From 54ccf06a7ebdfa5978240c0d358f21bc90829cfd Mon Sep 17 00:00:00 2001
From: Bartosz Spyrko-Smietanko <bspyrkos@redhat.com>
Date: Fri, 2 Aug 2024 13:05:28 +0200
Subject: [PATCH] Add override for manifest signature URL

---
 .../main/java/org/wildfly/channel/ChannelImpl.java | 10 ++++++++--
 .../wildfly/channel/ChannelManifestCoordinate.java | 14 +++++++++++++-
 .../wildfly/channel/ChannelMetadataCoordinate.java | 11 +++++++++++
 .../org/wildfly/channel/v2.1.0/schema.json         |  4 ++++
 doc/spec.adoc                                      |  3 ++-
 5 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/org/wildfly/channel/ChannelImpl.java b/core/src/main/java/org/wildfly/channel/ChannelImpl.java
index 58ba360c..a032df52 100644
--- a/core/src/main/java/org/wildfly/channel/ChannelImpl.java
+++ b/core/src/main/java/org/wildfly/channel/ChannelImpl.java
@@ -228,7 +228,7 @@ private ChannelManifest resolveManifest(ChannelManifestCoordinate manifestCoordi
      *
      * @throws ArtifactTransferException if any artifacts can not be resolved.
      */
-    public List<URL> resolveChannelMetadata(List<? extends ChannelMetadataCoordinate> coords, boolean optional) throws ArtifactTransferException {
+    private List<URL> resolveChannelMetadata(List<? extends ChannelMetadataCoordinate> coords, boolean optional) throws ArtifactTransferException {
         requireNonNull(coords);
 
         List<URL> channels = new ArrayList<>();
@@ -239,7 +239,13 @@ public List<URL> resolveChannelMetadata(List<? extends ChannelMetadataCoordinate
                 channels.add(coord.getUrl());
                 if (channelDefinition.requiresGpgCheck()) {
                     try {
-                        validateGpgSignature(coord.getUrl(), new URL(coord.getUrl().toExternalForm()+ SIGNATURE_FILE_SUFFIX));
+                        final URL signatureUrl;
+                        if (coord.getSignatureUrl() == null) {
+                            signatureUrl = new URL(coord.getUrl().toExternalForm() + SIGNATURE_FILE_SUFFIX);
+                        } else {
+                            signatureUrl = coord.getSignatureUrl();
+                        }
+                        validateGpgSignature(coord.getUrl(), signatureUrl);
                     } catch (IOException e) {
                         throw new InvalidChannelMetadataException("Unable to download a detached signature file from: " + coord.getUrl().toExternalForm()+ SIGNATURE_FILE_SUFFIX,
                                 List.of(e.getMessage()), e);
diff --git a/core/src/main/java/org/wildfly/channel/ChannelManifestCoordinate.java b/core/src/main/java/org/wildfly/channel/ChannelManifestCoordinate.java
index 8b4efcc1..9cadc48a 100644
--- a/core/src/main/java/org/wildfly/channel/ChannelManifestCoordinate.java
+++ b/core/src/main/java/org/wildfly/channel/ChannelManifestCoordinate.java
@@ -45,12 +45,18 @@ public ChannelManifestCoordinate(URL url) {
         super(url);
     }
 
+    public ChannelManifestCoordinate(URL url, URL signatureUrl) {
+        super(url, signatureUrl);
+    }
+
     public ChannelManifestCoordinate() {
         super(ChannelManifest.CLASSIFIER, ChannelManifest.EXTENSION);
     }
 
     @JsonCreator
-    public static ChannelManifestCoordinate create(@JsonProperty(value = "url") String url, @JsonProperty(value = "maven") MavenCoordinate gav) throws MalformedURLException {
+    public static ChannelManifestCoordinate create(@JsonProperty(value = "url") String url,
+                                                   @JsonProperty(value = "signature-url") String signatureUrl,
+                                                   @JsonProperty(value = "maven") MavenCoordinate gav) throws MalformedURLException {
         if (gav != null) {
             if (gav.getVersion() == null || gav.getVersion().isEmpty()) {
                 return new ChannelManifestCoordinate(gav.getGroupId(), gav.getArtifactId());
@@ -81,4 +87,10 @@ private boolean isEmpty(String text) {
     public URL getUrl() {
         return super.getUrl();
     }
+
+    @JsonProperty(value = "signature-url")
+    @JsonInclude(NON_NULL)
+    public URL getSignatureUrl() {
+        return super.getSignatureUrl();
+    }
 }
diff --git a/core/src/main/java/org/wildfly/channel/ChannelMetadataCoordinate.java b/core/src/main/java/org/wildfly/channel/ChannelMetadataCoordinate.java
index 7eb1435c..82fd2c32 100644
--- a/core/src/main/java/org/wildfly/channel/ChannelMetadataCoordinate.java
+++ b/core/src/main/java/org/wildfly/channel/ChannelMetadataCoordinate.java
@@ -35,6 +35,7 @@ public class ChannelMetadataCoordinate {
     private String extension;
 
     private URL url;
+    protected URL signatureUrl;
 
     protected ChannelMetadataCoordinate() {
     }
@@ -57,6 +58,12 @@ public ChannelMetadataCoordinate(URL url) {
         requireNonNull(url);
     }
 
+    public ChannelMetadataCoordinate(URL url, URL signatureUrl) {
+        this(null, null, null, null, null, url);
+        requireNonNull(url);
+        this.signatureUrl = signatureUrl;
+    }
+
     private ChannelMetadataCoordinate(String groupId, String artifactId, String version, String classifier, String extension, URL url) {
         this.groupId = groupId;
         this.artifactId = artifactId;
@@ -94,6 +101,10 @@ public String getExtension() {
         return extension;
     }
 
+    public URL getSignatureUrl() {
+        return signatureUrl;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
diff --git a/core/src/main/resources/org/wildfly/channel/v2.1.0/schema.json b/core/src/main/resources/org/wildfly/channel/v2.1.0/schema.json
index 7ad2a046..6c7814c0 100644
--- a/core/src/main/resources/org/wildfly/channel/v2.1.0/schema.json
+++ b/core/src/main/resources/org/wildfly/channel/v2.1.0/schema.json
@@ -81,6 +81,10 @@
         "url": {
           "description": "URL of the manifest file.",
           "type": "string"
+        },
+        "signature-url": {
+          "description": "URL of the manifest signature file.",
+          "type": "string"
         }
       },
       "oneOf": [
diff --git a/doc/spec.adoc b/doc/spec.adoc
index 69bf16ab..3d30c97f 100644
--- a/doc/spec.adoc
+++ b/doc/spec.adoc
@@ -65,6 +65,7 @@ A channel is composed of several fields:
 **** Mandatory `groupId` and `artifactId` elements that are the Maven coordinates of the manifest.
 **** Optional `version` to stick to a given manifest version (instead of requiring the latest version of that manifest). In the absence of this `version`, the latest version of the manifest will be determined based on the Maven repository metadata (see <<Component Version>>).
 *** `url` corresponding to a URL where the manifest file can be found.
+*** `signature-url` corresponding to a URL where the signature of the manifest file can be found.
 * Optional `blocklist` corresponding to the Blocklist artifact. Blocklist is used to define versions of artifacts excluded from a channel.
 ** One of the following, mutually exclusive fields, used to resolve the Blocklist:
 *** `maven` corresponds to Maven coordinates of the Blocklist. It's composed of:
@@ -247,7 +248,7 @@ The signature file is resolved at the same time as the artifact. If the signatur
 
 #### Verifing manifest signatures
 
-If the manifest of a channel is defined as a Maven GA(V), it is treated as any other maven artifact. If it is defined as an URL, the signature file must be available at the same URL with ".asc" suffix. If the signature cannot be resolved, the channel creation must fail.
+If the manifest of a channel is defined as a Maven GA(V), it is treated as any other maven artifact. If it is defined as an URL, the signature file must be available at the same URL with ".asc" suffix. Alternatively, a `signature-url` element can be used to provide a location of the signature. If the signature cannot be resolved, the channel creation must fail.
 
 #### Public keys