Additional WebAuthn4jRelyingPartyOperationTests

- verify that anonymous users not saved
- verify that when user found the CredentialRecord is allowed

Issue spring-projectsgh-16385

Author: rwinch

web/src/test/java/org/springframework/security/web/webauthn/management/Webauthn4jRelyingPartyOperationsTests.java

@@ -42,6 +42,8 @@
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse.AuthenticatorAttestationResponseBuilder;
 import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
@@ -66,6 +68,7 @@
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.assertThatRuntimeException;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.verifyNoInteractions;
 
 @ExtendWith(MockitoExtension.class)
 class Webauthn4jRelyingPartyOperationsTests {
@@ -546,15 +549,38 @@ void createCredentialRequestOptionsWhenAnonymousAuthentication() {
 			.createCredentialRequestOptions(createRequest);
 
 		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
+		// verify anonymous user not saved
+		verifyNoInteractions(this.userEntities);
 	}
 
 	@Test
 	void createCredentialRequestOptionsWhenNullAuthentication() {
-		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(null);
+		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(
+				null);
 		PublicKeyCredentialRequestOptions credentialRequestOptions = this.rpOperations
 			.createCredentialRequestOptions(createRequest);
 
 		assertThat(credentialRequestOptions.getAllowCredentials()).isEmpty();
+		// verify anonymous user not saved
+		verifyNoInteractions(this.userEntities);
+	}
+
+	@Test
+	void createCredentialRequestOptionsWhenAuthenticated() {
+		UserDetails user = PasswordEncodedUser.user();
+		UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(user, null,
+				user.getAuthorities());
+		PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntity.userEntity().build();
+		CredentialRecord credentialRecord = TestCredentialRecord.userCredential().build();
+		given(this.userEntities.findByUsername(user.getUsername())).willReturn(userEntity);
+		given(this.userCredentials.findByUserId(userEntity.getId())).willReturn(Arrays.asList(credentialRecord));
+		PublicKeyCredentialRequestOptionsRequest createRequest = new ImmutablePublicKeyCredentialRequestOptionsRequest(
+				auth);
+		PublicKeyCredentialRequestOptions credentialRequestOptions = this.rpOperations
+			.createCredentialRequestOptions(createRequest);
+
+		assertThat(credentialRequestOptions.getAllowCredentials()).extracting(PublicKeyCredentialDescriptor::getId)
+			.containsExactly(credentialRecord.getCredentialId());
 	}
 
 	private static AuthenticatorAttestationResponse setFlag(byte... flags) throws Exception {