Class PackageResolver
This resolver will initially look in the user's $HOME/.ek9/lib directory for a zip file matching the vector for the package's module, e.g. 'ekopen.network.support.utils-1.6.1-9.zip'.
If that is not present then it will make an https request to repo.ek9lang.com to obtain that zip file and the hash (fingerprint) of the zip. The manual steps for this are:
curl https://repo.ek9lang.org/ekopen.net.handy.tools-3.2.1-0.zip -o ekopen.net.handy.tools-3.2.1-0.zip
curl https://repo.ek9lang.org/ekopen.net.handy.tools-3.2.1-0.zip.sha256 -o ekopen.net.handy.tools-3.2.1-0.zip.sha256
cat ekopen.net.handy.tools-3.2.1-0.zip | shasum -a 256 -c ekopen.net.handy.tools-3.2.1-0.zip.sha256
Note that when the publisher of the package uploaded the zip, they took a couple of extra steps to provide a secure copy of the hash of the zip. See SigningKeyPair.doubleEncryption as an example of this.
They used their private key to encrypt the hash of the zip they created. They then used the public key of the repo server to encrypt that data. That ensures that only the server, with its private key, can decrypt that payload, and that the inner payload can then only be decrypted with the publisher's public key to reveal the hash. That hash can then be checked against a re-run of the hashing of the zip file.
On the repo server, the zip is taken and put to one side for virus scanning and later processing. The first layer of encryption is decrypted by the repo server using its own private key. This ensures that the decrypted data (the still-encrypted hash and the unencrypted client public key) has not been tampered with.
Now the provided client public key can be used to decrypt the encrypted hash. That hash value can be checked against the hash calculated from the zip. If the zip is virus free, then the zip, the hash encrypted with the client's private key, and the client's public key are all stored on the S3 server.
So when the zip is downloaded, this resolver will use the same hashing routine to calculate the fingerprint. It will also get the client's public key to decrypt the encrypted hash and check that the hash values match.
Anyway that's the general idea.
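The layering described above, as an added example that is not EK9's own code (SigningKeyPair.doubleEncryption is the project's version). Assumptions: RSA for both key pairs, a 4096-bit repo key so the publisher's 256-byte inner block fits in one outer block, the publisher's public key handed over separately rather than inside the outer payload, and hypothetical class and helper names.

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Added example: names, key sizes and paddings are assumptions, not EK9's SigningKeyPair.
public class DoubleEncryptionDemo {
  static final String INNER = "RSA/ECB/PKCS1Padding";                  // publisher layer
  static final String OUTER = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; // repo layer

  static KeyPair newKeyPair(int bits) throws GeneralSecurityException {
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(bits);
    return generator.generateKeyPair();
  }

  static byte[] crypt(int mode, Key key, String transform, byte[] in)
      throws GeneralSecurityException {
    Cipher cipher = Cipher.getInstance(transform);
    cipher.init(mode, key);
    return cipher.doFinal(in);
  }

  static byte[] sha256(byte[] data) throws GeneralSecurityException {
    return MessageDigest.getInstance("SHA-256").digest(data);
  }

  public static void main(String[] args) throws Exception {
    KeyPair publisher = newKeyPair(2048);
    KeyPair repo = newKeyPair(4096);
    byte[] zip = "constructed stand-in for the zip bytes".getBytes(StandardCharsets.UTF_8);

    // Publisher: encrypt the hash with own private key, then wrap it for the repo server.
    byte[] hashEnc = crypt(Cipher.ENCRYPT_MODE, publisher.getPrivate(), INNER, sha256(zip));
    byte[] upload = crypt(Cipher.ENCRYPT_MODE, repo.getPublic(), OUTER, hashEnc);

    // Repo server: remove the outer layer, then open the inner one with the publisher's key.
    byte[] stored = crypt(Cipher.DECRYPT_MODE, repo.getPrivate(), OUTER, upload);
    byte[] serverHash = crypt(Cipher.DECRYPT_MODE, publisher.getPublic(), INNER, stored);
    System.out.println("server accepts upload: " + MessageDigest.isEqual(serverHash, sha256(zip)));

    // Resolver: re-hash what was downloaded and compare with the decrypted stored hash.
    byte[] published = crypt(Cipher.DECRYPT_MODE, publisher.getPublic(), INNER, stored);
    byte[] tampered = Arrays.copyOf(zip, zip.length);
    tampered[0] ^= 1; // simulate a modified download
    System.out.println("clean zip matches: " + MessageDigest.isEqual(published, sha256(zip)));
    System.out.println("tampered zip matches: " + MessageDigest.isEqual(published, sha256(tampered)));
  }
}
```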
Constructor Summary
Method Summary
Modifier and Type | Method | Description
(package private) boolean | downloadDependency(String dependencyVector) |
protected String | messagePrefix | Provide the report/log message prefix.
(package private) Optional<Ek9SourceVisitor> | resolve | Provides a source visitor for a package's dependency, so if it has already been resolved and unpacked, it will be returned.
Methods inherited from class org.ek9lang.compiler.common.Reporter
isMuteReportedErrors, isVerbose, log, report, setMuteReportedErrors
Constructor Details
PackageResolver
PackageResolver(CommandLine commandLine, boolean muteReportedErrors)
Method Details
messagePrefix
Description copied from class: Reporter
Provide the report/log message prefix.
Specified by: messagePrefix in class Reporter
resolve
Provides a source visitor for a package's dependency, so if it has already been resolved and unpacked, it will be returned. But if it needs to be downloaded then it will be pulled down, unpacked and returned.
downloadDependency