Merge pull request #342 from cedarcode/braulio_fix_acceptable_attestation_types_inclusion_for_none

grzuy · web-flow · commit 3c2d2fac47b5 · 2021-02-15T13:28:34.000-03:00
Fix: validate acceptable attestation type inclusion when attestation statement is None
diff --git a/lib/webauthn/attestation_statement/none.rb b/lib/webauthn/attestation_statement/none.rb
@@ -6,12 +6,18 @@ module WebAuthn
   module AttestationStatement
     class None < Base
       def valid?(*_args)
-        if statement == {}
+        if statement == {} && trustworthy?
           [WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE, nil]
         else
           false
         end
       end
+
+      private
+
+      def attestation_type
+        WebAuthn::AttestationStatement::ATTESTATION_TYPE_NONE
+      end
     end
   end
 end
diff --git a/spec/webauthn/attestation_statement/none_spec.rb b/spec/webauthn/attestation_statement/none_spec.rb
@@ -31,5 +31,11 @@
       expect(WebAuthn::AttestationStatement::None.new([]).valid?(authenticator_data, nil)).to be_falsy
       expect(WebAuthn::AttestationStatement::None.new("a" => "b").valid?(authenticator_data, nil)).to be_falsy
     end
+
+    it "returns false if None is not among the acceptable attestation types" do
+      WebAuthn.configuration.acceptable_attestation_types = ['AttCA']
+
+      expect(WebAuthn::AttestationStatement::None.new({}).valid?(authenticator_data, nil)).to be_falsy
+    end
   end
 end
