[PM-5731] Create C# WebAuthn authenticator to support maui apps (#2951)

* [PM-5731] feat: implement get assertion params object

* [PM-5731] feat: add first test

* [PM-5731] feat: add rp mismatch test

* [PM-5731] feat: ask for credentials when found

* [PM-5731] feat: find discoverable credentials

* [PM-5731] feat: add tests for successful UV requests

* [PM-5731] feat: add user does not consent test

* [PM-5731] feat: check for UV when reprompt is active

* [PM-5731] fix: tests a bit, needed some additional "arrange" steps

* [PM-5731] feat: add support for counter

* [PM-5731] feat: implement assertion without signature

* [PM-5732] feat: finish authenticator assertion implementation

note: CryptoFunctionService still needs Sign implemenation

* [PM-5731] chore: minor clean up

* [PM-5731] feat: scaffold make credential

* [PM-5731] feat: start implementing attestation

* [PM-5731] feat: implement credential exclusion

* [PM-5731] feat: add new credential confirmaiton

* [PM-5731] feat: implement credential creation

* [PM-5731] feat: add user verification checks

* [PM-5731] feat: add unknown error handling

* [PM-5731] chore: clean up unusued params

* [PM-5731] feat: partial attestation implementation

* [PM-5731] feat: implement key generation

* [PM-5731] feat: return public key in DER format

* [PM-5731] feat: implement signing

* [PM-5731] feat: remove logging

* [PM-5731] chore: use primary constructor

* [PM-5731] chore: add Async to method names

* [PM-5731] feat: add support for silent discoverability

* [PM-5731] feat: add support for specifying user presence requirement

* [PM-5731] feat: ensure unlocked vault

* [PM-5731] chore: clean up and refactor assertion tests

* [PM-5731] chore: clean up and refactor attestation tests

* [PM-5731] chore: add user presence todo comment

* [PM-5731] feat: scaffold fido2 client

* PM-5731 Fix build updating discoverable flag

* [PM-5731] fix: failing test

* [PM-5731] feat: add sameOriginWithAncestor and user id length checks

* [PM-5731] feat: add incomplete rpId verification

* [PM-5731] chore: document uri helpers

* [PM-5731] feat: implement fido2 client createCredential

* [PM-5731] feat: implement credential assertion in client

* fix wrong signature format

(cherry picked from commit a1c9ebf01f)

* [PM-5731] fix: issues after cherry-pick

* Fix incompatible GUID conversions

(cherry picked from commit c801b2fc3a)

* [PM-5731] chore: remove default constructor

* [PM-5731] feat: refactor user interface to increase flexibility

* [PM-5731] feat: implement generic assertion user interface class

* [PM-5731] feat: remove ability to make user presence optional

* [PM-5731] chore: remove logging comments

* [PM-5731] feat: add native reprompt support to the authenticator

* [PM-5731] feat: allow pre and post UV

* [PM-5731] chore: add `Async` to method name. Remove `I` from struct

* [PM-5731] fix: discoverable string repr lowercase

* [PM-5731] chore: don't use C# 12 features

* [PM-5731] fix: replace magic strings and numbers with contants and enums

* [PM-5731] fix: use UTC creation date

* [PM-5731] fix: formatting

* [PM-5731] chore: use properties for public fields

* [PM-5731] chore: remove TODO

* [PM-5731] fix: IsValidRpId

---------

Co-authored-by: Federico Maccaroni <fedemkr@gmail.com>
Co-authored-by: mpbw2 <59324545+mpbw2@users.noreply.github.com>

test/Core.Test/Services/Fido2ClientAssertCredentialTests.cs

@@ -0,0 +1,224 @@
+using System;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using System.Threading.Tasks;
+using Bit.Core.Abstractions;
+using Bit.Core.Services;
+using Bit.Core.Utilities;
+using Bit.Core.Utilities.Fido2;
+using Bit.Test.Common.AutoFixture;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.Services
+{
+    public class Fido2ClientAssertCredentialTests : IDisposable
+    {
+        private readonly SutProvider<Fido2ClientService> _sutProvider = new SutProvider<Fido2ClientService>().Create();
+
+        private Fido2ClientAssertCredentialParams _params;
+
+        public Fido2ClientAssertCredentialTests()
+        {
+            _params = new Fido2ClientAssertCredentialParams {
+                Origin = "https://bitwarden.com",
+                Challenge = RandomBytes(32),
+                RpId = "bitwarden.com",
+                UserVerification = "required",
+                AllowCredentials = [
+                    new PublicKeyCredentialDescriptor {
+                        Id = RandomBytes(32),
+                        Type = Constants.DefaultFido2CredentialType
+                    }
+                ],
+                Timeout = 60000,
+            };
+
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([]);
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(true);
+        }
+
+        public void Dispose() 
+        {
+        }
+
+        [Fact(Skip = "Not sure how to check this, or if it matters.")]
+        // Spec: If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.
+        public Task AssertCredentialAsync_ThrowsNotAllowedError_OriginIsOpaque() => throw new NotImplementedException();
+
+        [Fact]
+        // Spec: Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, 
+        //       then return a DOMException whose name is "SecurityError" and terminate this algorithm.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_OriginIsNotValidDomain()
+        {
+            // Arrange
+            _params.Origin = "invalid-domain-name";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, 
+        //       return a DOMException whose name is "SecurityError", and terminate this algorithm.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_RpIdIsNotValidForOrigin()
+        {
+            // Arrange
+            _params.Origin = "https://passwordless.dev";
+            _params.RpId = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: The origin's scheme must be https.
+        public async Task AssertCredentialAsync_ThrowsSecurityError_OriginIsNotHttps()
+        {
+            // Arrange
+            _params.Origin = "http://bitwarden.com";
+            _params.RpId = "bitwarden.com";
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.SecurityError, exception.Code);
+        }
+
+        [Fact]
+        // Spec: If the origin's hostname is a blocked uri, then return UriBlockedError.
+        public async Task AssertCredentialAsync_ThrowsUriBlockedError_OriginIsBlocked()
+        {
+            // Arrange
+            _params.Origin = "https://sub.bitwarden.com";
+            _sutProvider.GetDependency<IStateService>().GetAutofillBlacklistedUrisAsync().Returns([
+                "sub.bitwarden.com"
+            ]);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UriBlockedError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsInvalidStateError_AuthenticatorThrowsInvalidStateError()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>(), _sutProvider.GetDependency<IFido2GetAssertionUserInterface>())
+                .Throws(new InvalidStateError());
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        // This keeps sensetive information form leaking
+        public async Task AssertCredentialAsync_ThrowsUnknownError_AuthenticatorThrowsUnknownError()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>(), _sutProvider.GetDependency<IFido2GetAssertionUserInterface>())
+                .Throws(new Exception("unknown error"));
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.UnknownError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsInvalidStateError_UserIsLoggedOut()
+        {
+            // Arrange
+            _sutProvider.GetDependency<IStateService>().IsAuthenticatedAsync().Returns(false);
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.InvalidStateError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ThrowsNotAllowedError_OriginIsBitwardenVault()
+        {
+            // Arrange
+            _params.Origin = "https://vault.bitwarden.com";
+            _sutProvider.GetDependency<IEnvironmentService>().GetWebVaultUrl().Returns("https://vault.bitwarden.com");
+
+            // Act
+            var exception = await Assert.ThrowsAsync<Fido2ClientException>(() => _sutProvider.Sut.AssertCredentialAsync(_params));
+
+            // Assert
+            Assert.Equal(Fido2ClientException.ErrorCode.NotAllowedError, exception.Code);
+        }
+
+        [Fact]
+        public async Task AssertCredentialAsync_ReturnsAssertion()
+        {
+            // Arrange
+            _params.UserVerification = "required";
+            var authenticatorResult = new Fido2AuthenticatorGetAssertionResult {
+                AuthenticatorData = RandomBytes(32),
+                SelectedCredential = new Fido2AuthenticatorGetAssertionSelectedCredential {
+                    Id = RandomBytes(16),
+                    UserHandle = RandomBytes(32)
+                },
+                Signature = RandomBytes(32)
+            };
+            _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .GetAssertionAsync(Arg.Any<Fido2AuthenticatorGetAssertionParams>(), _sutProvider.GetDependency<IFido2GetAssertionUserInterface>())
+                .Returns(authenticatorResult);
+
+            // Act
+            var result = await _sutProvider.Sut.AssertCredentialAsync(_params);
+
+            // Assert
+            await _sutProvider.GetDependency<IFido2AuthenticatorService>()
+                .Received()
+                .GetAssertionAsync(
+                    Arg.Is<Fido2AuthenticatorGetAssertionParams>(x =>
+                        x.RpId == _params.RpId &&
+                        x.RequireUserVerification == true &&
+                        x.AllowCredentialDescriptorList.Length == 1 &&
+                        x.AllowCredentialDescriptorList[0].Id == _params.AllowCredentials[0].Id
+                    ), 
+                    _sutProvider.GetDependency<IFido2GetAssertionUserInterface>()
+                );
+
+            Assert.Equal(authenticatorResult.SelectedCredential.Id, result.RawId);
+            Assert.Equal(CoreHelpers.Base64UrlEncode(authenticatorResult.SelectedCredential.Id), result.Id);
+            Assert.Equal(authenticatorResult.AuthenticatorData, result.AuthenticatorData);
+            Assert.Equal(authenticatorResult.Signature, result.Signature);
+
+            var clientDataJSON = JsonSerializer.Deserialize<JsonObject>(Encoding.UTF8.GetString(result.ClientDataJSON));
+            Assert.Equal("webauthn.get", clientDataJSON["type"].GetValue<string>());
+            Assert.Equal(CoreHelpers.Base64UrlEncode(_params.Challenge), clientDataJSON["challenge"].GetValue<string>());
+            Assert.Equal(_params.Origin, clientDataJSON["origin"].GetValue<string>());
+            Assert.Equal(!_params.SameOriginWithAncestors, clientDataJSON["crossOrigin"].GetValue<bool>());
+        }
+
+        private byte[] RandomBytes(int length)
+        {
+            var bytes = new byte[length];
+            new Random().NextBytes(bytes);
+            return bytes;
+        }
+    }
+}