devices: shrink credentials by removing unnecessary data (#2951)

pkg/grpc/device/device.go

@@ -170,6 +170,8 @@ func PutCredential(
 	client databroker.DataBrokerServiceClient,
 	credential *Credential,
 ) error {
+	shrinkCredential(credential)
+
 	any := protoutil.NewAny(credential)
 	_, err := client.Put(ctx, &databroker.PutRequest{
 		Record: &databroker.Record{
@@ -214,3 +216,33 @@ func PutOwnerCredentialRecord(
 	})
 	return err
 }
+
+var maxCredentialSize = 256 * 1024
+
+// shrinkCredential shrinks a credential object by removing unnecessary responses and options
+// until its within the max credential size
+func shrinkCredential(credential *Credential) {
+	for len(protoutil.NewAny(credential).GetValue()) > maxCredentialSize {
+		if specifier := credential.Specifier.(*Credential_Webauthn); specifier != nil {
+			// (1) remove authenticate responses
+			if len(specifier.Webauthn.AuthenticateResponse) > 0 {
+				specifier.Webauthn.AuthenticateResponse = specifier.Webauthn.AuthenticateResponse[1:]
+				continue
+			}
+
+			// (2) remove register response
+			if len(specifier.Webauthn.RegisterResponse) > 0 {
+				specifier.Webauthn.RegisterResponse = nil
+				continue
+			}
+
+			// (3) remove register options
+			if len(specifier.Webauthn.RegisterOptions) > 0 {
+				specifier.Webauthn.RegisterOptions = nil
+				continue
+			}
+		}
+
+		break
+	}
+}

pkg/grpc/device/device_test.go

@@ -0,0 +1,106 @@
+package device
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestShrinkCredential(t *testing.T) {
+	t.Run("authenticate response", func(t *testing.T) {
+		credential := &Credential{
+			Id:           "c1",
+			TypeId:       "t1",
+			EnrollmentId: "e1",
+			UserId:       "u1",
+			Specifier: &Credential_Webauthn{
+				Webauthn: &Credential_WebAuthn{
+					Id:        []byte{0, 1, 2},
+					PublicKey: []byte{3, 4, 5},
+
+					RegisterOptions:  bytes.Repeat([]byte{1}, 10),
+					RegisterResponse: bytes.Repeat([]byte{2}, 10),
+					AuthenticateResponse: [][]byte{
+						bytes.Repeat([]byte{3}, 64*1024),
+						bytes.Repeat([]byte{4}, 64*1024),
+						bytes.Repeat([]byte{5}, 64*1024),
+						bytes.Repeat([]byte{6}, 64*1024),
+						bytes.Repeat([]byte{7}, 64*1024),
+						bytes.Repeat([]byte{8}, 64*1024),
+					},
+				},
+			},
+		}
+		shrinkCredential(credential)
+
+		assert.Equal(t, "c1", credential.GetId())
+		assert.Equal(t, "t1", credential.GetTypeId())
+		assert.Equal(t, "e1", credential.GetEnrollmentId())
+		assert.Equal(t, "u1", credential.GetUserId())
+		assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
+		assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
+		assert.Equal(t, bytes.Repeat([]byte{1}, 10), credential.GetWebauthn().GetRegisterOptions())
+		assert.Equal(t, bytes.Repeat([]byte{2}, 10), credential.GetWebauthn().GetRegisterResponse())
+		assert.Equal(t, [][]byte{
+			bytes.Repeat([]byte{6}, 64*1024),
+			bytes.Repeat([]byte{7}, 64*1024),
+			bytes.Repeat([]byte{8}, 64*1024),
+		}, credential.GetWebauthn().GetAuthenticateResponse())
+	})
+	t.Run("register response", func(t *testing.T) {
+		credential := &Credential{
+			Id:           "c1",
+			TypeId:       "t1",
+			EnrollmentId: "e1",
+			UserId:       "u1",
+			Specifier: &Credential_Webauthn{
+				Webauthn: &Credential_WebAuthn{
+					Id:        []byte{0, 1, 2},
+					PublicKey: []byte{3, 4, 5},
+
+					RegisterOptions:  bytes.Repeat([]byte{1}, 10),
+					RegisterResponse: bytes.Repeat([]byte{2}, 256*1024),
+				},
+			},
+		}
+		shrinkCredential(credential)
+
+		assert.Equal(t, "c1", credential.GetId())
+		assert.Equal(t, "t1", credential.GetTypeId())
+		assert.Equal(t, "e1", credential.GetEnrollmentId())
+		assert.Equal(t, "u1", credential.GetUserId())
+		assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
+		assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
+		assert.Equal(t, bytes.Repeat([]byte{1}, 10), credential.GetWebauthn().GetRegisterOptions())
+		assert.Empty(t, credential.GetWebauthn().GetRegisterResponse())
+		assert.Empty(t, credential.GetWebauthn().GetAuthenticateResponse())
+	})
+	t.Run("register options", func(t *testing.T) {
+		credential := &Credential{
+			Id:           "c1",
+			TypeId:       "t1",
+			EnrollmentId: "e1",
+			UserId:       "u1",
+			Specifier: &Credential_Webauthn{
+				Webauthn: &Credential_WebAuthn{
+					Id:        []byte{0, 1, 2},
+					PublicKey: []byte{3, 4, 5},
+
+					RegisterOptions: bytes.Repeat([]byte{1}, 256*1024),
+				},
+			},
+		}
+		shrinkCredential(credential)
+
+		assert.Equal(t, "c1", credential.GetId())
+		assert.Equal(t, "t1", credential.GetTypeId())
+		assert.Equal(t, "e1", credential.GetEnrollmentId())
+		assert.Equal(t, "u1", credential.GetUserId())
+		assert.Equal(t, []byte{0, 1, 2}, credential.GetWebauthn().GetId())
+		assert.Equal(t, []byte{3, 4, 5}, credential.GetWebauthn().GetPublicKey())
+		assert.Empty(t, credential.GetWebauthn().GetRegisterOptions())
+		assert.Empty(t, credential.GetWebauthn().GetRegisterResponse())
+		assert.Empty(t, credential.GetWebauthn().GetAuthenticateResponse())
+	})
+}