private boolean validateArtifactChecksums()

in maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumsArtifactResolverPostProcessor.java [213:282]


    /**
     * Checks the resolved artifact file against every enabled trusted checksums source.
     *
     * <p>Checksums are calculated from {@code artifact.getPath()} for all requested algorithms and
     * compared, per source, with the values that source returns. Failures are not thrown: each one is
     * recorded on {@code artifactResult} as a {@link ChecksumFailureException}, and all of them are
     * reported (missing and mismatching algorithms, across all sources) rather than stopping at the
     * first. The caller must act on the returned flag.
     *
     * <p>Security-relevant behavior visible here: when {@code failIfMissing} is {@code false}, an
     * artifact for which no source holds a checksum (or for which no source is enabled at all) is
     * reported as valid even though nothing was compared. Only a present-but-different trusted value
     * fails in that mode. Values are compared with exact string equality.
     *
     * @param session the repository system session, passed through to each source
     * @param artifactResult the resolution result; supplies the artifact and repository, and receives
     *     the recorded failures
     * @param checksumAlgorithmFactories the algorithms to calculate and to ask each source for
     * @param failIfMissing whether an absent trusted checksum (or the absence of any enabled source)
     *     counts as a failure
     * @return {@code true} if no failure was recorded, {@code false} otherwise
     * @throws UncheckedIOException if an {@link IOException} is raised inside the validation
     */
    private boolean validateArtifactChecksums(
            RepositorySystemSession session,
            ArtifactResult artifactResult,
            List<ChecksumAlgorithmFactory> checksumAlgorithmFactories,
            boolean failIfMissing) {
        final Artifact artifact = artifactResult.getArtifact();
        final ArtifactRepository repository = artifactResult.getRepository();
        boolean passed = true;
        boolean consultedAnySource = false;
        try {
            // Reference values: one checksum per requested algorithm, taken from the file on disk.
            final Map<String, String> actual =
                    ChecksumAlgorithmHelper.calculate(artifact.getPath(), checksumAlgorithmFactories);

            for (Map.Entry<String, TrustedChecksumsSource> sourceEntry : trustedChecksumsSources.entrySet()) {
                final String sourceName = sourceEntry.getKey();

                // A source may know fewer algorithms than were requested; null means it is not enabled.
                final Map<String, String> expected = sourceEntry
                        .getValue()
                        .getTrustedArtifactChecksums(session, artifact, repository, checksumAlgorithmFactories);
                if (expected == null) {
                    continue;
                }
                consultedAnySource = true;

                // Fast path: identical maps mean every algorithm is present and matches.
                if (actual.equals(expected)) {
                    continue;
                }

                // Algorithms that were calculated but that this source has no trusted value for.
                final Set<String> absentAlgorithms = new HashSet<>(actual.keySet());
                absentAlgorithms.removeAll(expected.keySet());
                if (failIfMissing && !absentAlgorithms.isEmpty()) {
                    final String missingMessage = "Missing from " + sourceName
                            + " trusted checksum(s) " + absentAlgorithms + " for artifact "
                            + ArtifactIdUtils.toId(artifact);
                    artifactResult.addException(repository, new ChecksumFailureException(missingMessage));
                    passed = false;
                }

                // Compare only the values the source actually has; absent ones were handled above.
                // Every mismatch is recorded so the result lists all problems at once.
                for (ChecksumAlgorithmFactory factory : checksumAlgorithmFactories) {
                    final String algorithm = factory.getName();
                    final String actualValue = actual.get(algorithm);
                    final String expectedValue = expected.get(algorithm);
                    if (expectedValue == null || Objects.equals(actualValue, expectedValue)) {
                        continue;
                    }
                    // The message carries the source name and both values, not the algorithm name.
                    final String mismatchMessage = "Artifact "
                            + ArtifactIdUtils.toId(artifact) + " trusted checksum mismatch: "
                            + sourceName + "=" + expectedValue + "; calculated="
                            + actualValue;
                    artifactResult.addException(repository, new ChecksumFailureException(mismatchMessage));
                    passed = false;
                }
            }

            // With failIfMissing set, having nothing to validate against is itself a failure.
            if (failIfMissing && !consultedAnySource) {
                artifactResult.addException(
                        repository,
                        new ChecksumFailureException(
                                "There are no enabled trusted checksums source(s) to validate against."));
                passed = false;
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
        return passed;
    }