Diffstat (limited to 'testing/web-platform/tests/credential-management/support')
15 files changed, 163 insertions, 10 deletions
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-helper.js b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
new file mode 100644
index 0000000000..2020d6cda7
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-helper.js
@@ -0,0 +1,19 @@
+// Builds valid digital identity request for navigator.identity.get() API.
+export function buildValidNavigatorIdentityRequest() {
+ return {
+ digital: {
+ providers: [{
+ protocol: "urn:openid.net:oid4vp",
+ request: JSON.stringify({
+ // Based on https://github.com/openid/OpenID4VP/issues/125
+ client_id: "client.example.org",
+ client_id_scheme: "web-origin",
+ nonce: "n-0S6_WzA2Mj",
+ presentation_definition: {
+ // Presentation Exchange request, omitted for brevity
+ }
+ }),
+ }],
+ },
+ };
+}
diff --git a/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
new file mode 100644
index 0000000000..8e193ff09f
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/digital-identity-iframe.html
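Review bot: The request literal in `buildValidNavigatorIdentityRequest` hard-codes `nonce: "n-0S6_WzA2Mj"` with nothing to mark it as a sample value. A fixed nonce gives a verifier no replay protection, so the fixture should say it is test-only, for example with `// Fixed sample nonce for tests; a real verifier generates a fresh, unpredictable nonce per request.` above the `nonce` line.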
@@ -0,0 +1,27 @@ +<!doctype html> +<script src="/resources/testdriver.js"></script> +<script src="/resources/testdriver-vendor.js"></script> +<script type="module"> +import { buildValidNavigatorIdentityRequest } from './digital-identity-helper.js'; + +// Loading digital-identity-iframe.html in the test will make a digital credential call on load, and +// trigger a postMessage upon completion. +// +// message { +// string result: "Pass" | "Fail" +// string data: credential.token +// string errorType: error.data +// } + +window.onload = async () => { + try { + let request = buildValidNavigatorIdentityRequest(); + let credential = await navigator.identity.get(request); + + window.top.postMessage({result: "Pass", data: credential.data}, '*'); + } catch (error) { + window.top.postMessage({result: "Fail", errorType: error.name}, '*'); + } +}; + +</script> diff --git a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js index 765b3cc48a..f0031fa531 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js +++ b/testing/web-platform/tests/credential-management/support/fedcm-helper.sub.js @@ -8,7 +8,9 @@ export function open_and_wait_for_popup(origin, path) { // We rely on the popup page to send us a message when done. const popup_message_handler = (event) => { - if (event.origin == origin) { + // We use new URL() to ensure the two origins are normalized the same + // way (especially so that default ports are handled identically). + if (new URL(event.origin).toString() == new URL(origin).toString()) { popup_window.close(); window.removeEventListener('message', popup_message_handler); resolve(); 
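Review bot: The message-shape comment does not match what the `window.onload` handler posts: it documents `data: credential.token` and `errorType: error.data`, while the code sends `credential.data` and `error.name`. I would correct the two comment lines to `// string data: credential.data` and `// string errorType: error.name`. Both `window.top.postMessage(..., '*')` calls also use a wildcard target origin for the credential payload; that works here only because the top frame is the test page, and a one-line comment saying so would keep the pattern from being copied into non-test code.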
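Review bot: `new URL(event.origin)` in `popup_message_handler` throws a TypeError when a message arrives from an opaque origin, because `event.origin` is then the string "null", which does not parse as a URL. `event.origin` is already a serialized origin, so only the expected value needs normalizing: `if (event.origin === new URL(origin).origin) {`. That form also compares origins rather than full URL strings and uses strict equality. The rest of `open_and_wait_for_popup` lies outside the hunk.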
@@ -22,7 +24,7 @@ export function open_and_wait_for_popup(origin, path) { // Set the identity provider cookie. export function set_fedcm_cookie(host) { if (host == undefined) { - document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure'; + document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure'; return Promise.resolve(); } else { return open_and_wait_for_popup(host, '/credential-management/support/set_cookie'); @@ -102,6 +104,15 @@ credential-management/support/fedcm/${manifest_filename}`; // Test wrapper which does FedCM-specific setup. export function fedcm_test(test_func, test_name) { promise_test(async t => { + // Ensure we start from a clean slate. + await test_driver.delete_all_cookies(); + // Turn off delays that are not useful in tests. + try { + await test_driver.set_fedcm_delay_enabled(false); + } catch (e) { + // Failure is not critical; it just might slow down tests. + } + await set_fedcm_cookie(); await set_alt_fedcm_cookie(); await test_func(t); diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py new file mode 100644 index 0000000000..a6f385feac --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_check_same_site_strict.py 
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.accountsCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+ if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+ return (538, [], "Wrong Sec-Fetch-Site header")
+
+ response.headers.set(b"Content-Type", b"application/json")
+
+ return """
+{
+ "accounts": [{
+ "id": "1234",
+ "given_name": "John",
+ "name": "John Doe",
+ "email": "john_doe@idp.example",
+ "picture": "https://idp.example/profile/123",
+ "approved_clients": ["123", "456", "789"],
+ "login_hints": ["john_doe"],
+ "domain_hints": ["idp.example", "example"]
+ }]
+}
+"""
diff --git a/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
new file mode 100644
index 0000000000..faea06edc3
--- /dev/null
+++ b/testing/web-platform/tests/credential-management/support/fedcm/accounts_no_approved_clients.py
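Review bot: The `same_site_strict` check in `main` passes vacuously when the cookie was never set, because `request.cookies.get(b"same_site_strict") == b"1"` is false both when the browser withholds the cookie and when the cookie does not exist. Within this diff the cookie is only set by `set_cookie.headers`, so the handler should state that precondition, e.g. `# Precondition: support/set_cookie was loaded for this host, so same_site_strict=1 exists and can be withheld.` The same applies to the identical check in `token_check_same_site_strict.py`. A short module docstring naming the 546 and 538 status codes would also help whoever reads a failing run.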
@@ -0,0 +1,30 @@ +import importlib +error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") + +def main(request, response): + request_error = error_checker.accountsCheck(request) + if (request_error): + return request_error + + response.headers.set(b"Content-Type", b"application/json") + + return """ +{ + "accounts": [{ + "id": "1234", + "given_name": "John", + "name": "John Doe", + "email": "john_doe@idp.example", + "picture": "https://idp.example/profile/123", + "login_hints": ["john_doe"], + "domain_hints": ["idp.example", "example"] + }, + { + "id": "jane_doe", + "given_name": "Jane", + "name": "Jane Doe", + "email": "jane_doe@idp.example", + "picture": "https://idp.example/profile/5678" + }] +} +""" diff --git a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py index 42b4f3f8fd..1b4831b51d 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/continue_on.py @@ -8,5 +8,7 @@ def main(request, response): response.headers.set(b"Content-Type", b"application/json") - return "{\"continue_on\": \"resolve.html\"}" + account = request.POST.get(b"account_id").decode("utf-8") + nonce = request.POST.get(b"nonce").decode("utf-8") + return "{\"continue_on\": \"resolve.html?selected=%s&%s\"}" % (account, nonce) diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json new file mode 100644 index 0000000000..d730415983 --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_check_same_site_strict.json 
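Review bot: In `continue_on.py`, `account` and `nonce` are interpolated into a hand-written JSON string and a URL with no escaping, so a value containing `"`, `\` or `&` yields malformed JSON or an altered query string. A missing form field also makes `request.POST.get(...)` return None, so `.decode` raises. Building the body with the standard library fixes the escaping: `return json.dumps({"continue_on": "resolve.html?selected=%s&%s" % (urllib.parse.quote(account), nonce)})`. `nonce` looks like it is deliberately passed through as a raw query fragment (resolve.html reads `accountId` from the query string), which deserves a comment. `main` begins outside the hunk, and `json` and `urllib.parse` would need importing at the top of the file.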
@@ -0,0 +1,7 @@ +{ + "accounts_endpoint": "accounts_check_same_site_strict.py", + "client_metadata_endpoint": "client_metadata.py", + "id_assertion_endpoint": "token_check_same_site_strict.py", + "login_url": "login.html" +} + diff --git a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json index 3f5a954b87..d7673c7e1b 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json +++ b/testing/web-platform/tests/credential-management/support/fedcm/manifest_with_continue_on.json @@ -1,5 +1,5 @@ { - "accounts_endpoint": "accounts.py", + "accounts_endpoint": "accounts_no_approved_clients.py", "client_metadata_endpoint": "client_metadata.py", "id_assertion_endpoint": "continue_on.py", "disconnect_endpoint": "disconnect.py", diff --git a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py index b774496d5d..6c610e6e20 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/request-params-check.py @@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request): def commonCredentialedRequestCheck(request): if request.cookies.get(b"cookie") != b"1": return (537, [], "Missing cookie") - if request.headers.get(b"Sec-Fetch-Site") != b"none": - return (538, [], "Wrong Sec-Fetch-Site header") def commonPostCheck(request): if not request.headers.get(b"Origin"): diff --git a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html index 87f5112cfd..dbdc28c324 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/resolve.html 
+++ b/testing/web-platform/tests/credential-management/support/fedcm/resolve.html @@ -1,7 +1,16 @@ <!DOCTYPE html> <script> async function doResolve() { - IdentityProvider.resolve("resolved token"); + let params = new URLSearchParams(document.location.search); + let options = {}; + if (params.get("accountId")) { + options.accountId = params.get("accountId"); + } + let token = "resolved token"; + if (params.get("selected")) { + token = "account=" + params.get("selected"); + } + IdentityProvider.resolve(token, options); } window.onload = doResolve; </script> diff --git a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py index ab34992210..15adf11324 100644 --- a/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py +++ b/testing/web-platform/tests/credential-management/support/fedcm/set_accounts_cookie.py @@ -15,6 +15,7 @@ def main(request, response): // If this page was opened as a popup, notify the opener. if (window.opener) { window.opener.postMessage("done_loading", "*"); + window.close(); } </script> Sent header value: {}".format(header_value) diff --git a/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py new file mode 100644 index 0000000000..8a4b3a234b --- /dev/null +++ b/testing/web-platform/tests/credential-management/support/fedcm/token_check_same_site_strict.py 
@@ -0,0 +1,15 @@ +import importlib +error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") + +def main(request, response): + request_error = error_checker.tokenCheck(request) + if (request_error): + return request_error + if request.cookies.get(b"same_site_strict") == b"1": + return (546, [], "Should not send SameSite=Strict cookies") + + response.headers.set(b"Content-Type", b"application/json") + response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin")) + response.headers.set(b"Access-Control-Allow-Credentials", "true") + + return "{\"token\": \"token\"}" diff --git a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html index 532db7047a..681fcd6787 100644 --- a/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html +++ b/testing/web-platform/tests/credential-management/support/fencedframe-mark-signedin.html @@ -3,13 +3,17 @@ <fencedframe></fencedframe> <script> -const url = new URL("mark_signedin", location.href); -document.querySelector("fencedframe").config = new FencedFrameConfig(url); - // If this page was opened as a popup, notify the opener when we are done loading. if (window.opener) { window.onload = function() { window.opener.postMessage("done_loading", "*"); }; } + +// This code is intentionally after the onload listener registration +// because it can throw if FencedFrameConfig is not defined. In that +// case, we still want to notify the opener to avoid a test timeout. +const url = new URL("mark_signedin", location.href); +document.querySelector("fencedframe").config = new FencedFrameConfig(url); + </script> diff --git a/testing/web-platform/tests/credential-management/support/set_cookie b/testing/web-platform/tests/credential-management/support/set_cookie index 1080b366e4..2c3196058a 100644 
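Review bot: `main` in `token_check_same_site_strict.py` copies the request's `Origin` header into `Access-Control-Allow-Origin` and also sends `Access-Control-Allow-Credentials: true`, which permits credentialed reads from whichever origin asked. That is acceptable for this fixture only if `error_checker.tokenCheck` has already validated the header, which is not visible in this hunk. A comment such as `# Test fixture: Origin is echoed after tokenCheck(); do not reuse outside tests.` would record that assumption. The credentials value is also passed as a str while the other header values are bytes, so `b"true"` would be consistent.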
--- a/testing/web-platform/tests/credential-management/support/set_cookie +++ b/testing/web-platform/tests/credential-management/support/set_cookie @@ -6,6 +6,7 @@ // If this page was opened as a popup, notify the opener. if (window.opener) { window.opener.postMessage("done_loading", "*"); + window.close(); } </script> </body> diff --git a/testing/web-platform/tests/credential-management/support/set_cookie.headers b/testing/web-platform/tests/credential-management/support/set_cookie.headers index b19ff933a6..4226ff4c99 100644 --- a/testing/web-platform/tests/credential-management/support/set_cookie.headers +++ b/testing/web-platform/tests/credential-management/support/set_cookie.headers @@ -1,2 +1,3 @@ Content-Type: text/html Set-Cookie: cookie=1; SameSite=None; Secure +Set-Cookie: same_site_strict=1; SameSite=Strict; Secure |