refactor: Major refactor to the SCRAM project

Signed-off-by: Jorge Solórzano <[email protected]>

.github/workflows/maven.yml

@@ -0,0 +1,30 @@
+# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up JDK 21
+      uses: actions/setup-java@v3
+      with:
+        java-version: '21'
+        distribution: 'temurin'
+        cache: maven
+    - name: Build with Maven
+      run: ./mvnw -B verify --file pom.xml
+
+    # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
+    - name: Update dependency graph
+      uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6

.gitignore

@@ -10,6 +10,7 @@ local.properties
 .settings/
 .loadpath
 .recommenders
+.pmd
 
 # External tool builders
 .externalToolBuilders/

.gitlab-ci.yml

@@ -1,4 +1,4 @@
-image: openjdk:8-stretch
+image: eclipse-temurin:21-jdk
 
 stages:
   - build
@@ -13,8 +13,4 @@ build:
     paths:
       - .m2/
   script:
-    - bash mvnw clean verify -P safer
-
-build-oracle-jdk-7:
-  extends: build
-  image: registry.gitlab.com/ongresinc/scram/oracle-jdk:7
+    - ./mvnw clean verify

.mvn/wrapper/MavenWrapperDownloader.java

@@ -23,85 +23,50 @@
 import java.net.PasswordAuthentication;
 import java.net.URL;
 import java.nio.file.Files;
-import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
-import java.nio.file.StandardOpenOption;
-import java.util.Properties;
 
 public final class MavenWrapperDownloader
 {
-    private static final String WRAPPER_VERSION = "3.1.0";
+    private static final String WRAPPER_VERSION = "3.2.0";
 
     private static final boolean VERBOSE = Boolean.parseBoolean( System.getenv( "MVNW_VERBOSE" ) );
 
-    /**
-     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
-     */
-    private static final String DEFAULT_DOWNLOAD_URL =
-        "https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/" + WRAPPER_VERSION
-            + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";
-
-    /**
-     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to use instead of the
-     * default one.
-     */
-    private static final String MAVEN_WRAPPER_PROPERTIES_PATH = ".mvn/wrapper/maven-wrapper.properties";
-
-    /**
-     * Path where the maven-wrapper.jar will be saved to.
-     */
-    private static final String MAVEN_WRAPPER_JAR_PATH = ".mvn/wrapper/maven-wrapper.jar";
-
-    /**
-     * Name of the property which should be used to override the default download url for the wrapper.
-     */
-    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
-
     public static void main( String[] args )
     {
-        if ( args.length == 0 )
-        {
-            System.err.println( " - ERROR projectBasedir parameter missing" );
-            System.exit( 1 );
-        }
+        log( "Apache Maven Wrapper Downloader " + WRAPPER_VERSION );
 
-        log( " - Downloader started" );
-        final String dir = args[0].replace( "..", "" ); // Sanitize path
-        final Path projectBasedir = Paths.get( dir ).toAbsolutePath().normalize();
-        if ( !Files.isDirectory( projectBasedir, LinkOption.NOFOLLOW_LINKS ) )
+        if ( args.length != 2 )
         {
-            System.err.println( " - ERROR projectBasedir not exists: " + projectBasedir );
+            System.err.println( " - ERROR wrapperUrl or wrapperJarPath parameter missing" );
             System.exit( 1 );
         }
 
-        log( " - Using base directory: " + projectBasedir );
-
-        // If the maven-wrapper.properties exists, read it and check if it contains a custom
-        // wrapperUrl parameter.
-        Path mavenWrapperPropertyFile = projectBasedir.resolve( MAVEN_WRAPPER_PROPERTIES_PATH );
-        String url = readWrapperUrl( mavenWrapperPropertyFile );
-
         try
         {
-            Path outputFile = projectBasedir.resolve( MAVEN_WRAPPER_JAR_PATH );
-            createDirectories( outputFile.getParent() );
-            downloadFileFromURL( url, outputFile );
+            log( " - Downloader started" );
+            final URL wrapperUrl = new URL( args[0] );
+            final String jarPath = args[1].replace( "..", "" ); // Sanitize path
+            final Path wrapperJarPath = Paths.get( jarPath ).toAbsolutePath().normalize();
+            downloadFileFromURL( wrapperUrl, wrapperJarPath );
             log( "Done" );
-            System.exit( 0 );
         }
         catch ( IOException e )
         {
-            System.err.println( "- Error downloading" );
-            e.printStackTrace();
+            System.err.println( "- Error downloading: " + e.getMessage() );
+            if ( VERBOSE )
+            {
+                e.printStackTrace();
+            }
             System.exit( 1 );
         }
     }
 
-    private static void downloadFileFromURL( String urlString, Path destination ) throws IOException
+    private static void downloadFileFromURL( URL wrapperUrl, Path wrapperJarPath )
+        throws IOException
     {
-        log( " - Downloading to: " + destination );
+        log( " - Downloading to: " + wrapperJarPath );
         if ( System.getenv( "MVNW_USERNAME" ) != null && System.getenv( "MVNW_PASSWORD" ) != null )
         {
             final String username = System.getenv( "MVNW_USERNAME" );
@@ -115,40 +80,11 @@ protected PasswordAuthentication getPasswordAuthentication()
                 }
             } );
         }
-        URL website = new URL( urlString );
-        try ( InputStream inStream = website.openStream() ) {
-            Files.copy( inStream, destination, StandardCopyOption.REPLACE_EXISTING );
-        }
-        log( " - Downloader complete" );
-    }
-
-    private static void createDirectories(Path outputPath) throws IOException
-    {
-        if ( !Files.isDirectory( outputPath, LinkOption.NOFOLLOW_LINKS ) ) {
-            Path createDirectories = Files.createDirectories( outputPath );
-            log( " - Directories created: " + createDirectories );
-        }
-    }
-
-    private static String readWrapperUrl( Path mavenWrapperPropertyFile )
-    {
-        String url = DEFAULT_DOWNLOAD_URL;
-        if ( Files.exists( mavenWrapperPropertyFile, LinkOption.NOFOLLOW_LINKS ) )
+        try ( InputStream inStream = wrapperUrl.openStream() )
         {
-            log( " - Reading property file: " + mavenWrapperPropertyFile );
-            try ( InputStream in = Files.newInputStream( mavenWrapperPropertyFile, StandardOpenOption.READ ) )
-            {
-                Properties mavenWrapperProperties = new Properties();
-                mavenWrapperProperties.load( in );
-                url = mavenWrapperProperties.getProperty( PROPERTY_NAME_WRAPPER_URL, DEFAULT_DOWNLOAD_URL );
-            }
-            catch ( IOException e )
-            {
-                System.err.println( " - ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'" );
-            }
+            Files.copy( inStream, wrapperJarPath, StandardCopyOption.REPLACE_EXISTING );
         }
-        log( " - Downloading from: " + url );
-        return url;
+        log( " - Downloader complete" );
     }
 
     private static void log( String msg )

.mvn/wrapper/maven-wrapper.properties

@@ -14,5 +14,5 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar

CHANGELOG.md

@@ -0,0 +1,61 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+## 3.0 - 2024-04-03
+### :boom: Breaking changes
+- :warning: Full refactor of the `scram` java implementation, this release is compatible with Java 8+, but it's incompatible with previous releases :warning:
+
+### :rocket: New features
+- Fully rewrite the `ScramClient` allowing negotiation of channel-binding properly.
+- Create Multi-release Modular JARs, the modules names are:
+  - `com.ongres.scram.common` for the common scram messages.
+  - `com.ongres.scram.client` for the scram client implementation.
+- Add `StringPreparation.POSTGRESQL_PREPARATION`, for any error in SASL preparation, it falls back to return the raw string.
+- Now the released jars are reproducible.
+- Publish CycloneDX SBOM.
+- Implementation of `tls-server-end-point` channel binding data extraction.
+
+### :building_construction: Improvements
+- Update of the `saslprep` dependency to 2.1.
+- Now the password is passed as a `char[]`.
+- Improve Javadoc documentation.
+
+### :ghost: Maintenance
+- Migrate the main repo back to GitHub.
+
+# 2.1
+
+* Updated saslprep to version 1.1 to remove a build dependency coming from stringprep module
+
+# 2.0
+
+* Out of beta testing
+
+# 2.0-beta3
+
+* Fixed licenses issues
+
+# 2.0-beta2
+
+* Added saslprep tests
+
+# 2.0-beta1
+
+* Add new dependency StringPrep
+
+# 1.9-beta1
+
+* API change to be compatible with Java 7
+* Added standard SASLPrep
+* Failover to bouncy castle implementation of PBKDF2WithHmacSHA256 to support Oracle JDK 7
+
+# 1.0.0-beta.2
+
+* Fix maven issue and javadoc
+
+# 1.0.0-beta.1
+
+* First version
+

README.md

@@ -61,7 +61,7 @@ and check the Javadoc: [![Javadocs](http://javadoc.io/badge/com.ongres.scram/com
 
 ## Contributing
 
-Please submit [Merge Requests](https://gitlab.com/ongresinc/scram) for code contributions.
-Make sure to compile with `mvn verify -Psafer` before submitting a MR.
+Please submit [Pull Requests](https://github.com/ongres/scram) for code contributions.
+Make sure to compile with `./mvnw verify -Pchecks,run-its` before submitting a PR.
 
 By making a contribution to this project, you certify that you adhere to requirements of the [DCO](https://developercertificate.org/) by signing-off your commits (`git commit -s`).:

checks/pmd-ruleset.xml

@@ -23,9 +23,9 @@
 
   <rule ref="category/java/errorprone.xml">
     <exclude name="AvoidLiteralsInIfCondition" />
-    <exclude name="BeanMembersShouldSerialize" />
     <exclude name="DataflowAnomalyAnalysis" />
     <exclude name="CloseResource" />
+    <exclude name="AvoidFieldNameMatchingMethodName" />
   </rule>
 
   <rule ref="category/java/errorprone.xml/EmptyCatchBlock">

checks/spotbugs-exclude.xml

@@ -1,5 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<FindBugsFilter>
+<FindBugsFilter
+  xmlns="https://github.com/spotbugs/filter/3.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/4.8.0/spotbugs/etc/findbugsfilter.xsd">
   <!-- Ignore spotbugs reports from generated sources -->
   <Match>
     <Package name="~.*\.generated\..*" />
@@ -17,4 +20,20 @@
   <Match>
     <Bug pattern="IMPROPER_UNICODE" />
   </Match>
+
+  <Match>
+    <Bug pattern="EI_EXPOSE_REP" />
+  </Match>
+  <Match>
+    <Bug pattern="CT_CONSTRUCTOR_THROW" />
+  </Match>
+  <Match>
+    <Bug pattern="PZLA_PREFER_ZERO_LENGTH_ARRAYS" />
+  </Match>
+  <Match>
+    <Bug pattern="AA_ASSERTION_OF_ARGUMENTS" />
+  </Match>
+  <Match>
+    <Bug pattern="NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION" />
+  </Match>
 </FindBugsFilter>