From 2308e2f8be735d9ba7a7e6c6f3663f2446675bd6 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 27 Aug 2024 05:58:50 -0400
Subject: [PATCH] fix(deps): update go-jose to new updated repo due to migration (#630)
* updates go-jose to new updated repo due to migration - updated from /square/go-jose to /go-jose/go-jose - updates to v2.6.3 - addresses CVE-2016-9123 and CVE-2016-9121 - fixes tests that were adjusting for a 1s delay * revert 299>300 in op_test.go
---
 example/server/storage/storage.go | 2 +-
 example/server/storage/storage_dynamic.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/testutil/token.go | 2 +-
 pkg/client/client.go | 2 +-
 pkg/client/profile/jwt_profile.go | 2 +-
 pkg/client/rp/jwks.go | 2 +-
 pkg/client/rp/relying_party.go | 2 +-
 pkg/client/rp/verifier.go | 2 +-
 pkg/client/rp/verifier_test.go | 2 +-
 pkg/crypto/hash.go | 2 +-
 pkg/crypto/sign.go | 2 +-
 pkg/oidc/keyset.go | 2 +-
 pkg/oidc/keyset_test.go | 2 +-
 pkg/oidc/token.go | 2 +-
 pkg/oidc/token_request.go | 2 +-
 pkg/oidc/token_test.go | 2 +-
 pkg/oidc/types.go | 2 +-
 pkg/oidc/verifier.go | 2 +-
 pkg/op/discovery.go | 2 +-
 pkg/op/discovery_test.go | 2 +-
 pkg/op/keys.go | 2 +-
 pkg/op/keys_test.go | 2 +-
 pkg/op/mock/authorizer.mock.impl.go | 2 +-
 pkg/op/mock/discovery.mock.go | 2 +-
 pkg/op/mock/signer.mock.go | 2 +-
 pkg/op/mock/storage.mock.go | 2 +-
 pkg/op/op.go | 2 +-
 pkg/op/signer.go | 2 +-
 pkg/op/storage.go | 2 +-
 pkg/op/verifier_jwt_profile.go | 2 +-
 32 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/example/server/storage/storage.go b/example/server/storage/storage.go
index 3015626..2b15ba0 100644
--- a/example/server/storage/storage.go
+++ b/example/server/storage/storage.go
@@ -12,7 +12,7 @@ import (
 "time"
 "github.com/google/uuid"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 "github.com/zitadel/oidc/v2/pkg/op"
diff --git a/example/server/storage/storage_dynamic.go b/example/server/storage/storage_dynamic.go
index cb16c02..90a75f6 100644
--- a/example/server/storage/storage_dynamic.go
+++ b/example/server/storage/storage_dynamic.go
@@ -4,7 +4,7 @@ import (
 "context"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 "github.com/zitadel/oidc/v2/pkg/op"
diff --git a/go.mod b/go.mod
index 292e894..8441b29 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 go.opentelemetry.io/otel/trace v1.24.0
 golang.org/x/oauth2 v0.20.0
 golang.org/x/text v0.15.0
- gopkg.in/square/go-jose.v2 v2.6.0
+ gopkg.in/go-jose/go-jose.v2 v2.6.3
 )
 require (
diff --git a/go.sum b/go.sum
index dc2751b..98fe762 100644
--- a/go.sum
+++ b/go.sum
@@ -90,8 +90,8 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/testutil/token.go b/internal/testutil/token.go
index 121aa0b..22fd0df 100644
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@@ -9,7 +9,7 @@ import (
 "time"
 "github.com/zitadel/oidc/v2/pkg/oidc"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 // KeySet implements oidc.Keys
diff --git a/pkg/client/client.go b/pkg/client/client.go
index 7486ef1..f14d8bc 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -12,7 +12,7 @@ import (
 "time"
 "golang.org/x/oauth2"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/crypto"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
diff --git a/pkg/client/profile/jwt_profile.go b/pkg/client/profile/jwt_profile.go
index a220dc5..463fe55 100644
--- a/pkg/client/profile/jwt_profile.go
+++ b/pkg/client/profile/jwt_profile.go
@@ -5,7 +5,7 @@ import (
 "time"
 "golang.org/x/oauth2"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/client"
 "github.com/zitadel/oidc/v2/pkg/oidc"
diff --git a/pkg/client/rp/jwks.go b/pkg/client/rp/jwks.go
index 3438bd6..d5f71bd 100644
--- a/pkg/client/rp/jwks.go
+++ b/pkg/client/rp/jwks.go
@@ -7,7 +7,7 @@ import (
 "net/http"
 "sync"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
 "github.com/zitadel/oidc/v2/pkg/oidc"
diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index 051b8c8..c8f3df2 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -12,7 +12,7 @@ import (
 "github.com/google/uuid"
 "golang.org/x/oauth2"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/client"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
diff --git a/pkg/client/rp/verifier.go b/pkg/client/rp/verifier.go
index 75d149b..c4cb477 100644
--- a/pkg/client/rp/verifier.go
+++ b/pkg/client/rp/verifier.go
@@ -4,7 +4,7 @@ import (
 "context"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 )
diff --git a/pkg/client/rp/verifier_test.go b/pkg/client/rp/verifier_test.go
index f4e0f9d..3eae68d 100644
--- a/pkg/client/rp/verifier_test.go
+++ b/pkg/client/rp/verifier_test.go
@@ -9,7 +9,7 @@ import (
 "github.com/stretchr/testify/require"
 tu "github.com/zitadel/oidc/v2/internal/testutil"
 "github.com/zitadel/oidc/v2/pkg/oidc"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 func TestVerifyTokens(t *testing.T) {
diff --git a/pkg/crypto/hash.go b/pkg/crypto/hash.go
index 6fcc71f..81dace3 100644
--- a/pkg/crypto/hash.go
+++ b/pkg/crypto/hash.go
@@ -8,7 +8,7 @@ import (
 "fmt"
 "hash"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 var ErrUnsupportedAlgorithm = errors.New("unsupported signing algorithm")
diff --git a/pkg/crypto/sign.go b/pkg/crypto/sign.go
index 90e4c0e..58967e4 100644
--- a/pkg/crypto/sign.go
+++ b/pkg/crypto/sign.go
@@ -4,7 +4,7 @@ import (
 "encoding/json"
 "errors"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 func Sign(object any, signer jose.Signer) (string, error) {
diff --git a/pkg/oidc/keyset.go b/pkg/oidc/keyset.go
index 7b766a5..be228b9 100644
--- a/pkg/oidc/keyset.go
+++ b/pkg/oidc/keyset.go
@@ -7,7 +7,7 @@ import (
 "crypto/rsa"
 "errors"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 const (
diff --git a/pkg/oidc/keyset_test.go b/pkg/oidc/keyset_test.go
index 82b3ee8..c160f29 100644
--- a/pkg/oidc/keyset_test.go
+++ b/pkg/oidc/keyset_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 func TestFindKey(t *testing.T) {
diff --git a/pkg/oidc/token.go b/pkg/oidc/token.go
index 36d546c..8459814 100644
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@@ -6,7 +6,7 @@ import (
 "time"
 "golang.org/x/oauth2"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/muhlemmer/gu"
 "github.com/zitadel/oidc/v2/pkg/crypto"
diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go
index 07c4ca0..dc8a1b2 100644
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 const (
diff --git a/pkg/oidc/token_test.go b/pkg/oidc/token_test.go
index f3ea8d2..7e208c8 100644
--- a/pkg/oidc/token_test.go
+++ b/pkg/oidc/token_test.go
@@ -6,7 +6,7 @@ import (
 "github.com/stretchr/testify/assert"
 "golang.org/x/text/language"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 var (
diff --git a/pkg/oidc/types.go b/pkg/oidc/types.go
index 6ab7469..c04cd80 100644
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@@ -11,7 +11,7 @@ import (
 "github.com/gorilla/schema"
 "github.com/muhlemmer/gu"
 "golang.org/x/text/language"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 type Audience []string
diff --git a/pkg/oidc/verifier.go b/pkg/oidc/verifier.go
index 1af1ebb..eaeee15 100644
--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@@ -10,7 +10,7 @@ import (
 "strings"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 str "github.com/zitadel/oidc/v2/pkg/strings"
 )
diff --git a/pkg/op/discovery.go b/pkg/op/discovery.go
index 26f89eb..a8e974b 100644
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@@ -4,7 +4,7 @@ import (
 "context"
 "net/http"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
 "github.com/zitadel/oidc/v2/pkg/oidc"
diff --git a/pkg/op/discovery_test.go b/pkg/op/discovery_test.go
index 2d0b8af..640ee98 100644
--- a/pkg/op/discovery_test.go
+++ b/pkg/op/discovery_test.go
@@ -9,7 +9,7 @@ import (
 "github.com/golang/mock/gomock"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 "github.com/zitadel/oidc/v2/pkg/op"
diff --git a/pkg/op/keys.go b/pkg/op/keys.go
index 239ecbd..f84a5f8 100644
--- a/pkg/op/keys.go
+++ b/pkg/op/keys.go
@@ -4,7 +4,7 @@ import (
 "context"
 "net/http"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
 )
diff --git a/pkg/op/keys_test.go b/pkg/op/keys_test.go
index 2e56b78..91ca9b0 100644
--- a/pkg/op/keys_test.go
+++ b/pkg/op/keys_test.go
@@ -9,7 +9,7 @@ import (
 "github.com/golang/mock/gomock"
 "github.com/stretchr/testify/assert"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 "github.com/zitadel/oidc/v2/pkg/op"
diff --git a/pkg/op/mock/authorizer.mock.impl.go b/pkg/op/mock/authorizer.mock.impl.go
index 3f1d525..c7da673 100644
--- a/pkg/op/mock/authorizer.mock.impl.go
+++ b/pkg/op/mock/authorizer.mock.impl.go
@@ -6,7 +6,7 @@ import (
 "github.com/golang/mock/gomock"
 "github.com/gorilla/schema"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 "github.com/zitadel/oidc/v2/pkg/op"
diff --git a/pkg/op/mock/discovery.mock.go b/pkg/op/mock/discovery.mock.go
index 0c78d52..31a9a70 100644
--- a/pkg/op/mock/discovery.mock.go
+++ b/pkg/op/mock/discovery.mock.go
@@ -9,7 +9,7 @@ import (
 reflect "reflect"
 gomock "github.com/golang/mock/gomock"
- jose "gopkg.in/square/go-jose.v2"
+ jose "gopkg.in/go-jose/go-jose.v2"
 )
 // MockDiscoverStorage is a mock of DiscoverStorage interface.
diff --git a/pkg/op/mock/signer.mock.go b/pkg/op/mock/signer.mock.go
index 78c0efe..a30e3b8 100644
--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@@ -8,7 +8,7 @@ import (
 reflect "reflect"
 gomock "github.com/golang/mock/gomock"
- jose "gopkg.in/square/go-jose.v2"
+ jose "gopkg.in/go-jose/go-jose.v2"
 )
 // MockSigningKey is a mock of SigningKey interface.
diff --git a/pkg/op/mock/storage.mock.go b/pkg/op/mock/storage.mock.go
index 85afb2a..8e7f36c 100644
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@@ -12,7 +12,7 @@ import (
 gomock "github.com/golang/mock/gomock"
 oidc "github.com/zitadel/oidc/v2/pkg/oidc"
 op "github.com/zitadel/oidc/v2/pkg/op"
- jose "gopkg.in/square/go-jose.v2"
+ jose "gopkg.in/go-jose/go-jose.v2"
 )
 // MockStorage is a mock of Storage interface.
diff --git a/pkg/op/op.go b/pkg/op/op.go
index 286dcca..3a2e164 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -12,7 +12,7 @@ import (
 "go.opentelemetry.io/otel"
 "go.opentelemetry.io/otel/trace"
 "golang.org/x/text/language"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 httphelper "github.com/zitadel/oidc/v2/pkg/http"
 "github.com/zitadel/oidc/v2/pkg/oidc"
diff --git a/pkg/op/signer.go b/pkg/op/signer.go
index 6cef288..8cb8a2a 100644
--- a/pkg/op/signer.go
+++ b/pkg/op/signer.go
@@ -3,7 +3,7 @@ package op
 import (
 "errors"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 )
 var ErrSignerCreationFailed = errors.New("signer creation failed")
diff --git a/pkg/op/storage.go b/pkg/op/storage.go
index 17aa0b4..826dee6 100644
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@@ -5,7 +5,7 @@ import (
 "errors"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 )
diff --git a/pkg/op/verifier_jwt_profile.go b/pkg/op/verifier_jwt_profile.go
index e7c9611..ac39e76 100644
--- a/pkg/op/verifier_jwt_profile.go
+++ b/pkg/op/verifier_jwt_profile.go
@@ -6,7 +6,7 @@ import (
 "fmt"
 "time"
- "gopkg.in/square/go-jose.v2"
+ "gopkg.in/go-jose/go-jose.v2"
 "github.com/zitadel/oidc/v2/pkg/oidc"
 )