Enable Null checking in spring-security-webauthn via JSpecify

Closes gh-17839

Author: rwinch

webauthn/src/main/java/org/springframework/security/web/webauthn/aot/PublicKeyCredentialUserEntityRuntimeHints.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.aot;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.aot.hint.RuntimeHintsRegistrar;
 import org.springframework.jdbc.core.JdbcOperations;
@@ -33,7 +35,7 @@
 class PublicKeyCredentialUserEntityRuntimeHints implements RuntimeHintsRegistrar {
 
 	@Override
-	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
 		hints.resources().registerPattern("org/springframework/security/user-entities-schema.sql");
 	}
 

webauthn/src/main/java/org/springframework/security/web/webauthn/aot/UserCredentialRuntimeHints.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.aot;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.aot.hint.RuntimeHintsRegistrar;
 import org.springframework.jdbc.core.JdbcOperations;
@@ -33,7 +35,7 @@
 class UserCredentialRuntimeHints implements RuntimeHintsRegistrar {
 
 	@Override
-	public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
+	public void registerHints(RuntimeHints hints, @Nullable ClassLoader classLoader) {
 		hints.resources()
 			.registerPattern("org/springframework/security/user-credentials-schema.sql")
 			.registerPattern("org/springframework/security/user-credentials-schema-postgres.sql");

webauthn/src/main/java/org/springframework/security/web/webauthn/aot/package-info.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * WebAuthn AOT support.
+ */
+@NullMarked
+package org.springframework.security.web.webauthn.aot;
+
+import org.jspecify.annotations.NullMarked;

webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAssertionResponse.java

@@ -18,6 +18,10 @@
 
 import java.io.Serial;
 
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.util.Assert;
+
 /**
  * The <a href=
  * "https://www.w3.org/TR/webauthn-3/#authenticatorassertionresponse">AuthenticatorAssertionResponse</a>
@@ -47,12 +51,12 @@ public final class AuthenticatorAssertionResponse extends AuthenticatorResponse
 
 	private final Bytes signature;
 
-	private final Bytes userHandle;
+	private final @Nullable Bytes userHandle;
 
-	private final Bytes attestationObject;
+	private final @Nullable Bytes attestationObject;
 
 	private AuthenticatorAssertionResponse(Bytes clientDataJSON, Bytes authenticatorData, Bytes signature,
-			Bytes userHandle, Bytes attestationObject) {
+			@Nullable Bytes userHandle, @Nullable Bytes attestationObject) {
 		super(clientDataJSON);
 		this.authenticatorData = authenticatorData;
 		this.signature = signature;
@@ -101,7 +105,7 @@ public Bytes getSignature() {
 	 * ceremony</a> is empty, and MAY return one otherwise.
 	 * @return the <a href="https://www.w3.org/TR/webauthn-3/#user-handle">user handle</a>
 	 */
-	public Bytes getUserHandle() {
+	public @Nullable Bytes getUserHandle() {
 		return this.userHandle;
 	}
 
@@ -113,7 +117,7 @@ public Bytes getUserHandle() {
 	 * object</a>, if the authenticator supports attestation in assertions.
 	 * @return the {@code attestationObject}
 	 */
-	public Bytes getAttestationObject() {
+	public @Nullable Bytes getAttestationObject() {
 		return this.attestationObject;
 	}
 
@@ -133,15 +137,15 @@ public static AuthenticatorAssertionResponseBuilder builder() {
 	 */
 	public static final class AuthenticatorAssertionResponseBuilder {
 
-		private Bytes authenticatorData;
+		private @Nullable Bytes authenticatorData;
 
-		private Bytes signature;
+		private @Nullable Bytes signature;
 
-		private Bytes userHandle;
+		private @Nullable Bytes userHandle;
 
-		private Bytes attestationObject;
+		private @Nullable Bytes attestationObject;
 
-		private Bytes clientDataJSON;
+		private @Nullable Bytes clientDataJSON;
 
 		private AuthenticatorAssertionResponseBuilder() {
 		}
@@ -201,6 +205,9 @@ public AuthenticatorAssertionResponseBuilder clientDataJSON(Bytes clientDataJSON
 		 * @return the {@link AuthenticatorAssertionResponse}
 		 */
 		public AuthenticatorAssertionResponse build() {
+			Assert.notNull(this.clientDataJSON, "clientDataJSON cannot be null");
+			Assert.notNull(this.authenticatorData, "authenticatorData cannot be null");
+			Assert.notNull(this.signature, "signature cannot be null");
 			return new AuthenticatorAssertionResponse(this.clientDataJSON, this.authenticatorData, this.signature,
 					this.userHandle, this.attestationObject);
 		}

webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorAttestationResponse.java

@@ -19,6 +19,8 @@
 import java.util.Arrays;
 import java.util.List;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#authenticatorattestationresponse">AuthenticatorAttestationResponse</a>
@@ -36,10 +38,10 @@ public final class AuthenticatorAttestationResponse extends AuthenticatorRespons
 
 	private final Bytes attestationObject;
 
-	private final List<AuthenticatorTransport> transports;
+	private final @Nullable List<AuthenticatorTransport> transports;
 
 	private AuthenticatorAttestationResponse(Bytes clientDataJSON, Bytes attestationObject,
-			List<AuthenticatorTransport> transports) {
+			@Nullable List<AuthenticatorTransport> transports) {
 		super(clientDataJSON);
 		this.attestationObject = attestationObject;
 		this.transports = transports;
@@ -63,7 +65,7 @@ public Bytes getAttestationObject() {
 	 * "https://www.w3.org/TR/webauthn-3/#dom-authenticatorattestationresponse-transports-slot">transports</a>
 	 * @return the transports
 	 */
-	public List<AuthenticatorTransport> getTransports() {
+	public @Nullable List<AuthenticatorTransport> getTransports() {
 		return this.transports;
 	}
 
@@ -83,10 +85,12 @@ public static AuthenticatorAttestationResponseBuilder builder() {
 	 */
 	public static final class AuthenticatorAttestationResponseBuilder {
 
+		@SuppressWarnings("NullAway.Init")
 		private Bytes attestationObject;
 
-		private List<AuthenticatorTransport> transports;
+		private @Nullable List<AuthenticatorTransport> transports;
 
+		@SuppressWarnings("NullAway.Init")
 		private Bytes clientDataJSON;
 
 		private AuthenticatorAttestationResponseBuilder() {

webauthn/src/main/java/org/springframework/security/web/webauthn/api/AuthenticatorSelectionCriteria.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.webauthn.api;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * <a href=
  * "https://www.w3.org/TR/webauthn-3/#dictdef-authenticatorselectioncriteria">AuthenticatorAttachment</a>
@@ -33,11 +35,11 @@
  */
 public final class AuthenticatorSelectionCriteria {
 
-	private final AuthenticatorAttachment authenticatorAttachment;
+	private final @Nullable AuthenticatorAttachment authenticatorAttachment;
 
-	private final ResidentKeyRequirement residentKey;
+	private final @Nullable ResidentKeyRequirement residentKey;
 
-	private final UserVerificationRequirement userVerification;
+	private final @Nullable UserVerificationRequirement userVerification;
 
 	// NOTE: There is no requireResidentKey property because it is only for backward
 	// compatibility with WebAuthn Level 1
@@ -48,8 +50,8 @@ public final class AuthenticatorSelectionCriteria {
 	 * @param residentKey the resident key requirement
 	 * @param userVerification the user verification
 	 */
-	private AuthenticatorSelectionCriteria(AuthenticatorAttachment authenticatorAttachment,
-			ResidentKeyRequirement residentKey, UserVerificationRequirement userVerification) {
+	private AuthenticatorSelectionCriteria(@Nullable AuthenticatorAttachment authenticatorAttachment,
+			@Nullable ResidentKeyRequirement residentKey, @Nullable UserVerificationRequirement userVerification) {
 		this.authenticatorAttachment = authenticatorAttachment;
 		this.residentKey = residentKey;
 		this.userVerification = userVerification;
@@ -67,7 +69,7 @@ private AuthenticatorSelectionCriteria(AuthenticatorAttachment authenticatorAtta
 	 * Authenticator Attachment Modality</a>).
 	 * @return the authenticator attachment
 	 */
-	public AuthenticatorAttachment getAuthenticatorAttachment() {
+	public @Nullable AuthenticatorAttachment getAuthenticatorAttachment() {
 		return this.authenticatorAttachment;
 	}
 
@@ -81,7 +83,7 @@ public AuthenticatorAttachment getAuthenticatorAttachment() {
 	 * discoverable credential</a>.
 	 * @return the resident key requirement
 	 */
-	public ResidentKeyRequirement getResidentKey() {
+	public @Nullable ResidentKeyRequirement getResidentKey() {
 		return this.residentKey;
 	}
 
@@ -96,7 +98,7 @@ public ResidentKeyRequirement getResidentKey() {
 	 * operation.
 	 * @return the user verification requirement
 	 */
-	public UserVerificationRequirement getUserVerification() {
+	public @Nullable UserVerificationRequirement getUserVerification() {
 		return this.userVerification;
 	}
 
@@ -116,11 +118,11 @@ public static AuthenticatorSelectionCriteriaBuilder builder() {
 	 */
 	public static final class AuthenticatorSelectionCriteriaBuilder {
 
-		private AuthenticatorAttachment authenticatorAttachment;
+		private @Nullable AuthenticatorAttachment authenticatorAttachment;
 
-		private ResidentKeyRequirement residentKey;
+		private @Nullable ResidentKeyRequirement residentKey;
 
-		private UserVerificationRequirement userVerification;
+		private @Nullable UserVerificationRequirement userVerification;
 
 		private AuthenticatorSelectionCriteriaBuilder() {
 		}

webauthn/src/main/java/org/springframework/security/web/webauthn/api/Bytes.java

@@ -22,6 +22,8 @@
 import java.util.Arrays;
 import java.util.Base64;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.util.Assert;
 
 /**
@@ -100,7 +102,7 @@ public static Bytes random() {
 	 * @param base64UrlString the base64 url string
 	 * @return the {@link Bytes}
 	 */
-	public static Bytes fromBase64(String base64UrlString) {
+	public static Bytes fromBase64(@Nullable String base64UrlString) {
 		byte[] bytes = DECODER.decode(base64UrlString);
 		return new Bytes(bytes);
 	}

webauthn/src/main/java/org/springframework/security/web/webauthn/api/CredentialRecord.java

@@ -19,6 +19,8 @@
 import java.time.Instant;
 import java.util.Set;
 
+import org.jspecify.annotations.Nullable;
+
 /**
  * Represents a <a href="https://www.w3.org/TR/webauthn-3/#credential-record">Credential
  * Record</a> that is stored by the Relying Party
@@ -35,7 +37,7 @@ public interface CredentialRecord {
 	 * "https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-type">credential.type</a>
 	 * @return
 	 */
-	PublicKeyCredentialType getCredentialType();
+	@Nullable PublicKeyCredentialType getCredentialType();
 
 	/**
 	 * The <a href=
@@ -104,7 +106,7 @@ public interface CredentialRecord {
 	 * source was registered.
 	 * @return the attestationObject
 	 */
-	Bytes getAttestationObject();
+	@Nullable Bytes getAttestationObject();
 
 	/**
 	 * The <a href=
@@ -113,7 +115,7 @@ public interface CredentialRecord {
 	 * source was registered.
 	 * @return
 	 */
-	Bytes getAttestationClientDataJSON();
+	@Nullable Bytes getAttestationClientDataJSON();
 
 	/**
 	 * A human-readable label for this {@link CredentialRecord} assigned by the user.