Release 1.8.0

Changes: - BouncyCastle dependency is now optional. In order to opt out, depend on `webauthn-server-core-minimal` instead of `webauthn-server-core`. This is not recommended unless you know your JVM includes JCA providers for all signature algorithms. Note that `webauthn-server-attestation` still depends on BouncyCastle. - Jackson deserializer for `PublicKeyCredential` now allows a `rawId` property to be present if `id` is not present, or if `rawId` equals `id`.
Yubico · Mar 15, 2021 · 9023482 · 9023482
2 parents 8293a6a + f9a5d90
commit 9023482
Show file tree

Hide file tree

Showing 59 changed files with 3,488 additions and 2,900 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11, 13]
+        java: [8, 11, 15]
 
     steps:
     - name: Check out code
@@ -22,7 +22,14 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Run tests
-      run: ./gradlew check
+      run: ./gradlew cleanTest check
+
+    - name: Archive test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v2
+      with:
+        name: test-reports
+        path: "*/build/reports/**"
 
     - name: Build JavaDoc
       run: ./gradlew assembleJavadoc
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,24 +14,20 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
+    - uses: actions/setup-java@v1
+      with:
+        java-version: '11'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
+      with:
+        languages: java
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+    - name: Build project
+      run: |
+        ./gradlew jar
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   test:
-    name: JDK ${{matrix.java}}
+    name: Measure mutation test coverage
 
     runs-on: ubuntu-latest
 

diff --git a/NEWS b/NEWS
@@ -1,3 +1,20 @@
+== Version 1.8.0 ==
+
+Changes:
+
+* BouncyCastle dependency is now optional.
+
+  In order to opt out, depend on `webauthn-server-core-minimal` instead of
+  `webauthn-server-core`.
+  This is not recommended unless you know your JVM includes JCA providers for
+  all signature algorithms.
+
+  Note that `webauthn-server-attestation` still depends on BouncyCastle.
+
+* Jackson deserializer for `PublicKeyCredential` now allows a `rawId` property
+  to be present if `id` is not present, or if `rawId` equals `id`.
+
+
 == Version 1.7.0 ==
 
 webauthn-server-attestation:

diff --git a/README b/README
@@ -25,17 +25,43 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.6.1</version>
+  <version>1.8.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.6.1'
+compile 'com.yubico:webauthn-server-core:1.8.0'
 ----------
 
+=== Semantic versioning
+
+This library uses link:https://semver.org/[semantic versioning].
+The public API consists of all public classes, methods and fields in the `com.yubico.webauthn` package and its subpackages,
+i.e., everything covered by the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/package-summary.html[Javadoc].
+
+Package-private classes and methods are NOT part of the public API.
+The `com.yubico:yubico-util` module is NOT part of the public API.
+Breaking changes to these will NOT be reflected in version numbers.
+
+
+=== Additional modules
+
+In addition to the main `webauthn-server-core` module, there are also:
+
+- `webauthn-server-attestation`: A simple implementation of the
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/attestation/MetadataService.html[`MetadataService`]
+  interface, which by default comes preloaded with attestation metadata for Yubico devices.
+
+- `webauthn-server-core-minimal`: Alternative distribution of `webauthn-server-core`,
+  without a dependency on BouncyCastle.
+  If depending on this module instead of `webauthn-server-core`,
+  you may have to add your own JCA providers to support some signature algorithms.
+  In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+
 
 == Features
 

diff --git a/build.gradle b/build.gradle
@@ -7,8 +7,8 @@ buildscript {
   }
 }
 plugins {
-  id 'com.github.kt3k.coveralls' version '2.10.2'
-  id 'io.codearte.nexus-staging' version '0.22.0'
+  id 'com.github.kt3k.coveralls' version '2.11.0'
+  id 'io.codearte.nexus-staging' version '0.30.0'
   id 'io.franzbecker.gradle-lombok' version '4.0.0'
 }
 
@@ -30,7 +30,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '6.1'
+  gradleVersion = '6.8'
 }
 
 allprojects {
@@ -80,8 +80,8 @@ subprojects {
   apply plugin: LombokPlugin
 
   lombok {
-    version '1.18.10'
-    sha256 = '2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa'
+    version '1.18.18'
+    sha256 = '601ec46206e0f9cac2c0583b3350e79f095419c395e991c761640f929038e9cc'
   }
   tasks.withType(AbstractCompile) {
     if (tasks.findByName('verifyLombok')) {
@@ -175,11 +175,14 @@ subprojects { project ->
       from javadoc
     }
 
-    rootProject.tasks.assembleJavadoc {
-      dependsOn javadoc
-      inputs.dir javadoc.destinationDir
-      from(javadoc.destinationDir) {
-        into project.name
+    // TODO: Revert this if statement in the next major release
+    if (project.projectDir.name != "webauthn-server-core-bundle") {
+      rootProject.tasks.assembleJavadoc {
+        dependsOn javadoc
+        inputs.dir javadoc.destinationDir
+        from(javadoc.destinationDir) {
+          into project.projectDir.name
+        }
       }
     }
   }

diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
@@ -7,6 +7,6 @@ repositories {
 dependencies {
   implementation(
     'commons-io:commons-io:2.5',
-    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.6',
+    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.5.1',
   )
 }
diff --git a/doc/development.md b/doc/development.md
@@ -0,0 +1,16 @@
+Developer docs
+===
+
+Inconsistent directory naming
+---
+
+In resolving [issue #97](https://github.com/Yubico/java-webauthn-server/issues/97),
+we opted to split the `webauthn-server-core` module into one `webauthn-server-core` meta-module
+and one `webauthn-server-core-minimal` module with the code and all dependencies except BouncyCastle.
+However, to avoid file renames and since this is intended as a temporary change,
+the source code for the `webauthn-server-core` module is hosted in the `webauthn-server-core-bundle/` subproject
+and the `webauthn-server-core-minimal` module is hosted in `webauthn-server-core/`.
+
+We intend to eliminate the `webauthn-server-core-bundle` subproject in the next major version release,
+and return the current `webauthn-server-core-minimal` module to the `webauthn-server-core` module name.
+This naming inconsistency should be fixed along with this.
diff --git a/doc/releasing.md b/doc/releasing.md
@@ -85,46 +85,48 @@ Release versions
 
  4. Remove the "(unreleased)" tag from `NEWS`.
 
- 5. Amend this change into the merge commit:
+ 5. Update the version in the dependency snippets in the README.
+
+ 6. Amend these changes into the merge commit:
 
     ```
     $ git add NEWS
     $ git commit --amend --reset-author
     ```
 
- 6. Run the tests one more time:
+ 7. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 7. Tag the merge commit with an `X.Y.Z` tag:
+ 8. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
- 8. Publish to Sonatype Nexus:
+ 9. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publish closeAndReleaseRepository
     ```
 
- 9. Wait for the artifacts to become downloadable at
+10. Wait for the artifacts to become downloadable at
     https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/1.4.0/ . This
     is needed for one of the GitHub Actions release workflows and usually takes
     less than 30 minutes (long before the artifacts become searchable on the
     main Maven Central website).
 
-10. Push to GitHub:
+11. Push to GitHub:
 
     ```
     $ git push origin master 1.4.0
     ```
 
-11. Make GitHub release.
+12. Make GitHub release.
 
     - Use the new tag as the release tag
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.8-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
@@ -82,6 +82,7 @@ esac
 
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
+
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ] ; then
     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
@@ -129,6 +130,7 @@ fi
 if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+
     JAVACMD=`cygpath --unix "$JAVACMD"`
 
     # We build the pattern for arguments to be converted via cygpath

diff --git a/gradlew.bat b/gradlew.bat
@@ -29,6 +29,9 @@ if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
 
@@ -37,7 +40,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto init
+if "%ERRORLEVEL%" == "0" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -51,7 +54,7 @@ goto fail
 set JAVA_HOME=%JAVA_HOME:"=%
 set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
-if exist "%JAVA_EXE%" goto init
+if exist "%JAVA_EXE%" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
@@ -61,28 +64,14 @@ echo location of your Java installation.
 
 goto fail
 
-:init
-@rem Get command-line arguments, handling Windows variants
-
-if not "%OS%" == "Windows_NT" goto win9xME_args
-
-:win9xME_args
-@rem Slurp the command line arguments.
-set CMD_LINE_ARGS=
-set _SKIP=2
-
-:win9xME_args_slurp
-if "x%~1" == "x" goto execute
-
-set CMD_LINE_ARGS=%*
-
 :execute
 @rem Setup the command line
 
 set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
+
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

diff --git a/settings.gradle b/settings.gradle
@@ -1,10 +1,15 @@
 rootProject.name = 'webauthn-server-parent'
 include ':webauthn-server-attestation'
 include ':webauthn-server-core'
+include ':webauthn-server-core-bundle'
 include ':webauthn-server-demo'
 include ':yubico-util'
 include ':yubico-util-scala'
 
 include ':test-dependent-projects:java-dep-webauthn-server-attestation'
 include ':test-dependent-projects:java-dep-webauthn-server-core'
+include ':test-dependent-projects:java-dep-webauthn-server-core-minimal'
 include ':test-dependent-projects:java-dep-yubico-util'
+
+project(':webauthn-server-core').name = 'webauthn-server-core-minimal'
+project(':webauthn-server-core-bundle').name = 'webauthn-server-core'
diff --git a/test-dependent-projects/java-dep-webauthn-server-core-minimal/build.gradle.kts b/test-dependent-projects/java-dep-webauthn-server-core-minimal/build.gradle.kts
@@ -0,0 +1,19 @@
+plugins {
+    `java-library`
+}
+
+val coreTestsOutput = project(":webauthn-server-core-minimal").extensions.getByType(SourceSetContainer::class).test.get().output
+
+dependencies {
+    implementation(project(":webauthn-server-core-minimal"))
+
+    testImplementation(coreTestsOutput)
+    testImplementation("junit:junit:4.12")
+    testImplementation("org.mockito:mockito-core:[2.27.0,3)")
+
+    // Runtime-only internal dependency of webauthn-server-core-minimal
+    testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
+
+    // Transitive dependencies from coreTestOutput
+    testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,7 @@ on: @@
     jobs:
       test:
-        name: JDK ${{matrix.java}}
+        name: Measure mutation test coverage
         runs-on: ubuntu-latest
@@ Expand Down @@