From 6b711c950f02f1a2082e6d4ea833ac8eef97ac2b Mon Sep 17 00:00:00 2001
From: Roberto Cortez
Date: Wed, 25 Oct 2023 19:04:40 +0100
Subject: [PATCH] Filter configuration names from the quarkus namespace in the Gradle plugin
---
 .../tasks/AbstractQuarkusExtension.java | 31 +++++++++++++++++++
 .../gradle/tasks/QuarkusBuildTask.java | 13 ++++++--
 docs/src/main/asciidoc/reaugmentation.adoc | 8 +++--
 3 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
index 2e97ca979576c..872d1a6f10c65 100644
--- a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
+++ b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/AbstractQuarkusExtension.java
@@ -128,6 +128,37 @@ private EffectiveConfig buildEffectiveConfiguration(Map properti
 .build();
 }
+ /**
+ * Filters resolved Gradle configuration for properties in the Quarkus namespace
+ * (as in start with quarkus.). This avoids exposing configuration that may contain secrets or
+ * passwords not related to Quarkus (for instance environment variables storing sensitive data for other systems).
+ *
+ * @param appArtifact the application dependency to retrive the quarkus application name and version.
+ * @return a filtered view of the configuration only with quarkus. names.
+ */
+ protected Map buildSystemProperties(ResolvedDependency appArtifact) {
+ Map buildSystemProperties = new HashMap<>();
+ buildSystemProperties.putIfAbsent("quarkus.application.name", appArtifact.getArtifactId());
+ buildSystemProperties.putIfAbsent("quarkus.application.version", appArtifact.getVersion());
+
+ for (Map.Entry entry : forcedPropertiesProperty.get().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.")) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue());
+ }
+ }
+ for (Map.Entry entry : quarkusBuildProperties.get().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.")) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue());
+ }
+ }
+ for (Map.Entry entry : project.getProperties().entrySet()) {
+ if (entry.getKey().startsWith("quarkus.") && entry.getValue() != null) {
+ buildSystemProperties.put(entry.getKey(), entry.getValue().toString());
+ }
+ }
+ return buildSystemProperties;
+ }
+
 private String quarkusProfile() {
 String profile = System.getProperty(QUARKUS_PROFILE);
 if (profile == null) {
diff --git a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java
index b4c664b88e2e1..42a2ea257b487 100644
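Review bot: The merge order in `buildSystemProperties` lets later sources overwrite earlier ones, so a `quarkus.*` key set in `forcedPropertiesProperty` is replaced by the same key from `quarkusBuildProperties` or `project.getProperties()`; if forced properties are meant to take precedence, that loop should run last rather than first. The two `putIfAbsent` calls run on a freshly created map and therefore behave as plain `put`, which makes the application name and version defaults that any of the three loops can override. Whichever precedence is intended, the Javadoc should state it, for example `* Later sources win: forced properties, then build properties, then project properties.`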
--- a/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java +++ b/devtools/gradle/gradle-application-plugin/src/main/java/io/quarkus/gradle/tasks/QuarkusBuildTask.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; +import java.util.HashMap; import java.util.Map; import java.util.stream.Collectors; @@ -203,14 +204,20 @@ void generateBuild() { }); ApplicationModel appModel = resolveAppModelForBuild(); - Map configMap = extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap(); + Map configMap = new HashMap<>(); + for (Map.Entry entry : extension().buildEffectiveConfiguration(appModel.getAppArtifact()).configMap() + .entrySet()) { + if (entry.getKey().startsWith("quarkus.")) { + configMap.put(entry.getKey(), entry.getValue()); + } + } getLogger().info("Starting Quarkus application build for package type {}", packageType); if (getLogger().isEnabled(LogLevel.INFO)) { getLogger().info("Effective properties: {}", configMap.entrySet().stream() - .filter(e -> e.getKey().startsWith("quarkus.")).map(Object::toString) + .map(Object::toString) .sorted() .collect(Collectors.joining("\n ", "\n ", ""))); } @@ -218,7 +225,7 @@ void generateBuild() { WorkQueue workQueue = workQueue(configMap, () -> extension().buildForkOptions); workQueue.submit(BuildWorker.class, params -> { - params.getBuildSystemProperties().putAll(configMap); + params.getBuildSystemProperties().putAll(extension().buildSystemProperties(appModel.getAppArtifact())); params.getBaseName().set(extension().finalName()); params.getTargetDirectory().set(buildDir.toFile()); params.getAppModel().set(appModel); diff --git a/docs/src/main/asciidoc/reaugmentation.adoc b/docs/src/main/asciidoc/reaugmentation.adoc index d95d0bee6b687..7ba30f4fdb9cd 100644 --- a/docs/src/main/asciidoc/reaugmentation.adoc +++ b/docs/src/main/asciidoc/reaugmentation.adoc 
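Review bot: The INFO message `Effective properties: {}` in the `@@ -203,14 +204,20 @@` hunk still renders each entry through `Object::toString`, i.e. name and value, so a credential-bearing key inside the `quarkus.` namespace ends up in the build log in clear text; the prefix filter narrows which entries are printed but does not mask their values. Logging names only keeps the diagnostic without the values: `.map(Map.Entry::getKey)` in place of `.map(Object::toString)`. `generateBuild()` starts before and continues after this hunk, so other consumers of `configMap` are not visible here.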
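Review bot: In the `@@ -218,7 +225,7 @@` hunk the worker now receives `extension().buildSystemProperties(appModel.getAppArtifact())`, while `configMap` remains what the `Effective properties` log prints and what `workQueue(configMap, ...)` is given, so the logged set and the set handed to `BuildWorker` come from two different builders. If `buildEffectiveConfiguration` draws on sources other than the forced, build and project properties (its body is not shown here), the log no longer describes what the worker actually sees. Assigning the result to a local before the log statement and reusing it, ending in `params.getBuildSystemProperties().putAll(buildSystemProperties);`, would keep the two aligned; at minimum a comment above `putAll` should say why the maps differ. `generateBuild()` extends beyond this hunk.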
@@ -20,7 +20,6 @@ Initialization steps that used to happen when an EAR file was deployed on a Jaka CDI beans added after augmentation won't work (because of the missing proxy classes) as well as build time properties (e.g. `quarkus.datasource.db-kind`) changed after augmentation will be ignored. Build time properties are marked with a lock icon (icon:lock[]) in the xref:all-config.adoc[list of all configuration options]. It doesn't matter if you use profiles or any other way to override the properties. -The build time properties that were active during augmentation are baked into the build. > Re-augmentation is the process of recreating the augmentation output for a different build time configuration @@ -32,7 +31,7 @@ If there are only two or three build time properties that depend on the user env Please notice that you won't be able to use native images with the package type `mutable-jar`. Think of the consequences and what other options you have! -It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes and you could enjoy a cup of coffee until it was ready. +It is not a good idea to do re-augmentation at runtime unless you miss the good old times when starting up a server took several minutes, and you could enjoy a cup of coffee until it was ready. == How to re-augment a Quarkus application 
@@ -45,6 +44,11 @@ TIP: By default, you'll get a warning if a build time property has been changed You may set the `quarkus.configuration.build-time-mismatch-at-runtime=fail` property to make sure your application does not start up if there is a mismatch. However, as of this writing changing `quarkus.datasource.db-kind` at runtime did neither fail nor produce a warning but was silently ignored. +WARNING: Build time configuration provided by build tools (`properties` in Maven `pom.xml` or `gradle.properties` +in Gradle) in the `quarkus` namespace will be part of the `mutable-jar` distribution, including configuration from +`quarkus` that reference secrets or passwords. Please, do not include sensitive information in the build tool +configuration files. + === 1. Build your application as `mutable-jar` [source,bash]