
[LM-324] Added Maven support to MDM package-firewall generators#3

Open
Mahesh-Kete wants to merge 1 commit into main from LM-324_Maven_support_in_MDM_scripts


@Mahesh-Kete Mahesh-Kete commented Jun 15, 2026


Add Maven support to MDM package-firewall generators (LM-324)

Jira: LM-324 — Maven support in MDM scripts

Summary

Adds Java / Maven coverage to the Package Firewall MDM script generators (bash + PowerShell). Generated scripts now configure Maven's user settings (~/.m2/settings.xml) to route all repository requests through the Endor Package Firewall, alongside the existing JavaScript, Python, and Go ecosystems.

Maven required special handling: every other config file is line-oriented and uses #-comment sentinels appended at EOF, but settings.xml is XML — the managed block must live inside <settings>…</settings>, and comments are <!-- … -->. So Maven gets its own XML-aware upsert/remove helpers; everything else follows the existing pattern.

No new credentials are introduced. Maven natively expands ${env.*}, and the required ENDOR_API_KEY_ID / ENDOR_API_SECRET are already provided by the existing credential layer (env.sh on macOS/Linux, HKCU:\Environment on Windows). The only new generation-time value is the Maven firewall URL.

What's included

Shared

  • New block file shared/blocks/mavensettings.txt — the managed settings.xml fragment (<mirror mirrorOf="*"> + matching <server>), read by both platforms.

bash

  • lib/common.sh — new upsert_xml_block / remove_xml_block helpers + XML sentinel markers.
  • templates/maven.sh — orchestration (writes ~/.m2/settings.xml).
  • generate.sh — {{MAVEN_REGISTRY_URL}} substitution, MAVEN_BLOCK emission, endor-maven.sh build + fold into endor-all.sh, summary output.
  • templates/remove.sh — Maven offboarding.

PowerShell (mirror of the bash changes)

  • lib/common.ps1 — Invoke-UpsertXmlBlock / Remove-XmlBlock + XML markers.
  • templates/maven.ps1, generate.ps1 wiring, templates/remove.ps1 removal.

Docs

  • Updated package-firewall/README.md, bash/README.md, powershell/README.md (ecosystem tables, block list, per-script behaviour, placeholders, security/removal notes).

Behaviour

  • Fresh machine → creates a complete, schema-referenced settings.xml wrapping the Endor fragment.
  • Existing file → splices the fragment in immediately before </settings>; all other elements (e.g. an admin <profile>) are preserved.
  • Re-run / MDM check-in → replaces only the Endor fragment (idempotent).
  • Removal → strips only the Endor fragment; deletes the file if it was Endor-only.
  • --dry-run / -DryRun supported, consistent with the other scripts.

Notable fix beyond the spec

The original design used awk -v frag="$multiline" to insert the fragment, which fails on macOS/BSD awk ("newline in string") on the idempotent re-run — it only works on GNU awk. Since these scripts target Macs via Kandji/Jamf, Case 3 now passes the fragment via a temp file read with getline, which is portable across BSD and GNU awk.

Testing

  • bash verified end-to-end against /usr/bin/awk: fresh-create, idempotency (one mirror after two runs), insert-before-</settings> preserving an existing <profile>, removal preserving other content, and dry-run writing nothing. xmllint confirms valid XML throughout.
  • All six generated scripts pass bash -n. Generation bakes in {{MAVEN_REGISTRY_URL}} while keeping ${env.*} literal.

Verification status

  • Firewall URL path confirmed as /firewall/maven/ (base host factory.endorlabs.com), per the JFrog Artifactory docs. Matches the code; no change needed.
  • bash logic verified on /usr/bin/awk (macOS): fresh-create, idempotency, insert-before-</settings> preserving an existing <profile>, removal, and dry-run — all pass, xmllint-valid throughout.
  • PowerShell logic verified on PowerShell 7.7 (macOS): same scenarios as bash — generate output, fresh-create, idempotency (one mirror after two runs), insert preserving a profile, removal, Endor-only-file deletion, and dry-run — all pass, xmllint-valid.
  • Windows-only paths (Get-ConsoleUser via explorer.exe, Set-FileRestrictedAcl ACLs) still need a real Windows machine — these platform calls can't be exercised by pwsh on macOS. The Maven XML logic itself is fully validated.

Out of scope / follow-ups

  • Gradle — does not read ~/.m2/settings.xml for resolution.

@Mahesh-Kete Mahesh-Kete requested a review from shrey-endor June 15, 2026 10:46
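The upsert/remove behaviour the PR describes (fresh-create, splice before </settings>, idempotent replace between sentinel comments, strip-and-delete-if-Endor-only, fragment passed to awk through a temp file with getline), as an added bash example. This is not the project's lib/common.sh or templates/maven.sh; the marker text, fragment layout, the settings 1.2.0 schema reference, the example URL and the function names are assumptions. It also goes one step beyond the PR text: before splicing into an existing file it refuses if that file already carries its own top-level <mirrors> or <servers> outside the managed block, because Maven's settings reader rejects a duplicated top-level element and a blind insert before </settings> would leave the developer with a settings.xml Maven will not load.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code): XML-aware upsert/remove of a managed
# block in Maven's settings.xml. Marker text, fragment layout, schema URL
# and the firewall URL below are assumptions for illustration.
set -eu

BEGIN_MARK='<!-- BEGIN ENDOR MANAGED BLOCK -->'
END_MARK='<!-- END ENDOR MANAGED BLOCK -->'
# Constructed placeholder standing in for the {{MAVEN_REGISTRY_URL}} value.
MAVEN_REGISTRY_URL='https://factory.example.com/firewall/maven/'

# Print the managed fragment. ${env.*} stays literal (escaped here) so that
# Maven, not the generating shell, expands the credentials at build time.
maven_fragment() {
  cat <<EOF
  $BEGIN_MARK
  <mirrors>
    <mirror>
      <id>endor-firewall</id>
      <mirrorOf>*</mirrorOf>
      <url>$1</url>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>endor-firewall</id>
      <username>\${env.ENDOR_API_KEY_ID}</username>
      <password>\${env.ENDOR_API_SECRET}</password>
    </server>
  </servers>
  $END_MARK
EOF
}

# Print FILE with the managed block (markers included) removed.
strip_managed() {
  awk -v begin="$BEGIN_MARK" -v end="$END_MARK" '
    index($0, begin) { skip = 1; next }
    skip && index($0, end) { skip = 0; next }
    !skip { print }
  ' "$1"
}

# Upsert: create FILE from scratch, replace an existing managed block, or
# splice the fragment in just before </settings>. FRAG is a path: awk reads
# it with getline, which works on BSD and GNU awk alike (a multi-line
# -v frag="$string" fails on BSD awk with "newline in string").
upsert_xml_block() {
  local file="$1" frag="$2" tmp
  if [ ! -f "$file" ]; then
    {
      printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
      printf '%s\n' '<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">'
      cat "$frag"
      printf '%s\n' '</settings>'
    } > "$file"
    return 0
  fi
  # Maven rejects a duplicated top-level <mirrors>/<servers>; refuse rather
  # than write a file it will not load. Merging is left to the admin.
  if strip_managed "$file" | grep -Eq '<(mirrors|servers)>'; then
    printf 'refusing: %s already has <mirrors>/<servers> outside the managed block\n' "$file" >&2
    return 2
  fi
  tmp=$(mktemp)
  awk -v begin="$BEGIN_MARK" -v end="$END_MARK" -v frag="$frag" '
    function emit_frag(   line) {
      while ((getline line < frag) > 0) print line
      close(frag)
    }
    index($0, begin) { skip = 1; emit_frag(); done = 1; next }   # replace in place
    skip && index($0, end) { skip = 0; next }
    skip { next }
    !done && index($0, "</settings>") { emit_frag(); done = 1 } # first install
    { print }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Remove: strip only the managed block; delete FILE when nothing but the
# prolog and the <settings> wrapper remain (i.e. it was Endor-only).
remove_xml_block() {
  local file="$1" tmp
  [ -f "$file" ] || return 0
  tmp=$(mktemp)
  strip_managed "$file" > "$tmp"
  if grep -Eqv '^[[:space:]]*$|^<\?xml|^<settings|^</settings>' "$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp" "$file"
  fi
}

# Usage: script.sh upsert|remove [settings.xml]   (default: ~/.m2/settings.xml)
case "${1:-}" in
  upsert) frag=$(mktemp); maven_fragment "$MAVEN_REGISTRY_URL" > "$frag"
          upsert_xml_block "${2:-$HOME/.m2/settings.xml}" "$frag"; rm -f "$frag" ;;
  remove) remove_xml_block "${2:-$HOME/.m2/settings.xml}" ;;
esac
```

Matching on the sentinel comments uses awk's index() rather than a regex, so the `<!-- … -->` punctuation needs no escaping; and the refusal path returns a distinct exit code (2) so an MDM wrapper can report "needs manual merge" separately from a generic failure. Nothing here touches credentials: the only values written are the URL and literal ${env.*} references, as in the PR.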
