From 13c73ea4d90f14ab7aeb2f922f3f2a793388479c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 22 Apr 2024 09:14:15 +0100 Subject: [PATCH] Remove gopkg.in/square/go-jose.v2 dep (#203) * Remove gopkg.in/square/go-jose.v2 dep * Add support for ES256 and HS256 signature algorithms in addition to RS256 Based on https://www.rfc-editor.org/rfc/rfc7519#section-8, this gives us good coverage of all the most commonly expected signature algorithms for a JWT, although for now Google only uses RS256 in my testing --- CHANGELOG.md | 2 +- go.mod | 3 +-- go.sum | 2 -- plugin/path_login.go | 15 ++++++++++++--- plugin/path_login_test.go | 6 +++--- 5 files changed, 17 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f19951..dbfe997 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ IMPROVEMENTS: * `github.com/stretchr/testify` v1.8.4 -> v1.9.0 * `golang.org/x/oauth2` v0.16.0 -> v0.19.0 * `google.golang.org/api` v0.161.0 -> v0.172.0 -* Upgrade `github.com/go-jose/go-jose/v3` to `github.com/go-jose/go-jose/v4` 4.0.1: [GH-202](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/202) +* Upgrade `gopkg.in/square/go-jose.v2` and `github.com/go-jose/go-jose/v3` to `github.com/go-jose/go-jose/v4` 4.0.1: [GH-202](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/202), [GH-203](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/203) * Bump `google.golang.org/protobuf` from 1.32.0 to 1.33.0: [GH-197](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/197) * Bump `github.com/docker/docker` from 24.0.7+incompatible to 24.0.9+incompatible: [GH-198](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/198) * Bump `golang.org/x/net` from 0.22.0 to 0.24.0: [GH-201](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/201) diff --git a/go.mod b/go.mod index 410b592..e290f2b 100644 --- a/go.mod +++ b/go.mod 
@@ -6,6 +6,7 @@ toolchain go1.22.2
 
 require (
 	cloud.google.com/go/compute/metadata v0.3.0
+	github.com/go-jose/go-jose/v4 v4.0.1
 	github.com/golang/mock v1.6.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-gcp-common v0.8.0
@@ -18,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/oauth2 v0.19.0
 	google.golang.org/api v0.172.0
-	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (
@@ -34,7 +34,6 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
diff --git a/go.sum b/go.sum
index 2554526..b1ecba8 100644
--- a/go.sum
+++ b/go.sum
@@ -406,8 +406,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/plugin/path_login.go b/plugin/path_login.go
index 30937e3..46ba6fb 100644
--- a/plugin/path_login.go
+++ b/plugin/path_login.go
@@ -12,6 +12,8 @@ import (
 	"strings"
 	"time"
 
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/hashicorp/go-gcp-common/gcputil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -21,7 +23,6 @@ import (
 	"google.golang.org/api/cloudresourcemanager/v1"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/iam/v1"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (
@@ -29,6 +30,14 @@ const (
 	jwtExpToleranceSec = 60
 )
 
+var (
+	allowedSignatureAlgorithms = []jose.SignatureAlgorithm{
+		jose.RS256,
+		jose.ES256,
+		jose.HS256,
+	}
+)
+
 func pathLogin(b *GcpAuthBackend) *framework.Path {
 	return &framework.Path{
 		Pattern: "login$",
@@ -205,7 +214,7 @@ func (b *GcpAuthBackend) parseAndValidateJwt(ctx context.Context, s logical.Stor
 	}
 
 	// Parse 'kid' key id from headers.
-	jwtVal, err := jwt.ParseSigned(signedJwt.(string))
+	jwtVal, err := jwt.ParseSigned(signedJwt.(string), allowedSignatureAlgorithms)
 	if err != nil {
 		return nil, fmt.Errorf("unable to parse signed JWT: %w", err)
 	}
@@ -276,7 +285,7 @@ func (b *GcpAuthBackend) getSigningKey(ctx context.Context, token *jwt.JSONWebTo
 
 // getJWTSubject grabs 'sub' claim given an unverified signed JWT.
 func getJWTSubject(signedJwt string) (string, error) {
-	jwtVal, err := jwt.ParseSigned(signedJwt)
+	jwtVal, err := jwt.ParseSigned(signedJwt, allowedSignatureAlgorithms)
 	if err != nil {
 		return "", fmt.Errorf("could not parse JWT: %v", err)
 	}
diff --git a/plugin/path_login_test.go b/plugin/path_login_test.go
index dc07cf4..afc6a34 100644
--- a/plugin/path_login_test.go
+++ b/plugin/path_login_test.go
@@ -13,6 +13,8 @@ import (
 	"testing"
 	"time"
 
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/hashicorp/go-gcp-common/gcputil"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
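Review bot: The new `allowedSignatureAlgorithms` list in the third hunk admits HS256, a symmetric HMAC algorithm, even though the PR description says Google only issues RS256 and this plugin — going by the `getSigningKey` name in a later hunk header, whose body is outside the diff — appears to verify against a fetched public key rather than a shared secret, so an HS256 token could never be legitimately valid here and listing it only widens what reaches the verifier (go-jose v4 does, as far as I know, refuse an HS256 header against an asymmetric key, so this is attack-surface hygiene rather than a known bypass). I would trim the list to the asymmetric algorithms and record why, e.g. `// Only asymmetric algorithms: tokens are verified against Google's published public keys, so HS256 (HMAC) could never be legitimately verified here.` above `allowedSignatureAlgorithms = []jose.SignatureAlgorithm{jose.RS256, jose.ES256}`. The same list also gates `getJWTSubject`, which only parses an unverified token, so keeping it minimal costs nothing there. `pathLogin` and `parseAndValidateJwt` both extend beyond their hunks.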
@@ -20,8 +22,6 @@ import (
 	"google.golang.org/api/iam/v1"
 	"google.golang.org/api/iamcredentials/v1"
 	"google.golang.org/api/option"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func TestRoleResolution(t *testing.T) {
@@ -674,7 +674,7 @@ func testCreateExpiredJwtToken(tb testing.TB, roleName string, creds *gcputil.Gc
 		Subject: creds.ClientId,
 		Audience: []string{fmt.Sprintf(expectedJwtAudTemplate, roleName)},
 		Expiry: jwt.NewNumericDate(time.Now().Add(-100 * time.Minute)),
-	}).CompactSerialize()
+	}).Serialize()
 	if err != nil {
 		tb.Fatal(err)
 	}