feature: Use RegisteredClaims instead of deprecated staruct StandardC…
…laims (#16206)

Signed-off-by: wujw39640 <[email protected]>
wujunwei authored Aug 1, 2022
1 parent bbc7282 commit bf741ad
Showing 6 changed files with 31 additions and 22 deletions.
12 changes: 6 additions & 6 deletions src/core/service/token/authutils.go
Expand Up @@ -122,14 +122,14 @@ func MakeToken(ctx context.Context, username, service string, access []*token.Re
now := time.Now().UTC()

claims := &v2.Claims{
StandardClaims: jwt.StandardClaims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: options.Issuer,
Subject: username,
Audience: service,
ExpiresAt: now.Add(time.Duration(expiration) * time.Minute).Unix(),
NotBefore: now.Unix(),
IssuedAt: now.Unix(),
Id: utils.GenerateRandomStringWithLen(16),
Audience: jwt.ClaimStrings([]string{service}),
ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(expiration) * time.Minute)),
NotBefore: jwt.NewNumericDate(now),
IssuedAt: jwt.NewNumericDate(now),
ID: utils.GenerateRandomStringWithLen(16),
},
Access: access,
}
4 changes: 2 additions & 2 deletions src/core/service/token/token_test.go
Expand Up @@ -123,7 +123,7 @@ func getPublicKey(crtPath string) (*rsa.PublicKey, error) {
}

type harborClaims struct {
jwt.StandardClaims
jwt.RegisteredClaims
// Private claims
Access []*token.ResourceActions `json:"access"`
}
Expand Down Expand Up @@ -160,7 +160,7 @@ func TestMakeToken(t *testing.T) {
}
claims := tok.Claims.(*harborClaims)
assert.Equal(t, *(claims.Access[0]), *(ra[0]), "Access mismatch")
assert.Equal(t, claims.Audience, svc, "Audience mismatch")
assert.Equal(t, claims.Audience, jwt.ClaimStrings([]string{svc}), "Audience mismatch")
}

type parserTestRec struct {
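Review bot: The updated assertion in TestMakeToken compares the decoded `claims.Audience` with `jwt.ClaimStrings([]string{svc})`, which does not pin how `aud` is encoded in the signed token. `ClaimStrings` decodes both a JSON string and a JSON array, so the test would still pass if the `jwt.MarshalSingleStringAsArray = false` setting added elsewhere in this commit were removed and `aud` went out as an array. Consider decoding the raw payload segment of the generated token and asserting that `aud` is the plain string `svc`, with a comment such as `// aud must stay a single JSON string on the wire`. TestMakeToken starts above this hunk, so its setup is not visible here.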
8 changes: 6 additions & 2 deletions src/pkg/token/claims/robot/robot.go
Expand Up @@ -8,9 +8,13 @@ import (
"github.com/goharbor/harbor/src/pkg/permission/types"
)

func init() {
jwt.MarshalSingleStringAsArray = false
}

// Claim implements the interface of jwt.Claims
type Claim struct {
jwt.StandardClaims
jwt.RegisteredClaims
TokenID int64 `json:"id"`
ProjectID int64 `json:"pid"`
Access []*types.Policy `json:"access"`
Expand All @@ -27,7 +31,7 @@ func (rc Claim) Valid() error {
if rc.Access == nil {
return errors.New("the access info cannot be nil")
}
stdErr := rc.StandardClaims.Valid()
stdErr := rc.RegisteredClaims.Valid()
if stdErr != nil {
return stdErr
}
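Review bot: The new `init()` sets `jwt.MarshalSingleStringAsArray`, a package-level variable of the jwt library, so importing this package changes how every `ClaimStrings` value in the process is marshalled, not only robot claims. The same assignment is repeated in the `init()` added to src/pkg/token/claims/v2/claims.go, and MakeToken in authutils.go appears to rely on it to keep `aud` a single string. Nothing in either place says why the flag is set, so a later cleanup could remove it and silently change the token wire format. I would set it in one shared place and add a comment such as `// keep "aud" encoded as a JSON string, not an array, so existing token consumers keep working`.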
11 changes: 8 additions & 3 deletions src/pkg/token/claims/v2/claims.go
@@ -1,29 +1,34 @@
package v2

import (
"crypto/subtle"
"fmt"

"github.com/docker/distribution/registry/auth/token"
"github.com/golang-jwt/jwt/v4"
)

func init() {
jwt.MarshalSingleStringAsArray = false
}

const (
// Issuer is the only valid issuer for jwt token sent to /v2/xxxx
Issuer = "harbor-token-issuer"
)

// Claims represents the token claims that encapsulated in a JWT token for registry/notary resources
type Claims struct {
jwt.StandardClaims
jwt.RegisteredClaims
Access []*token.ResourceActions `json:"access"`
}

// Valid checks if the issuer is harbor
func (c *Claims) Valid() error {
if err := c.StandardClaims.Valid(); err != nil {
if err := c.RegisteredClaims.Valid(); err != nil {
return err
}
if !c.VerifyIssuer(Issuer, true) {
if subtle.ConstantTimeCompare([]byte(c.Issuer), []byte(Issuer)) == 0 {
return fmt.Errorf("invalid token issuer: %s", c.Issuer)
}
return nil
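Review bot: The issuer check in `Valid()` swaps `c.VerifyIssuer(Issuer, true)` for a hand-written `subtle.ConstantTimeCompare`, and no comment says why the library helper was dropped. The result looks equivalent, since an empty `iss` cannot equal `Issuer` and is still rejected, but `Issuer` is a public constant, so a constant-time comparison protects nothing here and the intent is harder to read. If the pinned jwt v4 release exposes `VerifyIssuer` on `RegisteredClaims`, keeping `if !c.VerifyIssuer(Issuer, true) {` would be simpler; otherwise add `// iss is required: an empty or different issuer is rejected`. The unchanged error line formats the token-supplied issuer with `%s`, and `fmt.Errorf("invalid token issuer: %q", c.Issuer)` would keep control characters from a crafted token out of logs. `Valid()` closes below the last visible line of the hunk.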
4 changes: 2 additions & 2 deletions src/pkg/token/claims/v2/claims_test.go
Expand Up @@ -15,7 +15,7 @@ func TestValid(t *testing.T) {
}{
{
claims: Claims{
StandardClaims: jwt.StandardClaims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "anonymous",
},
Access: []*token.ResourceActions{},
Expand All @@ -24,7 +24,7 @@ func TestValid(t *testing.T) {
},
{
claims: Claims{
StandardClaims: jwt.StandardClaims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: Issuer,
},
Access: []*token.ResourceActions{},
14 changes: 7 additions & 7 deletions src/pkg/token/token_test.go
Expand Up @@ -33,13 +33,13 @@ func TestNew(t *testing.T) {
tokenID := int64(123)
projectID := int64(321)
tokenExpiration := time.Duration(10) * 24 * time.Hour
expiresAt := time.Now().UTC().Add(tokenExpiration).Unix()
expiresAt := time.Now().UTC().Add(tokenExpiration)
robot := robot_claim.Claim{
TokenID: tokenID,
ProjectID: projectID,
Access: policies,
StandardClaims: jwt.StandardClaims{
ExpiresAt: expiresAt,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
},
}
defaultOpt := DefaultTokenOptions()
Expand All @@ -60,20 +60,20 @@ func TestRaw(t *testing.T) {
Resource: "/project/library/repository",
Action: "pull",
}
policies := []*types.Policy{}
var policies []*types.Policy
policies = append(policies, rbacPolicy)

tokenID := int64(123)
projectID := int64(321)

tokenExpiration := time.Duration(10) * 24 * time.Hour
expiresAt := time.Now().UTC().Add(tokenExpiration).Unix()
expiresAt := time.Now().UTC().Add(tokenExpiration)
robot := robot_claim.Claim{
TokenID: tokenID,
ProjectID: projectID,
Access: policies,
StandardClaims: jwt.StandardClaims{
ExpiresAt: expiresAt,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
},
}
defaultOpt := DefaultTokenOptions()
