Merge pull request #213 from mimiro-io/feat/UAO-197_new_token_validation

UAO-197: Add support for Hydra HMAC tokens. Upgrade to golang-jwt v4.

go.mod

@@ -10,10 +10,9 @@ require (
 	github.com/dgraph-io/badger/v3 v3.2103.5
 	github.com/dop251/goja v1.0.0
 	github.com/franela/goblin v0.0.0-20211003143422-0a4f594942bf
-	github.com/goburrow/cache v0.1.4
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gojektech/heimdall/v6 v6.1.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/uuid v1.3.0
 	github.com/juliangruber/go-intersect v1.1.0
 	github.com/labstack/echo/v4 v4.10.2
@@ -29,21 +28,27 @@ require (
 
 replace github.com/dop251/goja => github.com/mimiro-io/goja v1.0.0
 
-require github.com/pkg/errors v0.9.1
+require (
+	github.com/lestrrat-go/jwx/v2 v2.0.9
+	github.com/pkg/errors v0.9.1
+)
 
 require (
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dlclark/regexp2 v1.8.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gojektech/valkyrie v0.0.0-20190210220504-8f62c1e7ba45 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -53,11 +58,15 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.16.0 // indirect
 	github.com/labstack/gommon v0.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/afero v1.9.4 // indirect
@@ -73,14 +82,13 @@ require (
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/dig v1.16.1 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

internal/security/claims.go

@@ -15,18 +15,23 @@
 package security
 
 import (
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"strings"
 )
 
 type CustomClaims struct {
-	Scope string   `json:"scope"`
-	Gty   string   `json:"gty"`
-	Adm   bool     `json:"adm"`
-	Roles []string `json:"roles"`
-	jwt.StandardClaims
+	Scope    string   `json:"scope"`
+	Scp      []string `json:"scp"`
+	Gty      string   `json:"gty"`
+	Adm      bool     `json:"adm"`
+	Roles    []string `json:"roles"`
+	ClientId string   `json:"client_id"`
+	jwt.RegisteredClaims
 }
 
 func (claims CustomClaims) Scopes() []string {
-	return strings.Split(claims.Scope, ",")
+	if claims.Scope != "" {
+		return strings.Split(claims.Scope, ",")
+	}
+	return claims.Scp
 }

internal/security/manager.go

@@ -27,7 +27,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
 	"github.com/mimiro-io/datahub/internal/conf"
 	"github.com/mimiro-io/datahub/internal/server"
@@ -311,11 +311,11 @@ func (serviceCore *ServiceCore) loadAcls() error {
 func CreateJWTForTokenRequest(subject string, audience string, privateKey *rsa.PrivateKey) (string, error) {
 	uniqueId := uuid.New()
 
-	claims := jwt.StandardClaims{
-		ExpiresAt: time.Now().Add(time.Minute * 1).Unix(),
-		Id:        uniqueId.String(),
+	claims := jwt.RegisteredClaims{
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 1)),
+		ID:        uniqueId.String(),
 		Subject:   subject,
-		Audience:  audience,
+		Audience:  jwt.ClaimStrings{audience},
 	}
 
 	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(privateKey)
@@ -412,11 +412,11 @@ func (serviceCore *ServiceCore) MakeAdminJWT(clientKey string, clientSecret stri
 
 	claims := CustomClaims{}
 	claims.Roles = roles
-	claims.StandardClaims =
-		jwt.StandardClaims{
-			ExpiresAt: time.Now().Add(time.Minute * 15).Unix(),
+	claims.RegisteredClaims =
+		jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 15)),
 			Issuer:    "node:" + serviceCore.NodeInfo.NodeId,
-			Audience:  "node:" + serviceCore.NodeInfo.NodeId,
+			Audience:  jwt.ClaimStrings{"node:" + serviceCore.NodeInfo.NodeId},
 			Subject:   clientKey,
 		}
 
@@ -430,18 +430,18 @@ func (serviceCore *ServiceCore) MakeAdminJWT(clientKey string, clientSecret stri
 
 func (serviceCore *ServiceCore) ValidateClientJWTMakeJWTAccessToken(clientJWT string) (string, error) {
 	// parse without key to get subject
-	token, err := jwt.ParseWithClaims(clientJWT, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+	token, err := jwt.ParseWithClaims(clientJWT, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
 		return []byte(""), nil
 	})
 
-	clientClaims := token.Claims.(*jwt.StandardClaims)
+	clientClaims := token.Claims.(*jwt.RegisteredClaims)
 	var clientId = clientClaims.Subject
 
 	client, _ := serviceCore.clients.Load(clientId)
 	clientPublicKey, err := ParseRsaPublicKeyFromPem(client.(*ClientInfo).PublicKey)
 
 	// parse again with key
-	token, err = jwt.ParseWithClaims(clientJWT, &jwt.StandardClaims{}, func(token *jwt.Token) (interface{}, error) {
+	token, err = jwt.ParseWithClaims(clientJWT, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
 		return clientPublicKey, nil
 	})
 
@@ -460,11 +460,11 @@ func (serviceCore *ServiceCore) ValidateClientJWTMakeJWTAccessToken(clientJWT st
 	// add in roles in config
 	claims := CustomClaims{}
 	claims.Roles = roles
-	claims.StandardClaims =
-		jwt.StandardClaims{
-			ExpiresAt: time.Now().Add(time.Minute * 15).Unix(),
+	claims.RegisteredClaims =
+		jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 15)),
 			Issuer:    "node:" + serviceCore.NodeInfo.NodeId,
-			Audience:  "node:" + serviceCore.NodeInfo.NodeId,
+			Audience:  jwt.ClaimStrings{"node:" + serviceCore.NodeInfo.NodeId},
 			Subject:   clientId,
 		}
 

internal/security/nodeprovider.go

@@ -17,7 +17,7 @@ package security
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"go.uber.org/zap"
 	"io/ioutil"
 	"net/http"
@@ -61,7 +61,7 @@ func (nodeTokenProvider *NodeJwtBearerProvider) getToken() (string, error) {
 			return "", err
 		}
 		nodeTokenProvider.cache = &cache{
-			until: time.Unix(0, token.Claims.(*CustomClaims).ExpiresAt),
+			until: token.Claims.(*CustomClaims).ExpiresAt.Time,
 			token: token.Raw,
 		}
 	}

internal/web/datasethandler.go

@@ -20,7 +20,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/mimiro-io/datahub/internal/security"
 	"github.com/mimiro-io/datahub/internal/service/types"
 	"io"