Merge branch 'master' into COMP-1146-fix-error-messages

Author: munishchouhan

CLAUDE.md

@@ -51,7 +51,7 @@ Wave requires several environment variables for registry authentication:
 - Uses Micronaut's configuration system with property injection
 
 ## Technology Stack
-- **Framework**: Micronaut 4.x with Netty runtime
+- **Framework**: Micronaut 4.10.6 with Netty runtime
 - **Language**: Groovy with Java 21+
 - **Build Tool**: Gradle with custom conventions
 - **Container**: JIB for multi-platform builds (AMD64/ARM64)

VERSION

@@ -1 +1 @@
-1.31.2
+1.32.0

build.gradle

@@ -49,6 +49,7 @@ dependencies {
     implementation 'io.seqera:jedis-lock:1.0.0'
     implementation 'io.seqera:lib-data-queue-redis:1.1.1'
     implementation 'io.seqera:lib-data-stream-redis:1.1.2'
+    implementation 'io.seqera:lib-jedis-pool:1.0.0'
     implementation 'io.micronaut:micronaut-http-client'
     implementation 'io.micronaut:micronaut-jackson-databind'
     implementation 'io.micronaut.groovy:micronaut-runtime-groovy'
@@ -91,7 +92,6 @@ dependencies {
     implementation 'org.postgresql:postgresql:42.7.7'        // PostgreSQL Driver
     //object storage dependency
     implementation 'io.micronaut.objectstorage:micronaut-object-storage-aws'
-    implementation 'io.micronaut.objectstorage:micronaut-object-storage-local'
     // include sts to allow the use of service account role - https://stackoverflow.com/a/73306570
     // this sts dependency is require by micronaut-aws-parameter-store,
     // not directly used by the app, for this reason keeping `runtimeOnly`

changelog.txt

@@ -1,4 +1,10 @@
 # Wave changelog
+1.32.0 - 12 Jan 2026
+- Upgrade to Micronaut 4.10.6 (#951) [6dda24c2b]
+- Use noarch node selector for mirror and transfer jobs (#953) [54f985174]
+- Replace RedisFactory with JedisPoolFactory from lib-jedis-pool [c8040227b]
+- Add missing HTTP Security Header (#955) [c48b8511c]
+
 1.31.2 - 17 Dec 2025
 - Add JavaDocs to PixiOpts and update tests for new default pixi image (#950) [7f49bb8b4]
 - docs: Style template build content (#948) [aa40d5513]

gradle.properties

@@ -16,5 +16,5 @@
 #  along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-micronautVersion=4.9.4
+micronautVersion=4.10.6
 micronautEnvs=local,mail,aws-ses

src/main/groovy/io/seqera/wave/configuration/SecurityHeadersConfig.groovy

@@ -0,0 +1,120 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2024, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.configuration
+
+import javax.annotation.Nullable
+import javax.annotation.PostConstruct
+
+import groovy.transform.CompileStatic
+import groovy.transform.ToString
+import groovy.util.logging.Slf4j
+import io.micronaut.context.annotation.Requires
+import io.micronaut.context.annotation.Value
+import jakarta.inject.Singleton
+
+/**
+ * Configuration for HTTP security headers
+ *
+ * @author Munish Chouhan <[email protected]>
+ */
+@ToString(includeNames = true, includePackage = false)
+@CompileStatic
+@Slf4j
+@Singleton
+@Requires(property = 'wave.security.http-headers.enabled', value = 'true', defaultValue = 'true')
+class SecurityHeadersConfig {
+
+    /**
+     * Enable or disable security headers globally
+     */
+    @Value('${wave.security.http-headers.enabled:true}')
+    Boolean enabled
+
+    /**
+     * HSTS max-age in seconds
+     * default to 1 year (31536000 seconds)
+     * This tell browsers to only use HTTPS for one year (31,536,000 seconds) or custom value set by user,
+     * preventing downgrade attacks and improving security by ensuring encrypted connections by default,
+     * for more information check https://hstspreload.org/#submission-requirements
+     */
+    @Value('${wave.security.http-headers.hsts.max-age:31536000}')
+    Long hstsMaxAge
+
+    /**
+     * Include subdomains in HSTS
+     */
+    @Value('${wave.security.http-headers.hsts.include-sub-domains:true}')
+    Boolean hstsIncludeSubDomains
+
+    /**
+     * X-Frame-Options header value (default: `DENY`)
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.frame-options}')
+    String frameOptions
+
+    /**
+     * X-Content-Type-Options header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.content-type-options}')
+    String contentTypeOptions
+
+    /**
+     * Referrer-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.referrer-policy}')
+    String referrerPolicy
+
+    /**
+     * Permissions-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.permissions-policy}')
+    String permissionsPolicy
+
+    /**
+     * Content-Security-Policy header value
+     */
+    @Nullable
+    @Value('${wave.security.http-headers.content-security-policy}')
+    String contentSecurityPolicy
+
+    @PostConstruct
+    private void init() {
+        log.info("Security headers config: enabled=${enabled}; hsts-max-age=${hstsMaxAge}; hsts-include-sub-domains=${hstsIncludeSubDomains}; " +
+                "frame-options=${frameOptions}; content-type-options=${contentTypeOptions}; referrer-policy=${referrerPolicy}; " +
+                "permissions-policy=${permissionsPolicy}; csp=${contentSecurityPolicy}")
+    }
+
+    /**
+     * Build the HSTS header value
+     */
+    String getHstsValue() {
+        if (hstsMaxAge == null) {
+            return null
+        }
+        final result = new StringBuilder("max-age=${hstsMaxAge}")
+        if (hstsIncludeSubDomains) {
+            result.append("; includeSubDomains")
+        }
+        return result.toString()
+    }
+}

src/main/groovy/io/seqera/wave/filter/FilterOrder.groovy

@@ -27,6 +27,7 @@ package io.seqera.wave.filter
  */
 interface FilterOrder {
 
+    final int SECURITY_HEADERS = -120
     final int DENY_CRAWLER = -110
     final int DENY_PATHS = -100
     final int RATE_LIMITER = -50

src/main/groovy/io/seqera/wave/filter/SecurityHeadersFilter.groovy

@@ -0,0 +1,98 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2024, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.filter
+
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import io.micronaut.context.annotation.Requires
+import io.micronaut.core.order.Ordered
+import io.micronaut.http.HttpResponse
+import io.micronaut.http.MutableHttpResponse
+import io.micronaut.http.annotation.ResponseFilter
+import io.micronaut.http.annotation.ServerFilter
+import io.seqera.wave.configuration.SecurityHeadersConfig
+import jakarta.inject.Inject
+import static io.micronaut.http.annotation.ServerFilter.MATCH_ALL_PATTERN
+
+/**
+ * HTTP filter to add security headers to all responses
+ *
+ * @author Munish Chouhan <[email protected]>
+ */
+@Slf4j
+@CompileStatic
+@ServerFilter(MATCH_ALL_PATTERN)
+@Requires(property = 'wave.security.http-headers.enabled', value = 'true', defaultValue = 'true')
+class SecurityHeadersFilter implements Ordered {
+
+    @Inject
+    private SecurityHeadersConfig config
+
+    @Override
+    int getOrder() {
+        return FilterOrder.SECURITY_HEADERS
+    }
+
+    @ResponseFilter
+    void responseFilter(HttpResponse<?> response) {
+        if (response instanceof MutableHttpResponse) {
+            addSecurityHeaders((MutableHttpResponse<?>) response)
+        }
+    }
+
+    /**
+     * Add security headers to the HTTP response
+     *
+     * @param response The mutable HTTP response to add headers to
+     */
+    protected void addSecurityHeaders(MutableHttpResponse<?> response) {
+        // Add HSTS header
+        final hstsValue = config.getHstsValue()
+        if (hstsValue) {
+            response.header('Strict-Transport-Security', hstsValue)
+        }
+
+        // Add X-Frame-Options
+        if (config.frameOptions) {
+            response.header('X-Frame-Options', config.frameOptions)
+        }
+
+        // Add X-Content-Type-Options
+        if (config.contentTypeOptions) {
+            response.header('X-Content-Type-Options', config.contentTypeOptions)
+        }
+
+        // Add Referrer-Policy
+        if (config.referrerPolicy) {
+            response.header('Referrer-Policy', config.referrerPolicy)
+        }
+
+        // Add Permissions-Policy
+        if (config.permissionsPolicy) {
+            response.header('Permissions-Policy', config.permissionsPolicy)
+        }
+
+        // Add Content-Security-Policy
+        if (config.contentSecurityPolicy) {
+            response.header('Content-Security-Policy', config.contentSecurityPolicy)
+        }
+
+        log.trace "Added security headers to response"
+    }
+}