From 2cd302fb1b15b96b1abd8705be8633cb5f4cf679 Mon Sep 17 00:00:00 2001
From: Marcus Hert Da Coregio
Date: Mon, 30 Oct 2023 16:11:02 -0300
Subject: [PATCH 1/2] Revert "Use lenient configuration for prohibited dependencies check"
This reverts commit 602d4189d11a3cd59d07f77b81721731f191534e.
---
 .../classpath/CheckClasspathForProhibitedDependencies.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java b/buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java
index 467aa34da8..4738135e90 100644
--- a/buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java
+++ b/buildSrc/src/main/java/org/springframework/gradle/classpath/CheckClasspathForProhibitedDependencies.java
@@ -55,7 +55,7 @@ public class CheckClasspathForProhibitedDependencies extends DefaultTask {
 @TaskAction
 public void checkForProhibitedDependencies() throws IOException {
 ResolvedConfiguration resolvedConfiguration = this.classpath.getResolvedConfiguration();
- TreeSet prohibited = resolvedConfiguration.getLenientConfiguration().getArtifacts().stream()
+ TreeSet prohibited = resolvedConfiguration.getResolvedArtifacts().stream()
 .map((artifact) -> artifact.getModuleVersion().getId()).filter(this::prohibited)
 .map((id) -> id.getGroup() + ":" + id.getName()).collect(Collectors.toCollection(TreeSet::new));
 if (!prohibited.isEmpty()) {
From 3f64c6d7454207311dded48fef04ec844a85e53a Mon Sep 17 00:00:00 2001
From: Marcus Hert Da Coregio
Date: Mon, 30 Oct 2023 16:11:41 -0300
Subject: [PATCH 2/2] Use version catalog to resolve nimbus dependency versions
Issue gh-14047
---
 .../VerifyDependenciesVersionsPlugin.java | 107 ++++-------------
 1 file changed, 20 insertions(+), 87 deletions(-)
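Review bot: The added `getResolvedArtifacts()` line carries no comment recording why the lenient form is rejected, and since the lenient variant has already been introduced once and is being reverted here, the intent is likely to be lost again. `LenientConfiguration.getArtifacts()` returns only the artifacts that resolved successfully, so an unresolvable artifact silently drops out of the prohibited-dependency check, whereas `getResolvedArtifacts()` throws a ResolveException and fails the task. A one-line comment above the added line would pin that down: `// Resolve strictly: an artifact that cannot be resolved must fail this check, not be silently skipped by the lenient configuration`. The `TreeSet`/generic types appear stripped by the rendering and are not a raw-type concern here.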
diff --git a/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java b/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java
index 6b065ef306..f7f3d17cd4 100644
--- a/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java
+++ b/buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java
@@ -16,16 +16,12 @@ package org.springframework.security.convention.versions;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.stream.Collectors;
-
 import org.gradle.api.DefaultTask;
 import org.gradle.api.Plugin;
 import org.gradle.api.Project;
-import org.gradle.api.artifacts.Configuration;
+import org.gradle.api.artifacts.MinimalExternalModuleDependency;
+import org.gradle.api.artifacts.VersionCatalog;
+import org.gradle.api.artifacts.VersionCatalogsExtension;
 import org.gradle.api.plugins.JavaBasePlugin;
 import org.gradle.api.tasks.TaskAction;
 import org.gradle.api.tasks.TaskProvider;
@@ -37,101 +33,38 @@ public class VerifyDependenciesVersionsPlugin implements Plugin {
 TaskProvider verifyDependenciesVersionsTaskProvider = project.getTasks().register("verifyDependenciesVersions", VerifyDependenciesVersionsTask.class, (task) -> {
 task.setGroup("Verification");
 task.setDescription("Verify that specific dependencies are using the same version");
- List allConfigurations = new ArrayList<>(getConfigurations(project));
- task.setConfigurations(allConfigurations);
+ VersionCatalog versionCatalog = project.getExtensions().getByType(VersionCatalogsExtension.class).named("libs");
+ MinimalExternalModuleDependency oauth2OidcSdk = versionCatalog.findLibrary("com-nimbusds-oauth2-oidc-sdk").get().get();
+ MinimalExternalModuleDependency nimbusJoseJwt = versionCatalog.findLibrary("com-nimbusds-nimbus-jose-jwt").get().get();
+ task.setOauth2OidcSdkVersion(oauth2OidcSdk.getVersionConstraint().getDisplayName());
+ task.setExpectedNimbusJoseJwtVersion(nimbusJoseJwt.getVersionConstraint().getDisplayName());
 });
 project.getTasks().named(JavaBasePlugin.CHECK_TASK_NAME, checkTask -> checkTask.dependsOn(verifyDependenciesVersionsTaskProvider));
 }
- private List getConfigurations(Project rootProject) {
- List configurations = new ArrayList<>();
- for (Project project : rootProject.getAllprojects()) {
- List runtimeClasspath = project.getConfigurations().stream()
- .filter(Configuration::isCanBeResolved)
- .filter((config) -> config.getName().equals("runtimeClasspath"))
- .collect(Collectors.toList());
- configurations.addAll(runtimeClasspath);
- }
- return configurations;
- }
-
 public static class VerifyDependenciesVersionsTask extends DefaultTask {
- private List configurations;
+ private String oauth2OidcSdkVersion;
- public void setConfigurations(List configurations) {
- this.configurations = configurations;
+ private String expectedNimbusJoseJwtVersion;
+
+ public void setOauth2OidcSdkVersion(String oauth2OidcSdkVersion) {
+ this.oauth2OidcSdkVersion = 
oauth2OidcSdkVersion;
+ }
+
+ public void setExpectedNimbusJoseJwtVersion(String expectedNimbusJoseJwtVersion) {
+ this.expectedNimbusJoseJwtVersion = expectedNimbusJoseJwtVersion;
 }
 @TaskAction
 public void verify() {
- Map> artifacts = getDependencies(this.configurations);
- List oauth2OidcSdk = artifacts.get("oauth2-oidc-sdk");
- List nimbusJoseJwt = artifacts.get("nimbus-jose-jwt");
- if (oauth2OidcSdk == null) {
- // Could not resolve oauth2-oidc-sdk
- return;
- }
- if (oauth2OidcSdk.size() > 1) {
- throw new IllegalStateException("Found multiple versions of oauth2-oidc-sdk: " + oauth2OidcSdk);
- }
- Artifact oauth2OidcSdkArtifact = oauth2OidcSdk.get(0);
- String nimbusJoseJwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(oauth2OidcSdkArtifact.version());
- List differentVersions = nimbusJoseJwt.stream()
- .filter((artifact) -> !artifact.version().equals(nimbusJoseJwtVersion))
- .filter((artifact -> !artifact.configurationName().contains("spring-security-cas"))) // CAS uses a different version
- .collect(Collectors.toList());
- if (!differentVersions.isEmpty()) {
- String message = "Found transitive nimbus-jose-jwt version [" + nimbusJoseJwtVersion + "] in oauth2-oidc-sdk " + oauth2OidcSdkArtifact
- + ", but the project contains a different version of nimbus-jose-jwt " + differentVersions
- + ". Please align the versions of nimbus-jose-jwt.";
+ String transitiveNimbusJoseJwtVersion = TransitiveDependencyLookupUtils.lookupJwtVersion(this.oauth2OidcSdkVersion);
+ if (!transitiveNimbusJoseJwtVersion.equals(this.expectedNimbusJoseJwtVersion)) {
+ String message = String.format("Found transitive nimbus-jose-jwt:%s in oauth2-oidc-sdk:%s, but the project contains a different version of nimbus-jose-jwt [%s]. 
Please align the versions.", transitiveNimbusJoseJwtVersion, this.oauth2OidcSdkVersion, this.expectedNimbusJoseJwtVersion);
 throw new IllegalStateException(message);
 }
 }
- private Map> getDependencies(List configurations) {
- return configurations.stream()
- .flatMap((configuration) -> {
- return configuration.getIncoming().getResolutionResult().getAllDependencies().stream()
- .map((dep) -> {
- String[] nameParts = dep.getRequested().getDisplayName().split(":");
- if (nameParts.length > 2) {
- return new Artifact(nameParts[1], nameParts[2], configuration.toString());
- }
- return null;
- });
- })
- .filter(Objects::nonNull)
- .distinct()
- .collect(Collectors.groupingBy(Artifact::name));
- }
-
- }
-
- private static class Artifact {
-
- private final String name;
- private final String version;
- private final String configurationName;
-
- private Artifact(String name, String version, String configurationName) {
- this.name = name;
- this.version = version;
- this.configurationName = configurationName;
- }
-
- public String name() {
- return this.name;
- }
-
- public String version() {
- return this.version;
- }
-
- public String configurationName() {
- return this.configurationName;
- }
- }
 }
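Review bot: The two `findLibrary(...).get().get()` chains in the task-configuration lambda turn a missing or renamed catalog alias into a bare NoSuchElementException that does not say which of `com-nimbusds-oauth2-oidc-sdk` or `com-nimbusds-nimbus-jose-jwt` is absent from libs.versions.toml, so a typo there surfaces as an unexplained configuration failure. Resolving each alias through a small helper that throws an IllegalStateException naming the alias keeps the check fail-closed and makes the failure self-explanatory. Separately, `getVersionConstraint().getDisplayName()` renders the whole constraint, so a rich or ranged version in the catalog would not yield a plain version string; if `lookupJwtVersion` (not visible here) expects an exact version, `getRequiredVersion()` is the safer accessor. `apply`'s signature and the enclosing plugin class begin outside the hunk.
```java
			VersionCatalog versionCatalog = project.getExtensions().getByType(VersionCatalogsExtension.class).named("libs");
			MinimalExternalModuleDependency oauth2OidcSdk = requireLibrary(versionCatalog, "com-nimbusds-oauth2-oidc-sdk");
			MinimalExternalModuleDependency nimbusJoseJwt = requireLibrary(versionCatalog, "com-nimbusds-nimbus-jose-jwt");
			// … unchanged: task.setOauth2OidcSdkVersion / task.setExpectedNimbusJoseJwtVersion …

	/** Resolves {@code alias} from the catalog, failing with the alias name when it is not declared. */
	private static MinimalExternalModuleDependency requireLibrary(VersionCatalog catalog, String alias) {
		return catalog.findLibrary(alias)
				.orElseThrow(() -> new IllegalStateException("Version catalog 'libs' has no library alias '" + alias + "'"))
				.get();
	}
```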