Merge branch '4.12.x' into 5.0.x

micronaut-projects · Jan 8, 2025 · b0e93e3 · b0e93e3
2 parents 662c2a9 + 5372743
commit b0e93e3
Show file tree

Hide file tree

Showing 189 changed files with 6,519 additions and 277 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,24 +1,32 @@
 {
   "extends": [
-    "config:base"
+    "config:recommended"
+  ],
+  "addLabels": [
+    "type: dependency-upgrade"
   ],
-  "addLabels": ["type: dependency-upgrade"],
   "schedule": [
-    "after 10pm every day"
+    "after 10pm"
   ],
   "prHourlyLimit": 1,
   "prConcurrentLimit": 20,
   "timezone": "Europe/Prague",
   "packageRules": [
     {
-      "matchPackagePatterns": ["actions.*"],
       "dependencyDashboardApproval": true,
-      "matchUpdateTypes": ["patch"],
+      "matchUpdateTypes": [
+        "patch"
+      ],
       "matchCurrentVersion": "!/^0/",
-      "automerge": true
+      "automerge": true,
+      "matchPackageNames": [
+        "/actions.*/"
+      ]
     },
     {
-      "matchUpdateTypes": ["patch"],
+      "matchUpdateTypes": [
+        "patch"
+      ],
       "matchCurrentVersion": "!/^0/",
       "automerge": true
     }

diff --git a/.github/workflows/aot.yml b/.github/workflows/aot.yml
@@ -28,7 +28,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gradle-
       - name: Set up JDK
-        uses: actions/setup-java@v4.2.2
+        uses: actions/setup-java@v4.6.0
         with:
           distribution: 'temurin'
           java-version: '17'

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
       PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
     steps:
        # https://github.com/actions/virtual-environments/issues/709
       - name: "🗑 Free disk space"
@@ -45,7 +47,7 @@ jobs:
           fetch-depth: 0
 
       - name: "🔧 Setup GraalVM CE"
-        uses: graalvm/[email protected].3
+        uses: graalvm/[email protected].6
         with:
           distribution: 'graalvm'
           java-version: ${{ matrix.java }}
@@ -58,6 +60,11 @@ jobs:
         run: |
           [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
 
+      - name: "🚔 Sonatype Scan"
+        id: sonatypescan
+        run: |
+          ./gradlew ossIndexAudit --no-parallel
+
       - name: "🛠 Build with Gradle"
         id: gradle
         run: |
@@ -70,15 +77,15 @@ jobs:
 
       - name: "📊 Publish Test Report"
         if: always()
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@v5
         with:
           check_name: Java CI / Test Report (${{ matrix.java }})
           report_paths: '**/build/test-results/test/TEST-*.xml'
           check_retries: 'true'
 
       - name: "📜 Upload binary compatibility check results"
         if: matrix.java == '17'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: binary-compatibility-reports
           path: "**/build/reports/binary-compatibility-*.html"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,13 +66,13 @@ jobs:
           # Store the hash in a file, which is uploaded as a workflow artifact.
           sha256sum $ARTIFACTS | base64 -w0 > artifacts-sha256
       - name: Upload build artifacts
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: gradle-build-outputs
           path: build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/*
           retention-days: 5
       - name: Upload artifacts-sha256
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: artifacts-sha256
           path: artifacts-sha256
@@ -146,7 +146,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Download artifacts
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
@@ -160,6 +160,6 @@ jobs:
       - name: Upload assets
         # Upload the artifacts to the existing release. Note that the SLSA provenance will
         # attest to each artifact file and not the aggregated ZIP file.
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           files: artifacts.zip
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
@@ -7,5 +7,6 @@ repositories {
 }
 
 dependencies {
-    implementation "org.graalvm.buildtools.native:org.graalvm.buildtools.native.gradle.plugin:0.10.3"
+    implementation(libs.graalvm.native.buildtools)
+    implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/settings.gradle b/buildSrc/settings.gradle
@@ -0,0 +1,7 @@
+dependencyResolutionManagement {
+    versionCatalogs {
+        libs {
+            from(files("../gradle/libs.versions.toml"))
+        }
+    }
+}
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.security-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.security-module.gradle
@@ -1,4 +1,14 @@
 plugins {
     id "io.micronaut.build.internal.security-base"
     id "io.micronaut.build.internal.module"
+    id("org.sonatype.gradle.plugins.scan")
+}
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+ossIndexAudit {
+    username = ossIndexUsername
+    password = ossIndexPassword
+}
 }
diff --git a/gradle.properties b/gradle.properties
@@ -2,7 +2,7 @@ projectVersion=5.0.0-SNAPSHOT
 projectGroup=io.micronaut.security
 
 micronautDocsVersion=2.0.0
-micronautGradlePluginVersion=4.4.2
+micronautGradlePluginVersion=4.4.4
 micronautAotVersion=2.0.1
 
 title=Micronaut Security

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,36 +1,39 @@
 [versions]
-managed-nimbus-jose-jwt = "9.40"
+managed-nimbus-jose-jwt = "9.48"
 managed-jjwt = "0.12.6"
 
-micronaut = "4.6.4"
-micronaut-platform = "4.5.1"
+micronaut = "4.7.10"
+micronaut-platform = "4.6.3"
 micronaut-docs = "2.0.0"
 
 geb = "7.0"
-selenium = "4.24.0"
-system-stubs-core = "2.1.6"
-unboundid-ldapsdk = "7.0.1"
+selenium = "4.27.0"
+system-stubs-core = "2.1.7"
+unboundid-ldapsdk = "7.0.2"
 bouncycastle = "1.70"
-kotlin = "2.0.20"
+kotlin = "2.1.0"
 bcpkix = "1.70"
-micronaut-test = "4.5.0"
-micronaut-hibernate-validator = "4.5.0"
-micronaut-multitenancy = "5.4.0"
-micronaut-reactor = "3.5.0"
-micronaut-logging = "1.4.0"
-micronaut-serde = "2.11.0"
-micronaut-servlet = "4.11.1"
-micronaut-session = "4.4.0"
-micronaut-views = "5.5.1"
-micronaut-validation = "4.7.0"
-micronaut-data = "4.9.3"
-micronaut-sql="5.8.1"
-micronaut-test-resources="2.6.0"
+micronaut-test = "4.6.2"
+micronaut-hibernate-validator = "4.6.0"
+micronaut-multitenancy = "5.5.0"
+micronaut-cache="5.1.0"
+micronaut-reactor = "3.6.0"
+micronaut-logging = "1.5.0"
+micronaut-serde = "2.13.0"
+micronaut-servlet = "4.12.0"
+micronaut-session = "4.5.0"
+micronaut-views = "5.6.0"
+micronaut-validation = "4.8.0"
+micronaut-data = "4.10.5"
+micronaut-sql="6.0.2"
+micronaut-test-resources="2.7.0"
+sonatype-scan = "3.0.0"
+graalvm-native-buildtools = "0.10.4"
 
-micronaut-core = { module = 'io.micronaut:micronaut-core-bom', version.ref = 'micronaut' }
 [libraries]
 # Core
 micronaut-core = { module = 'io.micronaut:micronaut-core-bom', version.ref = 'micronaut' }
+micronaut-cache = { module = "io.micronaut.cache:micronaut-cache-bom", version.ref = "micronaut-cache" }
 micronaut-hibernate-validator = { module = "io.micronaut.beanvalidation:micronaut-hibernate-validator-bom", version.ref = "micronaut-hibernate-validator" }
 micronaut-test-resources = { module = "io.micronaut.testresources:micronaut-test-resources-bom", version.ref = "micronaut-test-resources" }
 micronaut-test = { module = "io.micronaut.test:micronaut-test-bom", version.ref = "micronaut-test" }
@@ -68,6 +71,8 @@ junit-platform-engine = { module = "org.junit.platform:junit-platform-suite-engi
 
 testcontainers-selenium = { module = "org.testcontainers:selenium"}
 testcontainers-junit-jupiter = { module = "org.testcontainers:junit-jupiter"}
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
+graalvm-native-buildtools = { module = "org.graalvm.buildtools.native:org.graalvm.buildtools.native.gradle.plugin", version.ref = "graalvm-native-buildtools" }
 
 [plugins]
 kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/gradlew b/gradlew
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

diff --git a/security-csrf/build.gradle.kts b/security-csrf/build.gradle.kts
@@ -0,0 +1,28 @@
+plugins {
+    id("io.micronaut.build.internal.security-module")
+}
+
+dependencies {
+    api(projects.micronautSecurity)
+    compileOnly(mn.micronaut.http.server)
+    compileOnly(projects.micronautSecuritySession)
+    testAnnotationProcessor(mn.micronaut.inject.java)
+    testImplementation(mnTest.micronaut.test.junit5)
+    testRuntimeOnly(libs.junit.jupiter.engine)
+    testRuntimeOnly(mnLogging.logback.classic)
+    testImplementation(mn.micronaut.http.server.netty)
+    testImplementation(mn.micronaut.http.client)
+    testAnnotationProcessor(mnSerde.micronaut.serde.processor)
+    testImplementation(mnSerde.micronaut.serde.jackson)
+    testImplementation(projects.testSuiteUtilsSecurity)
+    testImplementation(projects.micronautSecurityJwt)
+    testImplementation(projects.micronautSecuritySession)
+}
+
+tasks.withType<Test> {
+    useJUnitPlatform()
+}
+
+micronautBuild {
+    binaryCompatibility.enabled = false
+}
diff --git a/security-csrf/src/main/java/io/micronaut/security/csrf/CsrfConfiguration.java b/security-csrf/src/main/java/io/micronaut/security/csrf/CsrfConfiguration.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2017-2024 original authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.micronaut.security.csrf;
+
+import io.micronaut.core.annotation.NonNull;
+import io.micronaut.core.annotation.Nullable;
+import io.micronaut.core.util.Toggleable;
+import io.micronaut.http.cookie.CookieConfiguration;
+import io.micronaut.security.config.SecurityConfigurationProperties;
+
+/**
+ * CSRF Configuration.
+ * @author Sergio del Amo
+ * @since 4.11.0
+ */
+public interface CsrfConfiguration extends CookieConfiguration, Toggleable {
+    String PREFIX = SecurityConfigurationProperties.PREFIX + ".csrf";
+
+    /**
+     *
+     * @return Random value's size in bytes. The random value used is used to build a CSRF Token.
+     */
+    int getRandomValueSize();
+
+    /**
+     *
+     * @return The Secret Key that is used to calculate an HMAC as part of a CSRF token generation.
+     */
+    @Nullable
+    String getSecretKey();
+
+    /**
+     * HTTP Header name to look for the CSRF token. It is recommended to use a custom request header. By using a custom HTTP Header name, it will not be possible to send them cross-origin without a permissive CORS implementation.
+     * @return HTTP Header name to look for the CSRF token.
+     */
+    @NonNull
+    String getHeaderName();
+
+    /**
+     *
+     * @return Key to look for the CSRF token in an HTTP Session.
+     */
+    @NonNull
+    String getHttpSessionName();
+
+    /**
+     *
+     * @return Field name in a form url encoded submission  to look for the CSRF token.
+     */
+    @NonNull
+    String getFieldName();
+}