From a8ecb34a02a9ff29723b7040a8cfb3cdee7c1f93 Mon Sep 17 00:00:00 2001
From: Roberto Cortez
Date: Wed, 25 Oct 2023 19:04:40 +0100
Subject: [PATCH] Filter configuration names from the quarkus namespace in the Gradle plugin
---
 .../tasks/AbstractQuarkusExtension.java | 31 +++++++++++++++++++
 .../gradle/tasks/QuarkusBuildTask.java | 13 ++++++--
 docs/src/main/asciidoc/reaugmentation.adoc | 8 +++--
 3 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
index 8d59abd2a90ef..f2696a9266f23 100644
--- a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
+++ b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
@@ -130,6 +130,37 @@ private EffectiveConfig buildEffectiveConfiguration(Map properti
 .build();
 }
+ /**
+ * Filters resolved Gradle configuration for properties in the Quarkus namespace
+ * (as in start with quarkus.). This avoids exposing configuration that may contain secrets or
+ * passwords not related to Quarkus (for instance environment variables storing sensitive data for other systems).
+ *
+ * @param appArtifact the application dependency to retrive the quarkus application name and version.
+ * @return a filtered view of the configuration only with quarkus. names.
+ */
+ protected Map buildSystemProperties(ResolvedDependency appArtifact) {
+ Map buildSystemProperties = new HashMap<>();
+ buildSystemProperties.putIfAbsent("quarkus.application.name", appArtifact.getArtifactId());
+ buildSystemProperties.putIfAbsent("quarkus.application.version", appArtifact.getVersion());
+
+ for (Map.Entry entry : forcedPropertiesProperty.get().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.")) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue());
+ }
+ }
+ for (Map.Entry entry : quarkusBuildProperties.get().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.")) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue());
+ }
+ }
+ for (Map.Entry entry : project.getProperties().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.") && entry.getValue() != null) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue().toString());
+ }
+ }
+ return buildSystemProperties;
+ }
+
 private String quarkusProfile() {
 String profile = System.getProperty(QUARKUS_PROFILE);
 if (profile == null) {
diff --git a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java
index 106bca4941130..13c97cfd722a1 100644
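Review bot: The `startsWith("quarkus.")` test in `buildSystemProperties` narrows what is forwarded but redacts nothing, so a `quarkus.`-prefixed entry that holds a credential is still copied unchanged; the Javadoc should state that limit, for example `Values in the quarkus namespace are passed through as-is, including any that hold secrets.` All three loops use `put`, so `project.getProperties()` overrides `quarkusBuildProperties`, which in turn overrides `forcedPropertiesProperty`; if forced properties are meant to win the loop order needs reversing, and either way a one-line comment such as `// later sources win: forced < build < project` would record the intent. The two `putIfAbsent` calls run on a freshly created map and therefore behave as `put`, making the application name and version defaults that any of the three sources can replace. The prefix literal appears three times here and again in `QuarkusBuildTask`; a shared constant would keep the filters from drifting apart.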
--- a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java +++ b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; +import java.util.HashMap; import java.util.Map; import java.util.stream.Collectors; @@ -205,14 +206,20 @@ void generateBuild() { }); ApplicationModel appModel = resolveAppModelForBuild(); - Map configMap = extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap(); + Map configMap = new HashMap<>(); + for (Map.Entry entry : extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap() + .entrySet()) { + if (entry.getKey().startsWith("quarkus.")) { + configMap.put(entry.getKey(), entry.getValue()); + } + } getLogger().info("Starting Quarkus application build for package type {}", packageType); if (getLogger().isEnabled(LogLevel.INFO)) { getLogger().info("Effective properties: {}", configMap.entrySet().stream() - .filter(e -> e.getKey().startsWith("quarkus.")).map(Object::toString) + .map(Object::toString) .sorted() .collect(Collectors.joining("\n ", "\n ", ""))); } @@ -220,7 +227,7 @@ void generateBuild() { WorkQueue workQueue = workQueue(configMap, () -> extension().buildForkOptions); workQueue.submit(BuildWorker.class, params -> { - params.getBuildSystemProperties().putAll(configMap); + params.getBuildSystemProperties().putAll(extension().buildSystemProperties(appModel.getAppArtifact())); params.getBaseName().set(extension().finalName()); params.getTargetDirectory().set(buildDir.toFile()); params.getAppModel().set(appModel); diff --git a/docs/src/main/asciidoc/reaugmentation.adoc b/docs/src/main/asciidoc/reaugmentation.adoc index 4e36e653dad3d..0c5c976565bdc 100644 --- a/docs/src/main/asciidoc/reaugmentation.adoc +++ b/docs/src/main/asciidoc/reaugmentation.adoc 
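Review bot: The `Effective properties` INFO message in `generateBuild()` still prints every entry of `configMap` through `Object::toString`, key and value together, so the value of any credential-bearing `quarkus.` key ends up in build and CI logs whenever INFO is enabled. The prefix filter added above this statement limits which keys reach the log but does not mask their values. Consider streaming `configMap.keySet()` instead of `configMap.entrySet()` in that statement, or replacing the value with a fixed mask for keys whose name suggests a secret. generateBuild() starts and ends outside the hunk.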
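Review bot: In the `workQueue.submit` lambda the worker is now fed from `extension().buildSystemProperties(appModel.getAppArtifact())`, while the `Effective properties` log and `workQueue(configMap, ...)` a few lines earlier still use `configMap`, so what is logged as effective and what the worker receives come from two differently assembled maps and may disagree. The sources behind `buildEffectiveConfiguration` are not visible here, so the size of the gap is an assumption to confirm. A comment at the call would make the split explicit, e.g. `// forwarded set is rebuilt from forced, build and project properties; it can differ from configMap logged above`, or the map could be built once before the log statement and logged alongside. The lambda and generateBuild() continue outside the hunk.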
@@ -21,7 +21,6 @@ Initialization steps that used to happen when an EAR file was deployed on a Jaka CDI beans added after augmentation won't work (because of the missing proxy classes) as well as build time properties (e.g. `quarkus.datasource.db-kind`) changed after augmentation will be ignored. Build time properties are marked with a lock icon (icon:lock[]) in the xref:all-config.adoc[list of all configuration options]. It doesn't matter if you use profiles or any other way to override the properties. -The build time properties that were active during augmentation are baked into the build. > Re-augmentation is the process of recreating the augmentation output for a different build time configuration @@ -33,7 +32,7 @@ If there are only two or three build time properties that depend on the user env Please notice that you won't be able to use native images with the package type `mutable-jar`. Think of the consequences and what other options you have! -It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes and you could enjoy a cup of coffee until it was ready. +It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes, and you could enjoy a cup of coffee until it was ready. == How to re-augment a Quarkus application 
@@ -46,6 +45,11 @@ TIP: By default, you'll get a warning if a build time property has been changed You may set the `quarkus.configuration.build-time-mismatch-at-runtime=fail` property to make sure your application does not start up if there is a mismatch. However, as of this writing changing `quarkus.datasource.db-kind` at runtime did neither fail nor produce a warning but was silently ignored. +WARNING: Build time configuration provided by build tools (`properties` in Maven `pom.xml` or `gradle.properties` +in Gradle) in the `quarkus` namespace will be part of the `mutable-jar` distribution, including configuration from +`quarkus` that reference secrets or passwords. Please, do not include sensitive information in the build tool +configuration files. + === 1. Build your application as `mutable-jar` [source,bash]