[MGPG-138] Drop direct use of plexus-cipher and secdispatcher (#115)

Use proper Maven 3 API instead. --- https://issues.apache.org/jira/browse/MGPG-138
apache · Sep 9, 2024 · afdfd28 · afdfd28
1 parent 7516e7c
commit afdfd28
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 50 deletions.
diff --git a/pgp-keys-map.list b/pgp-keys-map.list
@@ -28,8 +28,7 @@ org.opentest4j:opentest4j = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
 org.apache.maven.resolver = 0x29BEA2A645F2D6CED7FB12E02B172E3E156466E8
 org.apache.maven.shared:maven-invoker = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
 org.apache.maven.shared:maven-shared-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
-org.codehaus.plexus:plexus-cipher = 0x6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688
 org.codehaus.plexus:plexus-classworlds = 0xB91AB7D2121DC6B0A61AA182D7742D58455ECC7C
 org.codehaus.plexus:plexus-component-annotations = 0xFA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A
-org.codehaus.plexus:plexus-utils = 0xF254B35617DC255D9344BCFA873A8E86B4372146
-org.codehaus.plexus:plexus-sec-dispatcher = 0x2BE13D052E9AA567D657D9791FD507154FB9BA39
+org.codehaus.plexus:plexus-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
+org.codehaus.plexus:plexus-xml = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
diff --git a/pom.xml b/pom.xml
@@ -69,6 +69,12 @@ under the License.
   </properties>
 
   <dependencies>
+    <dependency>
+      <groupId>javax.inject</groupId>
+      <artifactId>javax.inject</artifactId>
+      <version>1</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-plugin-api</artifactId>
@@ -105,6 +111,12 @@ under the License.
       <version>${mavenVersion}</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-settings-builder</artifactId>
+      <version>${mavenVersion}</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.resolver</groupId>
       <artifactId>maven-resolver-api</artifactId>
@@ -126,7 +138,10 @@ under the License.
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
-      <version>3.5.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.codehaus.plexus</groupId>
+      <artifactId>plexus-xml</artifactId>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
@@ -149,29 +164,6 @@ under the License.
       <version>2.10.0</version>
       <type>pom</type>
     </dependency>
-    <!-- These two below must go in pair -->
-    <dependency>
-      <groupId>org.codehaus.plexus</groupId>
-      <artifactId>plexus-sec-dispatcher</artifactId>
-      <version>2.0</version>
-      <exclusions>
-        <exclusion>
-          <groupId>*</groupId>
-          <artifactId>*</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.codehaus.plexus</groupId>
-      <artifactId>plexus-cipher</artifactId>
-      <version>2.0</version>
-      <exclusions>
-        <exclusion>
-          <groupId>*</groupId>
-          <artifactId>*</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
 
     <dependency>
       <groupId>org.junit.jupiter</groupId>

diff --git a/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java b/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java
@@ -18,23 +18,23 @@
  */
 package org.apache.maven.plugins.gpg;
 
+import javax.inject.Inject;
+
 import java.io.File;
-import java.util.Collections;
 import java.util.List;
 
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
-import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.settings.Server;
 import org.apache.maven.settings.Settings;
-import org.sonatype.plexus.components.cipher.DefaultPlexusCipher;
-import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
-import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
-import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
+import org.apache.maven.settings.building.SettingsProblem;
+import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
+import org.apache.maven.settings.crypto.SettingsDecrypter;
+import org.apache.maven.settings.crypto.SettingsDecryptionResult;
 
 /**
  * @author Benjamin Bentmann
@@ -256,12 +256,6 @@ public abstract class AbstractGpgMojo extends AbstractMojo {
     @Parameter(property = "gpg.signer", defaultValue = GpgSigner.NAME)
     private String signer;
 
-    /**
-     * @since 3.0.0
-     */
-    @Component
-    protected MavenSession session;
-
     /**
      * Switch to improve plugin enforcement of "best practices". If set to {@code false}, plugin retains all the
      * backward compatibility regarding getting secrets (but will warn). If set to {@code true}, plugin will fail
@@ -285,14 +279,16 @@ public abstract class AbstractGpgMojo extends AbstractMojo {
     protected Settings settings;
 
     /**
-     * Maven Security Dispatcher.
-     *
-     * @since 1.6
-     * @deprecated Provides quasi-encryption, should be avoided.
+     * @since 3.0.0
      */
-    @Deprecated
-    private final SecDispatcher secDispatcher =
-            new DefaultSecDispatcher(new DefaultPlexusCipher(), Collections.emptyMap(), "~/.m2/settings-security.xml");
+    @Inject
+    protected MavenSession session;
+
+    /**
+     * @since 3.2.6
+     */
+    @Inject
+    protected SettingsDecrypter settingsDecrypter;
 
     @Override
     public final void execute() throws MojoExecutionException, MojoFailureException {
@@ -415,11 +411,23 @@ private String loadGpgPassphrase() throws MojoFailureException {
             Server server = settings.getServer(passphraseServerId);
             if (server != null) {
                 if (isNotBlank(server.getPassphrase())) {
-                    try {
-                        return secDispatcher.decrypt(server.getPassphrase());
-                    } catch (SecDispatcherException e) {
-                        throw new MojoFailureException("Unable to decrypt gpg passphrase", e);
+                    SettingsDecryptionResult result =
+                            settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
+                    for (SettingsProblem problem : result.getProblems()) {
+                        switch (problem.getSeverity()) {
+                            case WARNING:
+                            case ERROR:
+                                getLog().warn(problem.getMessage(), problem.getException());
+                                break;
+                            case FATAL:
+                                getLog().error(problem.getMessage(), problem.getException());
+                                throw new MojoFailureException(problem.getMessage(), problem.getException());
+                            default:
+                                throw new IllegalStateException("Unknown severity: "
+                                        + problem.getSeverity().toString());
+                        }
                     }
+                    return result.getServer().getPassphrase();
                 }
             }
         }