Don't use @builder in FinishAssertionSteps and FinishRegistrationSteps

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -43,11 +43,9 @@
 import java.security.spec.InvalidKeySpecException;
 import java.util.Optional;
 import java.util.Set;
-import lombok.Builder;
 import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
 
-@Builder
 @Slf4j
 final class FinishAssertionSteps {
 
@@ -60,10 +58,21 @@ final class FinishAssertionSteps {
   private final Set<String> origins;
   private final String rpId;
   private final CredentialRepository credentialRepository;
-
-  @Builder.Default private final boolean allowOriginPort = false;
-  @Builder.Default private final boolean allowOriginSubdomain = false;
-  @Builder.Default private final boolean validateSignatureCounter = true;
+  private final boolean allowOriginPort;
+  private final boolean allowOriginSubdomain;
+  private final boolean validateSignatureCounter;
+
+  FinishAssertionSteps(RelyingParty rp, FinishAssertionOptions options) {
+    this.request = options.getRequest();
+    this.response = options.getResponse();
+    this.callerTokenBindingId = options.getCallerTokenBindingId();
+    this.origins = rp.getOrigins();
+    this.rpId = rp.getIdentity().getId();
+    this.credentialRepository = rp.getCredentialRepository();
+    this.allowOriginPort = rp.isAllowOriginPort();
+    this.allowOriginSubdomain = rp.isAllowOriginSubdomain();
+    this.validateSignatureCounter = rp.isValidateSignatureCounter();
+  }
 
   public Step5 begin() {
     return new Step5();

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -64,11 +64,9 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import lombok.Builder;
 import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
 
-@Builder
 @Slf4j
 final class FinishRegistrationSteps {
 
@@ -87,9 +85,22 @@ final class FinishRegistrationSteps {
   private final Optional<AttestationTrustSource> attestationTrustSource;
   private final CredentialRepository credentialRepository;
   private final Clock clock;
-
-  @Builder.Default private final boolean allowOriginPort = false;
-  @Builder.Default private final boolean allowOriginSubdomain = false;
+  private final boolean allowOriginPort;
+  private final boolean allowOriginSubdomain;
+
+  FinishRegistrationSteps(RelyingParty rp, FinishRegistrationOptions options) {
+    this.request = options.getRequest();
+    this.response = options.getResponse();
+    this.callerTokenBindingId = options.getCallerTokenBindingId();
+    this.origins = rp.getOrigins();
+    this.rpId = rp.getIdentity().getId();
+    this.allowUntrustedAttestation = rp.isAllowUntrustedAttestation();
+    this.attestationTrustSource = rp.getAttestationTrustSource();
+    this.credentialRepository = rp.getCredentialRepository();
+    this.clock = rp.getClock();
+    this.allowOriginPort = rp.isAllowOriginPort();
+    this.allowOriginSubdomain = rp.isAllowOriginSubdomain();
+  }
 
   public Step6 begin() {
     return new Step6();

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -29,14 +29,9 @@
 import com.yubico.webauthn.attestation.AttestationTrustSource;
 import com.yubico.webauthn.data.AssertionExtensionInputs;
 import com.yubico.webauthn.data.AttestationConveyancePreference;
-import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
-import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.ByteArray;
-import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
-import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.CollectedClientData;
-import com.yubico.webauthn.data.PublicKeyCredential;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
 import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions.PublicKeyCredentialCreationOptionsBuilder;
 import com.yubico.webauthn.data.PublicKeyCredentialParameters;
@@ -498,11 +493,7 @@ public PublicKeyCredentialCreationOptions startRegistration(
   public RegistrationResult finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
       throws RegistrationFailedException {
     try {
-      return _finishRegistration(
-              finishRegistrationOptions.getRequest(),
-              finishRegistrationOptions.getResponse(),
-              finishRegistrationOptions.getCallerTokenBindingId())
-          .run();
+      return _finishRegistration(finishRegistrationOptions).run();
     } catch (IllegalArgumentException e) {
       throw new RegistrationFailedException(e);
     }
@@ -515,24 +506,8 @@ public RegistrationResult finishRegistration(FinishRegistrationOptions finishReg
    * It is a separate method to facilitate testing; users should call {@link
    * #finishRegistration(FinishRegistrationOptions)} instead of this method.
    */
-  FinishRegistrationSteps _finishRegistration(
-      PublicKeyCredentialCreationOptions request,
-      PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
-          response,
-      Optional<ByteArray> callerTokenBindingId) {
-    return FinishRegistrationSteps.builder()
-        .request(request)
-        .response(response)
-        .callerTokenBindingId(callerTokenBindingId)
-        .credentialRepository(credentialRepository)
-        .origins(origins)
-        .rpId(identity.getId())
-        .allowOriginPort(allowOriginPort)
-        .allowOriginSubdomain(allowOriginSubdomain)
-        .allowUntrustedAttestation(allowUntrustedAttestation)
-        .attestationTrustSource(attestationTrustSource)
-        .clock(clock)
-        .build();
+  FinishRegistrationSteps _finishRegistration(FinishRegistrationOptions options) {
+    return new FinishRegistrationSteps(this, options);
   }
 
   public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptions) {
@@ -576,11 +551,7 @@ public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptio
   public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOptions)
       throws AssertionFailedException {
     try {
-      return _finishAssertion(
-              finishAssertionOptions.getRequest(),
-              finishAssertionOptions.getResponse(),
-              finishAssertionOptions.getCallerTokenBindingId())
-          .run();
+      return _finishAssertion(finishAssertionOptions).run();
     } catch (IllegalArgumentException e) {
       throw new AssertionFailedException(e);
     }
@@ -593,22 +564,8 @@ public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOpt
    * a separate method to facilitate testing; users should call {@link
    * #finishAssertion(FinishAssertionOptions)} instead of this method.
    */
-  FinishAssertionSteps _finishAssertion(
-      AssertionRequest request,
-      PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> response,
-      Optional<ByteArray> callerTokenBindingId // = None.asJava
-      ) {
-    return FinishAssertionSteps.builder()
-        .request(request)
-        .response(response)
-        .callerTokenBindingId(callerTokenBindingId)
-        .origins(origins)
-        .rpId(identity.getId())
-        .credentialRepository(credentialRepository)
-        .allowOriginPort(allowOriginPort)
-        .allowOriginSubdomain(allowOriginSubdomain)
-        .validateSignatureCounter(validateSignatureCounter)
-        .build();
+  FinishAssertionSteps _finishAssertion(FinishAssertionOptions options) {
+    return new FinishAssertionSteps(this, options);
   }
 
   public static RelyingPartyBuilder.MandatoryStages builder() {

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -277,9 +277,15 @@ class RelyingPartyAssertionSpec
 
     origins.map(_.asJava).foreach(builder.origins _)
 
+    val fao = FinishAssertionOptions
+      .builder()
+      .request(request)
+      .response(response)
+      .callerTokenBindingId(callerTokenBindingId.toJava)
+
     builder
       .build()
-      ._finishAssertion(request, response, callerTokenBindingId.toJava)
+      ._finishAssertion(fao.build())
   }
 
   testWithEachProvider { it =>

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -175,17 +175,22 @@ class RelyingPartyRegistrationSpec
 
     origins.map(_.asJava).foreach(builder.origins _)
 
-    builder
-      .build()
-      ._finishRegistration(
+    val fro = FinishRegistrationOptions
+      .builder()
+      .request(
         pubkeyCredParams
           .map(pkcp =>
             testData.request.toBuilder.pubKeyCredParams(pkcp.asJava).build()
           )
-          .getOrElse(testData.request),
-        testData.response,
-        callerTokenBindingId.toJava,
+          .getOrElse(testData.request)
       )
+      .response(testData.response)
+      .callerTokenBindingId(callerTokenBindingId.toJava)
+      .build()
+
+    builder
+      .build()
+      ._finishRegistration(fro)
   }
 
   val emptyTrustSource = new AttestationTrustSource {