CC-796: Remove dependency on unsupported version of go-oidc

2025-07-27 15:49:58 +00:00 · 2022-02-05 15:39:29 +00:00
parent f44e496dd9
commit 0899d6a136
37 changed files with 1146 additions and 905 deletions
--- a/sshgen/sshgen.go
+++ b/sshgen/sshgen.go
@@ -15,10 +15,10 @@ import (
 	"net/url"
 	"time"

-	"github.com/coreos/go-oidc/jose"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	gossh "golang.org/x/crypto/ssh"
+	"gopkg.in/square/go-jose.v2/jwt"

 	"github.com/cloudflare/cloudflared/config"
 	cfpath "github.com/cloudflare/cloudflared/token"
@@ -87,37 +87,33 @@ func SignCert(token, pubKey string) (string, error) {
 		return "", errors.New("invalid token")
 	}

-	jwt, err := jose.ParseJWT(token)
+	parsedToken, err := jwt.ParseSigned(token)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to parse JWT")
 	}

-	claims, err := jwt.Claims()
+	claims := jwt.Claims{}
+	err = parsedToken.UnsafeClaimsWithoutVerification(&claims)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to retrieve JWT claims")
 	}

-	issuer, _, err := claims.StringClaim("iss")
-	if err != nil {
-		return "", errors.Wrap(err, "failed to retrieve JWT iss")
-	}
-
 	buf, err := json.Marshal(&signPayload{
 		PublicKey: pubKey,
 		JWT:       token,
-		Issuer:    issuer,
+		Issuer:    claims.Issuer,
 	})
 	if err != nil {
 		return "", errors.Wrap(err, "failed to marshal signPayload")
 	}
 	var res *http.Response
 	if mockRequest != nil {
-		res, err = mockRequest(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
+		res, err = mockRequest(claims.Issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
 	} else {
 		client := http.Client{
 			Timeout: 10 * time.Second,
 		}
-		res, err = client.Post(issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
+		res, err = client.Post(claims.Issuer+signEndpoint, "application/json", bytes.NewBuffer(buf))
 	}

 	if err != nil {
--- a/sshgen/sshgen_test.go
+++ b/sshgen/sshgen_test.go
@@ -4,8 +4,6 @@
 package sshgen

 import (
-	"crypto/rand"
-	"crypto/rsa"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -18,8 +16,9 @@ import (
 	"testing"
 	"time"

-	"github.com/coreos/go-oidc/jose"
 	"github.com/stretchr/testify/assert"
+	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/jwt"

 	"github.com/cloudflare/cloudflared/config"
 	cfpath "github.com/cloudflare/cloudflared/token"
@@ -97,22 +96,25 @@ func TestCertGenSuccess(t *testing.T) {
 }

 func tokenGenerator() string {
-	iat := time.Now().Unix()
-	exp := time.Now().Add(time.Minute * 5).Unix()
-	claims := jose.Claims{}
-	claims.Add("aud", audTest)
-	claims.Add("iat", iat)
-	claims.Add("nonce", nonceTest)
-	claims.Add("exp", exp)
+	iat := time.Now()
+	exp := time.Now().Add(time.Minute * 5)

-	k, err := rsa.GenerateKey(rand.Reader, 512)
+	claims := jwt.Claims{
+		Audience: jwt.Audience{audTest},
+		IssuedAt: jwt.NewNumericDate(iat),
+		Expiry:   jwt.NewNumericDate(exp),
+	}
+
+	key := []byte("secret")
+	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))
 	if err != nil {
-		return ""
+		panic(err)
 	}
-	signer := jose.NewSignerRSA("asdf", *k)
-	token, terr := jose.NewSignedJWT(claims, signer)
-	if terr != nil {
-		return ""
+
+	signedToken, err := jwt.Signed(signer).Claims(claims).CompactSerialize()
+	if err != nil {
+		panic(err)
 	}
-	return token.Encode()
+
+	return signedToken
 }