feat: ✨ Add the concept of different default checksum algorithms depe…

…nding on the trust source (#398) Co-authored-by: MartinWitt <[email protected]>
chains-project · Aug 31, 2023 · f99517e · f99517e
1 parent 9b0020b
commit f99517e
Show file tree

Hide file tree

Showing 20 changed files with 234 additions and 100 deletions.
diff --git a/README.md b/README.md
@@ -65,7 +65,7 @@ If you invoke build afterward, the exact versions from the lockfile are used.
 
 - `reduced` will reduce the lockfile only containing the dependencies after dependency resolution conflicts are resolved. This format is smaller, and easier to review and read. Only use this if you do not need the full dependency tree.
 - `includeMavenPlugins` will include the maven plugins in the lockfile. This is useful if you want to validate the Maven plugins as well.
-- `checksumAlgorithm` will set the checksum algorithm used to generate the lockfile. The default is `SHA-256`.
+- `checksumAlgorithm` will set the checksum algorithm used to generate the lockfile. The default depends on your checksum mode.
 - `checksumMode` will set the checksum mode used to generate the lockfile. See [Checksum Modes](/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/ChecksumModes.java) for more information.
 - `skip` will skip the execution of the plugin. This is useful if you would like to disable the plugin for a specific module.
 - `getConfigFromFile` will read the configuration of maven lockfile from the existing lockfile.

diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/AbstractLockfileMojo.java
@@ -1,10 +1,11 @@
 package io.github.chains_project.maven_lockfile;
 
+import com.google.common.base.Strings;
 import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
 import io.github.chains_project.maven_lockfile.checksum.FileSystemChecksumCalculator;
 import io.github.chains_project.maven_lockfile.checksum.RemoteChecksumCalculator;
 import io.github.chains_project.maven_lockfile.data.Config;
-import io.github.chains_project.maven_lockfile.data.Metadata;
+import io.github.chains_project.maven_lockfile.data.Environment;
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecution;
@@ -37,7 +38,7 @@ public abstract class AbstractLockfileMojo extends AbstractMojo {
     @Component
     protected DependencyResolver dependencyResolver;
 
-    @Parameter(defaultValue = "false", property = "includeMavenPlugins")
+    @Parameter(property = "includeMavenPlugins")
     protected String includeMavenPlugins;
 
     @Parameter(defaultValue = "${maven.version}")
@@ -46,13 +47,13 @@ public abstract class AbstractLockfileMojo extends AbstractMojo {
     @Parameter(defaultValue = "${java.version}")
     protected String javaVersion;
 
-    @Parameter(defaultValue = "sha1", property = "checksumAlgorithm")
+    @Parameter(property = "checksumAlgorithm")
     protected String checksumAlgorithm;
 
     @Parameter(defaultValue = "maven_local", property = "checksumMode")
     protected String checksumMode;
 
-    @Parameter(defaultValue = "false", property = "reduced")
+    @Parameter(property = "reduced")
     protected String reduced;
 
     @Parameter(defaultValue = "false", property = "skip")
@@ -61,9 +62,9 @@ public abstract class AbstractLockfileMojo extends AbstractMojo {
     @Parameter(defaultValue = "${mojoExecution}", readonly = true)
     protected MojoExecution mojo;
 
-    protected Metadata generateMetaInformation() {
+    protected Environment generateMetaInformation() {
         String osName = System.getProperty("os.name");
-        return new Metadata(osName, mavenVersion, javaVersion);
+        return new Environment(osName, mavenVersion, javaVersion);
     }
 
     protected AbstractChecksumCalculator getChecksumCalculator() throws MojoExecutionException {
@@ -91,11 +92,13 @@ protected AbstractChecksumCalculator getChecksumCalculator(Config config) throws
     }
 
     protected Config getConfig() {
+        String chosenAlgo = Strings.isNullOrEmpty(checksumAlgorithm) ? "SHA-256" : checksumAlgorithm;
+        String chosenMode = Strings.isNullOrEmpty(checksumMode) ? "maven_local" : checksumMode;
         return new Config(
                 Boolean.parseBoolean(includeMavenPlugins),
                 Boolean.parseBoolean(reduced),
                 mojo.getPlugin().getVersion(),
-                checksumMode,
-                checksumAlgorithm);
+                chosenMode,
+                chosenAlgo);
     }
 }
diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/GenerateLockFileMojo.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/GenerateLockFileMojo.java
@@ -4,8 +4,9 @@
 
 import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
 import io.github.chains_project.maven_lockfile.data.Config;
+import io.github.chains_project.maven_lockfile.data.Environment;
 import io.github.chains_project.maven_lockfile.data.LockFile;
-import io.github.chains_project.maven_lockfile.data.Metadata;
+import io.github.chains_project.maven_lockfile.data.MetaData;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -39,16 +40,18 @@ public void execute() throws MojoExecutionException {
             getLog().info("Skipping maven-lockfile");
         }
         try {
-            Metadata metadata = generateMetaInformation();
+            Environment environment = generateMetaInformation();
             LockFile lockFileFromFile =
                     Files.exists(getLockFilePath(project)) ? LockFile.readLockFile(getLockFilePath(project)) : null;
-            Config config = getConfig(lockFileFromFile);
+            Config config = Boolean.parseBoolean(getConfigFromFile) ? getConfig(lockFileFromFile) : getConfig();
+            MetaData metaData = new MetaData(environment, config);
+
             if (lockFileFromFile == null) {
                 getLog().info("No lockfile found. Generating new lockfile.");
             }
             AbstractChecksumCalculator checksumCalculator = getChecksumCalculator(config);
             LockFile lockFile = LockFileFacade.generateLockFileFromProject(
-                    session, project, dependencyCollectorBuilder, checksumCalculator, config, metadata);
+                    session, project, dependencyCollectorBuilder, checksumCalculator, metaData);
 
             Path lockFilePath = LockFileFacade.getLockFilePath(project);
             Files.writeString(lockFilePath, JsonUtils.toJson(lockFile));

diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/LockFileFacade.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/LockFileFacade.java
@@ -4,11 +4,10 @@
 import com.google.common.graph.MutableGraph;
 import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
 import io.github.chains_project.maven_lockfile.data.ArtifactId;
-import io.github.chains_project.maven_lockfile.data.Config;
 import io.github.chains_project.maven_lockfile.data.GroupId;
 import io.github.chains_project.maven_lockfile.data.LockFile;
 import io.github.chains_project.maven_lockfile.data.MavenPlugin;
-import io.github.chains_project.maven_lockfile.data.Metadata;
+import io.github.chains_project.maven_lockfile.data.MetaData;
 import io.github.chains_project.maven_lockfile.data.VersionNumber;
 import io.github.chains_project.maven_lockfile.graph.DependencyGraph;
 import java.nio.file.Path;
@@ -76,7 +75,6 @@ private LockFileFacade() {
      * @param project  The project to generate a lock file for.
      * @param dependencyCollectorBuilder  The dependency collector builder to use for generating the dependency graph.
      * @param checksumCalculator  The checksum calculator to use for calculating the checksums of the artifacts.
-     * @param config  The config to use for generating the lock file.
      * @param metadata The metadata to include in the lock file.
      * @return  A lock file for the project.
      */
@@ -85,25 +83,27 @@ public static LockFile generateLockFileFromProject(
             MavenProject project,
             DependencyCollectorBuilder dependencyCollectorBuilder,
             AbstractChecksumCalculator checksumCalculator,
-            Config config,
-            Metadata metadata) {
+            MetaData metadata) {
         LOGGER.info("Generating lock file for project " + project.getArtifactId());
         List<MavenPlugin> plugins = new ArrayList<>();
-        if (config.isIncludeMavenPlugins()) {
+        if (metadata.getConfig().isIncludeMavenPlugins()) {
             plugins = getAllPlugins(project);
         }
         // Get all the artifacts for the dependencies in the project
         var graph = LockFileFacade.graph(
-                session, project, dependencyCollectorBuilder, checksumCalculator, config.isReduced());
+                session,
+                project,
+                dependencyCollectorBuilder,
+                checksumCalculator,
+                metadata.getConfig().isReduced());
         var roots = graph.getGraph().stream().filter(v -> v.getParent() == null).collect(Collectors.toList());
         return new LockFile(
                 GroupId.of(project.getGroupId()),
                 ArtifactId.of(project.getArtifactId()),
                 VersionNumber.of(project.getVersion()),
                 roots,
                 plugins,
-                metadata,
-                config);
+                metadata);
     }
 
     private static List<MavenPlugin> getAllPlugins(MavenProject project) {

diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/ValidateChecksumMojo.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/ValidateChecksumMojo.java
@@ -4,8 +4,9 @@
 
 import io.github.chains_project.maven_lockfile.checksum.AbstractChecksumCalculator;
 import io.github.chains_project.maven_lockfile.data.Config;
+import io.github.chains_project.maven_lockfile.data.Environment;
 import io.github.chains_project.maven_lockfile.data.LockFile;
-import io.github.chains_project.maven_lockfile.data.Metadata;
+import io.github.chains_project.maven_lockfile.data.MetaData;
 import io.github.chains_project.maven_lockfile.reporting.LockFileDifference;
 import java.io.IOException;
 import java.util.Objects;
@@ -35,16 +36,18 @@ public void execute() throws MojoExecutionException {
             getLog().info("Skipping maven-lockfile");
         }
         try {
-            Metadata metadata = generateMetaInformation();
+            Environment environment = generateMetaInformation();
+
             LockFile lockFileFromFile = LockFile.readLockFile(getLockFilePath(project));
             Config config = lockFileFromFile.getConfig() == null ? getConfig() : lockFileFromFile.getConfig();
+            MetaData metaData = new MetaData(environment, config);
             getLog().warn("No config was found in the lock file. Using default config.");
             AbstractChecksumCalculator checksumCalculator = getChecksumCalculator(config);
             LockFile lockFileFromProject = LockFileFacade.generateLockFileFromProject(
-                    session, project, dependencyCollectorBuilder, checksumCalculator, config, metadata);
-            if (!Objects.equals(lockFileFromFile.getMetadata(), lockFileFromProject.getMetadata())) {
+                    session, project, dependencyCollectorBuilder, checksumCalculator, metaData);
+            if (!Objects.equals(lockFileFromFile.getEnvironment(), lockFileFromProject.getEnvironment())) {
                 getLog().warn(
-                                "Lock file metadata does not match project metadata. This could be due to a change in the environment.");
+                                "Lock file environment does not match project environment. This could be due to a change in the environment.");
             }
             if (!lockFileFromFile.equals(lockFileFromProject)) {
                 var diff = LockFileDifference.diff(lockFileFromFile, lockFileFromProject);

diff --git a/...ain/java/io/github/chains_project/maven_lockfile/checksum/AbstractChecksumCalculator.java b/...ain/java/io/github/chains_project/maven_lockfile/checksum/AbstractChecksumCalculator.java
@@ -7,7 +7,11 @@ public abstract class AbstractChecksumCalculator {
     protected String checksumAlgorithm;
 
     AbstractChecksumCalculator(String checksumAlgorithm) {
-        this.checksumAlgorithm = checksumAlgorithm;
+        if (checksumAlgorithm == null || checksumAlgorithm.isEmpty()) {
+            this.checksumAlgorithm = getDefaultChecksumAlgorithm();
+        } else {
+            this.checksumAlgorithm = checksumAlgorithm;
+        }
     }
 
     /**
@@ -18,4 +22,6 @@ public String getChecksumAlgorithm() {
     }
 
     public abstract String calculateChecksum(Artifact artifact);
+
+    public abstract String getDefaultChecksumAlgorithm();
 }
diff --git a/...n/java/io/github/chains_project/maven_lockfile/checksum/FileSystemChecksumCalculator.java b/...n/java/io/github/chains_project/maven_lockfile/checksum/FileSystemChecksumCalculator.java
@@ -74,4 +74,9 @@ private Optional<String> calculateChecksumInternal(Artifact artifact) {
     public String calculateChecksum(Artifact artifact) {
         return calculateChecksumInternal(resolveDependency(artifact)).orElse("");
     }
+
+    @Override
+    public String getDefaultChecksumAlgorithm() {
+        return "SHA-256";
+    }
 }
diff --git a/.../main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java b/.../main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java
@@ -39,4 +39,9 @@ public String calculateChecksum(Artifact artifact) {
             throw new RuntimeException("Could not resolve artifact: " + artifact.getArtifactId(), e);
         }
     }
+
+    @Override
+    public String getDefaultChecksumAlgorithm() {
+        return "sha1";
+    }
 }
diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/Config.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/Config.java
@@ -1,5 +1,8 @@
 package io.github.chains_project.maven_lockfile.data;
 
+import io.github.chains_project.maven_lockfile.checksum.ChecksumModes;
+import io.github.chains_project.maven_lockfile.checksum.FileSystemChecksumCalculator;
+
 public class Config {
 
     private final boolean includeMavenPlugins;
@@ -25,8 +28,8 @@ public Config() {
         this.includeMavenPlugins = false;
         this.reduced = false;
         this.mavenLockfileVersion = "1";
-        this.checksumMode = "maven_local";
-        this.checksumAlgorithm = "sha1";
+        this.checksumMode = ChecksumModes.MAVEN_LOCAL.name();
+        this.checksumAlgorithm = new FileSystemChecksumCalculator(null, null, null).getDefaultChecksumAlgorithm();
     }
     /**
      * @return the includeMavenPlugins

diff --git a/...project/maven_lockfile/data/Metadata.java → ...ject/maven_lockfile/data/Environment.java b/...project/maven_lockfile/data/Metadata.java → ...ject/maven_lockfile/data/Environment.java
@@ -5,13 +5,13 @@
 /**
  * Metadata about the environment in which the lock file was generated. This includes the OS name, the Maven version and the Java version.
  */
-public class Metadata {
+public class Environment {
 
     private final String osName;
     private final String mavenVersion;
     private final String javaVersion;
 
-    public Metadata(String osName, String mavenVersion, String javaVersion) {
+    public Environment(String osName, String mavenVersion, String javaVersion) {
         this.osName = osName;
         this.mavenVersion = mavenVersion;
         this.javaVersion = javaVersion;
@@ -51,10 +51,10 @@ public boolean equals(Object obj) {
         if (this == obj) {
             return true;
         }
-        if (!(obj instanceof Metadata)) {
+        if (!(obj instanceof Environment)) {
             return false;
         }
-        Metadata other = (Metadata) obj;
+        Environment other = (Environment) obj;
         return Objects.equals(osName, other.osName)
                 && Objects.equals(mavenVersion, other.mavenVersion)
                 && Objects.equals(javaVersion, other.javaVersion);

diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/LockFile.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/LockFile.java
@@ -34,24 +34,21 @@ public class LockFile {
 
     private final List<MavenPlugin> mavenPlugins;
 
-    private final Metadata metadata;
-    private final Config config;
+    private final MetaData metaData;
 
     public LockFile(
             GroupId groupId,
             ArtifactId name,
             VersionNumber versionNumber,
             List<DependencyNode> dependencies,
             List<MavenPlugin> mavenPlugins,
-            Metadata metadata,
-            Config config) {
+            MetaData metaData) {
         this.dependencies = dependencies == null ? Collections.emptyList() : dependencies;
         this.name = name;
         this.version = versionNumber;
         this.groupId = groupId;
         this.mavenPlugins = mavenPlugins == null ? Collections.emptyList() : mavenPlugins;
-        this.metadata = metadata;
-        this.config = config;
+        this.metaData = metaData;
     }
     /**
      * Create a lock file object from a serialized JSON string.
@@ -97,16 +94,16 @@ public List<MavenPlugin> getMavenPlugins() {
     /**
      * @return the metadata about the environment in which the lock file was generated
      */
-    public Metadata getMetadata() {
-        return metadata;
+    public Environment getEnvironment() {
+        return metaData.getEnvironment();
     }
 
     /**
      * @return the config
      */
     @Nullable
     public Config getConfig() {
-        return config;
+        return metaData.getConfig();
     }
 
     @Override
@@ -127,7 +124,7 @@ public boolean equals(Object obj) {
                 && Objects.equals(groupId, other.groupId)
                 && Objects.equals(version, other.version)
                 && lockfileVersion == other.lockfileVersion
-                && Objects.equals(dependencies, other.dependencies)
+                && Objects.equals(nullToEmpty(dependencies), nullToEmpty(other.dependencies))
                 && Objects.equals(nullToEmpty(mavenPlugins), nullToEmpty(other.mavenPlugins));
     }
 

diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/MetaData.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/data/MetaData.java
@@ -0,0 +1,26 @@
+package io.github.chains_project.maven_lockfile.data;
+
+public class MetaData {
+
+    private final Environment environment;
+    private final Config config;
+
+    public MetaData(Environment environment, Config config) {
+        this.environment = environment;
+        this.config = config;
+    }
+
+    /**
+     * @return the config
+     */
+    public Config getConfig() {
+        return config;
+    }
+
+    /**
+     * @return the environment
+     */
+    public Environment getEnvironment() {
+        return environment;
+    }
+}