Merge pull request #43350 from aloubyansky/3.15.0-backports1

[3.15] 3.15.0 backports

Author: aloubyansky

core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/JarResultBuildStep.java

@@ -1290,7 +1290,13 @@ static void filterJarFile(Path resolvedDep, Path targetPath, Set<String> transfo
                 } else {
                     manifest = new Manifest();
                 }
-                try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath), manifest)) {
+                try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(targetPath))) {
+                    JarEntry manifestEntry = new JarEntry(JarFile.MANIFEST_NAME);
+                    // Set manifest time to epoch to always make the same jar
+                    manifestEntry.setTime(0);
+                    out.putNextEntry(manifestEntry);
+                    manifest.write(out);
+                    out.closeEntry();
                     Enumeration<JarEntry> entries = in.entries();
                     while (entries.hasMoreElements()) {
                         JarEntry entry = entries.nextElement();
@@ -1306,6 +1312,8 @@ static void filterJarFile(Path resolvedDep, Path targetPath, Set<String> transfo
                                 while ((r = inStream.read(buffer)) > 0) {
                                     out.write(buffer, 0, r);
                                 }
+                            } finally {
+                                out.closeEntry();
                             }
                         } else {
                             log.debugf("Removed %s from %s", entryName, resolvedDep);

core/deployment/src/test/java/io/quarkus/deployment/pkg/steps/JarResultBuildStepTest.java

@@ -68,6 +68,26 @@ void should_unsign_jar_when_filtered(@TempDir Path tempDir) throws Exception {
         }
     }
 
+    @Test
+    void manifestTimeShouldAlwaysBeSetToEpoch(@TempDir Path tempDir) throws Exception {
+        JavaArchive archive = ShrinkWrap.create(JavaArchive.class, "myarchive.jar")
+                .addClasses(Integer.class)
+                .addManifest();
+        Path initialJar = tempDir.resolve("initial.jar");
+        Path filteredJar = tempDir.resolve("filtered.jar");
+        archive.as(ZipExporter.class).exportTo(new File(initialJar.toUri()), true);
+        JarResultBuildStep.filterJarFile(initialJar, filteredJar, Set.of("java/lang/Integer.class"));
+        try (JarFile jarFile = new JarFile(filteredJar.toFile())) {
+            assertThat(jarFile.stream())
+                    .filteredOn(jarEntry -> jarEntry.getName().equals(JarFile.MANIFEST_NAME))
+                    .isNotEmpty()
+                    .allMatch(jarEntry -> jarEntry.getTime() == 0);
+            // Check that the manifest is still has attributes
+            Manifest manifest = jarFile.getManifest();
+            assertThat(manifest.getMainAttributes()).isNotEmpty();
+        }
+    }
+
     private static KeyStore.PrivateKeyEntry createPrivateKeyEntry()
             throws NoSuchAlgorithmException, CertificateException, OperatorCreationException, CertIOException {
         KeyPairGenerator ky = KeyPairGenerator.getInstance("RSA");

docs/src/main/asciidoc/security-jwt.adoc

@@ -84,10 +84,7 @@ Create a REST endpoint in `src/main/java/org/acme/security/jwt/TokenSecuredResou
 ----
 package org.acme.security.jwt;
 
-import java.security.Principal;
-
 import jakarta.annotation.security.PermitAll;
-import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.InternalServerErrorException;
@@ -105,7 +102,7 @@ public class TokenSecuredResource {
     @Inject
     JsonWebToken jwt; // <1>
 
-    @GET()
+    @GET
     @Path("permit-all")
     @PermitAll // <2>
     @Produces(MediaType.TEXT_PLAIN)
@@ -122,7 +119,7 @@ public class TokenSecuredResource {
         } else {
             name = ctx.getUserPrincipal().getName(); // <6>
         }
-        return String.format("hello + %s,"
+        return String.format("hello %s,"
             + " isHttps: %s,"
             + " authScheme: %s,"
             + " hasJWT: %s",
@@ -172,7 +169,7 @@ Now that the REST endpoint is running, we can access it using a command line too
 [source,shell]
 ----
 $ curl http://127.0.0.1:8080/secured/permit-all; echo
-hello + anonymous, isHttps: false, authScheme: null, hasJWT: false
+hello anonymous, isHttps: false, authScheme: null, hasJWT: false
 ----
 
 We have not provided any JWT in our request, so we would not expect that there is any security state seen by the endpoint,
@@ -194,7 +191,6 @@ package org.acme.security.jwt;
 
 import jakarta.annotation.security.PermitAll;
 import jakarta.annotation.security.RolesAllowed;
-import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.InternalServerErrorException;
@@ -207,7 +203,6 @@ import jakarta.ws.rs.core.SecurityContext;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
 @Path("/secured")
-@RequestScoped
 public class TokenSecuredResource {
 
     @Inject
@@ -238,7 +233,7 @@ public class TokenSecuredResource {
         } else {
             name = ctx.getUserPrincipal().getName();
         }
-        return String.format("hello + %s,"
+        return String.format("hello %s,"
             + " isHttps: %s,"
             + " authScheme: %s,"
             + " hasJWT: %s",
@@ -455,7 +450,7 @@ curl -H "Authorization: Bearer eyJraWQiOiJcL3ByaXZhdGVLZXkucGVtIiwidHlwIjoiSldUI
 [source,shell]
 ----
 $ curl -H "Authorization: Bearer eyJraWQ..." http://127.0.0.1:8080/secured/roles-allowed; echo
-hello + [email protected], isHttps: false, authScheme: Bearer, hasJWT: true, birthdate: 2001-07-13
+hello [email protected], isHttps: false, authScheme: Bearer, hasJWT: true, birthdate: 2001-07-13
 ----
 
 Success! We now have:
@@ -500,14 +495,14 @@ import org.eclipse.microprofile.jwt.Claims;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
 @Path("/secured")
-@RequestScoped
+@RequestScoped <1>
 public class TokenSecuredResource {
 
     @Inject
-    JsonWebToken jwt; // <1>
+    JsonWebToken jwt; // <2>
     @Inject
     @Claim(standard = Claims.birthdate)
-    String birthdate; // <2>
+    String birthdate; // <3>
 
     @GET
     @Path("permit-all")
@@ -530,7 +525,7 @@ public class TokenSecuredResource {
     @RolesAllowed("Admin")
     @Produces(MediaType.TEXT_PLAIN)
     public String helloRolesAllowedAdmin(@Context SecurityContext ctx) {
-        return getResponseString(ctx) + ", birthdate: " + birthdate; // <3>
+        return getResponseString(ctx) + ", birthdate: " + birthdate; // <4>
     }
 
     private String getResponseString(SecurityContext ctx) {
@@ -542,7 +537,7 @@ public class TokenSecuredResource {
         } else {
             name = ctx.getUserPrincipal().getName();
         }
-        return String.format("hello + %s,"
+        return String.format("hello %s,"
             + " isHttps: %s,"
             + " authScheme: %s,"
             + " hasJWT: %s",
@@ -554,9 +549,10 @@ public class TokenSecuredResource {
     }
 }
 ----
-<1> Here we inject the JsonWebToken.
-<2> Here we inject the `birthday` claim as `String` - this is why the `@RequestScoped` scope is now required.
-<3> Here we use the injected `birthday` claim to build the final reply.
+<1> `RequestScoped` scope is required to support an injection of the `birthday` claim as `String`.
+<2> Here we inject the JsonWebToken.
+<3> Here we inject the `birthday` claim as `String` - this is why the `@RequestScoped` scope is now required.
+<4> Here we use the injected `birthday` claim to build the final reply.
 
 Now generate the token again and run:
 
@@ -568,7 +564,7 @@ curl -H "Authorization: Bearer eyJraWQiOiJcL3ByaXZhdGVLZXkucGVtIiwidHlwIjoiSldUI
 [source,shell]
 ----
 $ curl -H "Authorization: Bearer eyJraWQ..." http://127.0.0.1:8080/secured/roles-allowed-admin; echo
-hello + [email protected], isHttps: false, authScheme: Bearer, hasJWT: true, birthdate: 2001-07-13
+hello [email protected], isHttps: false, authScheme: Bearer, hasJWT: true, birthdate: 2001-07-13
 ----
 
 === Package and run the application

docs/src/main/asciidoc/tls-registry-reference.adoc

@@ -25,7 +25,7 @@ The TLS Registry extension is automatically included in your project when you us
 As a result, applications that use the TLS Registry can be ready to handle secure communications out of the box.
 TLS Registry also provides features like automatic certificate reloading, Let's Encrypt (ACME) integration, Kubernetes Cert-Manager support, and compatibility with various keystore formats, such as PKCS12, PEM, and JKS.
 
-[#using-the-tls-registry]
+[[using-the-tls-registry]]
 == Using the TLS registry
 
 To configure a TLS connection, including key and truststores, use the `+quarkus.tls.*+` properties.
@@ -126,7 +126,7 @@ quarkus.grpc.server.plain-text=false
 +
 This configuration enables mTLS by ensuring that both the server and client validate each other's certificates, which provides an additional layer of security.
 
-[#referencing-a-tls-configuration]
+[[referencing-a-tls-configuration]]
 == Referencing a TLS configuration
 
 To reference an example  _named_ configuration that you created by using the `quarkus.tls.<name>.*` properties as explained in <<using-the-tls-registry>>
@@ -257,7 +257,7 @@ quarkus.tls.key-store.jks.alias-password=my-alias-password
 * Alternatively, use SNI to select the appropriate certificate and private key.
 Note that all keys must use the same password.
 
-[#sni]
+[[sni]]
 ==== SNI
 
 Server Name Indication (SNI) is a TLS extension that makes it possible for a client to specify the host name to which it attempts to connect during the TLS handshake.
@@ -585,7 +585,7 @@ When an application that uses the TLS extension starts, the TLS registry perform
 
 If any of these checks fail, the application will not start.
 
-[#reloading-certificates]
+[[reloading-certificates]]
 == Reloading certificates
 
 The `TlsConfiguration` obtained from the `TLSConfigurationRegistry` includes a mechanism for reloading certificates.
@@ -1267,12 +1267,11 @@ quarkus.http.insecure-requests=redirect
 
 ====
 
-[[lets-encrypt-prepare]]
-
 The challenge is served from the primary HTTP interface (accessible from your DNS domain name).
 
 IMPORTANT: Do not start your application yet.
 
+[[lets-encrypt-prepare]]
 === Application preparation
 
 Before you request a Let's Encrypt certificate:

extensions/smallrye-graphql/deployment/src/main/java/io/quarkus/smallrye/graphql/deployment/SmallRyeGraphQLProcessor.java

@@ -83,16 +83,27 @@
 import io.smallrye.graphql.api.Entry;
 import io.smallrye.graphql.api.ErrorExtensionProvider;
 import io.smallrye.graphql.api.OneOf;
+import io.smallrye.graphql.api.federation.Authenticated;
 import io.smallrye.graphql.api.federation.ComposeDirective;
 import io.smallrye.graphql.api.federation.Extends;
 import io.smallrye.graphql.api.federation.External;
+import io.smallrye.graphql.api.federation.FieldSet;
 import io.smallrye.graphql.api.federation.Inaccessible;
 import io.smallrye.graphql.api.federation.InterfaceObject;
 import io.smallrye.graphql.api.federation.Key;
 import io.smallrye.graphql.api.federation.Provides;
 import io.smallrye.graphql.api.federation.Requires;
 import io.smallrye.graphql.api.federation.Shareable;
 import io.smallrye.graphql.api.federation.Tag;
+import io.smallrye.graphql.api.federation.link.Import;
+import io.smallrye.graphql.api.federation.link.Link;
+import io.smallrye.graphql.api.federation.link.Purpose;
+import io.smallrye.graphql.api.federation.policy.Policy;
+import io.smallrye.graphql.api.federation.policy.PolicyGroup;
+import io.smallrye.graphql.api.federation.policy.PolicyItem;
+import io.smallrye.graphql.api.federation.requiresscopes.RequiresScopes;
+import io.smallrye.graphql.api.federation.requiresscopes.ScopeGroup;
+import io.smallrye.graphql.api.federation.requiresscopes.ScopeItem;
 import io.smallrye.graphql.cdi.config.MicroProfileConfig;
 import io.smallrye.graphql.cdi.producer.GraphQLProducer;
 import io.smallrye.graphql.cdi.tracing.TracingService;
@@ -298,6 +309,17 @@ void buildFinalIndex(
             indexer.indexClass(io.smallrye.graphql.api.federation.Override.class);
             indexer.indexClass(Tag.class);
             indexer.indexClass(OneOf.class);
+            indexer.indexClass(Authenticated.class);
+            indexer.indexClass(FieldSet.class);
+            indexer.indexClass(Link.class);
+            indexer.indexClass(Import.class);
+            indexer.indexClass(Purpose.class);
+            indexer.indexClass(Policy.class);
+            indexer.indexClass(PolicyGroup.class);
+            indexer.indexClass(PolicyItem.class);
+            indexer.indexClass(RequiresScopes.class);
+            indexer.indexClass(ScopeGroup.class);
+            indexer.indexClass(ScopeItem.class);
         } catch (IOException ex) {
             LOG.warn("Failure while creating index", ex);
         }

extensions/vertx-http/dev-ui-resources/src/main/resources/dev-ui/qwc/qwc-server-log.js

@@ -136,6 +136,7 @@ export class QwcServerLog extends QwcAbstractLogElement {
     connectedCallback() {
         super.connectedCallback();
         this._toggleOnOff(true);
+        this._history();
         this._loadAllLoggers();
     }
 
@@ -744,4 +745,4 @@ export class QwcServerLog extends QwcAbstractLogElement {
 
 }
 
-customElements.define('qwc-server-log', QwcServerLog);
+customElements.define('qwc-server-log', QwcServerLog);