From 700bc49316d1d42b691c2a4dbd0a5810a108f7ae Mon Sep 17 00:00:00 2001 From: Mantas Sidlauskas Date: Tue, 9 Jan 2024 14:34:35 +0200 Subject: [PATCH 1/4] Replace JWT validation library --- common/authorization/factory_test.go | 15 ++-- common/authorization/oauthAuthorizer.go | 82 +++++++++++++------- common/authorization/oauthAuthorizer_test.go | 73 +++++++++++++++-- common/config/authorization.go | 8 +- common/config/config.go | 2 +- common/rsa.go | 4 +- go.sum | 2 + tools/cli/utils.go | 38 ++++----- 8 files changed, 149 insertions(+), 75 deletions(-) diff --git a/common/authorization/factory_test.go b/common/authorization/factory_test.go index db62c861195..d7c589d64eb 100644 --- a/common/authorization/factory_test.go +++ b/common/authorization/factory_test.go @@ -23,7 +23,7 @@ package authorization import ( "testing" - "github.com/cristalhq/jwt/v3" + "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/suite" "github.com/uber/cadence/common" @@ -63,7 +63,7 @@ func cfgOAuth() config.Authorization { OAuthAuthorizer: config.OAuthAuthorizer{ Enable: true, JwtCredentials: config.JwtCredentials{ - Algorithm: jwt.RS256.String(), + Algorithm: jwt.SigningMethodRS256.Name, PublicKey: "../../config/credentials/keytest.pub", }, MaxJwtTTL: 12345, 
@@ -76,17 +76,18 @@ func (s *factorySuite) TestFactoryNoopAuthorizer() { publicKey, _ := common.LoadRSAPublicKey(cfgOAuthVar.OAuthAuthorizer.JwtCredentials.PublicKey) - verifier, _ := jwt.NewVerifierRS( - jwt.Algorithm(cfgOAuthVar.OAuthAuthorizer.JwtCredentials.Algorithm), - publicKey, - ) var tests = []struct { cfg config.Authorization expected Authorizer err error }{ {cfgNoop(), &nopAuthority{}, nil}, - {cfgOAuthVar, &oauthAuthority{authorizationCfg: cfgOAuthVar.OAuthAuthorizer, log: s.logger, verifier: verifier}, nil}, + {cfgOAuthVar, &oauthAuthority{ + authorizationCfg: cfgOAuthVar.OAuthAuthorizer, + log: s.logger, + publicKey: publicKey, + parser: jwt.NewParser(jwt.WithValidMethods([]string{cfgOAuthVar.OAuthAuthorizer.JwtCredentials.Algorithm}), jwt.WithIssuedAt()), + }, nil}, } for _, test := range tests { diff --git a/common/authorization/oauthAuthorizer.go b/common/authorization/oauthAuthorizer.go index e2726607591..b36fcb29672 100644 --- a/common/authorization/oauthAuthorizer.go +++ b/common/authorization/oauthAuthorizer.go @@ -22,13 +22,12 @@ package authorization import ( "context" - "encoding/json" "errors" "fmt" "strings" "time" - "github.com/cristalhq/jwt/v3" + "github.com/golang-jwt/jwt/v5" "go.uber.org/yarpc" "github.com/uber/cadence/common" @@ -38,20 +37,24 @@ import ( "github.com/uber/cadence/common/log/tag" ) +var _ jwt.Claims = (*JWTClaims)(nil) + type oauthAuthority struct { authorizationCfg config.OAuthAuthorizer domainCache cache.DomainCache log log.Logger - verifier jwt.Verifier + parser *jwt.Parser + publicKey interface{} } +// JWTClaims is a Cadence specific claim with embeded Claims defined https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 type JWTClaims struct { - Sub string + jwt.RegisteredClaims + Name string Groups string // separated by space Admin bool - Iat int64 - TTL int64 + TTL int64 // TODO should be removed. ExpiresAt should be used } func (j JWTClaims) GetGroups() []string { 
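Review bot: In the `oauthAuthority` struct, `publicKey interface{}` leaves the verification key untyped, so a loader that returned anything other than an RSA public key would surface only as a verification failure on every request rather than at construction. Since `NewOAuthAuthorizer` accepts RS256 only, the field could be declared `publicKey *rsa.PublicKey`, assuming `common.LoadRSAPublicKey` returns that type (its signature is not shown in this patch). `keyFunc` can still return it as `interface{}`. The `JWTClaims` comment could also state that `TTL` is a legacy claim counted in seconds from `iat`, which is how `validateTTL` uses it later in this patch.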
@@ -66,25 +69,25 @@ func NewOAuthAuthorizer( log log.Logger, domainCache cache.DomainCache, ) (Authorizer, error) { - publicKey, err := common.LoadRSAPublicKey(authorizationCfg.JwtCredentials.PublicKey) + + key, err := common.LoadRSAPublicKey(authorizationCfg.JwtCredentials.PublicKey) if err != nil { return nil, fmt.Errorf("loading RSA public key: %w", err) } - verifier, err := jwt.NewVerifierRS( - jwt.Algorithm(authorizationCfg.JwtCredentials.Algorithm), - publicKey, - ) - - if err != nil { - return nil, fmt.Errorf("creating JWT verifier: %w", err) + if authorizationCfg.JwtCredentials.Algorithm != jwt.SigningMethodRS256.Name { + return nil, fmt.Errorf("algorithm %q is not supported", authorizationCfg.JwtCredentials.Algorithm) } return &oauthAuthority{ authorizationCfg: authorizationCfg, domainCache: domainCache, log: log, - verifier: verifier, + parser: jwt.NewParser( + jwt.WithValidMethods([]string{authorizationCfg.JwtCredentials.Algorithm}), + jwt.WithIssuedAt(), + ), + publicKey: key, }, nil } @@ -101,13 +104,16 @@ func (a *oauthAuthority) Authorize( return Result{Decision: DecisionDeny}, nil } - claims, err := a.parseToken(token, a.verifier) + var claims JWTClaims + + _, err := a.parser.ParseWithClaims(token, &claims, a.keyFunc) + if err != nil { a.log.Debug("request is not authorized", tag.Error(err)) return Result{Decision: DecisionDeny}, nil } - if err := a.validateTTL(claims); err != nil { + if err := a.validateTTL(&claims); err != nil { a.log.Debug("request is not authorized", tag.Error(err)) return Result{Decision: DecisionDeny}, nil } 
@@ -115,12 +121,13 @@ func (a *oauthAuthority) Authorize( if claims.Admin { return Result{Decision: DecisionAllow}, nil } + domain, err := a.domainCache.GetDomain(attributes.DomainName) if err != nil { return Result{Decision: DecisionDeny}, err } - if err := validatePermission(claims, attributes, domain.GetInfo().Data); err != nil { + if err := validatePermission(&claims, attributes, domain.GetInfo().Data); err != nil { a.log.Debug("request is not authorized", tag.Error(err)) return Result{Decision: DecisionDeny}, nil } 
@@ -128,22 +135,37 @@ func (a *oauthAuthority) Authorize( return Result{Decision: DecisionAllow}, nil } -func (a *oauthAuthority) parseToken(tokenStr string, verifier jwt.Verifier) (*JWTClaims, error) { - token, err := jwt.ParseAndVerifyString(tokenStr, verifier) - if err != nil { - return nil, fmt.Errorf("parse token: %w", err) - } - var claims JWTClaims - _ = json.Unmarshal(token.RawClaims(), &claims) - return &claims, nil +// keyFunc returns correct key to check signature +func (a *oauthAuthority) keyFunc(token *jwt.Token) (interface{}, error) { + // only local public key is supported currently + return a.publicKey, nil } func (a *oauthAuthority) validateTTL(claims *JWTClaims) error { - if claims.TTL > a.authorizationCfg.MaxJwtTTL { - return fmt.Errorf("token TTL: %d is larger than MaxTTL allowed: %d", claims.TTL, a.authorizationCfg.MaxJwtTTL) + + if claims.IssuedAt == nil { + return errors.New("IssuedAt is not set") + } + + // Fill ExpiresAt when TTL is passed + if claims.TTL > 0 { + claims.ExpiresAt = jwt.NewNumericDate(claims.IssuedAt.Time.Add(time.Second * time.Duration(claims.TTL))) } - if claims.Iat+claims.TTL < time.Now().Unix() { - return errors.New("JWT has expired") + + exp, err := claims.GetExpirationTime() + + if err != nil || exp == nil { + return errors.New("ExpiresAt is not set") } + + timeLeft := exp.Unix() - time.Now().Unix() + if timeLeft < 0 { + return errors.New("token is expired") + } + + if timeLeft > a.authorizationCfg.MaxJwtTTL { + return fmt.Errorf("token TTL: %d is larger than MaxTTL allowed: %d", timeLeft, a.authorizationCfg.MaxJwtTTL) + } + return nil } diff --git a/common/authorization/oauthAuthorizer_test.go b/common/authorization/oauthAuthorizer_test.go index 9cc0b50c87f..45513d73e70 100644 --- a/common/authorization/oauthAuthorizer_test.go +++ b/common/authorization/oauthAuthorizer_test.go 
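Review bot: `validateTTL` no longer bounds the declared `TTL` before doing arithmetic on it: `time.Second * time.Duration(claims.TTL)` wraps for values above roughly 9.2e9 seconds, and the later `timeLeft > a.authorizationCfg.MaxJwtTTL` comparison then sees whatever expiry the wrapped duration produced. The removed code rejected `claims.TTL > a.authorizationCfg.MaxJwtTTL` up front, and keeping that guard ahead of the multiplication restores the bound: `if claims.TTL > a.authorizationCfg.MaxJwtTTL { return fmt.Errorf("token TTL: %d is larger than MaxTTL allowed: %d", claims.TTL, a.authorizationCfg.MaxJwtTTL) }`. The new limit also applies to the time remaining rather than to the token's total lifetime, so the `token TTL: ...` message and the `MaxJwtTTL` config comment ("Max of TTL in the claim") no longer describe exactly what is enforced. A short comment on `timeLeft` would make that explicit.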
@@ -22,10 +22,13 @@ package authorization import ( "fmt" + "strings" "testing" + "time" - "github.com/cristalhq/jwt/v3" + "github.com/golang-jwt/jwt/v5" "github.com/golang/mock/gomock" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/suite" "go.uber.org/yarpc/api/encoding" @@ -64,7 +67,7 @@ func (s *oauthSuite) SetupTest() { s.cfg = config.OAuthAuthorizer{ Enable: true, JwtCredentials: config.JwtCredentials{ - Algorithm: jwt.RS256.String(), + Algorithm: jwt.SigningMethodRS256.Name, PublicKey: "../../config/credentials/keytest.pub", }, MaxJwtTTL: 300000001, @@ -167,15 +170,15 @@ func (s *oauthSuite) TestGetDomainError() { func (s *oauthSuite) TestIncorrectPublicKey() { s.cfg.JwtCredentials.PublicKey = "incorrectPublicKey" authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache) - s.Equal(authorizer, nil) + s.Equal(nil, authorizer) s.EqualError(err, "loading RSA public key: invalid public key path incorrectPublicKey") } func (s *oauthSuite) TestIncorrectAlgorithm() { s.cfg.JwtCredentials.Algorithm = "SHA256" authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache) - s.Equal(authorizer, nil) - s.ErrorContains(err, "jwt: algorithm is not supported") + s.Equal(nil, authorizer) + s.ErrorContains(err, "algorithm \"SHA256\" is not supported") } func (s *oauthSuite) TestMaxTTLLargerInToken() { @@ -183,7 +186,7 @@ func (s *oauthSuite) TestMaxTTLLargerInToken() { authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache) s.NoError(err) s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool { - return fmt.Sprintf("%v", t[0].Field().Interface) == "token TTL: 300000000 is larger than MaxTTL allowed: 1" + return strings.HasPrefix(fmt.Sprintf("%v", t[0].Field().Interface), "token TTL:") })) result, _ := authorizer.Authorize(s.ctx, &s.att) s.Equal(result.Decision, DecisionDeny) 
@@ -199,7 +202,7 @@ func (s *oauthSuite) TestIncorrectToken() { authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache) s.NoError(err) s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool { - return fmt.Sprintf("%v", t[0].Field().Interface) == "parse token: jwt: token format is not valid" + return fmt.Sprintf("%v", t[0].Field().Interface) == "token is malformed: token contains an invalid number of segments" })) result, _ := authorizer.Authorize(ctx, &s.att) s.Equal(result.Decision, DecisionDeny) @@ -217,7 +220,7 @@ func (s *oauthSuite) TestIatExpiredToken() { authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache) s.NoError(err) s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool { - return fmt.Sprintf("%v", t[0].Field().Interface) == "JWT has expired" + return fmt.Sprintf("%v", t[0].Field().Interface) == "token is expired" })) result, _ := authorizer.Authorize(ctx, &s.att) s.Equal(result.Decision, DecisionDeny) 
@@ -248,3 +251,57 @@ func (s *oauthSuite) TestIncorrectPermission() { s.NoError(err) s.Equal(result.Decision, DecisionDeny) } + +func Test_oauthAuthority_validateTTL(t *testing.T) { + + tests := []struct { + name string + claims *JWTClaims + ttlConfig int64 + wantErr assert.ErrorAssertionFunc + }{ + { + name: "Empty claims will fail TTL validation", + claims: &JWTClaims{}, + wantErr: assert.Error, + }, + { + name: "Claims with no IAT claim will fail TTL validation", + claims: &JWTClaims{ + TTL: 30000, + }, + wantErr: assert.Error, + }, + { + name: "Claims with IAT and Claim TTL will pass", + claims: &JWTClaims{ + TTL: 300, + RegisteredClaims: jwt.RegisteredClaims{ + IssuedAt: jwt.NewNumericDate(time.Now()), + }, + }, + wantErr: assert.NoError, + ttlConfig: 500, + }, + + { + name: "Claims with IAT but without TTL or ExpiresAT will fail TTL validation", + claims: &JWTClaims{ + RegisteredClaims: jwt.RegisteredClaims{ + IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Minute)), + }, + }, + ttlConfig: 1, + wantErr: assert.Error, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + validator := &oauthAuthority{ + authorizationCfg: config.OAuthAuthorizer{MaxJwtTTL: tt.ttlConfig}, + } + tt.wantErr(t, validator.validateTTL(tt.claims), fmt.Sprintf("validateTTL(%v)", tt.claims)) + }) + } +} diff --git a/common/config/authorization.go b/common/config/authorization.go index cb2c888656f..113e331a7ab 100644 --- a/common/config/authorization.go +++ b/common/config/authorization.go @@ -23,7 +23,7 @@ package config import ( "fmt" - "github.com/cristalhq/jwt/v3" + "github.com/golang-jwt/jwt/v5" ) // Validate validates the persistence config @@ -33,8 +33,8 @@ func (a *Authorization) Validate() error { } if a.OAuthAuthorizer.Enable { - if oauthError := a.validateOAuth(); oauthError != nil { - return oauthError + if err := a.validateOAuth(); err != nil { + return err } } 
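Review bot: The `Test_oauthAuthority_validateTTL` table has no row where the expiry comes from `ExpiresAt` alone, and none in this table for the two rejection branches `token is expired` and `token TTL: ... is larger than MaxTTL allowed`. Those branches decide whether a signed token is still acceptable, so each deserves a direct row: an `ExpiresAt` in the past, an `ExpiresAt` further ahead than `ttlConfig`, and a valid `ExpiresAt` within it. The suite tests reach them only through `Authorize`, and one of those assertions was loosened to a `HasPrefix` match in this patch.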
@@ -50,7 +50,7 @@ func (a *Authorization) validateOAuth() error { if oauthConfig.JwtCredentials.PublicKey == "" { return fmt.Errorf("[OAuthConfig] PublicKey can't be empty") } - if oauthConfig.JwtCredentials.Algorithm != jwt.RS256.String() { + if oauthConfig.JwtCredentials.Algorithm != jwt.SigningMethodRS256.Name { return fmt.Errorf("[OAuthConfig] The only supported Algorithm is RS256") } return nil diff --git a/common/config/config.go b/common/config/config.go index 76b5ce2aaba..1033d262ed2 100644 --- a/common/config/config.go +++ b/common/config/config.go @@ -106,7 +106,7 @@ type ( OAuthAuthorizer struct { Enable bool `yaml:"enable"` - // Credentials to verify/create the JWT + // Credentials to verify/create the JWT using public/private keys JwtCredentials JwtCredentials `yaml:"jwtCredentials"` // Max of TTL in the claim MaxJwtTTL int64 `yaml:"maxJwtTTL"` diff --git a/common/rsa.go b/common/rsa.go index b2a3c2d7a22..9a1fd53cb41 100644 --- a/common/rsa.go +++ b/common/rsa.go @@ -25,7 +25,7 @@ import ( "crypto/x509" "encoding/pem" "fmt" - "io/ioutil" + "os" "strings" ) @@ -38,7 +38,7 @@ const ( ) func loadRSAKey(path string, keyType KeyType) (interface{}, error) { - keyString, err := ioutil.ReadFile(path) + keyString, err := os.ReadFile(path) if err != nil { return nil, fmt.Errorf("invalid %s path %s", keyType, path) } diff --git a/go.sum b/go.sum index 80b25767353..2b55b1ff572 100644 --- a/go.sum +++ b/go.sum 
@@ -155,6 +155,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA= github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM= +github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= diff --git a/tools/cli/utils.go b/tools/cli/utils.go index 631103313d9..028b19e42c4 100644 --- a/tools/cli/utils.go +++ b/tools/cli/utils.go @@ -39,8 +39,8 @@ import ( "strings" "time" - "github.com/cristalhq/jwt/v3" "github.com/fatih/color" + "github.com/golang-jwt/jwt/v5" "github.com/urfave/cli" "github.com/valyala/fastjson" @@ -731,19 +731,18 @@ func processJWTFlags(ctx context.Context, cliCtx *cli.Context) context.Context { path := getJWTPrivateKey(cliCtx) t := getJWT(cliCtx) var token string + var err error if t != "" { token = t } else if path != "" { - createdToken, err := createJWT(path) + token, err = createJWT(path) if err != nil { ErrorAndExit("Error creating JWT token", err) } - token = *createdToken } - ctx = context.WithValue(ctx, CtxKeyJWT, token) - return ctx + return context.WithValue(ctx, CtxKeyJWT, token) } func populateContextFromCLIContext(ctx context.Context, cliCtx *cli.Context) context.Context { 
@@ -990,29 +989,22 @@ func getInputFile(inputFile string) *os.File { } // createJWT defines the logic to create a JWT -func createJWT(keyPath string) (*string, error) { - claims := authorization.JWTClaims{ - Admin: true, - Iat: time.Now().Unix(), - TTL: 60 * 10, - } - +func createJWT(keyPath string) (string, error) { privateKey, err := common.LoadRSAPrivateKey(keyPath) if err != nil { - return nil, err + return "", err } - signer, err := jwt.NewSignerRS(jwt.RS256, privateKey) - if err != nil { - return nil, err - } - builder := jwt.NewBuilder(signer) - token, err := builder.Build(claims) - if token == nil { - return nil, err + ttl := int64(60 * 10) + claims := authorization.JWTClaims{ + Admin: true, + RegisteredClaims: jwt.RegisteredClaims{ + IssuedAt: jwt.NewNumericDate(time.Now()), + ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * time.Duration(ttl))), + }, } - tokenString := token.String() - return &tokenString, nil + + return jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(privateKey) } func getWorkflowMemo(input map[string]interface{}) (*types.Memo, error) { From ff66c5d3563b11e012d9a6f9f368a755ec90560e Mon Sep 17 00:00:00 2001 From: Mantas Sidlauskas Date: Tue, 23 Jan 2024 10:31:24 +0200 Subject: [PATCH 2/4] Remove unneeded issuedAt check --- common/authorization/oauthAuthorizer.go | 5 ----- go.mod | 12 +++++------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/common/authorization/oauthAuthorizer.go b/common/authorization/oauthAuthorizer.go index b36fcb29672..47ce1bea575 100644 --- a/common/authorization/oauthAuthorizer.go +++ b/common/authorization/oauthAuthorizer.go 
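Review bot: `createJWT` now emits `exp` and drops the `TTL` claim, so a server still running the previous validation (which computed expiry as `Iat+TTL`) would presumably treat these tokens as already expired. If the CLI and server can be upgraded independently, keeping `TTL: ttl,` in the claims for a transition period avoids that. `time.Now()` is also read twice, so `iat` and `exp` are not derived from the same instant; `now := time.Now()` with `IssuedAt: jwt.NewNumericDate(now)` and `ExpiresAt: jwt.NewNumericDate(now.Add(10 * time.Minute))` is simpler and removes the `int64` round trip. The function comment could say that the token is minted with `Admin: true` and a ten-minute lifetime.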
@@ -142,11 +142,6 @@ func (a *oauthAuthority) keyFunc(token *jwt.Token) (interface{}, error) { } func (a *oauthAuthority) validateTTL(claims *JWTClaims) error { - - if claims.IssuedAt == nil { - return errors.New("IssuedAt is not set") - } - // Fill ExpiresAt when TTL is passed if claims.TTL > 0 { claims.ExpiresAt = jwt.NewNumericDate(claims.IssuedAt.Time.Add(time.Second * time.Duration(claims.TTL))) diff --git a/go.mod b/go.mod index 43bbae9a79b..af669973de6 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,6 @@ require ( github.com/aws/aws-sdk-go v1.44.180 github.com/cactus/go-statsd-client/statsd v0.0.0-20191106001114-12b4e2b38748 github.com/cch123/elasticsql v0.0.0-20190321073543-a1a440758eb9 - github.com/cristalhq/jwt/v3 v3.1.0 github.com/dave/dst v0.26.2 github.com/davecgh/go-spew v1.1.1 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 @@ -17,11 +16,14 @@ require ( github.com/go-sql-driver/mysql v1.7.1 github.com/gocql/gocql v0.0.0-20211015133455-b225f9b53fa1 github.com/gogo/protobuf v1.3.2 + github.com/golang-jwt/jwt/v5 v5.2.0 github.com/golang/mock v1.6.0 + github.com/google/go-cmp v0.6.0 github.com/google/uuid v1.5.0 github.com/hashicorp/go-version v1.2.0 github.com/iancoleman/strcase v0.2.0 github.com/jmoiron/sqlx v1.2.1-0.20200615141059-0794cb1f47ee + github.com/jonboulle/clockwork v0.4.0 github.com/lib/pq v1.2.0 github.com/m3db/prometheus_client_golang v0.8.1 github.com/olekukonko/tablewriter v0.0.4 @@ -52,6 +54,7 @@ require ( go.uber.org/thriftrw v1.29.2 go.uber.org/yarpc v1.70.3 go.uber.org/zap v1.13.0 + golang.org/x/exp v0.0.0-20231226003508-02704c960a9b golang.org/x/net v0.19.0 golang.org/x/sync v0.5.0 golang.org/x/time v0.3.0 
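Review bot: With the `claims.IssuedAt == nil` guard removed, the next statement still evaluates `claims.IssuedAt.Time` whenever `claims.TTL > 0`, so a correctly signed token that carries `TTL` but no `iat` triggers a nil-pointer dereference inside `Authorize` (a panic unless recovered upstream) instead of a deny decision. `jwt.WithIssuedAt()` on the parser only validates `iat` when the claim is present and does not require it, so the guard was not redundant. Keep the check scoped to the branch that needs it, e.g. `if claims.TTL > 0 && claims.IssuedAt == nil { return errors.New("IssuedAt is not set") }`. Also restore the table row "Claims with no IAT claim will fail TTL validation" that patch 3/4 deletes from `oauthAuthorizer_test.go`. `validateTTL` continues past the end of this hunk.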
@@ -62,12 +65,6 @@ require ( gopkg.in/yaml.v2 v2.3.0 ) -require ( - github.com/google/go-cmp v0.6.0 - github.com/jonboulle/clockwork v0.4.0 - golang.org/x/exp v0.0.0-20231226003508-02704c960a9b -) - require ( github.com/BurntSushi/toml v0.4.1 // indirect github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect @@ -76,6 +73,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect + github.com/cristalhq/jwt/v3 v3.1.0 // indirect github.com/eapache/go-resiliency v1.2.0 // indirect github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect github.com/eapache/queue v1.1.0 // indirect From 2e7cada32dd7ca05e52cd9cb97c18abd49af3279 Mon Sep 17 00:00:00 2001 From: Mantas Sidlauskas Date: Wed, 24 Jan 2024 19:32:48 +0200 Subject: [PATCH 3/4] fix test --- common/authorization/oauthAuthorizer_test.go | 7 ------- 1 file changed, 7 deletions(-) diff --git a/common/authorization/oauthAuthorizer_test.go b/common/authorization/oauthAuthorizer_test.go index 45513d73e70..bdf83cc0b3d 100644 --- a/common/authorization/oauthAuthorizer_test.go +++ b/common/authorization/oauthAuthorizer_test.go @@ -265,13 +265,6 @@ func Test_oauthAuthority_validateTTL(t *testing.T) { claims: &JWTClaims{}, wantErr: assert.Error, }, - { - name: "Claims with no IAT claim will fail TTL validation", - claims: &JWTClaims{ - TTL: 30000, - }, - wantErr: assert.Error, - }, { name: "Claims with IAT and Claim TTL will pass", claims: &JWTClaims{ From f4104936604ffef365a4e60386725b884cbc3deb Mon Sep 17 00:00:00 2001 From: Mantas Sidlauskas Date: Wed, 24 Jan 2024 22:52:31 +0200 Subject: [PATCH 4/4] run ./scripts/buildkite/golint.sh --- cmd/server/go.mod | 1 + cmd/server/go.sum | 2 ++ common/archiver/gcloud/go.mod | 1 + common/archiver/gcloud/go.sum | 2 ++ 4 files changed, 6 insertions(+) diff --git a/cmd/server/go.mod b/cmd/server/go.mod index 1dce83ed5c7..21c437d02cf 100644 
--- a/cmd/server/go.mod +++ b/cmd/server/go.mod @@ -93,6 +93,7 @@ require ( github.com/fatih/structtag v1.2.0 // indirect github.com/gogo/googleapis v1.3.2 // indirect github.com/gogo/status v1.1.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/golang/snappy v0.0.4 // indirect diff --git a/cmd/server/go.sum b/cmd/server/go.sum index fc0983a0389..84d3f373238 100644 --- a/cmd/server/go.sum +++ b/cmd/server/go.sum @@ -136,6 +136,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA= github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM= +github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= diff --git a/common/archiver/gcloud/go.mod b/common/archiver/gcloud/go.mod index ead24b89176..032769464cf 100644 --- a/common/archiver/gcloud/go.mod +++ b/common/archiver/gcloud/go.mod 
@@ -67,6 +67,7 @@ require ( github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a // indirect github.com/gogo/googleapis v1.3.2 // indirect github.com/gogo/status v1.1.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/s2a-go v0.1.4 // indirect diff --git a/common/archiver/gcloud/go.sum b/common/archiver/gcloud/go.sum index e32e6912a93..f295ac28f39 100644 --- a/common/archiver/gcloud/go.sum +++ b/common/archiver/gcloud/go.sum @@ -89,6 +89,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA= github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM= +github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=