diff --git a/cmd/clairctl/main.go b/cmd/clairctl/main.go index 97720e19af..328c444c2e 100644 --- a/cmd/clairctl/main.go +++ b/cmd/clairctl/main.go @@ -7,7 +7,7 @@ import ( "os" "runtime/debug" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4/jwt" "github.com/quay/clair/config" _ "github.com/quay/claircore/updater/defaults" "github.com/urfave/cli/v2" diff --git a/cmd/testdata/ComplexYAML/config.yaml b/cmd/testdata/ComplexYAML/config.yaml index 7d6b012294..dc1d81c61e 100644 --- a/cmd/testdata/ComplexYAML/config.yaml +++ b/cmd/testdata/ComplexYAML/config.yaml @@ -10,7 +10,7 @@ updaters: - alpine auth: psk: - key: 'c2VjcmV0' + key: 'c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=' iss: - quay - clairctl diff --git a/cmd/testdata/ComplexYAML/want.json b/cmd/testdata/ComplexYAML/want.json index f0c7bf5072..ab7b456dad 100644 --- a/cmd/testdata/ComplexYAML/want.json +++ b/cmd/testdata/ComplexYAML/want.json @@ -10,7 +10,7 @@ }, "auth": { "psk": { - "key": "c2VjcmV0", + "key": "c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=", "iss": [ "quay", "clairctl" diff --git a/cmd/testdata/SimpleYAML/config.yaml b/cmd/testdata/SimpleYAML/config.yaml index 7d6b012294..dc1d81c61e 100644 --- a/cmd/testdata/SimpleYAML/config.yaml +++ b/cmd/testdata/SimpleYAML/config.yaml @@ -10,7 +10,7 @@ updaters: - alpine auth: psk: - key: 'c2VjcmV0' + key: 'c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=' iss: - quay - clairctl diff --git a/cmd/testdata/SimpleYAML/want.json b/cmd/testdata/SimpleYAML/want.json index 3071b2bb65..654882a9c5 100644 --- a/cmd/testdata/SimpleYAML/want.json +++ b/cmd/testdata/SimpleYAML/want.json @@ -12,7 +12,7 @@ }, "auth": { "psk": { - "key": "c2VjcmV0", + "key": "c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=", "iss": [ "quay", "clairctl" diff --git a/config/auth.go b/config/auth.go index 8a06e0a58f..fb7b367a0d 100644 --- a/config/auth.go +++ b/config/auth.go 
@@ -86,6 +86,11 @@ func (a *AuthPSK) validate(_ Mode) ([]Warning, error) { msg: "key is empty", } } + if len(a.Key) < 32 { + return nil, &Warning{ + msg: "key is too short: must be at least 32 bytes", + } + } if len(a.Issuer) == 0 { return nil, &Warning{ path: ".iss", diff --git a/config/config_test.go b/config/config_test.go index 1be7c79850..54f61cd2f6 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -39,6 +39,17 @@ func TestValidateFailure(t *testing.T) { } } + expectError := func(want string) func(*testing.T, *config.Config, error) { + return func(t *testing.T, _ *config.Config, err error) { + if err == nil { + t.Fatal("unexpected success") + } + if got := err.Error(); got != want { + t.Errorf("got error %q, want %q", got, want) + } + } + } + // Tests on the base Config struct. tt := []ValidateTestcase{ { @@ -90,7 +101,20 @@ func TestValidateFailure(t *testing.T) { PSK: &config.AuthPSK{}, }, }, - Check: shouldFail, + Check: expectError("key is empty (at )"), + }, + { + Name: "BadPSKKeyLen", + Conf: config.Config{ + Mode: config.IndexerMode, + Auth: config.Auth{ + PSK: &config.AuthPSK{ + Key: config.Base64([]byte{0xde, 0xad, 0xbe, 0xef}), + Issuer: []string{"iss"}, + }, + }, + }, + Check: expectError("key is too short: must be at least 32 bytes (at )"), }, { Name: "BadPSKIssuer", @@ -98,11 +122,11 @@ func TestValidateFailure(t *testing.T) { Mode: config.IndexerMode, Auth: config.Auth{ PSK: &config.AuthPSK{ - Key: config.Base64([]byte{0xde, 0xad, 0xbe, 0xef}), + Key: config.Base64([]byte("deadbeefdeadbeefdeadbeefdeadbeef")), }, }, }, - Check: shouldFail, + Check: expectError("no issuers defined (at .iss)"), }, } for _, tc := range tt { diff --git a/contrib/cmd/quaybackstop/clair.go b/contrib/cmd/quaybackstop/clair.go index c0caf5c1bd..61987b4ba5 100644 --- a/contrib/cmd/quaybackstop/clair.go +++ b/contrib/cmd/quaybackstop/clair.go 
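Review bot: The new length Warning in validate has no `path`, although the issuer Warning immediately below it sets `path: ".iss"`, and the test added in config_test.go pins the resulting text as `key is too short: must be at least 32 bytes (at )`, i.e. with an empty location. Adding `path: ".key",` here (and to the existing "key is empty" Warning, whose pinned text is likewise `key is empty (at )`) would tell the operator which field to fix, at the cost of updating those two expected strings. The bare 32 also wants a named constant carrying its rationale, e.g. `const minPSKKeyLen = 32 // HMAC-SHA256 output size: RFC 7518 requires HS256 keys to be at least this long`. Since Key is a config.Base64 value (the tests build it from raw bytes), the comparison is against decoded bytes, which the message could state explicitly so nobody compares it with the 44-character encoded string; and because the middleware also accepts HS384 and HS512, whose corresponding floors are 48 and 64 bytes, 32 is a floor for the weakest accepted algorithm rather than a per-algorithm check. validate begins before this hunk.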
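Review bot: BadPSKKeyLen exercises the new length check only with a 4-byte key, so an off-by-one in the `< 32` comparison in config/auth.go would pass unnoticed; the 32-byte key in BadPSKIssuer shows that exactly 32 bytes is accepted, but no case shows that 31 bytes is rejected. A sibling case with `Key: config.Base64(make([]byte, 31)),` and `Issuer: []string{"iss"},`, expecting the same `key is too short` message, pins the boundary from below. The pinned strings also encode the ` (at )` suffix produced by an empty path, so they are coupled to the Warning formatting and will need updating if the key Warnings ever gain a path.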
@@ -21,7 +21,7 @@ import ( "github.com/quay/clair/v4/cmd" - "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v4" "github.com/jackc/pgx/v5" "github.com/jackc/pgx/v5/pgxpool" "github.com/quay/clair/config" diff --git a/contrib/cmd/quaybackstop/main.go b/contrib/cmd/quaybackstop/main.go index e1a6b3ca0d..10f004125c 100644 --- a/contrib/cmd/quaybackstop/main.go +++ b/contrib/cmd/quaybackstop/main.go @@ -34,8 +34,8 @@ import ( "sync" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/jackc/pgx/v5/pgxpool" "github.com/quay/clair/config" ) @@ -291,7 +291,7 @@ func (a *App) NewRequestWithContext(ctx context.Context, method string, url *url cl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway)) a.clairTokenResign = now.Add(15 * time.Minute) cl.Expiry = jwt.NewNumericDate(a.clairTokenResign) - tok, err := jwt.Signed(a.jwtSigner).Claims(&cl).CompactSerialize() + tok, err := jwt.Signed(a.jwtSigner).Claims(&cl).Serialize() if err != nil { return nil, fmt.Errorf("jwt construction: %w", err) } diff --git a/docker-compose.yaml b/docker-compose.yaml index 285170b516..0214ce120c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -172,7 +172,7 @@ services: - ./notifier/webhook/cmd/webhookd - -D - -key - - c2VjcmV0 + - c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U= rabbitmq: # This provides STOMP and AMQP on the usual ports. # The web UI is available on /rabbitmq diff --git a/go.mod b/go.mod index 29eb04ea15..eaf2b1eca8 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.25.0 require ( github.com/Masterminds/semver v1.5.0 github.com/evanphx/json-patch/v5 v5.9.11 - github.com/go-jose/go-jose/v3 v3.0.5 + github.com/go-jose/go-jose/v4 v4.1.4 github.com/go-stomp/stomp/v3 v3.1.5 github.com/google/go-cmp v0.7.0 github.com/google/go-containerregistry v0.21.5 diff --git a/go.sum b/go.sum index ad7df2c43f..be62600c55 100644 --- a/go.sum +++ b/go.sum 
@@ -27,8 +27,8 @@ github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjT github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ= -github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= +github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -44,7 +44,6 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-containerregistry v0.21.5 h1:KTJG9Pn/jC0VdZR6ctV3/jcN+q6/Iqlx0sTVz3ywZlM= 
@@ -162,7 +161,6 @@ github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVO github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.68.0 h1:cuXaPAfIoJKsYjBjPSb2nKZEmgM43zVr25l37IxhKME= 
@@ -210,30 +208,20 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI= golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod 
h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w= golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -242,27 +230,13 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ= golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod 
h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc= golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= @@ -272,8 +246,6 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190924052046-3ac2a5bbd98a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/httptransport/auth_test.go b/httptransport/auth_test.go index af5d5c2e39..4e0adf9cf2 100644 --- a/httptransport/auth_test.go +++ b/httptransport/auth_test.go @@ -12,7 +12,7 @@ import ( "net/http/httptest" "testing" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4/jwt" "github.com/quay/clair/config" "github.com/quay/claircore/test" 
@@ -116,7 +116,7 @@ func (tc *authTestcase) Run(ctx context.Context) func(*testing.T) { // TestAuth tests configuring both http server and client. func TestAuth(t *testing.T) { - fakeKey := []byte("deadbeef") + fakeKey := []byte("deadbeefdeadbeefdeadbeefdeadbeef") tt := []authTestcase{ {Name: "None"}, { @@ -153,7 +153,7 @@ func TestAuth(t *testing.T) { }, }, ShouldFail: true, - ConfigMod: func(_ *testing.T, cfg *config.Config) { cfg.Auth.PSK.Key = []byte("badbeef") }, + ConfigMod: func(_ *testing.T, cfg *config.Config) { cfg.Auth.PSK.Key = []byte("badbeefbadbeefbadbeefbadbeefbadb") }, }, { Name: "PSKFail", diff --git a/initialize/services.go b/initialize/services.go index 66c21cffa4..1093947ac1 100644 --- a/initialize/services.go +++ b/initialize/services.go @@ -10,7 +10,7 @@ import ( "net/http/cookiejar" "time" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4/jwt" "github.com/jackc/pgx/v5/pgxpool" "github.com/quay/clair/config" "github.com/quay/claircore/datastore/postgres" diff --git a/internal/httputil/signer.go b/internal/httputil/signer.go index aba15d697e..66bf7a633a 100644 --- a/internal/httputil/signer.go +++ b/internal/httputil/signer.go @@ -7,8 +7,8 @@ import ( "net/url" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/quay/clair/config" ) @@ -103,7 +103,7 @@ func (s *Signer) Sign(ctx context.Context, req *http.Request) error { cl.IssuedAt = jwt.NewNumericDate(now) cl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway)) cl.Expiry = jwt.NewNumericDate(now.Add(jwt.DefaultLeeway)) - h, err := jwt.Signed(s.signer).Claims(&cl).CompactSerialize() + h, err := jwt.Signed(s.signer).Claims(&cl).Serialize() if err != nil { return err } diff --git a/local-dev/clair/config.yaml b/local-dev/clair/config.yaml index abef350376..4bf3f860f0 100644 --- a/local-dev/clair/config.yaml +++ b/local-dev/clair/config.yaml 
@@ -11,7 +11,7 @@ updaters: - osv auth: psk: - key: 'c2VjcmV0' + key: 'c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=' iss: - quay - clairctl diff --git a/local-dev/quay/config.yaml b/local-dev/quay/config.yaml index 9b824842b3..1f99fb9df3 100644 --- a/local-dev/quay/config.yaml +++ b/local-dev/quay/config.yaml @@ -49,7 +49,7 @@ REPO_MIRROR_SERVER_HOSTNAME: null REPO_MIRROR_TLS_VERIFY: true SECURITY_SCANNER_V4_ENDPOINT: http://clair-traefik:6060 SECURITY_SCANNER_ISSUER_NAME: quay -SECURITY_SCANNER_V4_PSK: 'c2VjcmV0' +SECURITY_SCANNER_V4_PSK: 'c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U=' SERVER_HOSTNAME: clair-quay:8080 SETUP_COMPLETE: true SIGNING_ENGINE: gpg2 diff --git a/middleware/auth/httpauth_psk.go b/middleware/auth/httpauth_psk.go index df8388951b..20ac0beb7d 100644 --- a/middleware/auth/httpauth_psk.go +++ b/middleware/auth/httpauth_psk.go @@ -6,7 +6,8 @@ import ( "net/http" "time" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" ) // PSK implements the AuthCheck interface. @@ -33,7 +34,7 @@ func (p *PSK) Check(ctx context.Context, r *http.Request) bool { slog.DebugContext(ctx, "failed to retrieve jwt from header") return false } - tok, err := jwt.ParseSigned(wt) + tok, err := jwt.ParseSigned(wt, []jose.SignatureAlgorithm{jose.HS256, jose.HS384, jose.HS512}) if err != nil { slog.DebugContext(ctx, "failed to parse jwt", "reason", err) return false diff --git a/middleware/auth/httpauth_psk_test.go b/middleware/auth/httpauth_psk_test.go index 88e0feecf4..b820789313 100644 --- a/middleware/auth/httpauth_psk_test.go +++ b/middleware/auth/httpauth_psk_test.go @@ -14,8 +14,8 @@ import ( "testing/quick" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/quay/clair/v4/internal/httputil" ) 
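Review bot: The accepted-algorithm list handed to `jwt.ParseSigned` is a fresh slice literal built on every request inside Check, and nothing says why only the HMAC family is listed. Hoisting it to a package-level `var pskAlgs = []jose.SignatureAlgorithm{jose.HS256, jose.HS384, jose.HS512}` with a comment such as `// PSK tokens are HMAC-signed; restricting verification to the HS* algorithms means a token's "alg" header cannot steer verification onto a non-HMAC path` records the intent, mirrors the `signAlgo` variable the test file already keeps at package level, and avoids the per-request allocation. Check begins before this hunk.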
@@ -40,6 +40,9 @@ var signAlgo = []jose.SignatureAlgorithm{ // implements the Generate interface from testing/quick package. func (tc *pskTestcase) Generate(rand *rand.Rand, sz int) reflect.Value { + if sz < 64 { + sz = 64 + } b := make([]byte, sz) t := &pskTestcase{ key: make([]byte, sz), @@ -111,7 +114,7 @@ func roundtrips(t *testing.T) func(*pskTestcase) bool { Expiry: jwt.NewNumericDate(now.Add(time.Minute)), IssuedAt: jwt.NewNumericDate(now), NotBefore: jwt.NewNumericDate(now), - }).CompactSerialize() + }).Serialize() if err != nil { t.Error(err) return false diff --git a/notifier/webhook/cmd/webhookd/main.go b/notifier/webhook/cmd/webhookd/main.go index 7e2e86dfac..e374a2b2eb 100644 --- a/notifier/webhook/cmd/webhookd/main.go +++ b/notifier/webhook/cmd/webhookd/main.go @@ -25,8 +25,8 @@ import ( "strconv" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/google/uuid" "github.com/quay/clair/v4/notifier" @@ -253,7 +253,7 @@ func (h *Recv) sign(req *http.Request) error { cl.IssuedAt = jwt.NewNumericDate(now) cl.NotBefore = jwt.NewNumericDate(now.Add(-jwt.DefaultLeeway)) cl.Expiry = jwt.NewNumericDate(now.Add(jwt.DefaultLeeway)) - tok, err := jwt.Signed(h.Signer).Claims(&cl).CompactSerialize() + tok, err := jwt.Signed(h.Signer).Claims(&cl).Serialize() if err != nil { return err }
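Review bot: The clamp `if sz < 64 { sz = 64 }` added to Generate is an unexplained constant that differs from the 32-byte minimum validate now enforces, leaving a reader to guess that 64 is presumably the SHA-512 output size needed by the HS512 entry in signAlgo. A one-line comment would settle it, e.g. `// testing/quick may choose tiny sizes; clamp so the key is at least the HMAC-SHA512 output size (64 bytes), the largest any algorithm in signAlgo requires`. Generate continues past the end of this hunk.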