Merge branch 'zkbesu' into clique-simulate-block-production

CHANGELOG.md

@@ -15,7 +15,11 @@
     - Proof of Work consensus
     - Fast Sync
 ### Additions and Improvements
+- Add TLS/mTLS options and configure the GraphQL HTTP service[#7910](https://github.com/hyperledger/besu/pull/7910)
+- Allow plugins to propose transactions during block creation [#8268](https://github.com/hyperledger/besu/pull/8268)
 ### Bug fixes
+- Upgrade Netty to version 4.1.118 to fix CVE-2025-24970 [#8275](https://github.com/hyperledger/besu/pull/8275)
+- Add missing RPC method `debug_accountRange` to `RpcMethod.java` and implemented its handler. [#8153](https://github.com/hyperledger/besu/issues/8153)
 
 ## 25.2.0
 
@@ -37,6 +41,7 @@
 - Add a tx selector to skip txs from the same sender after the first not selected [#8216](https://github.com/hyperledger/besu/pull/8216)
 - `rpc-gas-cap` default value has changed from 0 (unlimited) to 50M [#8251](https://github.com/hyperledger/besu/issues/8251)
 
+
 #### Prague
 - Add timestamps to enable Prague hardfork on Sepolia and Holesky test networks [#8163](https://github.com/hyperledger/besu/pull/8163)
 - Update system call addresses to match [devnet-6](https://github.com/ethereum/execution-spec-tests/releases/) values [#8209](https://github.com/hyperledger/besu/issues/8209) 
@@ -74,15 +79,15 @@
 - Retrieve all transaction receipts for a block in one request [#6646](https://github.com/hyperledger/besu/pull/6646)
 - Implement EIP-7840: Add blob schedule to config files [#8042](https://github.com/hyperledger/besu/pull/8042)
 - Allow gasPrice (legacy) and 1559 gasPrice params to be specified simultaneously for `eth_call`, `eth_createAccessList`, and `eth_estimateGas` [#8059](https://github.com/hyperledger/besu/pull/8059)
-- Improve debug_traceBlock calls performance and reduce output size [#8076](https://github.com/hyperledger/besu/pull/8076)
+- Improve debug_traceBlock calls performance and reduce output size [#8103](https://github.com/hyperledger/besu/pull/8103)
 - Add support for EIP-7702 transaction in the txpool [#8018](https://github.com/hyperledger/besu/pull/8018) [#7984](https://github.com/hyperledger/besu/pull/7984)
 - Add support for `movePrecompileToAddress` in `StateOverrides` (`eth_call`)[8115](https://github.com/hyperledger/besu/pull/8115)
 - Default target-gas-limit to 36M for holesky [#8125](https://github.com/hyperledger/besu/pull/8125)
 - Add EIP-7623 - Increase calldata cost [#8093](https://github.com/hyperledger/besu/pull/8093)
 - Add nonce to transaction call object [#8139](https://github.com/hyperledger/besu/pull/8139)
 
 ### Bug fixes
-- Fix serialization of state overrides when `movePrecompileToAddress` is present [#8204](https://github.com/hyperledger/besu/pull/8024)
+- Fix serialization of state overrides when `movePrecompileToAddress` is present [#8024](https://github.com/hyperledger/besu/pull/8024)
 - Revise the approach for setting level_compaction_dynamic_level_bytes RocksDB configuration option [#8037](https://github.com/hyperledger/besu/pull/8037)
 - Fix possible incomplete txpool restore from dump file [#7991](https://github.com/hyperledger/besu/pull/7991)
 
@@ -93,14 +98,14 @@ This is an optional hotfix to address serialization of state overrides parameter
 There is no need to upgrade from 24.12.0 (or 24.12.1) to this release if you are not yet using this functionality.
 
 ### Bug fixes
-- Fix serialization of state overrides when `movePrecompileToAddress` is present [#8204](https://github.com/hyperledger/besu/pull/8024)
+- Fix serialization of state overrides when `movePrecompileToAddress` is present [#8024](https://github.com/hyperledger/besu/pull/8024)
 
 ## 24.12.1 Hotfix
 
 This is a hotfix to address publishing besu maven artifacts.  There are no issues with 24.12.0 other than incomplete artifact publishing, and there is no functional difference between 24.12.0 and 24.12.1 release binaries.
 
 ### Bug fixes
-- Fix BOM pom publication to Artifactory [#8201](https://github.com/hyperledger/besu/pull/8021)
+- Fix BOM pom publication to Artifactory [#8021](https://github.com/hyperledger/besu/pull/8021)
 
 ## 24.12.0
 

besu/src/main/java/org/hyperledger/besu/cli/options/GraphQlOptions.java

@@ -57,6 +57,36 @@ public class GraphQlOptions {
   private final CorsAllowedOriginsProperty graphQLHttpCorsAllowedOrigins =
       new CorsAllowedOriginsProperty();
 
+  @CommandLine.Option(
+      names = {"--graphql-tls-enabled"},
+      description = "Enable TLS for GraphQL HTTP service")
+  private Boolean graphqlTlsEnabled = false;
+
+  @CommandLine.Option(
+      names = {"--graphql-tls-keystore-file"},
+      description = "Path to the TLS keystore file for GraphQL HTTP service")
+  private String graphqlTlsKeystoreFile;
+
+  @CommandLine.Option(
+      names = {"--graphql-tls-keystore-password-file"},
+      description = "Path to the file containing the password for the TLS keystore")
+  private String graphqlTlsKeystorePasswordFile;
+
+  @CommandLine.Option(
+      names = {"--graphql-mtls-enabled"},
+      description = "Enable mTLS for GraphQL HTTP service")
+  private Boolean graphqlMtlsEnabled = false;
+
+  @CommandLine.Option(
+      names = {"--graphql-tls-truststore-file"},
+      description = "Path to the TLS truststore file for GraphQL HTTP service")
+  private String graphqlTlsTruststoreFile;
+
+  @CommandLine.Option(
+      names = {"--graphql-tls-truststore-password-file"},
+      description = "Path to the file containing the password for the TLS truststore")
+  private String graphqlTlsTruststorePasswordFile;
+
   /** Default constructor */
   public GraphQlOptions() {}
 
@@ -72,7 +102,28 @@ public void validate(final Logger logger, final CommandLine commandLine) {
         commandLine,
         "--graphql-http-enabled",
         !isGraphQLHttpEnabled,
-        asList("--graphql-http-cors-origins", "--graphql-http-host", "--graphql-http-port"));
+        asList(
+            "--graphql-http-cors-origins",
+            "--graphql-http-host",
+            "--graphql-http-port",
+            "--graphql-tls-enabled"));
+
+    CommandLineUtils.checkOptionDependencies(
+        logger,
+        commandLine,
+        "--graphql-tls-enabled",
+        !graphqlTlsEnabled,
+        asList(
+            "--graphql-tls-keystore-file",
+            "--graphql-tls-keystore-password-file",
+            "--graphql-mtls-enabled"));
+
+    CommandLineUtils.checkOptionDependencies(
+        logger,
+        commandLine,
+        "--graphql-mtls-enabled",
+        !graphqlMtlsEnabled,
+        asList("--graphql-tls-truststore-file", "--graphql-tls-truststore-password-file"));
   }
 
   /**
@@ -93,6 +144,13 @@ public GraphQLConfiguration graphQLConfiguration(
     graphQLConfiguration.setHostsAllowlist(hostsAllowlist);
     graphQLConfiguration.setCorsAllowedDomains(graphQLHttpCorsAllowedOrigins);
     graphQLConfiguration.setHttpTimeoutSec(timoutSec);
+    graphQLConfiguration.setTlsEnabled(graphqlTlsEnabled);
+    graphQLConfiguration.setTlsKeyStorePath(graphqlTlsKeystoreFile);
+    graphQLConfiguration.setTlsKeyStorePasswordFile(graphqlTlsKeystorePasswordFile);
+    graphQLConfiguration.setMtlsEnabled(graphqlMtlsEnabled);
+    graphQLConfiguration.setTlsTrustStorePath(graphqlTlsTruststoreFile);
+    graphQLConfiguration.setTlsTrustStorePasswordFile(graphqlTlsTruststorePasswordFile);
+
     return graphQLConfiguration;
   }
 

besu/src/main/java/org/hyperledger/besu/services/TransactionSelectionServiceImpl.java

@@ -14,30 +14,42 @@
  */
 package org.hyperledger.besu.services;
 
+import static com.google.common.base.Preconditions.checkState;
+
+import org.hyperledger.besu.plugin.data.ProcessableBlockHeader;
 import org.hyperledger.besu.plugin.services.TransactionSelectionService;
+import org.hyperledger.besu.plugin.services.txselection.BlockTransactionSelectionService;
 import org.hyperledger.besu.plugin.services.txselection.PluginTransactionSelector;
 import org.hyperledger.besu.plugin.services.txselection.PluginTransactionSelectorFactory;
-
-import java.util.Optional;
+import org.hyperledger.besu.plugin.services.txselection.SelectorsStateManager;
 
 /** The Transaction Selection service implementation. */
 public class TransactionSelectionServiceImpl implements TransactionSelectionService {
 
   /** Default Constructor. */
   public TransactionSelectionServiceImpl() {}
 
-  private Optional<PluginTransactionSelectorFactory> factory = Optional.empty();
+  private PluginTransactionSelectorFactory factory = PluginTransactionSelectorFactory.NO_OP_FACTORY;
+
+  @Override
+  public PluginTransactionSelector createPluginTransactionSelector(
+      final SelectorsStateManager selectorsStateManager) {
+    return factory.create(selectorsStateManager);
+  }
 
   @Override
-  public PluginTransactionSelector createPluginTransactionSelector() {
-    return factory
-        .map(PluginTransactionSelectorFactory::create)
-        .orElse(PluginTransactionSelector.ACCEPT_ALL);
+  public void selectPendingTransactions(
+      final BlockTransactionSelectionService selectionService,
+      final ProcessableBlockHeader pendingBlockHeader) {
+    factory.selectPendingTransactions(selectionService, pendingBlockHeader);
   }
 
   @Override
   public void registerPluginTransactionSelectorFactory(
       final PluginTransactionSelectorFactory pluginTransactionSelectorFactory) {
-    factory = Optional.ofNullable(pluginTransactionSelectorFactory);
+    checkState(
+        factory == PluginTransactionSelectorFactory.NO_OP_FACTORY,
+        "PluginTransactionSelectorFactory was already registered");
+    factory = pluginTransactionSelectorFactory;
   }
 }

besu/src/test/resources/everything_config.toml

@@ -109,6 +109,12 @@ graphql-http-enabled=false
 graphql-http-host="6.7.8.9"
 graphql-http-port=6789
 graphql-http-cors-origins=["none"]
+graphql-tls-enabled=false
+graphql-tls-keystore-file="none.pfx"
+graphql-tls-keystore-password-file="none.passwd"
+graphql-mtls-enabled=false
+graphql-tls-truststore-file="none.pfx"
+graphql-tls-truststore-password-file="none.passwd"
 
 # WebSockets API
 rpc-ws-enabled=false

datatypes/src/main/java/org/hyperledger/besu/datatypes/HardforkId.java

@@ -80,7 +80,7 @@ enum MainnetHardforkId implements HardforkId {
     /** Cancun + EOF fork. */
     CANCUN_EOF(false, "Cancun + EOF"),
     /** Prague fork. */
-    PRAGUE(false, "Prague"),
+    PRAGUE(true, "Prague"),
     /** Osaka fork. */
     OSAKA(false, "Osaka"),
     /** Amsterdam fork. */

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/graphql/GraphQLConfiguration.java

@@ -18,6 +18,9 @@
 
 import org.hyperledger.besu.ethereum.api.handlers.TimeoutOptions;
 
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -44,6 +47,13 @@ public class GraphQLConfiguration {
   private List<String> hostsAllowlist = Arrays.asList("localhost", DEFAULT_GRAPHQL_HTTP_HOST);
   private long httpTimeoutSec = TimeoutOptions.defaultOptions().getTimeoutSeconds();
 
+  private String tlsKeyStorePath;
+  private String tlsKeyStorePasswordFile;
+  private String tlsTrustStorePath;
+  private String tlsTrustStorePasswordFile;
+  private boolean tlsEnabled;
+  private boolean mtlsEnabled;
+
   /**
    * Creates a default configuration for GraphQL.
    *
@@ -174,6 +184,120 @@ public void setHttpTimeoutSec(final long httpTimeoutSec) {
     this.httpTimeoutSec = httpTimeoutSec;
   }
 
+  /**
+   * Retrieves the TLS key store path.
+   *
+   * @return the TLS key store path
+   */
+  public String getTlsKeyStorePath() {
+    return tlsKeyStorePath;
+  }
+
+  /**
+   * Sets the TLS key store path.
+   *
+   * @param tlsKeyStorePath the path to the TLS key store
+   */
+  public void setTlsKeyStorePath(final String tlsKeyStorePath) {
+    this.tlsKeyStorePath = tlsKeyStorePath;
+  }
+
+  /**
+   * Retrieves the TLS key store password.
+   *
+   * @return the TLS key store password
+   * @throws Exception if an error occurs while reading the password file
+   */
+  public String getTlsKeyStorePassword() throws Exception {
+    return new String(
+            Files.readAllBytes(Paths.get(tlsKeyStorePasswordFile)), Charset.defaultCharset())
+        .trim();
+  }
+
+  /**
+   * Sets the TLS key store password file.
+   *
+   * @param tlsKeyStorePasswordFile the path to the TLS key store password file
+   */
+  public void setTlsKeyStorePasswordFile(final String tlsKeyStorePasswordFile) {
+    this.tlsKeyStorePasswordFile = tlsKeyStorePasswordFile;
+  }
+
+  /**
+   * Retrieves the TLS trust store path.
+   *
+   * @return the TLS trust store path
+   */
+  public String getTlsTrustStorePath() {
+    return tlsTrustStorePath;
+  }
+
+  /**
+   * Sets the TLS trust store path.
+   *
+   * @param tlsTrustStorePath the path to the TLS trust store
+   */
+  public void setTlsTrustStorePath(final String tlsTrustStorePath) {
+    this.tlsTrustStorePath = tlsTrustStorePath;
+  }
+
+  /**
+   * Retrieves the TLS trust store password.
+   *
+   * @return the TLS trust store password
+   * @throws Exception if an error occurs while reading the password file
+   */
+  public String getTlsTrustStorePassword() throws Exception {
+    return new String(
+            Files.readAllBytes(Paths.get(tlsTrustStorePasswordFile)), Charset.defaultCharset())
+        .trim();
+  }
+
+  /**
+   * Sets the TLS trust store password file.
+   *
+   * @param tlsTrustStorePasswordFile the path to the TLS trust store password file
+   */
+  public void setTlsTrustStorePasswordFile(final String tlsTrustStorePasswordFile) {
+    this.tlsTrustStorePasswordFile = tlsTrustStorePasswordFile;
+  }
+
+  /**
+   * Retrieves the TLS enabled status.
+   *
+   * @return true if TLS is enabled, false otherwise
+   */
+  public boolean isTlsEnabled() {
+    return tlsEnabled;
+  }
+
+  /**
+   * Sets the TLS enabled status.
+   *
+   * @param tlsEnabled the status to set. true to enable TLS, false to disable it
+   */
+  public void setTlsEnabled(final boolean tlsEnabled) {
+    this.tlsEnabled = tlsEnabled;
+  }
+
+  /**
+   * Retrieves the mTLS enabled status.
+   *
+   * @return true if mTLS is enabled, false otherwise
+   */
+  public boolean isMtlsEnabled() {
+    return mtlsEnabled;
+  }
+
+  /**
+   * Sets the mTLS enabled status.
+   *
+   * @param mtlsEnabled the status to set. true to enable mTLS, false to disable it
+   */
+  public void setMtlsEnabled(final boolean mtlsEnabled) {
+    this.mtlsEnabled = mtlsEnabled;
+  }
+
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)