[
https://issues.apache.org/jira/browse/MRESOLVER-276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611857#comment-17611857
]
ASF GitHub Bot commented on MRESOLVER-276:
------------------------------------------
michael-o commented on code in PR #200:
URL: https://github.com/apache/maven-resolver/pull/200#discussion_r985080021
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/DefaultArtifactResolver.java:
##########
@@ -117,7 +122,8 @@ public DefaultArtifactResolver()
VersionResolver versionResolver,
UpdateCheckManager updateCheckManager,
RepositoryConnectorProvider
repositoryConnectorProvider,
RemoteRepositoryManager remoteRepositoryManager,
SyncContextFactory syncContextFactory,
- OfflineController offlineController )
+ OfflineController offlineController,
+ Map<String, ArtifactResolverPostProcessor>
artifactResolverPostProcessors )
Review Comment:
Do we really need the key here?
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/ArtifactResolverPostProcessorSupport.java:
##########
@@ -0,0 +1,67 @@
+package org.eclipse.aether.internal.impl.resolution;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.List;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.resolution.ArtifactResult;
+import org.eclipse.aether.spi.resolution.ArtifactResolverPostProcessor;
+import org.eclipse.aether.util.ConfigUtils;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Support class to implement {@link ArtifactResolverPostProcessor}.
+ *
+ * @since TBD
+ */
+public abstract class ArtifactResolverPostProcessorSupport
+ implements ArtifactResolverPostProcessor
+{
+ private static final String CONFIG_PROP_PREFIX =
"aether.artifactResolver.postProcessor.";
+
+ private static final String CONF_NAME_ENABLED = "enabled";
Review Comment:
So the post processors aren't auto enabled when discovered by DI?
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/DefaultArtifactResolver.java:
##########
@@ -426,6 +442,14 @@ else if ( local.getFile() != null )
}
}
+ for ( ArtifactResolverPostProcessor artifactResolverPostProcessor :
artifactResolverPostProcessors.values() )
+ {
+ if ( artifactResolverPostProcessor.postProcess( session, results )
)
+ {
+ failures = true;
+ }
Review Comment:
This is not fail fast, right?
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/ChecksumArtifactResolverPostProcessor.java:
##########
@@ -0,0 +1,89 @@
+package org.eclipse.aether.internal.impl.resolution;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.util.List;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.resolution.ArtifactResult;
+import
org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector;
+import org.eclipse.aether.spi.connector.checksum.ProvidedChecksumsSource;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Artifact resolver processor that verifies the checksums all the resolved
artifacts against trusted (provided)
+ * checksums.
+ *
+ * @since TBD
+ */
+@Singleton
+@Named( ChecksumArtifactResolverPostProcessor.NAME )
+public final class ChecksumArtifactResolverPostProcessor
+ extends ArtifactResolverPostProcessorSupport
+{
+ public static final String NAME = "checksum";
+
+ private final ChecksumAlgorithmFactorySelector
checksumAlgorithmFactorySelector;
+
+ private final List<ProvidedChecksumsSource> providedChecksumsSources;
+
+ @Inject
+ public ChecksumArtifactResolverPostProcessor(
ChecksumAlgorithmFactorySelector checksumAlgorithmFactorySelector,
+
List<ProvidedChecksumsSource> providedChecksumsSources )
+ {
+ super( NAME );
+ this.checksumAlgorithmFactorySelector = requireNonNull(
checksumAlgorithmFactorySelector );
+ this.providedChecksumsSources = requireNonNull(
providedChecksumsSources );
+ }
+
+ @Override
+ protected boolean doProcess( RepositorySystemSession session,
List<ArtifactResult> artifactResults )
+ {
+ boolean failures = false;
+ for ( ArtifactResult artifactResult : artifactResults )
+ {
+ Artifact artifact = artifactResult.getArtifact();
+ if ( artifact != null && artifact.getFile() != null )
+ {
+ if ( !validateArtifactChecksums( session, artifactResult ) )
+ {
+ failures = true;
+ }
+ }
+ }
+ return failures;
+ }
+
+ private boolean validateArtifactChecksums( RepositorySystemSession
session, ArtifactResult artifactResult )
+ {
+ Artifact artifact = artifactResult.getArtifact();
+ ArtifactRepository artifactRepository = artifactResult.getRepository();
+
+ // MRESOLVER-259 PR: use trusted checksum source here as this is NOT
transport related!
Review Comment:
This statement contradicts the constructor args.
##########
maven-resolver-spi/src/main/java/org/eclipse/aether/spi/resolution/ArtifactResolverPostProcessor.java:
##########
@@ -0,0 +1,44 @@
+package org.eclipse.aether.spi.resolution;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.List;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.resolution.ArtifactResult;
+
+/**
+ * Artifact resolver post-resolution processor, is able to hook into resolver
and post-process the resolved artifact
+ * results, if needed even produce resolution failure.
+ *
+ * @since TBD
+ */
+public interface ArtifactResolverPostProcessor
+{
+ /**
+ * Receives resolver results just before it would return it to caller. Is
able to signal "resolution failure"
+ * by returning {@code true}. When signaling "failure", the passed in
{@link ArtifactResult}s should be properly
+ * augmented using {@link ArtifactResult#addException(Exception)} calls.
Review Comment:
The boolean logic seems inverted here, no? The method name says `postProcess
` so a `true` signals that it has been post-processed, no?
##########
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/ChecksumArtifactResolverPostProcessor.java:
##########
@@ -0,0 +1,89 @@
+package org.eclipse.aether.internal.impl.resolution;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.util.List;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.resolution.ArtifactResult;
+import
org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactorySelector;
+import org.eclipse.aether.spi.connector.checksum.ProvidedChecksumsSource;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Artifact resolver processor that verifies the checksums all the resolved
artifacts against trusted (provided)
+ * checksums.
+ *
+ * @since TBD
+ */
+@Singleton
+@Named( ChecksumArtifactResolverPostProcessor.NAME )
+public final class ChecksumArtifactResolverPostProcessor
+ extends ArtifactResolverPostProcessorSupport
+{
Review Comment:
So without this the provided checksums are useless? This is named provided
since the Trusted to Provided Adapter supplies them?
> Resolver post-processor
> -----------------------
>
> Key: MRESOLVER-276
> URL: https://issues.apache.org/jira/browse/MRESOLVER-276
> Project: Maven Resolver
> Issue Type: Improvement
> Components: Resolver
> Reporter: Tamás Cservenák
> Assignee: Tamás Cservenák
> Priority: Major
> Fix For: resolver-next
>
>
> Introduce new feature, resolver post-processor that is able to post process
> resolution results just before artifact resolver returns them to caller. Post
> processor should be able to signal resolution failure (along with errors)
> just like existing resolution may fail.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
