Migrate away from square jwt to community jwt, including api changes (#…
…243)

* Migrate away from square jwt to community jwt, including api changes
cviecco authored Aug 13, 2024
1 parent 6a6df7c commit 35a5f3d
Showing 8 changed files with 97 additions and 92 deletions.
7 changes: 4 additions & 3 deletions cmd/keymasterd/authToken.go
Expand Up @@ -8,8 +8,9 @@ import (

"github.com/Cloud-Foundations/keymaster/lib/instrumentedwriter"
"github.com/Cloud-Foundations/keymaster/lib/paths"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"

"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"
)

func (state *RuntimeState) generateAuthJWT(username string) (string, error) {
Expand All @@ -32,7 +33,7 @@ func (state *RuntimeState) generateAuthJWT(username string) (string, error) {
IssuedAt: now,
TokenType: "keymaster_webauth_for_cli_identity",
}
return jwt.Signed(signer).Claims(authToken).CompactSerialize()
return jwt.Signed(signer).Claims(authToken).Serialize()
}

func (state *RuntimeState) SendAuthDocumentHandler(w http.ResponseWriter,
14 changes: 7 additions & 7 deletions cmd/keymasterd/idp_oidc.go
Expand Up @@ -19,8 +19,8 @@ import (

"github.com/Cloud-Foundations/keymaster/lib/authutil"
"github.com/Cloud-Foundations/keymaster/lib/instrumentedwriter"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"
)

//For minimal openid connect interaface and easy config we need 5 enpoints
Expand Down Expand Up @@ -491,7 +491,7 @@ func (state *RuntimeState) idpOpenIDCAuthorizationHandler(w http.ResponseWriter,
}
logger.Debugf(3, "auth request is valid, now proceeding to generate redirect")

raw, err := jwt.Signed(signer).Claims(codeToken).CompactSerialize()
raw, err := jwt.Signed(signer).Claims(codeToken).Serialize()
if err != nil {
panic(err)
}
Expand Down Expand Up @@ -592,7 +592,7 @@ func (state *RuntimeState) idpOpenIDCTokenHandler(w http.ResponseWriter, r *http
return

}
tok, err := jwt.ParseSigned(codeString)
tok, err := jwt.ParseSigned(codeString, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
logger.Printf("err=%s", err)
state.writeFailureResponse(w, r, http.StatusBadRequest, "bad code")
Expand Down Expand Up @@ -741,7 +741,7 @@ func (state *RuntimeState) idpOpenIDCTokenHandler(w http.ResponseWriter, r *http
idToken.Expiration = keymasterToken.AuthExpiration
idToken.IssuedAt = time.Now().Unix()

signedIdToken, err := jwt.Signed(signer).Claims(idToken).CompactSerialize()
signedIdToken, err := jwt.Signed(signer).Claims(idToken).Serialize()
if err != nil {
log.Printf("error signing idToken in idpOpenIDCTokenHandler,: %s", err)
state.writeFailureResponse(w, r, http.StatusInternalServerError, "Internal Error")
Expand All @@ -756,7 +756,7 @@ func (state *RuntimeState) idpOpenIDCTokenHandler(w http.ResponseWriter, r *http
if len(keymasterToken.AccessAudience) > 0 {
accessToken.Audience = append(keymasterToken.AccessAudience, state.idpGetIssuer()+idpOpenIDCUserinfoPath)
}
signedAccessToken, err := jwt.Signed(signer).Claims(accessToken).CompactSerialize()
signedAccessToken, err := jwt.Signed(signer).Claims(accessToken).Serialize()
if err != nil {
log.Printf("error signing accessToken in idpOpenIDCTokenHandler: %s", err)
state.writeFailureResponse(w, r, http.StatusInternalServerError, "Internal Error")
Expand Down Expand Up @@ -927,7 +927,7 @@ func (state *RuntimeState) idpOpenIDCUserinfoHandler(w http.ResponseWriter,
"Missing access token")
return
}
tok, err := jwt.ParseSigned(accessToken)
tok, err := jwt.ParseSigned(accessToken, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
logger.Printf("err=%s", err)
state.writeFailureResponse(w, r, http.StatusBadRequest,
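Review bot: The allowlist `[]jose.SignatureAlgorithm{jose.RS256}` handed to ParseSigned in idpOpenIDCTokenHandler and idpOpenIDCUserinfoHandler is written independently of how `signer` is constructed, and signer construction is outside this hunk, so nothing visible here ties the accepted algorithm to the key that actually signs the code, id and access tokens; if the IdP key were ever switched to an ECDSA or Ed25519 key, every token this server issues would come back as "bad code" at parse time instead of failing loudly at startup. A single package-level `var jwtSigningAlgorithms = []jose.SignatureAlgorithm{jose.RS256}` used both when building the signer and at each ParseSigned call would keep the two from drifting. Separately, the `panic(err)` after `Serialize()` in idpOpenIDCAuthorizationHandler is the only non-returning failure path in this hunk; a signing failure inside an HTTP handler should log and `state.writeFailureResponse(w, r, http.StatusInternalServerError, "Internal Error")` as the token handler already does. All three enclosing handlers begin and end outside the hunk.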
7 changes: 4 additions & 3 deletions cmd/keymasterd/idp_oidc_test.go
Expand Up @@ -13,8 +13,9 @@ import (
"testing"

"github.com/Cloud-Foundations/Dominator/lib/log/debuglogger"
"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"
cv "github.com/nirasan/go-oauth-pkce-code-verifier"
"gopkg.in/square/go-jose.v2/jwt"
)

func init() {
Expand Down Expand Up @@ -159,7 +160,7 @@ func TestIDPOpenIDCAuthorizationHandlerSuccess(t *testing.T) {
}
rCode := location.Query().Get("code")
t.Logf("rCode=%s", rCode)
tok, err := jwt.ParseSigned(rCode)
tok, err := jwt.ParseSigned(rCode, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -585,7 +586,7 @@ func TestIDPOpenIDCPKCEFlowWithAudienceSuccess(t *testing.T) {
t.Logf("resultAccessToken='%+v'", resultAccessToken)

// lets parse the access token to ensure the requested audience is there.
tok, err := jwt.ParseSigned(resultAccessToken.AccessToken)
tok, err := jwt.ParseSigned(resultAccessToken.AccessToken, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
t.Fatal(err)
}
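Review bot: Both updated tests only exercise the happy path of the new algorithm-restricted ParseSigned; the reason the v4 API demands an allowlist is to reject algorithm-confusion tokens, and nothing in this file asserts that rejection actually happens. Add a negative case that signs a code or access token with a non-RS256 algorithm (for example a signer built from `jose.SigningKey{Algorithm: jose.HS256, Key: []byte("not-the-idp-key")}`) and asserts that `jwt.ParseSigned(raw, []jose.SignatureAlgorithm{jose.RS256})` returns an error and that the token endpoint answers 400 rather than minting an id_token, matching the "bad code" path the handler takes on a parse failure. Both enclosing test functions start and end outside the hunk.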
18 changes: 10 additions & 8 deletions cmd/keymasterd/jwt.go
Expand Up @@ -7,9 +7,9 @@ import (
"fmt"
"time"

"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"
"golang.org/x/crypto/ssh"
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
)

// This actually gets the SSH key fingerprint
Expand Down Expand Up @@ -46,6 +46,8 @@ func (state *RuntimeState) JWTClaims(t *jwt.JSONWebToken, dest ...interface{}) (
return err
}

//func (state *RuntimeState) getJoseSignerFromSigner(

func (state *RuntimeState) genNewSerializedAuthJWT(username string,
authLevel int, durationSeconds int64) (string, error) {
signerOptions := (&jose.SignerOptions{}).WithType("JWT")
Expand All @@ -59,7 +61,7 @@ func (state *RuntimeState) genNewSerializedAuthJWT(username string,
authToken.NotBefore = time.Now().Unix()
authToken.IssuedAt = authToken.NotBefore
authToken.Expiration = authToken.IssuedAt + durationSeconds
return jwt.Signed(signer).Claims(authToken).CompactSerialize()
return jwt.Signed(signer).Claims(authToken).Serialize()
}

func (state *RuntimeState) getAuthInfoFromAuthJWT(serializedToken string) (
Expand All @@ -69,7 +71,7 @@ func (state *RuntimeState) getAuthInfoFromAuthJWT(serializedToken string) (

func (state *RuntimeState) getAuthInfoFromJWT(serializedToken,
tokenType string) (rvalue authInfo, err error) {
tok, err := jwt.ParseSigned(serializedToken)
tok, err := jwt.ParseSigned(serializedToken, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
return rvalue, err
}
Expand Down Expand Up @@ -100,7 +102,7 @@ func (state *RuntimeState) updateAuthJWTWithNewAuthLevel(intoken string, newAuth
return "", err
}

tok, err := jwt.ParseSigned(intoken)
tok, err := jwt.ParseSigned(intoken, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
return "", err
}
Expand All @@ -117,7 +119,7 @@ func (state *RuntimeState) updateAuthJWTWithNewAuthLevel(intoken string, newAuth
return "", err
}
parsedJWT.AuthType = newAuthLevel
return jwt.Signed(signer).Claims(parsedJWT).CompactSerialize()
return jwt.Signed(signer).Claims(parsedJWT).Serialize()
}

func (state *RuntimeState) genNewSerializedStorageStringDataJWT(username string, dataType int, data string, expiration int64) (string, error) {
Expand All @@ -134,11 +136,11 @@ func (state *RuntimeState) genNewSerializedStorageStringDataJWT(username string,
storageToken.IssuedAt = storageToken.NotBefore
storageToken.Expiration = expiration

return jwt.Signed(signer).Claims(storageToken).CompactSerialize()
return jwt.Signed(signer).Claims(storageToken).Serialize()
}

func (state *RuntimeState) getStorageDataFromStorageStringDataJWT(serializedToken string) (rvalue storageStringDataJWT, err error) {
tok, err := jwt.ParseSigned(serializedToken)
tok, err := jwt.ParseSigned(serializedToken, []jose.SignatureAlgorithm{jose.RS256})
if err != nil {
return rvalue, err
}
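Review bot: The line `//func (state *RuntimeState) getJoseSignerFromSigner(` added just above genNewSerializedAuthJWT is a commented-out, unfinished declaration; either implement it or drop it, since dead commented code sitting next to the signing helpers will only confuse the next reader. The same literal allowlist `[]jose.SignatureAlgorithm{jose.RS256}` is now repeated at the three ParseSigned calls in this file (getAuthInfoFromJWT, updateAuthJWTWithNewAuthLevel, getStorageDataFromStorageStringDataJWT); define it once near JWTClaims as `var jwtAllowedSignatureAlgorithms = []jose.SignatureAlgorithm{jose.RS256}` and pass that, so a future change of key type is a one-line edit rather than a hunt across files. The allowlist only constrains the header `alg`; the claim checks for these tokens (expiry, token type) sit outside the hunk, so I cannot confirm them here.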
6 changes: 3 additions & 3 deletions cmd/keymasterd/jwt_test.go
Expand Up @@ -5,8 +5,8 @@ import (
"testing"
"time"

"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
"github.com/go-jose/go-jose/v4"
"github.com/go-jose/go-jose/v4/jwt"
)

func testONLYGenerateAuthJWT(state *RuntimeState, username string, authLevel int, issuer string, audience []string) (string, error) {
Expand All @@ -20,7 +20,7 @@ func testONLYGenerateAuthJWT(state *RuntimeState, username string, authLevel int
authToken.NotBefore = time.Now().Unix()
authToken.IssuedAt = authToken.NotBefore
authToken.Expiration = authToken.IssuedAt + maxAgeSecondsAuthCookie // TODO seek the actual duration
return jwt.Signed(signer).Claims(authToken).CompactSerialize()
return jwt.Signed(signer).Claims(authToken).Serialize()
}

func TestJWTAudtienceAuthToken(t *testing.T) {
44 changes: 22 additions & 22 deletions go.mod
Expand Up @@ -11,17 +11,18 @@ require (
github.com/Cloud-Foundations/golib v0.5.0
github.com/Cloud-Foundations/npipe v0.0.0-20191222161149-761e85df1f92
github.com/Cloud-Foundations/tricorder v0.0.0-20191102180116-cf6bbf6d0168
github.com/aws/aws-sdk-go v1.54.10
github.com/aws/aws-sdk-go-v2 v1.30.0
github.com/aws/aws-sdk-go-v2/config v1.27.22
github.com/aws/aws-sdk-go-v2/service/organizations v1.29.0
github.com/aws/aws-sdk-go-v2/service/sts v1.30.0
github.com/aws/aws-sdk-go v1.55.5
github.com/aws/aws-sdk-go-v2 v1.30.3
github.com/aws/aws-sdk-go-v2/config v1.27.27
github.com/aws/aws-sdk-go-v2/service/organizations v1.30.2
github.com/aws/aws-sdk-go-v2/service/sts v1.30.3
github.com/bearsh/hid v1.5.0
github.com/cloudflare/cfssl v1.6.5
github.com/cviecco/argon2 v0.0.0-20171122181119-1dc43e2eaa99
github.com/duo-labs/webauthn v0.0.0-20221205164246-ebaf9b74c6ec
github.com/flynn/u2f v0.0.0-20180613185708-15554eb68e5d
github.com/foomo/htpasswd v0.0.0-20200116085101-e3a90e78da9c
github.com/go-jose/go-jose/v4 v4.0.4
github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
github.com/lib/pq v1.10.9
github.com/marshallbrekka/go-u2fhost v0.0.0-20210111072507-3ccdec8c8105
Expand All @@ -31,12 +32,11 @@ require (
github.com/prometheus/client_golang v1.19.1
github.com/tstranex/u2f v1.0.0
github.com/vjeantet/ldapserver v1.0.1
golang.org/x/crypto v0.24.0
golang.org/x/net v0.26.0
golang.org/x/crypto v0.25.0
golang.org/x/net v0.27.0
golang.org/x/oauth2 v0.21.0
golang.org/x/term v0.21.0
golang.org/x/term v0.22.0
gopkg.in/ldap.v2 v2.5.1
gopkg.in/square/go-jose.v2 v2.6.0
gopkg.in/yaml.v2 v2.4.0
mvdan.cc/sh/v3 v3.8.0
)
Expand All @@ -45,11 +45,11 @@ require (
dario.cat/mergo v1.0.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/ProtonMail/go-crypto v1.0.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
github.com/cloudflare/circl v1.3.9 // indirect
github.com/cyphar/filepath-securejoin v0.2.5 // indirect
github.com/cyphar/filepath-securejoin v0.3.1 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
Expand All @@ -61,23 +61,23 @@ require (
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/skeema/knownhosts v1.2.2 // indirect
github.com/skeema/knownhosts v1.3.0 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
)

require (
github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.22 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
github.com/aws/smithy-go v1.20.3 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/boombuler/barcode v1.0.1 // indirect
github.com/boombuler/barcode v1.0.2 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/dchest/blake2b v1.0.0 // indirect
github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a // indirect
Expand All @@ -92,7 +92,7 @@ require (
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/time v0.5.0
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect