From 0d15fe116253650ddecfdf45a335c262ff353609 Mon Sep 17 00:00:00 2001
From: Eugene Yokota
Date: Sat, 6 Jun 2020 23:01:39 -0400
Subject: [PATCH] Remove HTTP support without explicit opt-in

Ref https://github.com/sbt/sbt/issues/4905
---
 build.sbt | 4 +++-
 main/src/main/scala/sbt/Defaults.scala | 19 +++++++++++++------
 .../scala/sbt/coursierint/LMCoursier.scala | 2 +-
 project/Dependencies.scala | 2 +-
 .../default-resolvers/test | 4 ++++
 .../exclude-bundle/build.sbt | 2 +-
 .../exclude-bundle/changes/build.sbt | 2 +-
 .../dependency-management/url/build.sbt | 2 +-
 8 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/build.sbt b/build.sbt
index 3d6d64bb3..ef301bd8f 100644
--- a/build.sbt
+++ b/build.sbt
@@ -951,7 +951,9 @@ lazy val mainProj = (project in file("main"))
 // since we're returning the same values as before.
 exclude[IncompatibleSignatureProblem]("sbt.Classpaths.mkIvyConfiguration"),
 exclude[IncompatibleMethTypeProblem]("sbt.internal.server.Definition*"),
- exclude[IncompatibleTemplateDefProblem]("sbt.internal.server.LanguageServerProtocol")
+ exclude[IncompatibleTemplateDefProblem]("sbt.internal.server.LanguageServerProtocol"),
+ exclude[DirectMissingMethodProblem]("sbt.Classpaths.warnInsecureProtocol"),
+ exclude[DirectMissingMethodProblem]("sbt.Classpaths.warnInsecureProtocolInModules"),
 )
 )
 .configure(
diff --git a/main/src/main/scala/sbt/Defaults.scala b/main/src/main/scala/sbt/Defaults.scala
index 298dd6d73..15670a481 100755
--- a/main/src/main/scala/sbt/Defaults.scala
+++ b/main/src/main/scala/sbt/Defaults.scala
@@ -2748,12 +2748,19 @@ object Classpaths {
 }
 }
- private[sbt] def warnInsecureProtocol(ress: Seq[Resolver], log: Logger): Unit = {
- ress.foreach(_.validateProtocol(log))
+ private[sbt] def errorInsecureProtocol(ress: Seq[Resolver], log: Logger): Unit = {
+ val bad = !ress.forall(!_.validateProtocol(log))
+ if (bad) {
+ sys.error("insecure protocol is unsupported")
+ }
 }
 // this warns about .from("http:/...") in ModuleID
- private[sbt] def warnInsecureProtocolInModules(mods: Seq[ModuleID], log: Logger): Unit = {
- mods.foreach(_.validateProtocol(log))
+ private[sbt] def errorInsecureProtocolInModules(mods: Seq[ModuleID], log: Logger): Unit = {
+ val artifacts = mods.flatMap(_.explicitArtifacts.toSeq)
+ val bad = !artifacts.forall(!_.validateProtocol(log))
+ if (bad) {
+ sys.error("insecure protocol is unsupported")
+ }
 }
 private[sbt] def defaultProjectID: Initialize[ModuleID] = Def.setting {
@@ -2782,7 +2789,7 @@ object Classpaths {
 }
 def moduleSettings0: Initialize[Task[ModuleSettings]] = Def.task {
 val deps = allDependencies.value.toVector
- warnInsecureProtocolInModules(deps, streams.value.log)
+ errorInsecureProtocolInModules(deps, streams.value.log)
 ModuleDescriptorConfiguration(projectID.value, projectInfo.value)
 .withValidate(ivyValidate.value)
 .withScalaModuleInfo(scalaModuleInfo.value)
@@ -3413,7 +3420,7 @@ object Classpaths {
 val (rs, other) = (fullResolvers.value.toVector, otherResolvers.value.toVector)
 val s = streams.value
 warnResolversConflict(rs ++: other, s.log)
- warnInsecureProtocol(rs ++: other, s.log)
+ errorInsecureProtocol(rs ++: other, s.log)
 InlineIvyConfiguration()
 .withPaths(ivyPaths.value)
 .withResolvers(rs)
diff --git a/main/src/main/scala/sbt/coursierint/LMCoursier.scala b/main/src/main/scala/sbt/coursierint/LMCoursier.scala
index 9e762148d..1bbbd126d 100644
--- a/main/src/main/scala/sbt/coursierint/LMCoursier.scala
+++ b/main/src/main/scala/sbt/coursierint/LMCoursier.scala
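Review bot: In `errorInsecureProtocol` and `errorInsecureProtocolInModules` (first hunk of main/src/main/scala/sbt/Defaults.scala), `!xs.forall(!_.validateProtocol(log))` stops at the first element that fails validation. If `validateProtocol` logs each offender as it checks (it takes the logger, but its body is not in this diff), only the first insecure resolver or artifact is reported before `sys.error`. Evaluating every element first, e.g. `val bad = ress.map(_.validateProtocol(log)).contains(true)`, reports all of them in one run and removes the double negation. The retained comment `// this warns about .from("http:/...") in ModuleID` is now stale and should read `// this fails the build on .from("http:/...") in ModuleID`. The message `"insecure protocol is unsupported"` would also be more actionable if it named the opt-in that the commit title refers to.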
@@ -91,7 +91,7 @@ object LMCoursier {
 val sbtScalaOrganization = "org.scala-lang" // always assuming sbt uses mainline scala
 val userForceVersions = Inputs.forceVersions(depsOverrides, scalaVer, scalaBinaryVer)
 Classpaths.warnResolversConflict(rs, log)
- Classpaths.warnInsecureProtocol(rs, log)
+ Classpaths.errorInsecureProtocol(rs, log)
 CoursierConfiguration()
 .withResolvers(rs.toVector)
 .withInterProjectDependencies(interProjectDependencies.toVector)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index c6d3e4167..5a8ebec0b 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -13,7 +13,7 @@ object Dependencies {
 // sbt modules
 private val ioVersion = nightlyVersion.getOrElse("1.4.0-M6")
 private val lmVersion =
- sys.props.get("sbt.build.lm.version").orElse(nightlyVersion).getOrElse("1.3.0")
+ sys.props.get("sbt.build.lm.version").orElse(nightlyVersion).getOrElse("1.4.0-M1")
 val zincVersion = nightlyVersion.getOrElse("1.4.0-M5")
 private val sbtIO = "org.scala-sbt" %% "io" % ioVersion
diff --git a/sbt/src/sbt-test/dependency-management/default-resolvers/test b/sbt/src/sbt-test/dependency-management/default-resolvers/test
index 0d310c9f5..769501c0a 100644
--- a/sbt/src/sbt-test/dependency-management/default-resolvers/test
+++ b/sbt/src/sbt-test/dependency-management/default-resolvers/test
@@ -9,3 +9,7 @@
 > set resolvers += Resolver.jcenterRepo
 > check2
+
+## HTTP
+> set resolvers += ("old_typesafe" at "http://repo.typesafe.com/typesafe/")
+-> update
diff --git a/sbt/src/sbt-test/dependency-management/exclude-bundle/build.sbt b/sbt/src/sbt-test/dependency-management/exclude-bundle/build.sbt
index 2652a7fd6..ac5aa4f28 100644
--- a/sbt/src/sbt-test/dependency-management/exclude-bundle/build.sbt
+++ b/sbt/src/sbt-test/dependency-management/exclude-bundle/build.sbt
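Review bot: The added `-> update` step in sbt/src/sbt-test/dependency-management/default-resolvers/test passes on any failure of `update`, so it does not show that the build was rejected because of the `http://` resolver rather than for an unrelated reason. Nothing in this test exercises the explicit opt-in path named in the commit title either. A companion step that adds the same resolver with the opt-in enabled and expects the configuration to be accepted would pin both sides of the policy. Replacing the bare `## HTTP` heading with `## HTTP resolvers are rejected unless explicitly allowed` would document the intent.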
@@ -1,3 +1,3 @@
 libraryDependencies += "org.vaadin" % "dontpush-addon-ozonelayer" % "0.4.6"
-resolvers += "asdf" at "http://maven.vaadin.com/vaadin-addons"
+resolvers += "asdf" at "https://maven.vaadin.com/vaadin-addons"
diff --git a/sbt/src/sbt-test/dependency-management/exclude-bundle/changes/build.sbt b/sbt/src/sbt-test/dependency-management/exclude-bundle/changes/build.sbt
index fec4bc3f6..d6348fa72 100644
--- a/sbt/src/sbt-test/dependency-management/exclude-bundle/changes/build.sbt
+++ b/sbt/src/sbt-test/dependency-management/exclude-bundle/changes/build.sbt
@@ -1,3 +1,3 @@
 libraryDependencies += "org.vaadin" % "dontpush-addon-ozonelayer" % "0.4.6" exclude("org.atmosphere", "atmosphere-compat-jetty")
-resolvers += "asdf" at "http://maven.vaadin.com/vaadin-addons"
+resolvers += "asdf" at "https://maven.vaadin.com/vaadin-addons"
diff --git a/sbt/src/sbt-test/dependency-management/url/build.sbt b/sbt/src/sbt-test/dependency-management/url/build.sbt
index f3b8f6fa2..1170270b3 100644
--- a/sbt/src/sbt-test/dependency-management/url/build.sbt
+++ b/sbt/src/sbt-test/dependency-management/url/build.sbt
@@ -3,7 +3,7 @@ import sbt.internal.inc.classpath.ClasspathUtilities
 lazy val root = (project in file(".")).
 settings(
 ivyPaths := IvyPaths(baseDirectory.value, Some(target.value / "ivy-cache")),
- libraryDependencies += "org.jsoup" % "jsoup" % "1.9.1" % Test from "http://jsoup.org/packages/jsoup-1.9.1.jar",
+ libraryDependencies += "org.jsoup" % "jsoup" % "1.9.1" % Test from "https://jsoup.org/packages/jsoup-1.9.1.jar",
 ivyLoggingLevel := UpdateLogging.Full,
 TaskKey[Unit]("checkInTest") := checkClasspath(Test).value,
 TaskKey[Unit]("checkInCompile") := checkClasspath(Compile).value