fix(deps): update module github.com/micahparks/keyfunc/v2 to v3 (#213)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/MicahParks/keyfunc/v2](https://togithub.com/MicahParks/keyfunc) | `v2.1.0` -> `v3.3.2` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v2.1.0/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v2.1.0/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>MicahParks/keyfunc (github.com/MicahParks/keyfunc/v2)</summary> ### [`v3.3.2`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.3.2): Allow for user provided ctx during parse [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.3.1...v3.3.2) The purpose of this release is to add a new method, `.KeyfuncCtx`. This new method accepts a `context.Context`, then returns a `jwt.Keyfunc`. This user provided `context.Context` is used during JWK lookup in the `github.com/MicahParks/jwkset` package when parsing JWTs. Passing a request scoped context allows the JWT parsing and JWK retrieval to cancel according to the given `context.Context` behavior instead of the default `context.Context`, which was provided at `keyfunc.Keyfunc` initialization. In practice, this is used to prevent situations where many JWTs with `kid` not in a remote JWK Set are attempting to be parsed over a long period of time. Relevant issues: - [MicahParks/jwkset#26 Relevant pull requests: - [MicahParks/keyfunc#118 - [MicahParks/keyfunc#119 - [MicahParks/keyfunc#120 - [MicahParks/keyfunc#121 ### [`v3.3.1`](https://togithub.com/MicahParks/keyfunc/compare/v3.3.0...v3.3.1) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.3.0...v3.3.1) ### [`v3.3.0`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.9...v3.3.0) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.9...v3.3.0) ### [`v3.2.9`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.8...v3.2.9) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.8...v3.2.9) ### [`v3.2.8`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.7...v3.2.8) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.7...v3.2.8) ### [`v3.2.7`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.6...v3.2.7) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.6...v3.2.7) ### [`v3.2.6`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.5...v3.2.6) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.5...v3.2.6) ### [`v3.2.5`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.4...v3.2.5) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.4...v3.2.5) ### [`v3.2.4`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.3...v3.2.4) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.3...v3.2.4) ### [`v3.2.3`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.2.3): Wrap errors where appropriate [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.2...v3.2.3) The purpose of this pull request is to wrap errors with [`errors.Join`](https://pkg.go.dev/errors#Join) where appropriate. Relevant issues: - [MicahParks/keyfunc#103 Relevant pull requests: - [MicahParks/keyfunc#104 ### [`v3.1.2`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.1.2): X.509 Thumbprint bug fix [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.1...v3.1.2) JWK Sets have two X.509 thumbprint parameters that are optional. A bug in `github.com/MicahParks/jwkset` made these parameters required in circumstances that affect the `keyfunc` project. This release updates this dependency to the latest version. Thank you, [@joshkaplinsky](https://togithub.com/joshkaplinsky), for reporting this bug! Please see the below release for details: https://github.com/MicahParks/jwkset/releases/tag/v0.5.5 ### [`v3.1.1`](https://togithub.com/MicahParks/keyfunc/compare/v3.1.0...v3.1.1) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.0...v3.1.1) ### [`v3.1.0`](https://togithub.com/MicahParks/keyfunc/compare/v3.0.0...v3.1.0) [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.0.0...v3.1.0) ### [`v3.0.0`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.0.0): V3 simplify API by using github.com/MicahParks/jwkset [Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v2.1.0...v3.0.0) This upgrade removes most of the code in this repository and outsources JWK and JWK Set related code to the updated [github.com/MicahParks/jwkset](https://togithub.com/MicahParks/jwkset) package. The exported assets from the keyfunc project has been vastly reduced as well, with the intention of making it easier to use for the majority of use cases. > \[!NOTE] > A superset of features from V1 and V2 is available. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/infratographer/x).  --------- Signed-off-by: Mike Mason <mimason@equinix.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Mike Mason <mimason@equinix.com>
infratographer · Apr 3, 2024 · e194732 · e194732
1 parent 91fbfbd
commit e194732
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 42 deletions.
diff --git a/echojwtx/auth.go b/echojwtx/auth.go
@@ -22,7 +22,8 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/MicahParks/keyfunc/v2"
+	"github.com/MicahParks/jwkset"
+	"github.com/MicahParks/keyfunc/v3"
 	echojwt "github.com/labstack/echo-jwt/v4"
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
@@ -43,14 +44,14 @@ const (
 	// ActorKey defines the context key an actor is stored in for an echo context
 	ActorKey = "actor"
 
-	// DefaultKeyFuncOptionRefreshInterval defines the frequency at which the jwks file is refreshed.
-	DefaultKeyFuncOptionRefreshInterval = time.Hour
+	// DefaultHTTPClientStorageOptionRefreshInterval defines the frequency at which the jwks file is refreshed.
+	DefaultHTTPClientStorageOptionRefreshInterval = time.Hour
 
-	// DefaultKeyFuncOptionRefreshRateLimit limits how frequently jwks is reloaded when a provided KID is not found.
-	DefaultKeyFuncOptionRefreshRateLimit = 5 * time.Minute
+	// DefaultHTTPClientStorageOptionHTTPTimeout limits the runtime of a reload of jwks.
+	DefaultHTTPClientStorageOptionHTTPTimeout = 10 * time.Second
 
-	// DefaultKeyFuncOptionRefreshTimeout limits the runtime of a reload of jwks.
-	DefaultKeyFuncOptionRefreshTimeout = 10 * time.Second
+	// DefaultRateLimitWaitMax is the default timeout for waiting for rate limiting to end.
+	DefaultRateLimitWaitMax = time.Minute
 )
 
 var (
@@ -74,6 +75,9 @@ type AuthConfig struct {
 
 	// RefreshTimeout is the timeout for fetching the JWKS from the issuer.
 	RefreshTimeout time.Duration `mapstructure:"refresh_timeout"`
+
+	// RateLimitWaitMax is the timeout for waiting for rate limiting to end.
+	RateLimitWaitMax time.Duration `mapstructure:"rate_limit_wait_max"`
 }
 
 // Auth handles JWT Authentication as echo middleware.
@@ -85,8 +89,8 @@ type Auth struct {
 	// JWTConfig configuration for handling JWT validation.
 	JWTConfig echojwt.Config
 
-	// KeyFuncOptions configuration for fetching JWKS.
-	KeyFuncOptions keyfunc.Options
+	// HTTPClientStorageOptions configuration for fetching JWKS.
+	HTTPClientStorageOptions jwkset.HTTPClientStorageOptions
 
 	issuer   string
 	audience string
@@ -106,10 +110,10 @@ func WithJWTConfig(jwtConfig echojwt.Config) Opts {
 	}
 }
 
-// WithKeyFuncOptions sets the KeyFuncOptions for the auth middleware.
-func WithKeyFuncOptions(keyFuncOptions keyfunc.Options) Opts {
+// WithHTTPClientStorageOptions sets the HTTPClientStorageOptions for the auth middleware.
+func WithHTTPClientStorageOptions(options jwkset.HTTPClientStorageOptions) Opts {
 	return func(a *Auth) {
-		a.KeyFuncOptions = keyFuncOptions
+		a.HTTPClientStorageOptions = options
 	}
 }
 
@@ -124,7 +128,11 @@ func (a *Auth) setup(ctx context.Context, config AuthConfig, options ...Opts) er
 	}
 
 	if config.RefreshTimeout > 0 {
-		a.KeyFuncOptions.RefreshTimeout = config.RefreshTimeout
+		a.HTTPClientStorageOptions.HTTPTimeout = config.RefreshTimeout
+	}
+
+	if config.RateLimitWaitMax == 0 {
+		config.RateLimitWaitMax = DefaultRateLimitWaitMax
 	}
 
 	a.issuer = config.Issuer
@@ -136,35 +144,45 @@ func (a *Auth) setup(ctx context.Context, config AuthConfig, options ...Opts) er
 			return err
 		}
 
-		if a.KeyFuncOptions.Client == nil {
-			a.KeyFuncOptions.Client = otelhttp.DefaultClient
-		}
-
-		if a.KeyFuncOptions.Ctx == nil {
-			a.KeyFuncOptions.Ctx = ctx
+		if a.HTTPClientStorageOptions.Ctx == nil {
+			a.HTTPClientStorageOptions.Ctx = ctx
 		}
 
-		if a.KeyFuncOptions.RefreshErrorHandler == nil {
-			a.KeyFuncOptions.RefreshErrorHandler = func(err error) {
+		if a.HTTPClientStorageOptions.RefreshErrorHandler == nil {
+			a.HTTPClientStorageOptions.RefreshErrorHandler = func(_ context.Context, err error) {
 				a.logger.Error("error refreshing jwks", zap.Error(err))
 			}
 		}
 
-		if a.KeyFuncOptions.RefreshInterval == 0 {
-			a.KeyFuncOptions.RefreshInterval = DefaultKeyFuncOptionRefreshInterval
+		if a.HTTPClientStorageOptions.RefreshInterval == 0 {
+			a.HTTPClientStorageOptions.RefreshInterval = DefaultHTTPClientStorageOptionRefreshInterval
+		}
+
+		if a.HTTPClientStorageOptions.HTTPTimeout == 0 {
+			a.HTTPClientStorageOptions.HTTPTimeout = DefaultHTTPClientStorageOptionHTTPTimeout
+		}
+
+		storage, err := jwkset.NewStorageFromHTTP(jwksURI, a.HTTPClientStorageOptions)
+		if err != nil {
+			return err
 		}
 
-		if a.KeyFuncOptions.RefreshRateLimit == 0 {
-			a.KeyFuncOptions.RefreshRateLimit = DefaultKeyFuncOptionRefreshRateLimit
+		clientOptions := jwkset.HTTPClientOptions{
+			Given:            storage,
+			RateLimitWaitMax: config.RateLimitWaitMax,
 		}
 
-		if a.KeyFuncOptions.RefreshTimeout == 0 {
-			a.KeyFuncOptions.RefreshTimeout = DefaultKeyFuncOptionRefreshTimeout
+		clientStorage, err := jwkset.NewHTTPClient(clientOptions)
+		if err != nil {
+			return err
 		}
 
-		a.KeyFuncOptions.RefreshUnknownKID = true
+		keyfuncOptions := keyfunc.Options{
+			Ctx:     ctx,
+			Storage: clientStorage,
+		}
 
-		jwks, err := keyfunc.Get(jwksURI, a.KeyFuncOptions)
+		jwks, err := keyfunc.New(keyfuncOptions)
 		if err != nil {
 			return err
 		}
@@ -224,32 +242,32 @@ func NewAuth(ctx context.Context, config AuthConfig, options ...Opts) (*Auth, er
 	return auth, nil
 }
 
-func jwksURI(ctx context.Context, issuer string) (string, error) {
+func jwksURI(ctx context.Context, issuer string) (*url.URL, error) {
 	uri, err := url.JoinPath(issuer, ".well-known", "openid-configuration")
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	res, err := jwksClient.Do(req)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	defer res.Body.Close() //nolint:errcheck // no need to check
 
 	var m map[string]interface{}
 	if err := json.NewDecoder(res.Body).Decode(&m); err != nil {
-		return "", err
+		return nil, err
 	}
 
 	jwksURL, ok := m["jwks_uri"]
 	if !ok {
-		return "", ErrJWKSURIMissing
+		return nil, ErrJWKSURIMissing
 	}
 
-	return jwksURL.(string), nil
+	return url.Parse(jwksURL.(string))
 }
diff --git a/echojwtx/handler_test.go b/echojwtx/handler_test.go
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/MicahParks/keyfunc/v2"
+	"github.com/MicahParks/jwkset"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/labstack/echo/v4"
 	"github.com/stretchr/testify/assert"
@@ -128,8 +128,8 @@ func TestAudienceValidation(t *testing.T) {
 					Audience: tc.serverAudience,
 					Issuer:   issuer,
 				},
-				echojwtx.WithLogger(logger), echojwtx.WithKeyFuncOptions(keyfunc.Options{
-					RefreshTimeout: 5 * time.Second,
+				echojwtx.WithLogger(logger), echojwtx.WithHTTPClientStorageOptions(jwkset.HTTPClientStorageOptions{
+					HTTPTimeout: 5 * time.Second,
 				}),
 			)
 

diff --git a/go.mod b/go.mod
@@ -8,7 +8,8 @@ require (
 	entgo.io/contrib v0.4.5
 	entgo.io/ent v0.13.1
 	github.com/99designs/gqlgen v0.17.45
-	github.com/MicahParks/keyfunc/v2 v2.1.0
+	github.com/MicahParks/jwkset v0.5.17
+	github.com/MicahParks/keyfunc/v3 v3.3.2
 	github.com/XSAM/otelsql v0.29.0
 	github.com/brianvoe/gofakeit/v7 v7.0.2
 	github.com/cockroachdb/cockroach-go/v2 v2.3.7

diff --git a/go.sum b/go.sum
@@ -22,8 +22,10 @@ github.com/ClickHouse/clickhouse-go/v2 v2.17.1/go.mod h1:rkGTvFDTLqLIm0ma+13xmcC
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k=
-github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k=
+github.com/MicahParks/jwkset v0.5.17 h1:DrcwyKwSP5adD0G2XJTvDulnWXjD6gbjROMgMXDbkKA=
+github.com/MicahParks/jwkset v0.5.17/go.mod h1:q8ptTGn/Z9c4MwbcfeCDssADeVQb3Pk7PnVxrvi+2QY=
+github.com/MicahParks/keyfunc/v3 v3.3.2 h1:YTtwc4dxalBZKFqHhqctBWN6VhbLdGhywmne9u5RQVM=
+github.com/MicahParks/keyfunc/v3 v3.3.2/go.mod h1:GJBeEjnv25OnD9y2OYQa7ELU6gYahEMBNXINZb+qm34=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8=