michael-o commented on code in PR #200: URL: https://github.com/apache/maven-resolver/pull/200#discussion_r990814811
########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/FileTrustedChecksumsSourceSupport.java: ########## @@ -93,24 +94,48 @@ public Map<String, String> getTrustedArtifactChecksums( RepositorySystemSession boolean enabled = ConfigUtils.getBoolean( session, false, CONFIG_PROP_PREFIX + this.name ); if ( enabled ) { - Path basedir = getBasedir( session ); + Path basedir = getBasedir( session, false ); if ( basedir != null && !checksumAlgorithmFactories.isEmpty() ) { - Map<String, String> result = performLookup( - session, basedir, artifact, artifactRepository, checksumAlgorithmFactories ); - - return result == null || result.isEmpty() ? null : result; + return requireNonNull( + performLookup( session, basedir, artifact, artifactRepository, checksumAlgorithmFactories ) + ); + } + else + { + return Collections.emptyMap(); } } return null; } + @Override + public Writer getTrustedArtifactChecksumsWriter( RepositorySystemSession session ) + { + requireNonNull( session, "session is null" ); + boolean enabled = ConfigUtils.getBoolean( session, false, CONFIG_PROP_PREFIX + this.name ); + if ( enabled ) + { + return getWriter( session, getBasedir( session, true ) ); + } + return null; + } + + /** + * Implementors MUST NOT return {@code null} at this point, the source is enabled, worst can happen is checksums Review Comment: ...if the source is enabled...? ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SummaryFileTrustedChecksumsSource.java: ########## @@ -117,14 +111,47 @@ protected Map<String, String> performLookup( RepositorySystemSession session, return checksums; } - private ConcurrentHashMap<String, String> loadProvidedChecksums( Path checksumsFile ) + @Override + protected Writer getWriter( RepositorySystemSession session, Path basedir ) + { + final boolean originAware = isOriginAware( session ); + return ( artifact, artifactRepository, checksumAlgorithmFactories, trustedArtifactChecksums ) -> + { + try + { + for ( ChecksumAlgorithmFactory checksumAlgorithmFactory : checksumAlgorithmFactories ) + { + String checksum = requireNonNull( + trustedArtifactChecksums.get( checksumAlgorithmFactory.getName() ) ); + String summaryLine = ArtifactIdUtils.toId( artifact ) + " " + checksum + "\n"; Review Comment: `System.lineSeparator()` ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumArtifactResolverPostProcessor.java: ########## @@ -0,0 +1,226 @@ +package org.eclipse.aether.internal.impl.resolution; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; + +import java.io.IOException; +import java.io.UncheckedIOException; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.Artifact; +import org.eclipse.aether.internal.impl.checksum.Sha1ChecksumAlgorithmFactory; +import org.eclipse.aether.repository.ArtifactRepository; +import org.eclipse.aether.resolution.ArtifactResult; +import org.eclipse.aether.spi.checksums.TrustedChecksumsSource; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmHelper; +import org.eclipse.aether.transfer.ChecksumFailureException; +import org.eclipse.aether.util.ConfigUtils; +import org.eclipse.aether.util.artifact.ArtifactIdUtils; + +import static java.util.Objects.requireNonNull; + +/** + * Artifact resolver processor that verifies the checksums all the resolved artifacts against trusted checksums. Is also Review Comment: It is also...that do support... (because sources is plural) ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/FileTrustedChecksumsSourceSupport.java: ########## @@ -93,24 +94,48 @@ public Map<String, String> getTrustedArtifactChecksums( RepositorySystemSession boolean enabled = ConfigUtils.getBoolean( session, false, CONFIG_PROP_PREFIX + this.name ); if ( enabled ) { - Path basedir = getBasedir( session ); + Path basedir = getBasedir( session, false ); if ( basedir != null && !checksumAlgorithmFactories.isEmpty() ) { - Map<String, String> result = performLookup( - session, basedir, artifact, artifactRepository, checksumAlgorithmFactories ); - - return result == null || result.isEmpty() ? null : result; + return requireNonNull( + performLookup( session, basedir, artifact, artifactRepository, checksumAlgorithmFactories ) + ); + } + else + { + return Collections.emptyMap(); } } return null; } + @Override + public Writer getTrustedArtifactChecksumsWriter( RepositorySystemSession session ) + { + requireNonNull( session, "session is null" ); + boolean enabled = ConfigUtils.getBoolean( session, false, CONFIG_PROP_PREFIX + this.name ); + if ( enabled ) + { + return getWriter( session, getBasedir( session, true ) ); + } + return null; + } + + /** + * Implementors MUST NOT return {@code null} at this point, the source is enabled, worst can happen is checksums + * for asked artifact are not available. + */ protected abstract Map<String, String> performLookup( RepositorySystemSession session, Path basedir, Artifact artifact, ArtifactRepository artifactRepository, List<ChecksumAlgorithmFactory> checksumAlgorithmFactories ); + /** + * If a subclass of this support class decides it should not be writable, this method should return {@code null}. + */ + protected abstract Writer getWriter( RepositorySystemSession session, Path basedir ); Review Comment: The writer for what? ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SparseDirectoryTrustedChecksumsSource.java: ########## @@ -117,9 +109,53 @@ protected Map<String, String> performLookup( RepositorySystemSession session, catch ( IOException e ) { // unexpected, log, skip - LOGGER.warn( "Could not read provided checksum for '{}' at path '{}'", artifact, checksumPath, e ); + LOGGER.warn( "Could not read {} trusted checksum on path '{}'", artifact, checksumPath, e ); Review Comment: `...artifact '{}' trusted...` logically identical to line 96 ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SparseDirectoryTrustedChecksumsSource.java: ########## @@ -82,26 +84,16 @@ protected Map<String, String> performLookup( RepositorySystemSession session, ArtifactRepository artifactRepository, List<ChecksumAlgorithmFactory> checksumAlgorithmFactories ) { - final String prefix; - if ( isOriginAware( session ) ) - { - prefix = artifactRepository.getId() + "/"; - } - else - { - prefix = ""; - } - + final boolean originAware = isOriginAware( session ); final HashMap<String, String> checksums = new HashMap<>(); - final String artifactPath = localPathComposer.getPathForArtifact( artifact, false ); for ( ChecksumAlgorithmFactory checksumAlgorithmFactory : checksumAlgorithmFactories ) { Path checksumPath = basedir.resolve( - prefix + artifactPath + "." + checksumAlgorithmFactory.getFileExtension() ); + calculateArtifactPath( originAware, artifact, artifactRepository, checksumAlgorithmFactory ) ); if ( !Files.isRegularFile( checksumPath ) ) { - LOGGER.debug( "Artifact '{}' checksum '{}' not found in path '{}'", + LOGGER.debug( "Artifact {} trusted checksum '{}' not found on path '{}'", Review Comment: `Artifact '{}'...` ########## maven-resolver-spi/src/main/java/org/eclipse/aether/spi/checksums/TrustedChecksumsSource.java: ########## @@ -39,16 +39,44 @@ public interface TrustedChecksumsSource { /** - * May return the trusted checksums (for given artifact) from trusted source, or {@code null}. + * May return the trusted checksums (for given artifact) from trusted source, or {@code null} if not enabled. + * Enabled trusted checksum source SHOULD return non-null (empty map) result, when it has no data for given + * artifact. Empty map means in this case "no information", but how that case is interpreted depends on consumer + * for trusted checksums. * * @param session The repository system session, never {@code null}. * @param artifact The artifact we want checksums for, never {@code null}. * @param artifactRepository The origin repository: local, workspace, remote repository, never {@code null}. * @param checksumAlgorithmFactories The checksum algorithms that are expected, never {@code null}. - * @return Map of expected checksums, or {@code null}. + * @return Map of expected checksums, or {@code null} if not enabled. */ Map<String, String> getTrustedArtifactChecksums( RepositorySystemSession session, Artifact artifact, ArtifactRepository artifactRepository, List<ChecksumAlgorithmFactory> checksumAlgorithmFactories ); + + /** + * A writer that is able to write/add trusted checksums to this implementation. + */ + interface Writer Review Comment: This is rather a factory, no? The default method is more like a `newInstance()`? ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumArtifactResolverPostProcessor.java: ########## @@ -0,0 +1,226 @@ +package org.eclipse.aether.internal.impl.resolution; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; + +import java.io.IOException; +import java.io.UncheckedIOException; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.Artifact; +import org.eclipse.aether.internal.impl.checksum.Sha1ChecksumAlgorithmFactory; +import org.eclipse.aether.repository.ArtifactRepository; +import org.eclipse.aether.resolution.ArtifactResult; +import org.eclipse.aether.spi.checksums.TrustedChecksumsSource; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmHelper; +import org.eclipse.aether.transfer.ChecksumFailureException; +import org.eclipse.aether.util.ConfigUtils; +import org.eclipse.aether.util.artifact.ArtifactIdUtils; + +import static java.util.Objects.requireNonNull; + +/** + * Artifact resolver processor that verifies the checksums all the resolved artifacts against trusted checksums. Is also + * able to "record" (calculate and write them to trusted checksum sources that does support this operation). + * + * @since TBD + */ +@Singleton +@Named( TrustedChecksumArtifactResolverPostProcessor.NAME ) +public final class TrustedChecksumArtifactResolverPostProcessor + extends ArtifactResolverPostProcessorSupport +{ + public static final String NAME = "trusted-checksum"; + + private static final String CONF_CHECKSUM_ALGORITHM = "checksumAlgorithm"; + + private static final String CONF_FAIL_IF_MISSING = "failIfMissing"; + + private static final String CONF_RECORD = "record"; + + private final ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector; + + private final Map<String, TrustedChecksumsSource> trustedChecksumsSources; + + @Inject + public TrustedChecksumArtifactResolverPostProcessor( + ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector, + Map<String, TrustedChecksumsSource> trustedChecksumsSources ) + { + super( NAME ); + this.checksumAlgorithmFactorySelector = requireNonNull( checksumAlgorithmFactorySelector ); + this.trustedChecksumsSources = requireNonNull( trustedChecksumsSources ); + } + + @Override + protected Outcome doProcess( RepositorySystemSession session, List<ArtifactResult> artifactResults ) + { + final List<ChecksumAlgorithmFactory> checksumAlgorithmFactories = Collections.singletonList( + checksumAlgorithmFactorySelector.select( ConfigUtils.getString( session, + Sha1ChecksumAlgorithmFactory.NAME, configPropKey( CONF_CHECKSUM_ALGORITHM ) ) ) ); + final boolean failIfMissing = ConfigUtils.getBoolean( + session, false, configPropKey( CONF_FAIL_IF_MISSING ) ); + final boolean record = ConfigUtils.getBoolean( session, false, configPropKey( CONF_RECORD ) ); Review Comment: No conf prefix, nothing? ########## maven-resolver-spi/src/main/java/org/eclipse/aether/spi/resolution/ArtifactResolverPostProcessor.java: ########## @@ -0,0 +1,63 @@ +package org.eclipse.aether.spi.resolution; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import java.util.List; + +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.resolution.ArtifactResult; + +/** + * Artifact resolver post-resolution processor component, is able to hook into resolver and post-process the resolved + * artifact results, if needed even produce resolution failure. It will always be invoked (even when failure is about + * to happen), so detecting these cases are left to post processor implementations. + * + * @since TBD + */ +public interface ArtifactResolverPostProcessor +{ + /** + * Enum representing post-processing outcome. + */ + enum Outcome + { + /** + * Post-processing was ok, continue. + */ + CONTINUE, Review Comment: This implied that the other enum value breaks the loop which it doesn't not? Should be `SUCCESSFUL` or `COMPLETED`, no? ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumArtifactResolverPostProcessor.java: ########## @@ -0,0 +1,226 @@ +package org.eclipse.aether.internal.impl.resolution; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; + +import java.io.IOException; +import java.io.UncheckedIOException; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.Artifact; +import org.eclipse.aether.internal.impl.checksum.Sha1ChecksumAlgorithmFactory; +import org.eclipse.aether.repository.ArtifactRepository; +import org.eclipse.aether.resolution.ArtifactResult; +import org.eclipse.aether.spi.checksums.TrustedChecksumsSource; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmHelper; +import org.eclipse.aether.transfer.ChecksumFailureException; +import org.eclipse.aether.util.ConfigUtils; +import org.eclipse.aether.util.artifact.ArtifactIdUtils; + +import static java.util.Objects.requireNonNull; + +/** + * Artifact resolver processor that verifies the checksums all the resolved artifacts against trusted checksums. Is also + * able to "record" (calculate and write them to trusted checksum sources that does support this operation). + * + * @since TBD + */ +@Singleton +@Named( TrustedChecksumArtifactResolverPostProcessor.NAME ) +public final class TrustedChecksumArtifactResolverPostProcessor + extends ArtifactResolverPostProcessorSupport +{ + public static final String NAME = "trusted-checksum"; + + private static final String CONF_CHECKSUM_ALGORITHM = "checksumAlgorithm"; + + private static final String CONF_FAIL_IF_MISSING = "failIfMissing"; + + private static final String CONF_RECORD = "record"; + + private final ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector; + + private final Map<String, TrustedChecksumsSource> trustedChecksumsSources; + + @Inject + public TrustedChecksumArtifactResolverPostProcessor( + ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector, + Map<String, TrustedChecksumsSource> trustedChecksumsSources ) + { + super( NAME ); + this.checksumAlgorithmFactorySelector = requireNonNull( checksumAlgorithmFactorySelector ); + this.trustedChecksumsSources = requireNonNull( trustedChecksumsSources ); + } + + @Override + protected Outcome doProcess( RepositorySystemSession session, List<ArtifactResult> artifactResults ) + { + final List<ChecksumAlgorithmFactory> checksumAlgorithmFactories = Collections.singletonList( + checksumAlgorithmFactorySelector.select( ConfigUtils.getString( session, + Sha1ChecksumAlgorithmFactory.NAME, configPropKey( CONF_CHECKSUM_ALGORITHM ) ) ) ); + final boolean failIfMissing = ConfigUtils.getBoolean( + session, false, configPropKey( CONF_FAIL_IF_MISSING ) ); + final boolean record = ConfigUtils.getBoolean( session, false, configPropKey( CONF_RECORD ) ); + + Outcome outcome = Outcome.CONTINUE; + for ( ArtifactResult artifactResult : artifactResults ) + { + Artifact artifact = artifactResult.getArtifact(); + if ( artifact != null && artifact.getFile() != null ) + { + if ( record ) + { + recordArtifactChecksums( session, artifactResult, checksumAlgorithmFactories ); + } + else if ( !validateArtifactChecksums( session, artifactResult, checksumAlgorithmFactories, + failIfMissing ) ) + { + artifactResult.setArtifact( artifact.setFile( null ) ); // make it unresolved + outcome = Outcome.FAILED; + } + } + } + return outcome; + } + + /** + * Calculates and records checksums into trusted sources that support writing. + */ + private void recordArtifactChecksums( RepositorySystemSession session, + ArtifactResult artifactResult, + List<ChecksumAlgorithmFactory> checksumAlgorithmFactories ) + { + Artifact artifact = artifactResult.getArtifact(); + ArtifactRepository artifactRepository = artifactResult.getRepository(); + + try + { + final Map<String, String> calculatedChecksums = ChecksumAlgorithmHelper.calculate( + artifact.getFile(), checksumAlgorithmFactories ); + + for ( TrustedChecksumsSource trustedChecksumsSource : trustedChecksumsSources.values() ) + { + TrustedChecksumsSource.Writer writer = trustedChecksumsSource + .getTrustedArtifactChecksumsWriter( session ); + + if ( writer != null ) + { + writer.addTrustedArtifactChecksums( artifact, artifactRepository, checksumAlgorithmFactories, + calculatedChecksums ); + } + } + } + catch ( IOException e ) + { + throw new UncheckedIOException( e ); + } + } + + /** + * Validates trusted checksums against {@link ArtifactResult}, returns {@code true} denoting "valid" checksums or + * {@code false} denoting "invalid" checksums. + */ + private boolean validateArtifactChecksums( RepositorySystemSession session, + ArtifactResult artifactResult, + List<ChecksumAlgorithmFactory> checksumAlgorithmFactories, + boolean failIfMissing ) + { + Artifact artifact = artifactResult.getArtifact(); + ArtifactRepository artifactRepository = artifactResult.getRepository(); + + boolean valid = true; + boolean validated = false; + try + { + // full set: calculate all algorithms we were asked for + final Map<String, String> calculatedChecksums = ChecksumAlgorithmHelper.calculate( + artifact.getFile(), checksumAlgorithmFactories ); + + for ( Map.Entry<String, TrustedChecksumsSource> entry : trustedChecksumsSources.entrySet() ) + { + final String trustedSourceName = entry.getKey(); + final TrustedChecksumsSource trustedChecksumsSource = entry.getValue(); + + // upper bound set: ask source for checksums, ideally same as calculatedChecksums but may be less + Map<String, String> trustedChecksums = trustedChecksumsSource.getTrustedArtifactChecksums( + session, artifact, artifactRepository, checksumAlgorithmFactories ); + + if ( trustedChecksums == null ) + { + continue; // not enabled + } + validated = true; + + if ( !calculatedChecksums.equals( trustedChecksums ) ) + { + Set<String> missingTrustedAlg = new HashSet<>( calculatedChecksums.keySet() ); + missingTrustedAlg.removeAll( trustedChecksums.keySet() ); + + if ( !missingTrustedAlg.isEmpty() && failIfMissing ) + { + artifactResult.addException( new ChecksumFailureException( "Missing from " + trustedSourceName + + " trusted checksum(s) " + missingTrustedAlg + " for artifact " + + ArtifactIdUtils.toId( artifact ) ) ); + valid = false; + } + + // compare values but only present ones, failIfMissing handled above + // we still want to report all: algX - missing, algY - mismatch, etc + for ( ChecksumAlgorithmFactory checksumAlgorithmFactory : checksumAlgorithmFactories ) + { + String calculatedChecksum = calculatedChecksums.get( checksumAlgorithmFactory.getName() ); + String trustedChecksum = trustedChecksums.get( checksumAlgorithmFactory.getName() ); + if ( trustedChecksum != null && !Objects.equals( calculatedChecksum, trustedChecksum ) ) + { + artifactResult.addException( new ChecksumFailureException( "Artifact " + + ArtifactIdUtils.toId( artifact ) + " trusted checksum mismatch: " + + trustedSourceName + "=" + trustedChecksum + "; calculated=" + + calculatedChecksum ) ); + valid = false; + } + } + } + } + + if ( !validated && failIfMissing ) + { + artifactResult.addException( new ChecksumFailureException( "There are no enabled trusted checksum" + + " source(s) to validate with." ) ); Review Comment: ...validate against ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumArtifactResolverPostProcessor.java: ########## @@ -0,0 +1,226 @@ +package org.eclipse.aether.internal.impl.resolution; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; + +import java.io.IOException; +import java.io.UncheckedIOException; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.Artifact; +import org.eclipse.aether.internal.impl.checksum.Sha1ChecksumAlgorithmFactory; +import org.eclipse.aether.repository.ArtifactRepository; +import org.eclipse.aether.resolution.ArtifactResult; +import org.eclipse.aether.spi.checksums.TrustedChecksumsSource; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector; +import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmHelper; +import org.eclipse.aether.transfer.ChecksumFailureException; +import org.eclipse.aether.util.ConfigUtils; +import org.eclipse.aether.util.artifact.ArtifactIdUtils; + +import static java.util.Objects.requireNonNull; + +/** + * Artifact resolver processor that verifies the checksums all the resolved artifacts against trusted checksums. Is also Review Comment: Artifact resolver processor that verifies the checksums of all resolved artifacts against trusted checksums. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org