集成测试 WebAuthN 作为 2FA 选项
[英]Integration Test WebAuthN as an 2FA option
问题描述
I want to add WebAuthN as an option for multi factor authentication to an Angular & Spring application.
我想将 WebAuthN 作为多因素身份验证的选项添加到 Angular 和 Spring 应用程序。 I use the WebAuthN java-webauthn-server library from Yubico.我使用 Yubico 的 WebAuthN java-webauthn-server库。
What is the best way to integration test my WebAuthN server, without a hardware client?在没有硬件客户端的情况下,集成测试我的 WebAuthN 服务器的最佳方法是什么? Is there any software that can handle the cryptography in an automated test?有没有可以在自动化测试中处理密码学的软件? I want to run these tests automatically in the CI/CD pipeline (GitLab).我想在 CI/CD 管道 (GitLab) 中自动运行这些测试。
In a best case scenario I want to be able to test the whole process, creating credentials as well as logging in. An alternative scenario could be that I use known credentials in the backend and only log in with these.在最好的情况下,我希望能够测试整个过程,创建凭据以及登录。另一种情况可能是我在后端使用已知凭据并仅使用这些凭据登录。
My API is REST/JSON based, with relying party, user, challenge, pubKey etc...我的 API 是基于 REST/JSON 的,具有依赖方、用户、挑战、pubKey 等...
My integration tests are Java based (spring boot starter test)我的集成测试是基于 Java 的(spring boot starter test)
I am mainly interested in how to integration test the server without the client side.我主要对如何在没有客户端的情况下集成测试服务器感兴趣。 Are there utility programs or libraries that can handle authenticators and return the correct data/json objects?是否有实用程序或库可以处理身份验证器并返回正确的数据/json 对象?
I have looked at Testing WebAuthn via REST tool , however, I am not interested in testing the specification, since I am using a library, I only want to ensure that I applied the library correctly to my code.我已经通过 REST 工具查看了测试 WebAuthn ,但是,我对测试规范不感兴趣,因为我使用的是库,我只想确保我将库正确应用于我的代码。
1 个解决方案
解决方案1
2 2020-09-22 04:56:23
If you are only interested in testing the server side, you can write a simple webpage with buttons that exercise your endpoints and call navigator.credentials.(create|get) .如果您只对测试服务器端感兴趣,您可以编写一个带有按钮的简单网页,这些按钮可以锻炼您的端点并调用navigator.credentials.(create|get) 。 You can then instrument a browser using Selenium 4+, set up Virtual Authenticators , and run tests against that webpage.然后,您可以使用Selenium 4+ 检测浏览器,设置Virtual Authenticators并针对该网页运行测试。 Take a look at the selenium tests for an example.以selenium 测试为例。 The code to set up the authenticators looks like this in java:设置验证器的代码在 java 中如下所示:
VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions();
options.setTransport(Transport.INTERNAL)
.hasUserVerification(true)
.isUserVerified(true);
VirtualAuthenticator authenticator =
((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
Pay attention to setting up the authenticator with the right settings to match your webauthn call.请注意使用正确的设置设置身份验证器以匹配您的 webauthn 调用。 You should pick the right user verification support, resident keys support, and internal (ie platform) vs usb / nfc / ble (ie cross-platform) transport.您应该选择正确的用户验证支持、常驻密钥支持和内部(即平台)与 usb/nfc/ble(即跨平台)传输。
If you're using an older version of selenium, you'll have to manually define the commands yourself.如果您使用的是旧版本的 selenium,则必须自己手动定义命令。 The code should look like代码应该看起来像
browser.driver.getExecutor().defineCommand(
"AddVirtualAuthenticator", "POST", "/session/:sessionId/webauthn/authenticator");
// ...
Command addVirtualAuthCommand = new Command("AddVirtualAuthenticator");
addVirtualAuthCommand.setParameter("protocol", "ctap2");
addVirtualAuthCommand.setParameter("transport", "usb");
browser.driver.getExecutor().execute(addVirtualAuthCommand);
Running selenium tests might take a bit of work if you aren't already using it for integration testing.如果您还没有将它用于集成测试,那么运行 selenium 测试可能需要一些工作。 However, this implementation will very closely match reality.然而,这个实现将非常接近现实。 From the browser's perspective, the virtual authenticator is real hardware.从浏览器的角度来看,虚拟身份验证器是真实的硬件。 The response from the authenticator will be processed by the browser as if it was real.来自身份验证器的响应将由浏览器处理,就好像它是真实的一样。
At the moment, only chromium based browsers support Virtual Authenticators.目前,只有基于 chromium 的浏览器支持虚拟身份验证器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.