Filter configuration names from the quarkus namespace in the Gradle p…

…lugin (cherry picked from commit a8ecb34)
quarkusio · Nov 8, 2023 · 0f04dff · 0f04dff
1 parent 8e87ba9
commit 0f04dff
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 5 deletions.
diff --git a/...le-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java b/...le-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
@@ -130,6 +130,37 @@ private EffectiveConfig buildEffectiveConfiguration(Map<String, Object> properti
                 .build();
     }
 
+    /**
+     * Filters resolved Gradle configuration for properties in the Quarkus namespace
+     * (as in start with <code>quarkus.</code>). This avoids exposing configuration that may contain secrets or
+     * passwords not related to Quarkus (for instance environment variables storing sensitive data for other systems).
+     *
+     * @param appArtifact the application dependency to retrive the quarkus application name and version.
+     * @return a filtered view of the configuration only with <code>quarkus.</code> names.
+     */
+    protected Map<String, String> buildSystemProperties(ResolvedDependency appArtifact) {
+        Map<String, String> buildSystemProperties = new HashMap<>();
+        buildSystemProperties.putIfAbsent("quarkus.application.name", appArtifact.getArtifactId());
+        buildSystemProperties.putIfAbsent("quarkus.application.version", appArtifact.getVersion());
+
+        for (Map.Entry<String, String> entry : forcedPropertiesProperty.get().entrySet()) {
+            if (entry.getKey().startsWith("quarkus.")) {
+                buildSystemProperties.put(entry.getKey(), entry.getValue());
+            }
+        }
+        for (Map.Entry<String, String> entry : quarkusBuildProperties.get().entrySet()) {
+            if (entry.getKey().startsWith("quarkus.")) {
+                buildSystemProperties.put(entry.getKey(), entry.getValue());
+            }
+        }
+        for (Map.Entry<String, ?> entry : project.getProperties().entrySet()) {
+            if (entry.getKey().startsWith("quarkus.") && entry.getValue() != null) {
+                buildSystemProperties.put(entry.getKey(), entry.getValue().toString());
+            }
+        }
+        return buildSystemProperties;
+    }
+
     private String quarkusProfile() {
         String profile = System.getProperty(QUARKUS_PROFILE);
         if (profile == null) {

diff --git a/...dle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java b/...dle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java
@@ -4,6 +4,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
 
@@ -205,22 +206,28 @@ void generateBuild() {
         });
 
         ApplicationModel appModel = resolveAppModelForBuild();
-        Map<String, String> configMap = extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap();
+        Map<String, String> configMap = new HashMap<>();
+        for (Map.Entry<String, String> entry : extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap()
+                .entrySet()) {
+            if (entry.getKey().startsWith("quarkus.")) {
+                configMap.put(entry.getKey(), entry.getValue());
+            }
+        }
 
         getLogger().info("Starting Quarkus application build for package type {}", packageType);
 
         if (getLogger().isEnabled(LogLevel.INFO)) {
             getLogger().info("Effective properties: {}",
                     configMap.entrySet().stream()
-                            .filter(e -> e.getKey().startsWith("quarkus.")).map(Object::toString)
+                            .map(Object::toString)
                             .sorted()
                             .collect(Collectors.joining("\n    ", "\n    ", "")));
         }
 
         WorkQueue workQueue = workQueue(configMap, () -> extension().buildForkOptions);
 
         workQueue.submit(BuildWorker.class, params -> {
-            params.getBuildSystemProperties().putAll(configMap);
+            params.getBuildSystemProperties().putAll(extension().buildSystemProperties(appModel.getAppArtifact()));
             params.getBaseName().set(extension().finalName());
             params.getTargetDirectory().set(buildDir.toFile());
             params.getAppModel().set(appModel);

diff --git a/docs/src/main/asciidoc/reaugmentation.adoc b/docs/src/main/asciidoc/reaugmentation.adoc
@@ -21,7 +21,6 @@ Initialization steps that used to happen when an EAR file was deployed on a Jaka
 CDI beans added after augmentation won't work (because of the missing proxy classes) as well as build time properties (e.g. `quarkus.datasource.db-kind`) changed after augmentation will be ignored.
 Build time properties are marked with a lock icon (icon:lock[]) in the xref:all-config.adoc[list of all configuration options].
 It doesn't matter if you use profiles or any other way to override the properties.
-The build time properties that were active during augmentation are baked into the build.
 
 > Re-augmentation is the process of recreating the augmentation output for a different build time configuration
 
@@ -33,7 +32,7 @@ If there are only two or three build time properties that depend on the user env
 Please notice that you won't be able to use native images with the package type `mutable-jar`.
 Think of the consequences and what other options you have!
 
-It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes and you could enjoy a cup of coffee until it was ready.
+It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes, and you could enjoy a cup of coffee until it was ready.
 
 == How to re-augment a Quarkus application
 
@@ -46,6 +45,11 @@ TIP: By default, you'll get a warning if a build time property has been changed
 You may set the `quarkus.configuration.build-time-mismatch-at-runtime=fail` property to make sure your application does not start up if there is a mismatch.
 However, as of this writing changing `quarkus.datasource.db-kind` at runtime did neither fail nor produce a warning but was silently ignored.
 
+WARNING: Build time configuration provided by build tools (`properties` in Maven `pom.xml` or `gradle.properties`
+in Gradle) in the `quarkus` namespace will be part of the `mutable-jar` distribution, including configuration from
+`quarkus` that reference secrets or passwords. Please, do not include sensitive information in the build tool
+configuration files.
+
 === 1. Build your application as `mutable-jar`
 
 [source,bash]