Merge pull request #34384 from gsmet/2.16.8-backports-1

2.16.8 backports 1

.gitignore

@@ -41,3 +41,4 @@ nb-configuration.xml
 .sdkmanrc
 .envrc
 .jekyll-cache
+.mvn/.gradle-enterprise/

bom/application/pom.xml

@@ -138,8 +138,8 @@
         <infinispan.version>14.0.6.Final</infinispan.version>
         <infinispan.protostream.version>4.5.1.Final</infinispan.protostream.version>
         <caffeine.version>3.1.1</caffeine.version>
-        <netty.version>4.1.86.Final</netty.version>
-        <brotli4j.version>1.8.0</brotli4j.version>
+        <netty.version>4.1.94.Final</netty.version>
+        <brotli4j.version>1.12.0</brotli4j.version>
         <reactive-streams.version>1.0.3</reactive-streams.version>
         <jboss-logging.version>3.5.0.Final</jboss-logging.version>
         <mutiny.version>1.9.0</mutiny.version>

core/deployment/src/main/java/io/quarkus/deployment/builditem/DevServicesResultBuildItem.java

@@ -87,7 +87,9 @@ public boolean isOwner() {
 
         @Override
         public void close() throws IOException {
-            this.closeable.close();
+            if (this.closeable != null) {
+                this.closeable.close();
+            }
         }
 
         public DevServicesResultBuildItem toBuildItem() {

devtools/maven/src/main/java/io/quarkus/maven/QuarkusBootstrapProvider.java

@@ -190,8 +190,11 @@ private CuratedApplication doBootstrap(QuarkusBootstrapMojo mojo, LaunchMode mod
             effectiveProperties.putIfAbsent("quarkus.application.version", mojo.mavenProject().getVersion());
 
             for (Map.Entry<String, String> attribute : mojo.manifestEntries().entrySet()) {
-                effectiveProperties.put(toManifestAttributeKey(attribute.getKey()),
-                        attribute.getValue());
+                if (attribute.getValue() == null) {
+                    mojo.getLog().warn("Skipping manifest entry property " + attribute.getKey() + " with a missing value");
+                } else {
+                    effectiveProperties.put(toManifestAttributeKey(attribute.getKey()), attribute.getValue());
+                }
             }
             for (ManifestSection section : mojo.manifestSections()) {
                 for (Map.Entry<String, String> attribute : section.getManifestEntries().entrySet()) {

docs/src/main/asciidoc/_attributes.adoc

@@ -1,4 +1,4 @@
-// Common attributes. 
+// Common attributes.
 // --> No blank lines (it ends the document header)
 :project-name: Quarkus
 :quarkus-version: ${project.version}
@@ -52,5 +52,6 @@
 :micrometer-registry-guide: https://quarkiverse.github.io/quarkiverse-docs/quarkus-micrometer-registry/dev/index.html
 // .
 :create-app-group-id: org.acme
+:create-cli-group-id: {create-app-group-id}
 // .
 include::_attributes-local.adoc[]

docs/src/main/asciidoc/_includes/devtools/create-cli.adoc

@@ -3,29 +3,27 @@
 ****
 [source,bash,subs=attributes+]
 ----
-ifdef::create-cli-group-id[]
-ifdef::create-cli-extensions[]
+ifdef::create-cli-extensions,create-cli-stream[]
 quarkus create cli {create-cli-group-id}:{create-cli-artifact-id} \
 endif::[]
-ifndef::create-cli-extensions[]
+ifndef::create-cli-extensions,create-cli-stream[]
 ifndef::create-cli-code[]
 quarkus create cli {create-cli-group-id}:{create-cli-artifact-id} \
 endif::[]
 ifdef::create-cli-code[]
 quarkus create cli {create-cli-group-id}:{create-cli-artifact-id}
 endif::[]
 endif::[]
-endif::[]
-ifndef::create-cli-group-id[]
+ifdef::create-cli-stream[]
 ifdef::create-cli-extensions[]
-quarkus create cli org.acme:{create-cli-artifact-id} \
+    --stream={create-cli-stream} \
 endif::[]
 ifndef::create-cli-extensions[]
 ifndef::create-cli-code[]
-quarkus create cli org.acme:{create-cli-artifact-id} \
+    --stream={create-cli-stream} \
 endif::[]
 ifdef::create-cli-code[]
-quarkus create cli org.acme:{create-cli-artifact-id}
+    --stream={create-cli-stream}
 endif::[]
 endif::[]
 endif::[]
@@ -61,9 +59,10 @@ _For more information about how to install the Quarkus CLI and use it, please re
 [source,bash,subs=attributes+]
 ----
 mvn io.quarkus.platform:quarkus-maven-plugin:{quarkus-version}:create \
-ifdef::create-cli-group-id[]
-    -DprojectGroupId={create-cli-group-id} \
+ifdef::create-cli-stream[]
+    -DplatformVersion={quarkus-version} \
 endif::[]
+    -DprojectGroupId={create-cli-group-id} \
 ifndef::create-cli-group-id[]
     -DprojectGroupId=org.acme \
 endif::[]

docs/src/main/asciidoc/security-csrf-prevention.adoc

@@ -120,7 +120,7 @@ public class UserNameResource {
 
 The form POST request will fail with HTTP status `400` if the filter finds the hidden CSRF form field is missing, the CSRF cookie is missing, or if the CSRF form field and CSRF cookie values do not match.
 
-At this stage no additional configuration is needed - by default the CSRF form field and cookie name will be set to `csrf_token`, and the filter will verify the token. But you can change these names if you would like:
+At this stage no additional configuration is needed - by default the CSRF form field and cookie name will be set to `csrf-token`, and the filter will verify the token. But you can change these names if you would like:
 
 [source,properties]
 ----
@@ -241,6 +241,7 @@ import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.MediaType;
 
 import io.quarkus.qute.Template;
@@ -263,7 +264,7 @@ public class UserNameResource {
     @Path("/csrfTokenForm")
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     @Produces(MediaType.TEXT_PLAIN)
-    public String postCsrfTokenForm(@CookieParam("csrf-token") csrfCookie, @FormParam("csrf-token") String formCsrfToken, @FormParam("name") String userName) {
+    public String postCsrfTokenForm(@CookieParam("csrf-token") Cookie csrfCookie, @FormParam("csrf-token") String formCsrfToken, @FormParam("name") String userName) {
         if (!csrfCookie.getValue().equals(formCsrfToken)) { <1>
             throw new BadRequestException();
         }

extensions/config-yaml/runtime/src/main/resources/META-INF/quarkus-extension.yaml

@@ -8,7 +8,7 @@ metadata:
   categories:
   - "core"
   status: "stable"
-  guide: "https://quarkus.io/guides/config#yaml"
+  guide: "https://quarkus.io/guides/config-yaml"
   codestart:
     name: "config-yaml"
     languages:

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java

@@ -435,7 +435,7 @@ private Uni<TokenVerificationResult> refreshJwksAndVerifyTokenUni(TenantConfigCo
                 .recoverWithUni(f -> introspectTokenUni(resolvedContext, token));
     }
 
-    private Uni<TokenVerificationResult> introspectTokenUni(TenantConfigContext resolvedContext, String token) {
+    private Uni<TokenVerificationResult> introspectTokenUni(TenantConfigContext resolvedContext, final String token) {
         TokenIntrospectionCache tokenIntrospectionCache = tenantResolver.getTokenIntrospectionCache();
         Uni<TokenIntrospection> tokenIntrospectionUni = tokenIntrospectionCache == null ? null
                 : tokenIntrospectionCache
@@ -444,7 +444,12 @@ private Uni<TokenVerificationResult> introspectTokenUni(TenantConfigContext reso
             tokenIntrospectionUni = newTokenIntrospectionUni(resolvedContext, token);
         } else {
             tokenIntrospectionUni = tokenIntrospectionUni.onItem().ifNull()
-                    .switchTo(newTokenIntrospectionUni(resolvedContext, token));
+                    .switchTo(new Supplier<Uni<? extends TokenIntrospection>>() {
+                        @Override
+                        public Uni<TokenIntrospection> get() {
+                            return newTokenIntrospectionUni(resolvedContext, token);
+                        }
+                    });
         }
         return tokenIntrospectionUni.onItem().transform(t -> new TokenVerificationResult(null, t));
     }
@@ -489,10 +494,8 @@ private Uni<UserInfo> getUserInfoUni(RoutingContext vertxContext, TokenAuthentic
         }
 
         LOG.debug("Requesting UserInfo");
-        String accessToken = vertxContext.get(OidcConstants.ACCESS_TOKEN_VALUE);
-        if (accessToken == null) {
-            accessToken = request.getToken().getToken();
-        }
+        String contextAccessToken = vertxContext.get(OidcConstants.ACCESS_TOKEN_VALUE);
+        final String accessToken = contextAccessToken != null ? contextAccessToken : request.getToken().getToken();
 
         UserInfoCache userInfoCache = tenantResolver.getUserInfoCache();
         Uni<UserInfo> userInfoUni = userInfoCache == null ? null
@@ -501,7 +504,12 @@ private Uni<UserInfo> getUserInfoUni(RoutingContext vertxContext, TokenAuthentic
             userInfoUni = newUserInfoUni(resolvedContext, accessToken);
         } else {
             userInfoUni = userInfoUni.onItem().ifNull()
-                    .switchTo(newUserInfoUni(resolvedContext, accessToken));
+                    .switchTo(new Supplier<Uni<? extends UserInfo>>() {
+                        @Override
+                        public Uni<UserInfo> get() {
+                            return newUserInfoUni(resolvedContext, accessToken);
+                        }
+                    });
         }
         return userInfoUni;
     }

extensions/resteasy-classic/rest-client-config/runtime/src/main/java/io/quarkus/restclient/config/RestClientConfig.java

@@ -137,7 +137,8 @@ public class RestClientConfig {
     public Optional<QueryParamStyle> queryParamStyle;
 
     /**
-     * Set whether hostname verification is enabled.
+     * Set whether hostname verification is enabled. Default is enabled.
+     * This setting should not be disabled in production as it makes the client vulnerable to MITM attacks.
      */
     @ConfigItem
     public Optional<Boolean> verifyHost;

extensions/resteasy-classic/rest-client-config/runtime/src/main/java/io/quarkus/restclient/config/RestClientsConfig.java

@@ -226,7 +226,8 @@ public class RestClientsConfig {
     public Optional<QueryParamStyle> queryParamStyle;
 
     /**
-     * Set whether hostname verification is enabled.
+     * Set whether hostname verification is enabled. Default is enabled.
+     * This setting should not be disabled in production as it makes the client vulnerable to MITM attacks.
      *
      * Can be overwritten by client-specific settings.
      */

extensions/resteasy-reactive/rest-client-reactive/deployment/src/test/java/io/quarkus/rest/client/reactive/ConfigurationTest.java

@@ -78,9 +78,6 @@ private void verifyClientConfig(RestClientConfig clientConfig, boolean checkExtr
         assertThat(clientConfig.followRedirects.get()).isEqualTo(true);
         assertThat(clientConfig.queryParamStyle).isPresent();
         assertThat(clientConfig.queryParamStyle.get()).isEqualTo(QueryParamStyle.COMMA_SEPARATED);
-        assertThat(clientConfig.hostnameVerifier).isPresent();
-        assertThat(clientConfig.hostnameVerifier.get())
-                .isEqualTo("io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier");
 
         if (checkExtraProperties) {
             assertThat(clientConfig.connectionTTL).isPresent();

extensions/resteasy-reactive/rest-client-reactive/deployment/src/test/java/io/quarkus/rest/client/reactive/GlobalConfigurationTest.java

@@ -64,8 +64,6 @@ void checkGlobalConfigValues() {
         assertThat(configRoot.readTimeout).isEqualTo(2001);
         assertThat(configRoot.userAgent.get()).isEqualTo("agent");
         assertThat(configRoot.headers).isEqualTo(Collections.singletonMap("foo", "bar"));
-        assertThat(configRoot.hostnameVerifier.get())
-                .isEqualTo("io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier");
         assertThat(configRoot.connectionTTL.get()).isEqualTo(20000); // value in ms, will be converted to seconds
         assertThat(configRoot.connectionPoolSize.get()).isEqualTo(2);
         assertThat(configRoot.keepAliveEnabled.get()).isTrue();

extensions/resteasy-reactive/rest-client-reactive/deployment/src/test/java/io/quarkus/rest/client/reactive/HelloClientWithBaseUri.java

@@ -1,7 +1,5 @@
 package io.quarkus.rest.client.reactive;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLSession;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
@@ -30,11 +28,4 @@ public void filter(ClientRequestContext requestContext, ClientResponseContext re
         }
     }
 
-    class MyHostnameVerifier implements HostnameVerifier {
-        @Override
-        public boolean verify(String hostname, SSLSession session) {
-            return true;
-        }
-    }
-
 }

extensions/resteasy-reactive/rest-client-reactive/deployment/src/test/resources/configuration-test-application.properties

@@ -2,7 +2,6 @@
 io.quarkus.rest.client.reactive.HelloClientWithBaseUri/mp-rest/url=http://localhost:${quarkus.http.test-port:8081}/invalid-endpoint
 io.quarkus.rest.client.reactive.HelloClientWithBaseUri/mp-rest/scope=InvalidScope
 io.quarkus.rest.client.reactive.HelloClientWithBaseUri/mp-rest/providers=InvalidProvider
-io.quarkus.rest.client.reactive.HelloClientWithBaseUri/mp-rest/hostnameVerifier=InvalidVerifier
 
 # client identified by class name
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".url=http://localhost:${quarkus.http.test-port:8081}/hello
@@ -13,7 +12,6 @@ quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".rea
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".follow-redirects=true
 #quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".proxy-address=localhost:8080
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".query-param-style=COMMA_SEPARATED
-quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".hostname-verifier=io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".connection-ttl=30000
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".connection-pool-size=10
 quarkus.rest-client."io.quarkus.rest.client.reactive.HelloClientWithBaseUri".keep-alive-enabled=false
@@ -30,7 +28,6 @@ quarkus.rest-client.client-prefix.read-timeout=6000
 quarkus.rest-client.client-prefix.follow-redirects=true
 quarkus.rest-client.client-prefix.proxy-address=localhost:8080
 quarkus.rest-client.client-prefix.query-param-style=COMMA_SEPARATED
-quarkus.rest-client.client-prefix.hostname-verifier=io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier
 quarkus.rest-client.client-prefix.connection-ttl=30000
 quarkus.rest-client.client-prefix.connection-pool-size=10
 quarkus.rest-client.client-prefix.keep-alive-enabled=false
@@ -54,4 +51,3 @@ mp-client-prefix/mp-rest/readTimeout=6000
 mp-client-prefix/mp-rest/followRedirects=true
 mp-client-prefix/mp-rest/proxyAddress=localhost:8080
 mp-client-prefix/mp-rest/queryParamStyle=COMMA_SEPARATED
-mp-client-prefix/mp-rest/hostnameVerifier=io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier

extensions/resteasy-reactive/rest-client-reactive/deployment/src/test/resources/global-configuration-test-application.properties

@@ -18,7 +18,6 @@ quarkus.rest-client.connect-timeout=2000
 quarkus.rest-client.read-timeout=2001
 quarkus.rest-client.user-agent=agent
 quarkus.rest-client.headers.foo=bar
-quarkus.rest-client.hostname-verifier=io.quarkus.rest.client.reactive.HelloClientWithBaseUri$MyHostnameVerifier
 quarkus.rest-client.connection-ttl=20000
 quarkus.rest-client.connection-pool-size=2
 quarkus.rest-client.keep-alive-enabled=true

extensions/resteasy-reactive/rest-client-reactive/runtime/src/test/java/io/quarkus/rest/client/reactive/runtime/RestClientCDIDelegateBuilderTest.java

@@ -12,8 +12,6 @@
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLSession;
 import javax.ws.rs.client.ClientRequestContext;
 import javax.ws.rs.client.ClientResponseContext;
 import javax.ws.rs.client.ClientResponseFilter;
@@ -101,7 +99,6 @@ public void testClientSpecificConfigs() {
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.USER_AGENT, "agent1");
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.STATIC_HEADERS,
                 Collections.singletonMap("header1", "value"));
-        Mockito.verify(restClientBuilderMock).hostnameVerifier(Mockito.any(MyHostnameVerifier1.class));
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.CONNECTION_TTL, 10); // value converted to seconds
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.CONNECTION_POOL_SIZE, 103);
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.KEEP_ALIVE_ENABLED, false);
@@ -144,7 +141,6 @@ public void testGlobalConfigs() {
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.USER_AGENT, "agent2");
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.STATIC_HEADERS,
                 Collections.singletonMap("header2", "value"));
-        Mockito.verify(restClientBuilderMock).hostnameVerifier(Mockito.any(MyHostnameVerifier2.class));
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.CONNECTION_TTL, 20);
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.CONNECTION_POOL_SIZE, 203);
         Mockito.verify(restClientBuilderMock).property(QuarkusRestClientProperties.KEEP_ALIVE_ENABLED, true);
@@ -173,8 +169,6 @@ private static RestClientsConfig createSampleConfigRoot() {
         configRoot.readTimeout = 201L;
         configRoot.userAgent = Optional.of("agent2");
         configRoot.headers = Collections.singletonMap("header2", "value");
-        configRoot.hostnameVerifier = Optional
-                .of("io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilderTest$MyHostnameVerifier2");
         configRoot.connectionTTL = Optional.of(20000); // value in ms, will be converted to seconds
         configRoot.connectionPoolSize = Optional.of(203);
         configRoot.keepAliveEnabled = Optional.of(true);
@@ -212,8 +206,6 @@ private static RestClientConfig createSampleClientConfig() {
         clientConfig.readTimeout = Optional.of(101L);
         clientConfig.userAgent = Optional.of("agent1");
         clientConfig.headers = Collections.singletonMap("header1", "value");
-        clientConfig.hostnameVerifier = Optional
-                .of("io.quarkus.rest.client.reactive.runtime.RestClientCDIDelegateBuilderTest$MyHostnameVerifier1");
         clientConfig.connectionTTL = Optional.of(10000); // value in milliseconds, will be converted to seconds
         clientConfig.connectionPoolSize = Optional.of(103);
         clientConfig.keepAliveEnabled = Optional.of(false);
@@ -251,18 +243,4 @@ public void filter(ClientRequestContext requestContext, ClientResponseContext re
         }
     }
 
-    public static class MyHostnameVerifier1 implements HostnameVerifier {
-        @Override
-        public boolean verify(String hostname, SSLSession session) {
-            return true;
-        }
-    }
-
-    public static class MyHostnameVerifier2 implements HostnameVerifier {
-        @Override
-        public boolean verify(String hostname, SSLSession session) {
-            return true;
-        }
-    }
-
 }

independent-projects/resteasy-reactive/client/runtime/src/main/java/org/jboss/resteasy/reactive/client/impl/ClientBuilderImpl.java

@@ -59,7 +59,7 @@ public class ClientBuilderImpl extends ClientBuilder {
 
     private boolean followRedirects;
     private boolean trustAll;
-    private boolean verifyHost;
+    private boolean verifyHost = true;
 
     private LoggingScope loggingScope;
     private Integer loggingBodySize = 100;
@@ -81,7 +81,7 @@ public ClientBuilder withConfig(Configuration config) {
     @Override
     public ClientBuilder sslContext(SSLContext sslContext) {
         // TODO
-        throw new RuntimeException("Specifying SSLContext is not supported at the moment");
+        throw new UnsupportedOperationException("Specifying SSLContext is not supported at the moment");
     }
 
     @Override
@@ -104,8 +104,8 @@ public ClientBuilder trustStore(KeyStore trustStore, char[] password) {
 
     @Override
     public ClientBuilder hostnameVerifier(HostnameVerifier verifier) {
-        this.hostnameVerifier = verifier;
-        return this;
+        // TODO
+        throw new UnsupportedOperationException("Specifying HostnameVerifier is not supported at the moment");
     }
 
     @Override

independent-projects/resteasy-reactive/server/runtime/src/main/java/org/jboss/resteasy/reactive/server/jaxrs/HttpHeadersImpl.java

@@ -23,7 +23,6 @@ public class HttpHeadersImpl implements HttpHeaders {
 
     private final MultivaluedMap<String, String> requestHeaders;
     private final MultivaluedMap<String, String> unmodifiableRequestHeaders;
-    private Map<String, Cookie> cookies;
 
     public HttpHeadersImpl(Iterable<Map.Entry<String, String>> vertxHeaders) {
         requestHeaders = new CaseInsensitiveMap<>();
@@ -50,10 +49,7 @@ public List<String> getRequestHeader(String name) {
 
     @Override
     public Map<String, Cookie> getCookies() {
-        if (cookies == null) {
-            cookies = Collections.unmodifiableMap(HeaderUtil.getCookies(requestHeaders));
-        }
-        return cookies;
+        return Collections.unmodifiableMap(HeaderUtil.getCookies(requestHeaders));
     }
 
     @Override