Upgrade to Quarkus 3.13.0

Closes keycloak#31676

Signed-off-by: Václav Muzikář <[email protected]>
Co-authored-by: Peter Zaoral <[email protected]>

docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc

@@ -97,3 +97,11 @@ This is enforced by default, and can be disabled using the SPI option `spi-singl
 It used to be difficult to regain access to a {project_name} instance when all admin users were locked out. The process required multiple advanced steps, including direct database access and manual changes. In an effort to improve the user experience, {project_name} now provides multiple ways to bootstrap a new admin account, which can be used to recover from such situations.
 
 Consequently, the environment variables `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` have been deprecated. You should use `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD` instead. These are also general options, so they may be specified via the cli or other config sources, for example `--bootstrap-admin-username=admin`. For more information, see the new https://www.keycloak.org/server/bootstrap-admin-recovery[Bootstrap admin and recovery] guide.
+
+= Keystore and trust store default format change
+
+{project_name} now determines the format of the keystore and trust store based on the file extension. If the file extension is `.p12`, `.pkcs12` or `.pfx`, the format is PKCS12. If the file extension is `.jks`, `.keystore` or `.truststore`, the format is JKS. If the file extension is `.pem`, `.crt` or `.key`, the format is PEM.
+
+You can still override automatic detection by specifying the `https-key-store-type` and `https-trust-store-type` explicitly. Restrictions for the FIPS strict mode stays unchanged.
+
+NOTE: The `+spi-truststore-file-*+` options and the truststore related options `+https-trust-store-*+` are deprecated, we strongly recommend to use System Truststore. For more details refer to the relevant https://www.keycloak.org/server/keycloak-truststore[guide].

operator/pom.xml

@@ -165,7 +165,7 @@
                     </goals>
                     <configuration>
                         <properties>
-                            <quarkus.package.filter-optional-dependencies>true</quarkus.package.filter-optional-dependencies> 
+                            <quarkus.package.jar.filter-optional-dependencies>true</quarkus.package.jar.filter-optional-dependencies>
                         </properties>
                     </configuration>
                     </execution>

pom.xml

@@ -51,8 +51,8 @@
         <jboss.snapshots.repo.id>jboss-snapshots-repository</jboss.snapshots.repo.id>
         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
 
-        <quarkus.version>3.8.5</quarkus.version>
-        <quarkus.build.version>3.8.5</quarkus.build.version>
+        <quarkus.version>3.13.0</quarkus.version>
+        <quarkus.build.version>3.13.0</quarkus.build.version>
 
         <project.build-time>${timestamp}</project.build-time>
 
@@ -99,12 +99,11 @@
         <h2.version>2.2.224</h2.version>
         <hibernate-orm.plugin.version>6.2.13.Final</hibernate-orm.plugin.version>
         <hibernate.c3p0.version>6.2.13.Final</hibernate.c3p0.version>
-        <infinispan.version>15.0.5.Final</infinispan.version>
+        <infinispan.version>15.0.6.Final</infinispan.version>
         <protostream.version>5.0.7.Final</protostream.version>
 
         <!--JAKARTA-->
-        <jakarta.mail.version>2.1.1</jakarta.mail.version>
-        <angus.mail.version>2.0.1</angus.mail.version>
+        <jakarta.mail.version>2.0.1</jakarta.mail.version>
         <jakarta.xml.ws.version>4.0.0</jakarta.xml.ws.version>
         <jakarta.xml.soap.version>3.0.0</jakarta.xml.soap.version>
 
@@ -115,7 +114,7 @@
         <jboss.spec.javax.servlet.jsp.jboss-jsp-api_2.3_spec.version>2.0.0.Final</jboss.spec.javax.servlet.jsp.jboss-jsp-api_2.3_spec.version>
         <log4j.version>1.2.17</log4j.version>
         <resteasy-legacy.version>4.7.7.Final</resteasy-legacy.version>
-        <resteasy.version>6.2.7.Final</resteasy.version>
+        <resteasy.version>6.2.9.Final</resteasy.version>
         <resteasy.undertow.version>${resteasy.version}</resteasy.undertow.version>
         <owasp.html.sanitizer.version>20240325.1</owasp.html.sanitizer.version>
         <slf4j.version>2.0.6</slf4j.version>
@@ -128,7 +127,7 @@
         <undertow.version>${undertow-legacy.version}</undertow.version>
         <undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
         <undertow-jakarta.version>2.3.2.Final</undertow-jakarta.version>
-        <wildfly-elytron.version>2.2.3.Final</wildfly-elytron.version>
+        <wildfly-elytron.version>2.5.0.Final</wildfly-elytron.version>
         <elytron.undertow-server.version>1.9.0.Final</elytron.undertow-server.version>
         <woodstox.version>6.0.3</woodstox.version>
         <wildfly.common.quarkus.aligned.version>1.5.4.Final-format-001</wildfly.common.quarkus.aligned.version>
@@ -152,7 +151,7 @@
         <com.apicatalog.titanium-json-ld.version>1.3.3</com.apicatalog.titanium-json-ld.version>
         <io.setl.rdf-urdna.version>1.1</io.setl.rdf-urdna.version>
 
-        <liquibase.version>4.25.1</liquibase.version>
+        <liquibase.version>4.27.0</liquibase.version>
         <servlet.api.30.version>1.0.2.Final</servlet.api.30.version>
         <servlet.api.40.version>2.0.0.Final</servlet.api.40.version>
         <twitter4j.version>4.1.2</twitter4j.version>
@@ -163,12 +162,12 @@
         <postgresql.version>16</postgresql.version>
         <aurora-postgresql.version>16.1</aurora-postgresql.version>
         <aws-jdbc-wrapper.version>2.3.1</aws-jdbc-wrapper.version>
-        <postgresql-jdbc.version>42.7.2</postgresql-jdbc.version>
+        <postgresql-jdbc.version>42.7.3</postgresql-jdbc.version>
         <mariadb.version>10.11</mariadb.version>
-        <mariadb-jdbc.version>3.3.3</mariadb-jdbc.version>
+        <mariadb-jdbc.version>3.4.0</mariadb-jdbc.version>
         <mssql.version>2022-latest</mssql.version>
         <!-- this is the mssql driver version also used in the Quarkus BOM -->
-        <mssql-jdbc.version>12.4.2.jre11</mssql-jdbc.version>
+        <mssql-jdbc.version>12.6.3.jre11</mssql-jdbc.version>
         <oracledb.version>19.3</oracledb.version>
         <!-- this is the oracle driver version also used in the Quarkus BOM -->
         <oracle-jdbc.version>23.3.0.23.09</oracle-jdbc.version>
@@ -425,16 +424,10 @@
 
             <!--JAKARTA-->
             <dependency>
-                <groupId>jakarta.mail</groupId>
-                <artifactId>jakarta.mail-api</artifactId>
+                <groupId>com.sun.mail</groupId>
+                <artifactId>jakarta.mail</artifactId>
                 <version>${jakarta.mail.version}</version>
             </dependency>
-            <!--Implementation of the Jakarta Mail API-->
-            <dependency>
-                <groupId>org.eclipse.angus</groupId>
-                <artifactId>angus-mail</artifactId>
-                <version>${angus.mail.version}</version>
-            </dependency>
             <dependency>
                 <groupId>jakarta.xml.ws</groupId>
                 <artifactId>jakarta.xml.ws-api</artifactId>

quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java

@@ -87,7 +87,7 @@ public enum ClientAuth {
     public static final Option<String> HTTPS_KEY_STORE_TYPE = new OptionBuilder<>("https-key-store-type", String.class)
             .category(OptionCategory.HTTP)
             .description("The type of the key store file. " +
-                    "If not given, the type is automatically detected based on the file name. " +
+                    "If not given, the type is automatically detected based on the file extension. " +
                     "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
             .build();
 
@@ -106,7 +106,7 @@ public enum ClientAuth {
     public static final Option<String> HTTPS_TRUST_STORE_TYPE = new OptionBuilder<>("https-trust-store-type", String.class)
             .category(OptionCategory.HTTP)
             .description("The type of the trust store file. " +
-                    "If not given, the type is automatically detected based on the file name. " +
+                    "If not given, the type is automatically detected based on the file extension. " +
                     "If '" + SecurityOptions.FIPS_MODE.getKey() + "' is set to '" + FipsMode.STRICT + "' and no value is set, it defaults to 'BCFKS'.")
             .deprecated("Use the System Truststore instead, see the docs for details.")
             .build();

quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java

@@ -22,7 +22,6 @@
 import io.quarkus.agroal.spi.JdbcDriverBuildItem;
 import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
 import io.quarkus.arc.deployment.BuildTimeConditionBuildItem;
-import io.quarkus.arc.processor.AnnotationsTransformer;
 import io.quarkus.bootstrap.logging.InitialConfigurator;
 import io.quarkus.datasource.deployment.spi.DevServicesDatasourceResultBuildItem;
 import io.quarkus.deployment.IsDevelopment;
@@ -50,10 +49,12 @@
 import io.smallrye.config.ConfigValue;
 import org.eclipse.microprofile.health.Readiness;
 import org.hibernate.cfg.AvailableSettings;
+import org.hibernate.jpa.boot.spi.PersistenceUnitDescriptor;
 import org.hibernate.jpa.boot.internal.ParsedPersistenceXmlDescriptor;
 import org.hibernate.jpa.boot.internal.PersistenceXmlParser;
 import org.jboss.jandex.AnnotationInstance;
 import org.jboss.jandex.AnnotationTarget;
+import org.jboss.jandex.AnnotationTransformation;
 import org.jboss.jandex.ClassInfo;
 import org.jboss.jandex.DotName;
 import org.jboss.jandex.IndexView;
@@ -317,7 +318,7 @@ void configurePersistenceUnits(HibernateOrmConfig config,
         List<String> userManagedEntities = new ArrayList<>();
 
         for (PersistenceXmlDescriptorBuildItem item : descriptors) {
-            ParsedPersistenceXmlDescriptor descriptor = item.getDescriptor();
+            ParsedPersistenceXmlDescriptor descriptor = (ParsedPersistenceXmlDescriptor) item.getDescriptor();
 
             if ("keycloak-default".equals(descriptor.getName())) {
                 defaultUnitDescriptor = descriptor;
@@ -468,7 +469,7 @@ private void configureUserDefinedPersistenceUnits(List<PersistenceXmlDescriptorB
             Map<String, ProviderFactory> preConfiguredProviders, Spi spi) {
         descriptors.stream()
                 .map(PersistenceXmlDescriptorBuildItem::getDescriptor)
-                .map(ParsedPersistenceXmlDescriptor::getName)
+                .map(PersistenceUnitDescriptor::getName)
                 .filter(Predicate.not("keycloak-default"::equals)).forEach((String unitName) -> {
                     NamedJpaConnectionProviderFactory factory = new NamedJpaConnectionProviderFactory();
 
@@ -624,9 +625,9 @@ void disableHealthCheckBean(BuildProducer<BuildTimeConditionBuildItem> removeBea
     // bean without the @Readiness annotation so it won't be used as a health check on it's own.
     @BuildStep
     AnnotationsTransformerBuildItem disableDefaultDataSourceHealthCheck() {
-        return new AnnotationsTransformerBuildItem(AnnotationsTransformer.appliedToClass()
+        return new AnnotationsTransformerBuildItem(AnnotationTransformation.forClasses()
                 .whenClass(c -> c.name().equals(DotName.createSimple(DataSourceHealthCheck.class)))
-                .thenTransform(t -> t.remove(
+                .transform(t -> t.remove(
                         a -> a.name().equals(DotName.createSimple(Readiness.class)))));
     }
 

quarkus/runtime/pom.xml

@@ -538,12 +538,8 @@
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>jakarta.mail</groupId>
-            <artifactId>jakarta.mail-api</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.angus</groupId>
-            <artifactId>angus-mail</artifactId>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>jakarta.mail</artifactId>
         </dependency>
         <dependency>
             <groupId>jakarta.xml.soap</groupId>

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java

@@ -23,6 +23,7 @@
 import static org.keycloak.quarkus.runtime.cli.Picocli.println;
 import static org.keycloak.quarkus.runtime.configuration.ConfigArgsConfigSource.getAllCliArgs;
 
+import io.quarkus.runtime.LaunchMode;
 import org.keycloak.config.OptionCategory;
 import org.keycloak.quarkus.runtime.Environment;
 import org.keycloak.quarkus.runtime.Messages;
@@ -31,7 +32,6 @@
 import io.quarkus.bootstrap.runner.QuarkusEntryPoint;
 import io.quarkus.bootstrap.runner.RunnerClassLoader;
 
-import io.quarkus.runtime.configuration.ProfileManager;
 import io.smallrye.config.ConfigValue;
 import picocli.CommandLine;
 import picocli.CommandLine.Command;
@@ -131,7 +131,7 @@ private void beforeReaugmentationOnWindows() {
     }
 
     private void cleanTempResources() {
-        if (!ProfileManager.getLaunchMode().isDevOrTest()) {
+        if (!LaunchMode.current().isDevOrTest()) {
             // only needed for dev/testing purposes
             getHomePath().resolve("quarkus-artifact.properties").toFile().delete();
         }

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java

@@ -30,6 +30,7 @@
 import java.util.function.Consumer;
 import java.util.regex.Pattern;
 
+import io.smallrye.config.ConfigValue;
 import io.smallrye.config.PropertiesConfigSource;
 
 import org.keycloak.quarkus.runtime.cli.command.Main;
@@ -89,15 +90,14 @@ private static String getRawConfigArgs() {
     }
 
     @Override
-    public String getValue(String propertyName) {
-        Map<String, String> properties = getProperties();
-        String value = properties.get(propertyName);
+    public ConfigValue getConfigValue(String propertyName) {
+        ConfigValue value = super.getConfigValue(propertyName);
 
         if (value != null) {
             return value;
         }
 
-        return properties.get(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.'));
+        return super.getConfigValue(propertyName.replace(OPTION_PART_SEPARATOR_CHAR, '.'));
     }
 
     private static Map<String, String> parseArguments() {

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/KeycloakPropertiesConfigSource.java

@@ -63,7 +63,21 @@ protected String[] getFileExtensions() {
 
     @Override
     protected ConfigSource loadConfigSource(URL url, int ordinal) throws IOException {
-        return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal);
+        // a workaround for https://github.com/smallrye/smallrye-config/issues/1207
+        // replace by the following line when fixed:
+        // return new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal);
+        var cs = new PropertiesConfigSource(transform(ConfigSourceUtil.urlToMap(url)), url.toString(), ordinal) {
+            private String name;
+            @Override
+            public String getName() {
+                return name;
+            }
+            public void setName(String name) {
+                this.name = name;
+            }
+        };
+        cs.setName(url.toString());
+        return cs;
     }
 
     public static class InClassPath extends KeycloakPropertiesConfigSource implements ConfigSourceProvider {

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PersistedConfigSource.java

@@ -32,6 +32,7 @@
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 
+import io.smallrye.config.ConfigValue;
 import io.smallrye.config.PropertiesConfigSource;
 import org.keycloak.quarkus.runtime.Environment;
 
@@ -54,7 +55,7 @@ public final class PersistedConfigSource extends PropertiesConfigSource {
     private static final ThreadLocal<Boolean> ENABLED = ThreadLocal.withInitial(() -> true);
 
     private PersistedConfigSource() {
-        super(readProperties(), "", 200);
+        super(readProperties(), NAME, 200);
     }
 
     public static PersistedConfigSource getInstance() {
@@ -67,15 +68,15 @@ public String getName() {
     }
 
     @Override
-    public String getValue(String propertyName) {
+    public ConfigValue getConfigValue(String propertyName) {
         if (isEnabled()) {
-            String value = super.getValue(propertyName);
+            ConfigValue value = super.getConfigValue(propertyName);
 
             if (value != null) {
                 return value;
             }
 
-            return super.getValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.'));
+            return super.getConfigValue(propertyName.replace(Configuration.OPTION_PART_SEPARATOR_CHAR, '.'));
         }
 
         return null;

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/QuarkusPropertiesConfigSource.java

@@ -57,7 +57,10 @@ public static boolean isSameSource(ConfigValue value) {
             return false;
         }
 
-        return NAME.equals(value.getConfigSourceName());
+        // workaround for https://github.com/smallrye/smallrye-config/issues/1207
+        // replace by the following line when fixed:
+        // return NAME.equals(value.getConfigSourceName());
+        return value.getConfigSourceName() != null && value.getConfigSourceName().endsWith(FILE_NAME);
     }
 
     public static Path getConfigurationFile() {