From c589df0197b511f05426b6c0ff8fb1074a17f519 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 12 Mar 2025 12:44:19 +0000 Subject: [PATCH 1/2] chore(deps/gomod): update module github.com/golang-jwt/jwt/v4 to v5 Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- app/kuma-dp/pkg/config/validate.go | 2 +- app/kumactl/cmd/generate/generate_dataplane_token_test.go | 2 +- app/kumactl/cmd/generate/generate_user_token_test.go | 2 +- app/kumactl/cmd/generate/generate_zone_token_test.go | 2 +- go.mod | 2 +- go.sum | 4 ++-- pkg/core/tokens/issuer.go | 2 +- pkg/core/tokens/issuer_test.go | 2 +- pkg/core/tokens/token.go | 2 +- pkg/core/tokens/validator.go | 2 +- pkg/plugins/authn/api-server/tokens/issuer/token.go | 2 +- pkg/tokens/builtin/issuer/issuer.go | 2 +- pkg/tokens/builtin/issuer/token.go | 2 +- pkg/tokens/builtin/zone/token.go | 2 +- 14 files changed, 15 insertions(+), 15 deletions(-) diff --git a/app/kuma-dp/pkg/config/validate.go b/app/kuma-dp/pkg/config/validate.go index 54ded42938b0..8ddbaed5f2ea 100644 --- a/app/kuma-dp/pkg/config/validate.go +++ b/app/kuma-dp/pkg/config/validate.go @@ -5,7 +5,7 @@ import ( "strings" "github.com/asaskevich/govalidator" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/pkg/errors" util_files "github.com/kumahq/kuma/pkg/util/files" diff --git a/app/kumactl/cmd/generate/generate_dataplane_token_test.go b/app/kumactl/cmd/generate/generate_dataplane_token_test.go index 690c096634e2..0f82cc85b4f8 100644 --- a/app/kumactl/cmd/generate/generate_dataplane_token_test.go +++ b/app/kumactl/cmd/generate/generate_dataplane_token_test.go @@ -7,7 +7,7 @@ import ( "path/filepath" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/spf13/cobra" 
diff --git a/app/kumactl/cmd/generate/generate_user_token_test.go b/app/kumactl/cmd/generate/generate_user_token_test.go index 5c883ca02163..76db383abb94 100644 --- a/app/kumactl/cmd/generate/generate_user_token_test.go +++ b/app/kumactl/cmd/generate/generate_user_token_test.go @@ -6,7 +6,7 @@ import ( "strings" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" diff --git a/app/kumactl/cmd/generate/generate_zone_token_test.go b/app/kumactl/cmd/generate/generate_zone_token_test.go index 4ce26a129fbd..053935fe7113 100644 --- a/app/kumactl/cmd/generate/generate_zone_token_test.go +++ b/app/kumactl/cmd/generate/generate_zone_token_test.go @@ -7,7 +7,7 @@ import ( "path/filepath" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/spf13/cobra" diff --git a/go.mod b/go.mod index c2bc090fd87e..7fbb6c5bbc19 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 github.com/goburrow/cache v0.1.4 - github.com/golang-jwt/jwt/v4 v4.5.1 + github.com/golang-jwt/jwt/v5 v5.2.1 github.com/golang-migrate/migrate/v4 v4.18.2 github.com/golang/protobuf v1.5.4 github.com/google/go-cmp v0.7.0 diff --git a/go.sum b/go.sum index 50ce3dc00456..b24fcb9a6e41 100644 --- a/go.sum +++ b/go.sum 
@@ -216,8 +216,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= -github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8= github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= diff --git a/pkg/core/tokens/issuer.go b/pkg/core/tokens/issuer.go index 5d7778279da6..f39dd2832ceb 100644 --- a/pkg/core/tokens/issuer.go +++ b/pkg/core/tokens/issuer.go @@ -4,7 +4,7 @@ import ( "context" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/pkg/errors" "github.com/kumahq/kuma/pkg/core" diff --git a/pkg/core/tokens/issuer_test.go b/pkg/core/tokens/issuer_test.go index 83f9eb355164..a8175f503b3e 100644 --- a/pkg/core/tokens/issuer_test.go +++ b/pkg/core/tokens/issuer_test.go @@ -4,7 +4,7 @@ import ( "context" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "google.golang.org/protobuf/types/known/wrapperspb" diff --git a/pkg/core/tokens/token.go b/pkg/core/tokens/token.go index cbbd6b1904be..eccb22270cf2 100644 --- a/pkg/core/tokens/token.go +++ b/pkg/core/tokens/token.go 
@@ -1,6 +1,6 @@ package tokens -import "github.com/golang-jwt/jwt/v4" +import "github.com/golang-jwt/jwt/v5" type Token = string diff --git a/pkg/core/tokens/validator.go b/pkg/core/tokens/validator.go index c3ebb7159191..37d89ddf13a8 100644 --- a/pkg/core/tokens/validator.go +++ b/pkg/core/tokens/validator.go @@ -7,7 +7,7 @@ import ( "fmt" "github.com/go-logr/logr" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/pkg/errors" store_config "github.com/kumahq/kuma/pkg/config/core/resources/store" diff --git a/pkg/plugins/authn/api-server/tokens/issuer/token.go b/pkg/plugins/authn/api-server/tokens/issuer/token.go index bf655255041e..4ae31666f426 100644 --- a/pkg/plugins/authn/api-server/tokens/issuer/token.go +++ b/pkg/plugins/authn/api-server/tokens/issuer/token.go @@ -1,7 +1,7 @@ package issuer import ( - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/kumahq/kuma/pkg/core/tokens" "github.com/kumahq/kuma/pkg/core/user" diff --git a/pkg/tokens/builtin/issuer/issuer.go b/pkg/tokens/builtin/issuer/issuer.go index 9b833edfca8b..e081d35d4e55 100644 --- a/pkg/tokens/builtin/issuer/issuer.go +++ b/pkg/tokens/builtin/issuer/issuer.go @@ -4,7 +4,7 @@ import ( "context" "time" - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" "github.com/kumahq/kuma/pkg/core/tokens" ) diff --git a/pkg/tokens/builtin/issuer/token.go b/pkg/tokens/builtin/issuer/token.go index a8c9f790336f..2eb36f4d00e4 100644 --- a/pkg/tokens/builtin/issuer/token.go +++ b/pkg/tokens/builtin/issuer/token.go @@ -1,7 +1,7 @@ package issuer import ( - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" "github.com/kumahq/kuma/pkg/core/tokens" diff --git a/pkg/tokens/builtin/zone/token.go b/pkg/tokens/builtin/zone/token.go index 63de2d8f2dae..fc3f9f5b8abf 100644 --- a/pkg/tokens/builtin/zone/token.go +++ b/pkg/tokens/builtin/zone/token.go 
@@ -1,7 +1,7 @@ package zone import ( - "github.com/golang-jwt/jwt/v4" + "github.com/golang-jwt/jwt/v5" core_tokens "github.com/kumahq/kuma/pkg/core/tokens" ) From e9bdbfb1396fd62b71c885b09f499989d3bbb3b7 Mon Sep 17 00:00:00 2001 From: Bart Smykla Date: Wed, 12 Mar 2025 14:17:04 +0100 Subject: [PATCH 2/2] refactor: adjust code to the changes in the dependency Signed-off-by: Bart Smykla --- app/kuma-dp/pkg/config/validate_test.go | 4 ++-- pkg/core/tokens/issuer_test.go | 10 +++++---- pkg/core/tokens/validator.go | 28 ++++++++++++++++--------- pkg/xds/auth/universal/auth_test.go | 6 +++--- 4 files changed, 29 insertions(+), 19 deletions(-) diff --git a/app/kuma-dp/pkg/config/validate_test.go b/app/kuma-dp/pkg/config/validate_test.go index 82b235ca3f42..a136295a920d 100644 --- a/app/kuma-dp/pkg/config/validate_test.go +++ b/app/kuma-dp/pkg/config/validate_test.go 
@@ -58,11 +58,11 @@ var _ = Describe("ValidateTokenPath", func() { }), Entry("can't parse token", testCase{ token: "yJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ.rdQ6l_6hzT93Kbk9kO-kZYY7BaexUH8QknvbdRy_f6s", - expectedError: "not valid JWT token. Can't parse it.: invalid character 'È' looking for beginning of value", + expectedError: "not valid JWT token. Can't parse it.: token is malformed: could not JSON decode header: invalid character 'È' looking for beginning of value", }), Entry("need 3 segments", testCase{ token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ", - expectedError: "not valid JWT token. Can't parse it.: token contains an invalid number of segments", + expectedError: "not valid JWT token. Can't parse it.: token is malformed: token contains an invalid number of segments", }), Entry("new line in the end", testCase{ token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ.rdQ6l_6hzT93Kbk9kO-kZYY7BaexUH8QknvbdRy_f6s\n", diff --git a/pkg/core/tokens/issuer_test.go b/pkg/core/tokens/issuer_test.go index a8175f503b3e..d187f4071d8d 100644 --- a/pkg/core/tokens/issuer_test.go +++ b/pkg/core/tokens/issuer_test.go @@ -66,14 +66,10 @@ var _ = Describe("Token issuer", func() { core.Now = func() time.Time { return now } - jwt.TimeFunc = func() time.Time { - return now - } }) AfterEach(func() { core.Now = time.Now - jwt.TimeFunc = time.Now }) Context("Global Scoped tokens", func() { @@ -89,6 +85,9 @@ var _ = Describe("Token issuer", func() { }, tokens.NewRevocations(secretManager, TokenRevocationsGlobalSecretKey), store_config.MemoryStore, + jwt.WithTimeFunc(func() time.Time { + return now + }), ) Expect(signingKeyManager.CreateDefaultSigningKey(ctx)).To(Succeed()) 
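Review bot: The two updated `expectedError` entries ("can't parse token" and "need 3 segments") pin the exact message text produced by the JWT library, which is why a dependency upgrade had to rewrite them. The same coupling shows in the three string updates in pkg/xds/auth/universal/auth_test.go. v5 exposes sentinel errors for these categories, so where the wrapping keeps the error chain the tests could assert the category instead, e.g. `Expect(errors.Is(err, jwt.ErrTokenMalformed)).To(BeTrue())`, and `jwt.ErrTokenSignatureInvalid` for the RSA verification case. Whether ValidateTokenPath and the xDS authenticator preserve the chain is not visible here, so confirm that before switching. The Describe block starts and ends outside the hunk.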
@@ -190,6 +189,9 @@ var _ = Describe("Token issuer", func() { }, tokens.NewRevocations(secretManager, TokenRevocationsSecretKey(core_model.DefaultMesh)), store_config.MemoryStore, + jwt.WithTimeFunc(func() time.Time { + return now + }), ) Expect(secretManager.Create(ctx, mesh.NewMeshResource(), core_store.CreateByKey(core_model.DefaultMesh, core_model.NoMesh))).To(Succeed()) diff --git a/pkg/core/tokens/validator.go b/pkg/core/tokens/validator.go index 37d89ddf13a8..e0ef14c695f3 100644 --- a/pkg/core/tokens/validator.go +++ b/pkg/core/tokens/validator.go @@ -19,18 +19,26 @@ type Validator interface { } type jwtTokenValidator struct { - keyAccessors []SigningKeyAccessor - revocations Revocations - storeType store_config.StoreType - log logr.Logger + keyAccessors []SigningKeyAccessor + revocations Revocations + storeType store_config.StoreType + log logr.Logger + parserOptions []jwt.ParserOption } -func NewValidator(log logr.Logger, keyAccessors []SigningKeyAccessor, revocations Revocations, storeType store_config.StoreType) Validator { +func NewValidator( + log logr.Logger, + keyAccessors []SigningKeyAccessor, + revocations Revocations, + storeType store_config.StoreType, + parserOptions ...jwt.ParserOption, +) Validator { return &jwtTokenValidator{ - log: log, - keyAccessors: keyAccessors, - revocations: revocations, - storeType: storeType, + log: log, + keyAccessors: keyAccessors, + revocations: revocations, + storeType: storeType, + parserOptions: parserOptions, } } @@ -69,7 +77,7 @@ func (j *jwtTokenValidator) ParseWithValidation(ctx context.Context, rawToken To default: return nil, fmt.Errorf("unsupported token alg %s. Allowed algorithms are %s and %s", token.Method.Alg(), jwt.SigningMethodRS256.Name, jwt.SigningMethodHS256) } - }) + }, j.parserOptions...) if err != nil { signingKeyError := &SigningKeyNotFound{} if errors2.As(err, &signingKeyError) { 
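Review bot: `NewValidator` now forwards arbitrary `jwt.ParserOption` values to the parser, and nothing in the hunk records that the parameter exists for clock injection in tests. The v5 option set includes ones that loosen validation, such as `jwt.WithoutClaimsValidation()` or a `jwt.WithTimeFunc` pinned to a past instant, so a later production caller could weaken token checks without touching this file. I would add a doc comment on the exported constructor, e.g. `// NewValidator returns a JWT Validator. parserOptions is intended for tests (clock injection via jwt.WithTimeFunc); production callers should pass none.`, or narrow the parameter to a `now func() time.Time` so only the clock can be overridden.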
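Review bot: The parse call now runs with only `j.parserOptions`, so production validators get v5's defaults, and v5 does not check `iat` unless `jwt.WithIssuedAt()` is passed, whereas v4's registered-claims validation rejected tokens issued in the future. If that rejection was relied on, restore it at the call site, e.g. `}, append([]jwt.ParserOption{jwt.WithIssuedAt()}, j.parserOptions...)...)`. If dropping it is intended (for instance to tolerate clock skew), a comment saying so would help. Separately, on the context line above, the last `%s` argument is `jwt.SigningMethodHS256` rather than its name, so the message likely prints the method struct; `jwt.SigningMethodHS256.Name` would match the RS256 argument. The enclosing method starts and ends outside the hunk.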
diff --git a/pkg/xds/auth/universal/auth_test.go b/pkg/xds/auth/universal/auth_test.go index 839ec7acf202..edc93db37de5 100644 --- a/pkg/xds/auth/universal/auth_test.go +++ b/pkg/xds/auth/universal/auth_test.go @@ -141,7 +141,7 @@ var _ = Describe("Authentication flow", func() { Name: "dp-1", }, dpRes: &dpRes, - err: "could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts. Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: crypto/rsa: verification error", + err: "could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts. Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token signature is invalid: crypto/rsa: verification error", }), Entry("on token with different tags", testCase{ id: builtin_issuer.DataplaneIdentity{ @@ -188,7 +188,7 @@ var _ = Describe("Authentication flow", func() { // then Expect(err.Error()).To(ContainSubstring("could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts." + - " Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token contains an invalid number of segments")) + " Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token is malformed: token contains an invalid number of segments")) }) It("should throw an error when signing key used for validation is different than for generation", func() { 
@@ -209,7 +209,7 @@ var _ = Describe("Authentication flow", func() { // then Expect(err.Error()).To(ContainSubstring("could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts." + - " Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: crypto/rsa: verification error")) + " Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token signature is invalid: crypto/rsa: verification error")) }) It("should throw an error when signing key is not found", func() {