Merge branch 'palantir:develop' into ealvarez/mergedssl

.excavator.yml

@@ -5,6 +5,7 @@ auto-label:
     versions-props/upgrade-all: [ "merge when ready" ]
     circleci/manage-circleci: [ "merge when ready" ]
   tags:
+    donotmerge: [ "do not merge" ]
     roomba: [ "merge when ready" ]
     automerge: [ "merge when ready" ]
     autorelease: [ "autorelease" ]

build.gradle

@@ -5,18 +5,18 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.palantir.jakartapackagealignment:jakarta-package-alignment:0.5.0'
-        classpath 'com.palantir.gradle.jdks:gradle-jdks:0.33.0'
-        classpath 'com.palantir.gradle.jdkslatest:gradle-jdks-latest:0.10.0'
+        classpath 'com.palantir.jakartapackagealignment:jakarta-package-alignment:0.6.0'
+        classpath 'com.palantir.gradle.jdks:gradle-jdks:0.34.0'
+        classpath 'com.palantir.gradle.jdkslatest:gradle-jdks-latest:0.12.0'
         classpath 'com.palantir.gradle.externalpublish:gradle-external-publish-plugin:1.12.0'
-        classpath 'com.palantir.javaformat:gradle-palantir-java-format:2.35.0'
+        classpath 'com.palantir.javaformat:gradle-palantir-java-format:2.38.0'
         classpath 'com.palantir.gradle.revapi:gradle-revapi:1.7.0'
         classpath 'com.netflix.nebula:gradle-dependency-lock-plugin:7.0.1'
-        classpath 'com.palantir.baseline:gradle-baseline-java:5.13.0'
+        classpath 'com.palantir.baseline:gradle-baseline-java:5.25.0'
         classpath 'com.palantir.gradle.gitversion:gradle-git-version:3.0.0'
-        classpath 'com.palantir.metricschema:gradle-metric-schema:0.22.0'
+        classpath 'com.palantir.metricschema:gradle-metric-schema:0.25.0'
         classpath 'gradle.plugin.org.inferred:gradle-processors:3.7.0'
-        classpath 'com.palantir.gradle.consistentversions:gradle-consistent-versions:2.13.0'
+        classpath 'com.palantir.gradle.consistentversions:gradle-consistent-versions:2.16.0'
     }
 }
 
@@ -29,7 +29,7 @@ apply plugin: 'com.palantir.jdks.latest'
 
 javaVersions {
     libraryTarget = 11
-    runtime = 17
+    runtime = 21
 }
 
 version gitVersion()
@@ -67,12 +67,6 @@ allprojects {
                 version { strictly '2.4.0' }
                 because 'Retrofit 2.5.0 breaks with our path parameter routing logic'
             }
-
-            rootConfiguration 'com.squareup.okhttp3:okhttp', {
-                version { strictly '[3, 3.14.0[' }
-                because 'okhttp 3.14.0 removed UnrepeatableRequestBody which is relied on by an internal library'
-            }
-
         }
     }
 }
@@ -81,7 +75,7 @@ subprojects {
     apply plugin: 'java-library'
     apply plugin: 'com.palantir.baseline-class-uniqueness'
 
-    tasks.check.dependsOn javadoc, checkUnusedDependencies
+    tasks.check.dependsOn javadoc, checkImplicitDependenciesMain, checkUnusedDependencies
 
     test {
         minHeapSize = "512m"

changelog/7.62.0/pr-2714.v2.yml

@@ -0,0 +1,5 @@
+type: fix
+fix:
+  description: Replace deprecated mappingException
+  links:
+  - https://github.com/palantir/conjure-java-runtime/pull/2714

changelog/7.65.0/pr-2721.v2.yml

@@ -0,0 +1,5 @@
+type: fix
+fix:
+  description: Always load certificates from the same jar as the code
+  links:
+  - https://github.com/palantir/conjure-java-runtime/pull/2721

changelog/7.67.0/pr-2709.v2.yml

@@ -0,0 +1,5 @@
+type: improvement
+improvement:
+  description: Bump to OkHttp 4.X
+  links:
+  - https://github.com/palantir/conjure-java-runtime/pull/2709

client-config/build.gradle

@@ -7,7 +7,10 @@ dependencies {
     api 'com.palantir.tritium:tritium-registry'
     api 'com.google.errorprone:error_prone_annotations'
     api 'com.palantir.refreshable:refreshable'
+    implementation 'com.palantir.conjure.java.api:ssl-config'
+    implementation 'com.palantir.safe-logging:preconditions'
     implementation 'com.palantir.safe-logging:safe-logging'
+    implementation 'com.google.code.findbugs:jsr305'
     implementation 'com.google.guava:guava'
     implementation project(":keystores")
 

client-config/src/main/java/com/palantir/conjure/java/client/config/ClientConfiguration.java

@@ -23,6 +23,7 @@
 import com.palantir.conjure.java.api.config.service.PartialServiceConfiguration;
 import com.palantir.conjure.java.api.config.service.ServiceConfiguration;
 import com.palantir.conjure.java.api.config.service.UserAgent;
+import com.palantir.logsafe.DoNotLog;
 import com.palantir.logsafe.SafeArg;
 import com.palantir.logsafe.UnsafeArg;
 import com.palantir.tritium.metrics.registry.TaggedMetricRegistry;
@@ -38,6 +39,7 @@
  * A context-independent (i.e., does not depend on configuration files or on-disk entities like JKS keystores)
  * instantiation of a {@link ServiceConfiguration}.
  */
+@DoNotLog
 @Value.Immutable
 @ImmutablesStyle
 public interface ClientConfiguration {

client-config/src/main/java/com/palantir/conjure/java/client/config/ClientConfigurations.java

@@ -25,8 +25,10 @@
 import com.palantir.conjure.java.api.config.ssl.SslConfiguration;
 import com.palantir.conjure.java.config.ssl.SslSocketFactories;
 import com.palantir.conjure.java.config.ssl.TrustContext;
+import com.palantir.logsafe.SafeArg;
 import com.palantir.logsafe.UnsafeArg;
 import com.palantir.logsafe.exceptions.SafeIllegalArgumentException;
+import com.palantir.logsafe.exceptions.SafeIllegalStateException;
 import com.palantir.logsafe.logger.SafeLogger;
 import com.palantir.logsafe.logger.SafeLoggerFactory;
 import com.palantir.tritium.metrics.registry.SharedTaggedMetricRegistries;
@@ -200,7 +202,10 @@ public static ProxySelector createProxySelector(ProxyConfiguration proxyConfig)
                 // fall through
         }
 
-        throw new IllegalStateException("Failed to create ProxySelector for proxy configuration: " + proxyConfig);
+        throw new SafeIllegalStateException(
+                "Failed to create ProxySelector for proxy configuration",
+                SafeArg.of("type", proxyConfig.type()),
+                UnsafeArg.of("hostAndPort", proxyConfig.hostAndPort()));
     }
 
     @VisibleForTesting

conjure-java-jackson-serialization/build.gradle

@@ -12,8 +12,13 @@ dependencies {
     api "com.fasterxml.jackson.datatype:jackson-datatype-joda"
     api "com.fasterxml.jackson.datatype:jackson-datatype-jsr310"
     api "com.palantir.safe-logging:preconditions"
+    implementation 'com.fasterxml.jackson.core:jackson-core'
+    implementation 'com.google.code.findbugs:jsr305'
+    implementation 'com.google.guava:guava'
     implementation "com.palantir.safe-logging:logger"
+    implementation 'com.palantir.safe-logging:safe-logging'
     implementation 'com.palantir.tritium:tritium-registry'
+    implementation 'io.dropwizard.metrics:metrics-core'
 
     testImplementation "org.assertj:assertj-core"
     testImplementation 'org.junit.jupiter:junit-jupiter'

conjure-java-jackson-serialization/src/main/java/com/palantir/conjure/java/serialization/ObjectMappers.java

@@ -17,6 +17,7 @@
 package com.palantir.conjure.java.serialization;
 
 import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.StreamReadConstraints;
 import com.fasterxml.jackson.core.TSFBuilder;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.MapperFeature;
@@ -243,12 +244,18 @@ public static CBORFactory cborFactory() {
 
     /** Configures provided JsonFactory with Conjure default settings. */
     private static <F extends JsonFactory, B extends TSFBuilder<F, B>> B withDefaults(B builder) {
-        return ReflectiveStreamReadConstraints.withDefaultConstraints(builder
+        return builder
                 // Interning introduces excessive contention https://github.com/FasterXML/jackson-core/issues/946
                 .disable(JsonFactory.Feature.INTERN_FIELD_NAMES)
                 // Canonicalization can be helpful to avoid string re-allocation, however we expect unbounded
                 // key space due to use of maps keyed by random identifiers, which cause heavy heap churn.
                 // See this discussion: https://github.com/FasterXML/jackson-benchmarks/pull/6
-                .disable(JsonFactory.Feature.CANONICALIZE_FIELD_NAMES));
+                .disable(JsonFactory.Feature.CANONICALIZE_FIELD_NAMES)
+                .streamReadConstraints(StreamReadConstraints.builder()
+                        // 50mb up from the default 20mb as a more permissive value to begin with, which we can ratchet
+                        // down over time. This allows us to decouple the initial risk of adopting string length limits
+                        // from the risk introduced by taking a dependency upgrade.
+                        .maxStringLength(50_000_000)
+                        .build());
     }
 }

conjure-java-jackson-serialization/src/main/java/com/palantir/conjure/java/serialization/PathDeserializer.java

@@ -37,10 +37,15 @@
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonToken;
 import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.deser.std.StdScalarDeserializer;
+import com.google.errorprone.annotations.CompileTimeConstant;
+import com.palantir.logsafe.Arg;
+import com.palantir.logsafe.SafeLoggable;
 import java.io.IOException;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.List;
 
 public final class PathDeserializer extends StdScalarDeserializer<Path> {
     private static final long serialVersionUID = 1;
@@ -58,6 +63,26 @@ public Path deserialize(JsonParser parser, DeserializationContext ctxt) throws I
             }
             // 16-Oct-2015: should we perhaps allow JSON Arrays (of Strings) as well?
         }
-        throw ctxt.mappingException(Path.class, token);
+        throw new SafeJsonMappingException(
+                "Could not deserialize path", parser, ctxt.wrongTokenException(parser, Path.class, token, null));
+    }
+
+    private static final class SafeJsonMappingException extends JsonMappingException implements SafeLoggable {
+        private final String logMessage;
+
+        SafeJsonMappingException(@CompileTimeConstant String message, JsonParser parser, JsonMappingException cause) {
+            super(parser, message, cause);
+            this.logMessage = message;
+        }
+
+        @Override
+        public String getLogMessage() {
+            return logMessage;
+        }
+
+        @Override
+        public List<Arg<?>> getArgs() {
+            return List.of();
+        }
     }
 }

conjure-java-jaxrs-client/build.gradle

@@ -15,12 +15,19 @@ dependencies {
     api "com.palantir.dialogue:dialogue-target"
 
     implementation project(":conjure-java-annotations")
+    implementation 'com.fasterxml.jackson.core:jackson-annotations'
+    implementation 'com.fasterxml.jackson.core:jackson-core'
+    implementation 'com.fasterxml.jackson.core:jackson-databind'
+    implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor'
+    implementation 'com.palantir.conjure.java.api:errors'
+    implementation 'com.palantir.conjure.java.api:service-config'
     implementation "com.palantir.dialogue:dialogue-apache-hc5-client"
     implementation "com.palantir.dialogue:dialogue-core"
     implementation "com.palantir.dialogue:dialogue-serde"
     implementation 'com.palantir.safe-logging:logger'
-
+    implementation 'com.palantir.safe-logging:safe-logging'
     implementation 'com.palantir.tritium:tritium-registry'
+    implementation 'io.dropwizard.metrics:metrics-core'
 
     implementation project(":conjure-java-jackson-serialization")
     implementation "com.google.guava:guava"

conjure-java-jersey-jakarta-server/build.gradle

@@ -8,14 +8,23 @@ dependencies {
 
     implementation 'com.palantir.tritium:tritium-registry'
     implementation 'io.dropwizard.metrics:metrics-core'
+    implementation 'com.fasterxml.jackson.core:jackson-core'
+    implementation 'com.fasterxml.jackson.core:jackson-databind'
+    implementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor'
     implementation "com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-cbor-provider", {
         // activation-api should be a 'compileOnly' dependency where 'jakarta.activation' should be used at runtime
         exclude module: 'jakarta.activation-api'
     }
+    implementation 'com.google.code.findbugs:jsr305'
+    implementation 'com.google.guava:guava'
     implementation "com.netflix.feign:feign-core"
     implementation "com.palantir.safe-logging:safe-logging"
     implementation 'com.palantir.tokens:auth-tokens'
     implementation "com.palantir.tracing:tracing-jersey-jakarta"
+    implementation 'jakarta.annotation:jakarta.annotation-api'
+    implementation 'jakarta.inject:jakarta.inject-api'
+    implementation 'jakarta.ws.rs:jakarta.ws.rs-api'
+    implementation 'org.glassfish.jersey.core:jersey-common'
     implementation project(':conjure-java-jackson-serialization')
 
     runtimeOnly "org.glassfish.jersey.ext:jersey-bean-validation"

conjure-java-jersey-jakarta-server/src/main/java/com/palantir/conjure/java/server/jersey/AuthHeaderParamConverterProvider.java

@@ -16,6 +16,7 @@
 
 package com.palantir.conjure.java.server.jersey;
 
+import com.palantir.logsafe.DoNotLog;
 import com.palantir.logsafe.Preconditions;
 import com.palantir.tokens.auth.AuthHeader;
 import jakarta.ws.rs.HeaderParam;
@@ -81,6 +82,7 @@ public AuthHeader fromString(final String value) {
             }
         }
 
+        @DoNotLog
         @Override
         public String toString(final AuthHeader value) {
             Preconditions.checkArgument(value != null);

conjure-java-jersey-jakarta-server/src/main/java/com/palantir/conjure/java/server/jersey/BearerTokenParamConverterProvider.java

@@ -16,6 +16,7 @@
 
 package com.palantir.conjure.java.server.jersey;
 
+import com.palantir.logsafe.DoNotLog;
 import com.palantir.logsafe.Preconditions;
 import com.palantir.tokens.auth.BearerToken;
 import jakarta.ws.rs.CookieParam;
@@ -80,6 +81,7 @@ public BearerToken fromString(final String value) {
             }
         }
 
+        @DoNotLog
         @Override
         public String toString(final BearerToken value) {
             Preconditions.checkArgument(value != null);