Merge pull request #38285 from gsmet/3.6.7-backports-1

3.6.7 backports 1

bom/application/pom.xml

@@ -26,7 +26,7 @@
         <parsson.version>1.1.5</parsson.version>
         <resteasy-microprofile.version>2.1.4.Final</resteasy-microprofile.version>
         <resteasy-spring-web.version>3.0.2.Final</resteasy-spring-web.version>
-        <resteasy.version>6.2.6.Final</resteasy.version>
+        <resteasy.version>6.2.7.Final</resteasy.version>
         <opentracing.version>0.33.0</opentracing.version>
         <opentracing-jdbc.version>0.2.4</opentracing-jdbc.version>
         <opentracing-kafka.version>0.1.15</opentracing-kafka.version>
@@ -5013,6 +5013,14 @@
                 <artifactId>hibernate-jpamodelgen</artifactId>
                 <version>${hibernate-orm.version}</version>
             </dependency>
+            <!-- Workaround for Maven relocations not being supported for
+                 annotation processor paths in Maven Compiler Plugin
+                 See https://github.com/apache/maven-compiler-plugin/pull/180#issuecomment-1876921475 -->
+            <dependency>
+                <groupId>org.hibernate</groupId>
+                <artifactId>hibernate-jpamodelgen</artifactId>
+                <version>${hibernate-orm.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.hibernate.common</groupId>
                 <artifactId>hibernate-commons-annotations</artifactId>

docs/src/main/asciidoc/container-image.adoc

@@ -47,14 +47,14 @@ For example, the presence of `src/main/jib/foo/bar` would result in  `/foo/bar`
 
 There are cases where the built container image may need to have Java debugging conditionally enabled at runtime.
 
-When the base image has not been changed (and therefore `ubi8/openjdk-11-runtime`,  `ubi8/openjdk-17-runtime`, or `ubi8/openjdk-21-runtime` is used), then the `quarkus.jib.jvm-arguments` configuration property can be used in order to
+When the base image has not been changed (and therefore `ubi8/openjdk-11-runtime`,  `ubi8/openjdk-17-runtime`, or `ubi8/openjdk-21-runtime` is used), then the `quarkus.jib.jvm-additional-arguments` configuration property can be used in order to
 make the JVM listen on the debug port at startup.
 
 The exact configuration is:
 
 [source,properties]
 ----
-quarkus.jib.jvm-arguments=-agentlib:jdwp=transport=dt_socket\\,server=y\\,suspend=n\\,address=*:5005
+quarkus.jib.jvm-additional-arguments=-agentlib:jdwp=transport=dt_socket\\,server=y\\,suspend=n\\,address=*:5005
 ----
 
 Other base images might provide launch scripts that enable debugging when an environment variable is set, in which case you would set than environment variable when launching the container.

docs/src/main/asciidoc/qute-reference.adoc

@@ -223,7 +223,7 @@ Likewise, a line that contains an _expression_ or a _non-whitespace character_ i
                           <3>
      {/for}               <4>
      </ul>
-   <body>
+   </body>
 </html>
 ----
 <1> This is a standalone line and will be removed.
@@ -240,7 +240,7 @@ Likewise, a line that contains an _expression_ or a _non-whitespace character_ i
        <li>Foo 100</li>
 
      </ul>
-   <body>
+   </body>
 </html>
 ----
 
@@ -258,7 +258,7 @@ In this case, all whitespace characters from a standalone line will be printed t
 
 
      </ul>
-   <body>
+   </body>
 </html>
 ----
 
@@ -273,7 +273,7 @@ In the `object.property` (dot notation) syntax, the `property` must be a <<ident
 In the `object[property_name]` (bracket notation) syntax, the `property_name` has to be a non-null <<literals,literal>> value.
 
 An expression can start with an optional namespace followed by a colon (`:`).
-A valid namespace consist of alphanumeric characters and underscores.
+A valid namespace consists of alphanumeric characters and underscores.
 Namespace expressions are resolved differently - see also <<expression_resolution>>.
 
 .Property Accessor Examples
@@ -336,7 +336,7 @@ You can learn more about virtual methods in the <<virtual_methods,following sect
 ==== Resolution
 
 The first part of the expression is always resolved against the <<current_context_object,current context object>>.
-If no result is found for the first part it's resolved against the parent context object (if available).
+If no result is found for the first part, it's resolved against the parent context object (if available).
 For an expression that starts with a namespace the current context object is found using all the available ``NamespaceResolver``s.
 For an expression that does not start with a namespace the current context object is *derived from the position* of the tag.
 All other parts of an expression are resolved using all ``ValueResolver``s against the result of the previous resolution.
@@ -1426,7 +1426,7 @@ template.data(foo).createUni().subscribe().with(System.out::println);
 `TemplateInstance.createMulti()` returns a new `Multi<String>` object.
 Each item represents a part/chunk of the rendered template.
 Again, `createMulti()` does not trigger rendering.
-Instead, every time a computation is triggered by a subscriber the template is rendered again.
+Instead, every time a computation is triggered by a subscriber, the template is rendered again.
 
 .`TemplateInstance.createMulti()` Example
 [source,java]

extensions/csrf-reactive/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java

@@ -87,12 +87,26 @@ public void filter(ResteasyReactiveContainerRequestContext requestContext, Routi
         if (requestMethodIsSafe(requestContext)) {
             // safe HTTP method, tolerate the absence of a token
             if (isCsrfTokenRequired(routing, config)) {
-                // Set the CSRF cookie with a randomly generated value
-                byte[] tokenBytes = new byte[config.tokenSize];
-                secureRandom.nextBytes(tokenBytes);
-                routing.put(CSRF_TOKEN_BYTES_KEY, tokenBytes);
-                routing.put(CSRF_TOKEN_KEY, Base64.getUrlEncoder().withoutPadding().encodeToString(tokenBytes));
-
+                if (cookieToken == null) {
+                    generateNewCsrfToken(routing, config);
+                } else {
+                    String csrfTokenHeaderParam = requestContext.getHeaderString(config.tokenHeaderName);
+                    if (csrfTokenHeaderParam != null) {
+                        LOG.debugf("CSRF token found in the token header");
+                        // Verify the header, make sure the header value, possibly signed, is returned as the next cookie value
+                        verifyCsrfToken(requestContext, routing, config, cookieToken, csrfTokenHeaderParam);
+                    } else if (!config.tokenSignatureKey.isEmpty()) {
+                        // If the signature is required, then we can not use the current cookie value
+                        // as the HTML form token key because it represents a signed value of the previous key
+                        // and it will lead to the double-signing issue if this value is reused as the key.
+                        // It should be fine for simple HTML forms anyway
+                        generateNewCsrfToken(routing, config);
+                    } else {
+                        // Make sure the same cookie value is returned
+                        routing.put(CSRF_TOKEN_KEY, cookieToken);
+                        routing.put(CSRF_TOKEN_BYTES_KEY, Base64.getUrlDecoder().decode(cookieToken));
+                    }
+                }
                 routing.put(NEW_COOKIE_REQUIRED, true);
             }
         } else if (config.verifyToken) {
@@ -139,6 +153,14 @@ public void filter(ResteasyReactiveContainerRequestContext requestContext, Routi
         }
     }
 
+    private void generateNewCsrfToken(RoutingContext routing, CsrfReactiveConfig config) {
+        // Set the CSRF cookie with a randomly generated value
+        byte[] tokenBytes = new byte[config.tokenSize];
+        secureRandom.nextBytes(tokenBytes);
+        routing.put(CSRF_TOKEN_BYTES_KEY, tokenBytes);
+        routing.put(CSRF_TOKEN_KEY, Base64.getUrlEncoder().withoutPadding().encodeToString(tokenBytes));
+    }
+
     private void verifyCsrfToken(ResteasyReactiveContainerRequestContext requestContext, RoutingContext routing,
             CsrfReactiveConfig config, String cookieToken, String csrfToken) {
         if (cookieToken == null) {
@@ -160,6 +182,7 @@ private void verifyCsrfToken(ResteasyReactiveContainerRequestContext requestCont
                 return;
             } else {
                 routing.put(CSRF_TOKEN_KEY, csrfToken);
+                routing.put(CSRF_TOKEN_BYTES_KEY, Base64.getUrlDecoder().decode(csrfToken));
                 routing.put(CSRF_TOKEN_VERIFIED, true);
                 // reset the cookie
                 routing.put(NEW_COOKIE_REQUIRED, true);

extensions/jaxb/deployment/src/main/java/io/quarkus/jaxb/deployment/JaxbProcessor.java

@@ -70,7 +70,6 @@
 import io.quarkus.deployment.builditem.nativeimage.NativeImageResourceBundleBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.NativeImageSystemPropertyBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
-import io.quarkus.deployment.builditem.nativeimage.ReflectiveHierarchyBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveHierarchyIgnoreWarningBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeInitializedClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ServiceProviderBuildItem;
@@ -187,7 +186,6 @@ void processAnnotationsAndIndexFiles(
             BuildProducer<NativeImageProxyDefinitionBuildItem> proxyDefinitions,
             CombinedIndexBuildItem combinedIndexBuildItem,
             List<JaxbFileRootBuildItem> fileRoots,
-            BuildProducer<ReflectiveHierarchyBuildItem> reflectiveHierarchies,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClass,
             BuildProducer<NativeImageResourceBuildItem> resource,
             BuildProducer<NativeImageResourceBundleBuildItem> resourceBundle,
@@ -204,11 +202,10 @@ void processAnnotationsAndIndexFiles(
         for (DotName jaxbRootAnnotation : JAXB_ROOT_ANNOTATIONS) {
             for (AnnotationInstance jaxbRootAnnotationInstance : index
                     .getAnnotations(jaxbRootAnnotation)) {
-                if (jaxbRootAnnotationInstance.target().kind() == Kind.CLASS
-                        && !JAXB_ANNOTATIONS.contains(jaxbRootAnnotationInstance.target().asClass().getClass())) {
-                    DotName targetClass = jaxbRootAnnotationInstance.target().asClass().name();
-                    addReflectiveHierarchyClass(targetClass, reflectiveHierarchies, index);
-                    classesToBeBound.add(targetClass.toString());
+                if (jaxbRootAnnotationInstance.target().kind() == Kind.CLASS) {
+                    String className = jaxbRootAnnotationInstance.target().asClass().name().toString();
+                    reflectiveClass.produce(ReflectiveClassBuildItem.builder(className).methods().fields().build());
+                    classesToBeBound.add(className);
                     jaxbRootAnnotationsDetected = true;
                 }
             }
@@ -415,17 +412,6 @@ public static Stream<Path> safeWalk(Path p) {
         }
     }
 
-    private void addReflectiveHierarchyClass(DotName className,
-            BuildProducer<ReflectiveHierarchyBuildItem> reflectiveHierarchy,
-            IndexView index) {
-        Type jandexType = Type.create(className, Type.Kind.CLASS);
-        reflectiveHierarchy.produce(new ReflectiveHierarchyBuildItem.Builder()
-                .type(jandexType)
-                .index(index)
-                .source(getClass().getSimpleName() + " > " + jandexType.name().toString())
-                .build());
-    }
-
     private void addReflectiveClass(BuildProducer<ReflectiveClassBuildItem> reflectiveClass, boolean methods, boolean fields,
             String... className) {
         reflectiveClass.produce(new ReflectiveClassBuildItem(methods, fields, className));

integration-tests/csrf-reactive/src/test/java/io/quarkus/it/csrf/CsrfReactiveTest.java

@@ -4,6 +4,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
 import java.net.URL;
@@ -56,6 +57,8 @@ public void testCsrfTokenInForm() throws Exception {
             assertNotNull(htmlPage.getWebResponse().getResponseHeaderValue("Set-Cookie"));
             assertEquals("alice:true:tokenHeaderIsSet=false", textPage.getContent());
 
+            Cookie cookie1 = webClient.getCookieManager().getCookie("csrftoken");
+
             // This request which returns String is not CSRF protected
             textPage = webClient.getPage("http://localhost:8081/service/hello");
             assertEquals("hello", textPage.getContent());
@@ -67,6 +70,11 @@ public void testCsrfTokenInForm() throws Exception {
             assertNotNull(htmlPage.getWebResponse().getResponseHeaderValue("Set-Cookie"));
             assertEquals("alice:true:tokenHeaderIsSet=false", textPage.getContent());
 
+            Cookie cookie2 = webClient.getCookieManager().getCookie("csrftoken");
+
+            assertEquals(cookie1.getValue(), cookie2.getValue());
+            assertTrue(cookie1.getExpires().before(cookie2.getExpires()));
+
             webClient.getCookieManager().clearCookies();
         }
     }
@@ -366,6 +374,12 @@ private void assurePostFormPath(io.vertx.ext.web.client.WebClient vertxWebClient
         if (responseBody != null) {
             assertEquals(responseBody, result.result().bodyAsString(), path);
         }
+        if (expectedStatus != 400) {
+            String[] nextCookie = result.result().cookies().get(0).split(";");
+            String[] cookieNameValue = nextCookie[0].trim().split("=");
+            assertEquals(csrfCookie.getName(), cookieNameValue[0]);
+            assertEquals(csrfCookie.getValue(), cookieNameValue[1]);
+        }
     }
 
     private void assurePostJsonPath(io.vertx.ext.web.client.WebClient vertxWebClient, String path,

integration-tests/jaxb/src/main/java/io/quarkus/it/jaxb/JaxbResource.java

@@ -65,19 +65,4 @@ public io.quarkus.it.jaxb.Response seeAlso() {
         return response;
     }
 
-    //Test for Jaxb with parent class field
-    @Path("/bookwithparent")
-    @GET
-    @Produces(MediaType.TEXT_PLAIN)
-    public String getBookWithParent(@QueryParam("name") String name, @QueryParam("iban") String iban) throws JAXBException {
-        BookWithParent bookWithParent = new BookWithParent();
-        bookWithParent.setTitle(name);
-        bookWithParent.setIBAN(iban);
-        JAXBContext context = JAXBContext.newInstance(bookWithParent.getClass());
-        Marshaller marshaller = context.createMarshaller();
-        StringWriter sw = new StringWriter();
-        marshaller.marshal(bookWithParent, sw);
-        return sw.toString();
-    }
-
 }

integration-tests/jaxb/src/test/java/io/quarkus/it/jaxb/JaxbIT.java

@@ -1,24 +1,8 @@
 package io.quarkus.it.jaxb;
 
-import static io.restassured.RestAssured.given;
-import static org.hamcrest.Matchers.is;
-
-import org.junit.jupiter.api.Test;
-
 import io.quarkus.test.junit.QuarkusIntegrationTest;
 
 @QuarkusIntegrationTest
 public class JaxbIT extends JaxbTest {
-    //We have to test native executable of Jaxb
-    @Test
-    public void bookWithParent() {
-        given().when()
-                .param("name", "Foundation")
-                .param("iban", "4242")
-                .get("/jaxb/bookwithparent")
-                .then()
-                .statusCode(200)
-                .body(is(
-                        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><bookWithParent><IBAN>4242</IBAN><title>Foundation</title></bookWithParent>"));
-    }
+
 }