chromium/src
0
Fork 0
Code Activity

[webauthn] Don't keep network contexts around

Browse Source 
Instead of having fido code pass network contexts around, pass a factory
and get a fresh one every time one is needed.

Keep cable transact* methods that take a network context around until
we clean up the android cable client module in a follow-up.

Bug: 332724843
Change-Id: I33ea5c741706041c75c10cf881452fcf77fce445
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5426374
Reviewed-by: Adam Langley <agl@chromium.org>
Commit-Queue: Nina Satragno <nsatragno@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1284063}
This commit is contained in:
Nina Satragno
2024-04-08 20:07:43 +00:00
committed by Chromium LUCI CQ
parent e48076613b
commit e7188afddf
27 changed files with 292 additions and 149 deletions

6
chrome/android/features/cablev2_authenticator/native/cablev2_authenticator_android.cc

@ -541,7 +541,7 @@ static jlong JNI_CableAuthenticator_StartQR(
global_data.event_to_record_if_stopped =
CableV2MobileEvent::kStoppedWhileAwaitingTunnelServerConnection;
global_data.current_transaction =
device::cablev2::authenticator::TransactFromQRCode(
device::cablev2::authenticator::TransactFromQRCodeDeprecated(
std::make_unique<AndroidPlatform>(env, cable_authenticator,
/*is_usb=*/false),
global_data.network_context, *global_data.root_secret,
@ -595,7 +595,7 @@ static jlong JNI_CableAuthenticator_StartServerLink(
RecordEvent(&global_data, CableV2MobileEvent::kServerLink);
global_data.current_transaction =
device::cablev2::authenticator::TransactFromQRCode(
device::cablev2::authenticator::TransactFromQRCodeDeprecated(
std::make_unique<AndroidPlatform>(env, cable_authenticator,
/*is_usb=*/false),
global_data.network_context, dummy_root_secret,
@ -629,7 +629,7 @@ static jlong JNI_CableAuthenticator_StartCloudMessage(
global_data.event_to_record_if_stopped =
CableV2MobileEvent::kStoppedWhileAwaitingTunnelServerConnection;
global_data.current_transaction =
device::cablev2::authenticator::TransactFromFCM(
device::cablev2::authenticator::TransactFromFCMDeprecated(
std::make_unique<AndroidPlatform>(env, cable_authenticator,
/*is_usb=*/false),
global_data.network_context, *global_data.root_secret,

7
chrome/browser/webauthn/chrome_authenticator_request_delegate.cc

@ -964,8 +964,11 @@ void ChromeAuthenticatorRequestDelegate::ConfigureDiscoveries(
if (non_extension_cablev2_enabled || cablev2_extension_provided ||
enclave_manager_) {
if (SystemNetworkContextManager::GetInstance()) {
discovery_factory->set_network_context(
SystemNetworkContextManager::GetInstance()->GetContext());
// TODO(nsatragno): this should probably use a storage partition network
// context instead. See the SystemNetworkContextManager class comments.
discovery_factory->set_network_context_factory(base::BindRepeating([]() {
return SystemNetworkContextManager::GetInstance()->GetContext();
}));
}
}

15
chrome/browser/webauthn/enclave_manager.cc

@ -50,6 +50,7 @@
#include "device/fido/enclave/enclave_websocket_client.h"
#include "device/fido/enclave/transact.h"
#include "device/fido/enclave/types.h"
#include "device/fido/network_context_factory.h"
#include "google_apis/gaia/gaia_auth_util.h"
#include "google_apis/gaia/gaia_constants.h"
#include "google_apis/gaia/google_service_auth_error.h"
@ -1346,8 +1347,8 @@ class EnclaveManager::StateMachine {
state_ = State::kRegisteringWithEnclave;
std::string token = std::move(absl::get_if<AccessToken>(&event)->value());
enclave::Transact(manager_->network_context_, enclave::GetEnclaveIdentity(),
std::move(token),
enclave::Transact(manager_->network_context_factory_,
enclave::GetEnclaveIdentity(), std::move(token),
/*reauthentication_token=*/std::nullopt,
BuildRegistrationMessage(user_->device_id(),
manager_->hardware_key_->key(),
@ -1403,7 +1404,7 @@ class EnclaveManager::StateMachine {
state_ = State::kWrappingSecrets;
std::string token = std::move(absl::get_if<AccessToken>(&event)->value());
enclave::Transact(
manager_->network_context_, enclave::GetEnclaveIdentity(),
manager_->network_context_factory_, enclave::GetEnclaveIdentity(),
std::move(token),
/*reauthentication_token=*/std::nullopt,
cbor::Value(
@ -1571,7 +1572,7 @@ class EnclaveManager::StateMachine {
// PIN for transmission to the recovery key store.
state_ = State::kWrappingPIN;
enclave::Transact(
manager_->network_context_, enclave::GetEnclaveIdentity(),
manager_->network_context_factory_, enclave::GetEnclaveIdentity(),
std::move(token),
/*reauthentication_token=*/std::nullopt,
ConcatEnclaveRequests(
@ -1592,7 +1593,7 @@ class EnclaveManager::StateMachine {
base::span<const uint8_t> wrapped_secret =
ToSpan(user_->wrapped_security_domain_secrets().begin()->second);
enclave::Transact(
manager_->network_context_, enclave::GetEnclaveIdentity(),
manager_->network_context_factory_, enclave::GetEnclaveIdentity(),
std::move(token), std::move(rapt_),
// The enclave needs to do two things:
// 1) Encrypt the PIN hash with the security domain secret,
@ -2058,11 +2059,11 @@ EnclaveManager::UVKeyOptions& EnclaveManager::UVKeyOptions::operator=(
EnclaveManager::EnclaveManager(
const base::FilePath& base_dir,
signin::IdentityManager* identity_manager,
raw_ptr<network::mojom::NetworkContext> network_context,
device::NetworkContextFactory network_context_factory,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory)
: file_path_(base_dir.Append(FILE_PATH_LITERAL("passkey_enclave_state"))),
identity_manager_(identity_manager),
network_context_(network_context),
network_context_factory_(network_context_factory),
url_loader_factory_(url_loader_factory),
trusted_vault_conn_(trusted_vault::NewFrontendTrustedVaultConnection(
trusted_vault::SecurityDomainId::kPasskeys,

5
chrome/browser/webauthn/enclave_manager.h

@ -20,6 +20,7 @@
#include "components/keyed_service/core/keyed_service.h"
#include "components/trusted_vault/trusted_vault_connection.h"
#include "device/fido/enclave/types.h"
#include "device/fido/network_context_factory.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
#if BUILDFLAG(IS_MAC)
@ -99,7 +100,7 @@ class EnclaveManager : public KeyedService {
EnclaveManager(
const base::FilePath& base_dir,
signin::IdentityManager* identity_manager,
raw_ptr<network::mojom::NetworkContext> network_context,
device::NetworkContextFactory network_context_factory,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory);
~EnclaveManager() override;
EnclaveManager(const EnclaveManager&) = delete;
@ -279,7 +280,7 @@ class EnclaveManager : public KeyedService {
const base::FilePath file_path_;
const raw_ptr<signin::IdentityManager> identity_manager_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
device::NetworkContextFactory network_context_factory_;
const scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory_;
const std::unique_ptr<trusted_vault::TrustedVaultConnection>
trusted_vault_conn_;

7
chrome/browser/webauthn/enclave_manager_factory.cc

@ -46,10 +46,13 @@ std::unique_ptr<KeyedService>
EnclaveManagerFactory::BuildServiceInstanceForBrowserContext(
content::BrowserContext* context) const {
Profile* const profile = Profile::FromBrowserContext(context);
// TODO(nsatragno): this should probably use the storage partition network
// manager instead.
return std::make_unique<EnclaveManager>(
/*base_dir=*/profile->GetPath(),
IdentityManagerFactory::GetForProfile(profile),
SystemNetworkContextManager::GetInstance()->GetContext(),
IdentityManagerFactory::GetForProfile(profile), base::BindRepeating([]() {
return SystemNetworkContextManager::GetInstance()->GetContext();
}),
g_url_loader_factory_test_override
? g_url_loader_factory_test_override
: profile->GetDefaultStoragePartition()

14
chrome/browser/webauthn/enclave_manager_unittest.cc

@ -9,6 +9,7 @@
#include "base/command_line.h"
#include "base/files/file_path.h"
#include "base/files/scoped_temp_dir.h"
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/json/json_reader.h"
#include "base/process/process.h"
@ -206,7 +207,10 @@ class EnclaveManagerTest : public testing::Test, EnclaveManager::Observer {
FakeSecurityDomainService::New(kSecretVersion)),
manager_(temp_dir_.GetPath(),
identity_test_env_.identity_manager(),
network_context_.get(),
base::BindLambdaForTesting(
[&]() -> network::mojom::NetworkContext* {
return network_context_.get();
}),
url_loader_factory_.GetSafeWeakWrapper()) {
OSCryptMocker::SetUp();
@ -280,7 +284,9 @@ class EnclaveManagerTest : public testing::Test, EnclaveManager::Observer {
std::make_unique<sync_pb::WebauthnCredentialSpecifics>(
std::move(in_specifics));
}),
network_context_.get());
base::BindLambdaForTesting([&]() -> network::mojom::NetworkContext* {
return network_context_.get();
}));
std::vector<device::PublicKeyCredentialParams::CredentialInfo>
pub_key_params;
@ -360,7 +366,9 @@ class EnclaveManagerTest : public testing::Test, EnclaveManager::Observer {
std::move(ui_request), /*save_passkey_callback=*/
base::BindRepeating(
[](sync_pb::WebauthnCredentialSpecifics) { NOTREACHED(); }),
network_context_.get());
base::BindLambdaForTesting([&]() -> network::mojom::NetworkContext* {
return network_context_.get();
}));
device::CtapGetAssertionRequest ctap_request("test.com",
R"({"foo": "bar"})");

104
content/browser/webauth/authenticator_impl_unittest.cc

@ -8948,6 +8948,7 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
AuthenticatorImplTest::SetUp();
NavigateAndCommit(GURL(kTestOrigin1));
ResetNetworkService();
old_client_ = SetBrowserClientForTesting(&browser_client_);
@ -9104,7 +9105,8 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
void DoPairingConnection() {
// First do unpaired exchange to get pairing data.
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9120,8 +9122,10 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), root_secret_, "Test Authenticator",
zero_qr_secret_, peer_identity_x962_, contact_id);
base::BindLambdaForTesting(
[&]() { return network_context_.get(); }),
root_secret_, "Test Authenticator", zero_qr_secret_,
peer_identity_x962_, contact_id);
EXPECT_EQ(AuthenticatorMakeCredential().status,
AuthenticatorStatus::SUCCESS);
@ -9143,8 +9147,9 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
auto callback_and_event_stream = device::cablev2::Discovery::EventStream<
std::unique_ptr<device::cablev2::Pairing>>::New();
discovery = std::make_unique<device::cablev2::Discovery>(
request_type, network_context_.get(), qr_generator_key_,
std::move(ble_advert_events_),
request_type,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
std::move(callback_and_event_stream.second),
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
GetPairingCallback(), GetInvalidatedPairingCallback(),
@ -9178,8 +9183,10 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), root_secret_, routing_id, tunnel_id,
pairing_id, client_nonce, contact_id);
base::BindLambdaForTesting(
[&]() { return network_context_.get(); }),
root_secret_, routing_id, tunnel_id, pairing_id, client_nonce,
contact_id);
});
ReplaceDiscoveryFactory(
@ -9190,6 +9197,11 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
EXPECT_TRUE(contact_callback_was_called);
}
void ResetNetworkService() {
network_context_ = device::cablev2::NewMockTunnelServer(base::BindRepeating(
&AuthenticatorCableV2Test::OnContact, base::Unretained(this)));
}
const std::array<uint8_t, device::cablev2::kRootSecretSize> root_secret_ = {
0};
const std::array<uint8_t, device::cablev2::kQRKeySize> qr_generator_key_ = {
@ -9198,10 +9210,7 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
0};
const std::array<uint8_t, device::cablev2::kQRSeedSize> zero_seed_ = {0};
std::unique_ptr<network::mojom::NetworkContext> network_context_ =
device::cablev2::NewMockTunnelServer(
base::BindRepeating(&AuthenticatorCableV2Test::OnContact,
base::Unretained(this)));
std::unique_ptr<network::mojom::NetworkContext> network_context_;
uint8_t peer_identity_x962_[device::kP256X962Length] = {0};
device::VirtualCtap2Device virtual_device_{DeviceState(), DeviceConfig()};
std::vector<std::unique_ptr<device::cablev2::Pairing>> pairings_;
@ -9245,7 +9254,8 @@ class AuthenticatorCableV2Test : public AuthenticatorImplRequestDelegateTest {
TEST_F(AuthenticatorCableV2Test, QRBasedWithNoPairing) {
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9260,8 +9270,9 @@ TEST_F(AuthenticatorCableV2Test, QRBasedWithNoPairing) {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), root_secret_, "Test Authenticator",
zero_qr_secret_, peer_identity_x962_,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
root_secret_, "Test Authenticator", zero_qr_secret_,
peer_identity_x962_,
/*contact_id=*/std::nullopt);
EXPECT_EQ(AuthenticatorMakeCredential().status, AuthenticatorStatus::SUCCESS);
@ -9271,8 +9282,10 @@ TEST_F(AuthenticatorCableV2Test, QRBasedWithNoPairing) {
TEST_F(AuthenticatorCableV2Test, HandshakeError) {
// A handshake error should be fatal to the request with
// `kHybridTransportError`.
auto network_context_factory =
base::BindLambdaForTesting([&]() { return network_context_.get(); });
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion, network_context_factory,
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9287,7 +9300,7 @@ TEST_F(AuthenticatorCableV2Test, HandshakeError) {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), zero_qr_secret_);
network_context_factory, zero_qr_secret_);
FailureReasonCallbackReceiver failure_reason_receiver;
auto mock_delegate = std::make_unique<
@ -9308,6 +9321,38 @@ TEST_F(AuthenticatorCableV2Test, HandshakeError) {
std::get<0>(*failure_reason_receiver.result()));
}
// Test having the network service crash between creating a discovery and
// performing a cable transaction. Regression test for crbug.com/332724843.
TEST_F(AuthenticatorCableV2Test, NetworkServiceCrash) {
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
GetPairingCallback(), GetInvalidatedPairingCallback(),
GetEventCallback());
ReplaceDiscoveryFactory(
std::make_unique<DiscoveryFactory>(std::move(discovery)));
// Simulate the network service restarting.
ResetNetworkService();
std::unique_ptr<device::cablev2::authenticator::Transaction> transaction =
device::cablev2::authenticator::TransactFromQRCode(
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
root_secret_, "Test Authenticator", zero_qr_secret_,
peer_identity_x962_,
/*contact_id=*/std::nullopt);
EXPECT_EQ(AuthenticatorMakeCredential().status, AuthenticatorStatus::SUCCESS);
EXPECT_EQ(pairings_.size(), 0u);
}
TEST_F(AuthenticatorCableV2Test, PairingBased) {
DoPairingConnection();
@ -9354,11 +9399,12 @@ static std::unique_ptr<device::cablev2::Pairing> DummyPairing() {
TEST_F(AuthenticatorCableV2Test, ContactIDDisabled) {
// Passing |nullopt| as the callback here causes all contact IDs to be
// rejected.
auto network_context = device::cablev2::NewMockTunnelServer(std::nullopt);
network_context_ = device::cablev2::NewMockTunnelServer(std::nullopt);
auto callback_and_event_stream = device::cablev2::Discovery::EventStream<
std::unique_ptr<device::cablev2::Pairing>>::New();
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context.get(),
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
std::move(callback_and_event_stream.second),
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9432,7 +9478,8 @@ TEST_F(AuthenticatorCableV2Test, ServerLink) {
server_link_1.desktop_side, server_link_2.desktop_side};
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr, extension_values, GetPairingCallback(),
GetInvalidatedPairingCallback(), GetEventCallback());
@ -9451,8 +9498,9 @@ TEST_F(AuthenticatorCableV2Test, ServerLink) {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), root_secret_, "Test Authenticator",
server_link.secret, server_link.peer_identity,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
root_secret_, "Test Authenticator", server_link.secret,
server_link.peer_identity,
/*contact_id=*/std::nullopt);
EXPECT_EQ(AuthenticatorMakeCredential().status, AuthenticatorStatus::SUCCESS);
@ -9460,8 +9508,10 @@ TEST_F(AuthenticatorCableV2Test, ServerLink) {
}
TEST_F(AuthenticatorCableV2Test, LateLinking) {
auto network_context_factory =
base::BindLambdaForTesting([&]() { return network_context_.get(); });
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion, network_context_factory,
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9478,7 +9528,7 @@ TEST_F(AuthenticatorCableV2Test, LateLinking) {
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_,
/*observer=*/nullptr),
network_context_.get(), zero_qr_secret_, peer_identity_x962_);
network_context_factory, zero_qr_secret_, peer_identity_x962_);
EXPECT_EQ(AuthenticatorMakeCredential().status,
AuthenticatorStatus::NOT_ALLOWED_ERROR);
@ -9503,7 +9553,8 @@ class AuthenticatorCableV2AuthenticatorTest
AuthenticatorCableV2Test::SetUp();
auto discovery = std::make_unique<device::cablev2::Discovery>(
device::FidoRequestType::kGetAssertion, network_context_.get(),
device::FidoRequestType::kGetAssertion,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
qr_generator_key_, std::move(ble_advert_events_),
/*contact_device_stream=*/nullptr,
/*extension_contents=*/std::vector<device::CableDiscoveryData>(),
@ -9516,8 +9567,9 @@ class AuthenticatorCableV2AuthenticatorTest
transaction_ = device::cablev2::authenticator::TransactFromQRCode(
device::cablev2::authenticator::NewMockPlatform(
std::move(ble_advert_callback_), &virtual_device_, this),
network_context_.get(), root_secret_, "Test Authenticator",
zero_qr_secret_, peer_identity_x962_,
base::BindLambdaForTesting([&]() { return network_context_.get(); }),
root_secret_, "Test Authenticator", zero_qr_secret_,
peer_identity_x962_,
/*contact_id=*/std::nullopt);
}

1
device/fido/BUILD.gn

@ -42,6 +42,7 @@ component("fido") {
"fido_transport_protocol.h",
"json_request.cc",
"json_request.h",
"network_context_factory.h",
"opaque_attestation_statement.cc",
"opaque_attestation_statement.h",
"p256_public_key.cc",

9
device/fido/cable/fido_tunnel_device.cc

@ -17,6 +17,7 @@
#include "device/fido/features.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_parsing_utils.h"
#include "device/fido/network_context_factory.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
#include "third_party/boringssl/src/include/openssl/aes.h"
#include "third_party/boringssl/src/include/openssl/digest.h"
@ -96,7 +97,7 @@ constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation =
})");
FidoTunnelDevice::FidoTunnelDevice(
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::optional<base::RepeatingCallback<void(std::unique_ptr<Pairing>)>>
pairing_callback,
std::optional<base::RepeatingCallback<void(Event)>> event_callback,
@ -130,7 +131,7 @@ FidoTunnelDevice::FidoTunnelDevice(
base::BindOnce(&FidoTunnelDevice::OnTunnelReady, base::Unretained(this)),
base::BindRepeating(&FidoTunnelDevice::OnTunnelData,
base::Unretained(this)));
network_context->CreateWebSocket(
network_context_factory.Run()->CreateWebSocket(
url, {kCableWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(),
/*additional_headers=*/{}, network::mojom::kBrowserProcessId,
@ -145,7 +146,7 @@ FidoTunnelDevice::FidoTunnelDevice(
FidoTunnelDevice::FidoTunnelDevice(
FidoRequestType request_type,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::unique_ptr<Pairing> pairing,
base::OnceClosure pairing_is_invalid,
std::optional<base::RepeatingCallback<void(Event)>> event_callback)
@ -185,7 +186,7 @@ FidoTunnelDevice::FidoTunnelDevice(
kCableClientPayloadHeader, client_payload_hex));
headers.emplace_back(
network::mojom::HttpHeader::New(kCableSignalConnectionHeader, "true"));
network_context->CreateWebSocket(
network_context_factory.Run()->CreateWebSocket(
url, {kCableWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(), std::move(headers),
network::mojom::kBrowserProcessId, url::Origin::Create(url),

9
device/fido/cable/fido_tunnel_device.h

@ -17,12 +17,9 @@
#include "device/fido/cable/websocket_adapter.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_device.h"
#include "device/fido/network_context_factory.h"
#include "third_party/abseil-cpp/absl/types/variant.h"
namespace network::mojom {
class NetworkContext;
}
namespace device::cablev2 {
class Crypter;
@ -33,7 +30,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoTunnelDevice : public FidoDevice {
public:
// This constructor is used for QR-initiated connections.
FidoTunnelDevice(
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::optional<base::RepeatingCallback<void(std::unique_ptr<Pairing>)>>
pairing_callback,
std::optional<base::RepeatingCallback<void(Event)>> event_callback,
@ -47,7 +44,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoTunnelDevice : public FidoDevice {
// run.
FidoTunnelDevice(
FidoRequestType request_type,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::unique_ptr<Pairing> pairing,
base::OnceClosure pairing_is_invalid,
std::optional<base::RepeatingCallback<void(Event)>> event_callback);

74
device/fido/cable/v2_authenticator.cc

@ -26,6 +26,7 @@
#include "device/fido/features.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_parsing_utils.h"
#include "device/fido/network_context_factory.h"
#include "device/fido/public_key_credential_descriptor.h"
#include "device/fido/public_key_credential_params.h"
#include "device/fido/public_key_credential_rp_entity.h"
@ -40,9 +41,7 @@
#include "third_party/boringssl/src/include/openssl/ec_key.h"
#include "third_party/boringssl/src/include/openssl/obj.h"
namespace device {
namespace cablev2 {
namespace authenticator {
namespace device::cablev2::authenticator {
using device::CtapDeviceResponseCode;
using device::CtapRequestCommand;
@ -266,7 +265,7 @@ class TunnelTransport : public Transport {
public:
TunnelTransport(
Platform* platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> secret,
base::span<const uint8_t, device::kP256X962Length> peer_identity,
GeneratePairingDataCallback generate_pairing_data)
@ -279,7 +278,7 @@ class TunnelTransport : public Transport {
secret,
base::span<const uint8_t>(),
device::cablev2::DerivedValueType::kEIDKey)),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
peer_identity_(device::fido_parsing_utils::Materialize(peer_identity)),
generate_pairing_data_(std::move(generate_pairing_data)),
secret_(fido_parsing_utils::Materialize(secret)) {
@ -296,7 +295,7 @@ class TunnelTransport : public Transport {
TunnelTransport(
Platform* platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> secret,
base::span<const uint8_t, device::cablev2::kClientNonceSize> client_nonce,
std::array<uint8_t, device::cablev2::kRoutingIdSize> routing_id,
@ -308,7 +307,7 @@ class TunnelTransport : public Transport {
secret,
client_nonce,
device::cablev2::DerivedValueType::kEIDKey)),
network_context_(network_context),
network_context_factory_(network_context_factory),
secret_(fido_parsing_utils::Materialize(secret)),
local_identity_(std::move(local_identity)) {
DCHECK_EQ(state_, State::kNone);
@ -367,7 +366,7 @@ class TunnelTransport : public Transport {
void StartWebSocket() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
network_context_->CreateWebSocket(
network_context_factory_.Run()->CreateWebSocket(
target_, {device::kCableWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(),
/*additional_headers=*/{}, network::mojom::kBrowserProcessId,
@ -600,7 +599,7 @@ class TunnelTransport : public Transport {
const std::array<uint8_t, kEIDKeySize> eid_key_;
std::unique_ptr<WebSocketAdapter> websocket_client_;
std::unique_ptr<Crypter> crypter_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
NetworkContextFactory network_context_factory_;
const std::optional<std::array<uint8_t, kP256X962Length>> peer_identity_;
std::array<uint8_t, kPSKSize> psk_;
GeneratePairingDataCallback generate_pairing_data_;
@ -1192,7 +1191,7 @@ std::unique_ptr<Transaction> TransactWithPlaintextTransport(
std::unique_ptr<Transaction> TransactFromQRCode(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t, kRootSecretSize> root_secret,
const std::string& authenticator_name,
base::span<const uint8_t, 16> qr_secret,
@ -1203,15 +1202,33 @@ std::unique_ptr<Transaction> TransactFromQRCode(
Platform* const platform_ptr = platform.get();
return std::make_unique<CTAP2Processor>(
std::make_unique<TunnelTransport>(platform_ptr, network_context,
qr_secret, peer_identity,
std::move(generate_pairing_data)),
std::make_unique<TunnelTransport>(
platform_ptr, std::move(network_context_factory), qr_secret,
peer_identity, std::move(generate_pairing_data)),
std::move(platform));
}
std::unique_ptr<Transaction> TransactFromQRCodeDeprecated(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
base::span<const uint8_t, kRootSecretSize> root_secret,
const std::string& authenticator_name,
base::span<const uint8_t, 16> qr_secret,
base::span<const uint8_t, kP256X962Length> peer_identity,
std::optional<std::vector<uint8_t>> contact_id) {
NetworkContextFactory factory = base::BindRepeating(
[](network::mojom::NetworkContext* network_context) {
return network_context;
},
network_context);
return TransactFromQRCode(std::move(platform), std::move(factory),
root_secret, authenticator_name, qr_secret,
peer_identity, std::move(contact_id));
}
std::unique_ptr<Transaction> TransactFromFCM(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t, kRootSecretSize> root_secret,
std::array<uint8_t, kRoutingIdSize> routing_id,
base::span<const uint8_t, kTunnelIdSize> tunnel_id,
@ -1223,12 +1240,29 @@ std::unique_ptr<Transaction> TransactFromFCM(
Platform* const platform_ptr = platform.get();
return std::make_unique<CTAP2Processor>(
std::make_unique<TunnelTransport>(platform_ptr, network_context,
paired_secret, client_nonce, routing_id,
tunnel_id, IdentityKey(root_secret)),
std::make_unique<TunnelTransport>(
platform_ptr, std::move(network_context_factory), paired_secret,
client_nonce, routing_id, tunnel_id, IdentityKey(root_secret)),
std::move(platform));
}
} // namespace authenticator
} // namespace cablev2
} // namespace device
std::unique_ptr<Transaction> TransactFromFCMDeprecated(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
base::span<const uint8_t, kRootSecretSize> root_secret,
std::array<uint8_t, kRoutingIdSize> routing_id,
base::span<const uint8_t, kTunnelIdSize> tunnel_id,
base::span<const uint8_t, kPairingIDSize> pairing_id,
base::span<const uint8_t, kClientNonceSize> client_nonce,
std::optional<base::span<const uint8_t>> contact_id) {
NetworkContextFactory factory = base::BindRepeating(
[](network::mojom::NetworkContext* network_context) {
return network_context;
},
network_context);
return TransactFromFCM(std::move(platform), std::move(factory), root_secret,
std::move(routing_id), tunnel_id, pairing_id,
client_nonce, std::move(contact_id));
}
} // namespace device::cablev2::authenticator

35
device/fido/cable/v2_authenticator.h

@ -15,13 +15,11 @@
#include "base/functional/callback.h"
#include "device/fido/cable/v2_constants.h"
#include "device/fido/fido_constants.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
#include "device/fido/network_context_factory.h"
#include "third_party/abseil-cpp/absl/types/variant.h"
#include "third_party/blink/public/mojom/webauthn/authenticator.mojom-forward.h"
namespace device {
namespace cablev2 {
namespace authenticator {
namespace device::cablev2::authenticator {
// Platform abstracts the actions taken by the platform, i.e. the
// credential-store operations themselves, plus an interface for BLE
@ -138,7 +136,7 @@ std::unique_ptr<Transaction> TransactWithPlaintextTransport(
// contents of a QR code.
std::unique_ptr<Transaction> TransactFromQRCode(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t, kRootSecretSize> root_secret,
const std::string& authenticator_name,
// TODO: name this constant.
@ -146,9 +144,32 @@ std::unique_ptr<Transaction> TransactFromQRCode(
base::span<const uint8_t, kP256X962Length> peer_identity,
std::optional<std::vector<uint8_t>> contact_id);
// Deprecated, kept around while Android cable code is cleaned up. Use
// TransactFromQRCode instead.
std::unique_ptr<Transaction> TransactFromQRCodeDeprecated(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
base::span<const uint8_t, kRootSecretSize> root_secret,
const std::string& authenticator_name,
base::span<const uint8_t, 16> qr_secret,
base::span<const uint8_t, kP256X962Length> peer_identity,
std::optional<std::vector<uint8_t>> contact_id);
// TransactFromFCM starts a network-based transaction based on the decoded
// contents of a cloud message.
std::unique_ptr<Transaction> TransactFromFCM(
std::unique_ptr<Platform> platform,
NetworkContextFactory network_context_factory,
base::span<const uint8_t, kRootSecretSize> root_secret,
std::array<uint8_t, kRoutingIdSize> routing_id,
base::span<const uint8_t, kTunnelIdSize> tunnel_id,
base::span<const uint8_t, kPairingIDSize> pairing_id,
base::span<const uint8_t, kClientNonceSize> client_nonce,
std::optional<base::span<const uint8_t>> contact_id);
// Deprecated, kept around while Android cable code is cleaned up. Use
// TransactFromFCM instead.
std::unique_ptr<Transaction> TransactFromFCMDeprecated(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
base::span<const uint8_t, kRootSecretSize> root_secret,
@ -158,8 +179,6 @@ std::unique_ptr<Transaction> TransactFromFCM(
base::span<const uint8_t, kClientNonceSize> client_nonce,
std::optional<base::span<const uint8_t>> contact_id);
} // namespace authenticator
} // namespace cablev2
} // namespace device
} // namespace device::cablev2::authenticator
#endif // DEVICE_FIDO_CABLE_V2_AUTHENTICATOR_H_

16
device/fido/cable/v2_discovery.cc

@ -19,8 +19,7 @@
#include "device/fido/fido_parsing_utils.h"
#include "third_party/boringssl/src/include/openssl/aes.h"
namespace device {
namespace cablev2 {
namespace device::cablev2 {
namespace {
@ -49,7 +48,7 @@ void RecordEvent(CableV2DiscoveryEvent event) {
Discovery::Discovery(
FidoRequestType request_type,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::optional<base::span<const uint8_t, kQRKeySize>> qr_generator_key,
std::unique_ptr<AdvertEventStream> advert_stream,
std::unique_ptr<EventStream<std::unique_ptr<Pairing>>>
@ -62,7 +61,7 @@ Discovery::Discovery(
std::optional<base::RepeatingCallback<void(Event)>> event_callback)
: FidoDeviceDiscovery(FidoTransportProtocol::kHybrid),
request_type_(request_type),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
qr_keys_(KeysFromQRGeneratorKey(qr_generator_key)),
extension_keys_(KeysFromExtension(extension_contents)),
advert_stream_(std::move(advert_stream)),
@ -161,7 +160,7 @@ void Discovery::OnBLEAdvertSeen(base::span<const uint8_t, kAdvertSize> advert) {
event_callback_->Run(Event::kBLEAdvertReceived);
}
AddDevice(std::make_unique<cablev2::FidoTunnelDevice>(
network_context_, pairing_callback_, event_callback_,
network_context_factory_, pairing_callback_, event_callback_,
qr_keys_->qr_secret, qr_keys_->local_identity_seed, *plaintext));
return;
}
@ -177,7 +176,7 @@ void Discovery::OnBLEAdvertSeen(base::span<const uint8_t, kAdvertSize> advert) {
RecordEvent(CableV2DiscoveryEvent::kExtensionMatch);
device_committed_ = true;
AddDevice(std::make_unique<cablev2::FidoTunnelDevice>(
network_context_, base::DoNothing(), event_callback_,
network_context_factory_, base::DoNothing(), event_callback_,
extension.qr_secret, extension.local_identity_seed, *plaintext));
return;
}
@ -190,7 +189,7 @@ void Discovery::OnBLEAdvertSeen(base::span<const uint8_t, kAdvertSize> advert) {
void Discovery::OnContactDevice(std::unique_ptr<Pairing> pairing) {
auto pairing_copy = std::make_unique<Pairing>(*pairing);
tunnels_pending_advert_.emplace_back(std::make_unique<FidoTunnelDevice>(
request_type_, network_context_, std::move(pairing),
request_type_, network_context_factory_, std::move(pairing),
base::BindOnce(&Discovery::PairingIsInvalid, weak_factory_.GetWeakPtr(),
std::move(pairing_copy)),
event_callback_));
@ -249,5 +248,4 @@ std::vector<Discovery::UnpairedKeys> Discovery::KeysFromExtension(
return ret;
}
} // namespace cablev2
} // namespace device
} // namespace device::cablev2

5
device/fido/cable/v2_discovery.h

@ -20,6 +20,7 @@
#include "device/fido/cable/v2_constants.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_device_discovery.h"
#include "device/fido/network_context_factory.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
namespace device::cablev2 {
@ -36,7 +37,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) Discovery : public FidoDeviceDiscovery {
Discovery(
FidoRequestType request_type,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
std::optional<base::span<const uint8_t, kQRKeySize>> qr_generator_key,
std::unique_ptr<AdvertEventStream> advert_stream,
// contact_device_stream contains a series of pairings indicating that the
@ -80,7 +81,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) Discovery : public FidoDeviceDiscovery {
const std::vector<CableDiscoveryData>& extension_contents);
const FidoRequestType request_type_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
NetworkContextFactory network_context_factory_;
const std::optional<UnpairedKeys> qr_keys_;
const std::vector<UnpairedKeys> extension_keys_;
std::unique_ptr<AdvertEventStream> advert_stream_;

29
device/fido/cable/v2_test_util.cc

@ -25,6 +25,7 @@
#include "device/fido/cable/v2_handshake.h"
#include "device/fido/cable/websocket_adapter.h"
#include "device/fido/fido_constants.h"
#include "device/fido/network_context_factory.h"
#include "device/fido/virtual_ctap2_device.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
#include "mojo/public/cpp/bindings/remote.h"
@ -645,12 +646,12 @@ class LateLinkingDevice : public authenticator::Transaction {
public:
LateLinkingDevice(CtapDeviceResponseCode ctap_error,
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret,
base::span<const uint8_t, kP256X962Length> peer_identity)
: ctap_error_(ctap_error),
platform_(std::move(platform)),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
tunnel_id_(device::cablev2::Derive<EXTENT(tunnel_id_)>(
qr_secret,
base::span<uint8_t>(),
@ -670,7 +671,7 @@ class LateLinkingDevice : public authenticator::Transaction {
const GURL target = device::cablev2::tunnelserver::GetNewTunnelURL(
kTunnelServer, tunnel_id_);
network_context_->CreateWebSocket(
network_context_factory_.Run()->CreateWebSocket(
target, {device::kCableWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(),
/*additional_headers=*/{}, network::mojom::kBrowserProcessId,
@ -850,7 +851,7 @@ class LateLinkingDevice : public authenticator::Transaction {
const CtapDeviceResponseCode ctap_error_;
const std::unique_ptr<Platform> platform_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
const NetworkContextFactory network_context_factory_;
const std::array<uint8_t, kTunnelIdSize> tunnel_id_;
const std::array<uint8_t, kEIDKeySize> eid_key_;
const std::array<uint8_t, kP256X962Length> peer_identity_;
@ -867,10 +868,10 @@ class LateLinkingDevice : public authenticator::Transaction {
class HandshakeErrorDevice : public authenticator::Transaction {
public:
HandshakeErrorDevice(std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret)
: platform_(std::move(platform)),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
tunnel_id_(device::cablev2::Derive<EXTENT(tunnel_id_)>(
qr_secret,
base::span<uint8_t>(),
@ -889,7 +890,7 @@ class HandshakeErrorDevice : public authenticator::Transaction {
const GURL target = device::cablev2::tunnelserver::GetNewTunnelURL(
kTunnelServer, tunnel_id_);
network_context_->CreateWebSocket(
network_context_factory_.Run()->CreateWebSocket(
target, {device::kCableWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(),
/*additional_headers=*/{}, network::mojom::kBrowserProcessId,
@ -938,7 +939,7 @@ class HandshakeErrorDevice : public authenticator::Transaction {
}
const std::unique_ptr<Platform> platform_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
const NetworkContextFactory network_context_factory_;
const std::array<uint8_t, kTunnelIdSize> tunnel_id_;
const std::array<uint8_t, kEIDKeySize> eid_key_;
const std::vector<uint8_t> secret_;
@ -974,20 +975,20 @@ std::unique_ptr<authenticator::Platform> NewMockPlatform(
std::unique_ptr<Transaction> NewLateLinkingDevice(
CtapDeviceResponseCode ctap_error,
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret,
base::span<const uint8_t, kP256X962Length> peer_identity) {
return std::make_unique<LateLinkingDevice>(ctap_error, std::move(platform),
network_context, qr_secret,
peer_identity);
std::move(network_context_factory),
qr_secret, peer_identity);
}
std::unique_ptr<Transaction> NewHandshakeErrorDevice(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret) {
return std::make_unique<HandshakeErrorDevice>(std::move(platform),
network_context, qr_secret);
return std::make_unique<HandshakeErrorDevice>(
std::move(platform), std::move(network_context_factory), qr_secret);
}
} // namespace authenticator

5
device/fido/cable/v2_test_util.h

@ -13,6 +13,7 @@
#include "device/fido/cable/v2_authenticator.h"
#include "device/fido/cable/v2_constants.h"
#include "device/fido/cable/v2_discovery.h"
#include "device/fido/network_context_factory.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
namespace device {
@ -66,7 +67,7 @@ std::unique_ptr<Platform> NewMockPlatform(
std::unique_ptr<Transaction> NewLateLinkingDevice(
CtapDeviceResponseCode ctap_error,
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret,
base::span<const uint8_t, kP256X962Length> peer_identity);
@ -74,7 +75,7 @@ std::unique_ptr<Transaction> NewLateLinkingDevice(
// caBLEv2 handshake.
std::unique_ptr<Transaction> NewHandshakeErrorDevice(
std::unique_ptr<Platform> platform,
network::mojom::NetworkContext* network_context,
NetworkContextFactory network_context_factory,
base::span<const uint8_t> qr_secret);
} // namespace authenticator

8
device/fido/enclave/enclave_authenticator.cc

@ -72,9 +72,9 @@ EnclaveAuthenticator::EnclaveAuthenticator(
std::unique_ptr<CredentialRequest> ui_request,
base::RepeatingCallback<void(sync_pb::WebauthnCredentialSpecifics)>
save_passkey_callback,
raw_ptr<network::mojom::NetworkContext> network_context)
NetworkContextFactory network_context_factory)
: id_(RandomId()),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
ui_request_(std::move(ui_request)),
save_passkey_callback_(std::move(save_passkey_callback)) {}
@ -95,7 +95,7 @@ void EnclaveAuthenticator::MakeCredential(CtapMakeCredentialRequest request,
std::make_unique<PendingMakeCredentialRequest>(
std::move(request), std::move(options), std::move(callback));
Transact(network_context_, GetEnclaveIdentity(),
Transact(network_context_factory_, GetEnclaveIdentity(),
std::move(ui_request_->access_token),
/*reauthentication_token=*/std::nullopt,
BuildMakeCredentialCommand(
@ -116,7 +116,7 @@ void EnclaveAuthenticator::GetAssertion(CtapGetAssertionRequest request,
pending_get_assertion_request_ = std::make_unique<PendingGetAssertionRequest>(
request, options, std::move(callback));
Transact(network_context_, GetEnclaveIdentity(),
Transact(network_context_factory_, GetEnclaveIdentity(),
std::move(ui_request_->access_token),
/*reauthentication_token=*/std::nullopt,
BuildGetAssertionCommand(

5
device/fido/enclave/enclave_authenticator.h

@ -26,6 +26,7 @@
#include "device/fido/enclave/enclave_websocket_client.h"
#include "device/fido/fido_authenticator.h"
#include "device/fido/fido_types.h"
#include "device/fido/network_context_factory.h"
#include "services/network/public/mojom/network_context.mojom.h"
#include "url/gurl.h"
@ -40,7 +41,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) EnclaveAuthenticator
std::unique_ptr<CredentialRequest> ui_request,
base::RepeatingCallback<void(sync_pb::WebauthnCredentialSpecifics)>
save_passkey_callback,
raw_ptr<network::mojom::NetworkContext> network_context);
NetworkContextFactory network_context_factory);
~EnclaveAuthenticator() override;
EnclaveAuthenticator(const EnclaveAuthenticator&) = delete;
@ -103,7 +104,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) EnclaveAuthenticator
std::vector<AuthenticatorGetAssertionResponse> responses);
const std::array<uint8_t, 8> id_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
const NetworkContextFactory network_context_factory_;
const std::unique_ptr<CredentialRequest> ui_request_;
// Callback for storing a newly-created passkey.

7
device/fido/enclave/enclave_discovery.cc

@ -26,11 +26,11 @@ EnclaveAuthenticatorDiscovery::EnclaveAuthenticatorDiscovery(
std::unique_ptr<
FidoDiscoveryBase::EventStream<std::unique_ptr<CredentialRequest>>>
ui_request_stream,
raw_ptr<network::mojom::NetworkContext> network_context)
NetworkContextFactory network_context_factory)
: FidoDiscoveryBase(FidoTransportProtocol::kInternal),
ui_request_stream_(std::move(ui_request_stream)),
save_passkey_callback_(std::move(save_passkey_callback)),
network_context_(network_context) {
network_context_factory_(std::move(network_context_factory)) {
ui_request_stream_->Connect(base::BindRepeating(
&EnclaveAuthenticatorDiscovery::OnUIRequest, base::Unretained(this)));
}
@ -46,7 +46,8 @@ void EnclaveAuthenticatorDiscovery::Start() {
void EnclaveAuthenticatorDiscovery::OnUIRequest(
std::unique_ptr<CredentialRequest> request) {
auto authenticator = std::make_unique<EnclaveAuthenticator>(
std::move(request), std::move(save_passkey_callback_), network_context_);
std::move(request), std::move(save_passkey_callback_),
network_context_factory_);
auto* ptr = authenticator.get();
authenticators_.emplace_back(std::move(authenticator));
observer()->AuthenticatorAdded(this, ptr);

6
device/fido/enclave/enclave_discovery.h

@ -27,12 +27,14 @@ class EnclaveAuthenticator;
class COMPONENT_EXPORT(DEVICE_FIDO) EnclaveAuthenticatorDiscovery
: public FidoDiscoveryBase {
public:
using NetworkContextFactory =
base::RepeatingCallback<network::mojom::NetworkContext*()>;
EnclaveAuthenticatorDiscovery(
base::RepeatingCallback<void(sync_pb::WebauthnCredentialSpecifics)>
save_passkey_callback,
std::unique_ptr<EventStream<std::unique_ptr<CredentialRequest>>>
ui_request_stream,
raw_ptr<network::mojom::NetworkContext> network_context);
NetworkContextFactory network_context_factory);
~EnclaveAuthenticatorDiscovery() override;
// FidoDiscoveryBase:
@ -47,7 +49,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) EnclaveAuthenticatorDiscovery
ui_request_stream_;
base::RepeatingCallback<void(sync_pb::WebauthnCredentialSpecifics)>
save_passkey_callback_;
raw_ptr<network::mojom::NetworkContext> network_context_;
NetworkContextFactory network_context_factory_;
std::unique_ptr<EventStream<std::optional<std::string_view>>>
oauth_token_provider_;

7
device/fido/enclave/enclave_websocket_client.cc

@ -9,6 +9,7 @@
#include "components/device_event_log/device_event_log.h"
#include "device/fido/fido_constants.h"
#include "device/fido/fido_parsing_utils.h"
#include "device/fido/network_context_factory.h"
#include "net/http/http_request_headers.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
@ -77,13 +78,13 @@ EnclaveWebSocketClient::EnclaveWebSocketClient(
const GURL& service_url,
std::string access_token,
std::optional<std::string> reauthentication_token,
raw_ptr<network::mojom::NetworkContext> network_context,
NetworkContextFactory network_context_factory,
OnResponseCallback on_response)
: state_(State::kInitialized),
service_url_(service_url),
access_token_(std::move(access_token)),
reauthentication_token_(std::move(reauthentication_token)),
network_context_(network_context),
network_context_factory_(std::move(network_context_factory)),
on_response_(std::move(on_response)),
readable_watcher_(FROM_HERE, mojo::SimpleWatcher::ArmingPolicy::MANUAL) {}
@ -127,7 +128,7 @@ void EnclaveWebSocketClient::Connect() {
"Reauthentication", *reauthentication_token_));
}
network_context_->CreateWebSocket(
network_context_factory_.Run()->CreateWebSocket(
service_url_, {kEnclaveWebSocketProtocol}, net::SiteForCookies(),
/*has_storage_access=*/false, net::IsolationInfo(),
std::move(additional_headers), network::mojom::kBrowserProcessId,

14
device/fido/enclave/enclave_websocket_client.h

@ -14,6 +14,7 @@
#include "base/functional/callback_forward.h"
#include "base/memory/raw_ptr.h"
#include "base/sequence_checker.h"
#include "device/fido/network_context_factory.h"
#include "mojo/public/cpp/bindings/receiver.h"
#include "mojo/public/cpp/bindings/remote.h"
#include "mojo/public/cpp/system/simple_watcher.h"
@ -36,12 +37,11 @@ class EnclaveWebSocketClient : public network::mojom::WebSocketHandshakeClient,
base::RepeatingCallback<void(SocketStatus,
std::optional<std::vector<uint8_t>>)>;
EnclaveWebSocketClient(
const GURL& service_url,
std::string access_token,
std::optional<std::string> reauthentication_token,
raw_ptr<network::mojom::NetworkContext> network_context,
OnResponseCallback on_reponse);
EnclaveWebSocketClient(const GURL& service_url,
std::string access_token,
std::optional<std::string> reauthentication_token,
NetworkContextFactory network_context_factory,
OnResponseCallback on_reponse);
~EnclaveWebSocketClient() override;
EnclaveWebSocketClient(const EnclaveWebSocketClient&) = delete;
@ -92,7 +92,7 @@ class EnclaveWebSocketClient : public network::mojom::WebSocketHandshakeClient,
const GURL service_url_;
const std::string access_token_;
const std::optional<std::string> reauthentication_token_;
const raw_ptr<network::mojom::NetworkContext> network_context_;
NetworkContextFactory network_context_factory_;
OnResponseCallback on_response_;
// pending_read_data_ contains a partial message that is being reassembled.

6
device/fido/enclave/transact.cc

@ -15,6 +15,7 @@
#include "device/fido/cable/v2_handshake.h"
#include "device/fido/enclave/enclave_protocol_utils.h"
#include "device/fido/enclave/enclave_websocket_client.h"
#include "device/fido/network_context_factory.h"
namespace device::enclave {
@ -129,7 +130,7 @@ struct Transaction : base::RefCounted<Transaction> {
} // namespace
void Transact(raw_ptr<network::mojom::NetworkContext> network_context,
void Transact(NetworkContextFactory network_context_factory,
const EnclaveIdentity& enclave,
std::string access_token,
std::optional<std::string> reauthentication_token,
@ -142,7 +143,8 @@ void Transact(raw_ptr<network::mojom::NetworkContext> network_context,
transaction->set_client(std::make_unique<EnclaveWebSocketClient>(
enclave.url, std::move(access_token), std::move(reauthentication_token),
network_context, base::BindRepeating(&Transaction::OnData, transaction)));
std::move(network_context_factory),
base::BindRepeating(&Transaction::OnData, transaction)));
transaction->Start();
}

7
device/fido/enclave/transact.h

@ -12,12 +12,9 @@
#include "base/functional/callback_forward.h"
#include "base/memory/raw_ptr.h"
#include "device/fido/enclave/types.h"
#include "device/fido/network_context_factory.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
namespace network::mojom {
class NetworkContext;
}
namespace cbor {
class Value;
}
@ -29,7 +26,7 @@ namespace device::enclave {
// Serialises and sends `request` and calls `callback` with the response, or
// else `nullopt` if there was an error.
COMPONENT_EXPORT(DEVICE_FIDO)
void Transact(raw_ptr<network::mojom::NetworkContext> network_context,
void Transact(NetworkContextFactory network_context_factory,
const EnclaveIdentity& enclave,
std::string access_token,
std::optional<std::string> reauthentication_token,

13
device/fido/fido_discovery_factory.cc

@ -87,8 +87,8 @@ std::vector<std::unique_ptr<FidoDiscoveryBase>> FidoDiscoveryFactory::Create(
&CableDiscoveryData::version);
if (qr_generator_key_.has_value() || have_v2_discovery_data) {
ret.emplace_back(std::make_unique<cablev2::Discovery>(
request_type_.value(), network_context_, qr_generator_key_,
v1_discovery->GetV2AdvertStream(),
request_type_.value(), network_context_factory_,
qr_generator_key_, v1_discovery->GetV2AdvertStream(),
std::move(contact_device_stream_),
cable_data_.value_or(std::vector<CableDiscoveryData>()),
std::move(cable_pairing_callback_),
@ -148,11 +148,6 @@ void FidoDiscoveryFactory::set_android_accessory_params(
aoa_request_description_ = std::move(aoa_request_description);
}
void FidoDiscoveryFactory::set_network_context(
network::mojom::NetworkContext* network_context) {
network_context_ = network_context;
}
void FidoDiscoveryFactory::set_cable_pairing_callback(
base::RepeatingCallback<void(std::unique_ptr<cablev2::Pairing>)> callback) {
cable_pairing_callback_ = std::move(callback);
@ -271,13 +266,13 @@ void FidoDiscoveryFactory::MaybeCreateEnclaveDiscovery(
std::vector<std::unique_ptr<FidoDiscoveryBase>>& discoveries) {
if (!base::FeatureList::IsEnabled(kWebAuthnEnclaveAuthenticator) ||
!enclave_passkey_creation_callback_ || !enclave_ui_request_stream_ ||
!network_context_) {
!network_context_factory_) {
return;
}
discoveries.emplace_back(
std::make_unique<enclave::EnclaveAuthenticatorDiscovery>(
std::move(enclave_passkey_creation_callback_),
std::move(enclave_ui_request_stream_), network_context_));
std::move(enclave_ui_request_stream_), network_context_factory_));
}
#endif

8
device/fido/fido_discovery_factory.h

@ -25,6 +25,7 @@
#include "device/fido/fido_request_handler_base.h"
#include "device/fido/fido_transport_protocol.h"
#include "device/fido/hid/fido_hid_discovery.h"
#include "device/fido/network_context_factory.h"
#include "mojo/public/cpp/bindings/remote.h"
#include "services/device/public/mojom/usb_manager.mojom.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
@ -71,7 +72,10 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoDiscoveryFactory {
mojo::Remote<device::mojom::UsbDeviceManager>,
std::string aoa_request_description);
void set_network_context(network::mojom::NetworkContext*);
void set_network_context_factory(
NetworkContextFactory network_context_factory) {
network_context_factory_ = std::move(network_context_factory);
}
// set_cable_pairing_callback installs a repeating callback that will be
// called when a QR handshake results in a phone wishing to pair with this
@ -170,7 +174,7 @@ class COMPONENT_EXPORT(DEVICE_FIDO) FidoDiscoveryFactory {
std::optional<mojo::Remote<device::mojom::UsbDeviceManager>>
usb_device_manager_;
std::string aoa_request_description_;
raw_ptr<network::mojom::NetworkContext> network_context_ = nullptr;
NetworkContextFactory network_context_factory_;
std::optional<std::vector<CableDiscoveryData>> cable_data_;
std::optional<std::array<uint8_t, cablev2::kQRKeySize>> qr_generator_key_;
std::optional<FidoRequestType> request_type_;

19
device/fido/network_context_factory.h Normal file

@ -0,0 +1,19 @@
// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef DEVICE_FIDO_NETWORK_CONTEXT_FACTORY_H_
#define DEVICE_FIDO_NETWORK_CONTEXT_FACTORY_H_
#include "base/functional/callback_forward.h"
namespace network::mojom {
class NetworkContext;
} // namespace network::mojom
namespace device {
using NetworkContextFactory =
base::RepeatingCallback<network::mojom::NetworkContext*()>;
} // namespace device
#endif // DEVICE_FIDO_NETWORK_CONTEXT_FACTORY_H_