From 87780a01cfa8e91dead89e550aa77932e2350ddb Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Fri, 20 Dec 2024 12:57:04 +0100 Subject: [PATCH] chore: use github.com/golang-jwt/jwt/v5 Signed-off-by: Matthieu MOREL --- .golangci.yaml | 5 +++++ cmd/argocd/commands/login.go | 2 +- cmd/argocd/commands/login_test.go | 2 +- cmd/argocd/commands/project_role.go | 2 +- go.mod | 4 ++-- pkg/apiclient/apiclient.go | 5 +++-- server/account/account_test.go | 2 +- server/application/application_test.go | 2 +- server/application/websocket_test.go | 2 +- server/cluster/cluster_test.go | 2 +- server/logout/logout.go | 2 +- server/logout/logout_test.go | 2 +- server/project/project.go | 2 +- server/project/project_test.go | 2 +- server/rbacpolicy/rbacpolicy.go | 2 +- server/rbacpolicy/rbacpolicy_test.go | 2 +- server/repository/repository_test.go | 2 +- server/server.go | 2 +- server/server_test.go | 2 +- util/clusterauth/clusterauth.go | 10 ++-------- util/clusterauth/clusterauth_test.go | 15 +++++++++------ util/grpc/logging.go | 2 +- util/grpc/logging_test.go | 2 +- util/jwt/jwt.go | 2 +- util/jwt/jwt_test.go | 2 +- util/localconfig/localconfig.go | 2 +- util/oidc/oidc.go | 2 +- util/oidc/oidc_test.go | 2 +- util/rbac/rbac.go | 2 +- util/rbac/rbac_test.go | 2 +- util/security/jwt_test.go | 2 +- util/session/sessionmanager.go | 2 +- util/session/sessionmanager_test.go | 20 ++++++-------------- util/test/testutil.go | 2 +- 34 files changed, 55 insertions(+), 60 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index b2c2c0ac51043..ddd4555e2f5c8 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -45,11 +45,16 @@ linters-settings: gomodguard: blocked: modules: + - github.com/golang-jwt/jwt/v4: + recommendations: + - github.com/golang-jwt/jwt/v5 - github.com/pkg/errors: recommendations: - errors importas: alias: + - alias: jwtgo + pkg: github.com/golang-jwt/jwt/v5 - alias: metav1 pkg: k8s.io/apimachinery/pkg/apis/meta/v1 - alias: stderrors 
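Review bot: The new `importas` entry fixes the alias for `github.com/golang-jwt/jwt/v5` to `jwtgo`, but most files in this patch import the package without an alias, and `util/clusterauth/clusterauth.go` drops its `jwt` alias instead of switching to `jwtgo`. As written the rule therefore constrains only the files that alias the import at all. If one spelling is intended, set importas's `no-unaliased: true` and alias every import; otherwise add a short comment next to the entry saying when `jwtgo` is expected. Separately, gomodguard blocks direct use only, and `go.mod` in this patch still carries `jwt/v4` as an indirect requirement, so both major versions remain in the build.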
diff --git a/cmd/argocd/commands/login.go b/cmd/argocd/commands/login.go index 72b89dae1771c..2843972e7e476 100644 --- a/cmd/argocd/commands/login.go +++ b/cmd/argocd/commands/login.go @@ -13,7 +13,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/skratchdot/open-golang/open" "github.com/spf13/cobra" diff --git a/cmd/argocd/commands/login_test.go b/cmd/argocd/commands/login_test.go index 420b484674901..91cf3e11388b3 100644 --- a/cmd/argocd/commands/login_test.go +++ b/cmd/argocd/commands/login_test.go @@ -7,7 +7,7 @@ import ( utils "github.com/argoproj/argo-cd/v2/util/io" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" ) diff --git a/cmd/argocd/commands/project_role.go b/cmd/argocd/commands/project_role.go index a0da6793fa7e6..759608575908b 100644 --- a/cmd/argocd/commands/project_role.go +++ b/cmd/argocd/commands/project_role.go @@ -8,7 +8,7 @@ import ( "time" timeutil "github.com/argoproj/pkg/time" - jwtgo "github.com/golang-jwt/jwt/v4" + jwtgo "github.com/golang-jwt/jwt/v5" "github.com/spf13/cobra" "github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless" diff --git a/go.mod b/go.mod index 2a8a1b1d6bee8..b2125cb037cb8 100644 --- a/go.mod +++ b/go.mod @@ -39,7 +39,7 @@ require ( github.com/gobwas/glob v0.2.3 github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355 github.com/gogo/protobuf v1.3.2 - github.com/golang-jwt/jwt/v4 v4.5.1 + github.com/golang-jwt/jwt/v5 v5.2.1 github.com/golang/protobuf v1.5.4 github.com/google/btree v1.1.3 github.com/google/go-cmp v0.6.0 
@@ -137,7 +137,7 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect - github.com/golang-jwt/jwt/v5 v5.2.1 // indirect + github.com/golang-jwt/jwt/v4 v4.5.1 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect diff --git a/pkg/apiclient/apiclient.go b/pkg/apiclient/apiclient.go index 4aba674e2b329..efea9c550fdec 100644 --- a/pkg/apiclient/apiclient.go +++ b/pkg/apiclient/apiclient.go @@ -16,7 +16,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/golang/protobuf/ptypes/empty" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry" @@ -402,7 +402,8 @@ func (c *client) refreshAuthToken(localCfg *localconfig.LocalConfig, ctxName, co if err != nil { return err } - if claims.Valid() == nil { + validator := jwt.NewValidator() + if validator.Validate(claims) == nil { // token is still valid return nil } diff --git a/server/account/account_test.go b/server/account/account_test.go index 81e0abc0785f4..eb20c3195d21b 100644 --- a/server/account/account_test.go +++ b/server/account/account_test.go @@ -5,7 +5,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" diff --git a/server/application/application_test.go b/server/application/application_test.go index 8161f39a1a7f9..4ec2fa8cfacff 100644 --- a/server/application/application_test.go +++ b/server/application/application_test.go 
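Review bot: `jwt.NewValidator()` with no options, as used in `refreshAuthToken`, is not a drop-in equivalent of the v4 `claims.Valid()` on the built-in claim types. The v5 validator checks `iat` only when `jwt.WithIssuedAt()` is passed. A token with no `exp` claim still validates cleanly unless `jwt.WithExpirationRequired()` is set, so such a token is never refreshed here. This appears to be a client-side freshness check rather than an authentication decision, although the parsing of `claims` is outside the hunk. The line should carry a comment saying so, e.g. `// freshness check only: decides whether to refresh; the server remains the authority on token validity`. If a missing expiry should trigger a refresh, build the validator as `jwt.NewValidator(jwt.WithExpirationRequired())`.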
@@ -17,7 +17,7 @@ import ( "github.com/argoproj/gitops-engine/pkg/utils/kube" "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" diff --git a/server/application/websocket_test.go b/server/application/websocket_test.go index 2575db2cedf28..ac2166d2ef481 100644 --- a/server/application/websocket_test.go +++ b/server/application/websocket_test.go @@ -16,7 +16,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/assets" "github.com/argoproj/argo-cd/v2/util/rbac" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/gorilla/websocket" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/server/cluster/cluster_test.go b/server/cluster/cluster_test.go index 8ac0a0a05e5bc..7496b83eec6a4 100644 --- a/server/cluster/cluster_test.go +++ b/server/cluster/cluster_test.go @@ -8,7 +8,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/argoproj/argo-cd/v2/server/rbacpolicy" "github.com/argoproj/argo-cd/v2/util/assets" diff --git a/server/logout/logout.go b/server/logout/logout.go index e94424bc7035a..cbbdfd5c3c293 100644 --- a/server/logout/logout.go +++ b/server/logout/logout.go @@ -7,7 +7,7 @@ import ( "strings" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v2/common" diff --git a/server/logout/logout_test.go b/server/logout/logout_test.go index 83bf8ee5d92f3..9571de128e693 100644 --- a/server/logout/logout_test.go +++ b/server/logout/logout_test.go 
@@ -15,7 +15,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/session" "github.com/argoproj/argo-cd/v2/util/settings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/server/project/project.go b/server/project/project.go index cac913715b623..c361d9d990882 100644 --- a/server/project/project.go +++ b/server/project/project.go @@ -8,7 +8,7 @@ import ( "github.com/argoproj/gitops-engine/pkg/utils/kube" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/server/project/project_test.go b/server/project/project_test.go index a5fe5d292b3c1..2c3ad6755ab94 100644 --- a/server/project/project_test.go +++ b/server/project/project_test.go @@ -10,7 +10,7 @@ import ( "github.com/argoproj/argo-cd/v2/util/db" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/server/rbacpolicy/rbacpolicy.go b/server/rbacpolicy/rbacpolicy.go index ea2b0ee0c166d..08bff84c30b7c 100644 --- a/server/rbacpolicy/rbacpolicy.go +++ b/server/rbacpolicy/rbacpolicy.go @@ -3,7 +3,7 @@ package rbacpolicy import ( "strings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" diff --git a/server/rbacpolicy/rbacpolicy_test.go b/server/rbacpolicy/rbacpolicy_test.go index ae8a9442e80df..b0674ecce577c 100644 --- a/server/rbacpolicy/rbacpolicy_test.go +++ b/server/rbacpolicy/rbacpolicy_test.go 
@@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" diff --git a/server/repository/repository_test.go b/server/repository/repository_test.go index 01e158570c8b7..f1d3fe5ffd08b 100644 --- a/server/repository/repository_test.go +++ b/server/repository/repository_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" diff --git a/server/server.go b/server/server.go index 29c7da2ab1552..55f35fe818240 100644 --- a/server/server.go +++ b/server/server.go @@ -33,7 +33,7 @@ import ( "github.com/argoproj/notifications-engine/pkg/api" "github.com/argoproj/pkg/sync" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/gorilla/handlers" grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware" grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth" diff --git a/server/server_test.go b/server/server_test.go index 02bab631ef664..c466e0fe9c629 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -15,7 +15,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/clusterauth/clusterauth.go b/util/clusterauth/clusterauth.go index d57e27792ecb6..0ec1de7a60609 100644 --- a/util/clusterauth/clusterauth.go +++ b/util/clusterauth/clusterauth.go @@ -7,7 +7,7 @@ import ( "strings" "time" - jwt "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" 
@@ -368,17 +368,11 @@ func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleN } type ServiceAccountClaims struct { - Sub string `json:"sub"` - Iss string `json:"iss"` Namespace string `json:"kubernetes.io/serviceaccount/namespace"` SecretName string `json:"kubernetes.io/serviceaccount/secret.name"` ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"` ServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid"` -} - -// Valid satisfies the jwt.Claims interface to enable JWT parsing -func (sac *ServiceAccountClaims) Valid() error { - return nil + jwt.RegisteredClaims } // ParseServiceAccountToken parses a Kubernetes service account token diff --git a/util/clusterauth/clusterauth_test.go b/util/clusterauth/clusterauth_test.go index 73a99d58d78aa..8f21f39bd22b4 100644 --- a/util/clusterauth/clusterauth_test.go +++ b/util/clusterauth/clusterauth_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" @@ -27,12 +28,14 @@ const ( ) var testClaims = ServiceAccountClaims{ - Sub: "system:serviceaccount:kube-system:argocd-manager", - Iss: "kubernetes/serviceaccount", - Namespace: "kube-system", - SecretName: "argocd-manager-token-tj79r", - ServiceAccountName: "argocd-manager", - ServiceAccountUID: "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d", + "kube-system", + "argocd-manager-token-tj79r", + "argocd-manager", + "91dd37cf-8d92-11e9-a091-d65f2ae7fa8d", + jwt.RegisteredClaims{ + Subject: "system:serviceaccount:kube-system:argocd-manager", + Issuer: "kubernetes/serviceaccount", + }, } func newServiceAccount() *corev1.ServiceAccount { diff --git a/util/grpc/logging.go b/util/grpc/logging.go index 271111977473b..6b244e4b95695 100644 --- a/util/grpc/logging.go +++ b/util/grpc/logging.go 
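Review bot: Removing the always-nil `Valid()` from `ServiceAccountClaims` also removes the only statement that these claims are never time-validated. With `jwt.RegisteredClaims` embedded, whether `exp`/`nbf` are enforced depends on how `ParseServiceAccountToken` builds its parser, and that function lies outside this hunk. The exported struct has no doc comment; one such as `// ServiceAccountClaims are the claims of a Kubernetes service account token; sub, iss, exp and the other registered claims decode into the embedded jwt.RegisteredClaims.` would record the new shape. Dropping the exported `Sub` and `Iss` fields is a source-breaking change for importers of this package, which must switch to `Subject` and `Issuer`. By convention the embedded type goes first in the struct, separated from the named fields by a blank line.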
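Review bot: `testClaims` changes from a keyed to a positional literal, so its four strings are now bound to the declaration order of `ServiceAccountClaims`, and reordering those same-typed fields would silently swap values in the fixture. Keep the existing keys (`Namespace:`, `SecretName:`, `ServiceAccountName:`, `ServiceAccountUID:`) and name the embedded field as well: `RegisteredClaims: jwt.RegisteredClaims{Subject: "system:serviceaccount:kube-system:argocd-manager", Issuer: "kubernetes/serviceaccount"},`.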
@@ -8,7 +8,7 @@ import ( "github.com/gogo/protobuf/jsonpb" "github.com/gogo/protobuf/proto" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" grpc_logging "github.com/grpc-ecosystem/go-grpc-middleware/logging" ctx_logrus "github.com/grpc-ecosystem/go-grpc-middleware/tags/logrus" "github.com/sirupsen/logrus" diff --git a/util/grpc/logging_test.go b/util/grpc/logging_test.go index 98be425928b69..4dfbaf1c2816e 100644 --- a/util/grpc/logging_test.go +++ b/util/grpc/logging_test.go @@ -6,7 +6,7 @@ import ( "fmt" "testing" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/jwt/jwt.go b/util/jwt/jwt.go index 585025990bf8d..e2ca9e92141e9 100644 --- a/util/jwt/jwt.go +++ b/util/jwt/jwt.go @@ -6,7 +6,7 @@ import ( "strings" "time" - jwtgo "github.com/golang-jwt/jwt/v4" + jwtgo "github.com/golang-jwt/jwt/v5" ) // MapClaims converts a jwt.Claims to a MapClaims diff --git a/util/jwt/jwt_test.go b/util/jwt/jwt_test.go index 1b0ac87fe9752..5ef645abb81f9 100644 --- a/util/jwt/jwt_test.go +++ b/util/jwt/jwt_test.go @@ -4,7 +4,7 @@ import ( "testing" "time" - jwt "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/util/localconfig/localconfig.go b/util/localconfig/localconfig.go index 1a0685f753c49..dc18ebedca796 100644 --- a/util/localconfig/localconfig.go +++ b/util/localconfig/localconfig.go @@ -7,7 +7,7 @@ import ( "path" "strings" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/argoproj/argo-cd/v2/util/config" configUtil "github.com/argoproj/argo-cd/v2/util/config" diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go index 94f13b7d3e919..45c47ad8689d6 100644 --- a/util/oidc/oidc.go +++ b/util/oidc/oidc.go 
@@ -17,7 +17,7 @@ import ( "time" gooidc "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "golang.org/x/oauth2" diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go index 40c606dcd9671..82f06367be9c1 100644 --- a/util/oidc/oidc_test.go +++ b/util/oidc/oidc_test.go @@ -14,7 +14,7 @@ import ( "time" gooidc "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "golang.org/x/oauth2" diff --git a/util/rbac/rbac.go b/util/rbac/rbac.go index 1446620d58bd0..1d0d6e8a87c4b 100644 --- a/util/rbac/rbac.go +++ b/util/rbac/rbac.go @@ -18,7 +18,7 @@ import ( "github.com/casbin/casbin/v2/model" "github.com/casbin/casbin/v2/util" "github.com/casbin/govaluate" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" gocache "github.com/patrickmn/go-cache" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/util/rbac/rbac_test.go b/util/rbac/rbac_test.go index 686d283a3ee50..f24b0be317f43 100644 --- a/util/rbac/rbac_test.go +++ b/util/rbac/rbac_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/security/jwt_test.go b/util/security/jwt_test.go index f8131259c1138..87b6cfb7dd636 100644 --- a/util/security/jwt_test.go +++ b/util/security/jwt_test.go @@ -4,7 +4,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/util/session/sessionmanager.go b/util/session/sessionmanager.go index c04523d243e36..c27c92e0a3045 100644 --- a/util/session/sessionmanager.go +++ b/util/session/sessionmanager.go 
@@ -14,7 +14,7 @@ import ( "time" "github.com/coreos/go-oidc/v3/oidc" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go index efee1951e7899..82d3472f3f3e0 100644 --- a/util/session/sessionmanager_test.go +++ b/util/session/sessionmanager_test.go @@ -14,7 +14,7 @@ import ( "testing" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" @@ -220,16 +220,8 @@ func TestSessionManager_ProjectToken(t *testing.T) { }) } -type claimsMock struct { - err error -} - -func (cm *claimsMock) Valid() error { - return cm.err -} - type tokenVerifierMock struct { - claims *claimsMock + claims *jwt.RegisteredClaims err error } @@ -258,7 +250,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name string authDisabled bool cookieHeader bool - verifiedClaims *claimsMock + verifiedClaims *jwt.RegisteredClaims verifyTokenErr error expectedStatusCode int expectedResponseBody *string @@ -269,7 +261,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will authenticate successfully", authDisabled: false, cookieHeader: true, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: nil, expectedStatusCode: http.StatusOK, expectedResponseBody: strPointer("Ok"), @@ -287,7 +279,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will return 400 if no cookie header", authDisabled: false, cookieHeader: false, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: nil, expectedStatusCode: http.StatusBadRequest, expectedResponseBody: nil, 
@@ -296,7 +288,7 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) { name: "will return 401 verify token fails", authDisabled: false, cookieHeader: true, - verifiedClaims: &claimsMock{}, + verifiedClaims: &jwt.RegisteredClaims{}, verifyTokenErr: stderrors.New("token error"), expectedStatusCode: http.StatusUnauthorized, expectedResponseBody: nil, diff --git a/util/test/testutil.go b/util/test/testutil.go index a8e506300864d..61fa0e74616fe 100644 --- a/util/test/testutil.go +++ b/util/test/testutil.go @@ -9,7 +9,7 @@ import ( "testing" "github.com/go-jose/go-jose/v3" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/require" )