2.10.3 backports 1

bom/application/pom.xml

@@ -47,7 +47,7 @@
         <smallrye-graphql.version>1.6.0</smallrye-graphql.version>
         <smallrye-opentracing.version>2.1.0</smallrye-opentracing.version>
         <smallrye-fault-tolerance.version>5.4.1</smallrye-fault-tolerance.version>
-        <smallrye-jwt.version>3.5.1</smallrye-jwt.version>
+        <smallrye-jwt.version>3.5.3</smallrye-jwt.version>
         <smallrye-context-propagation.version>1.2.2</smallrye-context-propagation.version>
         <smallrye-reactive-streams-operators.version>1.0.13</smallrye-reactive-streams-operators.version>
         <smallrye-reactive-types-converter.version>2.7.0</smallrye-reactive-types-converter.version>

core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildRunner.java

@@ -72,10 +72,9 @@ public Result build(List<String> args, String nativeImageName, String resultingE
             if (objcopyExists) {
                 if (debugSymbolsEnabled) {
                     splitDebugSymbols(nativeImageName, resultingExecutableName);
-                } else {
-                    // Strip debug symbols regardless, because the underlying JDK might contain them
-                    objcopy("--strip-debug", resultingExecutableName);
                 }
+                // Strip debug symbols regardless, because the underlying JDK might contain them
+                objcopy("--strip-debug", resultingExecutableName);
             } else if (SystemUtils.IS_OS_LINUX) {
                 log.warn(
                         "objcopy executable not found in PATH. Debug symbols will therefore not be separated from the executable.");

core/runtime/src/main/java/io/quarkus/runtime/MockedThroughWrapper.java

@@ -8,4 +8,6 @@
  */
 public interface MockedThroughWrapper {
     void setMock(Object mock);
+
+    void clearMock();
 }

devtools/bom-descriptor-json/src/main/resources/catalog-overrides.json

@@ -139,6 +139,7 @@
   ],
   "metadata":{
     "project": {
+      "default-codestart": "resteasy-reactive",
       "properties": {
         "doc-root": "https://quarkus.io",
         "rest-assured-version": "${rest-assured.version}",

docs/src/main/asciidoc/getting-started-testing.adoc

@@ -1317,6 +1317,9 @@ public class CustomResource implements QuarkusTestResourceLifecycleManager, DevS
         // apply the network to the container
         containerNetworkId.ifPresent(container::withNetworkMode);
 
+        // start container before retrieving its URL or other properties
+        container.start();
+
         String jdbcUrl = container.getJdbcUrl();
         if (containerNetworkId.isPresent()) {
             // Replace hostname + port in the provided JDBC URL with the hostname of the Docker container

docs/src/main/asciidoc/getting-started.adoc

@@ -113,7 +113,7 @@ In addition, you can see the `quarkus-maven-plugin` responsible of the packaging
         <plugin>
             <groupId>${quarkus.platform.group-id}</groupId>
             <artifactId>quarkus-maven-plugin</artifactId>
-            <version>${quarkus-plugin.version}</version>
+            <version>${quarkus.platform.version}</version>
             <extensions>true</extensions>
             <executions>
                 <execution>

docs/src/main/asciidoc/gradle-tooling.adoc

@@ -517,7 +517,7 @@ This task depends on both `check` and `quarkusBuild` tasks. The final artifact w
 
 `fast-jar` is now the default quarkus package type. The result of `./gradlew build` command is a new directory under `build` named `quarkus-app`.
 
-You can run the application using: `java -jar target/quarkus-app/quarkus-run.jar`.
+You can run the application using: `java -jar build/quarkus-app/quarkus-run.jar`.
 
 WARNING: In order to successfully run the produced jar, you need to have the entire contents of the `quarkus-app` directory. If any of the files are missing, the application will not start or
 might not function correctly.

docs/src/main/asciidoc/includes/prerequisites.adoc

@@ -13,7 +13,7 @@ ifndef::prerequisites-no-maven[]
 * Apache Maven {maven-version}
 endif::[]
 ifdef::prerequisites-docker[]
-* A working container runtime (Docker or Podman)
+* A working container runtime (Docker or xref:podman.adoc[Podman])
 endif::[]
 ifdef::prerequisites-docker-compose[]
 * Docker and Docker Compose or xref:podman.adoc[Podman], and Docker Compose

docs/src/main/asciidoc/security.adoc

@@ -285,6 +285,19 @@ If you work with the link:https://jeremylong.github.io/DependencyCheck/dependenc
 
 You can add `OWASP Dependency Check Plugin` to your project's `pom.xml` like this:
 
+[source,xml]
+----
+<plugin>
+    <groupId>org.owasp</groupId>
+    <artifactId>dependency-check-maven</artifactId>
+    <version>${owasp-dependency-check-plugin.version}</version>
+</plugin>
+----
+
+where `owasp-dependency-check-plugin.version` should be set to `7.1.1` or later.
+
+You can configure the plugin like this:
+
 [source,xml]
 ----
 <plugin>
@@ -374,4 +387,3 @@ For example, it can look like this:
 
 Such a suppression list has to be carefully prepared and revisited from time to time. You should consider making individual suppressions time limited by adding an `until` tribute, for example: `<suppress until="2022-01-01Z">...</suppress>`. It will let you doublecheck that only the same known false positives are reported when the suppression period expires, and after reviewing the report you can set a new expiry date.
 
-Note link:https://jeremylong.github.io/DependencyCheck/dependency-check-maven/[OWASP Dependency Check Plugin] `6.5.3` or later should be used with Quarkus.

extensions/grpc/deployment/src/main/java/io/quarkus/grpc/deployment/GrpcServerProcessor.java

@@ -466,7 +466,7 @@ KubernetesPortBuildItem registerGrpcServiceInKubernetes(List<BindableServiceBuil
         if (!bindables.isEmpty()) {
             int port = ConfigProvider.getConfig().getOptionalValue("quarkus.grpc.server.port", Integer.class)
                     .orElse(9000);
-            return new KubernetesPortBuildItem(port, GRPC_SERVER);
+            return new KubernetesPortBuildItem(port, "grpc");
         }
         return null;
     }

extensions/kafka-client/deployment/src/main/java/io/quarkus/kafka/client/deployment/RedPandaKafkaContainer.java

@@ -42,7 +42,8 @@ final class RedPandaKafkaContainer extends GenericContainer<RedPandaKafkaContain
         withCreateContainerCmdModifier(cmd -> {
             cmd.withEntrypoint("sh");
         });
-        withCommand("-c", "while [ ! -f " + STARTER_SCRIPT + " ]; do sleep 0.1; done; " + STARTER_SCRIPT);
+        withCommand("-c", "while [ ! -f " + STARTER_SCRIPT + " ]; do sleep 0.1; done; sleep 0.1; " +
+                STARTER_SCRIPT);
         waitingFor(Wait.forLogMessage(".*Started Kafka API server.*", 1));
     }
 

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java

@@ -1,5 +1,6 @@
 package io.quarkus.keycloak.pep.runtime;
 
+import java.net.URI;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
@@ -90,8 +91,11 @@ private static PolicyEnforcer createPolicyEnforcer(OidcTenantConfig oidcConfig,
         adapterConfig.setConnectionPoolSize(keycloakPolicyEnforcerConfig.connectionPoolSize);
 
         if (oidcConfig.proxy.host.isPresent()) {
-            adapterConfig.setProxyUrl(oidcConfig.proxy.host.get() + ":"
-                    + oidcConfig.proxy.port);
+            String host = oidcConfig.proxy.host.get();
+            if (!host.startsWith("http://") && !host.startsWith("https://")) {
+                host = URI.create(authServerUrl).getScheme() + "://" + host;
+            }
+            adapterConfig.setProxyUrl(host + ":" + oidcConfig.proxy.port);
         }
 
         PolicyEnforcerConfig enforcerConfig = getPolicyEnforcerConfig(keycloakPolicyEnforcerConfig,

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KnativeProcessor.java

@@ -79,6 +79,7 @@ public class KnativeProcessor {
     private static final String KNATIVE_UTILIZATION_PERCENTAGE = "autoscaling.knative.dev/target-utilization-percentage";
     private static final String KNATIVE_AUTOSCALING_TARGET = "autoscaling.knative.dev/target";
     private static final String KNATIVE_CONTAINER_CONCURRENCY = "container-concurrency";
+    private static final String KNATIVE_DEV_VISIBILITY = "networking.knative.dev/visibility";
 
     @BuildStep
     public void checkKnative(ApplicationInfoBuildItem applicationInfo, KnativeConfig config,
@@ -174,8 +175,12 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
                 });
 
         if (config.clusterLocal) {
-            result.add(new DecoratorBuildItem(KNATIVE,
-                    new AddLabelDecorator(name, "networking.knative.dev/visibility", "cluster-local")));
+            if (labels.stream().filter(l -> KNATIVE.equals(l.getTarget()))
+                    .noneMatch(l -> l.getKey().equals(KNATIVE_DEV_VISIBILITY))) {
+                result.add(new DecoratorBuildItem(KNATIVE,
+                        new AddLabelDecorator(name, KNATIVE_DEV_VISIBILITY, "cluster-local")));
+            }
+
         }
 
         /**

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/OpenshiftProcessor.java

@@ -67,6 +67,7 @@ public class OpenshiftProcessor {
     private static final int OPENSHIFT_PRIORITY = DEFAULT_PRIORITY;
     private static final String OPENSHIFT_INTERNAL_REGISTRY = "image-registry.openshift-image-registry.svc:5000";
     private static final String DOCKERIO_REGISTRY = "docker.io";
+    private static final String OPENSHIFT_V3_APP = "app";
 
     @BuildStep
     public void checkOpenshift(ApplicationInfoBuildItem applicationInfo, OpenshiftConfig config,
@@ -197,7 +198,10 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
         if (config.flavor == v3) {
             //Openshift 3.x doesn't recognize 'app.kubernetes.io/name', it uses 'app' instead.
             //The decorator will be applied even on non-openshift resources is it may affect for example: knative
-            result.add(new DecoratorBuildItem(new AddLabelDecorator(name, "app", name)));
+            if (labels.stream().filter(l -> OPENSHIFT.equals(l.getTarget()))
+                    .noneMatch(l -> l.getKey().equals(OPENSHIFT_V3_APP))) {
+                result.add(new DecoratorBuildItem(new AddLabelDecorator(name, OPENSHIFT_V3_APP, name)));
+            }
 
             // The presence of optional is causing issues in OCP 3.11, so we better remove them.
             // The following 4 decorator will set the optional property to null, so that it won't make it into the file.
@@ -247,7 +251,8 @@ public List<DecoratorBuildItem> createDecorators(ApplicationInfoBuildItem applic
 
         result.add(new DecoratorBuildItem(OPENSHIFT, new ApplyImagePullPolicyDecorator(name, config.getImagePullPolicy())));
 
-        if (labels.stream().noneMatch(l -> l.getKey().equals(OPENSHIFT_APP_RUNTIME))) {
+        if (labels.stream().filter(l -> OPENSHIFT.equals(l.getTarget()))
+                .noneMatch(l -> l.getKey().equals(OPENSHIFT_APP_RUNTIME))) {
             result.add(new DecoratorBuildItem(OPENSHIFT, new AddLabelDecorator(name, OPENSHIFT_APP_RUNTIME, QUARKUS)));
         }
 

extensions/liquibase-mongodb/runtime/src/main/java/io/quarkus/liquibase/mongodb/LiquibaseMongodbFactory.java

@@ -39,12 +39,15 @@ public Liquibase createLiquibase() {
                                 "Config property 'quarkus.mongodb.database' must be defined when no database " +
                                         "exist in the connection string"));
             }
+            if (mongoClientConfig.credentials.authSource.isPresent()) {
+                connectionString += "?authSource=" + mongoClientConfig.credentials.authSource.get();
+            }
+
             Database database = DatabaseFactory.getInstance().openDatabase(connectionString,
                     this.mongoClientConfig.credentials.username.orElse(null),
                     this.mongoClientConfig.credentials.password.orElse(null),
                     null, resourceAccessor);
 
-            ;
             if (database != null) {
                 liquibaseMongodbConfig.liquibaseCatalogName.ifPresent(database::setLiquibaseCatalogName);
                 liquibaseMongodbConfig.liquibaseSchemaName.ifPresent(database::setLiquibaseSchemaName);

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java

@@ -109,7 +109,7 @@ public Uni<Tokens> get() {
                         body.add(OidcConstants.CLIENT_ASSERTION, jwt);
                     }
                 } else if (!OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
-                    body.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+                    body = copyMultiMap(body).set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
                 }
                 if (!additionalGrantParameters.isEmpty()) {
                     body = copyMultiMap(body);
@@ -122,7 +122,11 @@ public Uni<Tokens> get() {
                         .onFailure(ConnectException.class)
                         .retry()
                         .atMost(oidcConfig.connectionRetryCount)
-                        .onFailure().transform(t -> t.getCause());
+                        .onFailure().transform(t -> {
+                            LOG.warn("OIDC Server is not available:", t.getCause() != null ? t.getCause() : t);
+                            // don't wrap t to avoid information leak
+                            return new OidcClientException("OIDC Server is not available");
+                        });
                 return response.onItem()
                         .transform(resp -> emitGrantTokens(resp, refresh));
             }

extensions/oidc-common/runtime/pom.xml

@@ -42,6 +42,11 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-jwt-build</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5-internal</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java

@@ -228,7 +228,14 @@ public static Optional<ProxyOptions> toProxyOptions(OidcCommonConfig.Proxy proxy
             return Optional.empty();
         }
         JsonObject jsonOptions = new JsonObject();
-        jsonOptions.put("host", proxyConfig.host.get());
+        // Vert.x Client currently does not expect a host having a scheme but keycloak-authorization expects scheme and host.
+        // Having a dedicated scheme property is probably better, but since it is property is not taken into account in Vertx Client
+        // it does not really make sense as it can send a misleading message that users can choose between `http` and `https`.
+        String host = URI.create(proxyConfig.host.get()).getHost();
+        if (host == null) {
+            host = proxyConfig.host.get();
+        }
+        jsonOptions.put("host", host);
         jsonOptions.put("port", proxyConfig.port);
         if (proxyConfig.username.isPresent()) {
             jsonOptions.put("username", proxyConfig.username.get());

extensions/oidc-common/runtime/src/test/java/io/quarkus/oidc/common/runtime/OidcCommonUtilsTest.java

@@ -0,0 +1,45 @@
+package io.quarkus.oidc.common.runtime;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.net.URI;
+import java.util.Optional;
+
+import org.junit.jupiter.api.Test;
+
+import io.vertx.core.net.ProxyOptions;
+
+public class OidcCommonUtilsTest {
+
+    @Test
+    public void testProxyOptionsWithHostWithoutScheme() throws Exception {
+        OidcCommonConfig.Proxy config = new OidcCommonConfig.Proxy();
+        config.host = Optional.of("localhost");
+        config.port = 8080;
+        config.username = Optional.of("user");
+        config.password = Optional.of("password");
+
+        ProxyOptions options = OidcCommonUtils.toProxyOptions(config).get();
+        assertEquals("localhost", options.getHost());
+        assertEquals(8080, options.getPort());
+        assertEquals("user", options.getUsername());
+        assertEquals("password", options.getPassword());
+    }
+
+    @Test
+    public void testProxyOptionsWithHostWithScheme() throws Exception {
+        OidcCommonConfig.Proxy config = new OidcCommonConfig.Proxy();
+        config.host = Optional.of("http://localhost");
+        config.port = 8080;
+        config.username = Optional.of("user");
+        config.password = Optional.of("password");
+
+        assertEquals("http", URI.create(config.host.get()).getScheme());
+
+        ProxyOptions options = OidcCommonUtils.toProxyOptions(config).get();
+        assertEquals("localhost", options.getHost());
+        assertEquals(8080, options.getPort());
+        assertEquals("user", options.getUsername());
+        assertEquals("password", options.getPassword());
+    }
+}

extensions/panache/hibernate-reactive-panache-common/runtime/pom.xml

@@ -10,7 +10,7 @@
 
     <artifactId>quarkus-hibernate-reactive-panache-common</artifactId>
     <name>Quarkus - Hibernate Reactive with Panache - Common - Runtime</name>
-    <description>Simplify your persistence code for Hibernate Reactive via the active record or the repository pattern</description>
+    <description>Common module to simplify your persistence code for Hibernate Reactive via the active record or the repository pattern</description>
     <dependencies>
         <dependency>
             <groupId>io.quarkus</groupId>

extensions/panache/mongodb-panache-kotlin/runtime/pom.xml

@@ -11,7 +11,7 @@
 
     <artifactId>quarkus-mongodb-panache-kotlin</artifactId>
     <name>Quarkus - MongoDB with Panache - Kotlin Runtime</name>
-    <description>Simplify your persistence code for MongoDB via the active record or the repository pattern</description>
+    <description>Simplify your persistence code for MongoDB in Kotlin via the active record or the repository pattern</description>
     <dependencies>
         <dependency>
             <groupId>io.quarkus</groupId>

extensions/resteasy-reactive/rest-client-reactive/runtime/src/main/java/io/quarkus/rest/client/reactive/runtime/RestClientReactiveCDIWrapperBase.java

@@ -47,7 +47,13 @@ public Object getDelegate() {
         return mock == null ? delegate : mock;
     }
 
+    @Override
     public void setMock(Object mock) {
         this.mock = mock;
     }
+
+    @Override
+    public void clearMock() {
+        this.mock = null;
+    }
 }