Merge pull request #376 from Yubico/fido-mds-unknown-fields

Fix FidoMetadataDownloader failure on unknown properties

.github/workflows/integration-test.yml

@@ -0,0 +1,52 @@
+# This name is shown in the status badge in the README
+name: integration-test
+
+on:
+  push:
+    branches:
+    - main
+    - 'release-*'
+  schedule:
+    # Run once a week to check compatibility with new FIDO MDS blob contents
+    - cron: '0 0 * * 1'
+
+jobs:
+  test:
+    name: JDK ${{ matrix.java }} ${{ matrix.distribution }}
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [17]
+        distribution: [temurin]
+
+    outputs:
+        report-java: 17
+        report-dist: temurin
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK ${{ matrix.java }}
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ matrix.java }}
+        distribution: ${{ matrix.distribution }}
+
+    - name: Run integration tests
+      run: ./gradlew integrationTest
+
+    - name: Archive HTML test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-html
+        path: "*/build/reports/**"
+
+    - name: Archive JUnit test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-xml
+        path: "*/build/test-results/**/*.xml"

NEWS

@@ -1,3 +1,13 @@
+== Version 2.5.3 (unreleased) ==
+
+`webauthn-server-attestation`:
+
+Fixes:
+
+* `FidoMetadataDownloader` no longer rejects FIDO MDS metadata BLOBs with
+  unknown properties.
+
+
 == Version 2.5.2 ==
 
 Fixes:

buildSrc/build.gradle.kts

@@ -10,12 +10,12 @@ repositories {
 }
 
 dependencies {
-  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.9.11")
+  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.15.0")
   implementation("io.franzbecker:gradle-lombok:5.0.0")
 
   // Spotless dropped Java 8 support in version 2.33.0
   if (JavaVersion.current().isJava11Compatible) {
-    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.19.0")
-    implementation("io.github.cosmicsilence:gradle-scalafix:0.1.14")
+    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.25.0")
+    implementation("io.github.cosmicsilence:gradle-scalafix:0.2.2")
   }
 }

buildSrc/src/main/groovy/project-convention-code-formatting-internal.gradle

@@ -13,9 +13,10 @@ spotless {
 scalafix {
     configFile.set(project.rootProject.file("scalafix.conf"))
 
-    // Work around dependency resolution issues in April 2022
-    semanticdb.autoConfigure.set(true)
-    semanticdb.version.set("4.5.5")
+    if (project.name != "yubico-util-scala") {
+        // yubico-util-scala is the only subproject with Scala sources in the "main" source set
+        ignoreSourceSets.add("main")
+    }
 }
 
 project.dependencies.scalafix("com.github.liancheng:organize-imports_2.13:0.6.0")

buildSrc/src/main/kotlin/project-convention-pitest.gradle.kts

@@ -4,7 +4,7 @@ plugins {
 }
 
 pitest {
-    pitestVersion.set("1.9.5")
+    pitestVersion.set("1.15.0")
     timestampedReports.set(false)
 
     outputFormats.set(listOf("XML", "HTML"))

test-platform/build.gradle.kts

@@ -9,12 +9,12 @@ dependencies {
     api("junit:junit:4.13.2")
     api("org.bouncycastle:bcpkix-jdk18on:[1.62,2)")
     api("org.bouncycastle:bcprov-jdk18on:[1.62,2)")
-    api("org.mockito:mockito-core:4.7.0")
-    api("org.scalacheck:scalacheck_2.13:1.16.0")
-    api("org.scalatest:scalatest_2.13:3.2.13")
-    api("org.scalatestplus:junit-4-13_2.13:3.2.13.0")
-    api("org.scalatestplus:scalacheck-1-16_2.13:3.2.13.0")
-    api("org.slf4j:slf4j-nop:2.0.3")
+    api("org.mockito:mockito-core:4.11.0")
+    api("org.scalacheck:scalacheck_2.13:1.18.0")
+    api("org.scalatest:scalatest_2.13:3.2.18")
+    api("org.scalatestplus:junit-4-13_2.13:3.2.18.0")
+    api("org.scalatestplus:scalacheck-1-16_2.13:3.2.14.0")
+    api("org.slf4j:slf4j-nop:2.0.13")
     api("uk.org.lidalia:slf4j-test:1.2.0")
   }
 }

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java

@@ -25,7 +25,6 @@
 package com.yubico.fido.metadata;
 
 import com.fasterxml.jackson.core.Base64Variants;
-import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yubico.fido.metadata.FidoMetadataDownloaderException.Reason;
 import com.yubico.internal.util.BinaryUtil;
@@ -1172,9 +1171,7 @@ private static ParseResult parseBlob(ByteArray jwt) throws IOException, Base64Ur
     final ByteArray jwtSignature = ByteArray.fromBase64Url(s.next());
 
     final ObjectMapper headerJsonMapper =
-        com.yubico.internal.util.JacksonCodecs.json()
-            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
-            .setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS);
+        JacksonCodecs.json().setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS);
 
     return new ParseResult(
         new MetadataBLOB(

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/JacksonCodecs.java

@@ -5,8 +5,13 @@
 
 class JacksonCodecs {
 
-  static ObjectMapper jsonWithDefaultEnums() {
+  static ObjectMapper json() {
     return com.yubico.internal.util.JacksonCodecs.json()
+        .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+  }
+
+  static ObjectMapper jsonWithDefaultEnums() {
+    return json()
         .configure(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE, true);
   }
 }