
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
commit85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch)
tree9160f299afd8c80c038f08e1545be119f5e3f1e1 /spec/services/webauthn
parent15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff)
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'spec/services/webauthn')
-rw-r--r--spec/services/webauthn/authenticate_service_spec.rb48
-rw-r--r--spec/services/webauthn/register_service_spec.rb36
2 files changed, 84 insertions, 0 deletions
diff --git a/spec/services/webauthn/authenticate_service_spec.rb b/spec/services/webauthn/authenticate_service_spec.rb
new file mode 100644
index 00000000000..61f64f24f5e
--- /dev/null
+++ b/spec/services/webauthn/authenticate_service_spec.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webauthn/fake_client'
+
+RSpec.describe Webauthn::AuthenticateService do
+ let(:client) { WebAuthn::FakeClient.new(origin) }
+ let(:user) { create(:user) }
+ let(:challenge) { Base64.strict_encode64(SecureRandom.random_bytes(32)) }
+
+ let(:origin) { 'http://localhost' }
+
+ before do
+ create_result = client.create(challenge: challenge) # rubocop:disable Rails/SaveBang
+
+ webauthn_credential = WebAuthn::Credential.from_create(create_result)
+
+ registration = WebauthnRegistration.new(credential_xid: Base64.strict_encode64(webauthn_credential.raw_id),
+ public_key: webauthn_credential.public_key,
+ counter: 0,
+ name: 'name',
+ user_id: user.id)
+ registration.save!
+ end
+
+ describe '#execute' do
+ it 'returns true if the response is valid and a matching stored credential is present' do
+ get_result = client.get(challenge: challenge)
+
+ get_result['clientExtensionResults'] = {}
+ service = Webauthn::AuthenticateService.new(user, get_result.to_json, challenge)
+
+ expect(service.execute).to be_truthy
+ end
+
+ it 'returns false if the response is valid but no matching stored credential is present' do
+ other_client = WebAuthn::FakeClient.new(origin)
+ other_client.create(challenge: challenge) # rubocop:disable Rails/SaveBang
+
+ get_result = other_client.get(challenge: challenge)
+
+ get_result['clientExtensionResults'] = {}
+ service = Webauthn::AuthenticateService.new(user, get_result.to_json, challenge)
+
+ expect(service.execute).to be_falsey
+ end
+ end
+end
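Review bot: The only rejection path covered in `#execute` is an unknown credential. No example signs the assertion over a challenge different from the one passed to `Webauthn::AuthenticateService.new`, even though the register spec in this commit does test that case. An assertion from a credential stored for a different user and a stale sign counter are also unexercised; the `before` block stores `counter: 0` but nothing checks it afterwards. I would add at least the challenge-mismatch example below, assuming `execute` returns a falsey value rather than raising when verification fails. The descriptions say "returns true" and "returns false" while the matchers are `be_truthy` and `be_falsey`; `be(true)` and `be(false)` would pin the contract the descriptions state.

```ruby
# … unchanged: the two existing examples in describe '#execute' …

it 'returns false if the challenge does not match' do
  # Constructed example: the assertion is signed over a fresh challenge,
  # while the service is handed the one generated by let(:challenge).
  get_result = client.get(challenge: Base64.strict_encode64(SecureRandom.random_bytes(32)))

  get_result['clientExtensionResults'] = {}
  service = Webauthn::AuthenticateService.new(user, get_result.to_json, challenge)

  expect(service.execute).to be_falsey
end
```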
diff --git a/spec/services/webauthn/register_service_spec.rb b/spec/services/webauthn/register_service_spec.rb
new file mode 100644
index 00000000000..bb9fa2080d2
--- /dev/null
+++ b/spec/services/webauthn/register_service_spec.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webauthn/fake_client'
+
+RSpec.describe Webauthn::RegisterService do
+ let(:client) { WebAuthn::FakeClient.new(origin) }
+ let(:user) { create(:user) }
+ let(:challenge) { Base64.strict_encode64(SecureRandom.random_bytes(32)) }
+
+ let(:origin) { 'http://localhost' }
+
+ describe '#execute' do
+ it 'returns a registration if challenge matches' do
+ create_result = client.create(challenge: challenge) # rubocop:disable Rails/SaveBang
+ webauthn_credential = WebAuthn::Credential.from_create(create_result)
+
+ params = { device_response: create_result.to_json, name: 'abc' }
+ service = Webauthn::RegisterService.new(user, params, challenge)
+
+ registration = service.execute
+ expect(registration.credential_xid).to eq(Base64.strict_encode64(webauthn_credential.raw_id))
+ expect(registration.errors.size).to eq(0)
+ end
+
+ it 'returns an error if challenge does not match' do
+ create_result = client.create(challenge: Base64.strict_encode64(SecureRandom.random_bytes(16))) # rubocop:disable Rails/SaveBang
+
+ params = { device_response: create_result.to_json, name: 'abc' }
+ service = Webauthn::RegisterService.new(user, params, challenge)
+
+ registration = service.execute
+ expect(registration.errors.size).to eq(1)
+ end
+ end
+end
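Review bot: In 'returns an error if challenge does not match', the only assertion is `expect(registration.errors.size).to eq(1)`, which would also pass if a single unrelated validation error were recorded. It therefore does not show that the challenge check rejected the response, or that nothing was stored. Assuming `execute` hands back the unsaved record on failure, adding `expect(registration).not_to be_persisted` and an assertion on the error message would tie the example to the security property it names. The mismatching challenge is also 16 bytes against the expected 32, so a same-length different challenge would be the tighter case. The positive example could likewise assert `expect(registration).to be_persisted`, so that a regression which skips the save is caught.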