[ https://issues.apache.org/jira/browse/MRESOLVER-276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615340#comment-17615340 ]
ASF GitHub Bot commented on MRESOLVER-276: ------------------------------------------ cstamas commented on code in PR #200: URL: https://github.com/apache/maven-resolver/pull/200#discussion_r991617468 ########## maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumArtifactResolverPostProcessor.java: ########## 
@@ -0,0 +1,231 @@
+package org.eclipse.aether.internal.impl.resolution;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.resolution.ArtifactResult;
+import org.eclipse.aether.spi.checksums.TrustedChecksumsSource;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmHelper;
+import org.eclipse.aether.transfer.ChecksumFailureException;
+import org.eclipse.aether.util.ConfigUtils;
+import org.eclipse.aether.util.artifact.ArtifactIdUtils;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Artifact resolver processor that verifies the checksums of all resolved artifacts against trusted checksums. Is also
+ * able to "record" (calculate and write them) to trusted checksum sources, that do support this operation.
+ *
+ * @since TBD
+ */
+@Singleton
+@Named( TrustedChecksumArtifactResolverPostProcessor.NAME )
+public final class TrustedChecksumArtifactResolverPostProcessor
+ extends ArtifactResolverPostProcessorSupport
+{
+ public static final String NAME = "trusted-checksum";
+
+ private static final String CONF_CHECKSUM_ALGORITHMS = "checksumAlgorithms";
+
+ private static final String DEFAULT_CHECKSUM_ALGORITHMS = "SHA-1";
+
+ private static final String CONF_FAIL_IF_MISSING = "failIfMissing";
+
+ private static final String CONF_RECORD = "record";
+
+ private static final String CHECKSUM_ALGORITHMS_CACHE_KEY =
+ TrustedChecksumArtifactResolverPostProcessor.class.getName() + ".checksumAlgorithms";
+
+ private final ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector;
+
+ private final Map<String, TrustedChecksumsSource> trustedChecksumsSources;
+
+ @Inject
+ public TrustedChecksumArtifactResolverPostProcessor(
+ ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector,
+ Map<String, TrustedChecksumsSource> trustedChecksumsSources )
+ {
+ super( NAME );
+ this.checksumAlgorithmFactorySelector = requireNonNull( checksumAlgorithmFactorySelector );
+ this.trustedChecksumsSources = requireNonNull( trustedChecksumsSources );
+ }
+
+ @SuppressWarnings( "unchecked" )
+ @Override
+ protected void doProcess( RepositorySystemSession session, List<ArtifactResult> artifactResults )
+ {
+ final List<ChecksumAlgorithmFactory> checksumAlgorithms = (List<ChecksumAlgorithmFactory>) session.getData()
+ .computeIfAbsent( CHECKSUM_ALGORITHMS_CACHE_KEY, () ->
+ checksumAlgorithmFactorySelector.select(
+ ConfigUtils.parseCommaSeparatedUniqueNames( ConfigUtils.getString(
+ session, DEFAULT_CHECKSUM_ALGORITHMS, CONF_CHECKSUM_ALGORITHMS ) )
+ ) );
+
+ final boolean failIfMissing = ConfigUtils.getBoolean(
+ session, false, configPropKey( CONF_FAIL_IF_MISSING ) );
+ final boolean record = ConfigUtils.getBoolean( session, false, configPropKey( CONF_RECORD ) );
+
+ for ( ArtifactResult artifactResult : artifactResults )
+ {
+ if ( artifactResult.isResolved() )
+ {
+ if ( record )
Review Comment: If "record" configured, the inforation is collected here, yes. > Resolver post-processor > ----------------------- > > Key: MRESOLVER-276 > URL: https://issues.apache.org/jira/browse/MRESOLVER-276 > Project: Maven Resolver > Issue Type: Improvement > Components: Resolver > Reporter: Tamas Cservenak > Assignee: Tamas Cservenak > Priority: Major > Fix For: resolver-next > > > Introduce new feature, resolver post-processor that is able to post process > resolution results just before artifact resolver returns them to caller. Post > processor should be able to signal resolution failure (along with errors) > just like existing resolution may fail. -- This message was sent by Atlassian Jira (v8.20.10#820010)
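Review bot: The algorithm list in doProcess is read with the bare key `CONF_CHECKSUM_ALGORITHMS`, while `failIfMissing` and `record` a few lines below go through `configPropKey( ... )`; if configPropKey adds this processor's prefix, as its use there suggests, a user who sets the prefixed checksumAlgorithms property is silently left on the default. Suggested change: `session, DEFAULT_CHECKSUM_ALGORITHMS, configPropKey( CONF_CHECKSUM_ALGORITHMS ) ) )`. That default is `"SHA-1"`, which is no longer collision-resistant, so for a check whose whole purpose is trust a stronger default such as SHA-256 (provided the selector offers it) deserves consideration. `failIfMissing` also defaults to false, so the class Javadoc should state that artifacts without a trusted checksum are not rejected unless that option is enabled; doProcess continues beyond the quoted lines, so how the flag is applied is not visible here.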