From 91c20b7ca50b8a7c19ed1dd3138bbd9d0987785e Mon Sep 17 00:00:00 2001
From: kshamajain99
Date: Tue, 16 Mar 2021 11:53:12 -0700
Subject: [PATCH] fix: remove zjwt (#5774)

* fix: remove zjwt

Signed-off-by: kshamajain99
---
 server/server.go | 27 +++++++--------------------
 util/jwt/jwt.go | 5 +++++
 util/jwt/jwt_test.go | 8 ++++++++
 util/oidc/oidc.go | 6 ------
 4 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/server/server.go b/server/server.go
index 7b46d88276..4bfe69aa80 100644
--- a/server/server.go
+++ b/server/server.go
@@ -20,7 +20,6 @@ import (
 // nolint:staticcheck
 golang_proto "github.com/golang/protobuf/proto"
- "github.com/argoproj/pkg/jwt/zjwt"
 "github.com/argoproj/pkg/sync"
 "github.com/dgrijalva/jwt-go/v4"
 "github.com/go-redis/redis/v8"
@@ -94,6 +93,7 @@ import (
 "github.com/argoproj/argo-cd/util/healthz"
 httputil "github.com/argoproj/argo-cd/util/http"
 "github.com/argoproj/argo-cd/util/io"
+ jwtutil "github.com/argoproj/argo-cd/util/jwt"
 kubeutil "github.com/argoproj/argo-cd/util/kube"
 "github.com/argoproj/argo-cd/util/oidc"
 "github.com/argoproj/argo-cd/util/rbac"
@@ -620,13 +620,6 @@ func (a *ArgoCDServer) setTokenCookie(token string, w http.ResponseWriter) error
 if !a.Insecure {
 flags = append(flags, "Secure")
 }
- if token != "" {
- var err error
- token, err = zjwt.ZJWT(token)
- if err != nil {
- return err
- }
- }
 cookies, err := httputil.MakeCookieMetadata(common.AuthCookieName, token, flags...)
 if err != nil {
 return err
@@ -964,12 +957,12 @@ func getToken(md metadata.MD) string {
 }
 }
- var tokens []string
- // looks for the HTTP header `Authorization: Bearer ...`
+ // argocd prefers bearer token over cookie
 for _, t := range md["authorization"] {
- if strings.HasPrefix(t, "Bearer ") {
- tokens = append(tokens, strings.TrimPrefix(t, "Bearer "))
+ token := strings.TrimPrefix(t, "Bearer ")
+ if strings.HasPrefix(t, "Bearer ") && jwtutil.IsValid(token) {
+ return token
 }
 }
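Review bot: In the `authorization` loop of getToken, `jwtutil.IsValid(token)` is only a shape check (three dot-separated segments), yet it now decides which credential is returned: the first Bearer value with that shape wins and the cookie is never read, even if that value later fails verification. The removed code collected every candidate and returned the first one `zjwt.JWT` could decode, so this ordering is new and should be stated where the early return happens, e.g. `// shape check only; the first JWT-shaped bearer token is returned and the cookie is skipped`. The cookie branch in the next hunk (`if err == nil && jwtutil.IsValid(token)`) relies on the same check. Testing `strings.HasPrefix(t, "Bearer ")` before calling `strings.TrimPrefix` would also read more directly. getToken begins and ends outside this hunk.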
@@ -979,17 +972,11 @@ func getToken(md metadata.MD) string {
 header.Add("Cookie", t)
 request := http.Request{Header: header}
 token, err := httputil.JoinCookies(common.AuthCookieName, request.Cookies())
- if token != "" && err == nil {
- tokens = append(tokens, token)
+ if err == nil && jwtutil.IsValid(token) {
+ return token
 }
 }
- for _, t := range tokens {
- value, err := zjwt.JWT(t)
- if err == nil {
- return value
- }
- }
 return ""
 }
diff --git a/util/jwt/jwt.go b/util/jwt/jwt.go
index e1000e31f5..995b014ecd 100644
--- a/util/jwt/jwt.go
+++ b/util/jwt/jwt.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "strings"
 "time"
 jwtgo "github.com/dgrijalva/jwt-go/v4"
@@ -141,3 +142,7 @@ func IsMember(claims jwtgo.Claims, groups []string, scopes []string) bool {
 func GetGroups(mapClaims jwtgo.MapClaims, scopes []string) []string {
 return GetScopeValues(mapClaims, scopes)
 }
+
+func IsValid(token string) bool {
+ return len(strings.SplitN(token, ".", 3)) == 3
+}
diff --git a/util/jwt/jwt_test.go b/util/jwt/jwt_test.go
index 8348337cb2..098aad3b78 100644
--- a/util/jwt/jwt_test.go
+++ b/util/jwt/jwt_test.go
@@ -60,3 +60,11 @@ func TestIssuedAtTime_Error_Missing(t *testing.T) {
 assert.NotNil(t, err)
 assert.Equal(t, time.Unix(0, 0), iat)
 }
+
+func TestIsValid(t *testing.T) {
+ assert.Equal(t, true, IsValid("foo.bar.foo"))
+ assert.Equal(t, true, IsValid("foo.bar.foo.bar"))
+ assert.Equal(t, false, IsValid("foo.bar"))
+ assert.Equal(t, false, IsValid("foo"))
+ assert.Equal(t, false, IsValid(""))
+}
diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go
index 92b937f13d..06f0083a75 100644
--- a/util/oidc/oidc.go
+++ b/util/oidc/oidc.go
@@ -13,7 +13,6 @@ import (
 "strings"
 "time"
- "github.com/argoproj/pkg/jwt/zjwt"
 gooidc "github.com/coreos/go-oidc"
 "github.com/dgrijalva/jwt-go/v4"
 log "github.com/sirupsen/logrus"
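Review bot: The exported `IsValid` added to util/jwt/jwt.go has no doc comment, and its name promises more than `len(strings.SplitN(token, ".", 3)) == 3` delivers: the expression is true for any string with at least two dots, including `".."` and the four-segment `foo.bar.foo.bar` that TestIsValid pins as valid. A caller who treats it as an authentication decision would accept unsigned or expired input, so the contract should be written down, e.g. `// IsValid reports whether token has at least three dot-separated segments. It does not verify the signature, expiry or claims.` If exactly three segments is what is meant, `strings.Count(token, ".") == 2` expresses that, though it changes the `foo.bar.foo.bar` expectation in the test.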
@@ -325,11 +324,6 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) {
 return
 }
 if idTokenRAW != "" {
- idTokenRAW, err = zjwt.ZJWT(idTokenRAW)
- if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
 cookies, err := httputil.MakeCookieMetadata(common.AuthCookieName, idTokenRAW, flags...)
 if err != nil {
 claimsJSON, _ := json.Marshal(claims)