Deprecate HTTP Download

[JLLeitschuh]

Reasoning

After a 4-month research project into the supply chain security of the JVM ecosystem I published this writeup Want to take over the Java ecosystem? All you need is a MITM!

The project details how some of the most popular projects in the JVM ecosystem were using HTTP instead of HTTPS to download their dependencies.

The goal of this PR is to help close this widespread vulnerability impacting a huge swath of the JVM ecosystem.

New API

This PR adds a few new API's to various places that allow Gradle to download code over HTTP in the cases where it's necessary.

repositories {
   maven {
       setUrl("http://my-company-requires-http.company.com")
       isAllowUntrustedProtocol = true
   }
}

Similar API's have been added to the HttpBuildCache and the TextResourceFactory.

Locations Not Covered By this PR

These should be handled in a follow-on PR.

• The Wrapper task
• Wrapper itself

Contributor Checklist

• Review Contribution Guidelines
• Make sure that all commits are signed off to indicate that you agree to the terms of Developer Certificate of Origin.
• Check "Allow edit from maintainers" option in pull request so that additional changes can be pushed by Gradle team
• Provide integration tests (under <subproject>/src/integTest) to verify changes from a user perspective
• Provide unit tests (under <subproject>/src/test) to verify logic
• Update User Guide, DSL Reference, and Javadoc for public-facing changes
• Ensure that tests pass locally: ./gradlew <changed-subproject>:check

Gradle Core Team Checklist

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation
• Recognize contributor in release notes

[JLLeitschuh]

@eskatos The Kotlin DSL service logic now uses this method to create the DefaultFileOperations to basically attempt to unify on the creation of this type. Before there were multiple different ways that this object was created across three languages. Now, at least the Kotlin DSL and the DefaultScript for groovy are both using the same method.

[JLLeitschuh]

This makes the exceptions a bit more informative when you have enclosing classes named something simple like Factory.

[JLLeitschuh]

@adammurdoch @bigdaz How do we want to deal with the old mavenDeployer when it comes to this depreciation? I don't think we can intercept the redirect chain for the mavenDeployer because it uses all sonatype API's like org.sonatype.aether.repository.RemoteRepository.

[JLLeitschuh]

@thc202 I've updated the description in PR header to describe the reasoning behind this work now that my article is finally public. Go have a look.

[l0rinc]

what about IPV6?

[JLLeitschuh]

This bypass is pretty much for our testing exclusively. It's not even going to be an externally documented feature.

If it's important, I can update this if you think I should.

[l0rinc]

Not important for me, just wanted to point out that it's a possibility, too.

[big-guy]

We should rollback the changes to ObjectConfigurationAction and the TextResources since this seems to ripple into a lot of different areas. In those cases, we should just always produce a warning/deprecation and not allow for an opt-out.

For script plugins applied over http, these should migrate to https (at least) or proper binary plugins or live with a warning. I don't think it's worth the confusion over having to do enable a flag.

For text resources being loaded over http, I think the argument is similar. Maybe it would be useful to have a fromInsecureUri(...), but let's see if that's actually onerous.

When we clamp down on HTTP, we can revisit this to see if we need to still allow some HTTP (with warnings) or provide more opt-in configuration options.

[big-guy]

I think this should either be setAllowInsecureProtocol(boolean) (allow or disallow insecure protocols) or allowInsecureProtocol() (allow insecure protocols to be used). I think we want the first option.

[JLLeitschuh]

@big-guy Looks like just performance failures. 🤔

[ljacomet]

This was reverted and introduced back as #10065