From 34840a227a66d0480103e3d1e6d5a69ee6868ada Mon Sep 17 00:00:00 2001
From: Antoine Jouve
Date: Fri, 5 Jan 2024 12:06:43 +0100
Subject: [PATCH 1/3] feat: update to golang-jwt v5.2.0
Signed-off-by: Antoine Jouve
---
 src/core/service/token/authutils.go | 2 +-
 src/core/service/token/token_test.go | 2 +-
 src/go.mod | 2 +-
 src/go.sum | 2 ++
 src/pkg/token/claims/robot/robot.go | 2 +-
 src/pkg/token/claims/v2/claims.go | 7 +++++--
 src/pkg/token/claims/v2/claims_test.go | 2 +-
 src/pkg/token/option_test.go | 2 +-
 src/pkg/token/options.go | 2 +-
 src/pkg/token/token.go | 9 ++++++---
 src/pkg/token/token_test.go | 2 +-
 src/server/middleware/security/v2_token.go | 13 +++++++------
 12 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/src/core/service/token/authutils.go b/src/core/service/token/authutils.go
index 2597270896ac..da392b19b378 100644
--- a/src/core/service/token/authutils.go
+++ b/src/core/service/token/authutils.go
@@ -22,7 +22,7 @@ import (
 "github.com/docker/distribution/registry/auth/token"
 "github.com/docker/libtrust"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/goharbor/harbor/src/common/models"
 "github.com/goharbor/harbor/src/common/security"
diff --git a/src/core/service/token/token_test.go b/src/core/service/token/token_test.go
index 6525df9c6170..f0881904e4ad 100644
--- a/src/core/service/token/token_test.go
+++ b/src/core/service/token/token_test.go
@@ -27,7 +27,7 @@ import (
 "testing"
 "github.com/docker/distribution/registry/auth/token"
- jwt "github.com/golang-jwt/jwt/v4"
+ jwt "github.com/golang-jwt/jwt/v5"
 "github.com/stretchr/testify/assert"
 "github.com/goharbor/harbor/src/common/rbac"
diff --git a/src/go.mod b/src/go.mod
index db6c8017bb1f..a7125e6f606f 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -30,7 +30,7 @@ require (
 github.com/go-redis/redis/v8 v8.11.4
 github.com/gocarina/gocsv v0.0.0-20210516172204-ca9e8a8ddea8
 github.com/gocraft/work v0.5.1
- github.com/golang-jwt/jwt/v4 v4.5.0
+ github.com/golang-jwt/jwt/v5 v5.2.0
 github.com/golang-migrate/migrate/v4 v4.16.2
 github.com/gomodule/redigo v2.0.0+incompatible
 github.com/google/uuid v1.3.1
diff --git a/src/go.sum b/src/go.sum
index aceda6828cbe..5204c53714c7 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -301,6 +301,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.16.2 h1:8coYbMKUyInrFk1lfGfRovTLAW7PhWp8qQDT2iKfuoA=
 github.com/golang-migrate/migrate/v4 v4.16.2/go.mod h1:pfcJX4nPHaVdc5nmdCikFBWtm+UBpiZjRNNsyBbp0/o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
diff --git a/src/pkg/token/claims/robot/robot.go b/src/pkg/token/claims/robot/robot.go
index 11de0bd7ea76..7fb724a0c90b 100644
--- a/src/pkg/token/claims/robot/robot.go
+++ b/src/pkg/token/claims/robot/robot.go
@@ -17,7 +17,7 @@ package robot
 import (
 "errors"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/goharbor/harbor/src/pkg/permission/types"
 )
diff --git a/src/pkg/token/claims/v2/claims.go b/src/pkg/token/claims/v2/claims.go
index 687c6af61ba5..0af2ef30f041 100644
--- a/src/pkg/token/claims/v2/claims.go
+++ b/src/pkg/token/claims/v2/claims.go
@@ -17,9 +17,10 @@ package v2
 import (
 "crypto/subtle"
 "fmt"
+ "time"
 "github.com/docker/distribution/registry/auth/token"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 )
 func init() {
@@ -39,7 +40,9 @@ type Claims struct {
 }
 // Valid checks if the issuer is harbor
 func (c *Claims) Valid() error {
- if err := c.RegisteredClaims.Valid(); err != nil {
+ var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+
+ if err := v.Validate(c.RegisteredClaims); err != nil {
 return err
 }
 if subtle.ConstantTimeCompare([]byte(c.Issuer), []byte(Issuer)) == 0 {
diff --git a/src/pkg/token/claims/v2/claims_test.go b/src/pkg/token/claims/v2/claims_test.go
index 6af09ae22813..6d107b3cc3f3 100644
--- a/src/pkg/token/claims/v2/claims_test.go
+++ b/src/pkg/token/claims/v2/claims_test.go
@@ -4,7 +4,7 @@ import (
 "testing"
 "github.com/docker/distribution/registry/auth/token"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/stretchr/testify/assert"
 )
diff --git a/src/pkg/token/option_test.go b/src/pkg/token/option_test.go
index 5139afbd107c..2d23c1040143 100644
--- a/src/pkg/token/option_test.go
+++ b/src/pkg/token/option_test.go
@@ -3,7 +3,7 @@ package token
 import (
 "testing"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/stretchr/testify/assert"
 )
diff --git a/src/pkg/token/options.go b/src/pkg/token/options.go
index 0c8fe614b161..7f639dfdc386 100644
--- a/src/pkg/token/options.go
+++ b/src/pkg/token/options.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "os"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/goharbor/harbor/src/lib/config"
 "github.com/goharbor/harbor/src/lib/log"
diff --git a/src/pkg/token/token.go b/src/pkg/token/token.go
index fe95421a8d44..64d1095030cb 100644
--- a/src/pkg/token/token.go
+++ b/src/pkg/token/token.go
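Review bot: `(*Claims).Valid` is no longer reached by the library after this change: jwt/v5 dropped `Valid()` from the `jwt.Claims` interface, and both its parser and `Validator` only call a `Validate() error` method on types that implement `jwt.ClaimsValidator`, so the `subtle.ConstantTimeCompare` issuer check that follows the validator call here is silently skipped by `ParseWithClaims`. Within this series every call site that used to reach `Valid()` through the interface (`token.New`, `Generate`) now calls `Validator.Validate` instead, so nothing visible invokes it any more. Rename it so v5 picks it up, `func (c *Claims) Validate() error {`, and keep `func (c *Claims) Valid() error { return c.Validate() }` if code outside this patch still calls the old name; `c.RegisteredClaims` is a plain `jwt.RegisteredClaims` value without a `Validate` method, so the inner `v.Validate` call will not recurse. The method body continues past the end of the hunk.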
@@ -19,8 +19,9 @@ import (
 "crypto/rsa"
 "errors"
 "fmt"
+ "time"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/goharbor/harbor/src/lib/log"
 )
@@ -34,7 +35,8 @@ type Token struct {
 // New ...
 func New(opt *Options, claims jwt.Claims) (*Token, error) {
- err := claims.Valid()
+ var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+ err := v.Validate(claims)
 if err != nil {
 return nil, err
 }
@@ -65,7 +67,8 @@ func Parse(opt *Options, rawToken string, claims jwt.Claims) (*Token, error) {
 if err != nil {
 return nil, err
 }
- token, err := jwt.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) {
+ var parser = jwt.NewParser(jwt.WithLeeway(time.Duration(10)*time.Second))
+ token, err := parser.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) {
 if token.Method.Alg() != opt.SignMethod.Alg() {
 return nil, errors.New("invalid signing method")
 }
diff --git a/src/pkg/token/token_test.go b/src/pkg/token/token_test.go
index fa87d7518274..b1248443a418 100644
--- a/src/pkg/token/token_test.go
+++ b/src/pkg/token/token_test.go
@@ -5,7 +5,7 @@ import (
 "testing"
 "time"
- jwt "github.com/golang-jwt/jwt/v4"
+ jwt "github.com/golang-jwt/jwt/v5"
 "github.com/stretchr/testify/assert"
 "github.com/goharbor/harbor/src/lib/config"
diff --git a/src/server/middleware/security/v2_token.go b/src/server/middleware/security/v2_token.go
index a4b4a30692e3..91eb10fe71d4 100644
--- a/src/server/middleware/security/v2_token.go
+++ b/src/server/middleware/security/v2_token.go
@@ -15,9 +15,11 @@ package security
 import (
- "fmt"
 "net/http"
 "strings"
+ "time"
+
+ "github.com/golang-jwt/jwt/v5"
 registry_token "github.com/docker/distribution/registry/auth/token"
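Review bot: `New` used to run the claim type's own `Valid()` before signing, which for the types in this series covered the issuer and the non-nil `access` list; `v.Validate(claims)` only runs such checks when the type implements `jwt.ClaimsValidator` (a `Validate() error` method), which none of the `Valid()` methods in this series do, so claims that previously failed issuance will now be signed. Renaming those methods to `Validate` restores the behaviour here without further changes to `New`. Inside a function body the idiomatic spelling is `v := jwt.NewValidator(jwt.WithLeeway(10*time.Second))` rather than `var v = …`.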
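Review bot: The 10-second leeway introduced here is a behaviour change the patch does not document: if I recall v4 correctly, `RegisteredClaims.Valid()` tolerated no clock skew, so tokens are now honoured for 10s past `exp` and 10s before `nbf`, and the same literal is copied into five places across the series in two spellings (`10*time.Second` and `time.Duration(10)*time.Second`). Define it once in this package, `// claimsLeeway bounds the clock skew tolerated between the token issuer and this verifier.` followed by `const claimsLeeway = 10 * time.Second`, and use it from both `New` and `Parse`. While touching the parser, pin the algorithm on it as well, `var parser = jwt.NewParser(jwt.WithLeeway(claimsLeeway), jwt.WithValidMethods([]string{opt.SignMethod.Alg()}))`, so an unexpected `alg` is rejected before the keyfunc runs; the existing `token.Method.Alg()` comparison in the keyfunc can stay as defence in depth. `Parse` continues past the end of the hunk.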
@@ -35,12 +37,10 @@ type v2TokenClaims struct {
 }
 func (vtc *v2TokenClaims) Valid() error {
- if err := vtc.Claims.Valid(); err != nil {
+ var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second), jwt.WithAudience(svc_token.Registry))
+ if err := v.Validate(vtc.Claims); err != nil {
 return err
 }
- if !vtc.VerifyAudience(svc_token.Registry, true) {
- return fmt.Errorf("invalid token audience: %s", vtc.Audience)
- }
 return nil
 }
@@ -67,7 +67,8 @@ func (vt *v2Token) Generate(req *http.Request) security.Context {
 logger.Warningf("failed to decode bearer token: %v", err)
 return nil
 }
- if err := t.Claims.Valid(); err != nil {
+ var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+ if err := v.Validate(t.Claims); err != nil {
 logger.Warningf("failed to decode bearer token: %v", err)
 return nil
 }
From 0ce3667d1ee66329b22873893fb7cccfd8c9b91d Mon Sep 17 00:00:00 2001
From: Antoine Jouve
Date: Fri, 5 Jan 2024 14:33:02 +0100
Subject: [PATCH 2/3] fix: module issues and robot claims
Signed-off-by: Antoine Jouve
---
 src/go.mod | 9 +++++----
 src/go.sum | 8 ++++----
 src/pkg/token/claims/robot/robot.go | 5 +++--
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/go.mod b/src/go.mod
index a7125e6f606f..6a04e52f0e4a 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -21,12 +21,12 @@ require (
 github.com/go-asn1-ber/asn1-ber v1.5.1
 github.com/go-ldap/ldap/v3 v3.2.4
 github.com/go-openapi/errors v0.20.4
- github.com/go-openapi/loads v0.19.5 // indirect
+ github.com/go-openapi/loads v0.19.5
 github.com/go-openapi/runtime v0.19.20
- github.com/go-openapi/spec v0.19.8 // indirect
+ github.com/go-openapi/spec v0.19.8
 github.com/go-openapi/strfmt v0.19.5
 github.com/go-openapi/swag v0.19.14
- github.com/go-openapi/validate v0.19.10 // indirect
+ github.com/go-openapi/validate v0.19.10
 github.com/go-redis/redis/v8 v8.11.4
 github.com/gocarina/gocsv v0.0.0-20210516172204-ca9e8a8ddea8
 github.com/gocraft/work v0.5.1
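Review bot: The audience check is lost on this path: `Generate` previously reached `(*v2TokenClaims).Valid()` through the interface, which is where the `svc_token.Registry` audience was enforced, but the replacement validator on the changed line carries only `WithLeeway`, and jwt/v5 neither calls `Valid()` itself nor treats it as `jwt.ClaimsValidator` (that needs a `Validate()` method), so the `WithAudience` validator built in the hunk above appears unreachable from here. A token signed with Harbor's key for a different audience would now pass this check. Minimal fix on the line shown: `var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second), jwt.WithAudience(svc_token.Registry))`; the cleaner fix is to rename the method to `Validate()` so `token.Parse` enforces the audience automatically, at which point this explicit call becomes redundant. I cannot see the `v2TokenClaims` definition here; if its embedded `Claims` is `v2.Claims`, that type's issuer check is affected in the same way. `Generate` continues outside the hunk.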
@@ -66,7 +66,7 @@ require (
 golang.org/x/oauth2 v0.13.0
 golang.org/x/sync v0.3.0
 golang.org/x/text v0.14.0
- golang.org/x/time v0.5.0
+ golang.org/x/time v0.4.0
 gopkg.in/h2non/gock.v1 v1.0.16
 gopkg.in/yaml.v2 v2.4.0
 helm.sh/helm/v3 v3.11.3
@@ -109,6 +109,7 @@ require (
 github.com/go-openapi/jsonreference v0.20.0 // indirect
 github.com/go-stack/stack v1.8.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 github.com/golang/protobuf v1.5.3 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
diff --git a/src/go.sum b/src/go.sum
index 5204c53714c7..98f1b75dc4ba 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -299,8 +299,8 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
 github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.16.2 h1:8coYbMKUyInrFk1lfGfRovTLAW7PhWp8qQDT2iKfuoA=
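Review bot: These two go.mod hunks downgrade rather than upgrade: `golang.org/x/time` moves from v0.5.0 to v0.4.0, and `github.com/golang-jwt/jwt/v4` reappears as an indirect requirement at v4.4.2, below the v4.5.0 the module required before this series. Both look like the output of `go mod tidy` run against a different toolchain or module cache rather than intentional changes, and a dependency-upgrade PR should not silently move a JWT library backwards; either restore `github.com/golang-jwt/jwt/v4 v4.5.0 // indirect` and `golang.org/x/time v0.5.0`, or state in the commit message why the lower versions are wanted. Running `go mod why -m github.com/golang-jwt/jwt/v4` and recording which transitive dependency still pulls v4 would be worthwhile, since the stated goal of the series is to stop depending on it. The `// indirect` markers dropped from the go-openapi lines in the previous hunk are a side effect of the same tidy and are unrelated to the patch's subject.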
@@ -915,8 +915,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.4.0 h1:Z81tqI5ddIoXDPvVQ7/7CC9TnLM7ubaFG2qXYd5BbYY=
+golang.org/x/time v0.4.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/src/pkg/token/claims/robot/robot.go b/src/pkg/token/claims/robot/robot.go
index 7fb724a0c90b..9cd9160fe494 100644
--- a/src/pkg/token/claims/robot/robot.go
+++ b/src/pkg/token/claims/robot/robot.go
@@ -45,8 +45,9 @@ func (rc Claim) Valid() error {
 if rc.Access == nil {
 return errors.New("the access info cannot be nil")
 }
- stdErr := rc.RegisteredClaims.Valid()
- if stdErr != nil {
+ var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+
+ if stdErr := v.Validate(rc.RegisteredClaims); stdErr != nil {
 return stdErr
 }
 return nil
From 85355341c2d176861b98e6936507288a312091c0 Mon Sep 17 00:00:00 2001
From: Antoine Jouve
Date: Tue, 9 Jan 2024 14:10:40 +0100
Subject: [PATCH 3/3] fix: add missing time import
Signed-off-by: Antoine Jouve
---
 src/pkg/token/claims/robot/robot.go | 1 +
 src/pkg/token/claims/v2/claims.go | 2 +-
 src/server/middleware/security/v2_token.go | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
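Review bot: Same problem as the other claim types in this series: `Claim.Valid()` is not part of jwt/v5's `jwt.Claims` interface, so neither `ParseWithClaims` nor `Validator.Validate` will call it, and the `rc.Access == nil` guard at the top of the hunk only runs for callers that invoke `Valid()` by name. A robot token with no `access` list would therefore parse as valid unless a caller outside this diff still calls `Valid()` directly, which I cannot confirm from here. Rename it to `func (rc Claim) Validate() error {` so the type satisfies `jwt.ClaimsValidator` and the parser runs it; `rc.RegisteredClaims` is a plain `jwt.RegisteredClaims`, so the inner `v.Validate` will not recurse. Style-wise, `v := jwt.NewValidator(…)` is the idiomatic form inside a function body and `stdErr` can simply be `err`.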
diff --git a/src/pkg/token/claims/robot/robot.go b/src/pkg/token/claims/robot/robot.go
index 9cd9160fe494..7fbd9c312522 100644
--- a/src/pkg/token/claims/robot/robot.go
+++ b/src/pkg/token/claims/robot/robot.go
@@ -16,6 +16,7 @@ package robot
 import (
 "errors"
+ "time"
 "github.com/golang-jwt/jwt/v5"
diff --git a/src/pkg/token/claims/v2/claims.go b/src/pkg/token/claims/v2/claims.go
index 0af2ef30f041..f46815cd5cfa 100644
--- a/src/pkg/token/claims/v2/claims.go
+++ b/src/pkg/token/claims/v2/claims.go
@@ -40,7 +40,7 @@ type Claims struct {
 // Valid checks if the issuer is harbor
 func (c *Claims) Valid() error {
- var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+ var v = jwt.NewValidator(jwt.WithLeeway(10 * time.Second))
 if err := v.Validate(c.RegisteredClaims); err != nil {
 return err
diff --git a/src/server/middleware/security/v2_token.go b/src/server/middleware/security/v2_token.go
index 91eb10fe71d4..63eeb49f2c2a 100644
--- a/src/server/middleware/security/v2_token.go
+++ b/src/server/middleware/security/v2_token.go
@@ -67,7 +67,7 @@ func (vt *v2Token) Generate(req *http.Request) security.Context {
 logger.Warningf("failed to decode bearer token: %v", err)
 return nil
 }
- var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+ var v = jwt.NewValidator(jwt.WithLeeway(10 * time.Second))
 if err := v.Validate(t.Claims); err != nil {
 logger.Warningf("failed to decode bearer token: %v", err)
 return nil