From 893aedcab271ac92ef01f1a4346320525e678b39 Mon Sep 17 00:00:00 2001
From: Tamas Cservenak <tamas@cservenak.net>
Date: Sat, 13 Apr 2024 19:02:15 +0200
Subject: [PATCH] [MGPG-125] Fix "bestPractices" (#95)

As currently due defaulted values it would always fail, unless user explicitly re-configures plugin. So, do not set "default value" on mojo level, instead handle it programmatically, when bestPractices is not set. Added ITs for "bestPractices", one for success and one for failure.

---

https://issues.apache.org/jira/browse/MGPG-125
---
 .../invoker.properties                        |  18 ++++
 .../sign-release-best-practices-fail/pom.xml  | 100 ++++++++++++++++++
 .../verify.groovy                             |  24 +++++
 .../invoker.properties                        |  18 ++++
 src/it/sign-release-best-practices/pom.xml    | 100 ++++++++++++++++++
 .../sign-release-best-practices/verify.groovy |  36 +++++++
 src/it/sign-release/verify.groovy             |   4 +-
 .../maven/plugins/gpg/AbstractGpgMojo.java    |  21 +++-
 8 files changed, 314 insertions(+), 7 deletions(-)
 create mode 100644 src/it/sign-release-best-practices-fail/invoker.properties
 create mode 100644 src/it/sign-release-best-practices-fail/pom.xml
 create mode 100644 src/it/sign-release-best-practices-fail/verify.groovy
 create mode 100644 src/it/sign-release-best-practices/invoker.properties
 create mode 100644 src/it/sign-release-best-practices/pom.xml
 create mode 100644 src/it/sign-release-best-practices/verify.groovy

diff --git a/src/it/sign-release-best-practices-fail/invoker.properties b/src/it/sign-release-best-practices-fail/invoker.properties
new file mode 100644
index 0000000..f2a7dfb
--- /dev/null
+++ b/src/it/sign-release-best-practices-fail/invoker.properties
@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+invoker.buildResult = failure
diff --git a/src/it/sign-release-best-practices-fail/pom.xml b/src/it/sign-release-best-practices-fail/pom.xml
new file mode 100644
index 0000000..812b973
--- /dev/null
+++ b/src/it/sign-release-best-practices-fail/pom.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.apache.maven.its.gpg.sr</groupId>
+  <artifactId>test</artifactId>
+  <version>1.0</version>
+  <packaging>jar</packaging>
+
+  <description>
+    Tests the installation of a simple release JAR with an attached artifact and its signatures.
+  </description>
+
+  <properties>
+    <maven.test.skip>true</maven.test.skip>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>@version.maven-compiler-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <version>@project.version@</version>
+        <executions>
+          <execution>
+            <id>sign-artifacts</id>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <bestPractices>true</bestPractices>
+          <!-- load passphrase from settings.xml -->
+          <!-- but not the default -->
+          <passphraseServerId>gpg.passphrase-sign-with-passphase-from-maven-settings</passphraseServerId>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-install-plugin</artifactId>
+        <version>@version.maven-install-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>@version.maven-jar-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-resources-plugin</artifactId>
+        <version>@version.maven-resources-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-source-plugin</artifactId>
+        <version>@version.maven-source-plugin@</version>
+        <executions>
+          <execution>
+            <id>attach-sources</id>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>@version.maven-surefire@</version>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
diff --git a/src/it/sign-release-best-practices-fail/verify.groovy b/src/it/sign-release-best-practices-fail/verify.groovy
new file mode 100644
index 0000000..0ad438c
--- /dev/null
+++ b/src/it/sign-release-best-practices-fail/verify.groovy
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+File buildLog = new File(basedir, "build.log")
+String logContent = new File(basedir, "build.log").text
+
+// assert that bestPractice+worstPractice => MojoFailure
+assert logContent.contains("MojoFailureException: Do not store passphrase in any file")
diff --git a/src/it/sign-release-best-practices/invoker.properties b/src/it/sign-release-best-practices/invoker.properties
new file mode 100644
index 0000000..1122205
--- /dev/null
+++ b/src/it/sign-release-best-practices/invoker.properties
@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+invoker.environmentVariables.MAVEN_GPG_PASSPHRASE = TEST
diff --git a/src/it/sign-release-best-practices/pom.xml b/src/it/sign-release-best-practices/pom.xml
new file mode 100644
index 0000000..6bd9090
--- /dev/null
+++ b/src/it/sign-release-best-practices/pom.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.apache.maven.its.gpg.sr</groupId>
+  <artifactId>test</artifactId>
+  <version>1.0</version>
+  <packaging>jar</packaging>
+
+  <description>
+    Tests the installation of a simple release JAR with an attached artifact and its signatures.
+  </description>
+
+  <properties>
+    <maven.test.skip>true</maven.test.skip>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>@version.maven-compiler-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <version>@project.version@</version>
+        <executions>
+          <execution>
+            <id>sign-artifacts</id>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <bestPractices>true</bestPractices>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-install-plugin</artifactId>
+        <version>@version.maven-install-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>@version.maven-jar-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-resources-plugin</artifactId>
+        <version>@version.maven-resources-plugin@</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-source-plugin</artifactId>
+        <version>@version.maven-source-plugin@</version>
+        <configuration>
+          <forceCreation>true</forceCreation>
+        </configuration>
+        <executions>
+          <execution>
+            <id>attach-sources</id>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>@version.maven-surefire@</version>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
diff --git a/src/it/sign-release-best-practices/verify.groovy b/src/it/sign-release-best-practices/verify.groovy
new file mode 100644
index 0000000..cc27897
--- /dev/null
+++ b/src/it/sign-release-best-practices/verify.groovy
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+var artifactDir = new File(localRepositoryPath, "org/apache/maven/its/gpg/sr/test/1.0")
+
+var expectedFiles = [
+    "test-1.0.pom",
+    "test-1.0.pom.asc",
+    "test-1.0.jar",
+    "test-1.0.jar.asc",
+    "test-1.0-sources.jar",
+    "test-1.0-sources.jar.asc"
+]
+
+for (String expectedFile : expectedFiles) {
+    var file = new File(artifactDir, expectedFile)
+
+    println "Checking for existence of $file"
+
+    assert file.isFile()
+}
diff --git a/src/it/sign-release/verify.groovy b/src/it/sign-release/verify.groovy
index 489b1b3..cc27897 100644
--- a/src/it/sign-release/verify.groovy
+++ b/src/it/sign-release/verify.groovy
@@ -32,7 +32,5 @@ for (String expectedFile : expectedFiles) {
 
     println "Checking for existence of $file"
 
-    if (!file.isFile()) {
-        throw new Exception("Missing file $file")
-    }
+    assert file.isFile()
 }
diff --git a/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java b/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java
index 99469f3..68ab280 100644
--- a/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java
+++ b/src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java
@@ -131,13 +131,14 @@ public abstract class AbstractGpgMojo extends AbstractMojo {
      * Server id to lookup the passphrase under Maven settings. <em>Do not use this parameter, it leaks
      * sensitive data. Passphrase should be provided only via gpg-agent or via env variable.
      * If parameter {@link #bestPractices} set to {@code true}, plugin fails when this parameter is configured.</em>
+     * Is programatically defaulted to {@link #GPG_PASSPHRASE}.
      *
      * @since 1.6
      * @deprecated Do not use this configuration, it may leak sensitive information. Rely on gpg-agent or env
      * variables instead.
      **/
     @Deprecated
-    @Parameter(property = "gpg.passphraseServerId", defaultValue = GPG_PASSPHRASE)
+    @Parameter(property = "gpg.passphraseServerId")
     private String passphraseServerId;
 
     /**
@@ -299,14 +300,26 @@ public final void execute() throws MojoExecutionException, MojoFailureException
             // We're skipping the signing stuff
             return;
         }
-        if (bestPractices && (isNotBlank(passphrase) || isNotBlank(passphraseServerId))) {
+        if (bestPractices) {
+            enforceBestPractices();
+        } else {
+            if (!isNotBlank(passphraseServerId)) {
+                // default it programmatically: this is needed to handle different cases re bestPractices
+                passphraseServerId = GPG_PASSPHRASE;
+            }
+        }
+
+        doExecute();
+    }
+
+    protected void enforceBestPractices() throws MojoFailureException {
+        // if any of those are not blank: meaning user did explicitly configure these
+        if (isNotBlank(passphrase) || isNotBlank(passphraseServerId)) {
             // Stop propagating worst practices: passphrase MUST NOT be in any file on disk
             throw new MojoFailureException(
                     "Do not store passphrase in any file (disk or SCM repository), rely on GnuPG agent or provide passphrase in "
                             + passphraseEnvName + " environment variable.");
         }
-
-        doExecute();
     }
 
     protected abstract void doExecute() throws MojoExecutionException, MojoFailureException;