chore: introduce maven artifact types and utilities

nathanwn · nathanwn · commit f2ed7f73f04c · 2024-03-26T19:29:07.000+10:00
Signed-off-by: Nathan Nguyen &lt;nathan.nguyen@oracle.com&gt;
diff --git a/src/macaron/artifact/maven.py b/src/macaron/artifact/maven.py
@@ -0,0 +1,145 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This module declares types and utilities for Maven artifacts."""
+
+import re
+from dataclasses import dataclass
+from enum import Enum
+from typing import NamedTuple, Self
+
+from packageurl import PackageURL
+
+
+class _MavenArtifactType(NamedTuple):
+    filename_pattern: str
+    purl_qualifiers: dict[str, str]
+
+
+class MavenArtifactType(_MavenArtifactType, Enum):
+    """Maven artifact types that Macaron supports.
+
+    For reference, see:
+    - https://maven.apache.org/ref/3.9.6/maven-core/artifact-handlers.html
+    - https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#maven
+    """
+
+    # Enum with custom value type.
+    # See https://docs.python.org/3.10/library/enum.html#others.
+    JAR = _MavenArtifactType(
+        filename_pattern="{artifact_id}-{version}.jar",
+        purl_qualifiers={"type": "jar"},
+    )
+    POM = _MavenArtifactType(
+        filename_pattern="{artifact_id}-{version}.pom",
+        purl_qualifiers={"type": "pom"},
+    )
+    JAVADOC = _MavenArtifactType(
+        filename_pattern="{artifact_id}-{version}-javadoc.jar",
+        purl_qualifiers={"type": "javadoc"},
+    )
+    JAVA_SOURCE = _MavenArtifactType(
+        filename_pattern="{artifact_id}-{version}-sources.jar",
+        purl_qualifiers={"type": "sources"},
+    )
+
+
+@dataclass
+class MavenArtifact:
+    """A Maven artifact."""
+
+    group_id: str
+    artifact_id: str
+    version: str
+    artifact_type: MavenArtifactType
+
+    @property
+    def package_url(self) -> PackageURL:
+        """Get the PackageURL of this Maven artifact."""
+        return PackageURL(
+            type="maven",
+            namespace=self.group_id,
+            name=self.artifact_id,
+            version=self.version,
+            qualifiers=self.artifact_type.purl_qualifiers,
+        )
+
+    @classmethod
+    def from_package_url(cls, package_url: PackageURL) -> Self | None:
+        """Create a Maven artifact from a PackageURL.
+
+        Parameters
+        ----------
+        package_url : PackageURL
+            The PackageURL identifying a Maven artifact.
+
+        Returns
+        -------
+        Self | None
+            A Maven artifact, or ``None`` if the PURL is not a valid Maven artifact PURL, or if
+            the artifact type is not supported.
+            For supported artifact types, see :class:`MavenArtifactType`.
+        """
+        if not package_url.namespace:
+            return None
+        if not package_url.version:
+            return None
+        if package_url.type != "maven":
+            return None
+        maven_artifact_type = None
+        for artifact_type in MavenArtifactType:
+            if artifact_type.purl_qualifiers == package_url.qualifiers:
+                maven_artifact_type = artifact_type
+                break
+        if not maven_artifact_type:
+            return None
+        return cls(
+            group_id=package_url.namespace,
+            artifact_id=package_url.name,
+            version=package_url.version,
+            artifact_type=maven_artifact_type,
+        )
+
+    @classmethod
+    def from_artifact_name(
+        cls,
+        artifact_name: str,
+        group_id: str,
+        version: str,
+    ) -> Self | None:
+        """Create a Maven artifact given an artifact name.
+
+        The artifact type is determined based on the naming pattern of the artifact.
+
+        Parameters
+        ----------
+        artifact_name : str
+            The artifact name.
+        group_id : str
+            The group id.
+        version : str
+            The version
+
+        Returns
+        -------
+        Self | None
+            A Maven artifact, or ``None`` if the PURL is not a valid Maven artifact PURL, or if
+            the artifact type is not supported.
+            For supported artifact types, see :class:`MavenArtifactType`.
+        """
+        for maven_artifact_type in MavenArtifactType:
+            pattern = maven_artifact_type.filename_pattern.format(
+                artifact_id="(.*)",
+                version=version,
+            )
+            match_result = re.search(pattern, artifact_name)
+            if not match_result:
+                continue
+            artifact_id = match_result.group(1)
+            return cls(
+                group_id=group_id,
+                artifact_id=artifact_id,
+                version=version,
+                artifact_type=maven_artifact_type,
+            )
+        return None
diff --git a/tests/artifact/__init__.py b/tests/artifact/__init__.py
@@ -0,0 +1,2 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
diff --git a/tests/artifact/test_maven.py b/tests/artifact/test_maven.py
@@ -0,0 +1,205 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""Tests for types and utilities for Maven artifacts."""
+
+import pytest
+from packageurl import PackageURL
+
+from macaron.artifact.maven import MavenArtifact, MavenArtifactType
+# , MavenSubjectPURLMatcher
+from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, validate_intoto_payload
+
+
+@pytest.mark.parametrize(
+    ("purl_str", "maven_artifact"),
+    [
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=jar",
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAR,
+            ),
+            id="purl for jar artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=javadoc",
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAVADOC,
+            ),
+            id="purl for javadoc artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=sources",
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAVA_SOURCE,
+            ),
+            id="purl for java source artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=pom",
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.POM,
+            ),
+            id="purl for pom artifact",
+        ),
+    ],
+)
+def test_maven_artifact_from_purl(purl_str: str, maven_artifact: MavenArtifact) -> None:
+    """Test creating a ``MavenArtifact`` object given a PackageURL."""
+    assert MavenArtifact.from_package_url(PackageURL.from_string(purl_str)) == maven_artifact
+
+
+@pytest.mark.parametrize(
+    ("params", "maven_artifact"),
+    [
+        pytest.param(
+            {
+                "artifact_name": "jackson-annotations-2.9.9.jar",
+                "group_id": "com.fasterxml.jackson",
+                "version": "2.9.9",
+            },
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAR,
+            ),
+            id="jar artifact",
+        ),
+        pytest.param(
+            {
+                "artifact_name": "jackson-annotations-2.9.9-javadoc.jar",
+                "group_id": "com.fasterxml.jackson",
+                "version": "2.9.9",
+            },
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAVADOC,
+            ),
+            id="javadoc artifact",
+        ),
+        pytest.param(
+            {
+                "artifact_name": "jackson-annotations-2.9.9-sources.jar",
+                "group_id": "com.fasterxml.jackson",
+                "version": "2.9.9",
+            },
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.JAVA_SOURCE,
+            ),
+            id="java-source artifact",
+        ),
+        pytest.param(
+            {
+                "artifact_name": "jackson-annotations-2.9.9.pom",
+                "group_id": "com.fasterxml.jackson",
+                "version": "2.9.9",
+            },
+            MavenArtifact(
+                group_id="com.fasterxml.jackson",
+                artifact_id="jackson-annotations",
+                version="2.9.9",
+                artifact_type=MavenArtifactType.POM,
+            ),
+            id="pom artifact",
+        ),
+    ],
+)
+def test_maven_artifact_from_artifact_name(params: dict, maven_artifact: MavenArtifact) -> None:
+    """Test creating a ``MavenArtifact`` object given an artifact name."""
+    assert MavenArtifact.from_artifact_name(**params) == maven_artifact
+
+
+@pytest.mark.parametrize(
+    ("purl_str", "subject_index"),
+    [
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=jar",
+            0,
+            id="purl for jar artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=javadoc",
+            1,
+            id="purl for javadoc artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=sources",
+            2,
+            id="purl for java source artifact",
+        ),
+        pytest.param(
+            "pkg:maven/com.fasterxml.jackson/jackson-annotations@2.9.9?type=pom",
+            3,
+            id="purl for pom artifact",
+        ),
+    ],
+)
+def test_to_maven_artifact_subject(
+    purl_str: str,
+    subject_index: int,
+) -> None:
+    """Test constructing a ``MavenArtifact`` object from a given artifact name."""
+    purl = PackageURL.from_string(purl_str)
+    provenance_payload: InTotoPayload = validate_intoto_payload(
+        {
+            "_type": "https://in-toto.io/Statement/v0.1",
+            "subject": [
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9-javadoc.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9-sources.jar",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/jackson-annotations-2.9.9.pom",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+                {
+                    "name": "https://witness.dev/attestations/product/v0.1/file:target/foobar.txt",
+                    "digest": {
+                        "sha256": "6f97fe2094bd50435d6fbb7a2f6c2638fe44e6af17cfff98ce111d0abfffe17e",
+                    },
+                },
+            ],
+            "predicateType": "https://witness.testifysec.com/attestation-collection/v0.1",
+        }
+    )
+    assert (
+        MavenSubjectPURLMatcher.get_subject_in_provenance_matching_purl(
+            provenance_payload=provenance_payload,
+            purl=purl,
+        )
+        == provenance_payload.statement["subject"][subject_index]
+    )

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.`
	`2`	`+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.`