Merge pull request #29650 from gsmet/2.14.3-backports-1

2.14.3 backports 1

bom/application/pom.xml

@@ -53,7 +53,7 @@
         <smallrye-reactive-types-converter.version>2.7.0</smallrye-reactive-types-converter.version>
         <smallrye-mutiny-vertx-binding.version>2.27.0</smallrye-mutiny-vertx-binding.version>
         <smallrye-reactive-messaging.version>3.21.0</smallrye-reactive-messaging.version>
-        <smallrye-stork.version>1.3.0</smallrye-stork.version>
+        <smallrye-stork.version>1.3.3</smallrye-stork.version>
         <jakarta.activation.version>1.2.1</jakarta.activation.version>
         <jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version>
         <jakarta.el-impl.version>3.0.4</jakarta.el-impl.version>
@@ -205,6 +205,7 @@
         <strimzi-oauth.nimbus.version>9.25.6</strimzi-oauth.nimbus.version>
         <java-buildpack-client.version>0.0.6</java-buildpack-client.version>
         <org-crac.version>0.1.1</org-crac.version>
+        <sshd-common.version>2.9.2</sshd-common.version>
     </properties>
 
     <dependencyManagement>
@@ -4731,6 +4732,16 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <dependency>
+                <groupId>org.apache.sshd</groupId>
+                <artifactId>sshd-common</artifactId>
+                <version>${sshd-common.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.sshd</groupId>
+                <artifactId>sshd-core</artifactId>
+                <version>${sshd-common.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.wildfly.security</groupId>
                 <artifactId>wildfly-elytron-sasl-gs2</artifactId>

core/deployment/src/main/java/io/quarkus/deployment/IsDockerWorking.java

@@ -9,6 +9,8 @@
 import java.net.Socket;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.time.Duration;
 import java.util.List;
 import java.util.Optional;
@@ -73,8 +75,8 @@ private TestContainersStrategy(boolean silent) {
 
         @Override
         public Result get() {
-            //testcontainers uses the Unreliables library to test if docker is started
-            //this runs in threads that start with 'ducttape'
+            // Testcontainers uses the Unreliables library to test if docker is started
+            // this runs in threads that start with 'ducttape'
             StartupLogCompressor compressor = new StartupLogCompressor("Checking Docker Environment", Optional.empty(), null,
                     (s) -> s.getName().startsWith("ducttape"));
             try {
@@ -104,7 +106,7 @@ public Result get() {
             } catch (ClassNotFoundException | NoSuchMethodException | InvocationTargetException | IllegalAccessException e) {
                 if (!silent) {
                     compressor.closeAndDumpCaptured();
-                    LOGGER.debug("Unable to use testcontainers to determine if Docker is working", e);
+                    LOGGER.debug("Unable to use Testcontainers to determine if Docker is working", e);
                 }
                 return Result.UNKNOWN;
             } finally {
@@ -122,26 +124,46 @@ public Result get() {
      */
     private static class DockerHostStrategy implements Strategy {
 
+        private static final String UNIX_SCHEME = "unix";
+
         @Override
         public Result get() {
-
             String dockerHost = System.getenv("DOCKER_HOST");
-            if (dockerHost != null && !dockerHost.startsWith("unix:")) {
-                try {
-                    URI url = new URI(dockerHost);
+
+            if (dockerHost == null) {
+                return Result.UNKNOWN;
+            }
+
+            try {
+                URI dockerHostUri = new URI(dockerHost);
+
+                if (UNIX_SCHEME.equals(dockerHostUri.getScheme())) {
+                    // Java 11 does not support connecting to Unix sockets so for now let's use a naive approach
+                    Path dockerSocketPath = Path.of(dockerHostUri.getPath());
+
+                    if (Files.isWritable(dockerSocketPath)) {
+                        return Result.AVAILABLE;
+                    } else {
+                        LOGGER.warnf(
+                                "Unix socket defined in DOCKER_HOST %s is not writable, make sure Docker is running on the specified host",
+                                dockerHost);
+                    }
+                } else {
                     try (Socket s = new Socket()) {
-                        s.connect(new InetSocketAddress(url.getHost(), url.getPort()), DOCKER_HOST_CHECK_TIMEOUT);
+                        s.connect(new InetSocketAddress(dockerHostUri.getHost(), dockerHostUri.getPort()),
+                                DOCKER_HOST_CHECK_TIMEOUT);
                         return Result.AVAILABLE;
                     } catch (IOException e) {
                         LOGGER.warnf(
-                                "Unable to connect to DOCKER_HOST URI %s, make sure docker is running on the specified host",
+                                "Unable to connect to DOCKER_HOST URI %s, make sure Docker is running on the specified host",
                                 dockerHost);
                     }
-                } catch (URISyntaxException | IllegalArgumentException e) {
-                    LOGGER.warnf("Unable to parse DOCKER_HOST URI %s, it will be ignored for working docker detection",
-                            dockerHost);
                 }
+            } catch (URISyntaxException | IllegalArgumentException e) {
+                LOGGER.warnf("Unable to parse DOCKER_HOST URI %s, it will be ignored for working Docker detection",
+                        dockerHost);
             }
+
             return Result.UNKNOWN;
         }
     }

docs/src/main/asciidoc/building-native-image.adoc

@@ -523,6 +523,12 @@ That approach is possible with a multi-stage Docker build:
 1. The first stage builds the native executable using Maven or Gradle
 2. The second stage is a minimal image copying the produced native executable
 
+
+[WARNING]
+====
+Before building a container image from the Dockerfiles shown below, you need to update the default `.dockerignore` file, as it filters everything except the `target` directory. In order to build inside a container, you need to copy the `src` directory. Thus, edit your `.dockerignore` and remove the `*` line.
+====
+
 Such a multi-stage build can be achieved as follows:
 
 Sample Dockerfile for building with Maven:
@@ -591,11 +597,6 @@ CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
 
 If you are using Gradle in your project, you can use this sample Dockerfile.  Save it in `src/main/docker/Dockerfile.multistage`.
 
-[WARNING]
-====
-Before launching our Docker build, we need to update the default `.dockerignore` file as it filters everything except the `target` directory. As we plan to build inside a container, we need to copy the `src` directory. Thus, edit your `.dockerignore` and update the content.
-====
-
 [source,bash]
 ----
 docker build -f src/main/docker/Dockerfile.multistage -t quarkus-quickstart/getting-started .

docs/src/main/asciidoc/http-reference.adoc

@@ -27,7 +27,7 @@ Servlet filter, otherwise it will run directly on top of Vert.x with no Servlet
 
 To serve static resources you must place them in the `META-INF/resources` directory of your application. This location
 was chosen as it is the standard location for resources in `jar` files as defined by the Servlet spec. Even though
-Quarkus can be used without Servlet following this convention allows existing code that places its resources in this
+Quarkus can be used without Servlet, following this convention allows existing code that places its resources in this
 location to function correctly.
 
 === WebJar Locator Support
@@ -134,7 +134,7 @@ quarkus.http.ssl.certificate.key-files=/path/to/key
 
 === Providing a keystore
 
-An alternate solution is to directly provide a keystore which already contains a default entry with a certificate
+An alternate solution is to directly provide a keystore which already contains a default entry with a certificate.
  You will need to at least provide the file and a password.
 
 As with the certificate/key file combination, Quarkus will first try to resolve the given path as a resource, before attempting to read it from the filesystem.

docs/src/main/asciidoc/podman.adoc

@@ -93,21 +93,35 @@ sudo apt install podman podman-docker docker-compose
 
 Podman supports two modes of operation: rootful, in which case the container runs as root on the host system, and rootless, where the container runs under a standard Unix user account.
 On Linux, the REST API Unix socket is, by default, restricted to only allow the root user to access it.
-This prevents someone from using a container to achieve a privilege escalation on the syetem.
+This prevents someone from using a container to achieve a privilege escalation on the system.
 While these restrictions can be softened to allow a special group instead of just root, the recommended approach is to use rootless Podman on Linux.
-To use rootless Podman, you need to set a DOCKER_HOST environment variable to point to the user-specific socket.
+To use rootless Podman, you need to set a `DOCKER_HOST` environment variable to point to the user-specific socket.
 In both cases, you need to start the REST API by enabling the Podman socket service through systemd.
 
 [source]
 ----
-
 # Enable the podman socket with Docker REST API (only needs to be done once)
 systemctl --user enable podman.socket --now
-# Set the required environment variables (need to be run everytime or added to profile)
+----
+
+Then, you can obtain the path of the socket with the following command:
+
+[source]
+----
+$ podman info | grep -A2 'remoteSocket'
+
+remoteSocket:
+  exists: true
+  path: /path/to/podman.sock
+----
 
-export DOCKER_HOST=unix:///run/user/${UID}/podman/podman.sock
+Setting the `DOCKER_HOST` environment variable must be done every time or added to the profile:
 
+[source]
+----
+export DOCKER_HOST=unix:///path/to/podman.sock <1>
 ----
+<1> Replace `/path/to/podman.sock` with the path you obtained previously.
 
 For a detailed explanation, see this https://quarkus.io/blog/quarkus-devservices-testcontainers-podman/[blog article].
 

extensions/infinispan-client/runtime/src/main/java/io/quarkus/infinispan/client/runtime/InfinispanClientProducer.java

@@ -233,7 +233,7 @@ private ConfigurationBuilder builderFromProperties(Properties properties) {
             String cacheName = cache.getKey();
             InfinispanClientRuntimeConfig.RemoteCacheConfig remoteCacheConfig = cache.getValue();
             if (remoteCacheConfig.configurationUri.isPresent()) {
-                URL configFile = InfinispanClientProducer.class.getClassLoader()
+                URL configFile = Thread.currentThread().getContextClassLoader()
                         .getResource(remoteCacheConfig.configurationUri.get());
                 try {
                     builder.remoteCache(cacheName).configurationURI(configFile.toURI());

extensions/resteasy-classic/resteasy/deployment/src/test/java/io/quarkus/resteasy/test/security/HttpPolicyAuthFailureExceptionMapperTest.java

@@ -1,5 +1,9 @@
 package io.quarkus.resteasy.test.security;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.concurrent.atomic.AtomicInteger;
+
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.core.Response;
@@ -22,6 +26,11 @@ public class HttpPolicyAuthFailureExceptionMapperTest {
 
     private static final String EXPECTED_RESPONSE = "expect response";
 
+    /**
+     * Number of times exception mappers was invoked.
+     */
+    private static final AtomicInteger EXCEPTION_MAPPER_INVOCATION_COUNT = new AtomicInteger(0);
+
     @RegisterExtension
     static QuarkusUnitTest runner = new QuarkusUnitTest()
             .withApplicationRoot((jar) -> jar
@@ -47,13 +56,17 @@ public void testAuthFailedExceptionMapper() {
                 .then()
                 .statusCode(401)
                 .body(Matchers.equalTo(EXPECTED_RESPONSE));
+
+        assertEquals(1, EXCEPTION_MAPPER_INVOCATION_COUNT.get(),
+                "Exception mapper was invoked more than once during one request.");
     }
 
     @Provider
     public static class AuthFailedExceptionMapper implements ExceptionMapper<AuthenticationFailedException> {
 
         @Override
         public Response toResponse(AuthenticationFailedException exception) {
+            EXCEPTION_MAPPER_INVOCATION_COUNT.incrementAndGet();
             return Response.status(401).entity(EXPECTED_RESPONSE).build();
         }
     }

extensions/vertx-http/dev-console-runtime-spi/src/main/java/io/quarkus/devconsole/runtime/spi/DevConsolePostHandler.java

@@ -75,7 +75,7 @@ public void run() {
     protected void actionSuccess(RoutingContext event) {
         if (!event.response().ended()) {
             event.response().setStatusCode(HttpResponseStatus.SEE_OTHER.code()).headers()
-                    .set(HttpHeaderNames.LOCATION, event.request().absoluteURI());
+                    .set(HttpHeaderNames.LOCATION, event.request().uri());
             event.response().end();
         }
     }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java

@@ -17,7 +17,7 @@
 public class CertificateConfig {
 
     /**
-     * The {@linkplain CredentialsProvider}}.
+     * The {@linkplain CredentialsProvider}.
      * If this property is configured then a matching 'CredentialsProvider' will be used
      * to get the keystore, keystore key and truststore passwords unless these passwords have already been configured.
      *

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthorizer.java

@@ -138,7 +138,9 @@ public void accept(HttpSecurityPolicy.CheckResult checkResult) {
                 }, new Consumer<Throwable>() {
                     @Override
                     public void accept(Throwable throwable) {
-                        if (!routingContext.response().ended()) {
+                        // we don't fail event if it's already failed with same exception as we don't want to process
+                        // the exception twice;at this point, the exception could be failed by the default auth failure handler
+                        if (!routingContext.response().ended() && !throwable.equals(routingContext.failure())) {
                             routingContext.fail(throwable);
                         } else if (!(throwable instanceof AuthenticationFailedException)) {
                             //don't log auth failure

extensions/vertx/deployment/src/main/java/io/quarkus/vertx/deployment/VertxProcessor.java

@@ -122,6 +122,9 @@ void collectEventConsumers(
         AnnotationStore annotationStore = beanRegistrationPhase.getContext().get(BuildExtension.Key.ANNOTATION_STORE);
         for (BeanInfo bean : beanRegistrationPhase.getContext().beans().classBeans()) {
             for (MethodInfo method : bean.getTarget().get().asClass().methods()) {
+                if (method.isSynthetic()) {
+                    continue;
+                }
                 AnnotationInstance consumeEvent = annotationStore.getAnnotation(method, CONSUME_EVENT);
                 if (consumeEvent != null) {
                     // Validate method params and return type

independent-projects/bootstrap/maven-resolver/src/main/java/io/quarkus/bootstrap/resolver/maven/BuildDependencyGraphVisitor.java

@@ -138,7 +138,7 @@ private void visitLeave(DependencyNode node) throws BootstrapMavenException {
 
             Artifact artifact = dep.getArtifact();
             if (artifact.getFile() == null) {
-                artifact = resolver.resolve(artifact).getArtifact();
+                artifact = resolver.resolve(artifact, node.getRepositories()).getArtifact();
             }
 
             int flags = DependencyFlags.DEPLOYMENT_CP;

integration-tests/bouncycastle-jsse/src/main/java/io/quarkus/it/bouncycastle/SecretProvider.java

@@ -4,18 +4,20 @@
 import java.util.Map;
 
 import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Named;
 
 import io.quarkus.arc.Unremovable;
 import io.quarkus.credentials.CredentialsProvider;
 
 @ApplicationScoped
 @Unremovable
+@Named("custom-secret-provider")
 public class SecretProvider implements CredentialsProvider {
 
     @Override
     public Map<String, String> getCredentials(String credentialsProviderName) {
         Map<String, String> creds = new HashMap<>();
-        creds.put("keystore-password", "password");
+        creds.put("keystore-password", "secret");
         creds.put("truststore-password", "password");
         return creds;
     }

integration-tests/bouncycastle-jsse/src/main/resources/application.properties

@@ -1,10 +1,11 @@
 quarkus.security.security-providers=BCJSSE
 
 quarkus.http.ssl.certificate.key-store-file=server-keystore.jks
-quarkus.http.ssl.certificate.key-store-password-key=key-store-password
+quarkus.http.ssl.certificate.key-store-password-key=keystore-password
 quarkus.http.ssl.certificate.trust-store-file=server-truststore.jks
 quarkus.http.ssl.certificate.trust-store-password-key=truststore-password
 quarkus.http.ssl.certificate.credentials-provider=custom
+quarkus.http.ssl.certificate.credentials-provider-name=custom-secret-provider
 
 quarkus.http.ssl.client-auth=REQUIRED
 quarkus.native.additional-build-args=-H:IncludeResources=.*\\.jks

integration-tests/bouncycastle-jsse/src/test/java/io/quarkus/it/bouncycastle/BouncyCastleJsseTestCase.java

@@ -45,7 +45,7 @@ protected void doTestListProviders() {
                 .setBaseUri(String.format("%s://%s", url.getProtocol(), url.getHost()))
                 .setPort(url.getPort())
                 .setKeyStore("client-keystore.jks", "password")
-                .setTrustStore("client-truststore.jks", "password")
+                .setTrustStore("client-truststore.jks", "secret")
                 .build();
         RestAssured.given()
                 .spec(spec)