Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Migrate to use golang-jwt/jwt v4.2.0 #8136

Merged
merged 3 commits into from
Jan 13, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 2 additions & 4 deletions cmd/argocd/commands/login.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import (
"time"

"github.com/coreos/go-oidc"
"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"
"github.com/skratchdot/open-golang/open"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -127,9 +127,7 @@ argocd login cd.argoproj.io --core`,
errors.CheckError(err)
tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
}
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
claims := jwt.MapClaims{}
_, _, err := parser.ParseUnverified(tokenString, &claims)
errors.CheckError(err)
Expand Down
2 changes: 1 addition & 1 deletion cmd/argocd/commands/login_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ package commands
import (
"testing"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
)

Expand Down
2 changes: 1 addition & 1 deletion cmd/argocd/commands/project_role.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import (
"time"

timeutil "github.com/argoproj/pkg/time"
jwtgo "github.com/dgrijalva/jwt-go/v4"
jwtgo "github.com/golang-jwt/jwt/v4"
"github.com/spf13/cobra"

argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ require (
github.com/casbin/casbin/v2 v2.39.1
github.com/chai2010/gettext-go v0.0.0-20170215093142-bf70f2a70fb1 // indirect
github.com/coreos/go-oidc v2.1.0+incompatible
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/dustin/go-humanize v1.0.0
github.com/evanphx/json-patch v4.11.0+incompatible
github.com/fsnotify/fsnotify v1.4.9
Expand All @@ -32,6 +31,7 @@ require (
github.com/gobwas/glob v0.2.3
github.com/gogits/go-gogs-client v0.0.0-20190616193657-5a05380e4bc2
github.com/gogo/protobuf v1.3.2
github.com/golang-jwt/jwt/v4 v4.2.0
github.com/golang/protobuf v1.5.2
github.com/gomodule/redigo v2.0.0+incompatible // indirect
github.com/google/go-cmp v0.5.6
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -418,6 +418,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
Expand Down
10 changes: 4 additions & 6 deletions pkg/apiclient/apiclient.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ import (
"time"

"github.com/coreos/go-oidc"
"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/golang/protobuf/ptypes/empty"
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
Expand Down Expand Up @@ -392,15 +392,13 @@ func (c *client) refreshAuthToken(localCfg *localconfig.LocalConfig, ctxName, co
if err != nil {
return err
}
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
var claims jwt.StandardClaims
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
var claims jwt.RegisteredClaims
Comment on lines -395 to +396
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wondering why we previously skipped audience validation, and now validate audience field?

Copy link
Member Author

@terrytangyuan terrytangyuan Jan 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, thanks for reminding me of this since I meant to double check on this change as well!

This is only because jwt.WithoutAudienceValidation() is no longer available in the new version of JWT client. Although I am not aware of the reason why the audience validation was skipped previously. If you have any suggestions here, please let me know!

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important to not validate audience (see #5253 and #5413). Apparently, https://github.com/golang-jwt/jwt does not validate the audience automatically , so it works just as we need right now.

They might re-introduce automatic validate in future golang-jwt/jwt#16 but we are good for now.

_, _, err = parser.ParseUnverified(configCtx.User.AuthToken, &claims)
if err != nil {
return err
}
if claims.Valid(parser.ValidationHelper) == nil {
if claims.Valid() == nil {
// token is still valid
return nil
}
Expand Down
8 changes: 4 additions & 4 deletions server/account/account_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"testing"
"time"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
Expand Down Expand Up @@ -87,16 +87,16 @@ func adminContext(ctx context.Context) context.Context {

func ssoAdminContext(ctx context.Context, iat time.Time) context.Context {
// nolint:staticcheck
return context.WithValue(ctx, "claims", &jwt.StandardClaims{
return context.WithValue(ctx, "claims", &jwt.RegisteredClaims{
Subject: "admin",
Issuer: "https://myargocdhost.com/api/dex",
IssuedAt: jwt.At(iat),
IssuedAt: jwt.NewNumericDate(iat),
})
}

func projTokenContext(ctx context.Context) context.Context {
// nolint:staticcheck
return context.WithValue(ctx, "claims", &jwt.StandardClaims{
return context.WithValue(ctx, "claims", &jwt.RegisteredClaims{
Subject: "proj:demo:deployer",
Issuer: sessionutil.SessionManagerClaimsIssuer,
})
Expand Down
2 changes: 1 addition & 1 deletion server/application/application_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,8 @@ import (
synccommon "github.com/argoproj/gitops-engine/pkg/sync/common"
"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
"github.com/argoproj/pkg/sync"
"github.com/dgrijalva/jwt-go/v4"
"github.com/ghodss/yaml"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
Expand Down
2 changes: 1 addition & 1 deletion server/logout/logout.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import (
"strings"
"time"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"

"github.com/argoproj/argo-cd/v2/common"
Expand Down
10 changes: 5 additions & 5 deletions server/logout/logout_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ import (
"github.com/argoproj/argo-cd/v2/util/session"
"github.com/argoproj/argo-cd/v2/util/settings"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -220,29 +220,29 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
if !validJWTPattern.MatchString(tokenString) {
return nil, "", errors.New("invalid jwt")
}
return &jwt.StandardClaims{Issuer: "okta"}, "", nil
return &jwt.RegisteredClaims{Issuer: "okta"}, "", nil
}
nonoidcHandler := NewHandler(appclientset.NewSimpleClientset(), settingsManagerWithoutOIDCConfig, sessionManager, "", baseHRef, "default")
nonoidcHandler.verifyToken = func(tokenString string) (jwt.Claims, string, error) {
if !validJWTPattern.MatchString(tokenString) {
return nil, "", errors.New("invalid jwt")
}
return &jwt.StandardClaims{Issuer: session.SessionManagerClaimsIssuer}, "", nil
return &jwt.RegisteredClaims{Issuer: session.SessionManagerClaimsIssuer}, "", nil
}
oidcHandlerWithoutLogoutURL := NewHandler(appclientset.NewSimpleClientset(), settingsManagerWithOIDCConfigButNoLogoutURL, sessionManager, "", baseHRef, "default")
oidcHandlerWithoutLogoutURL.verifyToken = func(tokenString string) (jwt.Claims, string, error) {
if !validJWTPattern.MatchString(tokenString) {
return nil, "", errors.New("invalid jwt")
}
return &jwt.StandardClaims{Issuer: "okta"}, "", nil
return &jwt.RegisteredClaims{Issuer: "okta"}, "", nil
}

oidcHandlerWithoutBaseURL := NewHandler(appclientset.NewSimpleClientset(), settingsManagerWithOIDCConfigButNoURL, sessionManager, "argocd", baseHRef, "default")
oidcHandlerWithoutBaseURL.verifyToken = func(tokenString string) (jwt.Claims, string, error) {
if !validJWTPattern.MatchString(tokenString) {
return nil, "", errors.New("invalid jwt")
}
return &jwt.StandardClaims{Issuer: "okta"}, "", nil
return &jwt.RegisteredClaims{Issuer: "okta"}, "", nil
}
oidcTokenHeader := make(map[string][]string)
oidcTokenHeader["Cookie"] = []string{"argocd.token=" + oidcToken}
Expand Down
8 changes: 3 additions & 5 deletions server/project/project.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import (
"github.com/argoproj/argo-cd/v2/util/db"

"github.com/argoproj/pkg/sync"
"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/google/uuid"
log "github.com/sirupsen/logrus"
"google.golang.org/grpc/codes"
Expand Down Expand Up @@ -109,10 +109,8 @@ func (s *Server) CreateToken(ctx context.Context, q *project.ProjectTokenCreateR
if err != nil {
return nil, status.Error(codes.InvalidArgument, err.Error())
}
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
claims := jwt.StandardClaims{}
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
claims := jwt.RegisteredClaims{}
_, _, err = parser.ParseUnverified(jwtToken, &claims)
if err != nil {
return nil, status.Error(codes.InvalidArgument, err.Error())
Expand Down
2 changes: 1 addition & 1 deletion server/project/project_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import (
"github.com/argoproj/argo-cd/v2/util/db"

"github.com/argoproj/pkg/sync"
"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/codes"
Expand Down
2 changes: 1 addition & 1 deletion server/rbacpolicy/rbacpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ package rbacpolicy
import (
"strings"

jwt "github.com/dgrijalva/jwt-go/v4"
jwt "github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"

"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
Expand Down
2 changes: 1 addition & 1 deletion server/rbacpolicy/rbacpolicy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import (
"fmt"
"testing"

jwt "github.com/dgrijalva/jwt-go/v4"
jwt "github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes/fake"
Expand Down
2 changes: 1 addition & 1 deletion server/repository/repository_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ import (

"github.com/stretchr/testify/assert"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

Expand Down
2 changes: 1 addition & 1 deletion server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ import (
golang_proto "github.com/golang/protobuf/proto"

"github.com/argoproj/pkg/sync"
"github.com/dgrijalva/jwt-go/v4"
"github.com/go-redis/redis/v8"
"github.com/golang-jwt/jwt/v4"
"github.com/gorilla/handlers"
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
Expand Down
6 changes: 3 additions & 3 deletions server/server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import (
"testing"
"time"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/metadata"
Expand Down Expand Up @@ -175,7 +175,7 @@ g, bob, role:admin
_ = enf.SetUserPolicy(policy)
allowed := []jwt.Claims{
jwt.MapClaims{"groups": []string{"org1:team1", "org2:team2"}},
jwt.StandardClaims{Subject: "admin"},
jwt.RegisteredClaims{Subject: "admin"},
}
for _, c := range allowed {
if !assert.True(t, enf.Enforce(c, "applications", "delete", "foo/obj")) {
Expand All @@ -185,7 +185,7 @@ g, bob, role:admin

disallowed := []jwt.Claims{
jwt.MapClaims{"groups": []string{"org3:team3"}},
jwt.StandardClaims{Subject: "nobody"},
jwt.RegisteredClaims{Subject: "nobody"},
}
for _, c := range disallowed {
if !assert.False(t, enf.Enforce(c, "applications", "delete", "foo/obj")) {
Expand Down
8 changes: 3 additions & 5 deletions util/clusterauth/clusterauth.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (
"strings"
"time"

jwt "github.com/dgrijalva/jwt-go/v4"
jwt "github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
Expand Down Expand Up @@ -296,15 +296,13 @@ type ServiceAccountClaims struct {
}

// Valid satisfies the jwt.Claims interface to enable JWT parsing
func (sac *ServiceAccountClaims) Valid(helper *jwt.ValidationHelper) error {
func (sac *ServiceAccountClaims) Valid() error {
return nil
}

// ParseServiceAccountToken parses a Kubernetes service account token
func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error) {
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
var claims ServiceAccountClaims
_, _, err := parser.ParseUnverified(token, &claims)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion util/jwt/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"strings"
"time"

jwtgo "github.com/dgrijalva/jwt-go/v4"
jwtgo "github.com/golang-jwt/jwt/v4"
)

// MapClaims converts a jwt.Claims to a MapClaims
Expand Down
2 changes: 1 addition & 1 deletion util/jwt/jwt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"testing"
"time"

jwt "github.com/dgrijalva/jwt-go/v4"
jwt "github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
)

Expand Down
10 changes: 4 additions & 6 deletions util/localconfig/localconfig.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"path"
"strings"

"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"

configUtil "github.com/argoproj/argo-cd/v2/util/config"
)
Expand Down Expand Up @@ -65,11 +65,9 @@ type User struct {
}

// Claims returns the standard claims from the JWT claims
func (u *User) Claims() (*jwt.StandardClaims, error) {
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
claims := jwt.StandardClaims{}
func (u *User) Claims() (*jwt.RegisteredClaims, error) {
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
claims := jwt.RegisteredClaims{}
_, _, err := parser.ParseUnverified(u.AuthToken, &claims)
if err != nil {
return nil, err
Expand Down
2 changes: 1 addition & 1 deletion util/oidc/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ import (
"time"

gooidc "github.com/coreos/go-oidc"
"github.com/dgrijalva/jwt-go/v4"
"github.com/golang-jwt/jwt/v4"
log "github.com/sirupsen/logrus"
"golang.org/x/oauth2"

Expand Down
2 changes: 1 addition & 1 deletion util/rbac/rbac.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ import (
"github.com/casbin/casbin/v2"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/util"
jwt "github.com/dgrijalva/jwt-go/v4"
jwt "github.com/golang-jwt/jwt/v4"
gocache "github.com/patrickmn/go-cache"
log "github.com/sirupsen/logrus"
"google.golang.org/grpc/codes"
Expand Down
Loading