RUM-3100 Create plugin to generate verification-metadata.xml

Author: xgouchet

buildSrc/build.gradle.kts

@@ -44,6 +44,9 @@ dependencies {
     implementation(libs.gson)
     implementation(libs.kotlinPoet)
 
+    // Verification Metadata XML
+    implementation(libs.kotlinXmlBuilder)
+
     // Tests
     testImplementation(libs.jUnit4)
     testImplementation(libs.mockitoKotlin)
@@ -70,6 +73,10 @@ gradlePlugin {
             id = "transitiveDependencies" // the alias
             implementationClass = "com.datadog.gradle.plugin.transdeps.TransitiveDependenciesPlugin"
         }
+        register("verificationXml") {
+            id = "verificationXml" // the alias
+            implementationClass = "com.datadog.gradle.plugin.verification.VerificationXmlPlugin"
+        }
     }
 }
 

buildSrc/src/main/kotlin/com/datadog/gradle/config/MavenConfig.kt

@@ -65,10 +65,12 @@ fun Project.publishingConfig(
                             url.set("https://www.apache.org/licenses/LICENSE-2.0")
                         }
                     }
+
                     organization {
                         name.set("Datadog")
                         url.set("https://www.datadoghq.com/")
                     }
+
                     developers {
                         developer {
                             name.set("Datadog")

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/CheckGeneratedFileTask.kt

@@ -0,0 +1,44 @@
+/*
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2016-Present Datadog, Inc.
+ */
+
+package com.datadog.gradle.plugin
+
+import com.datadog.gradle.utils.execShell
+import org.gradle.api.DefaultTask
+import org.gradle.api.tasks.Internal
+import java.io.File
+
+abstract class CheckGeneratedFileTask(
+    @Internal val genTaskName: String
+) : DefaultTask() {
+
+    // region Task
+
+    fun verifyGeneratedFileExists(targetFile: File) {
+        val lines = project.execShell(
+            "git",
+            "diff",
+            "--color=never",
+            "HEAD",
+            "--",
+            targetFile.absolutePath
+        )
+
+        val additions = lines.filter { it.matches(Regex("^\\+[^+].*$")) }
+        val removals = lines.filter { it.matches(Regex("^-[^-].*$")) }
+
+        if (additions.isNotEmpty() || removals.isNotEmpty()) {
+            error(
+                "Make sure you run the $genTaskName task  before you push your PR.\n" +
+                    additions.joinToString("\n") +
+                    "\n" +
+                    removals.joinToString("\n")
+            )
+        }
+    }
+
+    // endregion
+}

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/apisurface/CheckApiSurfaceTask.kt

@@ -6,14 +6,15 @@
 
 package com.datadog.gradle.plugin.apisurface
 
-import com.datadog.gradle.utils.execShell
-import org.gradle.api.DefaultTask
+import com.datadog.gradle.plugin.CheckGeneratedFileTask
 import org.gradle.api.tasks.InputFile
 import org.gradle.api.tasks.InputFiles
 import org.gradle.api.tasks.TaskAction
 import java.io.File
 
-open class CheckApiSurfaceTask : DefaultTask() {
+open class CheckApiSurfaceTask : CheckGeneratedFileTask(
+    genTaskName = ApiSurfacePlugin.TASK_GEN_KOTLIN_API_SURFACE
+) {
 
     @InputFile
     lateinit var kotlinSurfaceFile: File
@@ -30,33 +31,9 @@ open class CheckApiSurfaceTask : DefaultTask() {
 
     @TaskAction
     fun applyTask() {
-        verifySurfaceFile(kotlinSurfaceFile)
+        verifyGeneratedFileExists(kotlinSurfaceFile)
         if (javaSurfaceFile.exists()) {
-            verifySurfaceFile(javaSurfaceFile)
-        }
-    }
-
-    private fun verifySurfaceFile(surfaceFile: File) {
-        val lines = project.execShell(
-            "git",
-            "diff",
-            "--color=never",
-            "HEAD",
-            "--",
-            surfaceFile.absolutePath
-        )
-
-        val additions = lines.filter { it.matches(Regex("^\\+[^+].*$")) }
-        val removals = lines.filter { it.matches(Regex("^-[^-].*$")) }
-
-        if (additions.isNotEmpty() || removals.isNotEmpty()) {
-            error(
-                "Make sure you run the ${ApiSurfacePlugin.TASK_GEN_KOTLIN_API_SURFACE} task" +
-                    " before you push your PR.\n" +
-                    additions.joinToString("\n") +
-                    "\n" +
-                    removals.joinToString("\n")
-            )
+            verifyGeneratedFileExists(javaSurfaceFile)
         }
     }
 

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/transdeps/CheckTransitiveDependenciesTask.kt

@@ -6,13 +6,14 @@
 
 package com.datadog.gradle.plugin.transdeps
 
-import com.datadog.gradle.utils.execShell
-import org.gradle.api.DefaultTask
+import com.datadog.gradle.plugin.CheckGeneratedFileTask
 import org.gradle.api.tasks.InputFile
 import org.gradle.api.tasks.TaskAction
 import java.io.File
 
-open class CheckTransitiveDependenciesTask : DefaultTask() {
+open class CheckTransitiveDependenciesTask : CheckGeneratedFileTask(
+    genTaskName = TransitiveDependenciesPlugin.TASK_GEN_TRANSITIVE_DEPS
+) {
 
     @InputFile
     lateinit var dependenciesFile: File
@@ -26,27 +27,7 @@ open class CheckTransitiveDependenciesTask : DefaultTask() {
 
     @TaskAction
     fun applyTask() {
-        val lines = project.execShell(
-            "git",
-            "diff",
-            "--color=never",
-            "HEAD",
-            "--",
-            dependenciesFile.absolutePath
-        )
-
-        val additions = lines.filter { it.matches(Regex("^\\+[^+].*$")) }
-        val removals = lines.filter { it.matches(Regex("^-[^-].*$")) }
-
-        if (additions.isNotEmpty() || removals.isNotEmpty()) {
-            error(
-                "Make sure you run the ${TransitiveDependenciesPlugin.TASK_GEN_TRANSITIVE_DEPS} task" +
-                    " before you push your PR.\n" +
-                    additions.joinToString("\n") +
-                    "\n" +
-                    removals.joinToString("\n")
-            )
-        }
+        verifyGeneratedFileExists(dependenciesFile)
     }
 
     @InputFile

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/verification/GenerateVerificationXmlTask.kt

@@ -0,0 +1,121 @@
+/*
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2016-Present Datadog, Inc.
+ */
+
+package com.datadog.gradle.plugin.verification
+
+import com.datadog.gradle.config.AndroidConfig
+import org.gradle.api.DefaultTask
+import org.gradle.api.tasks.TaskAction
+import org.redundent.kotlin.xml.PrintOptions
+import org.redundent.kotlin.xml.xml
+import java.io.File
+import java.security.MessageDigest
+
+open class GenerateVerificationXmlTask : DefaultTask() {
+
+    init {
+        group = "datadog"
+        description =
+            "Generate the verification-metadata.xml for the artifact built from the module"
+    }
+
+    private val md = MessageDigest.getInstance("SHA-256")
+
+    // region Task
+
+    @TaskAction
+    fun applyTask() {
+        val buildDir = project.layout.buildDirectory.asFile.get()
+        val projectDir = project.layout.projectDirectory.asFile
+        val publicationReleaseDir = File(File(buildDir, "publications"), "release")
+        val outputFile = File(projectDir, VerificationXmlPlugin.XML_FILE_NAME)
+
+        val aarFile = File(File(File(buildDir, "outputs"), "aar"), "${project.name}-release.aar")
+        val pomFile = File(publicationReleaseDir, "pom-default.xml")
+        val moduleFile = File(publicationReleaseDir, "module.json")
+
+        val aarSha256 = aarFile.sha256()
+        val pomSha256 = pomFile.sha256()
+        val moduleSha256 = moduleFile.sha256()
+
+        val content = xml(TAG_ROOT) {
+            xmlns = NS_DEPS_VERIF
+            TAG_CONFIGURATION {
+                TAG_VERIF_METADATA { -true.toString() }
+                TAG_VERIF_SIGNATURE { -false.toString() } // TODO RUM-3104 add signature verification
+            }
+            TAG_COMPONENTS {
+                TAG_COMPONENT {
+                    attribute(ATTR_GROUP, project.group)
+                    attribute(ATTR_NAME, project.name)
+                    attribute(ATTR_VERSION, AndroidConfig.VERSION.name)
+                    TAG_ARTIFACT {
+                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.aar")
+                        TAG_SHA256 {
+                            attribute(ATTR_VALUE, aarSha256)
+                            attribute(ATTR_ORIGIN, ORIGIN)
+                        }
+                    }
+                    TAG_ARTIFACT {
+                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.pom")
+                        TAG_SHA256 {
+                            attribute(ATTR_VALUE, pomSha256)
+                            attribute(ATTR_ORIGIN, ORIGIN)
+                        }
+                    }
+                    TAG_ARTIFACT {
+                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.module")
+                        TAG_SHA256 {
+                            attribute(ATTR_VALUE, moduleSha256)
+                            attribute(ATTR_ORIGIN, ORIGIN)
+                        }
+                    }
+                }
+            }
+        }
+        val xmlContent = content.toString(
+            PrintOptions(
+                indent = "   ",
+                pretty = true,
+                singleLineTextElements = true
+            )
+        )
+        outputFile.writeText(XML_PREFIX + xmlContent, Charsets.UTF_8)
+    }
+
+    // endregion
+
+    // region Internal
+
+    fun File.sha256(): String {
+        return md.digest(readBytes()).fold("", { str, byte -> str + "%02x".format(byte) })
+    }
+
+    // endregion
+
+    companion object {
+
+        private const val NS_DEPS_VERIF = "https://schema.gradle.org/dependency-verification"
+        private const val XML_PREFIX = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+
+        private const val TAG_ROOT = "verification-metadata"
+        private const val TAG_CONFIGURATION = "configuration"
+        private const val TAG_VERIF_METADATA = "verify-metadata"
+        private const val TAG_VERIF_SIGNATURE = "verify-signature"
+        private const val TAG_COMPONENTS = "components"
+        private const val TAG_COMPONENT = "component"
+        private const val TAG_SHA256 = "sha256"
+
+        private const val TAG_ARTIFACT = "artifact"
+        private const val ATTR_GROUP = "group"
+        private const val ATTR_NAME = "name"
+        private const val ATTR_VERSION = "version"
+        private const val ATTR_VALUE = "value"
+        private const val ATTR_ORIGIN = "origin"
+
+        private const val ORIGIN = "Datadog"
+    }
+}

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/verification/VerificationXmlPlugin.kt

@@ -0,0 +1,40 @@
+/*
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2016-Present Datadog, Inc.
+ */
+
+package com.datadog.gradle.plugin.verification
+
+import com.android.build.gradle.internal.tasks.factory.dependsOn
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+class VerificationXmlPlugin : Plugin<Project> {
+
+    override fun apply(target: Project) {
+        val genTask = target.tasks.register(TASK_GEN_VERIFICATION_XML, GenerateVerificationXmlTask::class.java)
+
+        target.afterEvaluate {
+            genTask.dependsOn("bundleReleaseAar")
+            genTask.dependsOn("javaDocReleaseJar")
+            genTask.dependsOn("sourceReleaseJar")
+            genTask.dependsOn("generatePomFileForReleasePublication")
+            genTask.dependsOn("generateMetadataFileForReleasePublication")
+            // TODO RUM-3104 depends on "signReleasePublication"
+
+            getTasksByName("publishToSonatype", false).forEach {
+                it.dependsOn(genTask)
+            }
+            getTasksByName("publishToMavenLocal", false).forEach {
+                it.dependsOn(genTask)
+            }
+        }
+    }
+
+    companion object {
+
+        const val TASK_GEN_VERIFICATION_XML = "generateVerificationXml"
+        const val XML_FILE_NAME = "verification-metadata.xml"
+    }
+}

gradle/libs.versions.toml

@@ -78,6 +78,7 @@ kotlinAntlrRuntime = "v0.1.0"
 jsonSchemaValidator = "1.12.1"
 binaryCompatibility = "0.17.0"
 dependencyLicense = "0.3"
+kotlinXmlBuilder = "1.9.3"
 
 # Integrations
 sqlDelight = "1.5.5"
@@ -220,6 +221,7 @@ kotlinSP = { module = "com.google.devtools.ksp:symbol-processing-api", version.r
 kotlinGrammarParser = { module = "com.github.kotlinx.ast:grammar-kotlin-parser-antlr-kotlin-jvm", version.ref = "kotlinGrammarParser" }
 kotlinAntlrRuntime = { module = "com.github.drieks.antlr-kotlin:antlr-kotlin-runtime", version.ref = "kotlinAntlrRuntime" }
 jsonSchemaValidator = { module = "com.github.everit-org.json-schema:org.everit.json.schema", version.ref = "jsonSchemaValidator" }
+kotlinXmlBuilder = {module="org.redundent:kotlin-xml-builder", version.ref="kotlinXmlBuilder"}
 
 # Integrations
 sqlDelight = { module = "com.squareup.sqldelight:android-driver", version.ref = "sqlDelight" }