2017-10-27 01:08:41 +03:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
2016-02-09 18:43:00 +03:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
|
|
#ifndef mozilla_dom_U2F_h
|
|
|
|
|
#define mozilla_dom_U2F_h
|
|
|
|
|
|
|
|
|
|
#include "js/TypeDecls.h"
|
|
|
|
|
#include "mozilla/Attributes.h"
|
|
|
|
|
#include "mozilla/dom/BindingDeclarations.h"
|
|
|
|
|
#include "mozilla/dom/Nullable.h"
|
2016-10-13 06:56:56 +03:00
|
|
|
#include "mozilla/dom/U2FBinding.h"
|
2017-12-05 21:05:06 +03:00
|
|
|
#include "mozilla/dom/WebAuthnManagerBase.h"
|
2016-02-09 18:43:00 +03:00
|
|
|
#include "mozilla/ErrorResult.h"
|
2019-01-19 02:21:46 +03:00
|
|
|
#include "mozilla/Maybe.h"
|
2016-10-13 06:56:56 +03:00
|
|
|
#include "mozilla/MozPromise.h"
|
|
|
|
|
#include "nsProxyRelease.h"
|
2016-02-09 18:43:00 +03:00
|
|
|
#include "nsWrapperCache.h"
|
2017-01-09 23:22:49 +03:00
|
|
|
#include "U2FAuthenticator.h"
|
2016-11-22 09:19:06 +03:00
|
|
|
|
2017-06-10 07:24:46 +03:00
|
|
|
namespace mozilla {
|
2016-02-09 18:43:00 +03:00
|
|
|
namespace dom {
|
|
|
|
|
|
2018-02-12 23:46:11 +03:00
|
|
|
class WebAuthnMakeCredentialResult;
|
|
|
|
|
class WebAuthnGetAssertionResult;
|
|
|
|
|
|
2016-02-09 18:43:00 +03:00
|
|
|
class U2FRegisterCallback;
|
|
|
|
|
class U2FSignCallback;
|
|
|
|
|
|
2016-10-13 06:56:56 +03:00
|
|
|
// Defined in U2FBinding.h by the U2F.webidl; their use requires a JSContext.
|
|
|
|
|
struct RegisterRequest;
|
|
|
|
|
struct RegisteredKey;
|
|
|
|
|
|
2017-11-28 12:21:07 +03:00
|
|
|
class U2FTransaction {
|
2017-12-08 18:55:52 +03:00
|
|
|
typedef Variant<nsMainThreadPtrHandle<U2FRegisterCallback>,
|
|
|
|
|
nsMainThreadPtrHandle<U2FSignCallback>>
|
|
|
|
|
U2FCallback;
|
|
|
|
|
|
2017-11-28 12:21:07 +03:00
|
|
|
public:
|
2018-05-30 17:06:09 +03:00
|
|
|
explicit U2FTransaction(const U2FCallback&& aCallback)
|
2019-03-29 20:59:08 +03:00
|
|
|
: mCallback(std::move(aCallback)),
|
|
|
|
|
mId(NextId()),
|
|
|
|
|
mVisibilityChanged(false) {
|
2017-11-28 12:21:07 +03:00
|
|
|
MOZ_ASSERT(mId > 0);
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-08 18:55:52 +03:00
|
|
|
bool HasRegisterCallback() {
|
|
|
|
|
return mCallback.is<nsMainThreadPtrHandle<U2FRegisterCallback>>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auto& GetRegisterCallback() {
|
|
|
|
|
return mCallback.as<nsMainThreadPtrHandle<U2FRegisterCallback>>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool HasSignCallback() {
|
|
|
|
|
return mCallback.is<nsMainThreadPtrHandle<U2FSignCallback>>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auto& GetSignCallback() {
|
|
|
|
|
return mCallback.as<nsMainThreadPtrHandle<U2FSignCallback>>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The callback passed to the API.
|
|
|
|
|
U2FCallback mCallback;
|
|
|
|
|
|
2017-11-28 12:21:07 +03:00
|
|
|
// Unique transaction id.
|
|
|
|
|
uint64_t mId;
|
|
|
|
|
|
2019-03-29 20:59:08 +03:00
|
|
|
// Whether or not visibility has changed for the window during this
|
|
|
|
|
// transaction
|
|
|
|
|
bool mVisibilityChanged;
|
|
|
|
|
|
2017-11-28 12:21:07 +03:00
|
|
|
private:
|
|
|
|
|
// Generates a unique id for new transactions. This doesn't have to be unique
|
|
|
|
|
// forever, it's sufficient to differentiate between temporally close
|
|
|
|
|
// transactions, where messages can intersect. Can overflow.
|
|
|
|
|
static uint64_t NextId() {
|
|
|
|
|
static uint64_t id = 0;
|
|
|
|
|
return ++id;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2017-12-06 20:41:58 +03:00
|
|
|
class U2F final : public WebAuthnManagerBase, public nsWrapperCache {
|
2016-02-09 18:43:00 +03:00
|
|
|
public:
|
2019-01-19 02:21:46 +03:00
|
|
|
NS_DECL_ISUPPORTS_INHERITED
|
|
|
|
|
NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED(U2F,
|
|
|
|
|
WebAuthnManagerBase)
|
2016-02-09 18:43:00 +03:00
|
|
|
|
2017-12-06 20:41:58 +03:00
|
|
|
explicit U2F(nsPIDOMWindowInner* aParent) : WebAuthnManagerBase(aParent) {}
|
2016-02-09 18:43:00 +03:00
|
|
|
|
|
|
|
|
nsPIDOMWindowInner* GetParentObject() const { return mParent; }
|
|
|
|
|
|
Bug 1245527 - Rewrite U2F.cpp to use U2FTokenManager. r=keeler, r=ttaubert
- This patch reworks the U2F module to asynchronously call U2FManager,
which in turn handles constructing and managing the U2FTokenManager
via IPC.
- Add U2FTransaction{Parent,Child} implementations to mirror similar ones for
WebAuthn
- Rewrite all tests to compensate for U2F executing asynchronously now.
- Used async tasks, used the manifest parameters for scheme, and generally
made these cleaner.
- The mochitest "pref =" functionality from Bug 1328830 doesn't support Android
yet, causing breakage on Android. Rework the tests to go back to the old way
of using iframes to test U2F.
NOTE TO REVIEWERS:
Since this is huge, I recommend the following:
keeler - please review U2F.cpp/h, the tests, and the security-prefs.js. Most
of the U2F logic is still in U2F.cpp like before, but there's been
some reworking of how it is called.
ttaubert - please review U2FManager, the Transaction classes, build changes,
and the changes to nsGlobalWindow. All of these should be very
similar to the WebAuthn code it's patterned off.
MozReview-Commit-ID: C1ZN2ch66Rm
--HG--
extra : rebase_source : 5a2c52b0340c13f471af5040b998eb7e661b1981
2017-09-11 22:56:59 +03:00
|
|
|
void Init(ErrorResult& aRv);
|
2016-02-09 18:43:00 +03:00
|
|
|
|
|
|
|
|
virtual JSObject* WrapObject(JSContext* aCx,
|
|
|
|
|
JS::Handle<JSObject*> aGivenProto) override;
|
|
|
|
|
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT
|
2016-02-09 18:43:00 +03:00
|
|
|
void Register(const nsAString& aAppId,
|
|
|
|
|
const Sequence<RegisterRequest>& aRegisterRequests,
|
|
|
|
|
const Sequence<RegisteredKey>& aRegisteredKeys,
|
|
|
|
|
U2FRegisterCallback& aCallback,
|
|
|
|
|
const Optional<Nullable<int32_t>>& opt_aTimeoutSeconds,
|
|
|
|
|
ErrorResult& aRv);
|
|
|
|
|
|
Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
There are two related problems this patch is trying to address. The first, and
simpler, one is bug 1553436: there are websites that use existing variables and
functions named "u2f" and adding a non-replaceable readonly property with that
name on Window breaks them. The fix for this is straightforward: mark the
property [Replaceable].
The second problem, covered by bug 1551282, involves sites that use the Google
U2F polyfill. The relevant parts of that polyfill look like this:
'use strict';
var u2f = u2f || {};
u2f.register = some_function_that_only_works_right_in_Chrome;
u2f.sign = some_function_that_only_works_right_in_Chrome;
The failure mode for that code before this fix is that the assignment to "u2f"
throws because it's a readonly property and we're in strict mode, so any code
the page concatenates in the same file after the polyfill does not get run.
That's what bug 1551282 is about. The [Replaceable] annotation fixes that
issue, because now the polyfill gets the value of window.u2f and then redefines
the property (via the [Replaceable] setter) to be a value property with that
value. So far, so good.
But then we need to prevent the sets of u2f.register
and u2f.sign from taking effect, because if they are allowed to happen, the
actual sign/register functionality on the page will not work in Firefox. We
can't just make the properties readonly, because then the sets will throw due
to being in strict mode, and we still have bug 1551282. The proposed fix is to
make these accessor properties with a no-op setter, which is exactly what
[LenientSetter] gives us.
The rest of the patch is just setting up infrastructure for generating the
normal bits we would generate if "sign" and "register" were methods and using
that to create the JSFunctions at the point when the getter is called. The
JSFunctions then get cached on the u2f instance object.
Differential Revision: https://phabricator.services.mozilla.com/D32357
--HG--
extra : moz-landing-system : lando
2019-05-24 23:40:59 +03:00
|
|
|
void GetRegister(JSContext* aCx, JS::MutableHandle<JSObject*> aRegisterFunc,
|
|
|
|
|
ErrorResult& aRv);
|
|
|
|
|
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT
|
2016-02-09 18:43:00 +03:00
|
|
|
void Sign(const nsAString& aAppId, const nsAString& aChallenge,
|
|
|
|
|
const Sequence<RegisteredKey>& aRegisteredKeys,
|
|
|
|
|
U2FSignCallback& aCallback,
|
|
|
|
|
const Optional<Nullable<int32_t>>& opt_aTimeoutSeconds,
|
|
|
|
|
ErrorResult& aRv);
|
|
|
|
|
|
Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
There are two related problems this patch is trying to address. The first, and
simpler, one is bug 1553436: there are websites that use existing variables and
functions named "u2f" and adding a non-replaceable readonly property with that
name on Window breaks them. The fix for this is straightforward: mark the
property [Replaceable].
The second problem, covered by bug 1551282, involves sites that use the Google
U2F polyfill. The relevant parts of that polyfill look like this:
'use strict';
var u2f = u2f || {};
u2f.register = some_function_that_only_works_right_in_Chrome;
u2f.sign = some_function_that_only_works_right_in_Chrome;
The failure mode for that code before this fix is that the assignment to "u2f"
throws because it's a readonly property and we're in strict mode, so any code
the page concatenates in the same file after the polyfill does not get run.
That's what bug 1551282 is about. The [Replaceable] annotation fixes that
issue, because now the polyfill gets the value of window.u2f and then redefines
the property (via the [Replaceable] setter) to be a value property with that
value. So far, so good.
But then we need to prevent the sets of u2f.register
and u2f.sign from taking effect, because if they are allowed to happen, the
actual sign/register functionality on the page will not work in Firefox. We
can't just make the properties readonly, because then the sets will throw due
to being in strict mode, and we still have bug 1551282. The proposed fix is to
make these accessor properties with a no-op setter, which is exactly what
[LenientSetter] gives us.
The rest of the patch is just setting up infrastructure for generating the
normal bits we would generate if "sign" and "register" were methods and using
that to create the JSFunctions at the point when the getter is called. The
JSFunctions then get cached on the u2f instance object.
Differential Revision: https://phabricator.services.mozilla.com/D32357
--HG--
extra : moz-landing-system : lando
2019-05-24 23:40:59 +03:00
|
|
|
void GetSign(JSContext* aCx, JS::MutableHandle<JSObject*> aSignFunc,
|
|
|
|
|
ErrorResult& aRv);
|
|
|
|
|
|
2017-12-05 21:05:06 +03:00
|
|
|
// WebAuthnManagerBase
|
|
|
|
|
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT
|
2017-12-05 21:05:06 +03:00
|
|
|
void FinishMakeCredential(
|
|
|
|
|
const uint64_t& aTransactionId,
|
2018-02-12 23:08:54 +03:00
|
|
|
const WebAuthnMakeCredentialResult& aResult) override;
|
2017-11-28 12:21:07 +03:00
|
|
|
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT
|
2017-12-05 21:05:06 +03:00
|
|
|
void FinishGetAssertion(const uint64_t& aTransactionId,
|
2018-02-12 23:08:54 +03:00
|
|
|
const WebAuthnGetAssertionResult& aResult) override;
|
2017-11-28 12:21:07 +03:00
|
|
|
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT
|
2017-12-05 21:05:06 +03:00
|
|
|
void RequestAborted(const uint64_t& aTransactionId,
|
|
|
|
|
const nsresult& aError) override;
|
2017-11-28 12:21:07 +03:00
|
|
|
|
2017-12-06 20:41:58 +03:00
|
|
|
protected:
|
|
|
|
|
// Cancels the current transaction (by sending a Cancel message to the
|
|
|
|
|
// parent) and rejects it by calling RejectTransaction().
|
2019-03-29 20:59:08 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT void CancelTransaction(const nsresult& aError);
|
|
|
|
|
// Upon a visibility change, makes note of it in the current transaction.
|
|
|
|
|
MOZ_CAN_RUN_SCRIPT void HandleVisibilityChange() override;
|
2017-11-28 12:21:07 +03:00
|
|
|
|
|
|
|
|
private:
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT ~U2F();
|
2017-11-28 12:21:07 +03:00
|
|
|
|
2017-12-08 18:55:52 +03:00
|
|
|
template <typename T, typename C>
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT void ExecuteCallback(T& aResp,
|
|
|
|
|
nsMainThreadPtrHandle<C>& aCb);
|
2017-12-08 18:55:52 +03:00
|
|
|
|
|
|
|
|
// Rejects the current transaction and clears it.
|
2019-03-19 23:53:55 +03:00
|
|
|
MOZ_CAN_RUN_SCRIPT void RejectTransaction(const nsresult& aError);
|
2017-09-19 17:55:38 +03:00
|
|
|
|
2019-04-02 02:13:26 +03:00
|
|
|
// Clears all information we have about the current transaction.
|
|
|
|
|
void ClearTransaction();
|
|
|
|
|
|
2017-09-09 10:09:21 +03:00
|
|
|
nsString mOrigin;
|
2017-11-28 12:21:07 +03:00
|
|
|
|
|
|
|
|
// The current transaction, if any.
|
|
|
|
|
Maybe<U2FTransaction> mTransaction;
|
2016-02-09 18:43:00 +03:00
|
|
|
};
|
|
|
|
|
|
2019-01-19 02:21:46 +03:00
|
|
|
inline void ImplCycleCollectionTraverse(
|
|
|
|
|
nsCycleCollectionTraversalCallback& aCallback, U2FTransaction& aTransaction,
|
|
|
|
|
const char* aName, uint32_t aFlags = 0) {
|
|
|
|
|
if (aTransaction.HasRegisterCallback()) {
|
|
|
|
|
CycleCollectionNoteChild(
|
|
|
|
|
aCallback, aTransaction.GetRegisterCallback().get(), aName, aFlags);
|
|
|
|
|
} else {
|
|
|
|
|
CycleCollectionNoteChild(aCallback, aTransaction.GetSignCallback().get(),
|
|
|
|
|
aName, aFlags);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inline void ImplCycleCollectionUnlink(U2FTransaction& aTransaction) {
|
|
|
|
|
if (aTransaction.HasRegisterCallback()) {
|
|
|
|
|
aTransaction.GetRegisterCallback() = nullptr;
|
|
|
|
|
} else {
|
|
|
|
|
aTransaction.GetSignCallback() = nullptr;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-09 18:43:00 +03:00
|
|
|
} // namespace dom
|
|
|
|
|
} // namespace mozilla
|
|
|
|
|
|
|
|
|
|
#endif // mozilla_dom_U2F_h
|
