update to jwt v5 (crewjam#614)

* update to jwt v5

* chore

* chore

* fix feedback

Author: suqin-haha

go.mod

@@ -3,8 +3,8 @@ module github.com/crewjam/saml
 go 1.22
 
 require (
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/beevik/etree v1.5.0
-	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.7.0
 	github.com/mattermost/xml-roundtrip-validator v0.1.0
 	github.com/russellhaering/goxmldsig v1.4.0

go.sum

@@ -5,8 +5,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=

identity_provider_test.go

@@ -25,7 +25,6 @@ import (
 	"gotest.tools/golden"
 
 	"github.com/beevik/etree"
-	"github.com/golang-jwt/jwt/v4"
 	dsig "github.com/russellhaering/goxmldsig"
 
 	"github.com/crewjam/saml/logger"
@@ -104,7 +103,6 @@ func NewIdentityProviderTest(t *testing.T, opts ...idpTestOpts) *IdentityProvide
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
 	}
-	jwt.TimeFunc = TimeNow
 	RandReader = &testRandomReader{}                // TODO(ross): remove this and use the below generator
 	xmlenc.RandReader = rand.New(rand.NewSource(0)) //nolint:gosec  // deterministic random numbers for tests
 
@@ -485,7 +483,6 @@ func TestIDPCanValidate(t *testing.T) {
 			"</AuthnRequest>"),
 	}
 	assert.Check(t, is.Error(req.Validate(), "cannot find assertion consumer service: file does not exist"))
-
 }
 
 func TestIDPMakeAssertion(t *testing.T) {
@@ -592,94 +589,93 @@ func TestIDPMakeAssertion(t *testing.T) {
 	})
 	assert.Check(t, err)
 
-	expectedAttributes :=
-		[]Attribute{
-			{
-				FriendlyName: "uid",
-				Name:         "urn:oid:0.9.2342.19200300.100.1.1",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "alice",
-					},
+	expectedAttributes := []Attribute{
+		{
+			FriendlyName: "uid",
+			Name:         "urn:oid:0.9.2342.19200300.100.1.1",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "alice",
 				},
 			},
-			{
-				FriendlyName: "mail",
-				Name:         "urn:oid:0.9.2342.19200300.100.1.3",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "[email protected]",
-					},
+		},
+		{
+			FriendlyName: "mail",
+			Name:         "urn:oid:0.9.2342.19200300.100.1.3",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "[email protected]",
 				},
 			},
-			{
-				FriendlyName: "eduPersonPrincipalName",
-				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "[email protected]",
-					},
+		},
+		{
+			FriendlyName: "eduPersonPrincipalName",
+			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "[email protected]",
 				},
 			},
-			{
-				FriendlyName: "sn",
-				Name:         "urn:oid:2.5.4.4",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "Smith",
-					},
+		},
+		{
+			FriendlyName: "sn",
+			Name:         "urn:oid:2.5.4.4",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "Smith",
 				},
 			},
-			{
-				FriendlyName: "givenName",
-				Name:         "urn:oid:2.5.4.42",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "Alice",
-					},
+		},
+		{
+			FriendlyName: "givenName",
+			Name:         "urn:oid:2.5.4.42",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "Alice",
 				},
 			},
-			{
-				FriendlyName: "cn",
-				Name:         "urn:oid:2.5.4.3",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "Alice Smith",
-					},
+		},
+		{
+			FriendlyName: "cn",
+			Name:         "urn:oid:2.5.4.3",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "Alice Smith",
 				},
 			},
-			{
-				FriendlyName: "eduPersonAffiliation",
-				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
-				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
-				Values: []AttributeValue{
-					{
-						Type:  "xs:string",
-						Value: "Users",
-					},
-					{
-						Type:  "xs:string",
-						Value: "Administrators",
-					},
-					{
-						Type:  "xs:string",
-						Value: "♀",
-					},
+		},
+		{
+			FriendlyName: "eduPersonAffiliation",
+			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{
+				{
+					Type:  "xs:string",
+					Value: "Users",
+				},
+				{
+					Type:  "xs:string",
+					Value: "Administrators",
+				},
+				{
+					Type:  "xs:string",
+					Value: "♀",
 				},
 			},
-		}
+		},
+	}
 	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements[0].Attributes))
 }
 
@@ -1044,7 +1040,8 @@ func TestIDPRequestedAttributes(t *testing.T) {
 					},
 				},
 			},
-		}}}
+		},
+	}}
 	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements))
 }
 

samlidp/samlidp_test.go

@@ -16,8 +16,6 @@ import (
 	is "gotest.tools/assert/cmp"
 	"gotest.tools/golden"
 
-	"github.com/golang-jwt/jwt/v4"
-
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/logger"
 )
@@ -83,7 +81,6 @@ func NewServerTest(t *testing.T) *ServerTest {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
 	}
-	jwt.TimeFunc = saml.TimeNow
 	saml.RandReader = &testRandomReader{}
 
 	test.SPKey = mustParsePrivateKey(golden.Get(t, "sp_key.pem")).(*rsa.PrivateKey)

samlsp/middleware_test.go

@@ -17,7 +17,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
 	dsig "github.com/russellhaering/goxmldsig"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
@@ -55,7 +54,6 @@ func NewMiddlewareTest(t *testing.T) *MiddlewareTest {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05.999999999 MST 2006", "Mon Dec 1 01:57:09.123456789 UTC 2015")
 		return rv
 	}
-	jwt.TimeFunc = saml.TimeNow
 	saml.Clock = dsig.NewFakeClockAt(saml.TimeNow())
 	saml.RandReader = &testRandomReader{}
 
@@ -281,7 +279,7 @@ func TestMiddlewareRequireAccountBadCreds(t *testing.T) {
 
 func TestMiddlewareRequireAccountExpiredCreds(t *testing.T) {
 	test := NewMiddlewareTest(t)
-	jwt.TimeFunc = func() time.Time {
+	saml.TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 UTC 2006", "Mon Dec 1 01:31:21 UTC 2115")
 		return rv
 	}
@@ -306,7 +304,7 @@ func TestMiddlewareRequireAccountExpiredCreds(t *testing.T) {
 	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
 	assert.Check(t, err)
-	golden.Assert(t, string(decodedRequest), "expected_authn_request_secure.xml")
+	golden.Assert(t, strings.Replace(string(decodedRequest), `IssueInstant="2115-12-01T01:31:21Z"`, `IssueInstant="2015-12-01T01:57:09.123Z"`, 1), "expected_authn_request_secure.xml")
 }
 
 func TestMiddlewareRequireAccountPanicOnRequestToACS(t *testing.T) {
@@ -411,7 +409,8 @@ func TestMiddlewareCanParseResponse(t *testing.T) {
 	assert.Check(t, is.DeepEqual([]string{
 		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Path=/saml2/acs; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
 		"ttt=" + test.expectedSessionCookie + "; " +
-			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"},
+			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure",
+	},
 		resp.Header()["Set-Cookie"]))
 }
 

samlsp/new.go

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	dsig "github.com/russellhaering/goxmldsig"
 
 	"github.com/crewjam/saml"

samlsp/request_tracker_jwt.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/crewjam/saml"
 )
@@ -49,22 +49,19 @@ func (s JWTTrackedRequestCodec) Encode(value TrackedRequest) (string, error) {
 
 // Decode returns a Tracked request from an encoded string.
 func (s JWTTrackedRequestCodec) Decode(signed string) (*TrackedRequest, error) {
-	parser := jwt.Parser{
-		ValidMethods: []string{s.SigningMethod.Alg()},
-	}
+	parser := jwt.NewParser(
+		jwt.WithValidMethods([]string{s.SigningMethod.Alg()}),
+		jwt.WithTimeFunc(saml.TimeNow),
+		jwt.WithAudience(s.Audience),
+		jwt.WithIssuer(s.Issuer),
+	)
 	claims := JWTTrackedRequestClaims{}
 	_, err := parser.ParseWithClaims(signed, &claims, func(*jwt.Token) (interface{}, error) {
 		return s.Key.Public(), nil
 	})
 	if err != nil {
 		return nil, err
 	}
-	if !claims.VerifyAudience(s.Audience, true) {
-		return nil, fmt.Errorf("expected audience %q, got %q", s.Audience, claims.Audience)
-	}
-	if !claims.VerifyIssuer(s.Issuer, true) {
-		return nil, fmt.Errorf("expected issuer %q, got %q", s.Issuer, claims.Issuer)
-	}
 	if !claims.SAMLAuthnRequest {
 		return nil, fmt.Errorf("expected saml-authn-request")
 	}

samlsp/session_jwt.go

@@ -3,10 +3,9 @@ package samlsp
 import (
 	"crypto"
 	"errors"
-	"fmt"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/crewjam/saml"
 )
@@ -35,11 +34,11 @@ func (c JWTSessionCodec) New(assertion *saml.Assertion) (Session, error) {
 	now := saml.TimeNow()
 	claims := JWTSessionClaims{}
 	claims.SAMLSession = true
-	claims.Audience = c.Audience
+	claims.Audience = jwt.ClaimStrings{c.Audience}
 	claims.Issuer = c.Issuer
-	claims.IssuedAt = now.Unix()
-	claims.ExpiresAt = now.Add(c.MaxAge).Unix()
-	claims.NotBefore = now.Unix()
+	claims.IssuedAt = jwt.NewNumericDate(now)
+	claims.ExpiresAt = jwt.NewNumericDate(now.Add(c.MaxAge))
+	claims.NotBefore = jwt.NewNumericDate(now)
 
 	if sub := assertion.Subject; sub != nil {
 		if nameID := sub.NameID; nameID != nil {
@@ -89,9 +88,12 @@ func (c JWTSessionCodec) Encode(s Session) (string, error) {
 // Decode parses the serialized session that may have been returned by Encode
 // and returns a Session.
 func (c JWTSessionCodec) Decode(signed string) (Session, error) {
-	parser := jwt.Parser{
-		ValidMethods: []string{c.SigningMethod.Alg()},
-	}
+	parser := jwt.NewParser(
+		jwt.WithValidMethods([]string{c.SigningMethod.Alg()}),
+		jwt.WithTimeFunc(saml.TimeNow),
+		jwt.WithAudience(c.Audience),
+		jwt.WithIssuer(c.Issuer),
+	)
 	claims := JWTSessionClaims{}
 	_, err := parser.ParseWithClaims(signed, &claims, func(*jwt.Token) (interface{}, error) {
 		return c.Key.Public(), nil
@@ -100,12 +102,6 @@ func (c JWTSessionCodec) Decode(signed string) (Session, error) {
 	if err != nil {
 		return nil, err
 	}
-	if !claims.VerifyAudience(c.Audience, true) {
-		return nil, fmt.Errorf("expected audience %q, got %q", c.Audience, claims.Audience)
-	}
-	if !claims.VerifyIssuer(c.Issuer, true) {
-		return nil, fmt.Errorf("expected issuer %q, got %q", c.Issuer, claims.Issuer)
-	}
 	if !claims.SAMLSession {
 		return nil, errors.New("expected saml-session")
 	}
@@ -114,7 +110,7 @@ func (c JWTSessionCodec) Decode(signed string) (Session, error) {
 
 // JWTSessionClaims represents the JWT claims in the encoded session
 type JWTSessionClaims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	Attributes  Attributes `json:"attr"`
 	SAMLSession bool       `json:"saml-session"`
 }