From 145d08dc44353556370c594507a2e626f3bc4340 Mon Sep 17 00:00:00 2001
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Date: Mon, 15 Mar 2021 17:26:54 -0700
Subject: [PATCH] Updates the JWT/OIDC auth plugin to v0.9.1 (#11107)

---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../hashicorp/vault-plugin-auth-jwt/path_login.go | 12 +++++++++++-
 vendor/modules.txt | 2 +-
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index ae55421b5..e8fdfc327 100644
--- a/go.mod
+++ b/go.mod
@@ -83,7 +83,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-centrify v0.8.0
 github.com/hashicorp/vault-plugin-auth-cf v0.8.0
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
- github.com/hashicorp/vault-plugin-auth-jwt v0.9.0
+ github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0
 github.com/hashicorp/vault-plugin-auth-oci v0.7.0
diff --git a/go.sum b/go.sum
index 99cf32a79..11528364f 100644
--- a/go.sum
+++ b/go.sum
@@ -694,8 +694,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.8.0/go.mod h1:exPUMj8yNohKM7yRiHa7O
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 h1:57uJ2Vqo+M+W7pD8xEONKJ1BBGS8V4xpm7VU56A9RWA=
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
-github.com/hashicorp/vault-plugin-auth-jwt v0.9.0 h1:82+2S9k06YAT/+yNJtDZQ+X5Hny+WZqtEkdhp2svlDI=
-github.com/hashicorp/vault-plugin-auth-jwt v0.9.0/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
+github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 h1:8CnT8z+o26/c8PUUhvp+BaiDSIgA5giazyYbZlfNJ5Q=
+github.com/hashicorp/vault-plugin-auth-jwt v0.9.1/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 h1:QxW0gRevydrNfRvo1qI6p0jQkhedLUgiWqpCN36RXoQ=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0/go.mod h1:h+7pLm4Z2EeKHOGPefX0bGzdUQCMBUlvM/BpSMNgTFw=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 h1:X/eXFuJqVW8YN73ohTaI5YyCwcjd6C3mpnMv/elkNrw=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
index a1b93b259..19da21211 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
@@ -92,12 +92,22 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 return logical.ErrorResponse("error configuring token validator: %s", err.Error()), nil
 }
 
+ // Validate JWT supported algorithms if they've been provided. Otherwise,
+ // ensure that the signing algorithm is a member of the supported set.
+ signingAlgorithms := toAlg(config.JWTSupportedAlgs)
+ if len(signingAlgorithms) == 0 {
+ signingAlgorithms = []jwt.Alg{
+ jwt.RS256, jwt.RS384, jwt.RS512, jwt.ES256, jwt.ES384,
+ jwt.ES512, jwt.PS256, jwt.PS384, jwt.PS512, jwt.EdDSA,
+ }
+ }
+
 // Set expected claims values to assert on the JWT
 expected := jwt.Expected{
 Issuer: config.BoundIssuer,
 Subject: role.BoundSubject,
 Audiences: role.BoundAudiences,
- SigningAlgorithms: toAlg(config.JWTSupportedAlgs),
+ SigningAlgorithms: signingAlgorithms,
 NotBeforeLeeway: role.NotBeforeLeeway,
 ExpirationLeeway: role.ExpirationLeeway,
 ClockSkewLeeway: role.ClockSkewLeeway,
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7620bc43f..0a3b9b313 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -563,7 +563,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
 # github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
 github.com/hashicorp/vault-plugin-auth-gcp/plugin
 github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
-# github.com/hashicorp/vault-plugin-auth-jwt v0.9.0
+# github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
 github.com/hashicorp/vault-plugin-auth-kerberos
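Review bot: The new comment above `signingAlgorithms` says the supported algorithms are validated, but the added lines only substitute a default allowlist when `config.JWTSupportedAlgs` is empty; nothing in this hunk checks the configured values, so the comment should read `// Use the configured signing-algorithm allowlist, falling back to the asymmetric default set when none is configured.` The default literal is also rebuilt inside the login handler on every request; hoisting it to a package-level `var defaultSigningAlgorithms = []jwt.Alg{...}` and writing `signingAlgorithms = defaultSigningAlgorithms` in the `if` body keeps the hot path allocation-free and gives config validation and documentation a single definition of the default. Whether the validator treats an empty `SigningAlgorithms` as no restriction cannot be confirmed from this hunk, but if it does, this fallback is the substantive fix and warrants a regression test asserting that a token signed with an algorithm outside the default list is rejected when `config.JWTSupportedAlgs` is empty. The body of `pathLogin` begins and ends outside this hunk.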