chore: use github.com/golang-jwt/jwt/v5

Signed-off-by: Matthieu MOREL <[email protected]>

.golangci.yaml

@@ -14,8 +14,10 @@ linters:
     - gocritic
     - gofumpt
     - goimports
+    - gomodguard
     - gosimple
-    - govet
+    - govet    
+    - importas
     - ineffassign
     - misspell
     - perfsprint
@@ -40,6 +42,19 @@ linters-settings:
       - typeSwitchVar
   goimports:
     local-prefixes: github.com/argoproj/argo-cd/v2
+  gomodguard:
+    blocked:
+      modules:
+        - github.com/golang-jwt/jwt:
+            recommendations:
+              - github.com/golang-jwt/jwt/v5
+        - github.com/golang-jwt/jwt/v4:
+            recommendations:
+              - github.com/golang-jwt/jwt/v5
+  importas:
+    alias:
+      - alias: jwtgo 
+        pkg: github.com/golang-jwt/jwt/v5
   perfsprint:
     # Optimizes even if it requires an int or uint type cast.
     int-conversion: true

cmd/argocd/commands/login.go

@@ -13,7 +13,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"

cmd/argocd/commands/login_test.go

@@ -7,7 +7,7 @@ import (
 
 	utils "github.com/argoproj/argo-cd/v2/util/io"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 )
 

cmd/argocd/commands/project_role.go

@@ -8,7 +8,7 @@ import (
 	"time"
 
 	timeutil "github.com/argoproj/pkg/time"
-	jwtgo "github.com/golang-jwt/jwt/v4"
+	jwtgo "github.com/golang-jwt/jwt/v5"
 	"github.com/spf13/cobra"
 
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"

go.mod

@@ -39,7 +39,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355
 	github.com/gogo/protobuf v1.3.2
-	github.com/golang-jwt/jwt/v4 v4.5.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang/protobuf v1.5.4
 	github.com/google/btree v1.1.3
 	github.com/google/go-cmp v0.6.0
@@ -137,7 +137,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect

pkg/apiclient/apiclient.go

@@ -16,7 +16,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/golang/protobuf/ptypes/empty"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
@@ -402,7 +402,8 @@ func (c *client) refreshAuthToken(localCfg *localconfig.LocalConfig, ctxName, co
 	if err != nil {
 		return err
 	}
-	if claims.Valid() == nil {
+	validator := jwt.NewValidator(jwt.WithLeeway(5 * time.Second))
+	if validator.Validate(claims) == nil {
 		// token is still valid
 		return nil
 	}

server/account/account_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"

server/application/application_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 	"github.com/argoproj/pkg/sync"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"

server/application/websocket_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/assets"
 	"github.com/argoproj/argo-cd/v2/util/rbac"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/websocket"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

server/cluster/cluster_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/util/assets"

server/logout/logout.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/argoproj/argo-cd/v2/common"

server/logout/logout_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/session"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"

server/project/project.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/pkg/sync"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"

server/project/project_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/db"
 
 	"github.com/argoproj/pkg/sync"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

server/rbacpolicy/rbacpolicy.go

@@ -3,7 +3,7 @@ package rbacpolicy
 import (
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"

server/rbacpolicy/rbacpolicy_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"

server/repository/repository_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"

server/server.go

@@ -33,7 +33,7 @@ import (
 
 	"github.com/argoproj/notifications-engine/pkg/api"
 	"github.com/argoproj/pkg/sync"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/handlers"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"

server/server_test.go

@@ -15,7 +15,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

util/clusterauth/clusterauth.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"
 
-	jwt "github.com/golang-jwt/jwt/v4"
+	jwtgo "github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -368,22 +368,16 @@ func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleN
 }
 
 type ServiceAccountClaims struct {
-	Sub                string `json:"sub"`
-	Iss                string `json:"iss"`
 	Namespace          string `json:"kubernetes.io/serviceaccount/namespace"`
 	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name"`
 	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"`
 	ServiceAccountUID  string `json:"kubernetes.io/serviceaccount/service-account.uid"`
-}
-
-// Valid satisfies the jwt.Claims interface to enable JWT parsing
-func (sac *ServiceAccountClaims) Valid() error {
-	return nil
+	jwtgo.RegisteredClaims
 }
 
 // ParseServiceAccountToken parses a Kubernetes service account token
 func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error) {
-	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	parser := jwtgo.NewParser(jwtgo.WithoutClaimsValidation())
 	var claims ServiceAccountClaims
 	_, _, err := parser.ParseUnverified(token, &claims)
 	if err != nil {

util/clusterauth/clusterauth_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 	"time"
 
+	jwtgo "github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
@@ -27,12 +28,14 @@ const (
 )
 
 var testClaims = ServiceAccountClaims{
-	Sub:                "system:serviceaccount:kube-system:argocd-manager",
-	Iss:                "kubernetes/serviceaccount",
-	Namespace:          "kube-system",
-	SecretName:         "argocd-manager-token-tj79r",
-	ServiceAccountName: "argocd-manager",
-	ServiceAccountUID:  "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d",
+	"kube-system",
+	"argocd-manager-token-tj79r",
+	"argocd-manager",
+	"91dd37cf-8d92-11e9-a091-d65f2ae7fa8d",
+	jwtgo.RegisteredClaims{
+		Subject: "system:serviceaccount:kube-system:argocd-manager",
+		Issuer:  "kubernetes/serviceaccount",
+	},
 }
 
 func newServiceAccount() *corev1.ServiceAccount {

util/grpc/logging.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/gogo/protobuf/jsonpb"
 	"github.com/gogo/protobuf/proto"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	grpc_logging "github.com/grpc-ecosystem/go-grpc-middleware/logging"
 	ctx_logrus "github.com/grpc-ecosystem/go-grpc-middleware/tags/logrus"
 	"github.com/sirupsen/logrus"

util/grpc/logging_test.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

util/jwt/jwt.go

@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	jwtgo "github.com/golang-jwt/jwt/v4"
+	jwtgo "github.com/golang-jwt/jwt/v5"
 )
 
 // MapClaims converts a jwt.Claims to a MapClaims

util/jwt/jwt_test.go

@@ -4,58 +4,58 @@ import (
 	"testing"
 	"time"
 
-	jwt "github.com/golang-jwt/jwt/v4"
+	jwtgo "github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestGetSingleStringScope(t *testing.T) {
-	claims := jwt.MapClaims{"groups": "my-org:my-team"}
+	claims := jwtgo.MapClaims{"groups": "my-org:my-team"}
 	groups := GetScopeValues(claims, []string{"groups"})
 	assert.Contains(t, groups, "my-org:my-team")
 }
 
 func TestGetMultipleListScopes(t *testing.T) {
-	claims := jwt.MapClaims{"groups1": []string{"my-org:my-team1"}, "groups2": []string{"my-org:my-team2"}}
+	claims := jwtgo.MapClaims{"groups1": []string{"my-org:my-team1"}, "groups2": []string{"my-org:my-team2"}}
 	groups := GetScopeValues(claims, []string{"groups1", "groups2"})
 	assert.Contains(t, groups, "my-org:my-team1")
 	assert.Contains(t, groups, "my-org:my-team2")
 }
 
 func TestClaims(t *testing.T) {
 	assert.Nil(t, Claims(nil))
-	assert.NotNil(t, Claims(jwt.MapClaims{}))
+	assert.NotNil(t, Claims(jwtgo.MapClaims{}))
 }
 
 func TestIsMember(t *testing.T) {
-	assert.False(t, IsMember(jwt.MapClaims{}, nil, []string{"groups"}))
-	assert.False(t, IsMember(jwt.MapClaims{"groups": []string{""}}, []string{"my-group"}, []string{"groups"}))
-	assert.False(t, IsMember(jwt.MapClaims{"groups": []string{"my-group"}}, []string{""}, []string{"groups"}))
-	assert.True(t, IsMember(jwt.MapClaims{"groups": []string{"my-group"}}, []string{"my-group"}, []string{"groups"}))
+	assert.False(t, IsMember(jwtgo.MapClaims{}, nil, []string{"groups"}))
+	assert.False(t, IsMember(jwtgo.MapClaims{"groups": []string{""}}, []string{"my-group"}, []string{"groups"}))
+	assert.False(t, IsMember(jwtgo.MapClaims{"groups": []string{"my-group"}}, []string{""}, []string{"groups"}))
+	assert.True(t, IsMember(jwtgo.MapClaims{"groups": []string{"my-group"}}, []string{"my-group"}, []string{"groups"}))
 }
 
 func TestGetGroups(t *testing.T) {
-	assert.Empty(t, GetGroups(jwt.MapClaims{}, []string{"groups"}))
-	assert.Equal(t, []string{"foo"}, GetGroups(jwt.MapClaims{"groups": []string{"foo"}}, []string{"groups"}))
+	assert.Empty(t, GetGroups(jwtgo.MapClaims{}, []string{"groups"}))
+	assert.Equal(t, []string{"foo"}, GetGroups(jwtgo.MapClaims{"groups": []string{"foo"}}, []string{"groups"}))
 }
 
 func TestIssuedAtTime_Int64(t *testing.T) {
 	// Tuesday, 1 December 2020 14:00:00
-	claims := jwt.MapClaims{"iat": int64(1606831200)}
+	claims := jwtgo.MapClaims{"iat": int64(1606831200)}
 	issuedAt, err := IssuedAtTime(claims)
 	require.NoError(t, err)
 	str := issuedAt.UTC().Format("Mon Jan _2 15:04:05 2006")
 	assert.Equal(t, "Tue Dec  1 14:00:00 2020", str)
 }
 
 func TestIssuedAtTime_Error_NoInt(t *testing.T) {
-	claims := jwt.MapClaims{"iat": 1606831200}
+	claims := jwtgo.MapClaims{"iat": 1606831200}
 	_, err := IssuedAtTime(claims)
 	assert.Error(t, err)
 }
 
 func TestIssuedAtTime_Error_Missing(t *testing.T) {
-	claims := jwt.MapClaims{}
+	claims := jwtgo.MapClaims{}
 	iat, err := IssuedAtTime(claims)
 	require.Error(t, err)
 	assert.Equal(t, time.Unix(0, 0), iat)

util/localconfig/localconfig.go

@@ -6,7 +6,7 @@ import (
 	"path"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/argoproj/argo-cd/v2/util/config"
 	configUtil "github.com/argoproj/argo-cd/v2/util/config"

util/oidc/oidc.go

@@ -17,7 +17,7 @@ import (
 	"time"
 
 	gooidc "github.com/coreos/go-oidc/v3/oidc"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"