Switch to form3-tech/jwt-go. #1822
Conversation
|
Can one of the admins verify this patch? |
|
@centos-ci ok-to-test |
|
The test was failing with something that looked unrelated. I added a commit that I think addresses this. |
|
The build error looks like some kind of timeout. Is there a way to rerun it? |
|
/retest this please |
|
This time it looked like a vagrant issue: |
|
Python tests are also getting failed in Github actions. It looks like this got introduced now in the new python version. |
|
The changes generally look pretty reasonable. The changes to glide look minimal, which is very important, so thanks for keeping them small. Once some of the CI issues are sorted out we can do proper reviews. One small request would be to fold your 2 changesets together as having the test fix in with the import changes is more bisection friendly. |
All set! I'll keep poking at the CI stuff, not sure if I'll be able to fix it though. |
dlorenc
force-pushed
the
jwt
branch
2 times, most recently
from
c1ddb88
to
9ef9550
Compare
|
Looks like a legitimate build failure due to one of our other dependencies, github.com/auth0/go-jwt-middleware still relying on the previous jwt lib. But looking at that project's readme on github its also been switched to use this fork. Perhaps the glide entry for that lib just needs to be tweaked too, @dlorenc ? Were you able to build with the current glide config locally? |
All set! Looks like things are passing now. |
|
Great, thanks! The centos ci seems to be having an issue with glide timing out (possibly a network issue?). I want to take a little more time to see if we can sort that out, but another week passes w/o centos ci passing one of may just need to run some tests manually and then we can get on with preparing to merge |
Is there a way to rerun it? The glide steps take several minutes on my laptop. I think that happened earlier to me too, but a rerun fixed it. |
|
/retest this please |
|
The above comment will run the CI again. But I tried many times on the other PR it is not helping out. |
|
@iamniting I think @dlorenc is suggesting to run the glide command more than once in the test, not to start the CI job again. |
|
I have an experiment at #1833 to try a Fonzie-type approach to getting the CI to do anything. |
|
Cool this one has also passed, Now centos CI is on track |
|
@raghavendra-talur PTAL, thanks. |
middleware/jwt.go
Outdated
| @@ -42,7 +42,7 @@ func init() { | |||
| } | |||
| } | |||
|
|
|||
| // From https://github.com/dgrijalva/jwt-go/pull/139 it is understood | |||
| // From https://github.com/form3tech-oss/jwt-go/pull/139 it is understood | |||
There was a problem hiding this comment.
This change does not make sense. The PR is only available in the dgrijalva repo. We can keep the comment as-is or modify the comment to not refer to any PR altogether.
glide.yaml
Outdated
| @@ -1,10 +1,11 @@ | |||
| package: github.com/heketi/heketi | |||
| import: | |||
| - package: github.com/auth0/go-jwt-middleware | |||
| version: 36081240882bbf356af6efb152969e4b0bcf4456 | |||
There was a problem hiding this comment.
This commit is from 2019 and as @phlogistonjohn mentioned, it will bring in dgrijalva/jwt-go as its dependency. I suggest that the version be bumped up to v1.0.0. v1.0.0 uses the fork "github.com/form3tech-oss/jwt-go".
glide.yaml
Outdated
| @@ -1,10 +1,11 @@ | |||
| package: github.com/heketi/heketi | |||
| import: | |||
| - package: github.com/auth0/go-jwt-middleware | |||
| version: 36081240882bbf356af6efb152969e4b0bcf4456 | |||
There was a problem hiding this comment.
| version: 36081240882bbf356af6efb152969e4b0bcf4456 | |
| version: v1.0.0 |
|
@dlorenc have you seen @raghavendra-talur 's feedback? Do you plan on making changes in reponse? |
The old library is abaondoned and has some severe CVEs in it. The form3-tech fork has fixed those CVEs and is the most popular fork. CVE is here: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 Also switch the key size in the jwt_test to 512, this appears required for go 1.13 Signed-off-by: Dan Lorenc <dlorenc@google.com>
Signed-off-by: Raghavendra Talur <rtalur@redhat.com>
With the migration to form3-tech/jwt-go repo, one of the string replaces also edited a link in the comment to an issue in the old jwt repo. This commit reverses the edit. Signed-off-by: Raghavendra Talur <rtalur@redhat.com>
raghavendra-talur
force-pushed
the
jwt
branch
from
d52d8ed
to
44ee562
Compare
What does this PR achieve? Why do we need it?
The old library is abaondoned and has some severe CVEs in it. The form3-tech
fork has fixed those CVEs and is the most popular fork. CVE is here:
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
Does this PR fix issues?
Fixes #
Notes for the reviewer
I understand this is going toward maintenance mode. Hoping to get this update in to help unblock other libraries that import heketi from updating.