Creates missing system images from application/src/main/data/resources/images
during LTS patch startup, mirroring the upgrade-path loadSystemResources logic.
Existing system images in the DB are left untouched.
- postgres: 16.6 -> 18 (dao sql-test.properties / nosql-test.properties)
- timescaledb: latest-pg12 -> latest-pg18 (dao timescale-test.properties)
TimescaleDB pg15+ images crash on cgroup v2 CI hosts because
/docker-entrypoint-initdb.d/001_timescaledb_tune.sh evaluates
[ ${TS_TUNE_MEMORY} -gt ${FREE_BYTES} ] with an empty left operand
after the kernel reports the 64-bit max for /sys/fs/cgroup/memory.max.
Work around the upstream bug by setting NO_TS_TUNE=true.
The Testcontainers JDBC URL (jdbc:tc:timescaledb:...) does not support
docker env vars, so register a custom JdbcDatabaseContainerProvider
(TbTimescaleDBContainerProvider, activated via jdbc:tc:tbtimescaledb:...)
that starts a PostgreSQLContainer backed by timescale/timescaledb with
NO_TS_TUNE=true.
Production docker-compose files and tb-postgres image are untouched.
- Mark force-added entity-field filter mappings as ignored under OR so
EntityDataAdapter keeps the response shape identical to AND (applied
to both findEntityDataByQuery and validateEntityCountQuery paths).
- Skip the ON-clause filter in toLatestJoin when forceLeftJoin=true to
avoid duplicating the predicate that buildQuery already emits at the
middle layer under OR (different bound parameter names, same filter).
- Document the empty-predicate drop in buildQuery (safe under AND,
narrowing under OR) and the defensive vacuously-true return in
RepositoryUtils.checkKeyFilters.
- Explain why validateEntityCountQuery uses the nullable
getKeyFiltersOperation() rather than the OrDefault helper.
- Add regression test asserting latest[ENTITY_FIELD] under OR only
contains keys declared in entityFields.
- EntityKeyMapping: replace fragile null-swap of entityKeyColumn with a useAliasAsField flag threaded through buildKeyQuery/buildPredicateQuery, avoiding mutation of shared instance state
- TbAlarmCountSubCtx, TbAlarmDataSubCtx: normalize keyFiltersOperation at query construction via getKeyFiltersOperationOrDefault(), matching DefaultEntityQueryService
- BaseEntityService: end the disabled-OR validation error with a period and attribute it to the system administrator, aligning with the existing UI translation
- EntityQueryControllerTest: extract helpers (createDeviceWithSharedAttributes, createDeviceWithTimeseries, createAlarm, deviceTypeFilter, numericKeyFilter, stringKeyFilter, pageLinkSortedByName, nameEntityField, extractNames) and replace the pagination test's obscure temperature ternary with an explicit array
Apply SsrfProtectionValidator.validateUri() to AI providers with
user-supplied URLs (OpenAI baseUrl, Azure OpenAI endpoint, Ollama
baseUrl). Validation at two layers:
- execution time in Langchain4jChatModelConfigurerImpl
- save time in AiModelDataValidator
Controlled by the existing SSRF_PROTECTION_ENABLED flag.
RuleChainEntity and RuleChainDetailsEntity map to the same DB table.
When RuleChainDetailsEntity is loaded into the persistence context
(e.g. during isUpdateNeeded metadata comparison) and then the same row
is updated via RuleChainEntity (during saveRuleChain), the cached
RuleChainDetailsEntity becomes stale. Subsequent save via
RuleChainDetailsEntity fails with OptimisticLockException.
Fix: detach the entity immediately after loading in findById so it
does not linger in the persistence context.
- Wrap entityKeyColumn null-swap in try/finally in EntityKeyMapping
- Remove @Setter from BaseEntityService, use ReflectionTestUtils in test
- Replace Thread.sleep with awaitility in all OR test methods
- Fix confusing temperature comment in pagination test
- Add test for OR with textSearch (middle-layer WHERE logic)
- Add test for OR with TIME_SERIES key filters
- Add test for OR with ComplexFilterPredicate within key filter
- Add EDQS tests for STRING/entity-field with OR (including null special case)
- Move validateKeyFiltersOperation from DefaultEntityQueryService to
BaseEntityService.validateEntityCountQuery so both REST and WebSocket
paths are covered
- Fix AND/OR toggle: use valueChanges listener to prevent OR selection
when disabled (instead of [disabled] which broke the control entirely)
- Force AND when OR is disabled and filter had OR saved
- Update test to set flag on BaseEntityService
- Move OR filter predicates to middle-layer WHERE clause where JOIN alias
table references are visible, fixing BadSqlGrammarException
- Use alias name (e.g. alias2) instead of bare column name for entity
field predicates in middle-layer WHERE
- Propagate keyFiltersOperation through BaseEntityService optimization
path and alarm subscription contexts (TbAlarmDataSubCtx, TbAlarmCountSubCtx)
- Replace ThingsboardException with IllegalArgumentException for OR
disabled validation
- Add AlarmCountQuery 3-arg constructor for test convenience
- Add 8 new integration tests: alarm data/count OR, mixed entity field +
attribute OR, string attributes, single filter, 3-way OR, pagination,
and zero-match edge case
- Read keyFiltersOperationOrDefault in countEntitiesByQuery and findEntityDataByQuery
- Under OR: relocate entity field filter predicates from inner WHERE to outer WHERE
- Under OR: pass forceLeftJoin=true to buildLatestJoins for all aliases
- Under OR: combine all filter mappings with OR joiner via buildQuery(ComplexOperation.OR)
- Under OR: ensure entity field filter columns are in inner SELECT for outer WHERE reference
- AND path remains completely unchanged (same execution path as before)
- Add 4-arg buildQuery overload with ComplexOperation parameter that joins predicates with OR
- Add 3-arg toQueries overload with outerContext flag for bare column names in outer WHERE
- Add forceLeftJoin parameter to toLatestJoin and buildLatestJoins for LEFT JOIN under OR
- Modify prepareKeyMapping to create individual mappings per KeyFilter under OR (no same-key grouping)
- Modify prepareEntityCountKeyMapping with same OR ungrouping logic
- All existing 2-arg/3-arg overloads preserved as backward-compatible delegates
Route DataAccessException and PersistenceException (including bare
ConstraintViolationException) to a unified handler that extracts the
constraint name and returns "Constraint violation: <name>" instead of
the raw PSQLException message. Other DB errors continue to return the
generic "Database error" response.
Adds DaoUtil.extractConstraintViolation helper and an integration test
that verifies no SQL details leak when an FK constraint is violated.
- Extract shared parseHostEntries() to deduplicate setAllowedHosts/setAdditionalBlockedHosts
- Add isHostnameAllowed() and propagate hostname allow-list check in resolver
- Move OAuth2 custom mapper URL SSRF validation to save-time (Oauth2ClientDataValidator)
- Remove runtime SSRF checks from CustomOAuth2ClientMapper and GithubOAuth2ClientMapper
(custom URL now validated at save; GitHub emailUrl is server config, not user input)
- Replace example.com with 8.8.8.8 in resolver test to avoid DNS dependency
- Extract RuleChainDetailsDao from RuleChainDao to reuse JpaAbstractDao
save logic (proper @Version increment, flush, detach)
- Reduce notes column size from 10MB to 1MB in schema and migration
- Catch "value too long" DB error with user-friendly message
- Pass tenantId consistently through the details DAO API
- Exclude content/markdownCss from RuleChainNote toString
- Add tests: save/load notes, update notes, preserve notes on
RuleChain save, remove notes, exceeded size limit
- TimeseriesServiceNoSqlTest.shouldSaveEntryOfEachTypeWithTtl: await
tsService.save() with bounded .get(MAX_TIMEOUT, TimeUnit.SECONDS)
- EntityServiceTest.testFindTenantTelemetry: await timeseriesService.save()
and attributesService.save() with .get(TIMEOUT, TimeUnit.SECONDS) to
prevent both the race condition and an indefinite hang
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use ID token claims as the source of truth for Apple OAuth2 attributes
- Added Apple mapper type to OAuth2 client data validation
- Consolidated duplicated validation logic for BASIC, GITHUB, and APPLE mapper types
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dashevchenko
Viacheslav Klimov
Sergey Matvienko
imbeacon
Oleksandra Matviienko
Dmytro Skarzhynets
Volodymyr Babak
Andrii Landiak
Vladyslav_Prykhodko