shogo82148 · shogo82148 · Oct 8, 2023 · Oct 8, 2023
diff --git a/provider/github-app-token/github/app_access_tokens_test.go b/provider/github-app-token/github/app_access_tokens_test.go
@@ -23,6 +23,7 @@ func TestCreateAppAccessToken(t *testing.T) {
 	}
 
 	ts := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		if r.Method != http.MethodPost {
 			t.Errorf("unexpected method: want POST, got %s", r.Method)
 		}
@@ -34,16 +35,22 @@ func TestCreateAppAccessToken(t *testing.T) {
 			return
 		}
 		auth = strings.TrimPrefix(auth, "Bearer ")
-		token, err := jwt.Parse([]byte(auth), jwt.FindKeyFunc(func(header *jws.Header) (sig.SigningKey, error) {
-			if want, got := jwa.RS256, header.Algorithm(); want != got {
-				t.Errorf("unexpected algorithm: want %s, got %s", want, got)
-			}
-			key, err := readPublicKeyForTest()
-			if err != nil {
-				return nil, err
-			}
-			return jwa.RS256.New().NewSigningKey(key), nil
-		}))
+		p := &jwt.Parser{
+			KeyFinder: jwt.FindKeyFunc(func(ctx context.Context, header *jws.Header) (sig.SigningKey, error) {
+				if want, got := jwa.RS256, header.Algorithm(); want != got {
+					t.Errorf("unexpected algorithm: want %s, got %s", want, got)
+				}
+				key, err := readPublicKeyForTest()
+				if err != nil {
+					return nil, err
+				}
+				return jwa.RS256.New().NewSigningKey(key), nil
+			}),
+			AlgorithmVerfier:      jwt.AllowedAlgorithms{jwa.RS256},
+			AudienceVerifier:      jwt.UnsecureAnyAudience,
+			IssuerSubjectVerifier: jwt.Issuer("123456"),
+		}
+		token, err := p.Parse(ctx, []byte(auth))
 		if err != nil {
 			t.Error(err)
 			rw.WriteHeader(http.StatusUnauthorized)

diff --git a/provider/github-app-token/github/get_app_test.go b/provider/github-app-token/github/get_app_test.go
@@ -23,6 +23,7 @@ func TestGetApp(t *testing.T) {
 	}
 
 	ts := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		if r.Method != http.MethodGet {
 			t.Errorf("unexpected method: want GET, got %s", r.Method)
 		}
@@ -34,16 +35,22 @@ func TestGetApp(t *testing.T) {
 			return
 		}
 		auth = strings.TrimPrefix(auth, "Bearer ")
-		token, err := jwt.Parse([]byte(auth), jwt.FindKeyFunc(func(header *jws.Header) (sig.SigningKey, error) {
-			if want, got := jwa.RS256, header.Algorithm(); want != got {
-				t.Errorf("unexpected algorithm: want %s, got %s", want, got)
-			}
-			key, err := readPublicKeyForTest()
-			if err != nil {
-				return nil, err
-			}
-			return jwa.RS256.New().NewSigningKey(key), nil
-		}))
+		p := &jwt.Parser{
+			KeyFinder: jwt.FindKeyFunc(func(ctx context.Context, header *jws.Header) (sig.SigningKey, error) {
+				if want, got := jwa.RS256, header.Algorithm(); want != got {
+					t.Errorf("unexpected algorithm: want %s, got %s", want, got)
+				}
+				key, err := readPublicKeyForTest()
+				if err != nil {
+					return nil, err
+				}
+				return jwa.RS256.New().NewSigningKey(key), nil
+			}),
+			AlgorithmVerfier:      jwt.AllowedAlgorithms{jwa.RS256},
+			AudienceVerifier:      jwt.UnsecureAnyAudience,
+			IssuerSubjectVerifier: jwt.Issuer("123456"),
+		}
+		token, err := p.Parse(ctx, []byte(auth))
 		if err != nil {
 			t.Error(err)
 			rw.WriteHeader(http.StatusUnauthorized)

diff --git a/provider/github-app-token/github/get_repos_installation_test.go b/provider/github-app-token/github/get_repos_installation_test.go
@@ -23,6 +23,7 @@ func TestGetReposInstallation(t *testing.T) {
 	}
 
 	ts := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		if r.Method != http.MethodGet {
 			t.Errorf("unexpected method: want GET, got %s", r.Method)
 		}
@@ -34,16 +35,22 @@ func TestGetReposInstallation(t *testing.T) {
 			return
 		}
 		auth = strings.TrimPrefix(auth, "Bearer ")
-		token, err := jwt.Parse([]byte(auth), jwt.FindKeyFunc(func(header *jws.Header) (sig.SigningKey, error) {
-			if want, got := jwa.RS256, header.Algorithm(); want != got {
-				t.Errorf("unexpected algorithm: want %s, got %s", want, got)
-			}
-			key, err := readPublicKeyForTest()
-			if err != nil {
-				return nil, err
-			}
-			return jwa.RS256.New().NewSigningKey(key), nil
-		}))
+		p := &jwt.Parser{
+			KeyFinder: jwt.FindKeyFunc(func(ctx context.Context, header *jws.Header) (sig.SigningKey, error) {
+				if want, got := jwa.RS256, header.Algorithm(); want != got {
+					t.Errorf("unexpected algorithm: want %s, got %s", want, got)
+				}
+				key, err := readPublicKeyForTest()
+				if err != nil {
+					return nil, err
+				}
+				return jwa.RS256.New().NewSigningKey(key), nil
+			}),
+			AlgorithmVerfier:      jwt.AllowedAlgorithms{jwa.RS256},
+			AudienceVerifier:      jwt.UnsecureAnyAudience,
+			IssuerSubjectVerifier: jwt.Issuer("123456"),
+		}
+		token, err := p.Parse(ctx, []byte(auth))
 		if err != nil {
 			t.Error(err)
 			rw.WriteHeader(http.StatusUnauthorized)

diff --git a/provider/github-app-token/github/parse_id_token.go b/provider/github-app-token/github/parse_id_token.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/shogo82148/goat/jwa"
 	"github.com/shogo82148/goat/jws"
 	"github.com/shogo82148/goat/jwt"
 	"github.com/shogo82148/goat/sig"
@@ -42,17 +43,23 @@ func (c *Client) ParseIDToken(ctx context.Context, idToken string) (*ActionsIDTo
 	if err != nil {
 		return nil, fmt.Errorf("github: failed to get JWK Set: %w", err)
 	}
-	token, err := jwt.Parse([]byte(idToken), jwt.FindKeyFunc(func(header *jws.Header) (key sig.SigningKey, err error) {
-		jwk, ok := set.Find(header.KeyID())
-		if !ok {
-			return nil, fmt.Errorf("github: kid %s is not found", header.KeyID())
-		}
-		if jwk.Algorithm() != "" && header.Algorithm().KeyAlgorithm() != jwk.Algorithm() {
-			return nil, fmt.Errorf("github: alg parameter mismatch")
-		}
-		key = header.Algorithm().New().NewSigningKey(jwk)
-		return
-	}))
+	p := &jwt.Parser{
+		KeyFinder: jwt.FindKeyFunc(func(ctx context.Context, header *jws.Header) (key sig.SigningKey, err error) {
+			jwk, ok := set.Find(header.KeyID())
+			if !ok {
+				return nil, fmt.Errorf("github: kid %s is not found", header.KeyID())
+			}
+			if jwk.Algorithm() != "" && header.Algorithm().KeyAlgorithm() != jwk.Algorithm() {
+				return nil, fmt.Errorf("github: alg parameter mismatch")
+			}
+			key = header.Algorithm().New().NewSigningKey(jwk)
+			return
+		}),
+		AlgorithmVerfier:      jwt.AllowedAlgorithms{jwa.RS256},
+		AudienceVerifier:      jwt.UnsecureAnyAudience,
+		IssuerSubjectVerifier: jwt.Issuer(oidcIssuer),
+	}
+	token, err := p.Parse(ctx, []byte(idToken))
 	if err != nil {
 		return nil, fmt.Errorf("github: failed to parse id token: %w", err)
 	}

diff --git a/provider/github-app-token/go.mod b/provider/github-app-token/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/goccy/go-yaml v1.11.2
 	github.com/shogo82148/aws-xray-yasdk-go v1.7.1
 	github.com/shogo82148/go-http-logger v1.3.0
-	github.com/shogo82148/goat v0.0.6
+	github.com/shogo82148/goat v0.0.7-0.20231008041607-e11514df9d02
 	github.com/shogo82148/ridgenative v1.4.0
 	golang.org/x/sync v0.4.0
 )
@@ -30,9 +30,9 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/shogo82148/memoize v0.0.2 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	github.com/shogo82148/memoize v0.0.3 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/provider/github-app-token/go.sum b/provider/github-app-token/go.sum
@@ -56,23 +56,23 @@ github.com/shogo82148/aws-xray-yasdk-go v1.7.1 h1:S3ehDH+aJzrhilX5KoJBsegkWu7UF2
 github.com/shogo82148/aws-xray-yasdk-go v1.7.1/go.mod h1:oz8SCOMbtQvC6TbfMKVzl6aJjpiaqwvATlV6RN0vJ3Q=
 github.com/shogo82148/go-http-logger v1.3.0 h1:4mTca6oyIXZrBXVrwzCdu3oWzI8r8aaBbM7sTsZituk=
 github.com/shogo82148/go-http-logger v1.3.0/go.mod h1:kT0vCPqUkYd9WVdLvZIQ0nIl/atEdfuyJCIpsBLOqz8=
-github.com/shogo82148/goat v0.0.6 h1:QmNrB8HnXOt7BFaS8i890aBo4RRbiXVWcgSagd97S7Q=
-github.com/shogo82148/goat v0.0.6/go.mod h1:J5sGtFsP9R1Mh6OLSbCec8pVmXy3oQGaYUj12qtKg94=
-github.com/shogo82148/memoize v0.0.2 h1:KBHGjTpwuKPyCzpNlpNT79hKfmJaheHxpIuqdGzqdIE=
-github.com/shogo82148/memoize v0.0.2/go.mod h1:sOsvhOlJGVR2nHgCzUchvbEeYB6jNvSP9o4SPHgb+bY=
-github.com/shogo82148/pointer v1.2.0 h1:MEPjAx9hK17sdEVhaqHROphdy+RxTH70vaBypZzZ/d8=
-github.com/shogo82148/pointer v1.2.0/go.mod h1:agZ5JFpavFPXznbWonIvbG78NDfvDTFppe+7o53up5w=
+github.com/shogo82148/goat v0.0.7-0.20231008041607-e11514df9d02 h1:aK7B/rM9iuN0dxxONYEoxyy26BkelQ6AW7g5x+0lO14=
+github.com/shogo82148/goat v0.0.7-0.20231008041607-e11514df9d02/go.mod h1:wdexg/SutyUH1M9DlBW4be73zmklR0MvRXUxLyJuDnQ=
+github.com/shogo82148/memoize v0.0.3 h1:dgPkeH6TM9Vu0hXC0UfeSBEIQVL6i0Q9nscBh5CJZAs=
+github.com/shogo82148/memoize v0.0.3/go.mod h1:sOsvhOlJGVR2nHgCzUchvbEeYB6jNvSP9o4SPHgb+bY=
+github.com/shogo82148/pointer v1.3.0 h1:LW5V2jUAjFNjS8e7k/PgFoh3EavOSB/vvN85aGue5+I=
+github.com/shogo82148/pointer v1.3.0/go.mod h1:agZ5JFpavFPXznbWonIvbG78NDfvDTFppe+7o53up5w=
 github.com/shogo82148/ridgenative v1.4.0 h1:yBsshqKQ86Y155CzgW3iC34DPwpcClceCJ8JQBd36UE=
 github.com/shogo82148/ridgenative v1.4.0/go.mod h1:PInWLpQIV0RsZI3j81ZH87hQ2knhDiMGbeDuTli3QIE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=