @@ use tracing::{debug, info, instrument, trace, warn, Level};
 use crate::proto::ctap1::apdu::{ApduRequest, ApduResponse};
 use crate::proto::ctap1::{Ctap1, Ctap1RegisterRequest};
 use crate::proto::ctap2::cbor::{CborRequest, CborResponse};
+#[cfg(test)]
+use crate::proto::ctap2::Ctap2PinUvAuthProtocol;
 use crate::proto::ctap2::{Ctap2, Ctap2MakeCredentialRequest};
 use crate::proto::CtapError;
 use crate::transport::channel::{AuthTokenData, Channel, ChannelStatus, Ctap2AuthTokenStore};
@@ -72,6 +74,8 @@ pub struct HidChannel<'d> {
     auth_token_data: Option<AuthTokenData>,
     ux_update_sender: broadcast::Sender<UvUpdate>,
     handle: HidChannelHandle,
+    #[cfg(test)]
+    pin_protocol_override: Option<Ctap2PinUvAuthProtocol>,
 }
 
 impl<'d> HidChannel<'d> {
@@ -97,6 +101,8 @@ impl<'d> HidChannel<'d> {
             auth_token_data: None,
             ux_update_sender,
             handle,
+            #[cfg(test)]
+            pin_protocol_override: None,
         };
         channel.init = channel.init(INIT_TIMEOUT).await?;
         Ok(channel)
@@ -499,6 +505,16 @@ impl Channel for HidChannel<'_> {
     fn get_ux_update_sender(&self) -> &broadcast::Sender<UvUpdate> {
         &self.ux_update_sender
     }
+
+    #[cfg(test)]
+    fn set_forced_pin_protocol(&mut self, protocols: Ctap2PinUvAuthProtocol) {
+        self.pin_protocol_override = Some(protocols);
+    }
+
+    #[cfg(test)]
+    fn get_forced_pin_protocol(&mut self) -> Option<Ctap2PinUvAuthProtocol> {
+        self.pin_protocol_override
+    }
 }
 
 #[derive(Debug, Clone, Copy, Default)]

libwebauthn/src/webauthn/pin_uv_auth_token.rs

@@ -29,8 +29,13 @@ pub(crate) enum UsedPinUvAuthToken {
 }
 
 pub(crate) async fn select_uv_proto(
+    #[cfg(test)] override_protocol: Option<Ctap2PinUvAuthProtocol>,
     get_info_response: &Ctap2GetInfoResponse,
 ) -> Option<Box<dyn PinUvAuthProtocol>> {
+    #[cfg(test)]
+    if let Some(proto) = override_protocol {
+        return Some(proto.create_protocol_object());
+    }
     for &protocol in get_info_response.pin_auth_protos.iter().flatten() {
         match protocol {
             1 => return Some(Box::new(PinUvAuthProtocolOne::new())),
@@ -56,8 +61,12 @@ where
 {
     let get_info_response = channel.ctap2_get_info().await?;
     ctap2_request.handle_legacy_preview(&get_info_response);
-    let maybe_uv_proto = select_uv_proto(&get_info_response).await;
-
+    let maybe_uv_proto = select_uv_proto(
+        #[cfg(test)]
+        channel.get_forced_pin_protocol(),
+        &get_info_response,
+    )
+    .await;
     if let Some(uv_proto) = maybe_uv_proto {
         let token_identifier = Ctap2AuthTokenPermission::new(
             uv_proto.version(),
@@ -161,7 +170,13 @@ where
             uv_operation = Ctap2UserVerificationOperation::OnlyForSharedSecret;
         }
 
-        let Some(uv_proto) = select_uv_proto(get_info_response).await else {
+        let Some(uv_proto) = select_uv_proto(
+            #[cfg(test)]
+            channel.get_forced_pin_protocol(),
+            get_info_response,
+        )
+        .await
+        else {
             error!("No supported PIN/UV auth protocols found");
             return Err(Error::Ctap(CtapError::Other));
         };