ChangeLog

2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI

        https://bugs.webkit.org/show_bug.cgi?id=208533

        <rdar://problem/60010184>

        Reviewed by NOBODY (OOPS!).

        Covered by new tests within existing test files.

        * en.lproj/Localizable.strings:

        * platform/LocalizedStrings.cpp:

        (WebCore::touchIDPromptTitle):

        (WebCore::biometricFallbackPromptTitle):

        * platform/LocalizedStrings.h:

        Adds localized strings to support the customized LocalAuthentication dialog.

2020-03-02  Per Arne Vollan  <pvollan@apple.com>

        [Cocoa] Mapping from MIME type to UTI type should be done in the UI process

Source/WebKit/ChangeLog

2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI

        https://bugs.webkit.org/show_bug.cgi?id=208533

        <rdar://problem/60010184>

        Reviewed by NOBODY (OOPS!).

        This patch implements the above SPI to replace -[_WKWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:].

        The original SPI is designed on the premise that Safari is going to highly customize the LocalAuthentication UI, and that is not happening

        anymore. Therefore, WebKit takes back the invocation of LocalAuthentication and offer a new SPI to tell clients when WebKit is about to

        show LocalAuthentication UI. Clients then have the trigger to pull at their pleasure.

        This patch implements all plumbings to replace the SPI. Besides that, this patch also:

        1) enhances the LocalConnection::verifyUser with a slightly customized LocalAuthentication dialog;

        2) adds the SPI used above into the SPI header;

        3) makes _WKWebAuthenticationPanelDelegate.transports as a NSSet instead of a NSArray;

        4) lets LocalService::isAvailable return false if Apple attestation is not available.

        * Platform/spi/Cocoa/LocalAuthenticationSPI.h:

        * UIProcess/API/APIWebAuthenticationPanelClient.h:

        (API::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):

        (API::WebAuthenticationPanelClient::verifyUser const): Deleted.

        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h:

        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:

        (-[_WKWebAuthenticationPanel transports]):

        * UIProcess/WebAuthentication/Authenticator.h:

        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:

        (WebKit::AuthenticatorManager::decidePolicyForLocalAuthenticator):

        (WebKit::AuthenticatorManager::verifyUser): Deleted.

        * UIProcess/WebAuthentication/AuthenticatorManager.h:

        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h:

        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:

        (WebKit::LocalAuthenticator::makeCredential):

        (WebKit::LocalAuthenticator::continueMakeCredentialAfterDecidePolicy):

        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserVerification):

        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):

        (WebKit::LocalAuthenticator::getAssertion):

        (WebKit::LocalAuthenticator::continueGetAssertionAfterResponseSelected):

        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserVerification):

        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented): Deleted.

        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented): Deleted.

        * UIProcess/WebAuthentication/Cocoa/LocalConnection.h:

        * UIProcess/WebAuthentication/Cocoa/LocalConnection.mm:

        (WebKit::LocalConnection::verifyUser const):

        (WebKit::LocalConnection::isUnlocked const): Deleted.

        * UIProcess/WebAuthentication/Cocoa/LocalService.mm:

        (WebKit::LocalService::isAvailable):

        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h:

        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:

        (WebKit::WebAuthenticationPanelClient::WebAuthenticationPanelClient):

        (WebKit::localAuthenticatorPolicy):

        (WebKit::WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator const):

        (WebKit::WebAuthenticationPanelClient::verifyUser const): Deleted.

        * UIProcess/WebAuthentication/Mock/MockLocalConnection.h:

        * UIProcess/WebAuthentication/Mock/MockLocalConnection.mm:

        (WebKit::MockLocalConnection::verifyUser const):

        (WebKit::MockLocalConnection::isUnlocked const): Deleted.

        * UIProcess/WebAuthentication/WebAuthenticationFlags.h:

2020-03-02  Per Arne Vollan  <pvollan@apple.com>

        [Cocoa] Mapping from MIME type to UTI type should be done in the UI process

Source/WebCore/en.lproj/Localizable.strings

/* Video Enter Full Screen context menu item */

"Enter Full Screen" = "Enter Full Screen";

/* Use passcode as a fallback to sign into this website */

"Enter passcode to sign into this website." = "Enter passcode to sign into this website.";

/* menu item */

"Enter Picture in Picture" = "Enter Picture in Picture";

/* prompt string in authentication panel */

"To view this page, you must log in to this area on %@:" = "To view this page, you must log in to this area on %@:";

/* Use Touch ID to sign into this website */

"Touch ID to sign into this website." = "Touch ID to sign into this website.";

/* Transformations context sub-menu item */

"Transformations" = "Transformations";

Source/WebCore/platform/LocalizedStrings.cpp

@@String unacceptableTLSCertificate()

}

#endif

#if ENABLE(WEB_AUTHN)

String touchIDPromptTitle()

{

    return WEB_UI_STRING("Touch ID to sign into this website.", "Use Touch ID to sign into this website");

}

String biometricFallbackPromptTitle()

{

    return WEB_UI_STRING("Enter passcode to sign into this website.", "Use passcode as a fallback to sign into this website");

}

#endif

12101222} // namespace WebCore

Source/WebCore/platform/LocalizedStrings.h

@@namespace WebCore {

    WEBCORE_EXPORT String datePickerYearLabelTitle();

#endif

#if ENABLE(WEB_AUTHN)

    WEBCORE_EXPORT String touchIDPromptTitle();

    WEBCORE_EXPORT String biometricFallbackPromptTitle();

#endif

#if USE(GLIB) && defined(GETTEXT_PACKAGE)

#define WEB_UI_STRING(string, description) WebCore::localizedString(_(string))

#define WEB_UI_STRING_KEY(string, key, description) WebCore::localizedString(C_(key, string))

Source/WebKit/Platform/spi/Cocoa/LocalAuthenticationSPI.h

#else

typedef NS_ENUM(NSInteger, LAOption) {

37 LAOptionNotInteractive,

37 LAOptionAuthenticationTitle,

38 LAOptionPasscodeTitle,

};

@interface LAContext(Private) <NSSecureCoding>

42 - (~~NSD~~ictionary *)evaluatePol~~icy~~:(LAPol~~icy~~)p~~olicy~~ options:(NSDictionary *)options ~~error~~:(NSError **)error;

43- (void)evaluateAccessControl:(SecAccessControlRef)accessControl operation:(LAAccessControlOperation)operation options:(NSDictionary *)options reply:(void(^)(NSDictionary *result, NSError *error))reply;

@end

Source/WebKit/UIProcess/API/APIWebAuthenticationPanelClient.h

#if ENABLE(WEB_AUTHN)

30#include "WebAuthenticationFlags.h"

#include <wtf/CompletionHandler.h>

#include <wtf/HashSet.h>

#include <wtf/RefCounted.h>

@@namespace WebCore {

class AuthenticatorAssertionResponse;

}

namespace WebKit {

enum class WebAuthenticationStatus : uint8_t;

enum class WebAuthenticationResult : bool;

}

namespace API {

class WebAuthenticationPanelClient {

@@public:

    virtual void dismissPanel(WebKit::WebAuthenticationResult) const { }

    virtual void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&& completionHandler) const { completionHandler(emptyString()); }

    virtual void selectAssertionResponse(Vector<Ref<WebCore::AuthenticatorAssertionResponse>>&& responses, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&& completionHandler) const { ASSERT(!responses.isEmpty()); completionHandler(responses[0]); }

58 virtual void ver~~ifyUser(SecAccessControlRef,~~ CompletionHandler<void(L~~AContex~~t *)>&& completionHandler) const { completionHandler(nu~~llptr~~); }

54 virtual void decidePolicyForLocalAuthenticator(CompletionHandler<void(WebKit::LocalAuthenticatorPolicy)>&& completionHandler) const { completionHandler(WebKit::LocalAuthenticatorPolicy::Disallow); }

};

} // namespace API

Source/WebKit/UIProcess/API/C/WKPage.cpp

#include "APIPolicyClient.h"

#include "APISessionState.h"

#include "APIUIClient.h"

50#include "APIWebAuthenticationPanel.h"

51#include "APIWebAuthenticationPanelClient.h"

#include "APIWebsitePolicies.h"

#include "APIWindowFeatures.h"

#include "AuthenticationChallengeDisposition.h"

@@void WKPageSetPageUIClient(WKPageRef pageRef, const WKPageUIClientBase* wkClient

#if ENABLE(WEB_AUTHN)

        // The current method is specialized for WebKitTestRunner.

2082 void runWebAuthenticationPanel(WebPageProxy&, API::WebAuthenticationPanel&, WebFrameProxy&, FrameInfoData&&, CompletionHandler<void(WebKit::WebAuthenticationPanelResult)>&& completionHandler) final

2084 void runWebAuthenticationPanel(WebPageProxy&, API::WebAuthenticationPanel& panel, WebFrameProxy&, FrameInfoData&&, CompletionHandler<void(WebKit::WebAuthenticationPanelResult)>&& completionHandler) final

20832085 {

            class PanelClient : public API::WebAuthenticationPanelClient {

            public:

                void decidePolicyForLocalAuthenticator(CompletionHandler<void(WebKit::LocalAuthenticatorPolicy)>&& completionHandler) const { completionHandler(WebKit::LocalAuthenticatorPolicy::Allow); }

            };

            if (!m_client.runWebAuthenticationPanel) {

                completionHandler(WebKit::WebAuthenticationPanelResult::Unavailable);

                return;

            }

2095

2096 panel.setClient(WTF::makeUniqueRef<PanelClient>());

            completionHandler(WebKit::WebAuthenticationPanelResult::Presented);

        }

#endif

Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h

@@typedef NS_ENUM(NSInteger, _WKWebAuthenticationType) {

    _WKWebAuthenticationTypeGet,

} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

typedef NS_ENUM(NSInteger, _WKLocalAuthenticatorPolicy) {

    _WKLocalAuthenticatorPolicyAllow,

    _WKLocalAuthenticatorPolicyDisallow,

} WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

@protocol _WKWebAuthenticationPanelDelegate <NSObject>

@optional

@@typedef NS_ENUM(NSInteger, _WKWebAuthenticationType) {

- (void)panel:(_WKWebAuthenticationPanel *)panel dismissWebAuthenticationPanelWithResult:(_WKWebAuthenticationResult)result WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

- (void)panel:(_WKWebAuthenticationPanel *)panel requestPINWithRemainingRetries:(NSUInteger)retries completionHandler:(void (^)(NSString *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

- (void)panel:(_WKWebAuthenticationPanel *)panel selectAssertionResponse:(NSArray < _WKWebAuthenticationAssertionResponse *> *)responses completionHandler:(void (^)(_WKWebAuthenticationAssertionResponse *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

79 - (void)panel:(_WKWebAuthenticationPanel *)panel ver~~ifyUse~~rWith~~AccessControl:(SecAccessControlRef)accessControl c~~ompletionHandler:(void (^)(L~~AContex~~t *))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

84- (void)panel:(_WKWebAuthenticationPanel *)panel decidePolicyForLocalAuthenticatorWithCompletionHandler:(void (^)(_WKLocalAuthenticatorPolicy policy))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));

@end

@@WK_CLASS_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA))

@property (nullable, nonatomic, weak) id <_WKWebAuthenticationPanelDelegate> delegate;

@property (nonatomic, readonly, copy) NSString *relyingPartyID;

88 @property (nonatomic, readonly, copy) NS~~Array~~ *transports;

93@property (nonatomic, readonly, copy) NSSet *transports;

@property (nonatomic, readonly) _WKWebAuthenticationType type;

- (void)cancel;

Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@implementation _WKWebAuthenticationPanel {

#if ENABLE(WEB_AUTHN)

    WeakPtr<WebKit::WebAuthenticationPanelClient> _client;

36 RetainPtr<NSMutable~~Array~~> _transports;

36 RetainPtr<NSMutableSet> _transports;

#endif

}

@@static _WKWebAuthenticationTransport wkWebAuthenticationTransport(WebCore::Authe

    }

}

84 - (NS~~Array~~ *)transports

84- (NSSet *)transports

{

    if (_transports)

        return _transports.get();

    auto& transports = _panel->transports();

90 _transports = [[NSMutable~~Array~~ alloc] initWithCapacity:transports.size()];

90 _transports = [[NSMutableSet alloc] initWithCapacity:transports.size()];

    for (auto& transport : transports)

        [_transports addObject:adoptNS([[NSNumber alloc] initWithInt:wkWebAuthenticationTransport(transport)]).get()];

    return _transports.get();

Source/WebKit/UIProcess/WebAuthentication/Authenticator.h

@@public:

        virtual void authenticatorStatusUpdated(WebAuthenticationStatus) = 0;

        virtual void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) = 0;

        virtual void selectAssertionResponse(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) = 0;

59 virtual void ver~~ifyUser(SecAccessControlRef,~~ CompletionHandler<void(L~~AContex~~t *)>&&) = 0;

59 virtual void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) = 0;

    };

    virtual ~Authenticator() = default;

Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

@@void AuthenticatorManager::selectAssertionResponse(const HashSet<Ref<Authenticat

    });

}

298 void AuthenticatorManager::ver~~ifyUser(SecAccessControlRef accessControlRef,~~ CompletionHandler<void(L~~AContex~~t *)>&& completionHandler)

298void AuthenticatorManager::decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&& completionHandler)

299299{

    RetainPtr<SecAccessControlRef> accessControl = accessControlRef;

    dispatchPanelClientCall([accessControl = WTFMove(accessControl), completionHandler = WTFMove(completionHandler)] (const API::WebAuthenticationPanel& panel) mutable {

        panel.client().verifyUser(accessControl.get(), WTFMove(completionHandler));

300 dispatchPanelClientCall([completionHandler = WTFMove(completionHandler)] (const API::WebAuthenticationPanel& panel) mutable {

301 panel.client().decidePolicyForLocalAuthenticator(WTFMove(completionHandler));

    });

}

Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h

@@private:

    void authenticatorStatusUpdated(WebAuthenticationStatus) final;

    void requestPin(uint64_t retries, CompletionHandler<void(const WTF::String&)>&&) final;

    void selectAssertionResponse(const HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) final;

86 void ver~~ifyUser(SecAccessControlRef,~~ CompletionHandler<void(L~~AContex~~t *)>&&) final;

86 void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) final;

    // Overriden by MockAuthenticatorManager.

    virtual UniqueRef<AuthenticatorTransportService> createService(WebCore::AuthenticatorTransport, AuthenticatorTransportService::Observer&) const;

Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.h

@@namespace WebKit {

class LocalAuthenticator final : public Authenticator {

public:

    // Here is the FSM.

41 // MakeCredential: Init => RequestReceived => User~~Consent~~ed => Attested => End

42 // GetAssertion: Init => RequestReceived => ResponseSelected => User~~Consent~~ed => End

41 // MakeCredential: Init => RequestReceived => PolicyDecided => UserVerified => Attested => End

42 // GetAssertion: Init => RequestReceived => ResponseSelected => UserVerified => End

    enum class State {

        Init,

        RequestReceived,

46 User~~Consent~~ed,

46 UserVerified,

4747 Attested,

48 ResponseSelected

48 ResponseSelected,

49 PolicyDecided,

    };

    static Ref<LocalAuthenticator> create(UniqueRef<LocalConnection>&& connection)

@@private:

    explicit LocalAuthenticator(UniqueRef<LocalConnection>&&);

    void makeCredential() final;

60 void continueMakeCredentialAfterUserConsented(SecAccessControlRef, LAContext *);

61 void continueMakeCredentialAfterDecidePolicy(LocalAuthenticatorPolicy);

62 void continueMakeCredentialAfterUserVerification(SecAccessControlRef, LocalConnection::UserVerification, LAContext *);

    void continueMakeCredentialAfterAttested(SecKeyRef, Vector<uint8_t>&& credentialId, Vector<uint8_t>&& authData, NSArray *certificates, NSError *);

    void getAssertion() final;

    void continueGetAssertionAfterResponseSelected(Ref<WebCore::AuthenticatorAssertionResponse>&&);

65 void continueGetAssertionAfterUserC~~onsented(LAContext *,~~ Ref<WebCore::AuthenticatorAssertionResponse>&&);

67 void continueGetAssertionAfterUserVerification(Ref<WebCore::AuthenticatorAssertionResponse>&&, LocalConnection::UserVerification, LAContext *);

    void receiveException(WebCore::ExceptionData&&, WebAuthenticationStatus = WebAuthenticationStatus::LAError) const;

Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm

@@void LocalAuthenticator::makeCredential()

    // Step 6.

    // Get user consent.

    if (auto* observer = this->observer()) {

        auto callback = [weakThis = makeWeakPtr(*this)] (LocalAuthenticatorPolicy policy) {

            ASSERT(RunLoop::isMain());

            if (!weakThis)

                return;

            weakThis->continueMakeCredentialAfterDecidePolicy(policy);

        };

        observer->decidePolicyForLocalAuthenticator(WTFMove(callback));

    }

}

void LocalAuthenticator::continueMakeCredentialAfterDecidePolicy(LocalAuthenticatorPolicy policy)

{

    ASSERT(m_state == State::RequestReceived);

    m_state = State::PolicyDecided;

    if (policy == LocalAuthenticatorPolicy::Disallow) {

        receiveRespond(ExceptionData { UnknownError, "Disallow local authenticator."_s });

        return;

    }

    RetainPtr<SecAccessControlRef> accessControl;

    {

        CFErrorRef errorRef = nullptr;

@@void LocalAuthenticator::makeCredential()

        }

    }

    if (auto* observer = this->observer()) {

        SecAccessControlRef accessControlRef = accessControl.get();

        auto callback = [accessControl = WTFMove(accessControl), weakThis = makeWeakPtr(*this)] (LAContext *context) {

            ASSERT(RunLoop::isMain());

            if (!weakThis)

                return;

    SecAccessControlRef accessControlRef = accessControl.get();

    auto callback = [accessControl = WTFMove(accessControl), weakThis = makeWeakPtr(*this)] (LocalConnection::UserVerification verification, LAContext *context) {

        ASSERT(RunLoop::isMain());

        if (!weakThis)

            return;

180201

            weakThis->continueMakeCredentialAfterUserConsented(accessControl.get(), context);

        };

        observer->verifyUser(accessControlRef, WTFMove(callback));

    }

        weakThis->continueMakeCredentialAfterUserVerification(accessControl.get(), verification, context);

    };

    m_connection->verifyUser(accessControlRef, WTFMove(callback));

185205}

186206

187 void LocalAuthenticator::continueMakeCredentialAfterUserC~~onsented~~(SecAccessControlRef accessControlRef, LAContext *context)

207void LocalAuthenticator::continueMakeCredentialAfterUserVerification(SecAccessControlRef accessControlRef, LocalConnection::UserVerification verification, LAContext *context)

{

    using namespace LocalAuthenticatorInternal;

191 ASSERT(m_state == State::~~RequestRece~~ived);

192 m_state = State::User~~Consent~~ed;

211 ASSERT(m_state == State::PolicyDecided);

212 m_state = State::UserVerified;

193213 auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);

194214

195 if (~~!m_~~connection->~~isUnlocked(context)~~) {

196 receive~~Respond(~~Exception~~Data~~ { NotAllowedError, "Couldn't get user ~~consent~~."_s });

215 if (verification == LocalConnection::UserVerification::No) {

216 receiveException({ NotAllowedError, "Couldn't verify user."_s });

        return;

    }

@@void LocalAuthenticator::continueMakeCredentialAfterAttested(SecKeyRef privateKe

{

    using namespace LocalAuthenticatorInternal;

312 ASSERT(m_state == State::User~~Consent~~ed);

332 ASSERT(m_state == State::UserVerified);

    m_state = State::Attested;

    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);

@@void LocalAuthenticator::getAssertion()

        return;

    }

395 // Step 6.

415 // Step 6-7. User consent is implicitly acquired by selecting responses.

    for (NSDictionary *attribute : intersectedCredentialsAttributes) {

        auto addResult = m_assertionResponses.add(AuthenticatorAssertionResponse::create(

            toArrayBuffer(attribute[(id)kSecAttrApplicationLabel]),

@@void LocalAuthenticator::continueGetAssertionAfterResponseSelected(Ref<WebCore::

    ASSERT(m_state == State::RequestReceived);

    m_state = State::ResponseSelected;

    // Step 7. Get user consent.

    if (auto* observer = this->observer()) {

        auto accessControlRef = response->accessControl();

        auto callback = [weakThis = makeWeakPtr(*this), response = WTFMove(response)] (LAContext *context) mutable {

            ASSERT(RunLoop::isMain());

            if (!weakThis)

                return;

    auto accessControlRef = response->accessControl();

    auto callback = [

        weakThis = makeWeakPtr(*this),

        response = WTFMove(response)

    ] (LocalConnection::UserVerification verification, LAContext *context) mutable {

        ASSERT(RunLoop::isMain());

        if (!weakThis)

            return;

432453

            weakThis->continueGetAssertionAfterUserConsented(context, WTFMove(response));

        };

        observer->verifyUser(accessControlRef, WTFMove(callback));

    }

        weakThis->continueGetAssertionAfterUserVerification(WTFMove(response), verification, context);

    };

    m_connection->verifyUser(accessControlRef, WTFMove(callback));

437457}

438458

439 void LocalAuthenticator::continueGetAssertionAfterUserC~~onsented(LAContext *context,~~ Ref<WebCore::AuthenticatorAssertionResponse>&& response)

459void LocalAuthenticator::continueGetAssertionAfterUserVerification(Ref<WebCore::AuthenticatorAssertionResponse>&& response, LocalConnection::UserVerification verification, LAContext *context)

{

    using namespace LocalAuthenticatorInternal;

    ASSERT(m_state == State::ResponseSelected);

443 m_state = State::User~~Consent~~ed;

463 m_state = State::UserVerified;

444464

445 if (~~!m_~~connection->~~isUnlocked(context)~~) {

446 receive~~Respond(~~Exception~~Data~~ { NotAllowedError, "Couldn't get user ~~consent~~."_s });

465 if (verification == LocalConnection::UserVerification::No) {

466 receiveException({ NotAllowedError, "Couldn't verify user."_s });

        return;

    }

@@void LocalAuthenticator::continueGetAssertionAfterUserConsented(LAContext *conte

    // Step 11.

    RetainPtr<CFDataRef> signature;

    {

459 auto query = adoptNS([[NSMutableDictionary alloc] init]);

460 [query addEntriesFromDictionary:@{

479 NSDictionary *query = @{

            (id)kSecClass: (id)kSecClassKey,

            (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,

            (id)kSecAttrApplicationLabel: toNSData(response->rawId()).get(),

483 (id)kSecUseAuthenticationContext: context,

            (id)kSecReturnRef: @YES,

#if HAVE(DATA_PROTECTION_KEYCHAIN)

            (id)kSecUseDataProtectionKeychain: @YES

#else

            (id)kSecAttrNoLegacy: @YES

#endif

        }];

        // context is nullptr in mock testing.

        if (context)

            [query setObject:context forKey:(id)kSecUseAuthenticationContext];

490 };

474491 CFTypeRef privateKeyRef = nullptr;

475 OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query~~.get()~~, &privateKeyRef);

492 OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &privateKeyRef);

        if (status) {

            receiveException({ UnknownError, makeString("Couldn't get the private key reference: ", status) });

            return;

Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.h

OBJC_CLASS LAContext;

namespace WebCore {

39

4039class AuthenticatorAssertionResponse;

41

}

namespace WebKit {

@@class LocalConnection {

    WTF_MAKE_FAST_ALLOCATED;

    WTF_MAKE_NONCOPYABLE(LocalConnection);

public:

    enum class UserVerification : bool {

        No,

        Yes

    };

5558 using AttestationCallback = CompletionHandler<void(NSArray *, NSError *)>;

59 using UserVerificationCallback = CompletionHandler<void(UserVerification, LAContext *)>;

    LocalConnection() = default;

    virtual ~LocalConnection() = default;

    // Overrided by MockLocalConnection.

61 virtual b~~ool~~ i~~sUnlo~~ck~~ed(LA~~Context *) const;

65 virtual void verifyUser(SecAccessControlRef, UserVerificationCallback&&) const;

    virtual RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const;

    virtual void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const;

    virtual void filterResponses(HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&) const { };

Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalConnection.mm

#if ENABLE(WEB_AUTHN)

31#import <WebCore/LocalizedStrings.h>

#import <wtf/BlockPtr.h>

#import <wtf/RunLoop.h>

namespace WebKit {

42 b~~ool~~ LocalConnection::i~~sUnlo~~ck~~ed(LA~~Cont~~ext~~ *context) const

43void LocalConnection::verifyUser(SecAccessControlRef accessControl, UserVerificationCallback&& completionHandler) const

4344{

    NSError *error = nil;

    auto result = [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics options:@{ @(LAOptionNotInteractive): @YES } error:&error];

    if (!result)

        LOG_ERROR("Couldn't get user consent: %@", error);

    return !!result;

    auto context = adoptNS([allocLAContextInstance() init]);

    auto options = adoptNS([[NSMutableDictionary alloc] init]);

    if ([context biometryType] == LABiometryTypeTouchID)

        [options setObject:WebCore::touchIDPromptTitle() forKey:@(LAOptionAuthenticationTitle)];

    [options setObject:WebCore::biometricFallbackPromptTitle() forKey:@(LAOptionPasscodeTitle)];

    auto reply = makeBlockPtr([context, completionHandler = WTFMove(completionHandler)] (NSDictionary *, NSError *error) mutable {

        ASSERT(!RunLoop::isMain());

        UserVerification verification = UserVerification::Yes;

        if (error) {

            LOG_ERROR("Couldn't authenticate with biometrics: %@", error);

            verification = UserVerification::No;

        }

        RunLoop::main().dispatch([completionHandler = WTFMove(completionHandler), verification, context = WTFMove(context)] () mutable {

            completionHandler(verification, context.get());

        });

    });

    [context evaluateAccessControl:accessControl operation:LAAccessControlOperationUseKeySign options:options.get() reply:reply.get()];

}

RetainPtr<SecKeyRef> LocalConnection::createCredentialPrivateKey(LAContext *context, SecAccessControlRef accessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const

Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm

@@bool LocalService::isAvailable()

#if defined(LOCALSERVICE_ADDITIONS)

LOCALSERVICE_ADDITIONS

58#else

59 return false;

#endif

    return true;

Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.h

@@private:

    void dismissPanel(WebAuthenticationResult) const final;

    void requestPin(uint64_t, CompletionHandler<void(const WTF::String&)>&&) const final;

    void selectAssertionResponse(Vector<Ref<WebCore::AuthenticatorAssertionResponse>>&&, CompletionHandler<void(const WebCore::AuthenticatorAssertionResponse&)>&&) const final;

53 void ver~~ifyUser(SecAccessControlRef,~~ CompletionHandler<void(L~~AContex~~t *)>&&) const final;

53 void decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&&) const final;

    _WKWebAuthenticationPanel *m_panel;

    WeakObjCPtr<id <_WKWebAuthenticationPanelDelegate> > m_delegate;

@@private:

        bool panelDismissWebAuthenticationPanelWithResult : 1;

        bool panelRequestPinWithRemainingRetriesCompletionHandler : 1;

        bool panelSelectAssertionResponseCompletionHandler : 1;

63 bool panelVe~~rifyUserWithAccessCo~~nt~~rol~~CompletionHandler : 1;

63 bool panelDecidePolicyForLocalAuthenticatorCompletionHandler : 1;

    } m_delegateMethods;

};

Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm

#import "APIWebAuthenticationAssertionResponse.h"

#import "CompletionHandlerCallChecker.h"

#import "WKNSArray.h"

35 #import "WebAuthenticationFlags.h"

#import "_WKWebAuthenticationAssertionResponseInternal.h"

#import "_WKWebAuthenticationPanel.h"

#import <wtf/BlockPtr.h>

@@WebAuthenticationPanelClient::WebAuthenticationPanelClient(_WKWebAuthenticationP

    m_delegateMethods.panelDismissWebAuthenticationPanelWithResult = [delegate respondsToSelector:@selector(panel:dismissWebAuthenticationPanelWithResult:)];

    m_delegateMethods.panelRequestPinWithRemainingRetriesCompletionHandler = [delegate respondsToSelector:@selector(panel:requestPINWithRemainingRetries:completionHandler:)];

    m_delegateMethods.panelSelectAssertionResponseCompletionHandler = [delegate respondsToSelector:@selector(panel:selectAssertionResponse:completionHandler:)];

53 m_delegateMethods.panelVe~~rifyUserWithAccessCo~~nt~~rol~~CompletionHandler = [delegate respondsToSelector:@selector(panel:ver~~ifyUse~~rWith~~AccessControl:c~~ompletionHandler:)];

52 m_delegateMethods.panelDecidePolicyForLocalAuthenticatorCompletionHandler = [delegate respondsToSelector:@selector(panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:)];

}

RetainPtr<id <_WKWebAuthenticationPanelDelegate> > WebAuthenticationPanelClient::delegate()

@@void WebAuthenticationPanelClient::selectAssertionResponse(Vector<Ref<WebCore::A

    }).get()];

}

170 v~~oid Web~~Authentication~~PanelC~~lient~~::v~~erif~~yUser(SecAccessCon~~trolRef accessControl, CompletionHandler<void(LAContext *~~)>&& completionHandler) const~~

169static LocalAuthenticatorPolicy localAuthenticatorPolicy(_WKLocalAuthenticatorPolicy result)

171170{

172 if (!m_delegateMethods.panelVerifyUserWithAccessControlCompletionHandler) {

173 completionHandler(adoptNS([allocLAContextInstance() init]).get());

    switch (result) {

    case _WKLocalAuthenticatorPolicyAllow:

        return LocalAuthenticatorPolicy::Allow;

    case _WKLocalAuthenticatorPolicyDisallow:

        return LocalAuthenticatorPolicy::Disallow;

    }

    ASSERT_NOT_REACHED();

    return LocalAuthenticatorPolicy::Allow;

}

void WebAuthenticationPanelClient::decidePolicyForLocalAuthenticator(CompletionHandler<void(LocalAuthenticatorPolicy)>&& completionHandler) const

{

    if (!m_delegateMethods.panelDecidePolicyForLocalAuthenticatorCompletionHandler) {

        completionHandler(LocalAuthenticatorPolicy::Disallow);

        return;

    }

    auto delegate = m_delegate.get();

    if (!delegate) {

179 completionHandler(ad~~optNS([~~allo~~cLAContextInstance() init]).get()~~);

190 completionHandler(LocalAuthenticatorPolicy::Disallow);

        return;

    }

183 auto checker = CompletionHandlerCallChecker::create(delegate.get(), @selector(panel:ver~~ifyUse~~rWith~~AccessControl:c~~ompletionHandler:));

184 [delegate panel:m_panel ver~~ifyUse~~rWith~~AccessControl:accessControl c~~ompletionHandler:makeBlockPtr([completionHandler = WTFMove(completionHandler), checker = WTFMove(checker)](L~~AContex~~t *~~context~~) mutable {

194 auto checker = CompletionHandlerCallChecker::create(delegate.get(), @selector(panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:));

195 [delegate panel:m_panel decidePolicyForLocalAuthenticatorWithCompletionHandler:makeBlockPtr([completionHandler = WTFMove(completionHandler), checker = WTFMove(checker)](_WKLocalAuthenticatorPolicy policy) mutable {

        if (checker->completionHandlerHasBeenCalled())

            return;

        checker->didCallCompletionHandler();

188 completionHandler(co~~ntex~~t);

199 completionHandler(localAuthenticatorPolicy(policy));

    }).get()];

}

Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.h

@@public:

    explicit MockLocalConnection(const WebCore::MockWebAuthenticationConfiguration&);

private:

40 b~~ool~~ i~~sUnlo~~ck~~ed(LA~~Context *) const final;

40 void verifyUser(SecAccessControlRef, UserVerificationCallback&&) const final;

    RetainPtr<SecKeyRef> createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const final;

    void getAttestation(SecKeyRef, NSData *authData, NSData *hash, AttestationCallback&&) const final;

    void filterResponses(HashSet<Ref<WebCore::AuthenticatorAssertionResponse>>&) const final;

Source/WebKit/UIProcess/WebAuthentication/Mock/MockLocalConnection.mm

@@MockLocalConnection::MockLocalConnection(const WebCore::MockWebAuthenticationCon

{

}

47 b~~ool~~ MockLocalConnection::i~~sUnlo~~ck~~ed(LA~~Contex~~t *context~~) const

47void MockLocalConnection::verifyUser(SecAccessControlRef, UserVerificationCallback&& callback) const

4848{

49 return m_configuration.local->acceptAuthentication;

    // Mock async operations.

    RunLoop::main().dispatch([configuration = m_configuration, callback = WTFMove(callback)]() mutable {

        ASSERT(configuration.local);

        if (!configuration.local->acceptAuthentication) {

            callback(UserVerification::No, nil);

            return;

        }

        callback(UserVerification::Yes, adoptNS([allocLAContextInstance() init]).get());

    });

}

RetainPtr<SecKeyRef> MockLocalConnection::createCredentialPrivateKey(LAContext *, SecAccessControlRef, const String& secAttrLabel, NSData *secAttrApplicationTag) const

Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationFlags.h

@@enum class WebAuthenticationStatus : uint8_t {

    LANoCredential,

};

enum class LocalAuthenticatorPolicy : bool {

    Allow,

    Disallow

};

} // namespace WebKit

#endif // ENABLE(WEB_AUTHN)

Tools/ChangeLog

2020-03-03  Jiewen Tan  <jiewen_tan@apple.com>

        [WebAuthn] Implement -[_WKWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:] SPI

        https://bugs.webkit.org/show_bug.cgi?id=208533

        <rdar://problem/60010184>

        Reviewed by NOBODY (OOPS!).

        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:

        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

        (-[TestWebAuthenticationPanelDelegate panel:decidePolicyForLocalAuthenticatorWithCompletionHandler:]):

        (TestWebKitAPI::TEST):

        (-[TestWebAuthenticationPanelDelegate panel:verifyUserWithAccessControl:completionHandler:]): Deleted.

        * TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-la.html: Removed.

2020-03-02  Per Arne Vollan  <pvollan@apple.com>

        [Cocoa] Mapping from MIME type to UTI type should be done in the UI process

Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

		573255A722139BC700396AE8 /* load-web-archive-2.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 573255A322139B9000396AE8 /* load-web-archive-2.html */; };

		574217882400AC25002B303D /* web-authentication-make-credential-la-error.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 574217872400ABFD002B303D /* web-authentication-make-credential-la-error.html */; };

		5742178A2400AED8002B303D /* web-authentication-make-credential-la-duplicate-credential.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 574217892400AED0002B303D /* web-authentication-make-credential-la-duplicate-credential.html */; };

353 5742178C2400CD47002B303D /* web-authentication-get-assertion-la.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */; };

		5742178E2400D2DF002B303D /* web-authentication-make-credential-la.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5742178D2400D26C002B303D /* web-authentication-make-credential-la.html */; };

		574F55D2204D47F0002948C6 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 574F55D0204D471C002948C6 /* Security.framework */; };

		5758597F23A2527A00C74572 /* CtapPinTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5758597E23A2527A00C74572 /* CtapPinTest.cpp */; };

				578DA44E23ECD28B00246010 /* web-authentication-get-assertion-hid-pin-invalid-error-retry.html in Copy Resources */,

				570D26FC23C3F87000D5CF67 /* web-authentication-get-assertion-hid-pin.html in Copy Resources */,

				57663DEC234F1F9300E85E09 /* web-authentication-get-assertion-hid.html in Copy Resources */,

1527 5742178C2400CD47002B303D /* web-authentication-get-assertion-la.html in Copy Resources */,

				579833922368FA37008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html in Copy Resources */,

				57663DEA234EA66D00E85E09 /* web-authentication-get-assertion-nfc.html in Copy Resources */,

				577454D22359BB01008E1ED7 /* web-authentication-get-assertion-u2f-no-credentials.html in Copy Resources */,

		5735F0251F3A4EA6000EE801 /* TestWebKitAPI-iOS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "TestWebKitAPI-iOS.entitlements"; sourceTree = "<group>"; };

		574217872400ABFD002B303D /* web-authentication-make-credential-la-error.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la-error.html"; sourceTree = "<group>"; };

		574217892400AED0002B303D /* web-authentication-make-credential-la-duplicate-credential.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la-duplicate-credential.html"; sourceTree = "<group>"; };

1977 5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-get-assertion-la.html"; sourceTree = "<group>"; };

		5742178D2400D26C002B303D /* web-authentication-make-credential-la.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential-la.html"; sourceTree = "<group>"; };

		5742178F2400D54D002B303D /* web-authentication-make-credential.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "web-authentication-make-credential.html"; sourceTree = "<group>"; };

		574F55D0204D471C002948C6 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; };

				578DA44D23ECD26100246010 /* web-authentication-get-assertion-hid-pin-invalid-error-retry.html */,

				570D26FB23C3F86500D5CF67 /* web-authentication-get-assertion-hid-pin.html */,

				57663DEB234F1F8000E85E09 /* web-authentication-get-assertion-hid.html */,

3606 5742178B2400CD2D002B303D /* web-authentication-get-assertion-la.html */,

				5798337B235EB65C008E5547 /* web-authentication-get-assertion-nfc-multiple-tags.html */,

				57663DE9234EA60B00E85E09 /* web-authentication-get-assertion-nfc.html */,

				577454D12359BAD5008E1ED7 /* web-authentication-get-assertion-u2f-no-credentials.html */,

Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@static bool webAuthenticationPanelUpdateLAError = false;

static bool webAuthenticationPanelUpdateLAExcludeCredentialsMatched = false;

static bool webAuthenticationPanelUpdateLANoCredential = false;

static bool webAuthenticationPanelCancelImmediately = false;

58 static boo~~l web~~Authentication~~PanelVer~~if~~yUser~~ = false;

58static _WKLocalAuthenticatorPolicy localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyDisallow;

static String webAuthenticationPanelPin;

static BOOL webAuthenticationPanelNullUserHandle = NO;

static String testES256PrivateKeyBase64 =

@@- (void)panel:(_WKWebAuthenticationPanel *)panel selectAssertionResponse:(NSArra

    completionHandler(responses[index]);

}

154 - (void)panel:(_WKWebAuthenticationPanel *)panel ver~~ifyUse~~rWith~~AccessControl:(SecAccessControlRef)accessControl c~~ompletionHandler:(void (^)(L~~AContex~~t *))completionHandler

154- (void)panel:(_WKWebAuthenticationPanel *)panel decidePolicyForLocalAuthenticatorWithCompletionHandler:(void (^)(_WKLocalAuthenticatorPolicy policy))completionHandler

155155{

    webAuthenticationPanelVerifyUser = true;

    auto context = adoptNS([[LAContext alloc] init]);

    completionHandler(context.get());

156 completionHandler(localAuthenticatorPolicy);

}

@end

@@static void reset()

    webAuthenticationPanelCancelImmediately = false;

    webAuthenticationPanelPin = emptyString();

    webAuthenticationPanelNullUserHandle = NO;

303 ~~web~~Authenticat~~ionPanelVerifyUser~~ = false;

301 localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyDisallow;

}

static void checkPanel(_WKWebAuthenticationPanel *panel, NSString *relyingPartyID, NSArray *transports, _WKWebAuthenticationType type)

{

    EXPECT_WK_STREQ(panel.relyingPartyID, relyingPartyID);

    // Brute force given the maximum size of the array is 4.

    auto *theTransports = panel.transports;

    EXPECT_EQ(theTransports.count, transports.count);

308 EXPECT_EQ(panel.transports.count, transports.count);

313309 size_t count = 0;

314310 for (NSNumber *transport : transports) {

        for (NSNumber *theTransport : theTransports) {

            if (transport == theTransport) {

                count++;

                break;

            }

        }

311 if ([panel.transports containsObject:transport])

312 count++;

    }

    EXPECT_EQ(count, transports.count);

@@TEST(WebAuthenticationPanel, LAMakeCredentialNullDelegate)

    [webView setUIDelegate:delegate.get()];

    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];

1262 [webView waitForMessage:@"Succeeded!"];

1263 cleanUpKeychain("");

1254 [webView waitForMessage:@"Disallow local authenticator."];

12641255}

12651256

1266 TEST(WebAuthenticationPanel, LAMakeCredential)

1257TEST(WebAuthenticationPanel, LAMakeCredentialDisallowLocalAuthenticator)

{

    reset();

    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];

@@TEST(WebAuthenticationPanel, LAMakeCredential)

    [webView setUIDelegate:delegate.get()];

    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];

    Util::run(&webAuthenticationPanelVerifyUser);

    checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeCreate);

    [webView waitForMessage:@"Succeeded!"];

1271 [webView waitForMessage:@"Disallow local authenticator."];

12831272}

12841273

1285 TEST(WebAuthenticationPanel, LAG~~etAss~~ertion)

1274TEST(WebAuthenticationPanel, LAMakeCredentialAllowLocalAuthenticator)

12861275{

12871276 reset();

1288 RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get~~-ass~~er~~tion~~-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];

1277 RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-make-credential-la" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];

    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];

    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];

@@TEST(WebAuthenticationPanel, LAGetAssertion)

    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);

    [webView setUIDelegate:delegate.get()];

1298 ~~ASSERT_TRUE(addKeyToKeychain(testES256Priv~~at~~eKeyBase64, "", testUserhandleBase64))~~;

1287 localAuthenticatorPolicy = _WKLocalAuthenticatorPolicyAllow;

12991288 [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];

1300 Util::run(&webAuthenticationPanelVerifyUser);

1301 checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeGet);

13021289 [webView waitForMessage:@"Succeeded!"];

1290 checkPanel([delegate panel], @"", @[adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportUSB]).get(), adoptNS([[NSNumber alloc] initWithInt:_WKWebAuthenticationTransportInternal]).get()], _WKWebAuthenticationTypeCreate);

    cleanUpKeychain("");

}

Tools/TestWebKitAPI/Tests/WebKitCocoa/web-authentication-get-assertion-la.html

<input type="text" id="input">

<script>

    if (window.internals) {

        internals.setMockWebAuthenticationConfiguration({ local: { acceptAuthentication: true, acceptAttestation: false } });

        internals.withUserGesture(() => { input.focus(); });

    }

    const options = {

        publicKey: {

            challenge: new Uint8Array(16),

            timeout: 100

        }

    };

    navigator.credentials.get(options).then(credential => {

        // console.log("Succeeded!");

        window.webkit.messageHandlers.testHandler.postMessage("Succeeded!");

    }, error => {

        // console.log(error.message);

        window.webkit.messageHandlers.testHandler.postMessage(error.message);

    });

</script>

LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html

                    pubKeyCredParams: [{ type: "public-key", alg: -7 }]

                }

            };

101 return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't get user ~~consent~~.");

101 return promiseRejects(t, "NotAllowedError", navigator.credentials.create(options), "Couldn't verify user.");

        }, "PublicKeyCredential's [[create]] without user consent in a mock local authenticator.");

        promise_test(t => {

LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html

            if (window.testRunner)

                testRunner.addTestKeyToKeychain(privateKeyBase64, testRpId, userhandleBase64);

58 return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't get user ~~consent~~.").then(() => {

58 return promiseRejects(t, "NotAllowedError", navigator.credentials.get(options), "Couldn't verify user.").then(() => {

                if (window.testRunner)

                    testRunner.cleanUpKeychain(testRpId, userhandleBase64);

            });