base-org / webauthn-sol

MIT License

Fuzzing tests for assertion signatures verification #7

Closed xenoliss closed 6 months ago

xenoliss commented 6 months ago

The WebAuthn tests have been relocated to a dedicated folder in the test directory, and new fuzzing tests targeting the WebAuthn.verify method have been introduced. The test/fixtures/assertions_fixture.json file contains verification test cases generated using Python scripts (explained below) and is retained as an artifact for use by the fuzzing tests.

This PR introduces several Python scripts in test/helpers to facilitate the generation of new test cases:

There is still room for improvement in the following areas:

  1. Integration with other web drivers (e.g., Safari, Firefox) to generate a more diverse set of assertion responses.
  2. Enhancement of the assertion response generation to be more dynamic, possibly not enforcing user presence.
  3. Consideration of adding a test suite that dynamically starts the Python scripts on the fly, rather than generating test cases beforehand. This could contribute to a more comprehensive fuzzing campaign.
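
The kind of fixture generation the PR description above refers to, as an added example that is not code from this PR or the webauthn-sol repository: it builds the unsigned parts of WebAuthn assertions across the user-present/user-verified flag combinations and records the outcome expected from the checks made before signature verification. The field names, the `example.test` relying party and the assumption that the verifier requires user presence are illustrative; signing the message with a P-256 key is left out.

```python
import base64, hashlib, json, os, struct

UP, UV = 0x01, 0x04  # WebAuthn flag bits: user present, user verified

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_case(challenge: bytes, flags: int, rp_id="example.test",
              origin="https://example.test", sign_count=0) -> dict:
    """Build the unsigned parts of one assertion (constructed sample values)."""
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}, separators=(",", ":"))
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    return {"challenge": challenge.hex(),            # hypothetical field names
            "authenticator_data": auth_data.hex(),
            "client_data_json": client_data,
            "message_hash": hashlib.sha256(signed).hexdigest()}

def expected_precheck(case: dict, challenge: bytes, require_uv: bool) -> bool:
    """Oracle for the checks made before the signature is looked at.
    Assumes a verifier that always requires UP and optionally requires UV."""
    auth_data = bytes.fromhex(case["authenticator_data"])
    if len(auth_data) < 37:
        return False
    client = json.loads(case["client_data_json"])
    flags = auth_data[32]
    return (client.get("type") == "webauthn.get"
            and client.get("challenge") == b64url(challenge)
            and bool(flags & UP)
            and (bool(flags & UV) or not require_uv))

def generate(n: int, seed_challenges=None) -> list:
    """Emit four flag variants per challenge, each with its expected results."""
    cases = []
    for i in range(n):
        challenge = seed_challenges[i] if seed_challenges else os.urandom(32)
        for flags in (UP | UV, UP, UV, 0):
            case = make_case(challenge, flags)
            case["expect_uv_required"] = expected_precheck(case, challenge, True)
            case["expect_uv_optional"] = expected_precheck(case, challenge, False)
            cases.append(case)
    return cases
```
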

wilsoncusack commented 6 months ago

Will need to refactor now that code has changed :(

cb-heimdall commented 3 months ago

Review Error for 5twelve @ 2024-05-20 14:55:54 UTC
User must have write permissions to review