Add GitHub build and code analysis actions, fix Sonar issues

Signed-off-by: Mart Sõmermaa <[email protected]>

Author: mrts

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,68 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+# ******** NOTE ********
+
+name: CodeQL code analysis
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '18 17 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/maven-build.yml

@@ -0,0 +1,25 @@
+name: Maven build
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-java@v1
+      with:
+        java-version: 1.8
+    - name: Cache Maven packages
+      uses: actions/cache@v1
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ runner.os }}-m2-v8
+    - name: Build
+      run: mvn --batch-mode compile
+    - name: Test
+      run: |
+        mvn -version
+        mvn --batch-mode verify

.github/workflows/sonarcloud-analysis.yml

@@ -0,0 +1,34 @@
+name: SonarCloud code analysis
+
+on: [push, pull_request]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Cache Maven packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-v11-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v11
+      - name: Build and analyze
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

pom.xml

@@ -16,16 +16,25 @@
         <maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
         <java.version>1.8</java.version>
         <jjwt.version>0.11.2</jjwt.version>
+        <slf4j.version>1.7.30</slf4j.version>
+        <caffeine.version>2.8.5</caffeine.version>
         <junit-jupiter.version>5.6.2</junit-jupiter.version>
         <assertj.version>3.17.2</assertj.version>
         <jmockit.version>1.44</jmockit.version>
-        <slf4j.version>1.7.30</slf4j.version>
-        <caffeine.version>2.8.5</caffeine.version>
+        <jacoco.version>0.8.5</jacoco.version>
+        <sonar.coverage.jacoco.xmlReportPaths>
+            ${project.basedir}/../jacoco-coverage-report/target/site/jacoco-aggregate/jacoco.xml
+        </sonar.coverage.jacoco.xmlReportPaths>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <maven.compiler.target>${java.version}</maven.compiler.target>
         <argLine>-Djava.security.egd=file:/dev/./urandom -Xmx256m</argLine>
+
+        <!-- SonarCloud -->
+        <sonar.projectKey>web-eid_web-eid-authtoken-validation-java</sonar.projectKey>
+        <sonar.organization>web-eid</sonar.organization>
+        <sonar.host.url>https://sonarcloud.io</sonar.host.url>
     </properties>
 
     <dependencies>
@@ -116,11 +125,30 @@
                 <version>${maven-surefire-plugin.version}</version>
                 <configuration>
                     <argLine>
-                        -javaagent:${settings.localRepository}/org/jmockit/jmockit/${jmockit.version}/jmockit-${jmockit.version}.jar
+                        @{argLine} -javaagent:${settings.localRepository}/org/jmockit/jmockit/${jmockit.version}/jmockit-${jmockit.version}.jar
                     </argLine>
-                    <disableXmlReport>true</disableXmlReport>
                 </configuration>
             </plugin>
+            <plugin>
+                <!-- Generate a coverage XML file for Sonar -->
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <version>${jacoco.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>prepare-agent</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>report</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>report</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 

src/main/java/org/webeid/security/exceptions/TokenValidationException.java

@@ -26,11 +26,11 @@
  * Base class for all authentication token validation exceptions.
  */
 public abstract class TokenValidationException extends Exception {
-    public TokenValidationException(String msg) {
+    protected TokenValidationException(String msg) {
         super(msg);
     }
 
-    public TokenValidationException(String msg, Throwable cause) {
+    protected TokenValidationException(String msg, Throwable cause) {
         super(msg, cause);
     }
 }

src/main/java/org/webeid/security/util/CertUtil.java

@@ -65,4 +65,8 @@ private static String getField(X509Certificate certificate, ASN1ObjectIdentifier
             .collect(Collectors.joining(", "));
     }
 
+    private CertUtil() {
+        throw new IllegalStateException("Utility class");
+    }
+
 }

src/main/java/org/webeid/security/util/TitleCase.java

@@ -41,4 +41,8 @@ public static String toTitleCase(String input) {
         return titleCase.toString();
     }
 
+    private TitleCase() {
+        throw new IllegalStateException("Utility class");
+    }
+
 }

src/main/java/org/webeid/security/validator/AuthTokenParser.java

@@ -135,8 +135,8 @@ void populateDataFromClaims(AuthTokenValidatorData data) throws TokenParseExcept
             final String nonceField = getStringFieldOrThrow(body, "nonce", "body");
 
             // The "aud" field value is an array that contains the origin and may also contain site certificate fingerprint
-            final List audienceField = getListFieldOrThrow(body, "aud", "body");
-            final String origin = (String) audienceField.get(0);
+            final List<String> audienceField = getListFieldOrThrow(body, "aud", "body");
+            final String origin = audienceField.get(0);
             if (Strings.isNullOrEmpty(origin)) {
                 throw new TokenParseException("origin from aud field must not be empty");
             }
@@ -145,7 +145,7 @@ void populateDataFromClaims(AuthTokenValidatorData data) throws TokenParseExcept
             data.setOrigin(origin);
 
             if (audienceField.size() > 1) {
-                final String siteCertificateFingerprintField = (String) audienceField.get(1);
+                final String siteCertificateFingerprintField = audienceField.get(1);
                 if (Strings.isNullOrEmpty(siteCertificateFingerprintField)
                     || !siteCertificateFingerprintField.startsWith("urn:cert:sha-256:")) {
                     throw new TokenParseException("site certificate fingerprint from aud field must start with urn:cert:sha-256:");
@@ -179,7 +179,7 @@ private String getStringFieldOrThrow(Map<String, Object> fields, String fieldNam
         return fieldValue;
     }
 
-    private List getListFieldOrThrow(Map<String, Object> fields, String fieldName, String sectionName) throws TokenParseException {
+    private List<String> getListFieldOrThrow(Map<String, Object> fields, String fieldName, String sectionName) throws TokenParseException {
         if (fields.get(fieldName) != null && !(fields.get(fieldName) instanceof List)) {
             throw new TokenParseException(fieldName + " field in authentication token "
                 + sectionName + " must be an array");
@@ -198,7 +198,9 @@ private List getListFieldOrThrow(Map<String, Object> fields, String fieldName, S
                 + sectionName + " must be an array of strings, but first element is not a string");
         }
 
-        return fieldValue;
+        @SuppressWarnings("unchecked")
+        final List<String> result = fieldValue;
+        return result;
     }
 
     private static X509Certificate parseCertificate(String certificateInBase64) throws CertificateException, IOException, TokenParseException {

src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -38,7 +38,7 @@
 /**
  * Stores configuration parameters for {@link AuthTokenValidatorImpl}.
  */
-final class AuthTokenValidationConfiguration implements Cloneable {
+final class AuthTokenValidationConfiguration {
 
     private URI siteOrigin;
     private Cache<String, LocalDateTime> nonceCache;
@@ -49,6 +49,20 @@ final class AuthTokenValidationConfiguration implements Cloneable {
     private boolean isSiteCertificateFingerprintValidationEnabled = false;
     private String siteCertificateSha256Fingerprint;
 
+    AuthTokenValidationConfiguration() {
+    }
+
+    private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other) {
+        this.siteOrigin = other.siteOrigin;
+        this.nonceCache = other.nonceCache;
+        this.trustedCACertificates = new ArrayList<>(other.trustedCACertificates);
+        this.isUserCertificateRevocationCheckWithOcspEnabled = other.isUserCertificateRevocationCheckWithOcspEnabled;
+        this.ocspRequestTimeout = other.ocspRequestTimeout;
+        this.allowedClientClockSkew = other.allowedClientClockSkew;
+        this.isSiteCertificateFingerprintValidationEnabled = other.isSiteCertificateFingerprintValidationEnabled;
+        this.siteCertificateSha256Fingerprint = other.siteCertificateSha256Fingerprint;
+    }
+
     void setSiteOrigin(URI siteOrigin) {
         this.siteOrigin = siteOrigin;
     }
@@ -127,14 +141,7 @@ void validate() {
         }
     }
 
-    @Override
-    protected AuthTokenValidationConfiguration clone() {
-        try {
-            final AuthTokenValidationConfiguration clone = (AuthTokenValidationConfiguration) super.clone();
-            clone.trustedCACertificates = new ArrayList<>(trustedCACertificates);
-            return clone;
-        } catch (CloneNotSupportedException e) {
-            throw new AssertionError(); // Can't happen
-        }
+    AuthTokenValidationConfiguration copy() {
+        return new AuthTokenValidationConfiguration(this);
     }
 }

src/main/java/org/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -22,7 +22,6 @@
 
 package org.webeid.security.validator;
 
-import com.google.common.base.Supplier;
 import com.google.common.base.Suppliers;
 import okhttp3.OkHttpClient;
 import org.slf4j.Logger;
@@ -32,6 +31,7 @@
 import org.webeid.security.validator.validators.*;
 
 import java.security.cert.X509Certificate;
+import java.util.function.Supplier;
 
 /**
  * Provides default implementation of {@link AuthTokenValidator}.
@@ -56,8 +56,8 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
      * @param configuration configuration parameters for the token validator
      */
     AuthTokenValidatorImpl(AuthTokenValidationConfiguration configuration) {
-        // Clone the configuration object to make AuthTokenValidatorImpl immutable and thread-safe.
-        this.configuration = configuration.clone();
+        // Copy the configuration object to make AuthTokenValidatorImpl immutable and thread-safe.
+        this.configuration = configuration.copy();
         /*
          * Lazy initialization, avoid constructing the OkHttpClient object when certificate revocation check is not enabled.
          * Returns a supplier which caches the instance retrieved during the first call to get() and returns
@@ -80,6 +80,7 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
         ).addOptional(configuration.isSiteCertificateFingerprintValidationEnabled(),
             new SiteCertificateFingerprintValidator(configuration.getSiteCertificateSha256Fingerprint())::validateSiteCertificateFingerprint
         );
+
     }
 
     @Override
@@ -99,14 +100,7 @@ public X509Certificate validate(String authToken) throws TokenValidationExceptio
 
             simpleSubjectCertificateValidators.executeFor(actualTokenData);
 
-            final SubjectCertificateTrustedValidator certTrustedValidator =
-                new SubjectCertificateTrustedValidator(configuration.getTrustedCACertificates());
-            final ValidatorBatch certTrustValidators = ValidatorBatch.createFrom(
-                certTrustedValidator::validateCertificateTrusted
-            ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-                new SubjectCertificateNotRevokedValidator(certTrustedValidator, httpClientSupplier.get())::validateCertificateNotRevoked
-            );
-            certTrustValidators.executeFor(actualTokenData);
+            getCertTrustValidators().executeFor(actualTokenData);
 
             authTokenParser.validateTokenSignatureAndParseClaims();
             authTokenParser.populateDataFromClaims(actualTokenData);
@@ -117,9 +111,27 @@ public X509Certificate validate(String authToken) throws TokenValidationExceptio
             return actualTokenData.getSubjectCertificate();
 
         } catch (Exception e) {
+            // Generally "log and rethrow" is an anti-pattern, but it fits with the surrounding logging style.
             LOG.warn("Token parsing and validation was interrupted:", e);
             throw e;
         }
     }
 
+    /**
+     * Creates the certificate trust validator batch.
+     * As SubjectCertificateTrustedValidator has mutable state that SubjectCertificateNotRevokedValidator depends on,
+     * they cannot be reused/cached in an instance variable in a multi-threaded environment. Hence they are
+     * re-created for each validation run for thread safety.
+     *
+     * @return certificate trust validator batch
+     */
+    private ValidatorBatch getCertTrustValidators() {
+        final SubjectCertificateTrustedValidator certTrustedValidator =
+            new SubjectCertificateTrustedValidator(configuration.getTrustedCACertificates());
+        return ValidatorBatch.createFrom(
+            certTrustedValidator::validateCertificateTrusted
+        ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
+            new SubjectCertificateNotRevokedValidator(certTrustedValidator, httpClientSupplier.get())::validateCertificateNotRevoked
+        );
+    }
 }