[MNG-5728] Switch the default checksum policy from "warn" to "fail"

Signed-off-by: rfscholte <rfscholte@apache.org>
Signed-off-by: Michael Osipov <michaelo@apache.org>

maven-artifact/src/main/java/org/apache/maven/artifact/repository/ArtifactRepositoryPolicy.java

@@ -43,6 +43,8 @@ public class ArtifactRepositoryPolicy
 
     public static final String CHECKSUM_POLICY_IGNORE = "ignore";
 
+    public static final String DEFAULT_CHECKSUM_POLICY = CHECKSUM_POLICY_FAIL;
+
     private boolean enabled;
 
     private String updatePolicy;
@@ -71,7 +73,7 @@ public ArtifactRepositoryPolicy( boolean enabled, String updatePolicy, String ch
 
         if ( checksumPolicy == null )
         {
-            checksumPolicy = CHECKSUM_POLICY_WARN;
+            checksumPolicy = DEFAULT_CHECKSUM_POLICY;
         }
         this.checksumPolicy = checksumPolicy;
     }

maven-compat/src/test/java/org/apache/maven/artifact/AbstractArtifactComponentTestCase.java

@@ -39,6 +39,7 @@
 import org.eclipse.aether.collection.DependencyTraverser;
 import org.eclipse.aether.internal.impl.SimpleLocalRepositoryManagerFactory;
 import org.eclipse.aether.repository.LocalRepository;
+import org.eclipse.aether.spi.connector.layout.RepositoryLayout;
 import org.eclipse.aether.util.graph.manager.ClassicDependencyManager;
 import org.eclipse.aether.util.graph.selector.AndDependencySelector;
 import org.eclipse.aether.util.graph.selector.ExclusionDependencySelector;
@@ -60,9 +61,12 @@
 import java.io.OutputStreamWriter;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.xml.bind.DatatypeConverter;
+
 /**
  * @author <a href="mailto:jason@maven.org">Jason van Zyl </a>
  */
@@ -298,6 +302,17 @@ protected void createArtifact( Artifact artifact, ArtifactRepository repository
         {
             writer.write( artifact.getId() );
         }
+
+        MessageDigest md = MessageDigest.getInstance( "MD5" );
+        md.update( artifact.getId().getBytes() );
+        byte[] digest = md.digest();
+
+        String md5path = repository.pathOf( artifact ) + ".md5";
+        File md5artifactFile = new File( repository.getBasedir(), md5path );
+        try ( Writer writer = new OutputStreamWriter( new FileOutputStream( md5artifactFile ), StandardCharsets.ISO_8859_1) )
+        {
+            writer.append( printHexBinary( digest ) );
+        }
     }
 
     protected Artifact createArtifact( String artifactId, String version )
@@ -371,4 +386,17 @@ protected RepositorySystemSession initRepoSession()
         return session;
     }
 
+    private static final char[] hexCode = "0123456789ABCDEF".toCharArray();
+
+    private static final String printHexBinary( byte[] data )
+    {
+        StringBuilder r = new StringBuilder( data.length * 2 );
+        for ( byte b : data )
+        {
+            r.append( hexCode[( b >> 4 ) & 0xF] );
+            r.append( hexCode[( b & 0xF )] );
+        }
+        return r.toString();
+    }
+
 }

maven-compat/src/test/java/org/apache/maven/repository/legacy/DefaultWagonManagerTest.java

@@ -101,7 +101,10 @@ public void testUnnecessaryRepositoryLookup()
 
         StringWagon wagon = (StringWagon) wagonManager.getWagon( "string" );
         wagon.addExpectedContent( repos.get( 0 ).getLayout().pathOf( artifact ), "expected" );
+        wagon.addExpectedContent( repos.get( 0 ).getLayout().pathOf( artifact ) + ".md5", "cd26d9e10ce691cc69aa2b90dcebbdac" );
         wagon.addExpectedContent( repos.get( 1 ).getLayout().pathOf( artifact ), "expected" );
+        wagon.addExpectedContent( repos.get( 1 ).getLayout().pathOf( artifact ) + ".md5", "cd26d9e10ce691cc69aa2b90dcebbdac" );
+
 
         class TransferListener
             extends AbstractTransferListener
@@ -170,6 +173,7 @@ public void testGetRemoteJar()
 
         StringWagon wagon = (StringWagon) wagonManager.getWagon( "string" );
         wagon.addExpectedContent( repo.getLayout().pathOf( artifact ), "expected" );
+        wagon.addExpectedContent( repo.getLayout().pathOf( artifact ) + ".md5", "cd26d9e10ce691cc69aa2b90dcebbdac" );
 
         wagonManager.getArtifact( artifact, repo, null, false );
 
@@ -271,6 +275,7 @@ public void testWagonTransferListenerRemovedAfterGetArtifactAndPutArtifact()
         ArtifactRepository repo = createStringRepo();
         StringWagon wagon = (StringWagon) wagonManager.getWagon( "string" );
         wagon.addExpectedContent( repo.getLayout().pathOf( artifact ), "expected" );
+        wagon.addExpectedContent( repo.getLayout().pathOf( artifact ) + ".md5", "cd26d9e10ce691cc69aa2b90dcebbdac" );
 
         /* getArtifact */
         assertFalse( "Transfer listener is registered before test",

maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java

@@ -579,7 +579,7 @@ public ArtifactRepository createDefaultRemoteRepository( MavenExecutionRequest r
         return createRepository( RepositorySystem.DEFAULT_REMOTE_REPO_URL, RepositorySystem.DEFAULT_REMOTE_REPO_ID,
                                  true, ArtifactRepositoryPolicy.UPDATE_POLICY_DAILY, false,
                                  ArtifactRepositoryPolicy.UPDATE_POLICY_DAILY,
-                                 ArtifactRepositoryPolicy.CHECKSUM_POLICY_WARN );
+                                 ArtifactRepositoryPolicy.DEFAULT_CHECKSUM_POLICY );
     }
 
     public ArtifactRepository createRepository( String url, String repositoryId, boolean releases,

maven-model/src/main/mdo/maven.mdo

@@ -1995,12 +1995,11 @@
           <description>
             <![CDATA[
             What to do when verification of an artifact checksum fails. Valid values are
-            <code>ignore</code>
-            ,
+            <code>ignore</code>,
             <code>fail</code>
-            or
+            (default for Maven 4 and above) or
             <code>warn</code>
-            (the default).
+            (default for Maven 2 and 3)
             ]]>
           </description>
           <type>String</type>

maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/ArtifactDescriptorUtils.java

@@ -19,6 +19,7 @@
  * under the License.
  */
 
+import org.apache.maven.artifact.repository.ArtifactRepositoryPolicy;
 import org.apache.maven.model.Repository;
 import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.artifact.DefaultArtifact;
@@ -59,7 +60,7 @@ public static RemoteRepository toRemoteRepository( Repository repository )
     public static RepositoryPolicy toRepositoryPolicy( org.apache.maven.model.RepositoryPolicy policy )
     {
         boolean enabled = true;
-        String checksums = RepositoryPolicy.CHECKSUM_POLICY_WARN;
+        String checksums = toRepositoryChecksumPolicy( ArtifactRepositoryPolicy.DEFAULT_CHECKSUM_POLICY );
         String updates = RepositoryPolicy.UPDATE_POLICY_DAILY;
 
         if ( policy != null )
@@ -78,4 +79,19 @@ public static RepositoryPolicy toRepositoryPolicy( org.apache.maven.model.Reposi
         return new RepositoryPolicy( enabled, updates, checksums );
     }
 
+    public static String toRepositoryChecksumPolicy( final String artifactRepositoryPolicy )
+    {
+        switch ( artifactRepositoryPolicy )
+        {
+            case ArtifactRepositoryPolicy.CHECKSUM_POLICY_FAIL:
+                return RepositoryPolicy.CHECKSUM_POLICY_FAIL;
+            case ArtifactRepositoryPolicy.CHECKSUM_POLICY_IGNORE:
+                return RepositoryPolicy.CHECKSUM_POLICY_IGNORE;
+            case ArtifactRepositoryPolicy.CHECKSUM_POLICY_WARN:
+                return RepositoryPolicy.CHECKSUM_POLICY_WARN;
+            default:
+                throw new IllegalArgumentException( "unknown repository checksum policy: " + artifactRepositoryPolicy );
+        }
+    }
+
 }