[MGPG-138] Drop direct use of plexus-cipher and secdispatcher (#115)

Use proper Maven 3 API instead. --- https://issues.apache.org/jira/browse/MGPG-138

Author: cstamas

pgp-keys-map.list

@@ -28,8 +28,7 @@ org.opentest4j:opentest4j = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
 org.apache.maven.resolver = 0x29BEA2A645F2D6CED7FB12E02B172E3E156466E8
 org.apache.maven.shared:maven-invoker = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
 org.apache.maven.shared:maven-shared-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
-org.codehaus.plexus:plexus-cipher = 0x6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688
 org.codehaus.plexus:plexus-classworlds = 0xB91AB7D2121DC6B0A61AA182D7742D58455ECC7C
 org.codehaus.plexus:plexus-component-annotations = 0xFA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A
-org.codehaus.plexus:plexus-utils = 0xF254B35617DC255D9344BCFA873A8E86B4372146
-org.codehaus.plexus:plexus-sec-dispatcher = 0x2BE13D052E9AA567D657D9791FD507154FB9BA39
+org.codehaus.plexus:plexus-utils = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1
+org.codehaus.plexus:plexus-xml = 0x84789D24DF77A32433CE1F079EB80E92EB2135B1

pom.xml

@@ -69,6 +69,12 @@ under the License.
  </properties>
 
  <dependencies>
+ <dependency>
+ <groupId>javax.inject</groupId>
+ <artifactId>javax.inject</artifactId>
+ <version>1</version>
+ <scope>provided</scope>
+ </dependency>
  <dependency>
  <groupId>org.apache.maven</groupId>
  <artifactId>maven-plugin-api</artifactId>
@@ -105,6 +111,12 @@ under the License.
  <version>${mavenVersion}</version>
  <scope>provided</scope>
  </dependency>
+ <dependency>
+ <groupId>org.apache.maven</groupId>
+ <artifactId>maven-settings-builder</artifactId>
+ <version>${mavenVersion}</version>
+ <scope>provided</scope>
+ </dependency>
  <dependency>
  <groupId>org.apache.maven.resolver</groupId>
  <artifactId>maven-resolver-api</artifactId>
@@ -126,7 +138,10 @@ under the License.
  <dependency>
  <groupId>org.codehaus.plexus</groupId>
  <artifactId>plexus-utils</artifactId>
- <version>3.5.1</version>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.plexus</groupId>
+ <artifactId>plexus-xml</artifactId>
  </dependency>
  <dependency>
  <groupId>org.bouncycastle</groupId>
@@ -149,29 +164,6 @@ under the License.
  <version>2.10.0</version>
  <type>pom</type>
  </dependency>
- <!-- These two below must go in pair -->
- <dependency>
- <groupId>org.codehaus.plexus</groupId>
- <artifactId>plexus-sec-dispatcher</artifactId>
- <version>2.0</version>
- <exclusions>
- <exclusion>
- <groupId>*</groupId>
- <artifactId>*</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.codehaus.plexus</groupId>
- <artifactId>plexus-cipher</artifactId>
- <version>2.0</version>
- <exclusions>
- <exclusion>
- <groupId>*</groupId>
- <artifactId>*</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
 
  <dependency>
  <groupId>org.junit.jupiter</groupId>

src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java

@@ -18,23 +18,23 @@
  */
 package org.apache.maven.plugins.gpg;
 
+import javax.inject.Inject;
+
 import java.io.File;
-import java.util.Collections;
 import java.util.List;
 
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
-import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.settings.Server;
 import org.apache.maven.settings.Settings;
-import org.sonatype.plexus.components.cipher.DefaultPlexusCipher;
-import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
-import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
-import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
+import org.apache.maven.settings.building.SettingsProblem;
+import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
+import org.apache.maven.settings.crypto.SettingsDecrypter;
+import org.apache.maven.settings.crypto.SettingsDecryptionResult;
 
 /**
  * @author Benjamin Bentmann
@@ -256,12 +256,6 @@ public abstract class AbstractGpgMojo extends AbstractMojo {
  @Parameter(property = "gpg.signer", defaultValue = GpgSigner.NAME)
  private String signer;
 
- /**
- * @since 3.0.0
- */
- @Component
- protected MavenSession session;
-
  /**
  * Switch to improve plugin enforcement of "best practices". If set to {@code false}, plugin retains all the
  * backward compatibility regarding getting secrets (but will warn). If set to {@code true}, plugin will fail
@@ -285,14 +279,16 @@ public abstract class AbstractGpgMojo extends AbstractMojo {
  protected Settings settings;
 
  /**
- * Maven Security Dispatcher.
- *
- * @since 1.6
- * @deprecated Provides quasi-encryption, should be avoided.
+ * @since 3.0.0
  */
- @Deprecated
- private final SecDispatcher secDispatcher =
- new DefaultSecDispatcher(new DefaultPlexusCipher(), Collections.emptyMap(), "~/.m2/settings-security.xml");
+ @Inject
+ protected MavenSession session;
+
+ /**
+ * @since 3.2.6
+ */
+ @Inject
+ protected SettingsDecrypter settingsDecrypter;
 
  @Override
  public final void execute() throws MojoExecutionException, MojoFailureException {
@@ -415,11 +411,23 @@ private String loadGpgPassphrase() throws MojoFailureException {
  Server server = settings.getServer(passphraseServerId);
  if (server != null) {
  if (isNotBlank(server.getPassphrase())) {
- try {
- return secDispatcher.decrypt(server.getPassphrase());
- } catch (SecDispatcherException e) {
- throw new MojoFailureException("Unable to decrypt gpg passphrase", e);
+ SettingsDecryptionResult result =
+ settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
+ for (SettingsProblem problem : result.getProblems()) {
+ switch (problem.getSeverity()) {
+ case WARNING:
+ case ERROR:
+ getLog().warn(problem.getMessage(), problem.getException());
+ break;
+ case FATAL:
+ getLog().error(problem.getMessage(), problem.getException());
+ throw new MojoFailureException(problem.getMessage(), problem.getException());
+ default:
+ throw new IllegalStateException("Unknown severity: "
+ + problem.getSeverity().toString());
+ }
  }
+ return result.getServer().getPassphrase();
  }
  }
  }