Merge branch 'main' into generator-bot-19666845203/iaas

Author: marceljk

.github/dependabot.yml

@@ -4,3 +4,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "gradle"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+        default-days: 7
+        exclude: ["cloud.stackit*"]

CHANGELOG.md

@@ -1,25 +1,58 @@
-## Release (2025-xx-xx)
-- `iaas`: [v1.0.0](services/iaas/CHANGELOG.md#v100)
-  - **Breaking Change:** The region must be passed as a parameter to any region-specific request.
-  - **Feature:** Add new methods to manage routing tables: `addRoutingTableToArea`, `deleteRoutingTableFromArea`, `getRoutingTableOfArea`, `listRoutingTablesOfArea`, `updateRoutingTableOfArea`
-  - **Feature:** Add new methods to manage routes in routing tables: `addRoutesToRoutingTable`, `deleteRouteFromRoutingTable`, `getRouteOfRoutingTable`, `listRoutesOfRoutingTable`, `updateRouteOfRoutingTable`
-  - **Breaking Change:** Add new method to manage network area regions: `createNetworkAreaRegion`, `deleteNetworkAreaRegion`, `getNetworkAreaRegion`, `listNetworkAreaRegions`, `updateNetworkAreaRegion`
-  - **Feature:** Add new field `Encrypted` to `Backup` model, which indicates if a backup is encrypted
-  - **Feature:** Add new field `ImportProgress` to `Image` model, which indicates the import progress of an image
-  - **Breaking Change:** Remove field `addressFamily` in `CreateNetworkAreaPayload` model
-  - **Breaking Change:** `Network` model has changed:
-    - Rename `networkId` to `id`
-    - Rename `state` to `status`
-    - Move fields `gateway`, `nameservers`, `prefixes` and `publicIp` to new model `NetworkIPv4`, and can be accessed in the new field `ipv4`
-    - Move fields `gatewayv6`, `nameserversv6` and `prefixesv6` to new model `NetworkIPv6`, and can be accessed in the new field `ipv6`
-    - Add new field `routingTabledId`
-  - **Breaking Change:** `NetworkArea` model has changed:
-    - Rename `areaId` to `id`
-    - Remove field `ipv4`
-  - **Breaking Change:** Rename `networkRangeId` to `id` in `NetworkRange` model
-  - **Breaking Change:** `CreateServerPayload` model has changed:
-    - Model `CreateServerPayloadBootVolume` of `BootVolume` property changed to `ServerBootVolume`
-    - Property `Networking` in `CreateServerPayload` is required now
+## Release (2026-MM-DD)
+- `core`: [v0.4.1](core/CHANGELOG.md/#v041)
+  - **Bugfix:** Add check in `KeyFlowAuthenticator` to prevent endless loops
+- `iaas`:
+  - [v1.0.0](services/iaas/CHANGELOG.md#v100)
+    - **Breaking Change:** The region must be passed as a parameter to any region-specific request.
+    - **Feature:** Add new methods to manage routing tables: `addRoutingTableToArea`, `deleteRoutingTableFromArea`, `getRoutingTableOfArea`, `listRoutingTablesOfArea`, `updateRoutingTableOfArea`
+    - **Feature:** Add new methods to manage routes in routing tables: `addRoutesToRoutingTable`, `deleteRouteFromRoutingTable`, `getRouteOfRoutingTable`, `listRoutesOfRoutingTable`, `updateRouteOfRoutingTable`
+    - **Breaking Change:** Add new method to manage network area regions: `createNetworkAreaRegion`, `deleteNetworkAreaRegion`, `getNetworkAreaRegion`, `listNetworkAreaRegions`, `updateNetworkAreaRegion`
+    - **Feature:** Add new field `Encrypted` to `Backup` model, which indicates if a backup is encrypted
+    - **Feature:** Add new field `ImportProgress` to `Image` model, which indicates the import progress of an image
+    - **Breaking Change:** Remove field `addressFamily` in `CreateNetworkAreaPayload` model
+    - **Breaking Change:** `Network` model has changed:
+      - Rename `networkId` to `id`
+      - Rename `state` to `status`
+      - Move fields `gateway`, `nameservers`, `prefixes` and `publicIp` to new model `NetworkIPv4`, and can be accessed in the new field `ipv4`
+      - Move fields `gatewayv6`, `nameserversv6` and `prefixesv6` to new model `NetworkIPv6`, and can be accessed in the new field `ipv6`
+      - Add new field `routingTabledId`
+    - **Breaking Change:** `NetworkArea` model has changed:
+      - Rename `areaId` to `id`
+      - Remove field `ipv4`
+    - **Breaking Change:** Rename `networkRangeId` to `id` in `NetworkRange` model
+    - **Breaking Change:** `CreateServerPayload` model has changed:
+      - Model `CreateServerPayloadBootVolume` of `BootVolume` property changed to `ServerBootVolume`
+      - Property `Networking` in `CreateServerPayload` is required now
+  - [v0.3.1](services/iaas/CHANGELOG.md#v031)
+    - Bump dependency `cloud.stackit.sdk.core` to v0.4.1
+- `resourcemanager`: [v0.4.1](services/resourcemanager/CHANGELOG.md#v041)
+  - Bump dependency `cloud.stackit.sdk.core` to v0.4.1
+- `loadbalancer`:
+  - [v0.1.1](services/loadbalancer/CHANGELOG.md#v011)
+    - Bump dependency `cloud.stackit.sdk.core` to v0.4.1 
+  - [v0.1.0](services/loadbalancer/CHANGELOG.md#v010)
+    - Initial onboarding of STACKIT Java SDK for Load balancer service
+- `alb`:
+  - [v0.2.0](services/alb/CHANGELOG.md#v020)
+    - **Feature:** Switch from `v2beta` API version to `v2` version.
+    - **Feature:** `MaxCredentials` field added to `GetQuotaResponse`
+    - **Breaking change:** added `version` to LoadBalancer constructor
+    - **Breaking change:** renamed `exact` to `exactMatch` in Path model
+    - **Breaking change:** removed `pathPrefix` from Rule model
+  - [v0.1.1](services/alb/CHANGELOG.md#v011)
+    - Bump dependency `cloud.stackit.sdk.core` to v0.4.1
+  - [v0.1.0](services/alb/CHANGELOG.md#v010)
+    - Initial onboarding of STACKIT Java SDK for Application load balancer service
+- `objectstorage`:
+  - [v0.1.1](services/objectstorage/CHANGELOG.md#v011)
+    - Bump dependency `cloud.stackit.sdk.core` to v0.4.1
+  - [v0.1.0](services/objectstorage/CHANGELOG.md#v010)
+    - Initial onboarding of STACKIT Java SDK for Object storage service
+- `serverupdate`:
+  - [v0.1.1](services/serverupdate/CHANGELOG.md#v011)
+    - Bump dependency `cloud.stackit.sdk.core` to v0.4.1
+  - [v0.1.0](services/serverupdate/CHANGELOG.md#v010)
+    - Initial onboarding of STACKIT Java SDK for Server Update service
 
 ## Release (2025-10-29)
 - `core`:

Makefile

@@ -6,6 +6,7 @@ fmt:
 
 lint:
 	@./gradlew pmdMain
+	@./gradlew lintProjectVersion
 
 test:
 	@./gradlew test

README.md

@@ -66,7 +66,7 @@ Examples on services, configuration and authentication possibilities can be foun
 
 ## Authorization
 
-To authenticate to the SDK, you will need a [service account](https://docs.stackit.cloud/stackit/en/service-accounts-134415819.html). Create it in the STACKIT Portal and assign it the necessary permissions, e.g. `project.owner`.
+To authenticate to the SDK, you will need a [service account](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/). Create it in the STACKIT Portal and assign it the necessary permissions, e.g. `project.owner`.
 
 The Java SDK supports only Key flow for authentication.
 
@@ -97,12 +97,12 @@ When creating the service account key, a new pair can be created automatically,
 This will make it much easier to configure the key flow authentication in the SDK, by just providing the service account key.
 
 > **Optionally**, you can provide your own private key when creating the service account key, which will then require you to also provide it explicitly to the SDK, additionally to the service account key.
-> Check the STACKIT Knowledge Base for an [example of how to create your own key-pair](https://docs.stackit.cloud/stackit/en/usage-of-the-service-account-keys-in-stackit-175112464.html#UsageoftheserviceaccountkeysinSTACKIT-CreatinganRSAkey-pair).
+> Check the STACKIT Docs for an [example of how to create your own key-pair](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/).
 
 To configure the key flow, follow this steps:
 
 1. Create a service account key:
-   - Use the STACKIT Portal: go to the `Service Accounts` tab, choose a `Service Account` and go to `Service Account Keys` to create a key. For more details, see [Create a service account key](https://docs.stackit.cloud/stackit/en/create-a-service-account-key-175112456.html).
+   - Use the STACKIT Portal: go to the `Service Accounts` tab, choose a `Service Account` and go to `Service Account Keys` to create a key. For more details, see [Create a service account key](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/).
 2. Save the content of the service account key by copying it and saving it in a JSON file. The expected format of the service account key is **JSON** with the following structure:
 
    ```json

build.gradle

@@ -113,6 +113,8 @@ subprojects {
 			logger.warn("VERSION file not found in project '${project.path}'. Skipping version setting.")
 		}
 
+		tasks.register('lintProjectVersion', VersionCheckTask) {}
+
 		java {
 			withSourcesJar()
 			withJavadocJar()

buildSrc/src/main/groovy/VersionCheckTask.groovy

@@ -0,0 +1,24 @@
+import org.gradle.api.DefaultTask
+import org.gradle.api.tasks.TaskAction
+import org.gradle.api.tasks.Input
+import org.gradle.api.GradleException
+
+class VersionCheckTask extends DefaultTask {
+    @Input
+    def versionRegex = ~/^[0-1]\.\d+\.\d+$/
+
+    @TaskAction
+    def checkVersion() {
+        File versionFile = project.file('VERSION')
+
+        if (!versionFile.exists()) {
+            logger.quiet("VERSION file not found in subproject: ${project.name}")
+            return
+        }
+
+        def version = versionFile.text.trim()
+        if (!(version =~ versionRegex)) {
+            throw new GradleException("Version '${version}' in project '${project.name}' does not match regex: ${versionRegex}")
+        }
+    }
+}

core/CHANGELOG.md

@@ -1,3 +1,6 @@
+## v0.4.1
+- **Bugfix:** Add check in `KeyFlowAuthenticator` to prevent endless loops
+
 ## v0.4.0
 - **Feature:** Added core wait handler structure which can be used by every service waiter implementation.
 

core/VERSION

@@ -1 +1 @@
-0.4.0
+0.4.1

core/src/main/java/cloud/stackit/sdk/core/KeyFlowAuthenticator.java

@@ -52,6 +52,12 @@ public class KeyFlowAuthenticator implements Authenticator {
 	/**
 	 * Creates the initial service account and refreshes expired access token.
 	 *
+	 * <p>NOTE: It's normal that 2 requests are sent, it's regular OkHttp Authenticator behavior.
+	 * The first request is always attempted without the authenticator and in case the response is
+	 * Unauthorized(=401), OkHttp reattempt the request with the authenticator. See <a
+	 * href="https://square.github.io/okhttp/recipes/#handling-authentication-kt-java">OkHttp
+	 * Docs</a>
+	 *
 	 * @deprecated use constructor with OkHttpClient instead to prevent resource leaks. Will be
 	 *     removed in April 2026.
 	 * @param cfg Configuration to set a custom token endpoint and the token expiration leeway.
@@ -65,6 +71,12 @@ public KeyFlowAuthenticator(CoreConfiguration cfg, ServiceAccountKey saKey) {
 	/**
 	 * Creates the initial service account and refreshes expired access token.
 	 *
+	 * <p>NOTE: It's normal that 2 requests are sent, it's regular OkHttp Authenticator behavior.
+	 * The first request is always attempted without the authenticator and in case the response is
+	 * Unauthorized(=401), OkHttp reattempt the request with the authenticator. See <a
+	 * href="https://square.github.io/okhttp/recipes/#handling-authentication-kt-java">OkHttp
+	 * Docs</a>
+	 *
 	 * @deprecated use constructor with OkHttpClient instead to prevent resource leaks. Will be
 	 *     removed in April 2026.
 	 * @param cfg Configuration to set a custom token endpoint and the token expiration leeway.
@@ -81,6 +93,12 @@ public KeyFlowAuthenticator(
 	/**
 	 * Creates the initial service account and refreshes expired access token.
 	 *
+	 * <p>NOTE: It's normal that 2 requests are sent, it's regular OkHttp Authenticator behavior.
+	 * The first request is always attempted without the authenticator and in case the response is
+	 * Unauthorized(=401), OkHttp reattempt the request with the authenticator. See <a
+	 * href="https://square.github.io/okhttp/recipes/#handling-authentication-kt-java">OkHttp
+	 * Docs</a>
+	 *
 	 * @param httpClient OkHttpClient object
 	 * @param cfg Configuration to set a custom token endpoint and the token expiration leeway.
 	 */
@@ -91,6 +109,12 @@ public KeyFlowAuthenticator(OkHttpClient httpClient, CoreConfiguration cfg) thro
 	/**
 	 * Creates the initial service account and refreshes expired access token.
 	 *
+	 * <p>NOTE: It's normal that 2 requests are sent, it's regular OkHttp Authenticator behavior.
+	 * The first request is always attempted without the authenticator and in case the response is
+	 * Unauthorized(=401), OkHttp reattempt the request with the authenticator. See <a
+	 * href="https://square.github.io/okhttp/recipes/#handling-authentication-kt-java">OkHttp
+	 * Docs</a>
+	 *
 	 * @param httpClient OkHttpClient object
 	 * @param cfg Configuration to set a custom token endpoint and the token expiration leeway.
 	 * @param saKey Service Account Key, which should be used for the authentication
@@ -129,6 +153,9 @@ protected KeyFlowAuthenticator(
 
 	@Override
 	public Request authenticate(Route route, @NotNull Response response) throws IOException {
+		if (response.request().header("Authorization") != null) {
+			return null; // Give up, we've already attempted to authenticate.
+		}
 		String accessToken;
 		try {
 			accessToken = getAccessToken();

core/src/test/java/cloud/stackit/sdk/core/KeyFlowAuthenticatorTest.java

@@ -16,8 +16,7 @@
 import java.security.spec.InvalidKeySpecException;
 import java.time.temporal.ChronoUnit;
 import java.util.Date;
-import okhttp3.HttpUrl;
-import okhttp3.OkHttpClient;
+import okhttp3.*;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import org.junit.jupiter.api.AfterEach;
@@ -62,6 +61,9 @@ class KeyFlowAuthenticatorTest {
 					+ "h/9afEtu5aUE/m+1vGBoH8z1\n"
 					+ "-----END PRIVATE KEY-----\n";
 
+	private static final Request mockRequest =
+			new Request.Builder().url("https://stackit.com").get().build();
+
 	private ServiceAccountKey createDummyServiceAccount() {
 		ServiceAccountCredentials credentials =
 				new ServiceAccountCredentials("aud", "iss", "kid", PRIVATE_KEY, "sub");
@@ -270,4 +272,92 @@ void createAccessTokenWithRefreshTokenResponse200WithEmptyBodyThrowsException()
 		assertThrows(
 				JsonSyntaxException.class, keyFlowAuthenticator::createAccessTokenWithRefreshToken);
 	}
+
+	@Test
+	@DisplayName("authenticator sets Authorization header")
+	void authenticatorSetsAuthorizationHeaderIfNotAuthenticated()
+			throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+		// Setup mockServer
+		final String authorizationHeader = "Authorization";
+		KeyFlowAuthenticator.KeyFlowTokenResponse mockResponse = mockResponseBody(false);
+		// mock response for KeyFlow authentication with mocked access token
+		MockResponse mockedResponse =
+				new MockResponse()
+						.setResponseCode(200)
+						.setBody(new Gson().toJson(mockResponse))
+						.addHeader("Content-type", "application/json");
+		mockWebServer.enqueue(mockedResponse);
+		HttpUrl url = mockWebServer.url(MOCK_WEBSERVER_PATH);
+
+		// Set unauthorized request
+		Response unauthorizedRequest =
+				new Response.Builder()
+						.request(mockRequest)
+						.code(401)
+						.message("Unauthorized")
+						.protocol(Protocol.HTTP_2)
+						.build();
+
+		// Config
+		CoreConfiguration cfg =
+				new CoreConfiguration().tokenCustomUrl(url.toString()); // Use mockWebServer
+
+		// Check if "Authorization" header is unset
+		assertNull(unauthorizedRequest.request().header(authorizationHeader));
+
+		// Prepare keyFlowAuthenticator
+		KeyFlowAuthenticator keyFlowAuthenticator =
+				new KeyFlowAuthenticator(httpClient, cfg, createDummyServiceAccount());
+		// authenticator creates new access token and sets it the Authorization header
+		Request newRequest = keyFlowAuthenticator.authenticate(null, unauthorizedRequest);
+
+		// Check if new request is not null
+		assertNotNull(newRequest);
+		// Check if the "Authorization" Header is set
+		assertNotNull(newRequest.header(authorizationHeader));
+	}
+
+	@Test
+	@DisplayName("Authenticator returns null when already authenticated")
+	void authenticatorReturnsNullWhenAlreadyAuthenticated()
+			throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+		// Setup mockServer
+		final String authorizationHeader = "Authorization";
+		KeyFlowAuthenticator.KeyFlowTokenResponse mockResponse = mockResponseBody(false);
+		// mock response for KeyFlow authentication with mocked access token
+		MockResponse mockedResponse =
+				new MockResponse()
+						.setResponseCode(200)
+						.setBody(new Gson().toJson(mockResponse))
+						.addHeader("Content-type", "application/json");
+		mockWebServer.enqueue(mockedResponse);
+		HttpUrl url = mockWebServer.url(MOCK_WEBSERVER_PATH);
+
+		// Set unauthorized request
+		Response unauthorizedRequest =
+				new Response.Builder()
+						.request(
+								mockRequest
+										.newBuilder()
+										.addHeader(authorizationHeader, "<my-access-token>")
+										.build())
+						.code(401)
+						.message("Unauthorized")
+						.protocol(Protocol.HTTP_2)
+						.build(); // Unauthorized request
+
+		// Config
+		CoreConfiguration cfg =
+				new CoreConfiguration().tokenCustomUrl(url.toString()); // Use mockWebServer
+
+		// Check if "Authorization" header is set
+		assertNotNull(unauthorizedRequest.request().header(authorizationHeader));
+
+		// Prepare keyFlowAuthenticator
+		KeyFlowAuthenticator keyFlowAuthenticator =
+				new KeyFlowAuthenticator(httpClient, cfg, createDummyServiceAccount());
+
+		// Authenticator returns no new request, because "Authorization" header was already set
+		assertNull(keyFlowAuthenticator.authenticate(null, unauthorizedRequest));
+	}
 }