Merge branch 'master' into removed-leases-revoke-wallet-instances-collection

Author: silvicir

apps/io-wallet-user-func/CHANGELOG.md

@@ -1,5 +1,11 @@
 # io-wallet-user-func
 
+## 4.1.7
+
+### Patch Changes
+
+- f78da99: Refactors the MobileAttestationService class
+
 ## 4.1.6
 
 ### Patch Changes

apps/io-wallet-user-func/package.json

@@ -1,6 +1,6 @@
 {
   "name": "io-wallet-user-func",
-  "version": "4.1.6",
+  "version": "4.1.7",
   "private": true,
   "scripts": {
     "build": "tsup-node",

apps/io-wallet-user-func/src/infra/mobile-attestation-service/android/index.ts

@@ -4,8 +4,8 @@ import { X509Certificate } from "crypto";
 import * as E from "fp-ts/Either";
 import { flow, pipe } from "fp-ts/function";
 import * as J from "fp-ts/Json";
-import * as RA from "fp-ts/lib/ReadonlyArray";
 import * as S from "fp-ts/lib/string";
+import * as RA from "fp-ts/ReadonlyArray";
 import * as TE from "fp-ts/TaskEither";
 import * as t from "io-ts";
 import { AndroidDeviceDetails } from "io-wallet-common/device-details";
@@ -26,97 +26,96 @@ const DeviceDetailsWithKey = t.type({
   hardwareKey: JwkPublicKey,
 });
 
+export const parseAndroidAttestation = (data: Buffer) =>
+  pipe(
+    data.toString("utf-8"),
+    S.split(","),
+    RA.map((b64) =>
+      E.tryCatch(
+        () => new X509Certificate(base64ToPem(b64)),
+        () => new AndroidAttestationError("Unable to decode X509 certificate"),
+      ),
+    ),
+    RA.sequence(E.Applicative),
+  );
+
 export const validateAndroidAttestation = (
-  data: Buffer,
+  x509Chain: readonly X509Certificate[],
   nonce: NonEmptyString,
   bundleIdentifiers: string[],
   googlePublicKeys: string[],
   androidCrlUrl: string,
   httpRequestTimeout: number,
 ): TE.TaskEither<Error | ValidationError, ValidatedAttestation> =>
   pipe(
-    data.toString("utf-8"),
-    S.split(","),
-    RA.map(
-      flow(base64ToPem, (cert) =>
-        E.tryCatch(
-          () => new X509Certificate(cert),
-          () =>
-            new AndroidAttestationError(`Unable to decode X509 certificate`),
-        ),
+    getCrlFromUrl(androidCrlUrl, httpRequestTimeout),
+    TE.chain((attestationCrl) =>
+      TE.tryCatch(
+        () =>
+          verifyAttestation({
+            attestationCrl,
+            bundleIdentifiers,
+            challenge: nonce,
+            googlePublicKeys,
+            x509Chain,
+          }),
+        E.toError,
       ),
     ),
-    RA.sequence(E.Applicative),
-    TE.fromEither,
-    TE.chain((x509Chain) =>
-      pipe(
-        getCrlFromUrl(androidCrlUrl, httpRequestTimeout),
-        TE.chain((attestationCrl) =>
-          TE.tryCatch(
-            () =>
-              verifyAttestation({
-                attestationCrl,
-                bundleIdentifiers,
-                challenge: nonce,
-                googlePublicKeys,
-                x509Chain,
-              }),
-            E.toError,
+    TE.chain((attestationValidationResult) =>
+      attestationValidationResult.success
+        ? TE.right(attestationValidationResult)
+        : TE.left(
+            new AndroidAttestationError(attestationValidationResult.reason),
           ),
-        ),
-        TE.chain((attestationValidationResult) =>
-          attestationValidationResult.success
-            ? TE.right(attestationValidationResult)
-            : TE.left(
-                new AndroidAttestationError(attestationValidationResult.reason),
-              ),
-        ),
-        TE.chainW(flow(parse(DeviceDetailsWithKey), TE.fromEither)),
-      ),
     ),
+    TE.chainW(flow(parse(DeviceDetailsWithKey), TE.fromEither)),
   );
 
-export const validateAndroidAssertion = (
-  integrityAssertion: NonEmptyString,
-  hardwareSignature: NonEmptyString,
-  clientData: string,
-  hardwareKey: JwkPublicKey,
-  bundleIdentifiers: string[],
-  androidPlayStoreCertificateHash: string,
+export const parseGoogleAppCredentials = (
   googleAppCredentialsEncoded: string,
-  androidPlayIntegrityUrl: string,
-  allowDevelopmentEnvironment: boolean,
 ) =>
   pipe(
     E.tryCatch(
       () => Buffer.from(googleAppCredentialsEncoded, "base64").toString(),
       E.toError,
     ),
     E.chain(J.parse),
+    E.chainW(parse(GoogleAppCredentials)),
     E.mapLeft(
       () =>
         new AndroidAssertionError(
           "Unable to parse Google App Credentials string",
         ),
     ),
-    E.chainW(parse(GoogleAppCredentials, "Invalid Google App Credentials")),
-    TE.fromEither,
-    TE.chain((googleAppCredentials) =>
-      TE.tryCatch(
-        () =>
-          verifyAssertion({
-            allowDevelopmentEnvironment,
-            androidPlayIntegrityUrl,
-            androidPlayStoreCertificateHash,
-            bundleIdentifiers,
-            clientData,
-            googleAppCredentials,
-            hardwareKey,
-            hardwareSignature,
-            integrityAssertion,
-          }),
-        E.toError,
-      ),
+  );
+
+export const validateAndroidAssertion = (
+  integrityAssertion: NonEmptyString,
+  hardwareSignature: NonEmptyString,
+  clientData: string,
+  hardwareKey: JwkPublicKey,
+  bundleIdentifiers: string[],
+  androidPlayStoreCertificateHash: string,
+  googleAppCredentials: GoogleAppCredentials,
+  androidPlayIntegrityUrl: string,
+  allowDevelopmentEnvironment: boolean,
+) =>
+  pipe(
+    TE.tryCatch(
+      () =>
+        verifyAssertion({
+          allowDevelopmentEnvironment,
+          androidPlayIntegrityUrl,
+          androidPlayStoreCertificateHash,
+          bundleIdentifiers,
+          clientData,
+          googleAppCredentials,
+          hardwareKey,
+          hardwareSignature,
+          integrityAssertion,
+        }),
+      E.toError,
     ),
     TE.chain((assertionValidationResult) =>
       assertionValidationResult.success

apps/io-wallet-user-func/src/infra/mobile-attestation-service/index.ts

@@ -2,12 +2,10 @@ import { ValidationError } from "@pagopa/handler-kit";
 import { FiscalCode, NonEmptyString } from "@pagopa/ts-commons/lib/strings";
 import { createPublicKey } from "crypto";
 import * as E from "fp-ts/Either";
-import { identity, pipe } from "fp-ts/function";
+import { pipe } from "fp-ts/function";
 import * as J from "fp-ts/Json";
-import { Separated } from "fp-ts/lib/Separated";
 import * as O from "fp-ts/Option";
 import * as RA from "fp-ts/ReadonlyArray";
-import * as T from "fp-ts/Task";
 import * as TE from "fp-ts/TaskEither";
 import { JwkPublicKey } from "io-wallet-common/jwk";
 import { calculateJwkThumbprint } from "jose";
@@ -21,10 +19,17 @@ import {
 } from "@/attestation-service";
 
 import {
+  parseAndroidAttestation,
+  parseGoogleAppCredentials,
   validateAndroidAssertion,
   validateAndroidAttestation,
 } from "./android";
-import { validateiOSAssertion, validateiOSAttestation } from "./ios";
+import {
+  parseIosAssertion,
+  parseIosAttestation,
+  validateiOSAssertion,
+  validateiOSAttestation,
+} from "./ios";
 
 export class IntegrityCheckError extends Error {
   name = "IntegrityCheckError";
@@ -36,18 +41,6 @@ export class IntegrityCheckError extends Error {
 const toIntegrityCheckError = (e: Error | ValidationError): Error =>
   e instanceof ValidationError ? new IntegrityCheckError(e.violations) : e;
 
-const getErrorsOrFirstValidValue = (
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  validated: Separated<readonly Error[], readonly any[]>,
-) =>
-  pipe(
-    validated.right,
-    RA.head,
-    E.fromOption(
-      () => new IntegrityCheckError(validated.left.map((el) => el.message)),
-    ),
-  );
-
 export class MobileAttestationService implements AttestationService {
   #configuration: AttestationServiceConfiguration;
 
@@ -87,41 +80,55 @@ export class MobileAttestationService implements AttestationService {
       TE.tryCatch(() => calculateJwkThumbprint(jwk, "sha256"), E.toError),
       TE.chainEitherKW((jwk_thumbprint) =>
         pipe(
-          {
-            challenge: nonce,
-            jwk_thumbprint,
-          },
+          { challenge: nonce, jwk_thumbprint },
           J.stringify,
           E.mapLeft(() => new ValidationError(["Unable to create clientData"])),
         ),
       ),
       TE.chainW((clientData) =>
         pipe(
-          [
+          parseIosAssertion({
+            hardwareSignature,
+            integrityAssertion,
+          }),
+          TE.fromEither,
+          TE.chainW((decodedAssertion) =>
             validateiOSAssertion(
-              integrityAssertion,
-              hardwareSignature,
+              decodedAssertion,
               clientData,
               hardwareKey,
               signCount,
               this.#configuration.iosBundleIdentifiers,
               this.#configuration.iOsTeamIdentifier,
               this.#configuration.skipSignatureValidation,
             ),
-            validateAndroidAssertion(
-              integrityAssertion,
-              hardwareSignature,
-              clientData,
-              hardwareKey,
-              this.#configuration.androidBundleIdentifiers,
-              this.#configuration.androidPlayStoreCertificateHash,
-              this.#configuration.googleAppCredentialsEncoded,
-              this.#configuration.androidPlayIntegrityUrl,
-              this.allowDevelopmentEnvironmentForUser(user),
+          ),
+          TE.orElseW((iosErr) =>
+            pipe(
+              parseGoogleAppCredentials(
+                this.#configuration.googleAppCredentialsEncoded,
+              ),
+              TE.fromEither,
+              TE.chain((googleAppCredentials) =>
+                validateAndroidAssertion(
+                  integrityAssertion,
+                  hardwareSignature,
+                  clientData,
+                  hardwareKey,
+                  this.#configuration.androidBundleIdentifiers,
+                  this.#configuration.androidPlayStoreCertificateHash,
+                  googleAppCredentials,
+                  this.#configuration.androidPlayIntegrityUrl,
+                  this.allowDevelopmentEnvironmentForUser(user),
+                ),
+              ),
+              TE.orElseW((androidErr) =>
+                TE.left(
+                  new IntegrityCheckError([iosErr.message, androidErr.message]),
+                ),
+              ),
             ),
-          ],
-          RA.wilt(T.ApplicativePar)(identity),
-          T.map(getErrorsOrFirstValidValue),
+          ),
         ),
       ),
     );
@@ -140,32 +147,44 @@ export class MobileAttestationService implements AttestationService {
       TE.fromEither,
       TE.chainW((data) =>
         pipe(
-          [
+          parseIosAttestation(data),
+          TE.fromEither,
+          TE.chainW((decoded) =>
             validateiOSAttestation(
-              data,
+              decoded,
               nonce,
               hardwareKeyTag,
               this.#configuration.iosBundleIdentifiers,
               this.#configuration.iOsTeamIdentifier,
               this.#configuration.appleRootCertificate,
               this.allowDevelopmentEnvironmentForUser(user),
             ),
+          ),
+          TE.orElseW((iosErr) =>
             pipe(
-              validateAndroidAttestation(
-                data,
-                nonce,
-                this.#configuration.androidBundleIdentifiers,
-                this.#configuration.googlePublicKeys,
-                this.#configuration.androidCrlUrl,
-                this.#configuration.httpRequestTimeout,
+              parseAndroidAttestation(data),
+              TE.fromEither,
+              TE.chainW((x509Chain) =>
+                validateAndroidAttestation(
+                  x509Chain,
+                  nonce,
+                  this.#configuration.androidBundleIdentifiers,
+                  this.#configuration.googlePublicKeys,
+                  this.#configuration.androidCrlUrl,
+                  this.#configuration.httpRequestTimeout,
+                ),
               ),
               TE.mapLeft(toIntegrityCheckError),
+              TE.orElseW((androidErr) =>
+                TE.left(
+                  new IntegrityCheckError([iosErr.message, androidErr.message]),
+                ),
+              ),
             ),
-          ],
-          RA.wilt(T.ApplicativeSeq)(identity),
-          T.map(getErrorsOrFirstValidValue),
+          ),
         ),
       ),
     );
 }
+
 export { ValidatedAttestation };