This is an automated email from the ASF dual-hosted git repository. cstamas pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/maven-gpg-plugin.git
The following commit(s) were added to refs/heads/master by this push: new afdfd28 [MGPG-138] Drop direct use of plexus-cipher and secdispatcher (#115) afdfd28 is described below commit afdfd28bab4a0530cfd655397716a36adc1644b6 Author: Tamas Cservenak <ta...@cservenak.net> AuthorDate: Mon Sep 9 14:21:22 2024 +0200 [MGPG-138] Drop direct use of plexus-cipher and secdispatcher (#115) Use proper Maven 3 API instead. --- https://issues.apache.org/jira/browse/MGPG-138 --- pgp-keys-map.list | 5 +- pom.xml | 40 +++++++--------- .../apache/maven/plugins/gpg/AbstractGpgMojo.java | 54 +++++++++++++--------- 3 files changed, 49 insertions(+), 50 deletions(-) diff --git a/pgp-keys-map.list b/pgp-keys-map.list index 49d8340..8e42498 100644 --- a/pgp-keys-map.list +++ b/pgp-keys-map.list @@ -28,8 +28,7 @@ org.opentest4j:opentest4j = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51 org.apache.maven.resolver = 0x29BEA2A645F2D6CED7FB12E02B172E3E156466E8 org.apache.maven.shared:maven-invoker = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1 org.apache.maven.shared:maven-shared-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1 -org.codehaus.plexus:plexus-cipher = 0x6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688 org.codehaus.plexus:plexus-classworlds = 0xB91AB7D2121DC6B0A61AA182D7742D58455ECC7C org.codehaus.plexus:plexus-component-annotations = 0xFA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A -org.codehaus.plexus:plexus-utils = 0xF254B35617DC255D9344BCFA873A8E86B4372146 -org.codehaus.plexus:plexus-sec-dispatcher = 0x2BE13D052E9AA567D657D9791FD507154FB9BA39 \ No newline at end of file +org.codehaus.plexus:plexus-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1 +org.codehaus.plexus:plexus-xml = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1 diff --git a/pom.xml b/pom.xml index 7010d3c..8d5fccf 100644 --- a/pom.xml +++ b/pom.xml 
@@ -69,6 +69,12 @@ under the License. </properties> <dependencies> + <dependency> + <groupId>javax.inject</groupId> + <artifactId>javax.inject</artifactId> + <version>1</version> + <scope>provided</scope> + </dependency> <dependency> <groupId>org.apache.maven</groupId> <artifactId>maven-plugin-api</artifactId> @@ -105,6 +111,12 @@ under the License. <version>${mavenVersion}</version> <scope>provided</scope> </dependency> + <dependency> + <groupId>org.apache.maven</groupId> + <artifactId>maven-settings-builder</artifactId> + <version>${mavenVersion}</version> + <scope>provided</scope> + </dependency> <dependency> <groupId>org.apache.maven.resolver</groupId> <artifactId>maven-resolver-api</artifactId> @@ -126,7 +138,10 @@ under the License. <dependency> <groupId>org.codehaus.plexus</groupId> <artifactId>plexus-utils</artifactId> - <version>3.5.1</version> + </dependency> + <dependency> + <groupId>org.codehaus.plexus</groupId> + <artifactId>plexus-xml</artifactId> </dependency> <dependency> <groupId>org.bouncycastle</groupId> @@ -149,29 +164,6 @@ under the License. <version>2.10.0</version> <type>pom</type> </dependency> - <!-- These two below must go in pair --> - <dependency> - <groupId>org.codehaus.plexus</groupId> - <artifactId>plexus-sec-dispatcher</artifactId> - <version>2.0</version> - <exclusions> - <exclusion> - <groupId>*</groupId> - <artifactId>*</artifactId> - </exclusion> - </exclusions> - </dependency> - <dependency> - <groupId>org.codehaus.plexus</groupId> - <artifactId>plexus-cipher</artifactId> - <version>2.0</version> - <exclusions> - <exclusion> - <groupId>*</groupId> - <artifactId>*</artifactId> - </exclusion> - </exclusions> - </dependency> <dependency> <groupId>org.junit.jupiter</groupId> diff --git a/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java b/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java index db1b922..a99ce6c 100644 --- a/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java 
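Review bot: In the `@@ -126,7 +138,10 @@` hunk, `plexus-utils` loses its explicit `<version>3.5.1</version>` and `plexus-xml` is added without a version, so both are now resolved from outside this file (presumably the parent POM's dependencyManagement, which is not visible here). In the same commit, pgp-keys-map.list changes the trusted signing key for `plexus-utils` from `0xF254B35617DC255D9344BCFA873A8E86B4372146` to `0x84789D24DF77A32433CE1F079EB80E92EB2135B1`, which suggests the resolved release changes as well. The commit message mentions neither change. I would add a comment such as `<!-- version managed by the parent POM -->` above the two dependencies, and confirm the new fingerprint against the signer of the release that is now resolved.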
+++ b/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java @@ -18,23 +18,23 @@ */ package org.apache.maven.plugins.gpg; +import javax.inject.Inject; + import java.io.File; -import java.util.Collections; import java.util.List; import org.apache.maven.execution.MavenSession; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoFailureException; -import org.apache.maven.plugins.annotations.Component; import org.apache.maven.plugins.annotations.Parameter; import org.apache.maven.project.MavenProject; import org.apache.maven.settings.Server; import org.apache.maven.settings.Settings; -import org.sonatype.plexus.components.cipher.DefaultPlexusCipher; -import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher; -import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher; -import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException; +import org.apache.maven.settings.building.SettingsProblem; +import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest; +import org.apache.maven.settings.crypto.SettingsDecrypter; +import org.apache.maven.settings.crypto.SettingsDecryptionResult; /** * @author Benjamin Bentmann @@ -256,12 +256,6 @@ public abstract class AbstractGpgMojo extends AbstractMojo { @Parameter(property = "gpg.signer", defaultValue = GpgSigner.NAME) private String signer; - /** - * @since 3.0.0 - */ - @Component - protected MavenSession session; - /** * Switch to improve plugin enforcement of "best practices". If set to {@code false}, plugin retains all the * backward compatibility regarding getting secrets (but will warn). If set to {@code true}, plugin will fail 
@@ -285,14 +279,16 @@ public abstract class AbstractGpgMojo extends AbstractMojo { protected Settings settings; /** - * Maven Security Dispatcher. - * - * @since 1.6 - * @deprecated Provides quasi-encryption, should be avoided. + * @since 3.0.0 */ - @Deprecated - private final SecDispatcher secDispatcher = - new DefaultSecDispatcher(new DefaultPlexusCipher(), Collections.emptyMap(), "~/.m2/settings-security.xml"); + @Inject + protected MavenSession session; + + /** + * @since 3.2.6 + */ + @Inject + protected SettingsDecrypter settingsDecrypter; @Override public final void execute() throws MojoExecutionException, MojoFailureException { @@ -415,11 +411,23 @@ public abstract class AbstractGpgMojo extends AbstractMojo { Server server = settings.getServer(passphraseServerId); if (server != null) { if (isNotBlank(server.getPassphrase())) { - try { - return secDispatcher.decrypt(server.getPassphrase()); - } catch (SecDispatcherException e) { - throw new MojoFailureException("Unable to decrypt gpg passphrase", e); + SettingsDecryptionResult result = + settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server)); + for (SettingsProblem problem : result.getProblems()) { + switch (problem.getSeverity()) { + case WARNING: + case ERROR: + getLog().warn(problem.getMessage(), problem.getException()); + break; + case FATAL: + getLog().error(problem.getMessage(), problem.getException()); + throw new MojoFailureException(problem.getMessage(), problem.getException()); + default: + throw new IllegalStateException("Unknown severity: " + + problem.getSeverity().toString()); + } } + return result.getServer().getPassphrase(); } } }
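Review bot: The Javadoc on the new `settingsDecrypter` field holds only `@since 3.2.6`, whereas the field it replaces was documented and deprecated with the caveat "Provides quasi-encryption, should be avoided". If `SettingsDecrypter` still relies on the same settings-security mechanism (likely, but not visible in this hunk), that caveat should be kept. I would add a summary line such as `Decrypts the passphrase of the server entry selected by passphraseServerId; Maven settings encryption is obfuscation rather than strong protection.` The re-added `session` field likewise has only a `@since` tag. The enclosing class continues outside the hunk.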
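Review bot: In the `switch` of the `@@ -415,11 +411,23 @@` hunk, `case ERROR:` shares the branch with `case WARNING:`, so a problem reported at ERROR severity is only logged and the method still returns `result.getServer().getPassphrase()`. The removed code failed the build with "Unable to decrypt gpg passphrase" on any decryption error. If the decrypter reports a failed passphrase decryption as ERROR (I believe Maven 3's default implementation does, but that is not visible here), the still-encrypted value would be returned and used as the gpg passphrase, and the build would fail later with a less clear error. I would move the label so the throwing branch reads `case ERROR:` `case FATAL:` ahead of `getLog().error(...)`, leaving only `case WARNING:` on the warn branch. The enclosing method starts and ends outside the hunk.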