From 63573126e77d6c64399a3da10c30ef4e47ddecf7 Mon Sep 17 00:00:00 2001 From: Ajay Kemparaj Date: Thu, 7 Dec 2023 14:10:28 -0700 Subject: [PATCH] move from gopkg.in/square/go-jose.v2 to go-jose/go-jose (#4688) * move from gopkg.in/square/go-jose.v2 to go-jose/go-jose Signed-off-by: ajayk * maintain backcompat on aud claim Signed-off-by: Andrew Harding --------- Signed-off-by: ajayk Signed-off-by: Andrew Harding Co-authored-by: Andrew Harding --- cmd/spire-server/cli/jwt/mint.go | 2 +- cmd/spire-server/cli/jwt/mint_test.go | 6 +++--- go.mod | 4 ++-- pkg/agent/endpoints/workload/handler.go | 10 ++++++++++ .../plugin/nodeattestor/azuremsi/msi_test.go | 4 ++-- pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go | 6 +++--- .../plugin/nodeattestor/k8spsat/psat_test.go | 4 ++-- pkg/common/bundleutil/marshal.go | 2 +- pkg/common/bundleutil/types.go | 2 +- pkg/common/cryptoutil/keys.go | 2 +- pkg/common/cryptoutil/keys_test.go | 2 +- pkg/common/jwtsvid/common.go | 2 +- pkg/common/jwtsvid/validate.go | 4 ++-- pkg/common/jwtsvid/validate_test.go | 6 +++--- pkg/common/jwtutil/keyset.go | 2 +- pkg/common/jwtutil/keyset_test.go | 2 +- pkg/common/plugin/azure/msi.go | 2 +- pkg/common/plugin/azure/msi_test.go | 2 +- pkg/common/plugin/gcp/iit.go | 2 +- pkg/common/plugin/k8s/utils.go | 2 +- pkg/common/plugin/k8s/utils_test.go | 2 +- pkg/server/api/svid/v1/service_test.go | 2 +- pkg/server/ca/ca.go | 6 +++--- pkg/server/credtemplate/builder.go | 2 +- pkg/server/credtemplate/builder_test.go | 2 +- pkg/server/credvalidator/validator.go | 2 +- pkg/server/credvalidator/validator_test.go | 8 ++++---- .../endpoints/bundle/internal/acmetest/ca.go | 2 +- pkg/server/plugin/nodeattestor/azuremsi/msi.go | 2 +- .../plugin/nodeattestor/azuremsi/msi_test.go | 10 +++++----- .../gcpiit/google_public_key_retriever.go | 2 +- pkg/server/plugin/nodeattestor/gcpiit/iit.go | 4 ++-- .../plugin/nodeattestor/gcpiit/iit_test.go | 16 ++++++++-------- .../plugin/nodeattestor/k8spsat/psat_test.go | 4 ++-- pkg/server/plugin/nodeattestor/k8ssat/sat.go | 2 +- .../plugin/nodeattestor/k8ssat/sat_test.go | 4 ++-- support/oidc-discovery-provider/common_test.go | 2 +- support/oidc-discovery-provider/handler.go | 2 +- support/oidc-discovery-provider/handler_test.go | 2 +- .../healthchecks_handler_test.go | 2 +- support/oidc-discovery-provider/jwks_source.go | 2 +- support/oidc-discovery-provider/server_api.go | 2 +- support/oidc-discovery-provider/workload_api.go | 2 +- .../oidc-discovery-provider/workload_api_test.go | 2 +- test/integration/setup/adminclient/client.go | 2 +- test/testca/ca.go | 6 +++--- 46 files changed, 86 insertions(+), 76 deletions(-) diff --git a/cmd/spire-server/cli/jwt/mint.go b/cmd/spire-server/cli/jwt/mint.go index 2119b6ee59..928c2b1ae0 100644 --- a/cmd/spire-server/cli/jwt/mint.go +++ b/cmd/spire-server/cli/jwt/mint.go @@ -7,6 +7,7 @@ import ( "fmt" "time" + "github.com/go-jose/go-jose/v3/jwt" "github.com/mitchellh/cli" "github.com/spiffe/go-spiffe/v2/spiffeid" svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" @@ -15,7 +16,6 @@ import ( commoncli "github.com/spiffe/spire/pkg/common/cli" "github.com/spiffe/spire/pkg/common/cliprinter" "github.com/spiffe/spire/pkg/common/diskutil" - "gopkg.in/square/go-jose.v2/jwt" ) func NewMintCommand() cli.Command { diff --git a/cmd/spire-server/cli/jwt/mint_test.go b/cmd/spire-server/cli/jwt/mint_test.go index d44ff7c826..937e23e85e 100644 --- a/cmd/spire-server/cli/jwt/mint_test.go +++ b/cmd/spire-server/cli/jwt/mint_test.go @@ -12,6 +12,8 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" "github.com/spiffe/spire/cmd/spire-server/cli/common" @@ -21,8 +23,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) var ( @@ -249,7 +249,7 @@ func TestMintRun(t *testing.T) { "issued_at": "0" } }`, - expStderr: "Unable to determine JWT-SVID lifetime: square/go-jose: compact JWS format must have three parts\n", + expStderr: "Unable to determine JWT-SVID lifetime: go-jose/go-jose: compact JWS format must have three parts\n", }, { name: "expired token", diff --git a/go.mod b/go.mod index 81a0e8cef3..1c806c3058 100644 --- a/go.mod +++ b/go.mod @@ -35,6 +35,7 @@ require ( github.com/docker/docker v24.0.7+incompatible github.com/envoyproxy/go-control-plane v0.11.1 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa + github.com/go-jose/go-jose/v3 v3.0.1 github.com/go-sql-driver/mysql v1.7.1 github.com/godbus/dbus/v5 v5.1.0 github.com/gofrs/uuid v4.4.0+incompatible @@ -82,7 +83,6 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.31.0 - gopkg.in/square/go-jose.v2 v2.6.0 k8s.io/api v0.28.4 k8s.io/apimachinery v0.28.4 k8s.io/client-go v0.28.4 @@ -177,7 +177,6 @@ require ( github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/go-logr/logr v1.3.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.2.6 // indirect @@ -330,6 +329,7 @@ require ( gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.100.1 // indirect diff --git a/pkg/agent/endpoints/workload/handler.go b/pkg/agent/endpoints/workload/handler.go index c4d0c35b46..9f191a1471 100644 --- a/pkg/agent/endpoints/workload/handler.go +++ b/pkg/agent/endpoints/workload/handler.go @@ -185,6 +185,16 @@ func (h *Handler) ValidateJWTSVID(ctx context.Context, req *workload.ValidateJWT } } + // RFC 7519 structures `aud` as an array of StringOrURIs but has a special + // case where it MAY be specified as a single StringOrURI if there is only + // one audience. We have traditionally always returned it as an array but + // the JWT library we use now returns a single string when there is only + // one. To maintain backcompat, convert a single string value for the + // audience to a list. + if aud, ok := claims["aud"].(string); ok { + claims["aud"] = []string{aud} + } + s, err := structFromValues(claims) if err != nil { log.WithError(err).Error("Error deserializing claims from JWT-SVID") diff --git a/pkg/agent/plugin/nodeattestor/azuremsi/msi_test.go b/pkg/agent/plugin/nodeattestor/azuremsi/msi_test.go index a3e269df81..5975c50986 100644 --- a/pkg/agent/plugin/nodeattestor/azuremsi/msi_test.go +++ b/pkg/agent/plugin/nodeattestor/azuremsi/msi_test.go @@ -7,14 +7,14 @@ import ( "net/http" "testing" + jose "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor" nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test" "github.com/spiffe/spire/pkg/common/plugin/azure" "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "google.golang.org/grpc/codes" - jose "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) var ( diff --git a/pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go b/pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go index e3fb882990..d84a849b84 100644 --- a/pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go +++ b/pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go @@ -8,6 +8,9 @@ import ( "net/http/httptest" "testing" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/cryptosigner" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor" nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test" "github.com/spiffe/spire/pkg/common/plugin/gcp" @@ -16,9 +19,6 @@ import ( "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/cryptosigner" - "gopkg.in/square/go-jose.v2/jwt" ) const testServiceAccount = "test-service-account" diff --git a/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go b/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go index f23c69a924..fb6cbd5d90 100644 --- a/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go +++ b/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go @@ -7,6 +7,8 @@ import ( "path/filepath" "testing" + jose "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor" nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test" "github.com/spiffe/spire/pkg/common/pemutil" @@ -14,8 +16,6 @@ import ( "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "google.golang.org/grpc/codes" - jose "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) var sampleKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY----- diff --git a/pkg/common/bundleutil/marshal.go b/pkg/common/bundleutil/marshal.go index bc50571b76..ba8063e0f7 100644 --- a/pkg/common/bundleutil/marshal.go +++ b/pkg/common/bundleutil/marshal.go @@ -5,8 +5,8 @@ import ( "encoding/json" "time" + "github.com/go-jose/go-jose/v3" "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" - "gopkg.in/square/go-jose.v2" ) type marshalConfig struct { diff --git a/pkg/common/bundleutil/types.go b/pkg/common/bundleutil/types.go index cf17dd61ba..372e201221 100644 --- a/pkg/common/bundleutil/types.go +++ b/pkg/common/bundleutil/types.go @@ -1,7 +1,7 @@ package bundleutil import ( - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v3" ) const ( diff --git a/pkg/common/cryptoutil/keys.go b/pkg/common/cryptoutil/keys.go index b9ab1c9a3f..28aa24db9c 100644 --- a/pkg/common/cryptoutil/keys.go +++ b/pkg/common/cryptoutil/keys.go @@ -6,8 +6,8 @@ import ( "crypto/rsa" "fmt" + "github.com/go-jose/go-jose/v3" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2" ) func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool { diff --git a/pkg/common/cryptoutil/keys_test.go b/pkg/common/cryptoutil/keys_test.go index 77192f8242..7ec3f483d4 100644 --- a/pkg/common/cryptoutil/keys_test.go +++ b/pkg/common/cryptoutil/keys_test.go @@ -7,9 +7,9 @@ import ( "crypto/rsa" "testing" + "github.com/go-jose/go-jose/v3" "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" ) func TestJoseAlgFromPublicKey(t *testing.T) { diff --git a/pkg/common/jwtsvid/common.go b/pkg/common/jwtsvid/common.go index cdd141162b..37caae5bde 100644 --- a/pkg/common/jwtsvid/common.go +++ b/pkg/common/jwtsvid/common.go @@ -4,8 +4,8 @@ import ( "errors" "time" + "github.com/go-jose/go-jose/v3/jwt" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2/jwt" ) func GetTokenExpiry(token string) (time.Time, time.Time, error) { diff --git a/pkg/common/jwtsvid/validate.go b/pkg/common/jwtsvid/validate.go index 864ef04c37..dbf07584b7 100644 --- a/pkg/common/jwtsvid/validate.go +++ b/pkg/common/jwtsvid/validate.go @@ -7,10 +7,10 @@ import ( "fmt" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) type KeyStore interface { diff --git a/pkg/common/jwtsvid/validate_test.go b/pkg/common/jwtsvid/validate_test.go index a4344973d9..97609de054 100644 --- a/pkg/common/jwtsvid/validate_test.go +++ b/pkg/common/jwtsvid/validate_test.go @@ -6,15 +6,15 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/cryptosigner" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/cryptoutil" "github.com/spiffe/spire/test/clock" "github.com/spiffe/spire/test/spiretest" "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/cryptosigner" - "gopkg.in/square/go-jose.v2/jwt" ) var ( diff --git a/pkg/common/jwtutil/keyset.go b/pkg/common/jwtutil/keyset.go index 0dd2a66a51..7f6f751af9 100644 --- a/pkg/common/jwtutil/keyset.go +++ b/pkg/common/jwtutil/keyset.go @@ -10,9 +10,9 @@ import ( "sync" "time" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2" ) const ( diff --git a/pkg/common/jwtutil/keyset_test.go b/pkg/common/jwtutil/keyset_test.go index 7e256fdcbc..f67ed7a690 100644 --- a/pkg/common/jwtutil/keyset_test.go +++ b/pkg/common/jwtutil/keyset_test.go @@ -9,8 +9,8 @@ import ( "testing" "time" + jose "github.com/go-jose/go-jose/v3" "github.com/stretchr/testify/require" - jose "gopkg.in/square/go-jose.v2" ) func TestDiscoverKeySetURI(t *testing.T) { diff --git a/pkg/common/plugin/azure/msi.go b/pkg/common/plugin/azure/msi.go index 994273a419..9cf1bd82e2 100644 --- a/pkg/common/plugin/azure/msi.go +++ b/pkg/common/plugin/azure/msi.go @@ -5,11 +5,11 @@ import ( "io" "net/http" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/agentpathtemplate" "github.com/spiffe/spire/pkg/common/idutil" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/common/plugin/azure/msi_test.go b/pkg/common/plugin/azure/msi_test.go index bf96547d28..5a1bb3ae56 100644 --- a/pkg/common/plugin/azure/msi_test.go +++ b/pkg/common/plugin/azure/msi_test.go @@ -8,11 +8,11 @@ import ( "strings" "testing" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/agentpathtemplate" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2/jwt" ) func TestFetchMSIToken(t *testing.T) { diff --git a/pkg/common/plugin/gcp/iit.go b/pkg/common/plugin/gcp/iit.go index 0d4c1cd0ff..25080438b4 100644 --- a/pkg/common/plugin/gcp/iit.go +++ b/pkg/common/plugin/gcp/iit.go @@ -1,10 +1,10 @@ package gcp import ( + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/agentpathtemplate" "github.com/spiffe/spire/pkg/common/idutil" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/common/plugin/k8s/utils.go b/pkg/common/plugin/k8s/utils.go index 03ecd29fec..ca292350ab 100644 --- a/pkg/common/plugin/k8s/utils.go +++ b/pkg/common/plugin/k8s/utils.go @@ -7,7 +7,7 @@ import ( "path" "strings" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v3/jwt" authv1 "k8s.io/api/authentication/v1" ) diff --git a/pkg/common/plugin/k8s/utils_test.go b/pkg/common/plugin/k8s/utils_test.go index 47ff579c7d..42d292e247 100644 --- a/pkg/common/plugin/k8s/utils_test.go +++ b/pkg/common/plugin/k8s/utils_test.go @@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" authv1 "k8s.io/api/authentication/v1" + "github.com/go-jose/go-jose/v3/jwt" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/server/api/svid/v1/service_test.go b/pkg/server/api/svid/v1/service_test.go index b0b33a2ec3..c867dd10b6 100644 --- a/pkg/server/api/svid/v1/service_test.go +++ b/pkg/server/api/svid/v1/service_test.go @@ -34,10 +34,10 @@ import ( "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" + "github.com/go-jose/go-jose/v3/jwt" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "gopkg.in/square/go-jose.v2/jwt" ) var ( diff --git a/pkg/server/ca/ca.go b/pkg/server/ca/ca.go index 717fc51a8e..ba5f8bcdde 100644 --- a/pkg/server/ca/ca.go +++ b/pkg/server/ca/ca.go @@ -11,6 +11,9 @@ import ( "time" "github.com/andres-erbsen/clock" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/cryptosigner" + "github.com/go-jose/go-jose/v3/jwt" "github.com/sirupsen/logrus" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/cryptoutil" @@ -20,9 +23,6 @@ import ( "github.com/spiffe/spire/pkg/common/x509util" "github.com/spiffe/spire/pkg/server/credtemplate" "github.com/spiffe/spire/pkg/server/credvalidator" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/cryptosigner" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/server/credtemplate/builder.go b/pkg/server/credtemplate/builder.go index a8f1607662..a4be8156ae 100644 --- a/pkg/server/credtemplate/builder.go +++ b/pkg/server/credtemplate/builder.go @@ -12,13 +12,13 @@ import ( "time" "github.com/andres-erbsen/clock" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/idutil" "github.com/spiffe/spire/pkg/common/x509svid" "github.com/spiffe/spire/pkg/common/x509util" "github.com/spiffe/spire/pkg/server/api" "github.com/spiffe/spire/pkg/server/plugin/credentialcomposer" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/server/credtemplate/builder_test.go b/pkg/server/credtemplate/builder_test.go index 81efe8082c..69e87500ee 100644 --- a/pkg/server/credtemplate/builder_test.go +++ b/pkg/server/credtemplate/builder_test.go @@ -13,6 +13,7 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" credentialcomposerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/credentialcomposer/v1" "github.com/spiffe/spire/pkg/common/catalog" @@ -25,7 +26,6 @@ import ( "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2/jwt" ) var ( diff --git a/pkg/server/credvalidator/validator.go b/pkg/server/credvalidator/validator.go index 70f1127fcf..e9f8fabbca 100644 --- a/pkg/server/credvalidator/validator.go +++ b/pkg/server/credvalidator/validator.go @@ -7,9 +7,9 @@ import ( "time" "github.com/andres-erbsen/clock" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/idutil" - "gopkg.in/square/go-jose.v2/jwt" ) type Config struct { diff --git a/pkg/server/credvalidator/validator_test.go b/pkg/server/credvalidator/validator_test.go index a561529ede..05a172d6f1 100644 --- a/pkg/server/credvalidator/validator_test.go +++ b/pkg/server/credvalidator/validator_test.go @@ -7,13 +7,13 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/server/credvalidator" "github.com/spiffe/spire/test/clock" "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) var ( @@ -290,7 +290,7 @@ func TestValidateWorkloadJWTSVID(t *testing.T) { makeJWT: func(t *testing.T, claims any) string { return "not-a-jwt" }, - expectErr: "failed to parse JWT-SVID for validation: square/go-jose: compact JWS format must have three parts", + expectErr: "failed to parse JWT-SVID for validation: go-jose/go-jose: compact JWS format must have three parts", }, { desc: "malformed claims", @@ -300,7 +300,7 @@ func TestValidateWorkloadJWTSVID(t *testing.T) { "aud": 1, }) }, - expectErr: "failed to extract JWT-SVID claims for validation: square/go-jose/jwt: expected string or array value to unmarshal to Audience", + expectErr: "failed to extract JWT-SVID claims for validation: go-jose/go-jose/jwt: expected string or array value to unmarshal to Audience", }, { desc: "unexpected subject", diff --git a/pkg/server/endpoints/bundle/internal/acmetest/ca.go b/pkg/server/endpoints/bundle/internal/acmetest/ca.go index 2dc281bef1..f4ed7a3b3e 100644 --- a/pkg/server/endpoints/bundle/internal/acmetest/ca.go +++ b/pkg/server/endpoints/bundle/internal/acmetest/ca.go @@ -62,8 +62,8 @@ import ( "sync" "time" + "github.com/go-jose/go-jose/v3" "golang.org/x/crypto/acme" - "gopkg.in/square/go-jose.v2" ) // CAServer is a simple test server which implements ACME spec bits needed for testing. diff --git a/pkg/server/plugin/nodeattestor/azuremsi/msi.go b/pkg/server/plugin/nodeattestor/azuremsi/msi.go index a7c101069c..f942d88fbe 100644 --- a/pkg/server/plugin/nodeattestor/azuremsi/msi.go +++ b/pkg/server/plugin/nodeattestor/azuremsi/msi.go @@ -15,6 +15,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork" + "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/hcl" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -27,7 +28,6 @@ import ( nodeattestorbase "github.com/spiffe/spire/pkg/server/plugin/nodeattestor/base" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go b/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go index 3f080fb20a..5a359b13e7 100644 --- a/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go +++ b/pkg/server/plugin/nodeattestor/azuremsi/msi_test.go @@ -14,6 +14,8 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork" + jose "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/sirupsen/logrus" "github.com/sirupsen/logrus/hooks/test" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -29,8 +31,6 @@ import ( "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" - jose "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) const ( @@ -182,13 +182,13 @@ func (s *MSIAttestorSuite) TestAttestFailsClaimValidation() { s.T().Run("no audience", func(t *testing.T) { s.requireAttestError(t, s.signAttestPayload("KEYID", "", "TENANTID", "PRINCIPALID"), codes.Internal, - "nodeattestor(azure_msi): unable to validate token claims: square/go-jose/jwt: validation failed, invalid audience claim (aud)") + "nodeattestor(azure_msi): unable to validate token claims: go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)") }) s.T().Run("wrong audience", func(t *testing.T) { s.requireAttestError(t, s.signAttestPayload("KEYID", "FOO", "TENANTID", "PRINCIPALID"), codes.Internal, - "nodeattestor(azure_msi): unable to validate token claims: square/go-jose/jwt: validation failed, invalid audience claim (aud)") + "nodeattestor(azure_msi): unable to validate token claims: go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)") }) s.T().Run(" missing principal id (sub) claim", func(t *testing.T) { @@ -208,7 +208,7 @@ func (s *MSIAttestorSuite) TestAttestTokenExpiration() { // just after 5m leeway s.adjustTime(time.Second) - s.requireAttestError(s.T(), token, codes.Internal, "nodeattestor(azure_msi): unable to validate token claims: square/go-jose/jwt: validation failed, token is expired (exp)") + s.requireAttestError(s.T(), token, codes.Internal, "nodeattestor(azure_msi): unable to validate token claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)") } func (s *MSIAttestorSuite) TestAttestSuccessWithDefaultResourceID() { diff --git a/pkg/server/plugin/nodeattestor/gcpiit/google_public_key_retriever.go b/pkg/server/plugin/nodeattestor/gcpiit/google_public_key_retriever.go index 7dd79eac14..69cc266c59 100644 --- a/pkg/server/plugin/nodeattestor/gcpiit/google_public_key_retriever.go +++ b/pkg/server/plugin/nodeattestor/gcpiit/google_public_key_retriever.go @@ -11,7 +11,7 @@ import ( "sync" "time" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v3" ) type googlePublicKeyRetriever struct { diff --git a/pkg/server/plugin/nodeattestor/gcpiit/iit.go b/pkg/server/plugin/nodeattestor/gcpiit/iit.go index 25b708f268..011b45fdbd 100644 --- a/pkg/server/plugin/nodeattestor/gcpiit/iit.go +++ b/pkg/server/plugin/nodeattestor/gcpiit/iit.go @@ -9,6 +9,8 @@ import ( "github.com/hashicorp/hcl" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" hclog "github.com/hashicorp/go-hclog" "github.com/spiffe/go-spiffe/v2/spiffeid" nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1" @@ -21,8 +23,6 @@ import ( "google.golang.org/api/option" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/pkg/server/plugin/nodeattestor/gcpiit/iit_test.go b/pkg/server/plugin/nodeattestor/gcpiit/iit_test.go index 9644dc673b..307c2ae382 100644 --- a/pkg/server/plugin/nodeattestor/gcpiit/iit_test.go +++ b/pkg/server/plugin/nodeattestor/gcpiit/iit_test.go @@ -9,6 +9,9 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/cryptosigner" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" agentstorev1 "github.com/spiffe/spire-plugin-sdk/proto/spire/hostservice/server/agentstore/v1" nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1" @@ -24,9 +27,6 @@ import ( "github.com/stretchr/testify/require" "google.golang.org/api/compute/v1" "google.golang.org/grpc/codes" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/cryptosigner" - "gopkg.in/square/go-jose.v2/jwt" ) const ( @@ -78,7 +78,7 @@ func (s *IITAttestorSuite) TestErrorOnMissingPayload() { func (s *IITAttestorSuite) TestErrorOnMissingKid() { payload := s.signToken(testKey, "", buildDefaultClaims()) - s.requireAttestError(s.T(), payload, codes.InvalidArgument, "nodeattestor(gcp_iit): failed to validate the identity token signature: square/go-jose: unsupported key type/format") + s.requireAttestError(s.T(), payload, codes.InvalidArgument, "nodeattestor(gcp_iit): failed to validate the identity token signature: go-jose/go-jose: unsupported key type/format") } func (s *IITAttestorSuite) TestErrorOnInvalidClaims() { @@ -86,14 +86,14 @@ func (s *IITAttestorSuite) TestErrorOnInvalidClaims() { claims.Expiry = jwt.NewNumericDate(time.Now().Add(-time.Hour)) payload := s.signToken(testKey, "kid", claims) - s.requireAttestError(s.T(), payload, codes.PermissionDenied, "nodeattestor(gcp_iit): failed to validate the identity token claims: square/go-jose/jwt: validation failed, token is expired (exp)") + s.requireAttestError(s.T(), payload, codes.PermissionDenied, "nodeattestor(gcp_iit): failed to validate the identity token claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)") } func (s *IITAttestorSuite) TestErrorOnInvalidAudience() { claims := buildClaims(testProject, "invalid") payload := s.signToken(testKey, "kid", claims) - s.requireAttestError(s.T(), payload, codes.PermissionDenied, `nodeattestor(gcp_iit): failed to validate the identity token claims: square/go-jose/jwt: validation failed, invalid audience claim (aud)`) + s.requireAttestError(s.T(), payload, codes.PermissionDenied, `nodeattestor(gcp_iit): failed to validate the identity token claims: go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)`) } func (s *IITAttestorSuite) TestErrorOnAttestedBefore() { @@ -118,11 +118,11 @@ func (s *IITAttestorSuite) TestErrorOnInvalidSignature() { payload := s.signToken(alternativeKey, "kid", buildDefaultClaims()) - s.requireAttestError(s.T(), payload, codes.InvalidArgument, "nodeattestor(gcp_iit): failed to validate the identity token signature: square/go-jose: error in cryptographic primitive") + s.requireAttestError(s.T(), payload, codes.InvalidArgument, "nodeattestor(gcp_iit): failed to validate the identity token signature: go-jose/go-jose: error in cryptographic primitive") } func (s *IITAttestorSuite) TestErrorOnInvalidPayload() { - s.requireAttestError(s.T(), []byte("secret"), codes.InvalidArgument, "nodeattestor(gcp_iit): unable to parse the identity token: square/go-jose: compact JWS format must have three parts") + s.requireAttestError(s.T(), []byte("secret"), codes.InvalidArgument, "nodeattestor(gcp_iit): unable to parse the identity token: go-jose/go-jose: compact JWS format must have three parts") } func (s *IITAttestorSuite) TestErrorOnServiceAccountFileMismatch() { diff --git a/pkg/server/plugin/nodeattestor/k8spsat/psat_test.go b/pkg/server/plugin/nodeattestor/k8spsat/psat_test.go index b8cb568d66..8896e6120a 100644 --- a/pkg/server/plugin/nodeattestor/k8spsat/psat_test.go +++ b/pkg/server/plugin/nodeattestor/k8spsat/psat_test.go @@ -17,6 +17,8 @@ import ( "testing" "time" + jose "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/google/go-cmp/cmp" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/catalog" @@ -27,8 +29,6 @@ import ( "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "google.golang.org/grpc/codes" - jose "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" authv1 "k8s.io/api/authentication/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/pkg/server/plugin/nodeattestor/k8ssat/sat.go b/pkg/server/plugin/nodeattestor/k8ssat/sat.go index d7bb460b2f..27be0cdeec 100644 --- a/pkg/server/plugin/nodeattestor/k8ssat/sat.go +++ b/pkg/server/plugin/nodeattestor/k8ssat/sat.go @@ -14,6 +14,7 @@ import ( "sync" "time" + "github.com/go-jose/go-jose/v3/jwt" "github.com/gofrs/uuid/v5" hclog "github.com/hashicorp/go-hclog" "github.com/hashicorp/hcl" @@ -25,7 +26,6 @@ import ( nodeattestorbase "github.com/spiffe/spire/pkg/server/plugin/nodeattestor/base" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "gopkg.in/square/go-jose.v2/jwt" authv1 "k8s.io/api/authentication/v1" ) diff --git a/pkg/server/plugin/nodeattestor/k8ssat/sat_test.go b/pkg/server/plugin/nodeattestor/k8ssat/sat_test.go index e831ed4506..3f08470af5 100644 --- a/pkg/server/plugin/nodeattestor/k8ssat/sat_test.go +++ b/pkg/server/plugin/nodeattestor/k8ssat/sat_test.go @@ -18,6 +18,8 @@ import ( "testing" "time" + jose "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" agentstorev1 "github.com/spiffe/spire-plugin-sdk/proto/spire/hostservice/server/agentstore/v1" "github.com/spiffe/spire/pkg/common/catalog" @@ -29,8 +31,6 @@ import ( "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "google.golang.org/grpc/codes" - jose "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" authv1 "k8s.io/api/authentication/v1" ) diff --git a/support/oidc-discovery-provider/common_test.go b/support/oidc-discovery-provider/common_test.go index d586169b03..44c491d9af 100644 --- a/support/oidc-discovery-provider/common_test.go +++ b/support/oidc-discovery-provider/common_test.go @@ -5,8 +5,8 @@ import ( "sync" "time" + "github.com/go-jose/go-jose/v3" "github.com/spiffe/spire/pkg/common/pemutil" - "gopkg.in/square/go-jose.v2" ) var ( diff --git a/support/oidc-discovery-provider/handler.go b/support/oidc-discovery-provider/handler.go index 91318b20d4..d65e457f64 100644 --- a/support/oidc-discovery-provider/handler.go +++ b/support/oidc-discovery-provider/handler.go @@ -7,11 +7,11 @@ import ( "net/http" "net/url" + "github.com/go-jose/go-jose/v3" "github.com/gorilla/handlers" "github.com/sirupsen/logrus" "github.com/spiffe/spire/pkg/common/cryptoutil" "github.com/spiffe/spire/pkg/common/telemetry" - "gopkg.in/square/go-jose.v2" ) const ( diff --git a/support/oidc-discovery-provider/handler_test.go b/support/oidc-discovery-provider/handler_test.go index 9c1c61063f..902a2ce3c8 100644 --- a/support/oidc-discovery-provider/handler_test.go +++ b/support/oidc-discovery-provider/handler_test.go @@ -6,11 +6,11 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus" "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" ) func TestHandlerHTTPS(t *testing.T) { diff --git a/support/oidc-discovery-provider/healthchecks_handler_test.go b/support/oidc-discovery-provider/healthchecks_handler_test.go index e44f791060..a6ab31ab42 100644 --- a/support/oidc-discovery-provider/healthchecks_handler_test.go +++ b/support/oidc-discovery-provider/healthchecks_handler_test.go @@ -6,11 +6,11 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus" "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" ) func TestHealthCheckHandler(t *testing.T) { diff --git a/support/oidc-discovery-provider/jwks_source.go b/support/oidc-discovery-provider/jwks_source.go index f684c343c1..8cba051290 100644 --- a/support/oidc-discovery-provider/jwks_source.go +++ b/support/oidc-discovery-provider/jwks_source.go @@ -3,7 +3,7 @@ package main import ( "time" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v3" ) type JWKSSource interface { diff --git a/support/oidc-discovery-provider/server_api.go b/support/oidc-discovery-provider/server_api.go index 0bc38c1e9e..9fe8276ea2 100644 --- a/support/oidc-discovery-provider/server_api.go +++ b/support/oidc-discovery-provider/server_api.go @@ -7,6 +7,7 @@ import ( "time" "github.com/andres-erbsen/clock" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" "github.com/spiffe/spire-api-sdk/proto/spire/api/types" @@ -14,7 +15,6 @@ import ( "github.com/zeebo/errs" "google.golang.org/grpc" "google.golang.org/protobuf/proto" - "gopkg.in/square/go-jose.v2" ) const ( diff --git a/support/oidc-discovery-provider/workload_api.go b/support/oidc-discovery-provider/workload_api.go index 77cf35e958..9fbe0956fe 100644 --- a/support/oidc-discovery-provider/workload_api.go +++ b/support/oidc-discovery-provider/workload_api.go @@ -9,6 +9,7 @@ import ( "time" "github.com/andres-erbsen/clock" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -16,7 +17,6 @@ import ( "github.com/spiffe/spire/pkg/common/telemetry" "github.com/spiffe/spire/pkg/common/util" "github.com/zeebo/errs" - "gopkg.in/square/go-jose.v2" ) const ( diff --git a/support/oidc-discovery-provider/workload_api_test.go b/support/oidc-discovery-provider/workload_api_test.go index 32ffada3be..f16d173262 100644 --- a/support/oidc-discovery-provider/workload_api_test.go +++ b/support/oidc-discovery-provider/workload_api_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" "github.com/sirupsen/logrus/hooks/test" "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload" "github.com/spiffe/spire/test/clock" @@ -13,7 +14,6 @@ import ( "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "gopkg.in/square/go-jose.v2" ) func TestWorkloadAPISource(t *testing.T) { diff --git a/test/integration/setup/adminclient/client.go b/test/integration/setup/adminclient/client.go index 72245aa394..09f35b445b 100644 --- a/test/integration/setup/adminclient/client.go +++ b/test/integration/setup/adminclient/client.go @@ -13,6 +13,7 @@ import ( "reflect" "time" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/spiffeid" agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1" bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1" @@ -25,7 +26,6 @@ import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" - "gopkg.in/square/go-jose.v2/jwt" ) const ( diff --git a/test/testca/ca.go b/test/testca/ca.go index ea09178272..cd74b4a341 100644 --- a/test/testca/ca.go +++ b/test/testca/ca.go @@ -14,6 +14,9 @@ import ( "testing" "time" + "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v3/cryptosigner" + "github.com/go-jose/go-jose/v3/jwt" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" @@ -24,9 +27,6 @@ import ( "github.com/spiffe/spire/pkg/common/x509util" "github.com/spiffe/spire/test/testkey" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/cryptosigner" - "gopkg.in/square/go-jose.v2/jwt" ) var (