cadence-workflow · davidporter-id-au · Jan 24, 2024 · Jan 9, 2024 · Jan 23, 2024 · Jan 24, 2024
@@ -93,6 +93,7 @@ require (
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/gogo/googleapis v1.3.2 // indirect
 	github.com/gogo/status v1.1.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect

@@ -136,6 +136,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA=
 github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

@@ -67,6 +67,7 @@ require (
 	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a // indirect
 	github.com/gogo/googleapis v1.3.2 // indirect
 	github.com/gogo/status v1.1.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/s2a-go v0.1.4 // indirect

@@ -89,6 +89,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA=
 github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=

@@ -23,7 +23,7 @@ package authorization
 import (
 	"testing"
 
-	"github.com/cristalhq/jwt/v3"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/suite"
 
 	"github.com/uber/cadence/common"
@@ -63,7 +63,7 @@ func cfgOAuth() config.Authorization {
 		OAuthAuthorizer: config.OAuthAuthorizer{
 			Enable: true,
 			JwtCredentials: config.JwtCredentials{
-				Algorithm: jwt.RS256.String(),
+				Algorithm: jwt.SigningMethodRS256.Name,
 				PublicKey: "../../config/credentials/keytest.pub",
 			},
 			MaxJwtTTL: 12345,
@@ -76,17 +76,18 @@ func (s *factorySuite) TestFactoryNoopAuthorizer() {
 
 	publicKey, _ := common.LoadRSAPublicKey(cfgOAuthVar.OAuthAuthorizer.JwtCredentials.PublicKey)
 
-	verifier, _ := jwt.NewVerifierRS(
-		jwt.Algorithm(cfgOAuthVar.OAuthAuthorizer.JwtCredentials.Algorithm),
-		publicKey,
-	)
 	var tests = []struct {
 		cfg      config.Authorization
 		expected Authorizer
 		err      error
 	}{
 		{cfgNoop(), &nopAuthority{}, nil},
-		{cfgOAuthVar, &oauthAuthority{authorizationCfg: cfgOAuthVar.OAuthAuthorizer, log: s.logger, verifier: verifier}, nil},
+		{cfgOAuthVar, &oauthAuthority{
+			authorizationCfg: cfgOAuthVar.OAuthAuthorizer,
+			log:              s.logger,
+			publicKey:        publicKey,
+			parser:           jwt.NewParser(jwt.WithValidMethods([]string{cfgOAuthVar.OAuthAuthorizer.JwtCredentials.Algorithm}), jwt.WithIssuedAt()),
+		}, nil},
 	}
 
 	for _, test := range tests {

@@ -22,13 +22,12 @@ package authorization
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 
-	"github.com/cristalhq/jwt/v3"
+	"github.com/golang-jwt/jwt/v5"
 	"go.uber.org/yarpc"
 
 	"github.com/uber/cadence/common"
@@ -38,20 +37,24 @@ import (
 	"github.com/uber/cadence/common/log/tag"
 )
 
+var _ jwt.Claims = (*JWTClaims)(nil)
+
 type oauthAuthority struct {
 	authorizationCfg config.OAuthAuthorizer
 	domainCache      cache.DomainCache
 	log              log.Logger
-	verifier         jwt.Verifier
+	parser           *jwt.Parser
+	publicKey        interface{}
 }
 
+// JWTClaims is a Cadence specific claim with embeded Claims defined https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
 type JWTClaims struct {
-	Sub    string
+	jwt.RegisteredClaims
+
 	Name   string
 	Groups string // separated by space
 	Admin  bool
-	Iat    int64
-	TTL    int64
+	TTL    int64 // TODO should be removed. ExpiresAt should be used
 }
 
 func (j JWTClaims) GetGroups() []string {
@@ -66,25 +69,25 @@ func NewOAuthAuthorizer(
 	log log.Logger,
 	domainCache cache.DomainCache,
 ) (Authorizer, error) {
-	publicKey, err := common.LoadRSAPublicKey(authorizationCfg.JwtCredentials.PublicKey)
+
+	key, err := common.LoadRSAPublicKey(authorizationCfg.JwtCredentials.PublicKey)
 	if err != nil {
 		return nil, fmt.Errorf("loading RSA public key: %w", err)
 	}
 
-	verifier, err := jwt.NewVerifierRS(
-		jwt.Algorithm(authorizationCfg.JwtCredentials.Algorithm),
-		publicKey,
-	)
-
-	if err != nil {
-		return nil, fmt.Errorf("creating JWT verifier: %w", err)
+	if authorizationCfg.JwtCredentials.Algorithm != jwt.SigningMethodRS256.Name {
+		return nil, fmt.Errorf("algorithm %q is not supported", authorizationCfg.JwtCredentials.Algorithm)
 	}
 
 	return &oauthAuthority{
 		authorizationCfg: authorizationCfg,
 		domainCache:      domainCache,
 		log:              log,
-		verifier:         verifier,
+		parser: jwt.NewParser(
+			jwt.WithValidMethods([]string{authorizationCfg.JwtCredentials.Algorithm}),
+			jwt.WithIssuedAt(),
+		),
+		publicKey: key,
 	}, nil
 }
 
@@ -101,49 +104,63 @@ func (a *oauthAuthority) Authorize(
 		return Result{Decision: DecisionDeny}, nil
 	}
 
-	claims, err := a.parseToken(token, a.verifier)
+	var claims JWTClaims
+
+	_, err := a.parser.ParseWithClaims(token, &claims, a.keyFunc)
+
 	if err != nil {
 		a.log.Debug("request is not authorized", tag.Error(err))
 		return Result{Decision: DecisionDeny}, nil
 	}
 
-	if err := a.validateTTL(claims); err != nil {
+	if err := a.validateTTL(&claims); err != nil {
 		a.log.Debug("request is not authorized", tag.Error(err))
 		return Result{Decision: DecisionDeny}, nil
 	}
 
 	if claims.Admin {
 		return Result{Decision: DecisionAllow}, nil
 	}
+
 	domain, err := a.domainCache.GetDomain(attributes.DomainName)
 	if err != nil {
 		return Result{Decision: DecisionDeny}, err
 	}
 
-	if err := validatePermission(claims, attributes, domain.GetInfo().Data); err != nil {
+	if err := validatePermission(&claims, attributes, domain.GetInfo().Data); err != nil {
 		a.log.Debug("request is not authorized", tag.Error(err))
 		return Result{Decision: DecisionDeny}, nil
 	}
 
 	return Result{Decision: DecisionAllow}, nil
 }
 
-func (a *oauthAuthority) parseToken(tokenStr string, verifier jwt.Verifier) (*JWTClaims, error) {
-	token, err := jwt.ParseAndVerifyString(tokenStr, verifier)
-	if err != nil {
-		return nil, fmt.Errorf("parse token: %w", err)
-	}
-	var claims JWTClaims
-	_ = json.Unmarshal(token.RawClaims(), &claims)
-	return &claims, nil
+// keyFunc returns correct key to check signature
+func (a *oauthAuthority) keyFunc(token *jwt.Token) (interface{}, error) {
+	// only local public key is supported currently
+	return a.publicKey, nil
 }
 
 func (a *oauthAuthority) validateTTL(claims *JWTClaims) error {
-	if claims.TTL > a.authorizationCfg.MaxJwtTTL {
-		return fmt.Errorf("token TTL: %d is larger than MaxTTL allowed: %d", claims.TTL, a.authorizationCfg.MaxJwtTTL)
+	// Fill ExpiresAt when TTL is passed
+	if claims.TTL > 0 {
+		claims.ExpiresAt = jwt.NewNumericDate(claims.IssuedAt.Time.Add(time.Second * time.Duration(claims.TTL)))
 	}
-	if claims.Iat+claims.TTL < time.Now().Unix() {
-		return errors.New("JWT has expired")
+
+	exp, err := claims.GetExpirationTime()
+
+	if err != nil || exp == nil {
+		return errors.New("ExpiresAt is not set")
 	}
+
+	timeLeft := exp.Unix() - time.Now().Unix()
+	if timeLeft < 0 {
+		return errors.New("token is expired")
+	}
+
+	if timeLeft > a.authorizationCfg.MaxJwtTTL {
+		return fmt.Errorf("token TTL: %d is larger than MaxTTL allowed: %d", timeLeft, a.authorizationCfg.MaxJwtTTL)
+	}
+
 	return nil
 }
@@ -22,10 +22,13 @@ package authorization
 
 import (
 	"fmt"
+	"strings"
 	"testing"
+	"time"
 
-	"github.com/cristalhq/jwt/v3"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/yarpc/api/encoding"
@@ -64,7 +67,7 @@ func (s *oauthSuite) SetupTest() {
 	s.cfg = config.OAuthAuthorizer{
 		Enable: true,
 		JwtCredentials: config.JwtCredentials{
-			Algorithm: jwt.RS256.String(),
+			Algorithm: jwt.SigningMethodRS256.Name,
 			PublicKey: "../../config/credentials/keytest.pub",
 		},
 		MaxJwtTTL: 300000001,
@@ -167,23 +170,23 @@ func (s *oauthSuite) TestGetDomainError() {
 func (s *oauthSuite) TestIncorrectPublicKey() {
 	s.cfg.JwtCredentials.PublicKey = "incorrectPublicKey"
 	authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
-	s.Equal(authorizer, nil)
+	s.Equal(nil, authorizer)
 	s.EqualError(err, "loading RSA public key: invalid public key path incorrectPublicKey")
 }
 
 func (s *oauthSuite) TestIncorrectAlgorithm() {
 	s.cfg.JwtCredentials.Algorithm = "SHA256"
 	authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
-	s.Equal(authorizer, nil)
-	s.ErrorContains(err, "jwt: algorithm is not supported")
+	s.Equal(nil, authorizer)
+	s.ErrorContains(err, "algorithm \"SHA256\" is not supported")
 }
 
 func (s *oauthSuite) TestMaxTTLLargerInToken() {
 	s.cfg.MaxJwtTTL = 1
 	authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
 	s.NoError(err)
 	s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool {
-		return fmt.Sprintf("%v", t[0].Field().Interface) == "token TTL: 300000000 is larger than MaxTTL allowed: 1"
+		return strings.HasPrefix(fmt.Sprintf("%v", t[0].Field().Interface), "token TTL:")
 	}))
 	result, _ := authorizer.Authorize(s.ctx, &s.att)
 	s.Equal(result.Decision, DecisionDeny)
@@ -199,7 +202,7 @@ func (s *oauthSuite) TestIncorrectToken() {
 	authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
 	s.NoError(err)
 	s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool {
-		return fmt.Sprintf("%v", t[0].Field().Interface) == "parse token: jwt: token format is not valid"
+		return fmt.Sprintf("%v", t[0].Field().Interface) == "token is malformed: token contains an invalid number of segments"
 	}))
 	result, _ := authorizer.Authorize(ctx, &s.att)
 	s.Equal(result.Decision, DecisionDeny)
@@ -217,7 +220,7 @@ func (s *oauthSuite) TestIatExpiredToken() {
 	authorizer, err := NewOAuthAuthorizer(s.cfg, s.logger, s.domainCache)
 	s.NoError(err)
 	s.logger.On("Debug", "request is not authorized", mock.MatchedBy(func(t []tag.Tag) bool {
-		return fmt.Sprintf("%v", t[0].Field().Interface) == "JWT has expired"
+		return fmt.Sprintf("%v", t[0].Field().Interface) == "token is expired"
 	}))
 	result, _ := authorizer.Authorize(ctx, &s.att)
 	s.Equal(result.Decision, DecisionDeny)
@@ -248,3 +251,50 @@ func (s *oauthSuite) TestIncorrectPermission() {
 	s.NoError(err)
 	s.Equal(result.Decision, DecisionDeny)
 }
+
+func Test_oauthAuthority_validateTTL(t *testing.T) {
+
+	tests := []struct {
+		name      string
+		claims    *JWTClaims
+		ttlConfig int64
+		wantErr   assert.ErrorAssertionFunc
+	}{
+		{
+			name:    "Empty claims will fail TTL validation",
+			claims:  &JWTClaims{},
+			wantErr: assert.Error,
+		},
+		{
+			name: "Claims with IAT and Claim TTL will pass",
+			claims: &JWTClaims{
+				TTL: 300,
+				RegisteredClaims: jwt.RegisteredClaims{
+					IssuedAt: jwt.NewNumericDate(time.Now()),
+				},
+			},
+			wantErr:   assert.NoError,
+			ttlConfig: 500,
+		},
+
+		{
+			name: "Claims with IAT but without TTL or ExpiresAT will fail TTL validation",
+			claims: &JWTClaims{
+				RegisteredClaims: jwt.RegisteredClaims{
+					IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Minute)),
+				},
+			},
+			ttlConfig: 1,
+			wantErr:   assert.Error,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			validator := &oauthAuthority{
+				authorizationCfg: config.OAuthAuthorizer{MaxJwtTTL: tt.ttlConfig},
+			}
+			tt.wantErr(t, validator.validateTTL(tt.claims), fmt.Sprintf("validateTTL(%v)", tt.claims))
+		})
+	}
+}
@@ -23,7 +23,7 @@ package config
 import (
 	"fmt"
 
-	"github.com/cristalhq/jwt/v3"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // Validate validates the persistence config
@@ -33,8 +33,8 @@ func (a *Authorization) Validate() error {
 	}
 
 	if a.OAuthAuthorizer.Enable {
-		if oauthError := a.validateOAuth(); oauthError != nil {
-			return oauthError
+		if err := a.validateOAuth(); err != nil {
+			return err
 		}
 	}
 
@@ -50,7 +50,7 @@ func (a *Authorization) validateOAuth() error {
 	if oauthConfig.JwtCredentials.PublicKey == "" {
 		return fmt.Errorf("[OAuthConfig] PublicKey can't be empty")
 	}
-	if oauthConfig.JwtCredentials.Algorithm != jwt.RS256.String() {
+	if oauthConfig.JwtCredentials.Algorithm != jwt.SigningMethodRS256.Name {
 		return fmt.Errorf("[OAuthConfig] The only supported Algorithm is RS256")
 	}
 	return nil

@@ -106,7 +106,7 @@ type (
 
 	OAuthAuthorizer struct {
 		Enable bool `yaml:"enable"`
-		// Credentials to verify/create the JWT
+		// Credentials to verify/create the JWT using public/private keys
 		JwtCredentials JwtCredentials `yaml:"jwtCredentials"`
 		// Max of TTL in the claim
 		MaxJwtTTL int64 `yaml:"maxJwtTTL"`