Upgrade nimbus-jose-jwt to 9.37.2 (#1861)

Due to CVE https://ossindex.sonatype.org/vulnerability/CVE-2023-52428?component-type=maven&component-name=com.nimbusds%2Fnimbus-jose-jwt

.github/workflows/sonarqube.yml

@@ -38,7 +38,7 @@ jobs:
         uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
-          java-version: 11
+          java-version: 17
       - name: Optional setup step
         env:
           GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}

gradle/libs.versions.toml

@@ -1,5 +1,5 @@
 [versions]
-managed-nimbus-jose-jwt = "9.25.6"
+managed-nimbus-jose-jwt = "9.37.2"
 
 micronaut = "3.7.5"
 micronaut-docs = "2.0.0"

security-oauth2/src/test/groovy/io/micronaut/security/oauth2/e2e/AuthenticationModeIdTokenSpec.groovy

@@ -71,7 +71,7 @@ class AuthenticationModeIdTokenSpec extends GebEmbeddedServerSpecification {
 
         when:
         LoginPage loginPage = browser.page LoginPage
-        loginPage.login("user", "password")
+        loginPage.login(Keycloak.TEST_USERNAME, Keycloak.TEST_PASSWORD)
 
         then:
         at HomePage

security-oauth2/src/test/groovy/io/micronaut/security/oauth2/e2e/OpenIdAuthorizationCodeSpec.groovy

@@ -66,7 +66,7 @@ class OpenIdAuthorizationCodeSpec extends GebEmbeddedServerSpecification {
 
         when:
         LoginPage loginPage = browser.page LoginPage
-        loginPage.login("user", "password")
+        loginPage.login(Keycloak.TEST_USERNAME, Keycloak.TEST_PASSWORD)
 
         then:
         browser.at HomePage

test-suite-utils/src/main/groovy/io/micronaut/security/testutils/Keycloak.groovy

@@ -15,22 +15,37 @@
  */
 package io.micronaut.security.testutils
 
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
 import org.testcontainers.Testcontainers
 import org.testcontainers.containers.GenericContainer
 import org.testcontainers.containers.wait.strategy.LogMessageWaitStrategy
-import org.testcontainers.images.builder.ImageFromDockerfile
-import spock.util.environment.OperatingSystem
 
 import java.time.Duration
 
 class Keycloak {
-    static final String LOCALHOST = "http://localhost"
-    static final String HOST_TESTCONTAINERS_INTERNAL= "http://host.testcontainers.internal"
-    static final String SYS_TESTCONTAINERS = "testcontainers"
-    static final String CLIENT_ID = "myclient"
-    private static String clientSecret = UUID.randomUUID()
+
+    private static final Logger LOG = LoggerFactory.getLogger(Keycloak.class)
+
+    public static final String LOCALHOST = "http://localhost"
+    public static final String HOST_TESTCONTAINERS_INTERNAL = "http://host.testcontainers.internal"
+    public static final String SYS_TESTCONTAINERS = "testcontainers"
+    public static final String CLIENT_ID = "myclient"
+    public static final String TEST_USERNAME = "test"
+    @SuppressWarnings("java:S2068") // Passwords are for testing an ephemeral container
+    public static final String TEST_PASSWORD = "password"
+
+    private static final String ADMIN_USERNAME = "user"
+    @SuppressWarnings("java:S2068") // Passwords are for testing an ephemeral container
+    private static final String ADMIN_PASSWORD = "bitnami"
+    private static final String REALM = "master"
+    private static final String ADMIN_SERVER = "http://localhost:8080/auth"
+    private static String clientSecret = UUID.randomUUID().toString()
     private static String issuer
-    static GenericContainer keycloak
+    private static GenericContainer<?> container
+
+    private Keycloak() {
+    }
 
     static String getClientSecret() {
         if (clientSecret == null) {
@@ -52,43 +67,98 @@ class Keycloak {
     }
 
     static void init() {
-        if (keycloak == null) {
-            if (OperatingSystem.current.macOs && System.getProperty("os.arch") == 'aarch64') {
-                keycloak = new GenericContainer(new ImageFromDockerfile("keycloak-m1", false).withFileFromClasspath("Dockerfile", "/Dockerfile.keycloak"))
-            } else {
-                keycloak = new GenericContainer("jboss/keycloak:16.1.1")
+        if (container == null) {
+            Map<String, String> containerConfiguration = [
+                    "KEYCLOAK_DATABASE_VENDOR": "h2",
+                    "KC_HTTP_RELATIVE_PATH": "/auth", // https://github.com/micronaut-projects/micronaut-security/issues/1024
+                    "KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI": "true", // https://github.com/micronaut-projects/micronaut-security/issues/1024
+                    "KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN": "true", // https://github.com/micronaut-projects/micronaut-security/issues/1024
+                    "KC_DB": "dev-file"
+            ]
+            container = new GenericContainer<>("bitnami/keycloak:23")
+                    .withExposedPorts(8080)
+                    .withEnv(containerConfiguration)
+                    .withLogConsumer(outputFrame -> System.out.print("[--KEYCLOAK--] " + outputFrame.getUtf8String()))
+                    .waitingFor(new LogMessageWaitStrategy().withRegEx(".*Running the server in development mode. DO NOT use this configuration in production.*").withStartupTimeout(Duration.ofMinutes(5)))
+            container.start()
+
+            def execResult = container.execInContainer(
+                    "/opt/bitnami/keycloak/bin/kcreg.sh",
+                    "config", "credentials",
+                    "--config", "/tmp/kcreg.config",
+                    "--server", ADMIN_SERVER,
+                    "--realm", REALM,
+                    "--user", ADMIN_USERNAME, "--password", ADMIN_PASSWORD
+            )
+
+            if (execResult.exitCode != 0) {
+                throw new IllegalStateException("Failed to configure credentials ${execResult.stderr}")
+            }
+
+            LOG.info(execResult.stdout)
+
+            execResult = container.execInContainer(
+                    "/opt/bitnami/keycloak/bin/kcreg.sh",
+                    "create",
+                    "--config", "/tmp/kcreg.config",
+                    "-s", "clientId=${CLIENT_ID}",
+                    "-s", "redirectUris=[\"http://${getRedirectUriHost()}*\", \"http://localhost*\"]",
+                    "-s", "secret=${clientSecret}"
+            )
+            if (execResult.exitCode != 0) {
+                throw new IllegalStateException("Failed to configure client " + execResult.stderr)
             }
 
-            keycloak = keycloak.withExposedPorts(8080)
-                    .withEnv([
-                            KEYCLOAK_USER: 'user',
-                            KEYCLOAK_PASSWORD: 'password',
-                            DB_VENDOR: 'H2',
-                    ])
-                    .waitingFor(new LogMessageWaitStrategy().withRegEx(".*Deployed \"keycloak-server.war\".*").withStartupTimeout(Duration.ofMinutes(5)))
-            keycloak.start()
-            keycloak.execInContainer("/opt/jboss/keycloak/bin/kcreg.sh config credentials --server http://localhost:8080/auth --realm master --user user --password password".split(" "))
-            keycloak.execInContainer("/opt/jboss/keycloak/bin/kcreg.sh create -s clientId=$CLIENT_ID -s redirectUris=[\"http://${getRedirectUriHost()}*\"] -s secret=$clientSecret".split(" "))
-            int port = keycloak.getMappedPort(8080)
+            LOG.info(execResult.stdout)
+
+            execResult = container.execInContainer(
+                    "/opt/bitnami/keycloak/bin/kcadm.sh",
+                    "create", "users",
+                    "-s", "username=${TEST_USERNAME}",
+                    "-s", "enabled=true",
+                    "--realm", REALM,
+                    "--server", ADMIN_SERVER,
+                    "--user", ADMIN_USERNAME, "--password", ADMIN_PASSWORD
+            )
+            if (execResult.getExitCode() != 0) {
+                throw new IllegalStateException("Failed to create test user " + execResult.getStderr())
+            }
+
+            LOG.info(execResult.getStdout())
+
+            execResult = container.execInContainer(
+                    "/opt/bitnami/keycloak/bin/kcadm.sh",
+                    "set-password",
+                    "--username", TEST_USERNAME,
+                    "--new-password", TEST_PASSWORD,
+                    "--realm", REALM,
+                    "--server", ADMIN_SERVER,
+                    "--user", ADMIN_USERNAME, "--password", ADMIN_PASSWORD
+            )
+            if (execResult.getExitCode() != 0) {
+                throw new IllegalStateException("Failed to set password for test user " + execResult.getStderr())
+            }
+
+            LOG.info(execResult.getStdout())
+
+            int port = container.getMappedPort(8080)
             Testcontainers.exposeHostPorts(port)
-            issuer = "http://" + getHost() + ":" + port  + "/auth/realms/master"
+            issuer = "http://localhost:" + port  + "/auth/realms/master"
         }
+
     }
 
     static String getRedirectUriHost() {
         TestContainersUtils.host
     }
-
-    static String getHost() {
-        'localhost'
-    }
-
     static void destroy() {
-        if (keycloak != null) {
-            keycloak.stop()
+        if (container != null) {
+            container.stop()
         }
-        keycloak = null
+        container = null
         clientSecret = null
         issuer = null
     }
+
 }
+