
updateDepencencies support for nimbus-jose-jwt

Keep nimbus-jose-jwt aligned with the version in nimbus-oauth2-sdk

Issue gh-9542
Rob Winch 4 years ago
parent
commit
9b94e616c8

+ 70 - 0
buildSrc/src/main/java/org/springframework/security/convention/versions/TransitiveDependencyLookupUtils.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2019-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.convention.versions;
+
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.Response;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+import java.io.IOException;
+import java.io.InputStream;
+
+class TransitiveDependencyLookupUtils {
+	static String OIDC_SDK_NAME = "oauth2-oidc-sdk";
+	static String NIMBUS_JOSE_JWT_NAME = "nimbus-jose-jwt";
+
+	private static OkHttpClient client = new OkHttpClient();
+
+	static String lookupJwtVersion(String oauthSdcVersion) {
+		Request request = new Request.Builder()
+				.get()
+				.url("https://repo.maven.apache.org/maven2/com/nimbusds/" + OIDC_SDK_NAME + "/" + oauthSdcVersion + "/" + OIDC_SDK_NAME + "-" + oauthSdcVersion + ".pom")
+				.build();
+		try (Response response = client.newCall(request).execute()) {
+			if (!response.isSuccessful()) {
+				throw new IOException("Unexpected code " + response);
+			}
+			InputStream inputStream = response.body().byteStream();
+			return getVersion(inputStream);
+
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	private static String getVersion(InputStream inputStream) throws ParserConfigurationException, IOException, SAXException, XPathExpressionException {
+		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+		dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+		DocumentBuilder db = dbf.newDocumentBuilder();
+
+		Document doc = db.parse(inputStream);
+
+		doc.getDocumentElement().normalize();
+
+		XPath xPath = XPathFactory.newInstance().newXPath();
+		return xPath.evaluate("/project/dependencies/dependency/version[../artifactId/text() = \"" + NIMBUS_JOSE_JWT_NAME + "\"]", doc);
+	}
+}
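Review bot: `getVersion` returns whatever `xPath.evaluate` yields, which is the empty string when the POM has no matching `dependency` element and would be a `${...}` placeholder if the version is property-managed; `lookupJwtVersion` hands that back unchecked even though the value comes from a network-fetched POM and is used as a dependency version by the caller. In `lookupJwtVersion`, reject a result that is not a literal version, e.g. `if (version.isEmpty() || version.contains("$")) throw new IllegalStateException("No literal " + NIMBUS_JOSE_JWT_NAME + " version in POM for " + oauthSdcVersion);`. The parser sets only `FEATURE_SECURE_PROCESSING`, whose effect on DTDs and external entities depends on the JAXP implementation on the classpath; a POM needs no DOCTYPE, so adding `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` makes that explicit. `OIDC_SDK_NAME`, `NIMBUS_JOSE_JWT_NAME` and `client` are never reassigned and should be `final`.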

+ 40 - 1
buildSrc/src/main/java/org/springframework/security/convention/versions/UpdateDependenciesPlugin.java

@@ -1,5 +1,22 @@
+/*
+ * Copyright 2019-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.springframework.security.convention.versions;
 
+import com.github.benmanes.gradle.versions.reporter.result.Dependency;
 import com.github.benmanes.gradle.versions.reporter.result.DependencyOutdated;
 import com.github.benmanes.gradle.versions.reporter.result.Result;
 import com.github.benmanes.gradle.versions.reporter.result.VersionAvailable;
@@ -15,7 +32,10 @@ import org.gradle.api.Project;
 import org.gradle.api.artifacts.component.ModuleComponentIdentifier;
 import reactor.core.publisher.Mono;
 
-import java.io.*;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
 import java.nio.file.Files;
 import java.time.Duration;
 import java.util.*;
@@ -24,6 +44,9 @@ import java.util.function.Supplier;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import static org.springframework.security.convention.versions.TransitiveDependencyLookupUtils.NIMBUS_JOSE_JWT_NAME;
+import static org.springframework.security.convention.versions.TransitiveDependencyLookupUtils.OIDC_SDK_NAME;
+
 public class UpdateDependenciesPlugin implements Plugin<Project> {
 	private GitHubApi gitHubApi;
 
@@ -98,6 +121,22 @@ public class UpdateDependenciesPlugin implements Plugin<Project> {
 		dependencies.forEach(outdated -> {
 			groups.computeIfAbsent(outdated.getGroup(), (key) -> new ArrayList<>()).add(outdated);
 		});
+		List<DependencyOutdated> nimbusds = groups.getOrDefault("com.nimbusds", new ArrayList<>());
+		DependencyOutdated oidcSdc = nimbusds.stream().filter(d -> d.getName().equals(OIDC_SDK_NAME)).findFirst().orElseGet(() -> null);
+		if(oidcSdc != null) {
+			String oidcVersion = updatedVersion(oidcSdc);
+			String jwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(oidcVersion);
+
+			Dependency nimbusJoseJwtDependency = result.getCurrent().getDependencies().stream().filter(d -> d.getName().equals(NIMBUS_JOSE_JWT_NAME)).findFirst().get();
+			DependencyOutdated outdatedJwt = new DependencyOutdated();
+			outdatedJwt.setVersion(nimbusJoseJwtDependency.getVersion());
+			outdatedJwt.setGroup(oidcSdc.getGroup());
+			outdatedJwt.setName(NIMBUS_JOSE_JWT_NAME);
+			VersionAvailable available = new VersionAvailable();
+			available.setRelease(jwtVersion);
+			outdatedJwt.setAvailable(available);
+			nimbusds.add(outdatedJwt);
+		}
 		File gradlePropertiesFile = project.getRootProject().file(Project.GRADLE_PROPERTIES);
 		Mono<GitHubApi.FindCreateIssueResult> createIssueResult = createIssueResultMono(updateDependenciesSettings);
 		List<File> filesWithDependencies = updateDependenciesSettings.getFiles().get();
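Review bot: The `result.getCurrent().getDependencies().stream()...findFirst().get()` call in the last hunk assumes nimbus-jose-jwt is always listed among the current dependencies. If the report puts it elsewhere (possibly under the outdated ones when a newer release exists; not verifiable from this hunk), the task fails with a bare `NoSuchElementException`. If it is already in `nimbusds`, the `nimbusds.add(outdatedJwt)` line adds a second entry for the same artifact. Replace `.get()` with `.orElseThrow(() -> new IllegalStateException("nimbus-jose-jwt not found in current dependencies"))` and drop any existing nimbus-jose-jwt entry first, e.g. `nimbusds.removeIf(d -> d.getName().equals(NIMBUS_JOSE_JWT_NAME));`. `orElseGet(() -> null)` can simply be `orElse(null)`. The enclosing method starts and ends outside this hunk.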

+ 31 - 0
buildSrc/src/test/java/org/springframework/security/convention/versions/TransitiveDependencyLookupUtilsTest.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2019-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.convention.versions;
+
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class TransitiveDependencyLookupUtilsTest {
+
+	@Test
+	public void lookupJwtVersionWhen93Then961() {
+		String s = TransitiveDependencyLookupUtils.lookupJwtVersion("9.3");
+		assertThat(s).isEqualTo("9.6.1");
+	}
+}
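Review bot: `lookupJwtVersionWhen93Then961` makes a live HTTPS request to repo.maven.apache.org through `lookupJwtVersion`, so the buildSrc test fails offline or behind a proxy, and its result depends on remote content rather than on the parsing logic. Consider making `getVersion(InputStream)` package-private and testing it against a small POM fixture on the test classpath, keeping any network test separate. A fixture would also allow a test for a POM that has no nimbus-jose-jwt dependency, which is not covered here.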