diff --git a/.golangci.yaml b/.golangci.yaml index 1aea900d3cd11a..b6fae6e0b2c5c3 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -16,7 +16,8 @@ linters: - goimports - gomodguard - gosimple - - govet + - govet + - importas - ineffassign - misspell - perfsprint @@ -44,9 +45,19 @@ linters-settings: gomodguard: blocked: modules: + - github.com/golang-jwt/jwt: + recommendations: + - github.com/golang-jwt/jwt/v5 + - github.com/golang-jwt/jwt/v4: + recommendations: + - github.com/golang-jwt/jwt/v5 - github.com/pkg/errors: recommendations: - errors + importas: + alias: + - alias: jwtgo + pkg: github.com/golang-jwt/jwt/v5 perfsprint: # Optimizes even if it requires an int or uint type cast. int-conversion: true diff --git a/cmd/argocd/commands/login.go b/cmd/argocd/commands/login.go index 72b89dae1771ca..2843972e7e4766 100644 --- a/cmd/argocd/commands/login.go +++ b/cmd/argocd/commands/login.go @@ -13,7 +13,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/skratchdot/open-golang/open" "github.com/spf13/cobra" diff --git a/cmd/argocd/commands/login_test.go b/cmd/argocd/commands/login_test.go index 420b484674901a..91cf3e11388b3a 100644 --- a/cmd/argocd/commands/login_test.go +++ b/cmd/argocd/commands/login_test.go @@ -7,7 +7,7 @@ import ( utils "github.com/argoproj/argo-cd/v2/util/io" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" ) diff --git a/cmd/argocd/commands/project_role.go b/cmd/argocd/commands/project_role.go index a0da6793fa7e69..759608575908bd 100644 --- a/cmd/argocd/commands/project_role.go +++ b/cmd/argocd/commands/project_role.go @@ -8,7 +8,7 @@ import ( "time" timeutil "github.com/argoproj/pkg/time" - jwtgo "github.com/golang-jwt/jwt/v4" + jwtgo "github.com/golang-jwt/jwt/v5" "github.com/spf13/cobra" "github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless" 
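Review bot: The `importas` entry added under `linters-settings` pins the alias name only; with the linter's defaults an unaliased import of `github.com/golang-jwt/jwt/v5` still passes, so the package is `jwt` in most files of this diff and `jwtgo` in `project_role.go` and `util/jwt/jwt.go`. If a single name is intended, add `no-unaliased: true` next to `alias:`. Otherwise a comment such as `# jwtgo is only required where an alias is used, e.g. to avoid a clash with a local jwt package` would record the intent. The `gomodguard` entries guard imports in this repository only: `go.mod` in the same diff keeps `jwt/v4` as an indirect requirement, so dependency scanning still has to track that version.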
diff --git a/go.mod b/go.mod index 336a1b8018564f..93760293ef859e 100644 --- a/go.mod +++ b/go.mod @@ -39,7 +39,7 @@ require ( github.com/gobwas/glob v0.2.3 github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355 github.com/gogo/protobuf v1.3.2 - github.com/golang-jwt/jwt/v4 v4.5.1 + github.com/golang-jwt/jwt/v5 v5.2.1 github.com/golang/protobuf v1.5.4 github.com/google/btree v1.1.3 github.com/google/go-cmp v0.6.0 @@ -137,7 +137,7 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect - github.com/golang-jwt/jwt/v5 v5.2.1 // indirect + github.com/golang-jwt/jwt/v4 v4.5.1 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect diff --git a/pkg/apiclient/apiclient.go b/pkg/apiclient/apiclient.go index b0c8f83bc6362b..e3d11e3b03a9b9 100644 --- a/pkg/apiclient/apiclient.go +++ b/pkg/apiclient/apiclient.go @@ -16,7 +16,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/golang/protobuf/ptypes/empty" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry" @@ -402,7 +402,8 @@ func (c *client) refreshAuthToken(localCfg *localconfig.LocalConfig, ctxName, co if err != nil { return err } - if claims.Valid() == nil { + validator := jwt.NewValidator(jwt.WithLeeway(5 * time.Second)) + if validator.Validate(claims) == nil { // token is still valid return nil } diff --git a/server/account/account_test.go b/server/account/account_test.go index 81e0abc0785f44..eb20c3195d21b8 100644 --- a/server/account/account_test.go +++ b/server/account/account_test.go 
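Review bot: The 5-second leeway in `jwt.NewValidator(jwt.WithLeeway(5 * time.Second))` works against this check. Leeway widens the window in which `exp` is accepted, so a token that expired up to five seconds ago is reported as still valid and `refreshAuthToken` returns without refreshing; the removed `claims.Valid()` applied no leeway. A refresh decision should err towards refreshing early, so I would drop the option, `validator := jwt.NewValidator()`, or explain in a comment why a just-expired token should be kept. The validator also accepts claims that carry no `exp` unless `jwt.WithExpirationRequired()` is set; whether that matters depends on how `claims` is parsed, which is outside this hunk.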
@@ -5,7 +5,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" diff --git a/server/application/application_test.go b/server/application/application_test.go index 3b1a4fce27a548..f6fac57fa747ae 100644 --- a/server/application/application_test.go +++ b/server/application/application_test.go @@ -17,7 +17,7 @@ import ( "github.com/argoproj/gitops-engine/pkg/utils/kube" "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" diff --git a/server/application/websocket_test.go b/server/application/websocket_test.go index d2222e1bdeb25a..cbb0dbaee5fcb3 100644 --- a/server/application/websocket_test.go +++ b/server/application/websocket_test.go @@ -16,7 +16,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/assets" "github.com/argoproj/argo-cd/v2/util/rbac" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/gorilla/websocket" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/server/cluster/cluster_test.go b/server/cluster/cluster_test.go index f5540dd30753db..94b1060dcc8bcc 100644 --- a/server/cluster/cluster_test.go +++ b/server/cluster/cluster_test.go @@ -8,7 +8,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/argoproj/argo-cd/v2/server/rbacpolicy" "github.com/argoproj/argo-cd/v2/util/assets" diff --git a/server/logout/logout.go b/server/logout/logout.go index e94424bc7035af..cbbdfd5c3c2934 100644 --- a/server/logout/logout.go +++ b/server/logout/logout.go 
@@ -7,7 +7,7 @@ import ( "strings" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v2/common" diff --git a/server/logout/logout_test.go b/server/logout/logout_test.go index 83bf8ee5d92f36..9571de128e6937 100644 --- a/server/logout/logout_test.go +++ b/server/logout/logout_test.go @@ -15,7 +15,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/session" "github.com/argoproj/argo-cd/v2/util/settings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/server/project/project.go b/server/project/project.go index cac913715b6231..c361d9d990882e 100644 --- a/server/project/project.go +++ b/server/project/project.go @@ -8,7 +8,7 @@ import ( "github.com/argoproj/gitops-engine/pkg/utils/kube" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/server/project/project_test.go b/server/project/project_test.go index d4d9c3e40e4eb4..9c76381dd4caff 100644 --- a/server/project/project_test.go +++ b/server/project/project_test.go @@ -10,7 +10,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/db" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/server/rbacpolicy/rbacpolicy.go b/server/rbacpolicy/rbacpolicy.go index ea2b0ee0c166df..08bff84c30b7cd 100644 --- a/server/rbacpolicy/rbacpolicy.go +++ b/server/rbacpolicy/rbacpolicy.go @@ -3,7 +3,7 @@ package rbacpolicy import ( "strings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" 
diff --git a/server/rbacpolicy/rbacpolicy_test.go b/server/rbacpolicy/rbacpolicy_test.go index ae8a9442e80df7..b0674ecce577cf 100644 --- a/server/rbacpolicy/rbacpolicy_test.go +++ b/server/rbacpolicy/rbacpolicy_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" diff --git a/server/repository/repository_test.go b/server/repository/repository_test.go index 7b4b77bca2ab11..a60e0f55049346 100644 --- a/server/repository/repository_test.go +++ b/server/repository/repository_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" diff --git a/server/server.go b/server/server.go index 29c7da2ab1552f..55f35fe8182402 100644 --- a/server/server.go +++ b/server/server.go @@ -33,7 +33,7 @@ import ( "github.com/argoproj/notifications-engine/pkg/api" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/gorilla/handlers" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth" diff --git a/server/server_test.go b/server/server_test.go index 02bab631ef6640..c466e0fe9c6296 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -15,7 +15,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/clusterauth/clusterauth.go b/util/clusterauth/clusterauth.go index d57e27792ecb6d..0ec1de7a60609b 100644 --- a/util/clusterauth/clusterauth.go +++ b/util/clusterauth/clusterauth.go 
@@ -7,7 +7,7 @@ import ( "strings" "time" - jwt "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -368,17 +368,11 @@ func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleN } type ServiceAccountClaims struct { - Sub string `json:"sub"` - Iss string `json:"iss"` Namespace string `json:"kubernetes.io/serviceaccount/namespace"` SecretName string `json:"kubernetes.io/serviceaccount/secret.name"` ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"` ServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid"` -} - -// Valid satisfies the jwt.Claims interface to enable JWT parsing -func (sac *ServiceAccountClaims) Valid() error { - return nil + jwt.RegisteredClaims } // ParseServiceAccountToken parses a Kubernetes service account token diff --git a/util/clusterauth/clusterauth_test.go b/util/clusterauth/clusterauth_test.go index 73a99d58d78aa8..041d19d9af377d 100644 --- a/util/clusterauth/clusterauth_test.go +++ b/util/clusterauth/clusterauth_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" @@ -27,12 +28,14 @@ const ( ) var testClaims = ServiceAccountClaims{ - Sub: "system:serviceaccount:kube-system:argocd-manager", - Iss: "kubernetes/serviceaccount", - Namespace: "kube-system", - SecretName: "argocd-manager-token-tj79r", - ServiceAccountName: "argocd-manager", - ServiceAccountUID: "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d", + "kube-system", + "argocd-manager-token-tj79r", + "argocd-manager", + "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d", + jwtgo.RegisteredClaims{ + Subject: "system:serviceaccount:kube-system:argocd-manager", + Issuer: "kubernetes/serviceaccount", + }, } func newServiceAccount() *corev1.ServiceAccount { 
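Review bot: Dropping the always-nil `Valid()` together with the exported `Sub` and `Iss` fields changes the contract of `ServiceAccountClaims`: the standard claims now come from the embedded `jwt.RegisteredClaims`, so `exp` and `nbf` fall under the library's default checks wherever these claims pass through a validating parser, and external code reading `.Sub` or `.Iss` no longer compiles. `ParseServiceAccountToken` begins after this hunk, so I cannot see whether it parses without verification; if it does, its comment should say that neither the signature nor the time claims are checked there. The type also has no doc comment; I would add `// ServiceAccountClaims holds the claims of a Kubernetes service account token; sub, iss and the other registered claims are promoted from jwt.RegisteredClaims.`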
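Review bot: `testClaims` refers to `jwtgo.RegisteredClaims`, but the import added in the hunk above it is the unaliased `"github.com/golang-jwt/jwt/v5"`, whose package name is `jwt`; unless a `jwtgo` alias is declared elsewhere in the file, this does not compile. The literal was also switched from keyed to positional fields, and because the first four fields are all strings, a later reordering of `ServiceAccountClaims` would silently swap values. I would keep the keys and name the embedded field explicitly, as below.

```go
var testClaims = ServiceAccountClaims{
	Namespace:          "kube-system",
	SecretName:         "argocd-manager-token-tj79r",
	ServiceAccountName: "argocd-manager",
	ServiceAccountUID:  "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d",
	RegisteredClaims: jwt.RegisteredClaims{
		Subject: "system:serviceaccount:kube-system:argocd-manager",
		Issuer:  "kubernetes/serviceaccount",
	},
}
```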
diff --git a/util/grpc/logging.go b/util/grpc/logging.go index 271111977473b6..6b244e4b95695a 100644 --- a/util/grpc/logging.go +++ b/util/grpc/logging.go @@ -8,7 +8,7 @@ import ( "github.com/gogo/protobuf/jsonpb" "github.com/gogo/protobuf/proto" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" grpc_logging "github.com/grpc-ecosystem/go-grpc-middleware/logging" ctx_logrus "github.com/grpc-ecosystem/go-grpc-middleware/tags/logrus" "github.com/sirupsen/logrus" diff --git a/util/grpc/logging_test.go b/util/grpc/logging_test.go index 98be425928b691..4dfbaf1c2816ee 100644 --- a/util/grpc/logging_test.go +++ b/util/grpc/logging_test.go @@ -6,7 +6,7 @@ import ( "fmt" "testing" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/jwt/jwt.go b/util/jwt/jwt.go index 585025990bf8d1..e2ca9e92141e93 100644 --- a/util/jwt/jwt.go +++ b/util/jwt/jwt.go @@ -6,7 +6,7 @@ import ( "strings" "time" - jwtgo "github.com/golang-jwt/jwt/v4" + jwtgo "github.com/golang-jwt/jwt/v5" ) // MapClaims converts a jwt.Claims to a MapClaims diff --git a/util/jwt/jwt_test.go b/util/jwt/jwt_test.go index 1b0ac87fe97520..5ef645abb81f9a 100644 --- a/util/jwt/jwt_test.go +++ b/util/jwt/jwt_test.go @@ -4,7 +4,7 @@ import ( "testing" "time" - jwt "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/util/localconfig/localconfig.go b/util/localconfig/localconfig.go index 221695354ec7f4..cdaf7adcc970e5 100644 --- a/util/localconfig/localconfig.go +++ b/util/localconfig/localconfig.go @@ -6,7 +6,7 @@ import ( "path" "strings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/argoproj/argo-cd/v2/util/config" configUtil "github.com/argoproj/argo-cd/v2/util/config" 
diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go index 6b475d01c6a815..42a737bf95cc76 100644 --- a/util/oidc/oidc.go +++ b/util/oidc/oidc.go @@ -17,7 +17,7 @@ import ( "time" gooidc "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "golang.org/x/oauth2" diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go index 40c606dcd96715..82f06367be9c1d 100644 --- a/util/oidc/oidc_test.go +++ b/util/oidc/oidc_test.go @@ -14,7 +14,7 @@ import ( "time" gooidc "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "golang.org/x/oauth2" diff --git a/util/rbac/rbac.go b/util/rbac/rbac.go index 1446620d58bd0e..1d0d6e8a87c4bf 100644 --- a/util/rbac/rbac.go +++ b/util/rbac/rbac.go @@ -18,7 +18,7 @@ import ( "github.com/casbin/casbin/v2/model" "github.com/casbin/casbin/v2/util" "github.com/casbin/govaluate" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" gocache "github.com/patrickmn/go-cache" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/util/rbac/rbac_test.go b/util/rbac/rbac_test.go index 686d283a3ee50b..f24b0be317f433 100644 --- a/util/rbac/rbac_test.go +++ b/util/rbac/rbac_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/security/jwt_test.go b/util/security/jwt_test.go index f8131259c1138a..87b6cfb7dd636b 100644 --- a/util/security/jwt_test.go +++ b/util/security/jwt_test.go @@ -4,7 +4,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
diff --git a/util/session/sessionmanager.go b/util/session/sessionmanager.go index 09ba6aa43cd38c..0483c94a65641e 100644 --- a/util/session/sessionmanager.go +++ b/util/session/sessionmanager.go @@ -14,7 +14,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go index efee1951e78990..82d3472f3f3e0e 100644 --- a/util/session/sessionmanager_test.go +++ b/util/session/sessionmanager_test.go @@ -14,7 +14,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" @@ -220,16 +220,8 @@ func TestSessionManager_ProjectToken(t *testing.T) { }) } -type claimsMock struct { - err error -} - -func (cm *claimsMock) Valid() error { - return cm.err -} - type tokenVerifierMock struct { - claims *claimsMock + claims *jwt.RegisteredClaims err error } @@ -258,7 +250,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name string authDisabled bool cookieHeader bool - verifiedClaims *claimsMock + verifiedClaims *jwt.RegisteredClaims verifyTokenErr error expectedStatusCode int expectedResponseBody *string @@ -269,7 +261,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will authenticate successfully", authDisabled: false, cookieHeader: true, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: nil, expectedStatusCode: http.StatusOK, expectedResponseBody: strPointer("Ok"), 
@@ -287,7 +279,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will return 400 if no cookie header", authDisabled: false, cookieHeader: false, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: nil, expectedStatusCode: http.StatusBadRequest, expectedResponseBody: nil, @@ -296,7 +288,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will return 401 verify token fails", authDisabled: false, cookieHeader: true, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: stderrors.New("token error"), expectedStatusCode: http.StatusUnauthorized, expectedResponseBody: nil, diff --git a/util/test/testutil.go b/util/test/testutil.go index a8e506300864d4..61fa0e74616fe7 100644 --- a/util/test/testutil.go +++ b/util/test/testutil.go @@ -9,7 +9,7 @@ import ( "testing" "github.com/go-jose/go-jose/v3" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/require" )