Update dependencies - libraries with CVEs, image versions used in examples and testsuite (#280)

Signed-off-by: Marko Strukelj <[email protected]>

Author: mstruk

bin/build.sh

@@ -69,9 +69,9 @@ if [ "$arch" == 's390x' ]; then
     export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/s390x-linux-gnu/jni
 
     cd target
-    git clone -b 23.0.5 https://github.com/keycloak/keycloak.git
+    git clone -b 26.3.3 https://github.com/keycloak/keycloak.git
     cd keycloak/quarkus/container
-    docker build . -t quay.io/keycloak/keycloak:23.0.5
+    docker build . -t quay.io/keycloak/keycloak:26.3.3
     cd ../../../.. && rm -rf target/keycloak
 
     docker build --target hydra-import -t strimzi-oauth-testsuite/hydra-import:latest -f ./testsuite/docker/hydra-import/Dockerfile.s390x .

examples/docker/kafka-oauth-strimzi/kafka/Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/strimzi/kafka:0.45.0-kafka-3.9.0
+FROM quay.io/strimzi/kafka:0.47.0-kafka-4.0.0
 
 COPY libs/* /opt/kafka/libs/strimzi/
 COPY config/* /opt/kafka/config/

examples/docker/keycloak/compose.yml

@@ -1,7 +1,7 @@
 services:
 
   keycloak:
-    image: quay.io/keycloak/keycloak:23.0.5
+    image: quay.io/keycloak/keycloak:26.3.3
     ports:
       - "8080:8080"
       - "8443:8443"

examples/docker/spring/Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi8/openjdk-17
+FROM registry.access.redhat.com/ubi9/openjdk-17
 
 ENTRYPOINT ["java", "-jar", "/usr/share/oauth/server.jar"]
 

examples/docker/spring/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.4.4</version>
+		<version>3.4.9</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 
@@ -21,6 +21,15 @@
 		<plugins.resources.version>3.1.0</plugins.resources.version>
 		<fabric8-docker-plugin.version>0.40.2</fabric8-docker-plugin.version>
 	</properties>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>com.nimbusds</groupId>
+				<artifactId>nimbus-jose-jwt</artifactId>
+				<version>10.0.2</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>

examples/docker/strimzi-kafka-image/Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/strimzi/kafka:0.45.0-kafka-3.9.0
+FROM quay.io/strimzi/kafka:0.47.0-kafka-4.0.0
 
 COPY target/libs/* /opt/kafka/libs/oauth/
 ENV CLASSPATH /opt/kafka/libs/oauth/*

examples/docker/strimzi-kafka-image/README.md

@@ -1,12 +1,12 @@
 Strimzi Kafka Image with SNAPSHOT Strimzi Kafka OAuth
 =====================================================
 
-This is a build of a Docker image based on `quay.io/strimzi/kafka:0.45.0-kafka-3.9.0` with added most recently locally built SNAPSHOT version of Strimzi Kafka OAuth libraries.
+This is a build of a Docker image based on `quay.io/strimzi/kafka:0.47.0-kafka-4.0.0` with added most recently locally built SNAPSHOT version of Strimzi Kafka OAuth libraries.
 
 This image adds a `/opt/kafka/libs/oauth` directory, and copies the latest jars for OAuth support in it.
 Then it puts this directory as the first directory on the classpath.
 
-The result is that the specific version of Strimzi Kafka OAuth jars and their dependencies is used, because they appear on the classpath before the ones that are part of `quay.io/strimzi/kafka:0.45.0-kafka-3.9.0` which are located in the `/opt/kafka/libs` directory.
+The result is that the specific version of Strimzi Kafka OAuth jars and their dependencies is used, because they appear on the classpath before the ones that are part of `quay.io/strimzi/kafka:0.47.0-kafka-4.0.0` which are located in the `/opt/kafka/libs` directory.
 
 
 Building
@@ -79,9 +79,9 @@ Deploying
 
 In order for the operator to use your Kafka image, you have to replace the Kafka image coordinates in `packaging/install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml` in your `strimzi-kafka-operator` project.
 
-This image builds the kafka-3.9.0 replacement image, so we need to replace all occurrences where kafka-3.9.0 is referred to into the proper coordinates to our image:
+This image builds the kafka-3.9.1 replacement image, so we need to replace all occurrences where kafka-3.9.1 is referred to into the proper coordinates to our image:
 
-    sed -Ei "s#quay.io/strimzi/kafka:latest-kafka-3.9.0#${DOCKER_REG}/strimzi/kafka:latest-kafka-3.9.0-oauth#" \
+    sed -Ei "s#quay.io/strimzi/kafka:latest-kafka-3.9.1#${DOCKER_REG}/strimzi/kafka:latest-kafka-3.9.1-oauth#" \
         packaging/install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml
 
 
@@ -94,11 +94,11 @@ You can now deploy Strimzi Kafka Operator following instructions in [HACKING.md]
 
 ## Via Helm
 
-You can also run the operator via its Helm chart and set the `kafka.image.registry` property to your local registry. As an example, if you've built and tagged the image as `local.dev/strimzi/kafka:0.45.0-kafka-3.9.0`. You can run it using the operator as:
+You can also run the operator via its Helm chart and set the `kafka.image.registry` property to your local registry. As an example, if you've built and tagged the image as `local.dev/strimzi/kafka:0.47.0-kafka-3.9.1`. You can run it using the operator as:
 
     helm repo add strimzi https://strimzi.io/charts/ --force-update
     helm upgrade -i -n strimzi strimzi strimzi/strimzi-kafka-operator \
-      --version 0.45.0 \
+      --version 0.47.0 \
       --set watchNamespaces="{default}" \
       --set generateNetworkPolicy=false \
       --set kafka.image.registry="local.dev" \

examples/kubernetes/kafka-oauth-authz-metrics-client.yaml

@@ -40,7 +40,7 @@ metadata:
 spec:
   containers:
     - name: kafka-client-shell
-      image: quay.io/strimzi/kafka:latest-kafka-3.9.0
+      image: quay.io/strimzi/kafka:latest-kafka-3.9.1
       command:
         - /bin/sh
       env:

examples/kubernetes/keycloak-postgres.yaml

@@ -27,7 +27,7 @@ metadata:
 spec:
   containers:
   - name: keycloak
-    image: quay.io/keycloak/keycloak:23.0.5
+    image: quay.io/keycloak/keycloak:26.3.3
     args: ["-v", "start", "--import-realm", "--features=token-exchange,authorization,scripts"]
     env:
     - name: KEYCLOAK_ADMIN

oauth-common/src/test/java/io/strimzi/kafka/oauth/jsonpath/CustomCheckTest.java

@@ -226,4 +226,40 @@ public void testPerformance() throws Exception {
             System.out.printf("Ran query on %d unique tokens in %d ms :: '%s'%n", tokens.size(), System.currentTimeMillis() - time, parsedQuery);
         }
     }
+
+    @Ignore
+    @Test
+    public void testComplexQuery() throws Exception {
+        String jsonString = "{\n" +
+                " \"exp\" : 1756844595,\n" +
+                " \"iat\" : 1756844295,\n" +
+                " \"jti\" : \"trrtcc:92eb0ba2-8c4f-e829-abed-2a54a77f0020\",\n" +
+                " \"iss\" : \"http://keycloak:8080/realms/kafka-authz\",\n" +
+                " \"aud\" : [ \"kafka\", \"account\" ],\n" +
+                " \"sub\" : \"7b3b2198-d44f-4786-8a2b-e896af230e2b\",\n" +
+                " \"typ\" : \"Bearer\",\n" +
+                " \"azp\" : \"team-b-client\",\n" +
+                " \"acr\" : \"1\",\n" +
+                " \"realm_access\" : {\n" +
+                "   \"roles\" : [ \"offline_access\", \"Dev Team B\" ]\n" +
+                " },\n" +
+                " \"resource_access\" : {\n" +
+                "   \"kafka\" : {\n" +
+                "     \"roles\" : [ \"kafka-user\" ]\n" +
+                "   },\n" +
+                "   \"account\" : {\n" +
+                "     \"roles\" : [ \"manage-account\", \"manage-account-links\", \"view-profile\" ]\n" +
+                "   }\n" +
+                " },\n" +
+                " \"scope\" : \"email profile\",\n" +
+                " \"email_verified\" : false,\n" +
+                " \"preferred_username\" : \"service-account-team-b-client\"\n" +
+                "}\n";
+
+        String query = "@.typ == 'Bearer' && @.iss == 'http://keycloak:8080/realms/kafka-authz'  && 'kafka' in @.aud && 'kafka-user' in @.resource_access.kafka.roles";
+
+        JsonNode json = JSONUtil.readJSON(jsonString, JsonNode.class);
+        JsonPathFilterQuery q = JsonPathFilterQuery.parse(query);
+        Assert.assertTrue(q.matches(json));
+    }
 }