Merge pull request #130 from ldsec/go1.15

Getting ready for v3.0.0 release
ldsec · Dec 16, 2021 · 16e723e · 16e723e
2 parents 9cabcdd + f97ce16
commit 16e723e
Show file tree

Hide file tree

Showing 7 changed files with 189 additions and 112 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.14'
+          go-version: '1.15'
       - run: go version
 
       - name: Checkout code

diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 MEDCO_VERSION := $(shell scripts/version.sh)
-GB_VERSION := v2.0.1
+GB_VERSION := v3.0.0
 
 # test commands
 .PHONY: test test_go_fmt test_go_lint test_codecov_unit test_codecov_e2e

diff --git a/build/package/medco/Dockerfile b/build/package/medco/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14 as build
+FROM golang:1.15 as build
 ARG MEDCO_VERSION=dev
 
 COPY ./ /src

diff --git a/connector/util/server/oidc_provider.go b/connector/util/server/oidc_provider.go
@@ -1,6 +1,7 @@
 package utilserver
 
 import (
+	"context"
 	"errors"
 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/lestrrat-go/jwx/jws"
@@ -33,19 +34,20 @@ type oidcProvider struct {
 
 	// cachedJWKSet is the cached set of keys used to establish the trust with the identity provider,
 	// valid until cachedJWKSetExpiration
-	cachedJWKSet *jwk.Set
+	cachedJWKSet jwk.Set
 
 	// cachedJWKSetExpiration is the expiration time of cachedJWKSet
 	cachedJWKSetExpiration time.Time
 }
 
 // retrieveJWKSets retrieves the JWK set (live or from cache if TTL not expired) and cache it
-func (oidcProvider *oidcProvider) retrieveJWKSet() (keySet *jwk.Set, err error) {
+func (oidcProvider *oidcProvider) retrieveJWKSet() (keySet jwk.Set, err error) {
 
 	if oidcProvider.cachedJWKSet == nil || oidcProvider.cachedJWKSetExpiration.Before(time.Now()) {
 
 		// fetch jwks with custom client to enforce timeout
 		oidcProvider.cachedJWKSet, err = jwk.Fetch(
+			context.Background(),
 			oidcProvider.JwksURL,
 			jwk.WithHTTPClient(&http.Client{
 				Timeout: JwksTimeout,
@@ -82,7 +84,7 @@ func verifyTokenWithJWKSets(token string) (tokenPayload []byte, matchingProvider
 			}
 
 			// signature verification attempt
-			if attemptedTokenPayload, err := jws.VerifyWithJWKSet([]byte(token), keySet, nil); err == nil {
+			if attemptedTokenPayload, err := jws.VerifySet([]byte(token), keySet); err == nil {
 				logrus.Info("Token validation successful with provider: ", provider.JwksURL)
 				if tokenPayload != nil || matchingProvider != nil {
 					logrus.Warn("More than one OIDC provider matches")

diff --git a/connector/util/server/security.go b/connector/util/server/security.go
@@ -1,7 +1,6 @@
 package utilserver
 
 import (
-	"encoding/json"
 	"errors"
 	"github.com/ldsec/medco/connector/restapi/models"
 	"github.com/lestrrat-go/jwx/jwt"
@@ -31,19 +30,14 @@ func AuthenticateUser(token string) (user *models.User, err error) {
 	}
 
 	// parse and validate claims
-	var parsedToken jwt.Token
-	if err = json.Unmarshal(tokenPayload, &parsedToken); err != nil {
-		logrus.Warn("authentication failed (token parsing error): ", err)
-		return
-	}
-
-	err = parsedToken.Verify(
+	parsedToken, err := jwt.Parse(
+		tokenPayload,
 		jwt.WithIssuer(matchingProvider.JwtIssuer),
 		jwt.WithAudience(matchingProvider.ClientID),
 		jwt.WithAcceptableSkew(matchingProvider.JwtAcceptableSkew),
 	)
 	if err != nil {
-		logrus.Warn("authentication failed (invalid claim): ", err)
+		logrus.Warn("authentication failed): ", err)
 		return
 	}
 
@@ -59,12 +53,12 @@ func AuthenticateUser(token string) (user *models.User, err error) {
 	}
 
 	// extract user authorizations
-	user.Authorizations, err = extractAuthorizationsFromToken(&parsedToken, matchingProvider)
+	user.Authorizations, err = extractAuthorizationsFromToken(parsedToken, matchingProvider)
 	return
 }
 
 // extractAuthorizationsFromToken parsed the token to extract the user's authorizations
-func extractAuthorizationsFromToken(token *jwt.Token, provider *oidcProvider) (ua *models.UserAuthorizations, err error) {
+func extractAuthorizationsFromToken(token jwt.Token, provider *oidcProvider) (ua *models.UserAuthorizations, err error) {
 
 	// retrieve roles, within the keycloak pre-determined structure (this is ugly)
 	var extractedRoles []string

diff --git a/go.mod b/go.mod
@@ -1,39 +1,38 @@
 module github.com/ldsec/medco
 
 require (
-	github.com/BurntSushi/toml v0.3.1
-	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
-	github.com/daviddengcn/go-colortext v1.0.0 // indirect
+	github.com/BurntSushi/toml v0.4.1
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/fanliao/go-concurrentMap v0.0.0-20141114143905-7d2d7a5ea67b
-	github.com/go-openapi/errors v0.19.7
-	github.com/go-openapi/loads v0.19.5
-	github.com/go-openapi/runtime v0.19.22
-	github.com/go-openapi/spec v0.19.9
-	github.com/go-openapi/strfmt v0.19.5
-	github.com/go-openapi/swag v0.19.9
-	github.com/go-openapi/validate v0.19.11
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/jessevdk/go-flags v1.4.0
-	github.com/ldsec/unlynx v1.4.1
-	github.com/lestrrat-go/jwx v0.9.0
-	github.com/lib/pq v1.8.0
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mitchellh/mapstructure v1.3.3 // indirect
+	github.com/go-openapi/analysis v0.21.1 // indirect
+	github.com/go-openapi/errors v0.20.1
+	github.com/go-openapi/loads v0.21.0
+	github.com/go-openapi/runtime v0.21.0
+	github.com/go-openapi/spec v0.20.4
+	github.com/go-openapi/strfmt v0.21.1
+	github.com/go-openapi/swag v0.19.15
+	github.com/go-openapi/validate v0.20.3
+	github.com/go-stack/stack v1.8.1 // indirect
+	github.com/jessevdk/go-flags v1.5.0
+	github.com/ldsec/unlynx v1.4.3
+	github.com/lestrrat-go/jwx v1.2.13
+	github.com/lib/pq v1.10.4
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/r0fls/gostats v0.0.0-20180711082619-e793b1fda35c
-	github.com/sirupsen/logrus v1.6.0
-	github.com/smartystreets/goconvey v1.6.4 // indirect
-	github.com/stretchr/testify v1.6.1
-	github.com/urfave/cli v1.22.4
-	go.dedis.ch/kyber/v3 v3.0.12
-	go.dedis.ch/onet/v3 v3.2.0
-	go.etcd.io/bbolt v1.3.5 // indirect
-	go.mongodb.org/mongo-driver v1.5.1 // indirect
-	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
-	golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c
-	golang.org/x/text v0.3.7 // indirect
+	github.com/sirupsen/logrus v1.8.1
+	github.com/stretchr/testify v1.7.0
+	github.com/urfave/cli v1.22.5
+	go.dedis.ch/kyber/v3 v3.0.13
+	go.dedis.ch/onet/v3 v3.2.10
+	go.mongodb.org/mongo-driver v1.8.1 // indirect
+	golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b // indirect
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63
+	golang.org/x/sys v0.0.0-20211214170744-3b038e5940ed // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )
 
-go 1.14
+go 1.15