From bbe19ce4c4406384be4df5a18e83dab42f23ef49 Mon Sep 17 00:00:00 2001 From: Elias Lundell Date: Mon, 5 May 2025 16:09:32 +0200 Subject: [PATCH 1/3] Change default parameter from local to remote --- .../chains_project/maven_lockfile/AbstractLockfileMojo.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java index 150af670a..a546bedf3 100644 --- a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java +++ b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java @@ -57,7 +57,7 @@ public abstract class AbstractLockfileMojo extends AbstractMojo { @Parameter(property = "checksumAlgorithm") protected String checksumAlgorithm; - @Parameter(defaultValue = "local", property = "checksumMode") + @Parameter(defaultValue = "remote", property = "checksumMode") protected String checksumMode; @Parameter(property = "reduced") From 55906136a012831201dcaba3a551f173e920b87e Mon Sep 17 00:00:00 2001 From: Elias Lundell Date: Tue, 6 May 2025 21:17:42 +0200 Subject: [PATCH 2/3] Add additional checksums from remote Enable sha256 and sha512 for maven central In case sha256/sha512 is missing from remote, download file, verify with sha1, and calculate new checksum --- .../checksum/RemoteChecksumCalculator.java | 69 ++++++++++++++----- 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java index bc1f3c79c..771849143 100644 --- a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java 
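Review bot: The flipped default on `checksumMode` has no comment explaining what `remote` means for trust, and existing builds that never set the property will change behaviour without notice. Judging by `RemoteChecksumCalculator` later in this series, remote mode appears to record the checksum the repository serves rather than a hash of the resolved file. If that reading is right, add a Javadoc line above the field such as `/** "remote" records the checksum published by the remote repository; see RemoteChecksumCalculator. */`. The field is a free-form `String` and its validation is not visible in this hunk, so confirm that an unrecognised value fails the build instead of silently selecting a mode.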
+++ b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java @@ -1,10 +1,14 @@ package io.github.chains_project.maven_lockfile.checksum; +import com.google.common.io.BaseEncoding; import io.github.chains_project.maven_lockfile.data.ResolvedUrl; import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; +import java.nio.file.Files; +import java.security.MessageDigest; +import java.util.Locale; import java.util.Optional; import org.apache.log4j.Logger; import org.apache.maven.artifact.Artifact; @@ -23,8 +27,8 @@ public RemoteChecksumCalculator( ProjectBuildingRequest artifactBuildingRequest, ProjectBuildingRequest pluginBuildingRequest) { super(checksumAlgorithm); - if (!(checksumAlgorithm.equals("sha1") || checksumAlgorithm.equals("md5"))) { - throw new IllegalArgumentException("Invalid checksum algorithm maven central only supports sha1 or md5"); + if (!(checksumAlgorithm.equals("md5") || checksumAlgorithm.equals("sha1") || checksumAlgorithm.equals("sha256") || checksumAlgorithm.equals("sha512"))) { + throw new IllegalArgumentException("Invalid checksum algorithm maven central only supports md5, sha1, sha256 or sha512."); } this.artifactBuildingRequest = artifactBuildingRequest; 
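Review bot: The four-way `equals` chain in the constructor is the only guard on the user-supplied `checksumAlgorithm` before it is used as a URL suffix (`artifactUrl + "." + checksumAlgorithm`) and as the `MessageDigest.getInstance` argument, and nothing in the code says so. I would hoist the values into a constant, `private static final Set<String> SUPPORTED_ALGORITHMS = Set.of("md5", "sha1", "sha256", "sha512");`, test `SUPPORTED_ALGORITHMS.contains(checksumAlgorithm)`, and add a comment that the set must stay limited to names valid in both roles. The exception text still says "maven central only supports" although the calculator iterates every configured remote repository; `supported algorithms are md5, sha1, sha256 or sha512` would be more accurate. The constructor's signature starts above the hunk.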
@@ -42,21 +46,53 @@ private Optional calculateChecksumInternal(Artifact artifact, ProjectBui } String filename = artifactId + "-" + version + "." + extension; + BaseEncoding baseEncoding = BaseEncoding.base16(); + HttpClient client = HttpClient.newBuilder() + .followRedirects(HttpClient.Redirect.ALWAYS) + .build(); + for (ArtifactRepository repository : buildingRequest.getRemoteRepositories()) { - String url = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version - + "/" + filename + "." + checksumAlgorithm; + String artifactUrl = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version + + "/" + filename; + String checksumUrl = artifactUrl + "." + checksumAlgorithm; - LOGGER.debug("Checking: " + url); + LOGGER.debug("Checking: " + checksumUrl); - HttpClient client = HttpClient.newBuilder() - .followRedirects(HttpClient.Redirect.ALWAYS) - .build(); - HttpRequest request = - HttpRequest.newBuilder().uri(URI.create(url)).build(); - HttpResponse response = client.send(request, HttpResponse.BodyHandlers.ofString()); + HttpRequest checksumRequest = + HttpRequest.newBuilder().uri(URI.create(checksumUrl)).build(); + HttpResponse checksumResponse = client.send(checksumRequest, HttpResponse.BodyHandlers.ofString()); - if (response.statusCode() >= 200 && response.statusCode() < 300) { - return Optional.of(response.body().strip()); + if (checksumResponse.statusCode() >= 200 && checksumResponse.statusCode() < 300) { + return Optional.of(checksumResponse.body().strip()); + } + + if (checksumResponse.statusCode() == 404) { + HttpRequest artifactRequest = HttpRequest.newBuilder().uri(URI.create(artifactUrl)).build(); + HttpResponse artifactResponse = client.send(artifactRequest, HttpResponse.BodyHandlers.ofByteArray()); + + if (artifactResponse.statusCode() < 200 || artifactResponse.statusCode() >= 300) { + continue; + } + + // Fallback to and verify downloaded artifact with sha1 + HttpRequest 
artifactVerificationRequest = HttpRequest.newBuilder().uri(URI.create(artifactUrl + ".sha1")).build(); + HttpResponse artifactVerificationResponse = client.send(artifactVerificationRequest, HttpResponse.BodyHandlers.ofString()); + + if (artifactVerificationResponse.statusCode() >= 200 && artifactVerificationResponse.statusCode() < 300) { + MessageDigest verificationMessageDigest = MessageDigest.getInstance("sha1"); + String sha1 = baseEncoding.encode(verificationMessageDigest.digest(artifactResponse.body())).toLowerCase(Locale.ROOT); + + if (!sha1.equals(artifactVerificationResponse.body().strip())) { + LOGGER.error("Invalid sha1 checksum for download of: " + artifactUrl); + throw new RuntimeException("Invalid sha1 checksum for download of: " + artifactUrl); + } + } else { + LOGGER.warn("Unable to find sha1 to verify download of: " + artifactUrl); + } + + MessageDigest messageDigest = MessageDigest.getInstance(checksumAlgorithm); + String checksum = baseEncoding.encode(messageDigest.digest(artifactResponse.body())).toLowerCase(Locale.ROOT); + return Optional.of(checksum); } } @@ -80,15 +116,16 @@ private Optional getResolvedFieldInternal(Artifact artifact, Projec } String filename = artifactId + "-" + version + "." + extension; + HttpClient client = HttpClient.newBuilder() + .followRedirects(HttpClient.Redirect.ALWAYS) + .build(); + for (ArtifactRepository repository : buildingRequest.getRemoteRepositories()) { String url = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version + "/" + filename; LOGGER.debug("Checking: " + url); - HttpClient client = HttpClient.newBuilder() - .followRedirects(HttpClient.Redirect.ALWAYS) - .build(); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(url)) .method("HEAD", HttpRequest.BodyPublishers.noBody()) From 63d83774e95de6a009cf370b84bdae7019381b3e Mon Sep 17 00:00:00 2001 
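Review bot: In the 404 fallback of `calculateChecksumInternal`, a missing or failing `.sha1` only reaches `LOGGER.warn(...)`, and the code then hashes and returns the unverified download, so the lockfile can pin bytes that were never checked against anything. The `.sha1` comes from the same repository as the artifact, so the comparison catches corruption in transit rather than tampering, and the `// Fallback to and verify downloaded artifact with sha1` comment should say so. I would fail closed in the `else` branch, e.g. `throw new RuntimeException("No sha1 available to verify download of: " + artifactUrl);`, or `continue` to the next repository. The exact `sha1.equals(artifactVerificationResponse.body().strip())` comparison will also reject a good artifact if a repository serves the digest in upper case or followed by a file name, and the 2xx path above returns `checksumResponse.body().strip()` without checking that it is a hex digest of the expected length. The method starts above the hunk and continues below it.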
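Review bot: The hoisted client in `getResolvedFieldInternal` keeps `HttpClient.Redirect.ALWAYS`, which also follows a redirect from an HTTPS repository URL to plain HTTP; the same builder now sits at the top of `calculateChecksumInternal`, where the response body becomes the recorded checksum. `HttpClient.Redirect.NORMAL` follows redirects except from HTTPS to HTTP, so `.followRedirects(HttpClient.Redirect.NORMAL)` in both places keeps checksum and artifact lookups from being downgraded to plain HTTP by a redirect. Both methods now build an identical client on every call; a single `private static final HttpClient` field would remove the duplication. The method body continues outside the hunk.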
From: LogFlames <36220731+LogFlames@users.noreply.github.com> Date: Tue, 6 May 2025 19:20:01 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=93=9D=20Update=20Documentation=20wit?= =?UTF-8?q?h=20current=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../checksum/RemoteChecksumCalculator.java | 43 +++++++++++++------ 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java index 771849143..5f4c9fbd4 100644 --- a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java +++ b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java @@ -6,7 +6,6 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; -import java.nio.file.Files; import java.security.MessageDigest; import java.util.Locale; import java.util.Optional; @@ -27,8 +26,12 @@ public RemoteChecksumCalculator( ProjectBuildingRequest artifactBuildingRequest, ProjectBuildingRequest pluginBuildingRequest) { super(checksumAlgorithm); - if (!(checksumAlgorithm.equals("md5") || checksumAlgorithm.equals("sha1") || checksumAlgorithm.equals("sha256") || checksumAlgorithm.equals("sha512"))) { - throw new IllegalArgumentException("Invalid checksum algorithm maven central only supports md5, sha1, sha256 or sha512."); + if (!(checksumAlgorithm.equals("md5") + || checksumAlgorithm.equals("sha1") + || checksumAlgorithm.equals("sha256") + || checksumAlgorithm.equals("sha512"))) { + throw new IllegalArgumentException( + "Invalid checksum algorithm maven central only supports md5, sha1, sha256 or sha512."); } this.artifactBuildingRequest = artifactBuildingRequest; 
@@ -52,35 +55,45 @@ private Optional calculateChecksumInternal(Artifact artifact, ProjectBui .build(); for (ArtifactRepository repository : buildingRequest.getRemoteRepositories()) { - String artifactUrl = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version - + "/" + filename; + String artifactUrl = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + + version + "/" + filename; String checksumUrl = artifactUrl + "." + checksumAlgorithm; LOGGER.debug("Checking: " + checksumUrl); HttpRequest checksumRequest = HttpRequest.newBuilder().uri(URI.create(checksumUrl)).build(); - HttpResponse checksumResponse = client.send(checksumRequest, HttpResponse.BodyHandlers.ofString()); + HttpResponse checksumResponse = + client.send(checksumRequest, HttpResponse.BodyHandlers.ofString()); if (checksumResponse.statusCode() >= 200 && checksumResponse.statusCode() < 300) { return Optional.of(checksumResponse.body().strip()); } if (checksumResponse.statusCode() == 404) { - HttpRequest artifactRequest = HttpRequest.newBuilder().uri(URI.create(artifactUrl)).build(); - HttpResponse artifactResponse = client.send(artifactRequest, HttpResponse.BodyHandlers.ofByteArray()); + HttpRequest artifactRequest = HttpRequest.newBuilder() + .uri(URI.create(artifactUrl)) + .build(); + HttpResponse artifactResponse = + client.send(artifactRequest, HttpResponse.BodyHandlers.ofByteArray()); if (artifactResponse.statusCode() < 200 || artifactResponse.statusCode() >= 300) { continue; } // Fallback to and verify downloaded artifact with sha1 - HttpRequest artifactVerificationRequest = HttpRequest.newBuilder().uri(URI.create(artifactUrl + ".sha1")).build(); - HttpResponse artifactVerificationResponse = client.send(artifactVerificationRequest, HttpResponse.BodyHandlers.ofString()); - - if (artifactVerificationResponse.statusCode() >= 200 && artifactVerificationResponse.statusCode() < 300) { + HttpRequest artifactVerificationRequest = 
HttpRequest.newBuilder() + .uri(URI.create(artifactUrl + ".sha1")) + .build(); + HttpResponse artifactVerificationResponse = + client.send(artifactVerificationRequest, HttpResponse.BodyHandlers.ofString()); + + if (artifactVerificationResponse.statusCode() >= 200 + && artifactVerificationResponse.statusCode() < 300) { MessageDigest verificationMessageDigest = MessageDigest.getInstance("sha1"); - String sha1 = baseEncoding.encode(verificationMessageDigest.digest(artifactResponse.body())).toLowerCase(Locale.ROOT); + String sha1 = baseEncoding + .encode(verificationMessageDigest.digest(artifactResponse.body())) + .toLowerCase(Locale.ROOT); if (!sha1.equals(artifactVerificationResponse.body().strip())) { LOGGER.error("Invalid sha1 checksum for download of: " + artifactUrl); @@ -91,7 +104,9 @@ private Optional calculateChecksumInternal(Artifact artifact, ProjectBui } MessageDigest messageDigest = MessageDigest.getInstance(checksumAlgorithm); - String checksum = baseEncoding.encode(messageDigest.digest(artifactResponse.body())).toLowerCase(Locale.ROOT); + String checksum = baseEncoding + .encode(messageDigest.digest(artifactResponse.body())) + .toLowerCase(Locale.ROOT); return Optional.of(checksum); } }