Posted to commits@lucene.apache.org by dw...@apache.org on 2019/12/11 17:41:37 UTC

[lucene-solr] branch gradle-master updated: Initial work on jar checksums/ license file validation.

This is an automated email from the ASF dual-hosted git repository.

dweiss pushed a commit to branch gradle-master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/gradle-master by this push:
     new 453eee3  Initial work on jar checksums/ license file validation.
453eee3 is described below

commit 453eee3987af41022cb086c6c8570d3352854d2e
Author: Dawid Weiss <dw...@apache.org>
AuthorDate: Wed Dec 11 18:41:27 2019 +0100

    Initial work on jar checksums/ license file validation.
---
 build.gradle                        |   1 +
 gradle/testing/randomization.gradle |   1 -
 gradle/validation/jar-checks.gradle | 113 ++++++++++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index ac6b859..c71782d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -39,6 +39,7 @@ apply from: file('gradle/defaults-idea.gradle')
 
 // Validation tasks
 apply from: file('gradle/validation/forbidden-apis.gradle')
+apply from: file('gradle/validation/jar-checks.gradle')
 
 // Additional development aids.
 apply from: file('gradle/maven/maven-local.gradle')
diff --git a/gradle/testing/randomization.gradle b/gradle/testing/randomization.gradle
index 34f696d..af6b77b 100644
--- a/gradle/testing/randomization.gradle
+++ b/gradle/testing/randomization.gradle
@@ -3,7 +3,6 @@
 //
 
 import java.nio.file.*
-import org.apache.tools.ant.taskdefs.condition.Os
 import com.carrotsearch.randomizedtesting.SeedUtils
 import com.carrotsearch.randomizedtesting.generators.RandomPicks
 
diff --git a/gradle/validation/jar-checks.gradle b/gradle/validation/jar-checks.gradle
new file mode 100644
index 0000000..e11497e
--- /dev/null
+++ b/gradle/validation/jar-checks.gradle
@@ -0,0 +1,113 @@
+
+// This adds validation of project dependencies:
+// 1) license file
+// 2) notice file
+// 3) checksum validation/ generation.
+
+import org.apache.commons.codec.digest.DigestUtils
+import org.apache.commons.codec.digest.MessageDigestAlgorithms
+
+buildscript {
+  repositories {
+    mavenCentral()
+  }
+
+  dependencies {
+    classpath 'commons-codec:commons-codec:1.13'
+  }
+}
+
+// Configure license checksum folder for top-level projects.
+// (The file("licenses") inside the configure scope resolves
+// relative to the current project so they're not the same).
+configure(project(":lucene")) {
+  ext.licensesDir = file("licenses")
+}
+configure(project(":solr")) {
+  ext.licensesDir = file("licenses")
+}
+
+subprojects {
+  // Configure jarValidation configuration for all projects. Any dependency
+  // declared on this configuration (or any configuration it extends from) will
+  // be verified.
+  configurations {
+    jarValidation
+  }
+
+  // For Java projects, add runtime and classpath to jarValidation
+  plugins.withType(JavaPlugin) {
+    configurations {
+      jarValidation {
+        extendsFrom runtimeClasspath
+        extendsFrom compileClasspath
+      }
+    }
+  }
+
+  task collectJarInfos() {
+    dependsOn configurations.jarValidation
+
+    doFirst {
+      // We only care about this module's direct dependencies. Anything imported
+      // from other modules will be taken care of over there.
+      def ownDeps = configurations.detachedConfiguration()
+          .extendsFrom(configurations.jarValidation)
+          .copyRecursive { dep ->
+            !(dep instanceof org.gradle.api.artifacts.ProjectDependency)
+          }
+
+      project.ext.jarInfos = ownDeps.resolvedConfiguration.resolvedArtifacts.collect { resolvedArtifact ->
+        def file = resolvedArtifact.file
+        return [
+            name: resolvedArtifact.name,
+            jarName: file.toPath().getFileName().toString(),
+            path: file,
+            module: resolvedArtifact.moduleVersion,
+            checksum: new DigestUtils(MessageDigestAlgorithms.SHA_1).digestAsHex(file)
+        ]
+      }
+    }
+  }
+
+  task validateJarChecksums() {
+    group = 'Dependency validation'
+    description = "Validate project dependency checksums"
+
+    dependsOn configurations.jarValidation
+    dependsOn collectJarInfos
+
+    // TODO: validation should fail the build but we're out of sync with master.
+    def fail = false
+
+    doLast {
+      def errors = []
+      jarInfos.each { dep ->
+        def expectedChecksumFile = file("${licensesDir}/${dep.jarName}.sha1")
+        if (!expectedChecksumFile.exists()) {
+          errors << "Dependency checksum missing ('${dep.module}'), expected it at: ${expectedChecksumFile}"
+        } else {
+          def expected = expectedChecksumFile.getText("UTF-8").trim()
+          def actual = dep.checksum.trim()
+          if (expected.compareToIgnoreCase(actual) != 0) {
+            errors << "Dependency checksum mismatch ('${dep.module}'), expected it to be: ${expected}, but was: ${actual}"
+          }
+        }
+      }
+
+      if (errors) {
+        def msg = "Dependency checksum validation failed:\n  - " + errors.join("\n  - ")
+        if (fail) {
+          throw new GradleException(msg)
+        } else {
+          logger.log(LogLevel.WARN, "WARNING: ${msg}")
+        }
+      }
+    }
+  }
+}
+
+// Disable validation for these projects.
+configure(project(":solr:solr-ref-guide")) {
+  validateJarChecksums.enabled = false
+}
\ No newline at end of file
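Review bot: With `def fail = false` in `validateJarChecksums`, a checksum mismatch is handled exactly like a missing `.sha1` file: both end up as a WARN line, so a dependency jar whose content differs from the recorded hash does not stop the build. The TODO explains the switch by the branch being out of sync, but the expected file is looked up by `dep.jarName`, which presumably includes the version, so version drift should surface as "checksum missing" and not as "mismatch"; a mismatch is the actual integrity signal and could fail the build already. I would track it separately with `def mismatches = []` next to `errors`, add `mismatches << dep.module` in the `compareToIgnoreCase` branch, and change the check to `if (fail || mismatches)`. Separately, the digest is `MessageDigestAlgorithms.SHA_1`, which no longer resists collisions; if these files are meant to detect tampering and not only corrupted downloads, a header comment should say which, and a SHA-256 sidecar would be the stronger choice.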