Backed out changeset e2818fa57916 (bug 1435527) mochitest leakcheck failures, a=backout on a CLOSED TREE
authorCiure Andrei <aciure@mozilla.com>
Thu, 08 Feb 2018 00:22:24 +0200
changeset 447366 ec6cd52c3fde993d8672938c135ea7c81c680c0a
parent 447317 c8e7ab77ed3fccf4d99711de3507dae353e16181
child 447367 91be737412952e421f27fd0d7a90edd6bb95f0c5
push id135
push userfmarier@mozilla.com
push dateSat, 10 Feb 2018 02:56:15 +0000
reviewersbackout
bugs1435527
milestone60.0a1
backs oute2818fa5791629800811b280926b834270b26958
Backed out changeset e2818fa57916 (bug 1435527) mochitest leakcheck failures, a=backout on a CLOSED TREE
dom/webauthn/WebAuthnManager.cpp
dom/webauthn/tests/test_webauthn_get_assertion.html
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -534,16 +534,23 @@ WebAuthnManager::GetAssertion(const Publ
   }
 
   srv = HashCString(hashService, clientDataJSON, clientDataHash);
   if (NS_WARN_IF(NS_FAILED(srv))) {
     promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
     return promise.forget();
   }
 
+  // Note: we only support U2F-style authentication for now, so we effectively
+  // require an AllowList.
+  if (aOptions.mAllowCredentials.Length() < 1) {
+    promise->MaybeReject(NS_ERROR_DOM_NOT_ALLOWED_ERR);
+    return promise.forget();
+  }
+
   nsTArray<WebAuthnScopedCredential> allowList;
   for (const auto& s: aOptions.mAllowCredentials) {
     if (s.mType == PublicKeyCredentialType::Public_key) {
       WebAuthnScopedCredential c;
       CryptoBuffer cb;
       cb.Assign(s.mId);
       c.id() = cb;
 
--- a/dom/webauthn/tests/test_webauthn_get_assertion.html
+++ b/dom/webauthn/tests/test_webauthn_get_assertion.html
@@ -1,159 +1,129 @@
 <!DOCTYPE html>
 <meta charset=utf-8>
 <head>
   <title>Tests for GetAssertion for W3C Web Authentication</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
   <script type="text/javascript" src="u2futil.js"></script>
   <script type="text/javascript" src="pkijs/common.js"></script>
   <script type="text/javascript" src="pkijs/asn1.js"></script>
   <script type="text/javascript" src="pkijs/x509_schema.js"></script>
   <script type="text/javascript" src="pkijs/x509_simpl.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 
   <h1>Tests for GetAssertion for W3C Web Authentication</h1>
   <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309284">Mozilla Bug 1309284</a>
 
   <script class="testbody" type="text/javascript">
     "use strict";
 
-    is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
-    isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");
-    isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist");
-    isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist");
-
-    let credm = navigator.credentials;
-
-    let gAssertionChallenge = new Uint8Array(16);
-    window.crypto.getRandomValues(gAssertionChallenge);
-
-    let invalidCred = {type: "Magic", id: base64ToBytes("AAA=")};
-    let unknownCred = {type: "public-key", id: base64ToBytes("AAA=")};
+    // Execute the full-scope test
+    SimpleTest.waitForExplicitFinish();
 
     function arrivingHereIsBad(aResult) {
       ok(false, "Bad result! Received a: " + aResult);
+      return Promise.resolve();
     }
 
     function expectNotAllowedError(aResult) {
       ok(aResult.toString().startsWith("NotAllowedError"), "Expecting a NotAllowedError");
+      return Promise.resolve();
     }
 
     function expectTypeError(aResult) {
       ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError");
-    }
-
-    function expectAbortError(aResult) {
-      is(aResult.code, DOMException.ABORT_ERR, "Expecting an AbortError");
+      return Promise.resolve();
     }
 
-    add_task(() => {
-      return SpecialPowers.pushPrefEnv({"set": [
-        ["security.webauth.webauthn", true],
-        ["security.webauth.webauthn_enable_softtoken", true],
-        ["security.webauth.webauthn_enable_usbtoken", false]
-      ]});
-    });
-
-    // Test basic good call, but without giving a credential so expect failures
-    // this is OK by the standard, but not supported by U2F-backed authenticators
-    // like the soft token in use here.
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectNotAllowedError);
-    });
+    SpecialPowers.pushPrefEnv({"set": [["security.webauth.webauthn", true],
+                                       ["security.webauth.webauthn_enable_softtoken", true],
+                                       ["security.webauth.webauthn_enable_usbtoken", false]]},
+                              runTests);
 
-    // Test with an unexpected option
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge,
-        unknownValue: "hi"
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectNotAllowedError);
-    });
+    function runTests() {
+      is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
+      isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");
+      isnot(navigator.credentials.create, undefined, "CredentialManagement create API endpoint must exist");
+      isnot(navigator.credentials.get, undefined, "CredentialManagement get API endpoint must exist");
 
-    // Test with an invalid credential
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge,
-        allowCredentials: [invalidCred]
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectTypeError);
-    });
+      let credm = navigator.credentials;
 
-    // Test with an unknown credential
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge,
-        allowCredentials: [unknownCred]
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectNotAllowedError);
-    });
+      let gAssertionChallenge = new Uint8Array(16);
+      window.crypto.getRandomValues(gAssertionChallenge);
+
+      let invalidCred = {type: "Magic", id: base64ToBytes("AAA=")};
+      let unknownCred = {type: "public-key", id: base64ToBytes("AAA=")};
 
-    // Test with an unexpected option and an invalid credential
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge,
-        unknownValue: "hi",
-        allowCredentials: [invalidCred]
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectTypeError);
-    });
-
-    // Test with an empty credential list
-    add_task(() => {
-      let publicKeyCredentialRequestOptions = {
-        challenge: gAssertionChallenge,
-        allowCredentials: []
-      };
-      return credm.get({publicKey: publicKeyCredentialRequestOptions})
-                  .then(arrivingHereIsBad)
-                  .catch(expectNotAllowedError);
-    });
+      var testFuncs = [
+        function () {
+          // Test basic good call, but without giving a credential so expect failures
+          // this is OK by the standard, but not supported by U2F-backed authenticators
+          // like the soft token in use here.
+          let publicKeyCredentialRequestOptions = {
+            challenge: gAssertionChallenge
+          };
+          return credm.get({publicKey: publicKeyCredentialRequestOptions})
+                      .then(arrivingHereIsBad)
+                      .catch(expectNotAllowedError);
+        },
+        function () {
+          // Test with an unexpected option
+          let publicKeyCredentialRequestOptions = {
+            challenge: gAssertionChallenge,
+            unknownValue: "hi"
+          };
+          return credm.get({publicKey: publicKeyCredentialRequestOptions})
+                      .then(arrivingHereIsBad)
+                      .catch(expectNotAllowedError);
+        },
+        function () {
+          // Test with an invalid credential
+          let publicKeyCredentialRequestOptions = {
+            challenge: gAssertionChallenge,
+            allowCredentials: [invalidCred]
+          };
+          return credm.get({publicKey: publicKeyCredentialRequestOptions})
+                      .then(arrivingHereIsBad)
+                      .catch(expectTypeError);
+        },
+        function () {
+          // Test with an unknown credential
+          let publicKeyCredentialRequestOptions = {
+            challenge: gAssertionChallenge,
+            allowCredentials: [unknownCred]
+          };
+          return credm.get({publicKey: publicKeyCredentialRequestOptions})
+                      .then(arrivingHereIsBad)
+                      .catch(expectNotAllowedError);
+        },
+        function () {
+          // Test with an unexpected option and an invalid credential
+          let publicKeyCredentialRequestOptions = {
+            challenge: gAssertionChallenge,
+            unknownValue: "hi",
+            allowCredentials: [invalidCred]
+          };
+          return credm.get({publicKey: publicKeyCredentialRequestOptions})
+                      .then(arrivingHereIsBad)
+                      .catch(expectTypeError);
+        }
+      ];
 
-    add_task(() => {
-      // Enable USB tokens.
-      return SpecialPowers.pushPrefEnv({"set": [
-        ["security.webauth.webauthn", true],
-        ["security.webauth.webauthn_enable_softtoken", false],
-        ["security.webauth.webauthn_enable_usbtoken", true]
-      ]});
-    });
-
-    // Test with an empty credential list
-    add_task(async () => {
-      let publicKey = {
-        challenge: gAssertionChallenge,
-        allowCredentials: []
+      var i = 0;
+      var runNextTest = () => {
+        if (i == testFuncs.length) {
+          SimpleTest.finish();
+          return;
+        }
+        testFuncs[i]().then(() => { runNextTest(); });
+        i = i + 1;
       };
-
-      let ctrl = new AbortController();
-      let request = credm.get({publicKey, signal: ctrl.signal})
-                         .then(arrivingHereIsBad)
-                         .catch(expectAbortError);
+      runNextTest();
 
-      // Wait a tick for the statemachine to start.
-      await Promise.resolve();
+    }
 
-      // The request should time out. We'll abort it here and will fail or
-      // succeed upon resolution, when the error code is checked.
-      ctrl.abort();
-      await request;
-    });
   </script>
 
 </body>
 </html>