Merge pull request #424 from jhernand/use_jwt_fork

jhernand · web-flow · commit 624dde3035a7 · 2021-08-10T10:17:40.000+02:00
Use `golang-jwt/jwt` instead of `dgrijalva/jwt-go`
diff --git a/CHANGES.adoc b/CHANGES.adoc
@@ -3,6 +3,32 @@
 This document describes the relevant changes between releases of the OCM API
 SDK.
 
+== 0.1.199 TBD
+
+- Use `golang-jwt/jwt` instead of `dgrijalva/jwt-go`.
++
+The `dgrijalva/jwt-go` library is no longer maintained and `golang-jwt/jwt` is
+a community maintained fork. See https://github.com/dgrijalva/jwt-go/issues/462
+for detailts.
++
+Parts of the public interface of the SDK use this library, so this is a
+backwards compatibility breaking change. Projects using the SDK will need to
+switch to the new library, specially if they are using the
+`context.ContextWithToken` or `context.TokenFromContext` functions. The change
+should only require changing the import paths, as the fork is fully compatible
+with the original library.
++
+A simple way to do the required changes is the following command:
++
+....
+$ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|'
+....
++
+This also addresses
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160[CVE-2020-26160],
+but that vulnerability doesn't currently affect the SDK because the
+authentication handler doesn't use the `aud` claim.
+
 == 0.1.198 Aug 03 2021
 
 - Update model to v0.0.139:
diff --git a/authentication/context.go b/authentication/context.go
@@ -22,7 +22,7 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 )
 
 // ContextWithToken creates a new context containing the given token.
diff --git a/authentication/handler.go b/authentication/handler.go
@@ -35,8 +35,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
 	"github.com/ghodss/yaml"
+	"github.com/golang-jwt/jwt"
 
 	"github.com/openshift-online/ocm-sdk-go/errors"
 	"github.com/openshift-online/ocm-sdk-go/logging"
diff --git a/authentication/handler_test.go b/authentication/handler_test.go
@@ -25,7 +25,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"                         // nolint
diff --git a/authentication/helpers.go b/authentication/helpers.go
@@ -22,7 +22,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 )
 
 // tokenRemaining determines if the given token will eventually expire (offile access tokens, for
diff --git a/authentication/transport_wrapper.go b/authentication/transport_wrapper.go
@@ -35,7 +35,7 @@ import (
 
 	//
 	"github.com/cenkalti/backoff/v4"
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt"
 	"github.com/openshift-online/ocm-sdk-go/internal"
 	"github.com/openshift-online/ocm-sdk-go/logging"
 	"github.com/prometheus/client_golang/prometheus"
diff --git a/go.mod b/go.mod
@@ -4,8 +4,8 @@ go 1.14
 
 require (
 	github.com/cenkalti/backoff/v4 v4.0.0
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/ghodss/yaml v1.0.0
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/google/uuid v1.2.0
 	github.com/jackc/pgconn v1.9.0
diff --git a/go.sum b/go.sum
@@ -101,6 +101,8 @@ github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
diff --git a/testing/tokens.go b/testing/tokens.go
@@ -24,7 +24,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 
 	. "github.com/onsi/gomega" // nolint
 )

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ import (`
`22`	`22`	`"context"`
`23`	`23`	`"fmt"`
`24`	`24`
`25`		`- "github.com/dgrijalva/jwt-go"`
	`25`	`+ "github.com/golang-jwt/jwt"`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`// ContextWithToken creates a new context containing the given token.`
-Original file line number
+Diff line change
 require (
 	github.com/cenkalti/backoff/v4 v4.0.0
 -	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/ghodss/yaml v1.0.0
 +	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/google/uuid v1.2.0
 	github.com/jackc/pgconn v1.9.0
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ import (`
`24`	`24`	`"net/http"`
`25`	`25`	`"time"`
`26`	`26`
`27`		`- "github.com/dgrijalva/jwt-go"`
	`27`	`+ "github.com/golang-jwt/jwt"`
`28`	`28`
`29`	`29`	`. "github.com/onsi/gomega" // nolint`
`30`	`30`	`)`