File: authenticator_request_dialog_controller.h

package info (click to toggle)
chromium 139.0.7258.127-1
links: PTS, VCS
area: main
in suites:
size: 6,122,068 kB
sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (598 lines) | stat: -rw-r--r-- 24,659 bytes
parent folder | download | duplicates (3)
// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_WEBAUTHN_AUTHENTICATOR_REQUEST_DIALOG_CONTROLLER_H_
#define CHROME_BROWSER_WEBAUTHN_AUTHENTICATOR_REQUEST_DIALOG_CONTROLLER_H_

#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <vector>

#include "base/functional/callback_forward.h"
#include "base/memory/raw_ptr.h"
#include "base/memory/weak_ptr.h"
#include "base/scoped_observation.h"
#include "base/timer/timer.h"
#include "chrome/browser/ui/webauthn/passkey_upgrade_request_controller.h"
#include "chrome/browser/webauthn/authenticator_reference.h"
#include "chrome/browser/webauthn/authenticator_request_dialog_model.h"
#include "chrome/browser/webauthn/authenticator_transport.h"
#include "chrome/browser/webauthn/observable_authenticator_list.h"
#include "chrome/browser/webauthn/password_credential_controller.h"
#include "components/webauthn/core/browser/passkey_model.h"
#include "components/webauthn/core/browser/passkey_model_change.h"
#include "content/public/browser/authenticator_request_client_delegate.h"
#include "content/public/browser/global_routing_id.h"
#include "third_party/blink/public/mojom/credentialmanagement/credential_type_flags.mojom.h"
#include "url/gurl.h"

class ChallengeUrlFetcher;
class PasskeyUpgradeRequestController;
class Profile;

namespace content {
class RenderFrameHost;
}  // namespace content

// Encapsulates the logic behind the WebAuthn UI flow.
// flow. This is essentially a state machine going through the states defined in
// the `Step` enumeration.
class AuthenticatorRequestDialogController
    : public AuthenticatorRequestDialogModel::Observer,
      public webauthn::PasskeyModel::Observer,
      public PasskeyUpgradeRequestController::Delegate {
 public:
  using RequestCallback = device::FidoRequestHandlerBase::RequestCallback;
  using BlePermissionCallback = base::RepeatingCallback<void(
      device::FidoRequestHandlerBase::BlePermissionCallback)>;
  using EnclaveRequestCallback = base::RepeatingCallback<void(
      std::unique_ptr<device::enclave::CredentialRequest>)>;

  AuthenticatorRequestDialogController(
      AuthenticatorRequestDialogModel* model,
      content::RenderFrameHost* render_frame_host);

  AuthenticatorRequestDialogController(
      const AuthenticatorRequestDialogController&) = delete;
  AuthenticatorRequestDialogController& operator=(
      const AuthenticatorRequestDialogController&) = delete;

  ~AuthenticatorRequestDialogController() override;

  AuthenticatorRequestDialogModel* model() const;

  // AuthenticatorRequestDialogModel::Observer:
  void OnModelDestroyed(AuthenticatorRequestDialogModel* model) override;
  void StartOver() override;
  void OnCreatePasskeyAccepted() override;
  void OnRecoverSecurityDomainClosed() override;
  void ContinueWithFlowAfterBleAdapterPowered() override;
  void PowerOnBleAdapter() override;
  void OpenBlePreferences() override;
  void OnOffTheRecordInterstitialAccepted() override;
  void CancelAuthenticatorRequest() override;
  void OnRequestComplete() override;
  void OnResidentCredentialConfirmed() override;
  void OnHavePIN(std::u16string pin) override;
  void EnclaveEnabledStatusChanged(EnclaveEnabledStatus status) override;
  void OnAccountSelected(size_t index) override;
  void OnAccountPreselectedIndex(size_t index) override;
  void OnBioEnrollmentDone() override;
  void OnUserConfirmedPriorityMechanism() override;

  // webauthn::PasskeyModel::Observer:
  void OnPasskeysChanged(
      const std::vector<webauthn::PasskeyModelChange>& changes) override;
  void OnPasskeyModelShuttingDown() override;
  void OnPasskeyModelIsReady(bool is_ready) override;

  // PasskeyUpgradeRequestController::Delegate:
  void PasskeyUpgradeSucceeded() override;
  void PasskeyUpgradeFailed() override;

  // Hides the dialog. A subsequent call to SetCurrentStep() will unhide it.
  void HideDialog();

  // Returns whether the UI is in a state at which the |request_| member of
  // AuthenticatorImpl has completed processing. Note that the request callback
  // is only resolved after the UI is dismissed.
  bool is_request_complete() const;

  // Starts the UX flow, by either showing the transport or password selection
  // screen or the guided flow for the most likely transport.
  //
  // Valid action when at step: kNotStarted.
  void StartFlow(device::FidoRequestHandlerBase::TransportAvailabilityInfo
                     transport_availability,
                 PasswordCredentialController::PasswordCredentials passwords);

  // Starts a modal WebAuthn flow (i.e. what you normally get if you call
  // WebAuthn with no mediation parameter) from a conditional request.
  //
  // Valid action when at step: kPasskeyAutofill.
  void TransitionToModalWebAuthnRequest();

  // Starts the UX flow. Tries to figure out the most likely transport to be
  // used, and starts the guided flow for that transport; or shows the manual
  // transport selection screen if the transport could not be uniquely
  // identified.
  //
  // Valid action when at step: kNotStarted.
  void StartGuidedFlowForMostLikelyTransportOrShowMechanismSelection();

  bool StartGuidedFlowForHint(AuthenticatorTransport transport);

  // Proceeds straight to the platform authenticator prompt. If `type` is
  // `nullopt` then it actives the default platform authenticator. Otherwise it
  // actives the platform authenticator of the given type.
  void HideDialogAndDispatchToPlatformAuthenticator(
      std::optional<device::AuthenticatorType> type = std::nullopt);

  // Called when some caBLE event (e.g. receiving a BLE message, connecting to
  // the tunnel server, etc) happens.
  void OnCableEvent(device::cablev2::Event event);

  // Called when `cable_connecting_sheet_timer_` completes.
  void OnCableConnectingTimerComplete();

  // StartPhonePairing triggers the display of a QR code for pairing a new
  // phone.
  void StartPhonePairing();

  // Ensures that the Bluetooth adapter is powered before executing |action|.
  //  -- If the adapter is powered, run |action| directly.
  //  -- If Chrome does not have Bluetooth permissions, show an error (macOS).
  //  -- If Chrome has not requested Bluetooth permissions yet, trigger a
  //     permission prompt (macOS).
  //  -- If the adapter is not powered, but Chrome can turn it automatically,
  //     then advanced to the flow to turn on Bluetooth automatically.
  //  -- Otherwise advanced to the manual Bluetooth power on flow.
  //
  // Valid action whenever contacting a phone or showing the QR code screen is
  // possible.
  void EnsureBleAdapterIsPoweredAndContinue(base::OnceClosure action);
  void OnBleStatusKnown(device::FidoRequestHandlerBase::BleStatus ble_status);

  // Tries if a USB device is present -- the user claims they plugged it in.
  //
  // Valid action when at step: kUsbInsert.
  void TryUsbDevice();

  // Tries to dispatch to the platform authenticator -- either because the
  // request requires it or because the user told us to. May show an error for
  // unrecognized credential, or an Incognito mode interstitial, or proceed
  // straight to the platform authenticator prompt.
  //
  // Valid action when at all steps.
  void StartPlatformAuthenticatorFlow();

  // To be called when Web Authentication request times-out.
  void OnRequestTimeout();

  // To be called when the user activates a security key that does not recognize
  // any of the allowed credentials (during a GetAssertion request).
  void OnActivatedKeyNotRegistered();

  // To be called when the user activates a security key that does recognize
  // one of excluded credentials (during a MakeCredential request).
  void OnActivatedKeyAlreadyRegistered();

  // To be called when the selected authenticator cannot currently handle PIN
  // requests because it needs a power-cycle due to too many failures.
  void OnSoftPINBlock();

  // To be called when the selected authenticator must be reset before
  // performing any PIN operations because of too many failures.
  void OnHardPINBlock();

  // To be called when the selected authenticator was removed while
  // waiting for a PIN to be entered.
  void OnAuthenticatorRemovedDuringPINEntry();

  // To be called when the selected authenticator doesn't have the requested
  // resident key capability.
  void OnAuthenticatorMissingResidentKeys();

  // To be called when the selected authenticator doesn't have the requested
  // user verification capability.
  void OnAuthenticatorMissingUserVerification();

  // To be called when the selected authenticator doesn't have the requested
  // large blob capability.
  void OnAuthenticatorMissingLargeBlob();

  // To be called when the selected authenticator doesn't support any of the
  // COSEAlgorithmIdentifiers requested by the RP.
  void OnNoCommonAlgorithms();

  // To be called when the selected authenticator cannot create a resident
  // credential because of insufficient storage.
  void OnAuthenticatorStorageFull();

  // To be called when the user denies consent, e.g. by canceling out of the
  // system's platform authenticator prompt.
  void OnUserConsentDenied();

  // To be called when the user clicks "Cancel" in the native Windows UI.
  // Returns true if the event was handled.
  bool OnWinUserCancelled();

  // To be called when a hybrid connection fails. Returns true if the event
  // was handled.
  bool OnHybridTransportError();

  // To be called when an enclave transaction fails. Returns true if the event
  // was handled.
  bool OnEnclaveError();

  // To be called when there are no passkeys from an internal authenticator.
  // This is a rare case but can happen when the user grants passkeys permission
  // on macOS as part of a request flow and then Chromium realises that the
  // request should never have been sent to iCloud Keychain in the first place.
  bool OnNoPasskeys();

  // To be called when fetching a challenge from a provided URL failed.
  void OnChallengeUrlFailure();

  // To be called when the Bluetooth adapter status changes.
  void BluetoothAdapterStatusChanged(
      device::FidoRequestHandlerBase::BleStatus ble_status);

  void SetRequestCallback(RequestCallback request_callback);
  void SetAccountPreselectedCallback(
      content::AuthenticatorRequestClientDelegate::AccountPreselectedCallback
          callback);
  void SetBluetoothAdapterPowerOnCallback(
      base::RepeatingClosure bluetooth_adapter_power_on_callback);
  void SetRequestBlePermissionCallback(BlePermissionCallback callback);

  // Called when the user needs to retry user verification with the number of
  // |attempts| remaining.
  void OnRetryUserVerification(int attempts);

  // Adds or removes an authenticator to the list of known authenticators. The
  // first authenticator added with transport `kInternal` (or without a
  // transport) is considered to be the default platform authenticator.
  void AddAuthenticator(const device::FidoAuthenticator& authenticator);
  void RemoveAuthenticator(std::string_view authenticator_id);

  // SelectAccount is called to trigger an account selection dialog.
  void SelectAccount(
      std::vector<device::AuthenticatorGetAssertionResponse> responses,
      base::OnceCallback<void(device::AuthenticatorGetAssertionResponse)>
          callback);

  // OnAccountPreselected is called when the user selects a discoverable
  // credential from a platform authenticator prior to providing user
  // authentication. `crededential_id` must match one of the credentials in
  // `transport_availability_.recognized_credentials`. Returns the source of the
  // credential.
  //
  // Note: it's important not to pass a reference to `credential_id` here
  // because this function clears `model_->creds`, which is where such a
  // reference would often point.
  device::AuthenticatorType OnAccountPreselected(
      const std::vector<uint8_t> credential_id);

  void SetSelectedAuthenticatorForTesting(AuthenticatorReference authenticator);

  // StartTransportFlowForTesting moves the UI to focus on the given transport.
  // UI should use |mechanisms()| to enumerate the user-visible mechanisms and
  // use the callbacks therein.
  void StartTransportFlowForTesting(AuthenticatorTransport transport);

  // SetCurrentStepForTesting forces the model to the specified step. This
  // performs the little extra processing that this Controller does before
  // setting the model's Step. In most cases tests can set the Step on the
  // model directly.
  void SetCurrentStepForTesting(AuthenticatorRequestDialogModel::Step step);

  device::FidoRequestHandlerBase::TransportAvailabilityInfo&
  transport_availability_for_testing() {
    return transport_availability_;
  }

  ObservableAuthenticatorList& saved_authenticators() {
    return ephemeral_state_.saved_authenticators_;
  }

  const base::flat_set<AuthenticatorTransport>& available_transports() {
    return transport_availability_.available_transports;
  }

  void CollectPIN(device::pin::PINEntryReason reason,
                  device::pin::PINEntryError error,
                  uint32_t min_pin_length,
                  int attempts,
                  base::OnceCallback<void(std::u16string)> provide_pin_cb);
  void FinishCollectToken();

  void StartInlineBioEnrollment(base::OnceClosure next_callback);
  void OnSampleCollected(int bio_samples_remaining);

  void set_is_non_webauthn_request(bool is_non_webauthn_request) {
    is_non_webauthn_request_ = is_non_webauthn_request;
  }

  void SetHints(
      const content::AuthenticatorRequestClientDelegate::Hints& hints) {
    hints_ = hints;
  }

  void set_cable_transport_info(
      std::optional<bool> extension_is_v2,
      const std::optional<std::string>& cable_qr_string);

  bool win_native_api_enabled() const {
    return transport_availability_.has_win_native_api_authenticator;
  }

  void set_allow_icloud_keychain(bool);
  void set_should_create_in_icloud_keychain(bool);

#if BUILDFLAG(IS_MAC)
  void RecordMacOsStartedHistogram();
  void RecordMacOsSuccessHistogram(device::FidoRequestType,
                                   device::AuthenticatorType);
  void set_is_active_profile_authenticator_user(bool);
  void set_has_icloud_drive_enabled(bool);
#endif

  void SetCredentialTypes(int types);

  content::AuthenticatorRequestClientDelegate::UIPresentation ui_presentation()
      const;
  void SetUIPresentation(
      content::AuthenticatorRequestClientDelegate::UIPresentation modality);

  void ProvideChallengeUrl(
      const GURL& url,
      base::OnceCallback<void(std::optional<base::span<const uint8_t>>)>
          callback);

  void InitializeEnclaveRequestCallback(
      device::FidoDiscoveryFactory* discovery_factory);

  base::WeakPtr<AuthenticatorRequestDialogController> GetWeakPtr();

 private:
  FRIEND_TEST_ALL_PREFIXES(AuthenticatorRequestDialogControllerTest,
                           DeduplicateAccounts);

  // Contains the state that will be reset when calling StartOver(). StartOver()
  // might be called at an arbitrary point of execution.
  struct EphemeralState {
    EphemeralState();
    EphemeralState(EphemeralState&&);
    EphemeralState& operator=(EphemeralState&&);
    ~EphemeralState();

    // Stores a list of |AuthenticatorReference| values such that a request can
    // be dispatched dispatched after some UI interaction. This is useful for
    // platform authenticators (and Windows) where dispatch to the authenticator
    // immediately results in modal UI to appear.
    ObservableAuthenticatorList saved_authenticators_;

    // responses_ contains possible responses to select between after an
    // authenticator has responded to a request.
    std::vector<device::AuthenticatorGetAssertionResponse> responses_;

    // When a request has been dispatched to a platform authenticator, this
    // contains the `AuthenticatorType`. std::nullopt at all other times.
    std::optional<device::AuthenticatorType>
        dispatched_platform_authenticator_type_ = std::nullopt;

    // did_invoke_platform_despite_no_priority_mechanism_ is true if a platform
    // authenticator was triggered despite there not being a
    // `priority_mechanism_index_` set. For example, this can happen if there's
    // an allowlist match.
    bool did_invoke_platform_despite_no_priority_mechanism_ = false;
  };

  void ResetEphemeralState();

  void SetCurrentStep(AuthenticatorRequestDialogModel::Step step);

  // Requests that the step-by-step wizard flow commence, guiding the user
  // through using the Secutity Key with the given |transport|.
  //
  // Valid action when at step: kNotStarted. kMechanismSelection, and steps
  // where the other transports menu is shown, namely, kUsbInsertAndActivate,
  // kCableActivate.
  void StartGuidedFlowForTransport(AuthenticatorTransport transport);

  // Starts the flow for adding an unlisted phone by showing a QR code.
  void StartGuidedFlowForAddPhone();

  // Displays a resident-key warning if needed and then calls
  // |HideDialogAndDispatchToNativeWindowsApi|.
  void StartWinNativeApi();

  void StartICloudKeychain();
  void StartEnclave();

  // Triggers gaia account reauth to restore sync to working order.
  void ReauthForSyncRestore();

  void StartAutofillRequest();
  void StartPasskeyUpgradeRequest();

  void DispatchRequestAsync(AuthenticatorReference* authenticator);

  // SortRecognizedCredentials sorts
  // `transport_availability_.recognized_credentials` into username order.
  void SortRecognizedCredentials();

  // PopulateMechanisms fills in |model_->mechanisms|.
  void PopulateMechanisms();

  // Adds a button that triggers Windows Hello with the specified string ID and
  // transport icon.
  void AddWindowsButton(int label, AuthenticatorTransport transport);

  // IndexOfPriorityMechanism returns the index, in |model_->mechanisms|, of the
  // Mechanism that should be triggered immediately, if any.
  std::optional<size_t> IndexOfPriorityMechanism();

  std::optional<size_t> IndexOfGetAssertionPriorityMechanism();
  std::optional<size_t> IndexOfImmediateGetPriorityMechanism();
  std::optional<size_t> IndexOfMakeCredentialPriorityMechanism();

  // Sets correct step for entering GPM pin based on `gpm_pin_is_arbitrary_`.
  void PromptForGPMPin();

  // Returns true if this request could pick the enclave authenticator by
  // default. This only makes sense for a create() call.
  bool CanDefaultToEnclave(Profile* profile);

  // Returns the render frame host associated with this request. The render
  // frame host indirectly owns the controller, and so it should outlive it.
  content::RenderFrameHost* GetRenderFrameHost() const;

  // Lazy creation accessor.
  ChallengeUrlFetcher* GetChallengeUrlFetcher();

  void MaybeStartChallengeFetch();
  void OnChallengeFetched();

  void PopulatePasswords();

  raw_ptr<AuthenticatorRequestDialogModel> model_;

  // Identifier for the RenderFrameHost of the frame that initiated the current
  // request.
  EphemeralState ephemeral_state_;

  // is_non_webauthn_request_ is true if the current request came from Secure
  // Payment Confirmation, or from credit-card autofill.
  bool is_non_webauthn_request_ = false;

  // started_ records whether |StartFlow| has been called.
  bool started_ = false;

  // pending_step_ holds requested steps until the UI is shown. The UI is only
  // shown once the TransportAvailabilityInfo is available, but authenticators
  // may request, e.g., PIN entry prior to that.
  std::optional<AuthenticatorRequestDialogModel::Step> pending_step_;

  // after_off_the_record_interstitial_ contains the closure to run if the user
  // accepts the interstitial that warns that platform/caBLE authenticators may
  // record information even in incognito mode.
  base::OnceClosure after_off_the_record_interstitial_;

  // after_ble_adapter_powered_ contains the closure to run if the user
  // accepts the interstitial that requests to turn on the BLE adapter.
  base::OnceClosure after_ble_adapter_powered_;

  // This field is only filled out once the UX flow is started.
  device::FidoRequestHandlerBase::TransportAvailabilityInfo
      transport_availability_;

  PasswordCredentialController::PasswordCredentials passwords_;

  content::AuthenticatorRequestClientDelegate::AccountPreselectedCallback
      account_preselected_callback_;
  RequestCallback request_callback_;
  base::RepeatingClosure bluetooth_adapter_power_on_callback_;

  // Triggers a permission prompt on macOS if ble_status is
  // kPendingPermissionRequest and returns the bluetooth status.
  BlePermissionCallback request_ble_permission_callback_;

  base::OnceClosure bio_enrollment_callback_;

  base::OnceCallback<void(std::u16string)> pin_callback_;

  base::OnceCallback<void(device::AuthenticatorGetAssertionResponse)>
      selection_callback_;

  // cable_extension_provided_ indicates whether the request included a caBLE
  // extension.
  bool cable_extension_provided_ = false;

  // cable_device_ready_ is true if a CTAP-level request has been sent to a
  // caBLE device. At this point we assume that any transport errors are
  // cancellations on the device, not networking errors.
  bool cable_device_ready_ = false;

  // cable_connecting_sheet_timer_ is started when we start displaying
  // the "connecting..." sheet for a caBLE connection. To avoid flashing the UI,
  // the sheet won't be automatically replaced until it completes.
  base::OneShotTimer cable_connecting_sheet_timer_;

  // cable_connecting_ready_to_advance_ is set to true if we are ready to
  // advance the "connecting" sheet but are waiting for
  // `cable_connecting_sheet_timer_` to complete.
  bool cable_connecting_ready_to_advance_ = false;

  // allow_icloud_keychain_ is true if iCloud Keychain can be used for this
  // request. It is disabled for Secure Payment Confirmation and other non-
  // WebAuthn cases, for example.
  bool allow_icloud_keychain_ = false;

  // should_create_in_icloud_keychain is true if creation requests with
  // attachment=platform should default to iCloud Keychain rather than the
  // profile authenticator.
  bool should_create_in_icloud_keychain_ = false;

  // enclave_enabled_status_ determines whether Google Password Manager entries
  // should be offered both for `makeCredential` or `getAssertion`. If reauth
  // needed, instead of offering the actual passkeys or creating a passkey,
  // re-authentication to Google is offered.
  EnclaveEnabledStatus enclave_enabled_status_ =
      EnclaveEnabledStatus::kDisabled;

  // The RP's hints. See
  // https://w3c.github.io/webauthn/#enumdef-publickeycredentialhints
  content::AuthenticatorRequestClientDelegate::Hints hints_;

  // True when the priority mechanism was determined to be the enclave.
  bool enclave_was_priority_mechanism_ = false;

#if BUILDFLAG(IS_MAC)
  // did_record_macos_start_histogram_ is set to true if a histogram record of
  // starting the current request was made. Any later successful completion will
  // only be recorded if a start event was recorded first.
  bool did_record_macos_start_histogram_ = false;

  // is_active_profile_authenticator_user_ is true if the current profile has
  // recently used the platform authenticator on macOS that saves credentials
  // into the profile.
  bool is_active_profile_authenticator_user_ = false;

  // has_icloud_drive_enabled_ is true if the current system has iCloud Drive
  // enabled. This is used as an approximation for whether iCloud Keychain
  // syncing is enabled.
  bool has_icloud_drive_enabled_ = false;
#endif

  // The credential types that are being asked for.
  int credential_types_ =
      static_cast<int>(blink::mojom::CredentialTypeFlags::kNone);

  // ChallengeUrl support. The URL is the destination to fetch the challenge
  // and the callback is invoked when the challenge is received.
  GURL challenge_url_;
  base::OnceCallback<void(std::optional<base::span<const uint8_t>>)>
      challenge_callback_;

  std::unique_ptr<ChallengeUrlFetcher> challenge_url_fetcher_;

  const content::GlobalRenderFrameHostId frame_host_id_;

  base::ScopedObservation<webauthn::PasskeyModel,
                          webauthn::PasskeyModel::Observer>
      passkey_model_observation_{this};

  EnclaveRequestCallback enclave_request_callback_;
  std::unique_ptr<PasskeyUpgradeRequestController>
      passkey_upgrade_request_controller_;

  base::WeakPtrFactory<AuthenticatorRequestDialogController> weak_factory_{
      this};
};

#endif  // CHROME_BROWSER_WEBAUTHN_AUTHENTICATOR_REQUEST_DIALOG_CONTROLLER_H_