chore: adds tests, clippy, formatting, and auditing to CI

changes the following to appease the new CI rules:
  * ignores unused dep warning for openssl-sys.
  * runs cargo +nightly fmt on source.
  * fixes clippy issues.
  * removes modules from V1 that weren't being used. These modules were behind v1
    feature flags that had been removed as well.
  * adds deny.toml from c2pa-rs.

.github/workflows/build.yml

@@ -15,8 +15,135 @@ on:
         default: 'false'
 
 jobs:
+  tests:
+    name: Unit tests
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ windows-latest, macos-latest, ubuntu-latest ]
+        rust_version: [ stable, 1.76.0 ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust_version }}
+          components: llvm-tools-preview
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+  clippy_check:
+    name: Clippy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run Clippy
+        run: cargo clippy --all-features --all-targets -- -Dwarnings
+
+  cargo_fmt:
+    name: Enforce Rust code format
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install nightly toolchain
+        uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rustfmt
+
+      - name: Check format
+        run: cargo +nightly fmt --all -- --check
+
+  docs_rs:
+    name: Preflight docs.rs build
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install nightly Rust toolchain
+        # Nightly is used here because the docs.rs build
+        # uses nightly and we use doc_cfg features that are
+        # not in stable Rust as of this writing (Rust 1.76).
+        uses: dtolnay/rust-toolchain@nightly
+
+      - name: Run cargo docs
+        # This is intended to mimic the docs.rs build
+        # environment. The goal is to fail PR validation
+        # if the subsequent release would result in a failed
+        # documentation build on docs.rs.
+        run: cargo +nightly doc --workspace --all-features --no-deps
+        env:
+          RUSTDOCFLAGS: --cfg docsrs
+          DOCS_RS: 1
+  cargo-deny:
+    name: License / vulnerability audit
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing CI:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Audit crate dependencies
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check ${{ matrix.checks }}
+
+  unused_deps:
+    name: Check for unused dependencies
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install nightly Rust toolchain
+        uses: dtolnay/rust-toolchain@nightly
+
+      - name: Run cargo-udeps
+        uses: aig787/cargo-udeps-action@v1
+        with:
+          version: latest
+          args: --all-targets --all-features
+
   linux:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         target: [x86_64, aarch64]
@@ -63,6 +190,7 @@ jobs:
 
   windows:
     runs-on: windows-latest
+
     strategy:
       matrix:
         target: [x64, x86]
@@ -88,6 +216,7 @@ jobs:
 
   macos_x86:
     runs-on: macos-latest
+
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
@@ -145,9 +274,11 @@ jobs:
 
   release:
     name: Release
+
+    if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true'
+
     runs-on: ubuntu-latest
     environment: Publish
-    if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true'
     needs: [linux, windows, macos_x86, macos_aarch64, sdist]
     steps:
       - uses: actions/download-artifact@v3

Cargo.toml

@@ -9,6 +9,8 @@ authors = ["Gavin Peacock <[email protected]"]
 name = "c2pa"
 crate-type = ["cdylib"]
 
+[package.metadata.cargo-udeps.ignore]
+normal = ["openssl-src"]
 
 [dependencies]
 c2pa = {version = "0.35.0", features = ["unstable_api", "file_io", "openssl", "pdf", "fetch_remote_manifests"]}
@@ -20,7 +22,6 @@ thiserror = "1.0.49"
 uniffi = "0.24.1"
 openssl-src = "=300.3.1" # Required for openssl-sys
 log = "0.4.21"
-env_logger = "0.11.3"
 
 [build-dependencies]
 uniffi = { version = "0.24.1", features = ["build"] }

deny.toml

@@ -0,0 +1,52 @@
+# Configuration used for dependency checking with cargo-deny.
+#
+# For further details on all configuration options see:
+# https://embarkstudios.github.io/cargo-deny/checks/cfg.html
+
+[graph]
+targets = [
+    { triple = "x86_64-unknown-linux-gnu" },
+    { triple = "x86_64-apple-darwin" },
+    { triple = "x86_64-pc-windows-msvc" },
+    { triple = "aarch64-apple-darwin" },
+    { triple = "wasm32-unknown-unknown" },
+]
+
+[advisories]
+yanked = "deny"
+
+ignore = [
+    "RUSTSEC-2021-0127", # serde_cbor
+    "RUSTSEC-2023-0071", # rsa Marvin Attack: (https://jira.corp.adobe.com/browse/CAI-5104)
+]
+
+[bans]
+multiple-versions = "allow"
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "LicenseRef-ring",
+    "MIT",
+    "MPL-2.0",
+    "Unicode-DFS-2016",
+    "Zlib",
+]
+confidence-threshold = 0.9
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [
+    { path = "LICENSE", hash = 3171872035 }
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []

src/callback_signer.rs

@@ -10,7 +10,7 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use c2pa::{SigningAlg, Signer};
+use c2pa::{Signer, SigningAlg};
 use log::debug;
 
 use crate::Result;
@@ -29,32 +29,34 @@ pub struct CallbackSigner {
 }
 
 pub struct RemoteSigner {
-    signer_callback : Box<dyn SignerCallback>,
+    signer_callback: Box<dyn SignerCallback>,
     alg: SigningAlg,
     reserve_size: u32,
 }
 
-impl c2pa::Signer for RemoteSigner {
-  fn alg(&self) -> SigningAlg {
-      self.alg
-  }
+impl Signer for RemoteSigner {
+    fn sign(&self, data: &[u8]) -> c2pa::Result<Vec<u8>> {
+        self.signer_callback
+            .sign(data.to_vec())
+            .map_err(|e| c2pa::Error::BadParam(e.to_string()))
+    }
 
-  fn certs(&self) -> c2pa::Result<Vec<Vec<u8>>> {
-      Ok(Vec::new())
-  }
+    fn alg(&self) -> SigningAlg {
+        self.alg
+    }
 
-  // signer will return a COSE structure
-  fn direct_cose_handling(&self) -> bool {
-      true
-  }
+    fn certs(&self) -> c2pa::Result<Vec<Vec<u8>>> {
+        Ok(Vec::new())
+    }
 
-  fn sign(&self, data: &[u8]) -> c2pa::Result<Vec<u8>> {
-      self.signer_callback.sign(data.to_vec()).map_err(|e| c2pa::Error::BadParam(e.to_string()))
-  }
+    fn reserve_size(&self) -> usize {
+        self.reserve_size as usize // TODO: Find better conversion for usize
+    }
 
-  fn reserve_size(&self) -> usize {
-      self.reserve_size as usize // TODO: Find better conversion for usize
-  }
+    // signer will return a COSE structure
+    fn direct_cose_handling(&self) -> bool {
+        true
+    }
 }
 
 impl CallbackSigner {
@@ -76,26 +78,31 @@ impl CallbackSigner {
             signer = signer.set_tsa_url(url);
         }
 
-        Self { signer: Box::new(signer) }
+        Self {
+            signer: Box::new(signer),
+        }
     }
 
     pub fn new_from_signer(
-      callback: Box<dyn SignerCallback>,
-      alg: SigningAlg,
-      reserve_size: u32,
+        callback: Box<dyn SignerCallback>,
+        alg: SigningAlg,
+        reserve_size: u32,
     ) -> Self {
         debug!("c2pa-python: CallbackSigner -> new_from_signer");
         let signer = RemoteSigner {
             signer_callback: callback,
             alg,
-            reserve_size
+            reserve_size,
         };
 
-        Self { signer: Box::new(signer) }
+        Self {
+            signer: Box::new(signer),
+        }
     }
 
     /// The python Builder wrapper sign function calls this
-    pub fn signer(&self) -> &Box<dyn c2pa::Signer + Sync + Send> {
+    #[allow(clippy::borrowed_box)]
+    pub fn signer(&self) -> &Box<dyn Signer + Sync + Send> {
         &self.signer
     }
 }

src/error.rs

@@ -96,8 +96,6 @@ impl Error {
             ClaimVerification(_) | InvalidClaim(_) | JumbfParseError(_) => {
                 Self::Verify { reason: err_str }
             }
-            #[cfg(feature = "add_thumbnails")]
-            ImageError => Self::ImageError(err_str),
             _ => Self::Other { reason: err_str },
         }
     }