Add scope support for trusted checksums

Currently TC operated on all resolved artifacts, but this may
not be what user wants. Add scope support with two values
for now: "all" (as before, everything resolved is validated)
or "project" (only project dependencies are validated).

(cherry picked from commit 50587df)

Author: cstamas

maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumsArtifactResolverPostProcessor.java

@@ -84,6 +84,20 @@ public final class TrustedChecksumsArtifactResolverPostProcessor extends Artifac
     private static final String CONF_NAME_FAIL_IF_MISSING = "failIfMissing";
 
     private static final String CONF_NAME_SNAPSHOTS = "snapshots";
+    /**
+     * The scope to apply during post-processing. Accepted values are {@code all} (is default and is what happened
+     * before), and {@code project} when the scope of verification are project dependencies only (i.e. plugins are
+     * not verified).
+     *
+     * @since 1.9.25
+     */
+    public static final String CONFIG_PROP_SCOPE = "scope";
+
+    public static final String ALL_SCOPE = "all";
+
+    public static final String PROJECT_SCOPE = "project";
+
+    public static final String DEFAULT_SCOPE = ALL_SCOPE;
 
     private static final String CONF_NAME_RECORD = "record";
 
@@ -103,6 +117,18 @@ public TrustedChecksumsArtifactResolverPostProcessor(
         this.trustedChecksumsSources = requireNonNull(trustedChecksumsSources);
     }
 
+    private boolean inScope(RepositorySystemSession session, ArtifactResult artifactResult) {
+        String scope = ConfigUtils.getString(session, DEFAULT_SCOPE, configPropKey(CONFIG_PROP_SCOPE));
+        if (ALL_SCOPE.equals(scope)) {
+            return artifactResult.isResolved();
+        } else if (PROJECT_SCOPE.equals(scope)) {
+            return artifactResult.isResolved()
+                    && artifactResult.getRequest().getRequestContext().startsWith("project");
+        } else {
+            throw new IllegalArgumentException("Unknown value for configuration " + CONFIG_PROP_SCOPE + ": " + scope);
+        }
+    }
+
     @SuppressWarnings("unchecked")
     @Override
     protected void doPostProcess(RepositorySystemSession session, List<ArtifactResult> artifactResults) {
@@ -123,7 +149,7 @@ final boolean record = ConfigUtils.getBoolean(session, false, configPropKey(CONF
             if (artifactResult.getRequest().getArtifact().isSnapshot() && !snapshots) {
                 continue;
             }
-            if (artifactResult.isResolved()) {
+            if (inScope(session, artifactResult)) {
                 if (record) {
                     recordArtifactChecksums(session, artifactResult, checksumAlgorithms);
                 } else if (!validateArtifactChecksums(session, artifactResult, checksumAlgorithms, failIfMissing)) {

maven-resolver-impl/src/test/java/org/eclipse/aether/internal/impl/resolution/TrustedChecksumsArtifactResolverPostProcessorTest.java

@@ -134,7 +134,7 @@ public Writer getTrustedArtifactChecksumsWriter(RepositorySystemSession session)
 
     // -- TrustedChecksumsSource interface END
 
-    private ArtifactResult createArtifactResult(Artifact artifact) {
+    private ArtifactResult createArtifactResult(Artifact artifact, String scope) {
         ArtifactResult artifactResult = new ArtifactResult(new ArtifactRequest().setArtifact(artifact));
         artifactResult.setArtifact(artifact);
         return artifactResult;
@@ -144,16 +144,16 @@ private ArtifactResult createArtifactResult(Artifact artifact) {
 
     @Test
     public void unresolvedArtifact() {
-        ArtifactResult artifactResult =
-                createArtifactResult(artifactWithTrustedChecksum).setArtifact(null);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum, "project/compile")
+                .setArtifact(null);
         assertThat(artifactResult.isResolved(), equalTo(false));
 
         subject.postProcess(session, Collections.singletonList(artifactResult)); // no NPE
     }
 
     @Test
     public void haveMatchingChecksumPass() {
-        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum, "project/compile");
         assertThat(artifactResult.isResolved(), equalTo(true));
 
         subject.postProcess(session, Collections.singletonList(artifactResult));
@@ -162,7 +162,7 @@ public void haveMatchingChecksumPass() {
 
     @Test
     public void haveNoChecksumPass() {
-        ArtifactResult artifactResult = createArtifactResult(artifactWithoutTrustedChecksum);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithoutTrustedChecksum, "project/compile");
         assertThat(artifactResult.isResolved(), equalTo(true));
 
         subject.postProcess(session, Collections.singletonList(artifactResult));
@@ -173,7 +173,7 @@ public void haveNoChecksumPass() {
     public void haveNoChecksumFailIfMissingEnabledFail() {
         session.setConfigProperty(
                 "aether.artifactResolver.postProcessor.trustedChecksums.failIfMissing", Boolean.TRUE.toString());
-        ArtifactResult artifactResult = createArtifactResult(artifactWithoutTrustedChecksum);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithoutTrustedChecksum, "plugin");
         assertThat(artifactResult.isResolved(), equalTo(true));
 
         subject.postProcess(session, Collections.singletonList(artifactResult));
@@ -187,7 +187,7 @@ public void haveNoChecksumFailIfMissingEnabledFail() {
     @Test
     public void haveMismatchingChecksumFail() {
         artifactTrustedChecksum = "foobar";
-        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum, "project/compile");
         assertThat(artifactResult.isResolved(), equalTo(true));
 
         subject.postProcess(session, Collections.singletonList(artifactResult));
@@ -214,7 +214,7 @@ public void addTrustedArtifactChecksums(
         };
         session.setConfigProperty(
                 "aether.artifactResolver.postProcessor.trustedChecksums.record", Boolean.TRUE.toString());
-        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum);
+        ArtifactResult artifactResult = createArtifactResult(artifactWithTrustedChecksum, "project/compile");
         assertThat(artifactResult.isResolved(), equalTo(true));
 
         subject.postProcess(session, Collections.singletonList(artifactResult));