feat(v2): register user u2f (#6020)

internal/command/user_v2_passkey.go

@@ -16,7 +16,7 @@ import (
 
 // RegisterUserPasskey creates a passkey registration for the current authenticated user.
 // UserID, ussualy taken from the request is compaired against the user ID in the context.
-func (c *Commands) RegisterUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment) (*domain.PasskeyRegistrationDetails, error) {
+func (c *Commands) RegisterUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment) (*domain.WebAuthNRegistrationDetails, error) {
 	if err := authz.UserIDInCTX(ctx, userID); err != nil {
 		return nil, err
 	}
@@ -25,7 +25,7 @@ func (c *Commands) RegisterUserPasskey(ctx context.Context, userID, resourceOwne
 
 // RegisterUserPasskeyWithCode registers a new passkey for a unauthenticated user id.
 // The resource is protected by the code, identified by the codeID.
-func (c *Commands) RegisterUserPasskeyWithCode(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, codeID, code string, alg crypto.EncryptionAlgorithm) (*domain.PasskeyRegistrationDetails, error) {
+func (c *Commands) RegisterUserPasskeyWithCode(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, codeID, code string, alg crypto.EncryptionAlgorithm) (*domain.WebAuthNRegistrationDetails, error) {
 	event, err := c.verifyUserPasskeyCode(ctx, userID, resourceOwner, codeID, code, alg)
 	if err != nil {
 		return nil, err
@@ -63,7 +63,7 @@ func (c *Commands) verifyUserPasskeyCodeFailed(ctx context.Context, wm *HumanPas
 	logging.WithFields("userID", userAgg.ID).OnError(err).Error("RegisterUserPasskeyWithCode push failed")
 }
 
-func (c *Commands) registerUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, events ...eventCallback) (*domain.PasskeyRegistrationDetails, error) {
+func (c *Commands) registerUserPasskey(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, events ...eventCallback) (*domain.WebAuthNRegistrationDetails, error) {
 	wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, userID, resourceOwner, authenticator)
 	if err != nil {
 		return nil, err
@@ -79,7 +79,7 @@ func (c *Commands) createUserPasskey(ctx context.Context, userID, resourceOwner
 	return c.addHumanWebAuthN(ctx, userID, resourceOwner, false, passwordlessTokens, authenticator, domain.UserVerificationRequirementRequired)
 }
 
-func (c *Commands) pushUserPasskey(ctx context.Context, wm *HumanWebAuthNWriteModel, userAgg *eventstore.Aggregate, webAuthN *domain.WebAuthNToken, events ...eventCallback) (*domain.PasskeyRegistrationDetails, error) {
+func (c *Commands) pushUserPasskey(ctx context.Context, wm *HumanWebAuthNWriteModel, userAgg *eventstore.Aggregate, webAuthN *domain.WebAuthNToken, events ...eventCallback) (*domain.WebAuthNRegistrationDetails, error) {
 	cmds := make([]eventstore.Command, len(events)+1)
 	cmds[0] = user.NewHumanPasswordlessAddedEvent(ctx, userAgg, wm.WebauthNTokenID, webAuthN.Challenge)
 	for i, event := range events {
@@ -90,9 +90,9 @@ func (c *Commands) pushUserPasskey(ctx context.Context, wm *HumanWebAuthNWriteMo
 	if err != nil {
 		return nil, err
 	}
-	return &domain.PasskeyRegistrationDetails{
+	return &domain.WebAuthNRegistrationDetails{
 		ObjectDetails:                      writeModelToObjectDetails(&wm.WriteModel),
-		PasskeyID:                          wm.WebauthNTokenID,
+		ID:                                 wm.WebauthNTokenID,
 		PublicKeyCredentialCreationOptions: webAuthN.CredentialCreationData,
 	}, nil
 }

internal/command/user_v2_passkey_test.go

@@ -46,7 +46,7 @@ func TestCommands_RegisterUserPasskey(t *testing.T) {
 		name    string
 		fields  fields
 		args    args
-		want    *domain.PasskeyRegistrationDetails
+		want    *domain.WebAuthNRegistrationDetails
 		wantErr error
 	}{
 		{
@@ -449,7 +449,7 @@ func TestCommands_pushUserPasskey(t *testing.T) {
 			require.ErrorIs(t, err, tt.wantErr)
 			if tt.wantErr == nil {
 				assert.NotEmpty(t, got.PublicKeyCredentialCreationOptions)
-				assert.Equal(t, "123", got.PasskeyID)
+				assert.Equal(t, "123", got.ID)
 				assert.Equal(t, "org1", got.ObjectDetails.ResourceOwner)
 			}
 		})

internal/command/user_v2_u2f.go

@@ -0,0 +1,46 @@
+package command
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user"
+)
+
+func (c *Commands) RegisterUserU2F(ctx context.Context, userID, resourceOwner string) (*domain.WebAuthNRegistrationDetails, error) {
+	if err := authz.UserIDInCTX(ctx, userID); err != nil {
+		return nil, err
+	}
+	return c.registerUserU2F(ctx, userID, resourceOwner)
+}
+
+func (c *Commands) registerUserU2F(ctx context.Context, userID, resourceOwner string) (*domain.WebAuthNRegistrationDetails, error) {
+	wm, userAgg, webAuthN, err := c.createUserU2F(ctx, userID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushUserU2F(ctx, wm, userAgg, webAuthN)
+}
+
+func (c *Commands) createUserU2F(ctx context.Context, userID, resourceOwner string) (*HumanWebAuthNWriteModel, *eventstore.Aggregate, *domain.WebAuthNToken, error) {
+	tokens, err := c.getHumanU2FTokens(ctx, userID, resourceOwner)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return c.addHumanWebAuthN(ctx, userID, resourceOwner, false, tokens, domain.AuthenticatorAttachmentUnspecified, domain.UserVerificationRequirementRequired)
+}
+
+func (c *Commands) pushUserU2F(ctx context.Context, wm *HumanWebAuthNWriteModel, userAgg *eventstore.Aggregate, webAuthN *domain.WebAuthNToken) (*domain.WebAuthNRegistrationDetails, error) {
+	cmd := user.NewHumanU2FAddedEvent(ctx, userAgg, wm.WebauthNTokenID, webAuthN.Challenge)
+	err := c.pushAppendAndReduce(ctx, wm, cmd)
+	if err != nil {
+		return nil, err
+	}
+	return &domain.WebAuthNRegistrationDetails{
+		ObjectDetails:                      writeModelToObjectDetails(&wm.WriteModel),
+		ID:                                 wm.WebauthNTokenID,
+		PublicKeyCredentialCreationOptions: webAuthN.CredentialCreationData,
+	}, nil
+}

internal/command/user_v2_u2f_test.go

@@ -0,0 +1,215 @@
+package command
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+	"github.com/zitadel/zitadel/internal/id"
+	id_mock "github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/org"
+	"github.com/zitadel/zitadel/internal/repository/user"
+	webauthn_helper "github.com/zitadel/zitadel/internal/webauthn"
+)
+
+func TestCommands_RegisterUserU2F(t *testing.T) {
+	ctx := authz.NewMockContextWithPermissions("instance1", "org1", "user1", nil)
+	ctx = authz.WithRequestedDomain(ctx, "example.com")
+
+	webauthnConfig := &webauthn_helper.Config{
+		DisplayName:    "test",
+		ExternalSecure: true,
+	}
+	userAgg := &user.NewAggregate("user1", "org1").Aggregate
+	type fields struct {
+		eventstore  *eventstore.Eventstore
+		idGenerator id.Generator
+	}
+	type args struct {
+		userID        string
+		resourceOwner string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    *domain.WebAuthNRegistrationDetails
+		wantErr error
+	}{
+		{
+			name: "wrong user",
+			args: args{
+				userID:        "foo",
+				resourceOwner: "org1",
+			},
+			wantErr: caos_errs.ThrowUnauthenticated(nil, "AUTH-Bohd2", "Errors.User.UserIDWrong"),
+		},
+		{
+			name: "get human passwordless error",
+			fields: fields{
+				eventstore: eventstoreExpect(t,
+					expectFilterError(io.ErrClosedPipe),
+				),
+			},
+			args: args{
+				userID:        "user1",
+				resourceOwner: "org1",
+			},
+			wantErr: io.ErrClosedPipe,
+		},
+		{
+			name: "id generator error",
+			fields: fields{
+				eventstore: eventstoreExpect(t,
+					expectFilter(), // getHumanPasswordlessTokens
+					expectFilter(eventFromEventPusher(
+						user.NewHumanAddedEvent(ctx,
+							userAgg,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.German,
+							domain.GenderUnspecified,
+							"email@test.ch",
+							true,
+						),
+					)),
+					expectFilter(eventFromEventPusher(
+						org.NewOrgAddedEvent(ctx,
+							&org.NewAggregate("org1").Aggregate,
+							"org1",
+						),
+					)),
+					expectFilter(eventFromEventPusher(
+						org.NewDomainPolicyAddedEvent(ctx,
+							&org.NewAggregate("org1").Aggregate,
+							false, false, false,
+						),
+					)),
+				),
+				idGenerator: id_mock.NewIDGeneratorExpectError(t, io.ErrClosedPipe),
+			},
+			args: args{
+				userID:        "user1",
+				resourceOwner: "org1",
+			},
+			wantErr: io.ErrClosedPipe,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:     tt.fields.eventstore,
+				idGenerator:    tt.fields.idGenerator,
+				webauthnConfig: webauthnConfig,
+			}
+			_, err := c.RegisterUserU2F(ctx, tt.args.userID, tt.args.resourceOwner)
+			require.ErrorIs(t, err, tt.wantErr)
+			// successful case can't be tested due to random challenge.
+		})
+	}
+}
+
+func TestCommands_pushUserU2F(t *testing.T) {
+	ctx := authz.WithRequestedDomain(context.Background(), "example.com")
+	webauthnConfig := &webauthn_helper.Config{
+		DisplayName:    "test",
+		ExternalSecure: true,
+	}
+	userAgg := &user.NewAggregate("user1", "org1").Aggregate
+
+	prep := []expect{
+		expectFilter(), // getHumanU2FTokens
+		expectFilter(eventFromEventPusher(
+			user.NewHumanAddedEvent(ctx,
+				userAgg,
+				"username",
+				"firstname",
+				"lastname",
+				"nickname",
+				"displayname",
+				language.German,
+				domain.GenderUnspecified,
+				"email@test.ch",
+				true,
+			),
+		)),
+		expectFilter(eventFromEventPusher(
+			org.NewOrgAddedEvent(ctx,
+				&org.NewAggregate("org1").Aggregate,
+				"org1",
+			),
+		)),
+		expectFilter(eventFromEventPusher(
+			org.NewDomainPolicyAddedEvent(ctx,
+				&org.NewAggregate("org1").Aggregate,
+				false, false, false,
+			),
+		)),
+		expectFilter(eventFromEventPusher(
+			user.NewHumanWebAuthNAddedEvent(eventstore.NewBaseEventForPush(
+				ctx, &org.NewAggregate("org1").Aggregate, user.HumanPasswordlessTokenAddedType,
+			), "111", "challenge"),
+		)),
+	}
+
+	tests := []struct {
+		name       string
+		expectPush func(challenge string) expect
+		wantErr    error
+	}{
+		{
+			name: "push error",
+			expectPush: func(challenge string) expect {
+				return expectPushFailed(io.ErrClosedPipe, []*repository.Event{eventFromEventPusher(
+					user.NewHumanU2FAddedEvent(ctx,
+						userAgg, "123", challenge,
+					),
+				)})
+			},
+			wantErr: io.ErrClosedPipe,
+		},
+		{
+			name: "success",
+			expectPush: func(challenge string) expect {
+				return expectPush([]*repository.Event{eventFromEventPusher(
+					user.NewHumanU2FAddedEvent(ctx,
+						userAgg, "123", challenge,
+					),
+				)})
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:     eventstoreExpect(t, prep...),
+				webauthnConfig: webauthnConfig,
+				idGenerator:    id_mock.NewIDGeneratorExpectIDs(t, "123"),
+			}
+			wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, "user1", "org1", domain.AuthenticatorAttachmentCrossPlattform)
+			require.NoError(t, err)
+
+			c.eventstore = eventstoreExpect(t, tt.expectPush(webAuthN.Challenge))
+
+			got, err := c.pushUserU2F(ctx, wm, userAgg, webAuthN)
+			require.ErrorIs(t, err, tt.wantErr)
+			if tt.wantErr == nil {
+				assert.NotEmpty(t, got.PublicKeyCredentialCreationOptions)
+				assert.Equal(t, "123", got.ID)
+				assert.Equal(t, "org1", got.ObjectDetails.ResourceOwner)
+			}
+		})
+	}
+}