bump go-jose to v2.6.0

Update go-jose from v2.2.2 to v2.6.0. This is to make the kubernetes code compatible with newer go-jose versions that have a small breaking change (`jwt.NewNumericDate()` returns a pointer). Signed-off-by: Max Goltzsche <[email protected]>
catandcoder · Mar 2, 2023 · df8fa2e · df8fa2e
1 parent bb8e9f3
commit df8fa2e
Show file tree

Hide file tree

Showing 30 changed files with 641 additions and 174 deletions.
diff --git a/go.mod b/go.mod
@@ -90,7 +90,7 @@ require (
 	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/gcfg.v1 v1.2.0
-	gopkg.in/square/go-jose.v2 v2.2.2
+	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.0.0

diff --git a/go.sum b/go.sum
@@ -1220,8 +1220,8 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA=
-gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/warnings.v0 v0.1.1 h1:XM28wIgFzaBmeZ5dNHIpWLQpt/9DGKxk+rCg/22nnYE=
 gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=

diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go
@@ -46,11 +46,11 @@ type privateClaims struct {
 }
 
 type kubernetes struct {
-	Namespace string          `json:"namespace,omitempty"`
-	Svcacct   ref             `json:"serviceaccount,omitempty"`
-	Pod       *ref            `json:"pod,omitempty"`
-	Secret    *ref            `json:"secret,omitempty"`
-	WarnAfter jwt.NumericDate `json:"warnafter,omitempty"`
+	Namespace string           `json:"namespace,omitempty"`
+	Svcacct   ref              `json:"serviceaccount,omitempty"`
+	Pod       *ref             `json:"pod,omitempty"`
+	Secret    *ref             `json:"secret,omitempty"`
+	WarnAfter *jwt.NumericDate `json:"warnafter,omitempty"`
 }
 
 type ref struct {
@@ -198,7 +198,7 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
 
 	// Check special 'warnafter' field for projected service account token transition.
 	warnafter := private.Kubernetes.WarnAfter
-	if warnafter != 0 {
+	if warnafter != nil {
 		if nowTime.After(warnafter.Time()) {
 			secondsAfterWarn := nowTime.Unix() - warnafter.Time().Unix()
 			auditInfo := fmt.Sprintf("subject: %s, seconds after warning threshold: %d", public.Subject, secondsAfterWarn)

diff --git a/pkg/serviceaccount/claims_test.go b/pkg/serviceaccount/claims_test.go
@@ -85,9 +85,9 @@ func TestClaims(t *testing.T) {
 
 			sc: &jwt.Claims{
 				Subject:   "system:serviceaccount:myns:mysvcacct",
-				IssuedAt:  jwt.NumericDate(1514764800),
-				NotBefore: jwt.NumericDate(1514764800),
-				Expiry:    jwt.NumericDate(1514764800),
+				IssuedAt:  jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				Expiry:    jwt.NewNumericDate(time.Unix(1514764800, 0)),
 			},
 			pc: &privateClaims{
 				Kubernetes: kubernetes{
@@ -107,9 +107,9 @@ func TestClaims(t *testing.T) {
 
 			sc: &jwt.Claims{
 				Subject:   "system:serviceaccount:myns:mysvcacct",
-				IssuedAt:  jwt.NumericDate(1514764800),
-				NotBefore: jwt.NumericDate(1514764800),
-				Expiry:    jwt.NumericDate(1514764800 + 100),
+				IssuedAt:  jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				Expiry:    jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
 			},
 			pc: &privateClaims{
 				Kubernetes: kubernetes{
@@ -130,9 +130,9 @@ func TestClaims(t *testing.T) {
 			sc: &jwt.Claims{
 				Subject:   "system:serviceaccount:myns:mysvcacct",
 				Audience:  []string{"1"},
-				IssuedAt:  jwt.NumericDate(1514764800),
-				NotBefore: jwt.NumericDate(1514764800),
-				Expiry:    jwt.NumericDate(1514764800 + 100),
+				IssuedAt:  jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				Expiry:    jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
 			},
 			pc: &privateClaims{
 				Kubernetes: kubernetes{
@@ -152,9 +152,9 @@ func TestClaims(t *testing.T) {
 			sc: &jwt.Claims{
 				Subject:   "system:serviceaccount:myns:mysvcacct",
 				Audience:  []string{"1", "2"},
-				IssuedAt:  jwt.NumericDate(1514764800),
-				NotBefore: jwt.NumericDate(1514764800),
-				Expiry:    jwt.NumericDate(1514764800 + 100),
+				IssuedAt:  jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				Expiry:    jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
 			},
 			pc: &privateClaims{
 				Kubernetes: kubernetes{
@@ -175,16 +175,16 @@ func TestClaims(t *testing.T) {
 
 			sc: &jwt.Claims{
 				Subject:   "system:serviceaccount:myns:mysvcacct",
-				IssuedAt:  jwt.NumericDate(1514764800),
-				NotBefore: jwt.NumericDate(1514764800),
-				Expiry:    jwt.NumericDate(1514764800 + 60*60*24),
+				IssuedAt:  jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+				Expiry:    jwt.NewNumericDate(time.Unix(1514764800+60*60*24, 0)),
 			},
 			pc: &privateClaims{
 				Kubernetes: kubernetes{
 					Namespace: "myns",
 					Svcacct:   ref{Name: "mysvcacct", UID: "mysvcacct-uid"},
 					Pod:       &ref{Name: "mypod", UID: "mypod-uid"},
-					WarnAfter: jwt.NumericDate(1514764800 + 60*60),
+					WarnAfter: jwt.NewNumericDate(time.Unix(1514764800+60*60, 0)),
 				},
 			},
 		},
@@ -276,14 +276,14 @@ func TestValidatePrivateClaims(t *testing.T) {
 			name:      "expired",
 			getter:    fakeGetter{serviceAccount, nil, nil},
 			private:   &privateClaims{Kubernetes: kubernetes{Svcacct: ref{Name: "saname", UID: "sauid"}, Namespace: "ns"}},
-			expiry:    jwt.NewNumericDate(now().Add(-1_000 * time.Hour)),
+			expiry:    *jwt.NewNumericDate(now().Add(-1_000 * time.Hour)),
 			expectErr: "service account token has expired",
 		},
 		{
 			name:      "not yet valid",
 			getter:    fakeGetter{serviceAccount, nil, nil},
 			private:   &privateClaims{Kubernetes: kubernetes{Svcacct: ref{Name: "saname", UID: "sauid"}, Namespace: "ns"}},
-			notBefore: jwt.NewNumericDate(now().Add(1_000 * time.Hour)),
+			notBefore: *jwt.NewNumericDate(now().Add(1_000 * time.Hour)),
 			expectErr: "service account token is not valid yet",
 		},
 		{
@@ -369,7 +369,7 @@ func TestValidatePrivateClaims(t *testing.T) {
 			if tc.expiry != 0 {
 				expiry = tc.expiry
 			}
-			_, err := v.Validate(context.Background(), "", &jwt.Claims{Expiry: expiry, NotBefore: tc.notBefore}, tc.private)
+			_, err := v.Validate(context.Background(), "", &jwt.Claims{Expiry: &expiry, NotBefore: &tc.notBefore}, tc.private)
 			if len(tc.expectErr) > 0 {
 				if errStr := errString(err); tc.expectErr != errStr {
 					t.Fatalf("expected error %q but got %q", tc.expectErr, errStr)

diff --git a/pkg/serviceaccount/openidmetadata_test.go b/pkg/serviceaccount/openidmetadata_test.go
@@ -135,18 +135,22 @@ func TestServeKeys(t *testing.T) {
 			},
 			WantKeys: []jose.JSONWebKey{
 				{
-					Algorithm:    "RS256",
-					Key:          wantPubRSA,
-					KeyID:        rsaKeyID,
-					Use:          "sig",
-					Certificates: []*x509.Certificate{},
+					Algorithm:                   "RS256",
+					Key:                         wantPubRSA,
+					KeyID:                       rsaKeyID,
+					Use:                         "sig",
+					Certificates:                []*x509.Certificate{},
+					CertificateThumbprintSHA1:   []uint8{},
+					CertificateThumbprintSHA256: []uint8{},
 				},
 				{
-					Algorithm:    "ES256",
-					Key:          wantPubECDSA,
-					KeyID:        ecdsaKeyID,
-					Use:          "sig",
-					Certificates: []*x509.Certificate{},
+					Algorithm:                   "ES256",
+					Key:                         wantPubECDSA,
+					KeyID:                       ecdsaKeyID,
+					Use:                         "sig",
+					Certificates:                []*x509.Certificate{},
+					CertificateThumbprintSHA1:   []uint8{},
+					CertificateThumbprintSHA256: []uint8{},
 				},
 			},
 		},
@@ -158,18 +162,22 @@ func TestServeKeys(t *testing.T) {
 			},
 			WantKeys: []jose.JSONWebKey{
 				{
-					Algorithm:    "RS256",
-					Key:          wantPubRSA,
-					KeyID:        rsaKeyID,
-					Use:          "sig",
-					Certificates: []*x509.Certificate{},
+					Algorithm:                   "RS256",
+					Key:                         wantPubRSA,
+					KeyID:                       rsaKeyID,
+					Use:                         "sig",
+					Certificates:                []*x509.Certificate{},
+					CertificateThumbprintSHA1:   []uint8{},
+					CertificateThumbprintSHA256: []uint8{},
 				},
 				{
-					Algorithm:    "ES256",
-					Key:          wantPubECDSA,
-					KeyID:        ecdsaKeyID,
-					Use:          "sig",
-					Certificates: []*x509.Certificate{},
+					Algorithm:                   "ES256",
+					Key:                         wantPubECDSA,
+					KeyID:                       ecdsaKeyID,
+					Use:                         "sig",
+					Certificates:                []*x509.Certificate{},
+					CertificateThumbprintSHA1:   []uint8{},
+					CertificateThumbprintSHA256: []uint8{},
 				},
 			},
 		},

diff --git a/staging/src/k8s.io/apiserver/go.mod b/staging/src/k8s.io/apiserver/go.mod
@@ -41,7 +41,7 @@ require (
 	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
-	gopkg.in/square/go-jose.v2 v2.2.2
+	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0

diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum
diff --git a/staging/src/k8s.io/cluster-bootstrap/go.mod b/staging/src/k8s.io/cluster-bootstrap/go.mod
@@ -6,7 +6,7 @@ go 1.19
 
 require (
 	github.com/stretchr/testify v1.8.1
-	gopkg.in/square/go-jose.v2 v2.2.2
+	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/klog/v2 v2.90.1

diff --git a/staging/src/k8s.io/cluster-bootstrap/go.sum b/staging/src/k8s.io/cluster-bootstrap/go.sum
diff --git a/test/integration/auth/svcaccttoken_test.go b/test/integration/auth/svcaccttoken_test.go
@@ -446,8 +446,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 
 		// Give some tolerance to avoid flakiness since we are using real time.
 		var leeway int64 = 2
-		actualExpiry := jwt.NewNumericDate(time.Now().Add(time.Duration(24*365) * time.Hour))
-		assumedExpiry := jwt.NewNumericDate(time.Now().Add(time.Duration(requestExp) * time.Second))
+		actualExpiry := *jwt.NewNumericDate(time.Now().Add(time.Duration(24*365) * time.Hour))
+		assumedExpiry := *jwt.NewNumericDate(time.Now().Add(time.Duration(requestExp) * time.Second))
 		exp, err := strconv.ParseInt(getSubObject(t, getPayload(t, treq.Status.Token), "exp"), 10, 64)
 		if err != nil {
 			t.Fatalf("error parsing exp: %v", err)
@@ -500,8 +500,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 
 		// Give some tolerance to avoid flakiness since we are using real time.
 		var leeway int64 = 10
-		actualExpiry := jwt.NewNumericDate(time.Now().Add(time.Duration(60*60) * time.Second))
-		assumedExpiry := jwt.NewNumericDate(time.Now().Add(time.Duration(requestExp) * time.Second))
+		actualExpiry := *jwt.NewNumericDate(time.Now().Add(time.Duration(60*60) * time.Second))
+		assumedExpiry := *jwt.NewNumericDate(time.Now().Add(time.Duration(requestExp) * time.Second))
 
 		warnAfter := getSubObject(t, getPayload(t, treq.Status.Token), "kubernetes.io", "warnafter")
 		if warnAfter != "null" {

diff --git a/vendor/gopkg.in/square/go-jose.v2/.gitignore b/vendor/gopkg.in/square/go-jose.v2/.gitignore
diff --git a/vendor/gopkg.in/square/go-jose.v2/.travis.yml b/vendor/gopkg.in/square/go-jose.v2/.travis.yml
diff --git a/vendor/gopkg.in/square/go-jose.v2/asymmetric.go b/vendor/gopkg.in/square/go-jose.v2/asymmetric.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go