Replace JWT library for signing tokens (#1308)

Author: mantas-sidlauskas

go.mod

@@ -4,9 +4,9 @@ go 1.19
 
 require (
 	github.com/apache/thrift v0.16.0
-	github.com/cristalhq/jwt/v3 v3.1.0
 	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a
 	github.com/gogo/protobuf v1.3.2
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/golang/mock v1.5.0
 	github.com/marusama/semaphore/v2 v2.5.0
 	github.com/opentracing/opentracing-go v1.1.0

go.sum

@@ -28,8 +28,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cristalhq/jwt/v3 v3.1.0 h1:iLeL9VzB0SCtjCy9Kg53rMwTcrNm+GHyVcz2eUujz6s=
-github.com/cristalhq/jwt/v3 v3.1.0/go.mod h1:XOnIXst8ozq/esy5N1XOlSyQqBd+84fxJ99FK+1jgL8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -63,6 +61,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/gogo/status v1.1.0 h1:+eIkrewn5q6b30y+g/BJINVVdi2xH7je5MPJ3ZPK3JA=
 github.com/gogo/status v1.1.0/go.mod h1:BFv9nrluPLmrS0EmGVvLaPNmRosr9KapBYd5/hpY1WM=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=

internal/common/auth/service_wrapper.go

@@ -23,10 +23,10 @@ package auth
 import (
 	"context"
 
-	"go.uber.org/yarpc"
-
+	"github.com/golang-jwt/jwt/v5"
 	"go.uber.org/cadence/.gen/go/cadence/workflowserviceclient"
 	"go.uber.org/cadence/.gen/go/shared"
+	"go.uber.org/yarpc"
 )
 
 const (
@@ -45,11 +45,12 @@ type AuthorizationProvider interface {
 }
 
 type JWTClaims struct {
+	jwt.RegisteredClaims
+
 	Sub    string
 	Name   string
 	Groups string // separated by space
 	Admin  bool
-	Iat    int64
 	TTL    int64
 }
 

internal/jwt_authorization.go

@@ -23,12 +23,14 @@ package internal
 import (
 	"time"
 
-	"github.com/cristalhq/jwt/v3"
+	"github.com/golang-jwt/jwt/v5"
 
 	"go.uber.org/cadence/internal/common/auth"
 	"go.uber.org/cadence/internal/common/util"
 )
 
+const internalIssuer = "internal-jwt"
+
 type JWTAuthProvider struct {
 	PrivateKey []byte
 }
@@ -40,24 +42,28 @@ func NewAdminJwtAuthorizationProvider(privateKey []byte) auth.AuthorizationProvi
 }
 
 func (j *JWTAuthProvider) GetAuthToken() ([]byte, error) {
-	claims := auth.JWTClaims{
-		Admin: true,
-		Iat:   time.Now().Unix(),
-		TTL:   60 * 10,
-	}
 	key, err := util.LoadRSAPrivateKey(j.PrivateKey)
 	if err != nil {
 		return nil, err
 	}
-	signer, err := jwt.NewSignerRS(jwt.RS256, key)
-	if err != nil {
-		return nil, err
+
+	ttl := int64(60 * 10)
+	claims := auth.JWTClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    internalIssuer,
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * time.Duration(ttl))),
+		},
+		Admin: true,
+		TTL:   ttl, // keeping for backwards compatibility
 	}
-	builder := jwt.NewBuilder(signer)
-	token, err := builder.Build(claims)
-	if token == nil {
+
+	tokenString, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(key)
+
+	if err != nil {
 		return nil, err
 	}
 
-	return token.Raw(), nil
+	return []byte(tokenString), nil
+
 }

internal/jwt_authorization_test.go

@@ -21,60 +21,41 @@
 package internal
 
 import (
-	"encoding/json"
-	"io/ioutil"
+	"os"
 	"testing"
 
-	"github.com/cristalhq/jwt/v3"
-	"github.com/stretchr/testify/suite"
-
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
 	"go.uber.org/cadence/internal/common/auth"
 	"go.uber.org/cadence/internal/common/util"
 )
 
-type (
-	jwtAuthSuite struct {
-		suite.Suite
-		key []byte
-	}
-)
-
-func TestJWTAuthSuite(t *testing.T) {
-	suite.Run(t, new(jwtAuthSuite))
-}
-
-func (s *jwtAuthSuite) SetupTest() {
-	var err error
-	s.key, err = ioutil.ReadFile("./common/auth/credentials/keytest")
-	s.NoError(err)
-}
-
-func (s *jwtAuthSuite) TearDownTest() {
-}
-
-func (s *jwtAuthSuite) TestCorrectTokenCreation() {
-	authorizer := NewAdminJwtAuthorizationProvider(s.key)
+func TestCorrectTokenCreation(t *testing.T) {
+	key, err := os.ReadFile("./common/auth/credentials/keytest")
+	assert.NoError(t, err)
+	authorizer := NewAdminJwtAuthorizationProvider(key)
 	authToken, err := authorizer.GetAuthToken()
-	s.NoError(err)
+	assert.NoError(t, err)
 
-	// Decrypting token, it should be enough to make sure authtoken is not empty, this is one steap ahead of that
-	publicKeyStr, err := ioutil.ReadFile("./common/auth/credentials/keytest.pub")
-	s.NoError(err)
+	// Decrypting token, it should be enough to make sure authtoken is not empty, this is one step ahead of that
+	publicKeyStr, err := os.ReadFile("./common/auth/credentials/keytest.pub")
+	assert.NoError(t, err)
 	publicKey, err := util.LoadRSAPublicKey(publicKeyStr)
-	s.NoError(err)
-	verifier, err := jwt.NewVerifierRS(jwt.RS256, publicKey)
-	s.NoError(err)
-	token, err := jwt.ParseAndVerifyString(string(authToken), verifier)
-	s.NoError(err)
+	assert.NoError(t, err)
+	parser := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Name}))
 	var claims auth.JWTClaims
-	_ = json.Unmarshal(token.RawClaims(), &claims)
-	s.Equal(claims.Admin, true)
-	s.Equal(claims.Groups, "")
-	s.Equal(claims.TTL, int64(60*10))
-}
 
-func (s *jwtAuthSuite) TestIncorrectPrivateKeyForTokenCreation() {
+	_, err = parser.ParseWithClaims(string(authToken), &claims, func(token *jwt.Token) (interface{}, error) {
+		return publicKey, nil
+	})
+
+	assert.NoError(t, err)
+	assert.Equal(t, true, claims.Admin)
+	assert.Equal(t, "", claims.Groups)
+	assert.Equal(t, int64(60*10), claims.TTL)
+}
+func TestIncorrectPrivateKeyForTokenCreation(t *testing.T) {
 	authorizer := NewAdminJwtAuthorizationProvider([]byte{})
 	_, err := authorizer.GetAuthToken()
-	s.EqualError(err, "failed to parse PEM block containing the private key")
+	assert.EqualError(t, err, "failed to parse PEM block containing the private key")
 }