ForgeRock · spetrov · May 22, 2024 · May 15, 2024 · May 16, 2024 · May 16, 2024
diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/RemoteWebAuthnRepository.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/RemoteWebAuthnRepository.kt
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 2024 ForgeRock. All rights reserved.
+ *
+ *  This software may be modified and distributed under the terms
+ *  of the MIT license. See the LICENSE file for details.
+ */
+
+package org.forgerock.android.auth
+
+import android.net.Uri
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.suspendCancellableCoroutine
+import kotlinx.coroutines.withContext
+import okhttp3.Call
+import okhttp3.Callback
+import okhttp3.Request
+import okhttp3.Response
+import org.forgerock.android.auth.exception.ApiException
+import org.forgerock.android.auth.webauthn.PublicKeyCredentialSource
+import org.forgerock.android.auth.webauthn.WebAuthnRepository
+import org.json.JSONObject
+import java.io.IOException
+import java.net.HttpURLConnection
+import java.net.URL
+import kotlin.coroutines.resume
+import kotlin.coroutines.resumeWithException
+
+private val TAG = RemoteWebAuthnRepository::class.java.simpleName
+
+internal class RemoteWebAuthnRepository(val serverConfig: ServerConfig = Config.getInstance().serverConfig) :
+    WebAuthnRepository {
+
+    override suspend fun delete(publicKeyCredentialSource: PublicKeyCredentialSource) {
+        val credentialId = String(publicKeyCredentialSource.id)
+        val userId = String(publicKeyCredentialSource.userHandle)
+
+        val findResponse = find(userId, credentialId)
+        val resourceId = findResponse.getString("uuid")
+        if (resourceId.isNotEmpty()) {
+            val deleteResponse = invokeDelete(userId, resourceId)
+            if (deleteResponse.code != HttpURLConnection.HTTP_OK) {
+                throw ApiException(deleteResponse.code, deleteResponse.message,
+                    "Failed to delete resources")
+            }
+        }
+    }
+
+    private suspend fun find(userId: String, credentialId: String): JSONObject {
+        val response = invokeGet(userId, credentialId)
+        if (response.code != HttpURLConnection.HTTP_OK) {
+            throw ApiException(response.code, response.message, "Failed to find resource")
+        } else {
+            return JSONObject(response.body.toString())
+        }
+    }
+
+    private suspend fun invokeGet(userId: String, credentialId: String): Response =
+        withContext(Dispatchers.IO) {
+            suspendCancellableCoroutine { continuation ->
+                val client =
+                    OkHttpClientProvider.getInstance().lookup(serverConfig)
+                val url = getUrl(userId, credentialId)
+                val request = Request.Builder()
+                    .header(ServerConfig.ACCEPT_API_VERSION, "resource=1.0")
+                    .url(url)
+                    .get().build()
+                val call = client.newCall(request)
+                call.enqueue(object : Callback {
+                    override fun onFailure(call: Call, e: IOException) {
+                        if (continuation.isCancelled) return
+                        Logger.warn(TAG, e, "Delete webauthn device failed."  )
+                        continuation.resumeWithException(e)
+                    }
+
+                    override fun onResponse(call: Call, response: Response) {
+                        continuation.resume(response)
+                    }
+                })
+                continuation.invokeOnCancellation {
+                    try {
+                        call.cancel()
+                    } catch (e: Exception) {
+                        Logger.warn(TAG, e, "Cancel API call failed")
+                    }
+                }
+            }
+
+        }
+
+    private suspend fun invokeDelete(userId: String, resourceId:String): Response =
+        withContext(Dispatchers.IO) {
+            suspendCancellableCoroutine { continuation ->
+                val client =
+                    OkHttpClientProvider.getInstance().lookup(serverConfig)
+                val url = getUrl(userId, resourceId)
+                val request = Request.Builder()
+                    .header(ServerConfig.ACCEPT_API_VERSION, "resource=1.0")
+                    .url(url)
+                    .delete().build()
+                val call = client.newCall(request)
+                call.enqueue(object : Callback {
+                    override fun onFailure(call: Call, e: IOException) {
+                        if (continuation.isCancelled) return
+                        Logger.warn(TAG, e, "Delete webauthn device failed."  )
+                        continuation.resumeWithException(e)
+                    }
+
+                    override fun onResponse(call: Call, response: Response) {
+                        continuation.resume(response)
+                    }
+                })
+                continuation.invokeOnCancellation {
+                    try {
+                        call.cancel()
+                    } catch (e: Exception) {
+                        Logger.warn(TAG, e, "Cancel API call failed")
+                    }
+                }
+            }
+
+        }
+
+    private fun getUrl(userId: String, resourceId:String): URL {
+        val builder = Uri.parse(serverConfig.url).buildUpon()
+        builder.appendPath("json")
+            .appendPath("realms")
+            .appendPath(serverConfig.realm)
+            .appendPath("users")
+            .appendPath(userId)
+            .appendPath("devices")
+            .appendPath("2fa")
+            .appendPath("webauthn")
+            .appendPath(resourceId)
+        return URL(builder.build().toString())
+    }
+
+}
diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/FRWebAuthn.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 ForgeRock. All rights reserved.
+ * Copyright (c) 2023 - 2024 ForgeRock. All rights reserved.
  *
  *  This software may be modified and distributed under the terms
  *  of the MIT license. See the LICENSE file for details.
@@ -8,17 +8,28 @@
 package org.forgerock.android.auth.webauthn
 
 import android.content.Context
+import org.forgerock.android.auth.RemoteWebAuthnRepository
 import org.forgerock.android.auth.WebAuthnDataRepository
+import org.forgerock.android.auth.exception.ApiException
+import java.io.IOException
+
+interface WebAuthnRepository {
+
+    @Throws(ApiException::class, IOException::class)
+    suspend fun delete(publicKeyCredentialSource: PublicKeyCredentialSource)
+
+}
 
 /**
  * Manage [PublicKeyCredentialSource] that generated by the SDK.
  * The [PublicKeyCredentialSource] only contains the reference to the actual key,
  * deleting the [PublicKeyCredentialSource] does not delete the actual key
  */
-class FRWebAuthn(private val context: Context,
+class FRWebAuthn @JvmOverloads constructor(private val context: Context,
                  private val webAuthnDataRepository: WebAuthnDataRepository =
                      WebAuthnDataRepository.WebAuthnDataRepositoryBuilder().context(context)
-                         .build()) {
+                         .build(),
+                 private val remoteWebAuthnRepository: WebAuthnRepository? = RemoteWebAuthnRepository()) {
 
     /**
      * Delete the [PublicKeyCredentialSource] by Relying Party Id
@@ -37,6 +48,23 @@ class FRWebAuthn(private val context: Context,
         webAuthnDataRepository.delete(publicKeyCredentialSource)
     }
 
+    /**
+     * Delete the provide [PublicKeyCredentialSource] from local storage and also remotely from Server.
+     * By default, if failed to delete from server, local storage will not be deleted,
+     * by providing [forceDelete] to true, it will also delete local keys if server call is failed.
+     * @param publicKeyCredentialSource The [PublicKeyCredentialSource] to be deleted
+     * @param forceDelete If true, it will also delete local keys if server call is failed.
+     */
+    suspend fun deleteCredentials(publicKeyCredentialSource: PublicKeyCredentialSource, forceDelete: Boolean = false) {
+        try {
+            remoteWebAuthnRepository?.delete(publicKeyCredentialSource)
+        } catch (e: Exception) {
+            if (forceDelete) {
+                webAuthnDataRepository.delete(publicKeyCredentialSource)
+            }
+        }
+    }
+
     /**
      * Load all the [PublicKeyCredentialSource] by the provided Relying Party Id
      * @param rpId The relying party id to lookup from the internal storage

diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/webauthn/WebAuthnRegistration.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 ForgeRock. All rights reserved.
+ * Copyright (c) 2022 - 2024 ForgeRock. All rights reserved.
  *
  *  This software may be modified and distributed under the terms
  *  of the MIT license. See the LICENSE file for details.
@@ -156,16 +156,17 @@ open class WebAuthnRegistration() : WebAuthn() {
                 publicKeyCredential.rawId,
                 Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING))
 
-        //Extension to support username-less
-        if (options.authenticatorSelection?.requireResidentKey == true &&
-            options.authenticatorSelection?.residentKeyRequirement == ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED) {
+        //TODO: We are not sure about th side effect of this change, need to test all use cases
+//        //Extension to support username-less
+//        if (options.authenticatorSelection?.requireResidentKey == true &&
+//            options.authenticatorSelection?.residentKeyRequirement == ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED) {
             val source = PublicKeyCredentialSource.builder()
                 .id(publicKeyCredential.rawId)
                 .rpid(options.rp.id)
                 .userHandle(Base64.decode(options.user.id, Base64.URL_SAFE or Base64.NO_WRAP))
                 .otherUI(options.user.displayName).build()
             persist(context, source)
-        }
+//        }
         return (sb.toString())
     }
 

diff --git a/forgerock-auth/src/test/java/org/forgerock/android/auth/webauthn/FRWebAuthnTest.kt b/forgerock-auth/src/test/java/org/forgerock/android/auth/webauthn/FRWebAuthnTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 ForgeRock. All rights reserved.
+ * Copyright (c) 2023 - 2024 ForgeRock. All rights reserved.
  *
  *  This software may be modified and distributed under the terms
  *  of the MIT license. See the LICENSE file for details.
@@ -11,13 +11,21 @@ import android.content.Context
 import android.content.SharedPreferences
 import androidx.test.core.app.ApplicationProvider
 import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialType
+import kotlinx.coroutines.runBlocking
 import org.assertj.core.api.Assertions.*
+import org.forgerock.android.auth.RemoteWebAuthnRepository
 import org.forgerock.android.auth.WebAuthnDataRepository
+import org.forgerock.android.auth.exception.ApiException
 import org.junit.After
-import org.junit.Assert.*
 import org.junit.Before
 import org.junit.Test
 import org.junit.runner.RunWith
+import org.mockito.kotlin.any
+import org.mockito.kotlin.given
+import org.mockito.kotlin.mock
+import org.mockito.kotlin.verify
+import org.mockito.kotlin.whenever
 
 /**
  * This test is only focus on the wrapper [FRWebAuthn], refer to WebAuthnDataRepositoryTest for
@@ -27,6 +35,7 @@ import org.junit.runner.RunWith
 class FRWebAuthnTest {
 
     private val context: Context = ApplicationProvider.getApplicationContext()
+    private val remoteWebAuthnRepository = mock<RemoteWebAuthnRepository>()
     private var sharedPreferences = context.getSharedPreferences("Test", Context.MODE_PRIVATE)
     private var repository: WebAuthnDataRepository =
         object : WebAuthnDataRepository(context, sharedPreferences) {
@@ -40,7 +49,7 @@ class FRWebAuthnTest {
 
     @Before
     fun prepare() {
-        frWebAuthn = FRWebAuthn(context, repository)
+        frWebAuthn = FRWebAuthn(context, repository, remoteWebAuthnRepository)
         source1 = PublicKeyCredentialSource.builder()
             .id("test1".toByteArray())
             .rpid("rpid")
@@ -59,7 +68,7 @@ class FRWebAuthnTest {
     }
 
     @Test
-    fun deleteCredentialsByRpId() {
+    fun testDeleteCredentialsByRpId() {
         repository.persist(source1)
         frWebAuthn.deleteCredentials(source1.rpid)
         assertThat(frWebAuthn.loadAllCredentials(source1.rpid)).isEmpty()
@@ -75,10 +84,83 @@ class FRWebAuthnTest {
     }
 
     @Test
-    fun loadAllCredentials() {
+    fun testLoadAllCredentials() {
         repository.persist(source1)
         repository.persist(source2)
         val sources = frWebAuthn.loadAllCredentials(source1.rpid)
         assertThat(sources).hasSize(2)
     }
+
+    @Test
+    fun testDeleteCredentialByPublicKeyCredentialSource() {
+        val localKey = PublicKeyCredentialSource(
+            "NbbX-JfFRKW00lCMEK0fKw".toByteArray(),
+            PublicKeyCredentialType.PUBLIC_KEY.toString(),
+            "rpid1",
+            "user1".toByteArray(),
+            "User One",
+            1715204825651
+        )
+
+        repository.persist(localKey)
+
+        frWebAuthn.deleteCredentials(localKey)
+        assertThat(frWebAuthn.loadAllCredentials(localKey.rpid)).isEmpty()
+    }
+
+    @Test
+    fun testDeleteCredentialByPublicKeyCredentialSourceNotForceDelete() : Unit =
+        runBlocking {
+            given(remoteWebAuthnRepository.delete(any())).willAnswer { throw ApiException(403,
+                "Failed",
+                "Failed") }
+            val localKey = PublicKeyCredentialSource(
+                "NbbX-JfFRKW00lCMEK0fKw".toByteArray(),
+                PublicKeyCredentialType.PUBLIC_KEY.toString(),
+                "rpid1",
+                "user1".toByteArray(),
+                "User One",
+                1715204825651
+            )
+
+            repository.persist(localKey)
+
+            try {
+                frWebAuthn.deleteCredentials(localKey, false)
+            } catch (e: Exception) {
+                //ignore
+            }
+
+            verify(remoteWebAuthnRepository).delete(localKey)
+            assertThat(frWebAuthn.loadAllCredentials(localKey.rpid)).isNotEmpty
+    }
+
+    @Test
+    fun testDeleteCredentialByPublicKeyCredentialSourceForceDelete() : Unit =
+        runBlocking {
+            given(remoteWebAuthnRepository.delete(any())).willAnswer { throw ApiException(403,
+                "Failed",
+                "Failed") }
+
+            val localKey = PublicKeyCredentialSource(
+                "NbbX-JfFRKW00lCMEK0fKw".toByteArray(),
+                PublicKeyCredentialType.PUBLIC_KEY.toString(),
+                "rpid2",
+                "user2".toByteArray(),
+                "User Two",
+                1715204825651
+            )
+
+            repository.persist(localKey)
+
+            try {
+                frWebAuthn.deleteCredentials(localKey, true)
+            } catch (e: Exception) {
+                //ignore
+            }
+
+            verify(remoteWebAuthnRepository).delete(localKey)
+            assertThat(frWebAuthn.loadAllCredentials(localKey.rpid)).isEmpty()
+        }
+
 }