Quarkus Gradle plugin fails to initialize when an "aes-gcm-nopadding"-encrypted value is present in application.properties #33135

jskillin-idt · 2023-05-04T22:51:47Z

Describe the bug

The Gradle Quarkus plugin gives the following error if any ${aes-gcm-nopadding::...} values are present in the application.properties file:

FAILURE: Build failed with an exception.

* What went wrong:
Could not determine the dependencies of task ':quarkusBuild'.
> SRCFG00046: Could not find a secret key handler for aes-gcm-nopadding

The build.gradle file has the correct dependencies:

dependencies {
    implementation enforcedPlatform("${quarkusPlatformGroupId}:${quarkusPlatformArtifactId}:${quarkusPlatformVersion}")
    implementation 'io.quarkus:quarkus-arc'
    implementation 'io.smallrye.config:smallrye-config-crypto'
    testImplementation 'io.quarkus:quarkus-junit5'
}

This failure does not appear in a Maven build.

Here is a portion of the stack trace:

Caused by: java.util.NoSuchElementException: SRCFG00046: Could not find a secret key handler for aes-gcm-nopadding
        at io.smallrye.config.SecretKeysHandlerConfigSourceInterceptor.getSecretValue(SecretKeysHandlerConfigSourceInterceptor.java:35)
        at io.smallrye.config.SecretKeysHandlerConfigSourceInterceptor.getValue(SecretKeysHandlerConfigSourceInterceptor.java:24)
        at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
        at io.smallrye.config.FallbackConfigSourceInterceptor.getValue(FallbackConfigSourceInterceptor.java:24)
        at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
        at io.smallrye.config.PropertyNamesConfigSourceInterceptor.getValue(PropertyNamesConfigSourceInterceptor.java:17)
        at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
        at io.smallrye.config.SmallRyeConfig.getConfigValue(SmallRyeConfig.java:323)
        at io.quarkus.gradle.tasks.EffectiveConfig.lambda$generateFullConfigMap$1(EffectiveConfig.java:108)
        at io.quarkus.gradle.tasks.EffectiveConfig.generateFullConfigMap(EffectiveConfig.java:107)
        at io.quarkus.gradle.tasks.EffectiveConfig.<init>(EffectiveConfig.java:87)
        at io.quarkus.gradle.tasks.EffectiveConfig$Builder.build(EffectiveConfig.java:165)
        at io.quarkus.gradle.tasks.AbstractQuarkusExtension.buildEffectiveConfiguration(AbstractQuarkusExtension.java:128)
        at io.quarkus.gradle.tasks.AbstractQuarkusExtension.buildBaseConfig(AbstractQuarkusExtension.java:69)
        at org.gradle.api.internal.provider.DefaultProvider.calculateOwnValue(DefaultProvider.java:72)
        at org.gradle.api.internal.provider.AbstractMinimalProvider.calculateValue(AbstractMinimalProvider.java:108)
        at org.gradle.api.internal.provider.TransformBackedProvider.calculateOwnValue(TransformBackedProvider.java:82)
        at org.gradle.api.internal.provider.AbstractMinimalProvider.calculateValue(AbstractMinimalProvider.java:108)
        at org.gradle.api.internal.provider.AbstractMinimalProvider.withFinalValue(AbstractMinimalProvider.java:164)
        at org.gradle.api.internal.provider.DefaultProperty.finalValue(DefaultProperty.java:133)
        at org.gradle.api.internal.provider.DefaultProperty.finalValue(DefaultProperty.java:26)
        at org.gradle.api.internal.provider.AbstractProperty.finalizeNow(AbstractProperty.java:245)
        at org.gradle.api.internal.provider.AbstractProperty.finalizeValue(AbstractProperty.java:194)
        at io.quarkus.gradle.tasks.AbstractQuarkusExtension.baseConfig(AbstractQuarkusExtension.java:74)
        at io.quarkus.gradle.tasks.QuarkusBuildTask.packageType(QuarkusBuildTask.java:60)
        at io.quarkus.gradle.tasks.QuarkusBuild.getBuildInputFiles(QuarkusBuild.java:168)
        at io.quarkus.gradle.tasks.QuarkusBuild_Decorated.getBuildInputFiles(Unknown Source)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at org.gradle.internal.reflect.annotations.impl.DefaultPropertyAnnotationMetadata.getPropertyValue(DefaultPropertyAnnotationMetadata.java:97)
        at org.gradle.internal.properties.annotations.DefaultTypeMetadataStore$DefaultPropertyMetadata.getPropertyValue(DefaultTypeMetadataStore.java:266)
        at org.gradle.internal.properties.bean.DefaultPropertyWalker$1.lambda$visitLeaf$0(DefaultPropertyWalker.java:88)
        at org.gradle.internal.deprecation.DeprecationLogger.whileDisabled(DeprecationLogger.java:258)
        at org.gradle.internal.properties.bean.DefaultPropertyWalker$CachedPropertyValue.lambda$new$0(DefaultPropertyWalker.java:105)
        at com.google.common.base.Suppliers$NonSerializableMemoizingSupplier.get(Suppliers.java:183)
        at org.gradle.internal.properties.bean.DefaultPropertyWalker$CachedPropertyValue.call(DefaultPropertyWalker.java:147)
        at org.gradle.util.internal.GUtil.uncheckedCall(GUtil.java:437)
        at org.gradle.util.internal.DeferredUtil.unpackNestableDeferred(DeferredUtil.java:83)
        at org.gradle.api.internal.file.collections.UnpackingVisitor.add(UnpackingVisitor.java:90)
        at org.gradle.api.internal.file.DefaultFileCollectionFactory$ResolvingFileCollection.visitChildren(DefaultFileCollectionFactory.java:285)
        at org.gradle.api.internal.file.CompositeFileCollection.visitDependencies(CompositeFileCollection.java:122)
        at org.gradle.api.internal.tasks.CachingTaskDependencyResolveContext$TaskGraphImpl.getNodeValues(CachingTaskDependencyResolveContext.java:103)
        at org.gradle.internal.graph.CachingDirectedGraphWalker$GraphWithEmptyEdges.getNodeValues(CachingDirectedGraphWalker.java:213)
        at org.gradle.internal.graph.CachingDirectedGraphWalker.doSearch(CachingDirectedGraphWalker.java:121)
        at org.gradle.internal.graph.CachingDirectedGraphWalker.findValues(CachingDirectedGraphWalker.java:73)
        at org.gradle.api.internal.tasks.CachingTaskDependencyResolveContext.getDependencies(CachingTaskDependencyResolveContext.java:66)
        ... 142 more

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

Reproducer: https://github.com/jskillin-idt/quarkusio-quarkus-issues-33135

To recreate the reproducer:

Simply create a repo: quarkus create app --no-code --gradle
In src/main/resources/application.properties add the line: someValue = ${aes-gcm-nopadding::garbage} (it doesn't matter what it is as long as it references "aes-gcm-nopadding")

With either your own repo or the reproducer, simply:

Run ./gradlew build

Notice that the configuration of the build.gradle, through dependencies or classpath, does not appear to affect the outcome.

Output of `uname -a` or `ver`

Linux jskillin-ubuntu-dev 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Output of `java -version`

openjdk version "11.0.18" 2023-01-17 OpenJDK Runtime Environment (build 11.0.18+10-post-Ubuntu-0ubuntu5) OpenJDK 64-Bit Server VM (build 11.0.18+10-post-Ubuntu-0ubuntu5, mixed mode, sharing)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

3.0.2.Final

Build tool (ie. output of `mvnw --version` or `gradlew --version`)

Gradle 8.1

Additional information

No response

The text was updated successfully, but these errors were encountered:

quarkus-bot · 2023-05-04T22:51:51Z

/cc @glefloch, @quarkusio/devtools

gastaldi · 2023-05-04T22:57:34Z

/cc @radcortez

radcortez · 2023-05-05T13:17:50Z

I'll have a look.

radcortez · 2023-05-05T23:10:43Z

In #31166, the Gradle plugin was refactored to use SmallRye Config and set its own configuration.

The problem is that the Config instance in the Gradle plugin reads application.properties, which contains the secret handler, but it doesn't add the dependency of smallrye-config-crypto.

We could:

Add the crypto dependency to the Gradle Plugin
Configure the Gradle build to add the dependency to the plugin? (not sure if this is possible)
Add the crypto dependency to the Quarkus Core

I'm not a Gradle expert, so some help from @snazy would be appreciated :)

snazy · 2023-05-06T10:47:49Z

Adding the dependency isn't a big deal, however the dependency requires the decryption key to be present, even if no value's encrypted. Not sure whether the Gradle build itself (Quarkus build is not affected should actually get the decrypted values at all. Thinking that it should probably be "good enough" to just return <REDACTED> for each encrypted value. WDYT?

As decribed in quarkusio#33135, using encrypted configuration values does not work with the current Gradle plugin since Quarkus 3.0.0. `smallrye-config-crypto` requires the `smallrye.config.secret-handler.aes-gcm-nopadding.encryption-key` to be present for _all_ builds, even those that do not use encrypted config values. It is probably not necessary to actually know the decrypted configuration values in the Gradle build, it might practically be a security risk, because the secret key could leak into build log files (could be prevented of course) and the Gradle cache, which has a high chance of being shared with others, likely publicly. This PR adds a "fake" secret keys handler that just returns the string `<REDACTED>` for all encrypted values. Fixes quarkusio#33135

As decribed in quarkusio#33135, using encrypted configuration values did not work with the Gradle plugin since Quarkus 3.0.0, prior to SmallRye Config 3.3.0 (quarkusio#33079). This change just adds tests to validate the behavior.

jskillin-idt added the kind/bug Something isn't working label May 4, 2023

quarkus-bot bot added the area/gradle Gradle label May 4, 2023

gastaldi added the area/config label May 4, 2023

snazy mentioned this issue May 6, 2023

Quarkus Gradle Plugin: tests with encrypted configuration #33173

Merged

radcortez mentioned this issue May 24, 2023

Update SmallRye Config to 3.3.0 #33079

Merged

gsmet closed this as completed in #33079 Jun 13, 2023

quarkus-bot bot added this to the 3.2 - main milestone Jun 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Quarkus Gradle plugin fails to initialize when an "aes-gcm-nopadding"-encrypted value is present in application.properties #33135

Quarkus Gradle plugin fails to initialize when an "aes-gcm-nopadding"-encrypted value is present in application.properties #33135

jskillin-idt commented May 4, 2023 •

edited

Loading

quarkus-bot bot commented May 4, 2023

gastaldi commented May 4, 2023

radcortez commented May 5, 2023

radcortez commented May 5, 2023

snazy commented May 6, 2023

Quarkus Gradle plugin fails to initialize when an "aes-gcm-nopadding"-encrypted value is present in application.properties #33135

Quarkus Gradle plugin fails to initialize when an "aes-gcm-nopadding"-encrypted value is present in application.properties #33135

Comments

jskillin-idt commented May 4, 2023 • edited Loading

Describe the bug

Expected behavior

Actual behavior

How to Reproduce?

Output of uname -a or ver

Output of java -version

GraalVM version (if different from Java)

Quarkus version or git rev

Build tool (ie. output of mvnw --version or gradlew --version)

Additional information

quarkus-bot bot commented May 4, 2023

gastaldi commented May 4, 2023

radcortez commented May 5, 2023

radcortez commented May 5, 2023

snazy commented May 6, 2023

jskillin-idt commented May 4, 2023 •

edited

Loading

Output of `uname -a` or `ver`

Output of `java -version`

Build tool (ie. output of `mvnw --version` or `gradlew --version`)