feat(gradle): Support authentication for repositories

Extend the repository model to contain credential information. This
allows the Gradle package manager to pass this information to Maven
when resolving packages. So, package metadata can now be downloaded
from private repositories.

Signed-off-by: Oliver Heger <[email protected]>

Author: oheger-bosch

plugins/package-managers/gradle-model/src/main/kotlin/GradleModel.kt

@@ -27,7 +27,7 @@ interface OrtDependencyTreeModel {
     val name: String
     val version: String
     val configurations: List<OrtConfiguration>
-    val repositories: List<String>
+    val repositories: List<OrtRepository>
     val errors: List<String>
     val warnings: List<String>
 }
@@ -64,3 +64,9 @@ interface OrtVcsModel {
     val tag: String
     val browsableUrl: String
 }
+
+interface OrtRepository {
+    val url: String
+    val username: String?
+    val password: String?
+}

plugins/package-managers/gradle-plugin/src/main/kotlin/GradleModelExtensions.kt

@@ -19,8 +19,12 @@
 
 package org.ossreviewtoolkit.plugins.packagemanagers.gradleplugin
 
+import OrtRepository
+
 import org.gradle.api.artifacts.Configuration
 import org.gradle.api.artifacts.dsl.RepositoryHandler
+import org.gradle.api.artifacts.repositories.ArtifactRepository
+import org.gradle.api.artifacts.repositories.AuthenticationSupported
 import org.gradle.api.artifacts.repositories.UrlArtifactRepository
 import org.gradle.api.attributes.AttributeContainer
 import org.gradle.internal.deprecation.DeprecatableConfiguration
@@ -58,7 +62,21 @@ internal fun Configuration.isRelevant(): Boolean {
 }
 
 /**
- * Return a map that associates names of artifact repositories to their URLs.
+ * Return a map that associates names of artifact repositories to their model representations.
+ */
+internal fun RepositoryHandler.associateNamesWithUrlsTo(repositories: MutableMap<String, OrtRepository?>) =
+    associateTo(repositories) { it.name to it.toOrtRepository() }
+
+/**
+ * Convert this [ArtifactRepository] to an [OrtRepository] if it possesses the relevant properties. Return *null* for
+ * an unsupported repository type.
  */
-internal fun RepositoryHandler.associateNamesWithUrlsTo(repositories: MutableMap<String, String?>) =
-    associateTo(repositories) { it.name to (it as? UrlArtifactRepository)?.url?.toString() }
+private fun ArtifactRepository.toOrtRepository(): OrtRepository? =
+    (this as? UrlArtifactRepository)?.let { urlRepository ->
+        val credentials = (urlRepository as? AuthenticationSupported)?.credentials
+        OrtRepositoryImpl(
+            url = urlRepository.url.toString(),
+            username = credentials?.username,
+            password = credentials?.password
+        )
+    }

plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelBuilder.kt

@@ -21,6 +21,7 @@ package org.ossreviewtoolkit.plugins.packagemanagers.gradleplugin
 
 import OrtDependency
 import OrtDependencyTreeModel
+import OrtRepository
 
 import org.apache.maven.model.building.FileModelSource
 import org.apache.maven.model.building.ModelBuildingResult
@@ -48,7 +49,7 @@ import org.gradle.tooling.provider.model.ToolingModelBuilder
 import org.gradle.util.GradleVersion
 
 internal class OrtModelBuilder : ToolingModelBuilder {
-    private val repositories = mutableMapOf<String, String?>()
+    private val repositories = mutableMapOf<String, OrtRepository?>()
 
     private val platformCategories = setOf("platform", "enforced-platform")
 
@@ -186,10 +187,10 @@ internal class OrtModelBuilder : ToolingModelBuilder {
                                     if (it == "26c913274550a0b2221f47a0fe2d2358") "MavenRepo" else it
                                 }.getOrNull()
 
-                                repositories[repositoryId]?.let { repositoryUrl ->
+                                repositories[repositoryId]?.let { repository ->
                                     // Note: Only Maven-style layout is supported for now.
                                     buildString {
-                                        append(repositoryUrl.removeSuffix("/"))
+                                        append(repository.url.removeSuffix("/"))
                                         append('/')
                                         append(id.group.replace('.', '/'))
                                         append('/')

plugins/package-managers/gradle-plugin/src/main/kotlin/OrtModelImpl.kt

@@ -23,6 +23,7 @@ import OrtConfiguration
 import OrtDependency
 import OrtDependencyTreeModel
 import OrtMavenModel
+import OrtRepository
 import OrtVcsModel
 
 import java.io.Serializable
@@ -33,7 +34,7 @@ internal class OrtDependencyTreeModelImpl(
     override val name: String,
     override val version: String,
     override val configurations: List<OrtConfiguration>,
-    override val repositories: List<String>,
+    override val repositories: List<OrtRepository>,
     override val errors: List<String>,
     override val warnings: List<String>
 ) : OrtDependencyTreeModel, Serializable
@@ -74,3 +75,10 @@ internal class OrtVcsModelImpl(
     override val tag: String,
     override val browsableUrl: String
 ) : OrtVcsModel, Serializable
+
+@Suppress("SerialVersionUIDInSerializableClass")
+internal class OrtRepositoryImpl(
+    override val url: String,
+    override val username: String?,
+    override val password: String?
+) : OrtRepository, Serializable

plugins/package-managers/gradle/src/main/kotlin/Gradle.kt

@@ -20,6 +20,7 @@
 package org.ossreviewtoolkit.plugins.packagemanagers.gradle
 
 import OrtDependencyTreeModel
+import OrtRepository
 
 import java.io.ByteArrayOutputStream
 import java.io.File
@@ -32,6 +33,7 @@ import org.eclipse.aether.artifact.Artifact
 import org.eclipse.aether.repository.RemoteRepository
 import org.eclipse.aether.repository.WorkspaceReader
 import org.eclipse.aether.repository.WorkspaceRepository
+import org.eclipse.aether.util.repository.AuthenticationBuilder
 
 import org.gradle.tooling.GradleConnector
 import org.gradle.tooling.events.ProgressListener
@@ -262,10 +264,7 @@ class Gradle(
 
                 initScriptFile.parentFile.safeDeleteRecursively()
 
-                val repositories = dependencyTreeModel.repositories.map {
-                    // TODO: Also handle authentication and snapshot policy.
-                    RemoteRepository.Builder(it, "default", it).build()
-                }
+                val repositories = dependencyTreeModel.repositories.map { it.toRemoteRepository() }
 
                 dependencyHandler.repositories = repositories
 
@@ -326,3 +325,19 @@ private fun getGradleProperties(): Map<String, String> =
         }
         ?.toMap()
         .orEmpty()
+
+/**
+ * Convert this [OrtRepository] to a [RemoteRepository] taking the known properties into account.
+ * TODO: Also handle snapshot policy.
+ */
+private fun OrtRepository.toRemoteRepository(): RemoteRepository =
+    RemoteRepository.Builder(url, "default", url).apply {
+        if (username != null) {
+            setAuthentication(
+                AuthenticationBuilder().apply {
+                    addUsername(username)
+                    password?.also(::addPassword)
+                }.build()
+            )
+        }
+    }.build()

plugins/package-managers/gradle/src/main/resources/init.gradle

@@ -56,7 +56,7 @@ interface OrtDependencyTreeModel {
     String getName()
     String getVersion()
     List<OrtConfiguration> getConfigurations()
-    List<String> getRepositories()
+    List<OrtRepository> getRepositories()
     List<String> getErrors()
     List<String> getWarnings()
 }
@@ -79,14 +79,20 @@ interface OrtDependency {
     String getLocalPath()
 }
 
+interface OrtRepository {
+    String getUrl()
+    String getUsername()
+    String getPassword()
+}
+
 @ToString(includeNames = true)
 @TupleConstructor
 class OrtDependencyTreeModelImpl implements OrtDependencyTreeModel, Serializable {
     String group
     String name
     String version
     List<OrtConfiguration> configurations
-    List<String> repositories
+    List<OrtRepository> repositories
     List<String> errors
     List<String> warnings
 }
@@ -113,6 +119,13 @@ class OrtDependencyImpl implements OrtDependency, Serializable {
     String localPath
 }
 
+@TupleConstructor
+class OrtRepositoryImpl implements OrtRepository, Serializable {
+    String url = ''
+    String username = null
+    String password = null
+}
+
 class OrtDependencyTreeGradlePlugin extends AbstractOrtDependencyTreePlugin<Gradle> {
     @Inject
     OrtDependencyTreeGradlePlugin(ToolingModelBuilderRegistry registry) {
@@ -221,9 +234,9 @@ class AbstractOrtDependencyTreePlugin<T> implements Plugin<T> {
                 }
             }
 
-            List<String> repositories = project.repositories.findResults {
+            List<OrtRepository> repositories = project.repositories.findResults {
                 if (it instanceof DefaultMavenArtifactRepository) {
-                    it.url.toString()
+                    new OrtRepositoryImpl(it.url.toString(), it.credentials?.username, it.credentials?.password)
                 } else if (it instanceof DefaultFlatDirArtifactRepository) {
                     warnings.add('Project uses a flat dir repository which is not supported by the analyzer. ' +
                             "Dependencies from this repository will be ignored: ${it.dirs}".toString())