Upgrade jwt package, support custom claim and header (streamnative#906)

tuteng · web-flow · commit 053507659a13 · 2022-12-12T11:45:09.000+08:00
* Upgrade jwt package
Support custom claim and header

* Fixed go import

* Remove golang 13, 14, 15 ci check
diff --git a/.github/workflows/ci-release-checks.yml b/.github/workflows/ci-release-checks.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [ 1.13, 1.14, 1.15, 1.16, 1.17, 1.18 ]
+        go-version: [ 1.16, 1.17, 1.18 ]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v1
diff --git a/go.mod b/go.mod
@@ -7,8 +7,8 @@ require (
 	github.com/apache/pulsar-client-go v0.9.0
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.7.0
-	github.com/form3tech-oss/jwt-go v3.2.3+incompatible
 	github.com/ghodss/yaml v1.0.0
+	github.com/golang-jwt/jwt/v4 v4.4.3
 	github.com/golang/protobuf v1.5.2
 	github.com/imdario/mergo v0.3.8
 	github.com/kris-nova/logger v0.0.0-20181127235838-fd0d87064b06
diff --git a/go.sum b/go.sum
@@ -112,8 +112,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
-github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -144,6 +142,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
+github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
diff --git a/pkg/pulsar/token.go b/pkg/pulsar/token.go
@@ -18,12 +18,15 @@
 package pulsar
 
 import (
+	"encoding/base64"
 	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
 
 	"github.com/streamnative/pulsarctl/pkg/pulsar/common/algorithm/algorithm"
 	"github.com/streamnative/pulsarctl/pkg/pulsar/common/algorithm/keypair"
 
-	"github.com/form3tech-oss/jwt-go"
 	"github.com/pkg/errors"
 )
 
@@ -38,6 +41,10 @@ type Token interface {
 	// object and the expire time
 	Create(algorithm.Algorithm, interface{}, string, int64) (string, error)
 
+	// CreateToken creates a token object using the specified signature algorithm, private key
+	// custom claim and header
+	CreateToken(algorithm.Algorithm, interface{}, *jwt.MapClaims, map[string]interface{}) (string, error)
+
 	// Validate a token is valid or not
 	Validate(algorithm.Algorithm, string, interface{}) (string, int64, error)
 
@@ -77,13 +84,25 @@ func (t *token) CreateSecretKey(signatureAlgorithm algorithm.Algorithm) ([]byte,
 func (t *token) Create(algorithm algorithm.Algorithm, signKey interface{}, subject string,
 	expireTime int64) (string, error) {
 
-	claims := &jwt.StandardClaims{
-		Subject:   subject,
-		ExpiresAt: expireTime,
+	claims := &jwt.MapClaims{
+		"sub": subject,
+		"exp": jwt.NewNumericDate(time.Unix(expireTime, 0)),
 	}
-	signMethod := parseAlgorithmToJwtSignMethod(algorithm)
-	tokenString := jwt.NewWithClaims(signMethod, claims)
+	return t.CreateToken(algorithm, signKey, claims, nil)
+}
 
+func (t *token) CreateToken(
+	algorithm algorithm.Algorithm,
+	signKey interface{},
+	mapClaims *jwt.MapClaims,
+	headers map[string]interface{}) (string, error) {
+	signMethod := parseAlgorithmToJwtSignMethod(algorithm)
+	tokenString := jwt.NewWithClaims(signMethod, mapClaims)
+	if headers != nil && len(headers) > 0 {
+		for s, i := range headers {
+			tokenString.Header[s] = i
+		}
+	}
 	return tokenString.SignedString(signKey)
 }
 
@@ -110,20 +129,20 @@ func (t *token) Validate(algorithm algorithm.Algorithm, tokenString string,
 
 func (t *token) GetAlgorithm(tokenString string) (string, error) {
 	parts := strings.Split(tokenString, ".")
-	algorithm, err := jwt.DecodeSegment(parts[0])
+	alg, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
 		return "", err
 	}
-	return string(algorithm), nil
+	return string(alg), nil
 }
 
 func (t *token) GetSubject(tokenString string) (string, error) {
 	parts := strings.Split(tokenString, ".")
-	algorithm, err := jwt.DecodeSegment(parts[1])
+	alg, err := base64.RawURLEncoding.DecodeString(parts[1])
 	if err != nil {
 		return "", err
 	}
-	return string(algorithm), nil
+	return string(alg), nil
 }
 
 func parseAlgorithmToJwtSignMethod(a algorithm.Algorithm) jwt.SigningMethod {
