From e1947322599f9b7ab24b9a19029bb696b1c358d1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 3 Apr 2024 12:55:09 -0500
Subject: [PATCH] fix(deps): update module github.com/micahparks/keyfunc/v2 to v3 (#213)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/MicahParks/keyfunc/v2](https://togithub.com/MicahParks/keyfunc) | `v2.1.0` -> `v3.3.2` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v2.1.0/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fMicahParks%2fkeyfunc%2fv2/v2.1.0/v3.3.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

MicahParks/keyfunc (github.com/MicahParks/keyfunc/v2)

### [`v3.3.2`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.3.2): Allow for user provided ctx during parse

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.3.1...v3.3.2)

The purpose of this release is to add a new method, `.KeyfuncCtx`. This new method accepts a `context.Context`, then returns a `jwt.Keyfunc`. This user-provided `context.Context` is used during JWK lookup in the `github.com/MicahParks/jwkset` package when parsing JWTs. Passing a request-scoped context allows the JWT parsing and JWK retrieval to cancel according to the given `context.Context` behavior instead of the default `context.Context`, which was provided at `keyfunc.Keyfunc` initialization.

In practice, this is used to prevent situations where many JWTs with a `kid` not in a remote JWK Set are being parsed over a long period of time.

Relevant issues:

- [https://github.com/MicahParks/jwkset/issues/26](https://togithub.com/MicahParks/jwkset/issues/26)

Relevant pull requests:

- [https://github.com/MicahParks/keyfunc/pull/118](https://togithub.com/MicahParks/keyfunc/pull/118)
- [https://github.com/MicahParks/keyfunc/pull/119](https://togithub.com/MicahParks/keyfunc/pull/119)
- [https://github.com/MicahParks/keyfunc/pull/120](https://togithub.com/MicahParks/keyfunc/pull/120)
- [https://github.com/MicahParks/keyfunc/pull/121](https://togithub.com/MicahParks/keyfunc/pull/121)

### [`v3.3.1`](https://togithub.com/MicahParks/keyfunc/compare/v3.3.0...v3.3.1)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.3.0...v3.3.1)

### [`v3.3.0`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.9...v3.3.0)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.9...v3.3.0)

### [`v3.2.9`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.8...v3.2.9)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.8...v3.2.9)

### [`v3.2.8`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.7...v3.2.8)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.7...v3.2.8)

### [`v3.2.7`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.6...v3.2.7)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.6...v3.2.7)

### [`v3.2.6`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.5...v3.2.6)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.5...v3.2.6)

### [`v3.2.5`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.4...v3.2.5)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.4...v3.2.5)

### [`v3.2.4`](https://togithub.com/MicahParks/keyfunc/compare/v3.2.3...v3.2.4)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.2.3...v3.2.4)

### [`v3.2.3`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.2.3): Wrap errors where appropriate

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.2...v3.2.3)

The purpose of this pull request is to wrap errors with [`errors.Join`](https://pkg.go.dev/errors#Join) where appropriate.

Relevant issues:

- [https://github.com/MicahParks/keyfunc/issues/103](https://togithub.com/MicahParks/keyfunc/issues/103)

Relevant pull requests:

- [https://github.com/MicahParks/keyfunc/pull/104](https://togithub.com/MicahParks/keyfunc/pull/104)

### [`v3.1.2`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.1.2): X.509 Thumbprint bug fix

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.1...v3.1.2)

JWK Sets have two X.509 thumbprint parameters that are optional. A bug in `github.com/MicahParks/jwkset` made these parameters required in circumstances that affect the `keyfunc` project. This release updates this dependency to the latest version.

Thank you, [@joshkaplinsky](https://togithub.com/joshkaplinsky), for reporting this bug!

Please see the below release for details:
https://github.com/MicahParks/jwkset/releases/tag/v0.5.5

### [`v3.1.1`](https://togithub.com/MicahParks/keyfunc/compare/v3.1.0...v3.1.1)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.1.0...v3.1.1)

### [`v3.1.0`](https://togithub.com/MicahParks/keyfunc/compare/v3.0.0...v3.1.0)

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v3.0.0...v3.1.0)

### [`v3.0.0`](https://togithub.com/MicahParks/keyfunc/releases/tag/v3.0.0): V3 simplify API by using github.com/MicahParks/jwkset

[Compare Source](https://togithub.com/MicahParks/keyfunc/compare/v2.1.0...v3.0.0)

This upgrade removes most of the code in this repository and outsources JWK and JWK Set related code to the updated [github.com/MicahParks/jwkset](https://togithub.com/MicahParks/jwkset) package. The exported assets from the keyfunc project have been vastly reduced as well, with the intention of making it easier to use for the majority of use cases.

> \[!NOTE]
> A superset of features from V1 and V2 is available.
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/infratographer/x). --------- Signed-off-by: Mike Mason Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Mike Mason --- echojwtx/auth.go | 90 ++++++++++++++++++++++++---------------- echojwtx/handler_test.go | 6 +-- go.mod | 3 +- go.sum | 6 ++- 4 files changed, 63 insertions(+), 42 deletions(-) diff --git a/echojwtx/auth.go b/echojwtx/auth.go index 5b4c30d..8337698 100644 --- a/echojwtx/auth.go +++ b/echojwtx/auth.go @@ -22,7 +22,8 @@ import ( "net/url" "time" - "github.com/MicahParks/keyfunc/v2" + "github.com/MicahParks/jwkset" + "github.com/MicahParks/keyfunc/v3" echojwt "github.com/labstack/echo-jwt/v4" "github.com/labstack/echo/v4" "github.com/labstack/echo/v4/middleware" 
@@ -43,14 +44,14 @@ const ( // ActorKey defines the context key an actor is stored in for an echo context ActorKey = "actor" - // DefaultKeyFuncOptionRefreshInterval defines the frequency at which the jwks file is refreshed. - DefaultKeyFuncOptionRefreshInterval = time.Hour + // DefaultHTTPClientStorageOptionRefreshInterval defines the frequency at which the jwks file is refreshed. + DefaultHTTPClientStorageOptionRefreshInterval = time.Hour - // DefaultKeyFuncOptionRefreshRateLimit limits how frequently jwks is reloaded when a provided KID is not found. - DefaultKeyFuncOptionRefreshRateLimit = 5 * time.Minute + // DefaultHTTPClientStorageOptionHTTPTimeout limits the runtime of a reload of jwks. + DefaultHTTPClientStorageOptionHTTPTimeout = 10 * time.Second - // DefaultKeyFuncOptionRefreshTimeout limits the runtime of a reload of jwks. - DefaultKeyFuncOptionRefreshTimeout = 10 * time.Second + // DefaultRateLimitWaitMax is the default timeout for waiting for rate limiting to end. + DefaultRateLimitWaitMax = time.Minute ) var ( @@ -74,6 +75,9 @@ type AuthConfig struct { // RefreshTimeout is the timeout for fetching the JWKS from the issuer. RefreshTimeout time.Duration `mapstructure:"refresh_timeout"` + + // RateLimitWaitMax is the timeout for waiting for rate limiting to end. + RateLimitWaitMax time.Duration `mapstructure:"rate_limit_wait_max"` } // Auth handles JWT Authentication as echo middleware. @@ -85,8 +89,8 @@ type Auth struct { // JWTConfig configuration for handling JWT validation. JWTConfig echojwt.Config - // KeyFuncOptions configuration for fetching JWKS. - KeyFuncOptions keyfunc.Options + // HTTPClientStorageOptions configuration for fetching JWKS. + HTTPClientStorageOptions jwkset.HTTPClientStorageOptions issuer string audience string 
@@ -106,10 +110,10 @@ func WithJWTConfig(jwtConfig echojwt.Config) Opts { } } -// WithKeyFuncOptions sets the KeyFuncOptions for the auth middleware. -func WithKeyFuncOptions(keyFuncOptions keyfunc.Options) Opts { +// WithHTTPClientStorageOptions sets the HTTPClientStorageOptions for the auth middleware. +func WithHTTPClientStorageOptions(options jwkset.HTTPClientStorageOptions) Opts { return func(a *Auth) { - a.KeyFuncOptions = keyFuncOptions + a.HTTPClientStorageOptions = options } } @@ -124,7 +128,11 @@ func (a *Auth) setup(ctx context.Context, config AuthConfig, options ...Opts) er } if config.RefreshTimeout > 0 { - a.KeyFuncOptions.RefreshTimeout = config.RefreshTimeout + a.HTTPClientStorageOptions.HTTPTimeout = config.RefreshTimeout + } + + if config.RateLimitWaitMax == 0 { + config.RateLimitWaitMax = DefaultRateLimitWaitMax } a.issuer = config.Issuer 
@@ -136,35 +144,45 @@ func (a *Auth) setup(ctx context.Context, config AuthConfig, options ...Opts) er return err } - if a.KeyFuncOptions.Client == nil { - a.KeyFuncOptions.Client = otelhttp.DefaultClient - } - - if a.KeyFuncOptions.Ctx == nil { - a.KeyFuncOptions.Ctx = ctx + if a.HTTPClientStorageOptions.Ctx == nil { + a.HTTPClientStorageOptions.Ctx = ctx } - if a.KeyFuncOptions.RefreshErrorHandler == nil { - a.KeyFuncOptions.RefreshErrorHandler = func(err error) { + if a.HTTPClientStorageOptions.RefreshErrorHandler == nil { + a.HTTPClientStorageOptions.RefreshErrorHandler = func(_ context.Context, err error) { a.logger.Error("error refreshing jwks", zap.Error(err)) } } - if a.KeyFuncOptions.RefreshInterval == 0 { - a.KeyFuncOptions.RefreshInterval = DefaultKeyFuncOptionRefreshInterval + if a.HTTPClientStorageOptions.RefreshInterval == 0 { + a.HTTPClientStorageOptions.RefreshInterval = DefaultHTTPClientStorageOptionRefreshInterval + } + + if a.HTTPClientStorageOptions.HTTPTimeout == 0 { + a.HTTPClientStorageOptions.HTTPTimeout = DefaultHTTPClientStorageOptionHTTPTimeout + } + + storage, err := jwkset.NewStorageFromHTTP(jwksURI, a.HTTPClientStorageOptions) + if err != nil { + return err } - if a.KeyFuncOptions.RefreshRateLimit == 0 { - a.KeyFuncOptions.RefreshRateLimit = DefaultKeyFuncOptionRefreshRateLimit + clientOptions := jwkset.HTTPClientOptions{ + Given: storage, + RateLimitWaitMax: config.RateLimitWaitMax, } - if a.KeyFuncOptions.RefreshTimeout == 0 { - a.KeyFuncOptions.RefreshTimeout = DefaultKeyFuncOptionRefreshTimeout + clientStorage, err := jwkset.NewHTTPClient(clientOptions) + if err != nil { + return err } - a.KeyFuncOptions.RefreshUnknownKID = true + keyfuncOptions := keyfunc.Options{ + Ctx: ctx, + Storage: clientStorage, + } - jwks, err := keyfunc.Get(jwksURI, a.KeyFuncOptions) + jwks, err := keyfunc.New(keyfuncOptions) if err != nil { return err } 
@@ -224,32 +242,32 @@ func NewAuth(ctx context.Context, config AuthConfig, options ...Opts) (*Auth, er return auth, nil } -func jwksURI(ctx context.Context, issuer string) (string, error) { +func jwksURI(ctx context.Context, issuer string) (*url.URL, error) { uri, err := url.JoinPath(issuer, ".well-known", "openid-configuration") if err != nil { - return "", err + return nil, err } req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) if err != nil { - return "", err + return nil, err } res, err := jwksClient.Do(req) if err != nil { - return "", err + return nil, err } defer res.Body.Close() //nolint:errcheck // no need to check var m map[string]interface{} if err := json.NewDecoder(res.Body).Decode(&m); err != nil { - return "", err + return nil, err } jwksURL, ok := m["jwks_uri"] if !ok { - return "", ErrJWKSURIMissing + return nil, ErrJWKSURIMissing } - return jwksURL.(string), nil + return url.Parse(jwksURL.(string)) } diff --git a/echojwtx/handler_test.go b/echojwtx/handler_test.go index db2ef76..88c0fef 100644 --- a/echojwtx/handler_test.go +++ b/echojwtx/handler_test.go @@ -7,7 +7,7 @@ import ( "testing" "time" - "github.com/MicahParks/keyfunc/v2" + "github.com/MicahParks/jwkset" "github.com/golang-jwt/jwt/v5" "github.com/labstack/echo/v4" "github.com/stretchr/testify/assert" @@ -128,8 +128,8 @@ func TestAudienceValidation(t *testing.T) { Audience: tc.serverAudience, Issuer: issuer, }, - echojwtx.WithLogger(logger), echojwtx.WithKeyFuncOptions(keyfunc.Options{ - RefreshTimeout: 5 * time.Second, + echojwtx.WithLogger(logger), echojwtx.WithHTTPClientStorageOptions(jwkset.HTTPClientStorageOptions{ + HTTPTimeout: 5 * time.Second, }), ) diff --git a/go.mod b/go.mod index 5a68fa6..c79eba3 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,8 @@ require ( entgo.io/contrib v0.4.5 entgo.io/ent v0.13.1 github.com/99designs/gqlgen v0.17.45 - github.com/MicahParks/keyfunc/v2 v2.1.0 + github.com/MicahParks/jwkset v0.5.17 + github.com/MicahParks/keyfunc/v3 v3.3.2 github.com/XSAM/otelsql v0.29.0 github.com/brianvoe/gofakeit/v7 v7.0.2 github.com/cockroachdb/cockroach-go/v2 v2.3.7 diff --git a/go.sum b/go.sum index d0a2fef..79384c6 100644 --- a/go.sum +++ b/go.sum @@ -22,8 +22,10 @@ github.com/ClickHouse/clickhouse-go/v2 v2.17.1/go.mod h1:rkGTvFDTLqLIm0ma+13xmcC github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= -github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k= -github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k= +github.com/MicahParks/jwkset v0.5.17 h1:DrcwyKwSP5adD0G2XJTvDulnWXjD6gbjROMgMXDbkKA= +github.com/MicahParks/jwkset v0.5.17/go.mod h1:q8ptTGn/Z9c4MwbcfeCDssADeVQb3Pk7PnVxrvi+2QY= +github.com/MicahParks/keyfunc/v3 v3.3.2 h1:YTtwc4dxalBZKFqHhqctBWN6VhbLdGhywmne9u5RQVM= +github.com/MicahParks/keyfunc/v3 v3.3.2/go.mod h1:GJBeEjnv25OnD9y2OYQa7ELU6gYahEMBNXINZb+qm34= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8=
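Review bot: in the `echojwtx/auth.go` constants hunk (`@@ -43,14 +44,14 @@`), deleting the exported `DefaultKeyFuncOptionRefreshInterval`, `DefaultKeyFuncOptionRefreshRateLimit` and `DefaultKeyFuncOptionRefreshTimeout` constants (and, in the `Auth` struct and `WithKeyFuncOptions` hunks, renaming the exported `KeyFuncOptions` field and option func to `HTTPClientStorageOptions`/`WithHTTPClientStorageOptions`) breaks every importer of `echojwtx`, while the subject line says `fix(deps)`. Mark the commit as a breaking change (`fix(deps)!:` or a `BREAKING CHANGE:` footer) and list the renames so downstream services can migrate. The replacement constant also changes meaning, not just name: `DefaultKeyFuncOptionRefreshRateLimit = 5 * time.Minute` limited how often a JWKS reload could be triggered, whereas `DefaultRateLimitWaitMax = time.Minute` bounds how long a caller blocks waiting for that limiter; the comment should say what a request observes when the wait expires (the key lookup fails and the token is rejected, as far as this hunk shows), since that affects tuning during key rotation.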
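Review bot: in the `AuthConfig` hunk (`@@ -74,6 +75,9 @@`), the new `RateLimitWaitMax` field and its `rate_limit_wait_max` key are added without a unit or a zero-value note in the comment; since the `setup` hunk below substitutes `DefaultRateLimitWaitMax` when it is `0`, say so here (`// Zero uses DefaultRateLimitWaitMax.`). The unchanged `RefreshTimeout` field keeps its `refresh_timeout` key but now populates `HTTPClientStorageOptions.HTTPTimeout`; that is good for config compatibility, but the comment should mention the new destination so readers of the config struct are not looking for a field that no longer exists.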
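Review bot: in the `setup` hunk at `@@ -124,7 +128,11 @@`, the default is only applied when `config.RateLimitWaitMax == 0`, so a negative duration from configuration is passed straight into `jwkset.HTTPClientOptions` in the following hunk; the sibling check just above uses `config.RefreshTimeout > 0`, so use `config.RateLimitWaitMax <= 0` here for consistency and to keep a mis-typed config value from producing a zero or immediately expiring wait.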
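Review bot: in the large `setup` hunk (`@@ -136,35 +144,45 @@`), the removed block `if a.KeyFuncOptions.Client == nil { a.KeyFuncOptions.Client = otelhttp.DefaultClient }` has no counterpart on the `+` side, so JWKS fetches through `jwkset.NewStorageFromHTTP` are no longer made with the OpenTelemetry-instrumented client and lose their spans; if `jwkset.HTTPClientStorageOptions` exposes an HTTP client field, set it to `otelhttp.DefaultClient` the same way, otherwise state in the PR that dropping the instrumentation is intentional. Second, the old code forced `a.KeyFuncOptions.RefreshUnknownKID = true` together with the 5-minute `RefreshRateLimit`, while the new `jwkset.HTTPClientOptions{Given: storage, RateLimitWaitMax: ...}` sets neither, so refresh-on-unknown-`kid` now depends entirely on jwkset's defaults; add a comment stating that this is relied upon (or set the limiter explicitly) and a test covering key rotation, since a token signed with a newly published key must validate before the hourly `RefreshInterval` elapses. Finally, `keyfunc.Options{Ctx: ctx, ...}` binds key lookups to the long-lived setup context; the v3.3.2 release notes in the PR body introduce `.KeyfuncCtx` precisely so lookups can follow a request-scoped context, which is worth a follow-up if the echo-jwt integration allows it.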
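Review bot: in the `jwksURI` hunk (`@@ -224,32 +242,32 @@`), the changed return line `return url.Parse(jwksURL.(string))` keeps an unchecked type assertion, so a discovery document in which `jwks_uri` is present but not a string (for example `null` or an object) panics the middleware setup instead of returning an error; use the comma-ok form, e.g. `s, ok := jwksURL.(string); if !ok || s == "" { return nil, ErrJWKSURIMissing }` before `url.Parse`. The function also decodes the body without checking `res.StatusCode`, so an HTML error page from the issuer surfaces as an opaque JSON decode error; checking for `http.StatusOK` first gives operators a usable message when the issuer URL is wrong.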
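Review bot: in the `echojwtx/handler_test.go` hunk (`@@ -128,8 +128,8 @@`), the only option exercised by `TestAudienceValidation` is `HTTPTimeout: 5 * time.Second`; nothing covers the new `RateLimitWaitMax` config field, the default fallbacks added in `setup`, or the `RefreshErrorHandler` signature change to `func(_ context.Context, err error)`. A small table test that constructs `AuthConfig` with zero values and asserts the resulting `HTTPClientStorageOptions` and rate-limit wait would catch regressions in the defaulting logic that this migration touched.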