
Conversation

@kovaceviccz
Contributor

This PR implements passkey support backed by WebAuthn, addressing #259 by introducing a new wrenam-auth-webauthn authentication module and integrating it with the existing device/profile/REST/UI infrastructure.

At a high level, the PR adds:

  • Two authentication modules:
    • WebAuthn – performs authentication and supports both passkey (username-less) and username-based WebAuthn flows.
    • WebAuthnRegistration – performs credential registration for authenticated users.
  • Device profile persistence for WebAuthn credentials:
    • WebAuthnDeviceSettings, modeled after the WebAuthn credential record (credentialId, public key, transports, signCount, backup flags, attestation object, etc.).
    • WebAuthnDeviceProfileManager and a new WebAuthn SMS/REST service (WebAuthnService, WebAuthnServiceFactory) that store profiles in a dedicated user attribute (webAuthnDeviceProfiles), with optional encryption via the existing EncryptedDeviceStorage mechanism.
    • Schema/LDIF updates for all supported directory types (OpenDJ, ODSEE, AD, ADAM, Tivoli) to add webAuthnDeviceProfiles and webAuthnDeviceProfilesContainer, plus idRepo configuration so the attribute is available on user entries and exposed as a readable attribute (entryUUID is also made available for use as user handle).
  • A REST API for managing WebAuthn devices:
    • New WebAuthnDevicesDao and WebAuthnDevicesResource under /json/users/{user}/devices/webauthn, wired through CoreRestDevicesGuiceModule and CoreRestRouteProvider.
    • Extension of the generic devices infrastructure (UserDevicesDao/UserDevicesResource now generic over service type) to support WebAuthn alongside OATH, push, and trusted devices.
    • New i18n descriptors and JSON schema for the WebAuthn devices resource.
  • UI integration:
    • A new dashboard delegate WebAuthnDeviceService.jsm and updates to AuthenticationDevicesView so WebAuthn devices appear alongside OATH/push devices, with delete and details actions.
    • DeviceDetailsDialog and related templates updated to handle WebAuthn devices (no recovery codes, different type marker).
    • New auth templates WebAuthn3.html and WebAuthnRegistration2.html for the “waiting on authenticator” stages, matching the existing AM login UX.
  • Core wiring and upgrade support:
    • amAuth.xml, serviceNames.properties, serviceNames/schemaNames.properties, debugfiles.properties, and test datastore settings updated to register the new modules, SMS services, debug log, and schema.
    • AuthServiceHelper and DirectoryContentUpgrader extended so the new modules and WebAuthn device schema are added on upgrade.
    • AMAuthConfigUtils / ISAuthConstants extended with a Wren-specific auth-level prefix (wrensec-am-auth-…-auth-level) so the WebAuthn modules’ auth levels are picked up consistently.
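The device profile described above stores the credential's signCount and backup flags, both of which come from the authenticatorData of each WebAuthn assertion. The following added example (not code from the PR or from wrenam; it uses the WebAuthn Level 2 byte layout, with a constructed sample input) parses that structure and applies the signature-counter check a relying party runs before updating the stored profile:

```python
import struct

# Bits of the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (credential may be synced, i.e. a passkey)
FLAG_BS = 0x10  # backup state (credential is currently backed up)
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split raw authenticatorData into rpIdHash, flags, signCount and,
    when the AT flag is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {
        "rpIdHash": auth_data[:32],
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "backupEligible": bool(flags & FLAG_BE),
        "backupState": bool(flags & FLAG_BS),
        "signCount": sign_count,
    }
    if flags & FLAG_AT:
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credentialId")
        result["aaguid"] = auth_data[37:53]
        result["credentialId"] = cred_id
        # COSE public key (CBOR), plus extension data if ED is set; left unparsed here.
        result["credentialPublicKey"] = auth_data[55 + cred_len:]
    return result


def check_sign_count(stored_count: int, asserted_count: int) -> bool:
    """Counter check from WebAuthn section 7.2: the asserted value must exceed the
    stored one unless both are 0 (authenticator does not count). False means the
    assertion should be rejected as a possible cloned authenticator."""
    if asserted_count == 0 and stored_count == 0:
        return True
    return asserted_count > stored_count


def build_sample() -> bytes:
    """Constructed sample (not a captured message): dummy rpIdHash,
    flags UP|UV|BE|BS, signCount 7, no attested credential data."""
    flags = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS
    return b"\x11" * 32 + bytes([flags]) + struct.pack(">I", 7)
```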

@kovaceviccz
Contributor Author

I have upgraded the pgpVerifyKeysVersion in the parent pom.xml to account for the addition of the webauthn4j-core module, whose key was added to the whitelist in PR WrenSecurity/wrensec-pgp-whitelist#41, and the checks now complete successfully. Perhaps a PR adding administrator-oriented documentation to WrenSecurity/docs.wrensecurity.org should follow.

Member

@pavelhoral pavelhoral left a comment


LGTM, awesome job (will merge after testing)

@pavelhoral pavelhoral added the enhancement Feature implementations, or application improvements. label Nov 27, 2025