feature: Use RegisteredClaims instead of deprecated staruct StandardClaims (#16206)

Signed-off-by: wujw39640 <wujw39640@hundsun.com>
2024-06-20 11:55:06 +02:00 · 2022-08-01 10:23:47 +08:00 · 2022-08-01 10:23:47 +08:00 · bf741ad381
commit bf741ad381
parent bbc7282c46
6 changed files with 31 additions and 22 deletions
--- a/src/core/service/token/authutils.go
+++ b/src/core/service/token/authutils.go
@ -122,14 +122,14 @@ func MakeToken(ctx context.Context, username, service string, access []*token.Re
 	now := time.Now().UTC()

 	claims := &v2.Claims{
-		StandardClaims: jwt.StandardClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    options.Issuer,
 			Subject:   username,
-			Audience:  service,
-			ExpiresAt: now.Add(time.Duration(expiration) * time.Minute).Unix(),
-			NotBefore: now.Unix(),
-			IssuedAt:  now.Unix(),
-			Id:        utils.GenerateRandomStringWithLen(16),
+			Audience:  jwt.ClaimStrings([]string{service}),
+			ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(expiration) * time.Minute)),
+			NotBefore: jwt.NewNumericDate(now),
+			IssuedAt:  jwt.NewNumericDate(now),
+			ID:        utils.GenerateRandomStringWithLen(16),
 		},
 		Access: access,
 	}
--- a/src/core/service/token/token_test.go
+++ b/src/core/service/token/token_test.go
@ -123,7 +123,7 @@ func getPublicKey(crtPath string) (*rsa.PublicKey, error) {
 }

 type harborClaims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	// Private claims
 	Access []*token.ResourceActions `json:"access"`
 }
@ -160,7 +160,7 @@ func TestMakeToken(t *testing.T) {
 	}
 	claims := tok.Claims.(*harborClaims)
 	assert.Equal(t, *(claims.Access[0]), *(ra[0]), "Access mismatch")
-	assert.Equal(t, claims.Audience, svc, "Audience mismatch")
+	assert.Equal(t, claims.Audience, jwt.ClaimStrings([]string{svc}), "Audience mismatch")
 }

 type parserTestRec struct {
--- a/src/pkg/token/claims/robot/robot.go
+++ b/src/pkg/token/claims/robot/robot.go
@ -8,9 +8,13 @@ import (
 	"github.com/goharbor/harbor/src/pkg/permission/types"
 )

+func init() {
+	jwt.MarshalSingleStringAsArray = false
+}
+
 // Claim implements the interface of jwt.Claims
 type Claim struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	TokenID   int64           `json:"id"`
 	ProjectID int64           `json:"pid"`
 	Access    []*types.Policy `json:"access"`
@ -27,7 +31,7 @@ func (rc Claim) Valid() error {
 	if rc.Access == nil {
 		return errors.New("the access info cannot be nil")
 	}
-	stdErr := rc.StandardClaims.Valid()
+	stdErr := rc.RegisteredClaims.Valid()
 	if stdErr != nil {
 		return stdErr
 	}
--- a/src/pkg/token/claims/v2/claims.go
+++ b/src/pkg/token/claims/v2/claims.go
@ -1,12 +1,17 @@
 package v2

 import (
+	"crypto/subtle"
 	"fmt"

 	"github.com/docker/distribution/registry/auth/token"
 	"github.com/golang-jwt/jwt/v4"
 )

+func init() {
+	jwt.MarshalSingleStringAsArray = false
+}
+
 const (
 	// Issuer is the only valid issuer for jwt token sent to /v2/xxxx
 	Issuer = "harbor-token-issuer"
@ -14,16 +19,16 @@ const (

 // Claims represents the token claims that encapsulated in a JWT token for registry/notary resources
 type Claims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	Access []*token.ResourceActions `json:"access"`
 }

 // Valid checks if the issuer is harbor
 func (c *Claims) Valid() error {
-	if err := c.StandardClaims.Valid(); err != nil {
+	if err := c.RegisteredClaims.Valid(); err != nil {
 		return err
 	}
-	if !c.VerifyIssuer(Issuer, true) {
+	if subtle.ConstantTimeCompare([]byte(c.Issuer), []byte(Issuer)) == 0 {
 		return fmt.Errorf("invalid token issuer: %s", c.Issuer)
 	}
 	return nil
--- a/src/pkg/token/claims/v2/claims_test.go
+++ b/src/pkg/token/claims/v2/claims_test.go
@ -15,7 +15,7 @@ func TestValid(t *testing.T) {
 	}{
 		{
 			claims: Claims{
-				StandardClaims: jwt.StandardClaims{
+				RegisteredClaims: jwt.RegisteredClaims{
 					Issuer: "anonymous",
 				},
 				Access: []*token.ResourceActions{},
@ -24,7 +24,7 @@ func TestValid(t *testing.T) {
 		},
 		{
 			claims: Claims{
-				StandardClaims: jwt.StandardClaims{
+				RegisteredClaims: jwt.RegisteredClaims{
 					Issuer: Issuer,
 				},
 				Access: []*token.ResourceActions{},
--- a/src/pkg/token/token_test.go
+++ b/src/pkg/token/token_test.go
@ -33,13 +33,13 @@ func TestNew(t *testing.T) {
 	tokenID := int64(123)
 	projectID := int64(321)
 	tokenExpiration := time.Duration(10) * 24 * time.Hour
-	expiresAt := time.Now().UTC().Add(tokenExpiration).Unix()
+	expiresAt := time.Now().UTC().Add(tokenExpiration)
 	robot := robot_claim.Claim{
 		TokenID:   tokenID,
 		ProjectID: projectID,
 		Access:    policies,
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expiresAt,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
 		},
 	}
 	defaultOpt := DefaultTokenOptions()
@ -60,20 +60,20 @@ func TestRaw(t *testing.T) {
 		Resource: "/project/library/repository",
 		Action:   "pull",
 	}
-	policies := []*types.Policy{}
+	var policies []*types.Policy
 	policies = append(policies, rbacPolicy)

 	tokenID := int64(123)
 	projectID := int64(321)

 	tokenExpiration := time.Duration(10) * 24 * time.Hour
-	expiresAt := time.Now().UTC().Add(tokenExpiration).Unix()
+	expiresAt := time.Now().UTC().Add(tokenExpiration)
 	robot := robot_claim.Claim{
 		TokenID:   tokenID,
 		ProjectID: projectID,
 		Access:    policies,
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expiresAt,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
 		},
 	}
 	defaultOpt := DefaultTokenOptions()