[Token/JWT] Update to golang-jwt v5.2.0

src/core/service/token/authutils.go

@@ -22,7 +22,7 @@ import (
 
 	"github.com/docker/distribution/registry/auth/token"
 	"github.com/docker/libtrust"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/security"

src/core/service/token/token_test.go

@@ -27,7 +27,7 @@ import (
 	"testing"
 
 	"github.com/docker/distribution/registry/auth/token"
-	jwt "github.com/golang-jwt/jwt/v4"
+	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/goharbor/harbor/src/common/rbac"

src/go.mod

@@ -30,7 +30,7 @@ require (
 	github.com/go-redis/redis/v8 v8.11.4
 	github.com/gocarina/gocsv v0.0.0-20210516172204-ca9e8a8ddea8
 	github.com/gocraft/work v0.5.1
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/golang-migrate/migrate/v4 v4.16.2
 	github.com/gomodule/redigo v2.0.0+incompatible
 	github.com/google/uuid v1.3.1

src/go.sum

@@ -301,6 +301,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.16.2 h1:8coYbMKUyInrFk1lfGfRovTLAW7PhWp8qQDT2iKfuoA=
 github.com/golang-migrate/migrate/v4 v4.16.2/go.mod h1:pfcJX4nPHaVdc5nmdCikFBWtm+UBpiZjRNNsyBbp0/o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

src/pkg/token/claims/robot/robot.go

@@ -17,7 +17,7 @@ package robot
 import (
 	"errors"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/goharbor/harbor/src/pkg/permission/types"
 )

src/pkg/token/claims/v2/claims.go

@@ -17,9 +17,10 @@ package v2
 import (
 	"crypto/subtle"
 	"fmt"
+	"time"
 
 	"github.com/docker/distribution/registry/auth/token"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 func init() {
@@ -39,7 +40,9 @@ type Claims struct {
 
 // Valid checks if the issuer is harbor
 func (c *Claims) Valid() error {
-	if err := c.RegisteredClaims.Valid(); err != nil {
+	var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+
+	if err := v.Validate(c.RegisteredClaims); err != nil {
 		return err
 	}
 	if subtle.ConstantTimeCompare([]byte(c.Issuer), []byte(Issuer)) == 0 {

src/pkg/token/claims/v2/claims_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 
 	"github.com/docker/distribution/registry/auth/token"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 )
 

src/pkg/token/option_test.go

@@ -3,7 +3,7 @@ package token
 import (
 	"testing"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 )
 

src/pkg/token/options.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/lib/log"

src/pkg/token/token.go

@@ -19,8 +19,9 @@ import (
 	"crypto/rsa"
 	"errors"
 	"fmt"
+	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/goharbor/harbor/src/lib/log"
 )
@@ -34,7 +35,8 @@ type Token struct {
 
 // New ...
 func New(opt *Options, claims jwt.Claims) (*Token, error) {
-	err := claims.Valid()
+	var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+	err := v.Validate(claims)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +67,8 @@ func Parse(opt *Options, rawToken string, claims jwt.Claims) (*Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	token, err := jwt.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) {
+	var parser = jwt.NewParser(jwt.WithLeeway(time.Duration(10)*time.Second))
+	token, err := parser.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) {
 		if token.Method.Alg() != opt.SignMethod.Alg() {
 			return nil, errors.New("invalid signing method")
 		}

src/pkg/token/token_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"
 
-	jwt "github.com/golang-jwt/jwt/v4"
+	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/goharbor/harbor/src/lib/config"

src/server/middleware/security/v2_token.go

@@ -15,9 +15,11 @@
 package security
 
 import (
-	"fmt"
 	"net/http"
 	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 
 	registry_token "github.com/docker/distribution/registry/auth/token"
 
@@ -35,12 +37,10 @@ type v2TokenClaims struct {
 }
 
 func (vtc *v2TokenClaims) Valid() error {
-	if err := vtc.Claims.Valid(); err != nil {
+	var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second), jwt.WithAudience(svc_token.Registry))
+	if err := v.Validate(vtc.Claims); err != nil {
 		return err
 	}
-	if !vtc.VerifyAudience(svc_token.Registry, true) {
-		return fmt.Errorf("invalid token audience: %s", vtc.Audience)
-	}
 	return nil
 }
 
@@ -67,7 +67,8 @@ func (vt *v2Token) Generate(req *http.Request) security.Context {
 		logger.Warningf("failed to decode bearer token: %v", err)
 		return nil
 	}
-	if err := t.Claims.Valid(); err != nil {
+	var v = jwt.NewValidator(jwt.WithLeeway(10*time.Second))
+	if err := v.Validate(t.Claims); err != nil {
 		logger.Warningf("failed to decode bearer token: %v", err)
 		return nil
 	}