Bug 1981587 - expose enterprise policy configurable pref to allow direct attestation. a=RyanVM

Original Revision: https://phabricator.services.mozilla.com/D265375

Differential Revision: https://phabricator.services.mozilla.com/D266840

browser/components/enterprisepolicies/Policies.sys.mjs

@@ -2080,6 +2080,7 @@ export var Policies = {
         "security.tls.hello_downgrade_check",
         "security.tls.version.enable-deprecated",
         "security.warn_submit_secure_to_insecure",
+        "security.webauthn.always_allow_direct_attestation",
       ];
       const blockedPrefs = [
         "app.update.channel",

browser/components/enterprisepolicies/tests/xpcshell/test_simple_pref_policies.js

@@ -1184,6 +1184,21 @@ const POLICIES_TESTS = [
       // browser/components/enterprisepolicies/tests/browser/browser_policy_usermessaging.js
     },
   },
+
+  // Bug 1981587
+  {
+    policies: {
+      Preferences: {
+        "security.webauthn.always_allow_direct_attestation": {
+          Value: true,
+          Status: "locked",
+        },
+      },
+    },
+    lockedPrefs: {
+      "security.webauthn.always_allow_direct_attestation": true,
+    },
+  },
 ];
 
 add_task(async function test_policy_simple_prefs() {

dom/webauthn/WebAuthnService.cpp

@@ -31,14 +31,12 @@ void WebAuthnService::ShowAttestationConsentPrompt(
       NS_NewRunnableFunction(__func__, [self, aTransactionId]() {
         self->SetHasAttestationConsent(
             aTransactionId,
-            StaticPrefs::
-                security_webauth_webauthn_testing_allow_direct_attestation());
+            StaticPrefs::security_webauthn_always_allow_direct_attestation());
       }));
 #else
   nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
       __func__, [self, aOrigin, aTransactionId, aBrowsingContextId]() {
-        if (StaticPrefs::
-                security_webauth_webauthn_testing_allow_direct_attestation()) {
+        if (StaticPrefs::security_webauthn_always_allow_direct_attestation()) {
           self->SetHasAttestationConsent(aTransactionId, true);
           return;
         }

dom/webauthn/tests/test_webauthn_attestation_conveyance.html

@@ -22,7 +22,7 @@
 
     add_task(async () => {
       await SpecialPowers.pushPrefEnv({"set": [
-        ["security.webauth.webauthn_testing_allow_direct_attestation", true],
+        ["security.webauthn.always_allow_direct_attestation", true],
       ]});
       await addVirtualAuthenticator();
     });

dom/webauthn/tests/test_webauthn_loopback.html

@@ -22,7 +22,7 @@
 add_task(async function() {
   // This test intentionally compares items to themselves.
   /* eslint-disable no-self-compare */
-  await SpecialPowers.pushPrefEnv({"set": [["security.webauth.webauthn_testing_allow_direct_attestation", true]]});
+  await SpecialPowers.pushPrefEnv({"set": [["security.webauthn.always_allow_direct_attestation", true]]});
   await addVirtualAuthenticator();
   is(navigator.authentication, undefined, "navigator.authentication does not exist any longer");
   isnot(navigator.credentials, undefined, "Credential Management API endpoint must exist");

modules/libpref/init/StaticPrefList.yaml

@@ -16721,8 +16721,8 @@
   mirror: always
   rust: true
 
-# Skip direct attestation consent prompts (for tests).
-- name: security.webauth.webauthn_testing_allow_direct_attestation
+# Skip direct attestation consent prompts
+- name: security.webauthn.always_allow_direct_attestation
   type: RelaxedAtomicBool
   value: false
   mirror: always

testing/profiles/web-platform/user.js

@@ -87,7 +87,7 @@ user_pref("security.webauth.webauthn_enable_softtoken", true);
 // Disable hardware WebAuthn authenticators.
 user_pref("security.webauth.webauthn_enable_usbtoken", false);
 // Disable the WebAuthn direct attestation consent prompt.
-user_pref("security.webauth.webauthn_testing_allow_direct_attestation", true);
+user_pref("security.webauthn.always_allow_direct_attestation", true);
 // Enable WebAuthn conditional mediation.
 user_pref("security.webauthn.enable_conditional_mediation", true);
 // Disable captive portal service