Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Migrate to use golang-jwt/jwt v4.2.0 #8136

Merged
merged 3 commits into from
Jan 13, 2022

Conversation

terrytangyuan
Copy link
Member

@terrytangyuan terrytangyuan commented Jan 10, 2022

The original repo is no longer maintained, see dgrijalva/jwt-go#462. We also received fuzzing reports on this. Upgrading to v4.2.0 might fix some of the issues.

Signed-off-by: Yuan Tang [email protected]

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

@terrytangyuan
Copy link
Member Author

cc @jannfis @AdamKorcz

@AdamKorcz
Copy link

token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
settings, err := mgr.settingsMgr.GetSettings()
if err != nil {
return "", err
}
// workaround for https://github.com/argoproj/argo-cd/issues/5217
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexmt Since you originally added these in #5228. Could you help review this removal? Looks like since we are using the new method jwt.NewNumericDate, the precision will be in seconds.

// TimePrecision sets the precision of times and dates within this library.
// This has an influence on the precision of times when comparing expiry or
// other related time fields. Furthermore, it is also the precision of times
// when serializing.
//
// For backwards compatibility the default precision is set to seconds, so that
// no fractional timestamps are generated.
var TimePrecision = time.Second

// NumericDate represents a JSON numeric date value, as referenced at
// https://datatracker.ietf.org/doc/html/rfc7519#section-2.
type NumericDate struct {
	time.Time
}

// NewNumericDate constructs a new *NumericDate from a standard library time.Time struct.
// It will truncate the timestamp according to the precision specified in TimePrecision.
func NewNumericDate(t time.Time) *NumericDate {
	return &NumericDate{t.Truncate(TimePrecision)}
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the workaround that Alex has implemented was due to the fact that our JWTs contain integer timestamps, while the library worked with floats. Now they seem to support multiple precisions and have reverted to integers for the precision we require (seconds), which is nice :) To me, the removal of this workaround looks good.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jannfis Thanks for confirming! cc @alexmt to double check as well.

@terrytangyuan terrytangyuan requested a review from alexmt January 11, 2022 15:45
Signed-off-by: Yuan Tang <[email protected]>
@codecov
Copy link

codecov bot commented Jan 11, 2022

Codecov Report

Merging #8136 (9f21e8e) into master (27af0b4) will decrease coverage by 0.02%.
The diff coverage is 58.33%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #8136      +/-   ##
==========================================
- Coverage   41.53%   41.50%   -0.03%     
==========================================
  Files         174      174              
  Lines       22736    22717      -19     
==========================================
- Hits         9443     9429      -14     
+ Misses      11949    11945       -4     
+ Partials     1344     1343       -1     
Impacted Files Coverage Δ
cmd/argocd/commands/login.go 2.30% <0.00%> (+0.01%) ⬆️
cmd/argocd/commands/project_role.go 0.00% <ø> (ø)
server/logout/logout.go 77.77% <ø> (ø)
server/rbacpolicy/rbacpolicy.go 82.35% <ø> (ø)
server/server.go 54.76% <ø> (ø)
util/jwt/jwt.go 60.00% <ø> (ø)
util/localconfig/localconfig.go 3.12% <0.00%> (+0.03%) ⬆️
util/oidc/oidc.go 19.21% <ø> (ø)
util/rbac/rbac.go 76.50% <ø> (ø)
util/session/sessionmanager.go 68.75% <66.66%> (-1.37%) ⬇️
... and 3 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 27af0b4...9f21e8e. Read the comment docs.

Comment on lines -395 to +396
parser := &jwt.Parser{
ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
}
var claims jwt.StandardClaims
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
var claims jwt.RegisteredClaims
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wondering why we previously skipped audience validation, and now validate audience field?

Copy link
Member Author

@terrytangyuan terrytangyuan Jan 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, thanks for reminding me of this since I meant to double check on this change as well!

This is only because jwt.WithoutAudienceValidation() is no longer available in the new version of JWT client. Although I am not aware of the reason why the audience validation was skipped previously. If you have any suggestions here, please let me know!

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important to not validate audience (see #5253 and #5413). Apparently, https://github.com/golang-jwt/jwt does not validate the audience automatically , so it works just as we need right now.

They might re-introduce automatic validate in future golang-jwt/jwt#16 but we are good for now.

@jannfis
Copy link
Member

jannfis commented Jan 13, 2022

I have confirmed that this fixes the issue that OSS-Fuzz has complained about. After this PR has been merged, the fuzzer needs to be adapted to import github.com/golang-jwt/jwt/v4 instead of github.com/dgrijalva/jwt-go/v4

Copy link
Member

@jannfis jannfis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks a lot @terrytangyuan !

@AdamKorcz
Copy link

AdamKorcz commented Jan 13, 2022

the fuzzer needs to be adapted to import github.com/golang-jwt/jwt/v4 instead of github.com/dgrijalva/jwt-go/v4

I can do that.

Edit: Nevermind: cncf/cncf-fuzzing#61

Copy link
Collaborator

@alexmt alexmt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @terrytangyuan !

@alexmt alexmt merged commit d6f3f87 into argoproj:master Jan 13, 2022
@terrytangyuan terrytangyuan deleted the update-jwt branch January 13, 2022 21:30
@jannfis jannfis added the fuzzing Bugs detected by fuzzer label Jan 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fuzzing Bugs detected by fuzzer
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants