chore: Migrate to use golang-jwt/jwt v4.2.0

[terrytangyuan]

The original repo is no longer maintained, see dgrijalva/jwt-go#462. We also received fuzzing reports on this. Upgrading to v4.2.0 might fix some of the issues.

Signed-off-by: Yuan Tang terrytangyuan@gmail.com

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[terrytangyuan]

cc @jannfis @AdamKorcz

[AdamKorcz]

OSS-fuzz issue: https://oss-fuzz.com/testcase-detail/5460437754314752

[terrytangyuan]

@alexmt Since you originally added these in #5228. Could you help review this removal? Looks like since we are using the new method jwt.NewNumericDate, the precision will be in seconds.

// TimePrecision sets the precision of times and dates within this library.
// This has an influence on the precision of times when comparing expiry or
// other related time fields. Furthermore, it is also the precision of times
// when serializing.
//
// For backwards compatibility the default precision is set to seconds, so that
// no fractional timestamps are generated.
var TimePrecision = time.Second

// NumericDate represents a JSON numeric date value, as referenced at
// https://datatracker.ietf.org/doc/html/rfc7519#section-2.
type NumericDate struct {
	time.Time
}

// NewNumericDate constructs a new *NumericDate from a standard library time.Time struct.
// It will truncate the timestamp according to the precision specified in TimePrecision.
func NewNumericDate(t time.Time) *NumericDate {
	return &NumericDate{t.Truncate(TimePrecision)}
}

[jannfis]

I think the workaround that Alex has implemented was due to the fact that our JWTs contain integer timestamps, while the library worked with floats. Now they seem to support multiple precisions and have reverted to integers for the precision we require (seconds), which is nice :) To me, the removal of this workaround looks good.

[terrytangyuan]

@jannfis Thanks for confirming! cc @alexmt to double check as well.

[codecov]

Codecov Report

Merging #8136 (9f21e8e) into master (27af0b4) will decrease coverage by 0.02%.
The diff coverage is 58.33%.

@@            Coverage Diff             @@
##           master    #8136      +/-   ##
==========================================
- Coverage   41.53%   41.50%   -0.03%     
==========================================
  Files         174      174              
  Lines       22736    22717      -19     
==========================================
- Hits         9443     9429      -14     
+ Misses      11949    11945       -4     
+ Partials     1344     1343       -1     

Impacted Files	Coverage Δ
cmd/argocd/commands/login.go	2.30% <0.00%> (+0.01%)	⬆️
cmd/argocd/commands/project_role.go	0.00% <ø> (ø)
server/logout/logout.go	77.77% <ø> (ø)
server/rbacpolicy/rbacpolicy.go	82.35% <ø> (ø)
server/server.go	54.76% <ø> (ø)
util/jwt/jwt.go	60.00% <ø> (ø)
util/localconfig/localconfig.go	3.12% <0.00%> (+0.03%)	⬆️
util/oidc/oidc.go	19.21% <ø> (ø)
util/rbac/rbac.go	76.50% <ø> (ø)
util/session/sessionmanager.go	68.75% <66.66%> (-1.37%)	⬇️
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 27af0b4...9f21e8e. Read the comment docs.

[jannfis]

I was wondering why we previously skipped audience validation, and now validate audience field?

[terrytangyuan]

Oh, thanks for reminding me of this since I meant to double check on this change as well!

This is only because jwt.WithoutAudienceValidation() is no longer available in the new version of JWT client. Although I am not aware of the reason why the audience validation was skipped previously. If you have any suggestions here, please let me know!

[alexmt]

It is important to not validate audience (see #5253 and #5413). Apparently, https://github.com/golang-jwt/jwt does not validate the audience automatically , so it works just as we need right now.

They might re-introduce automatic validate in future golang-jwt/jwt#16 but we are good for now.

[jannfis]

I have confirmed that this fixes the issue that OSS-Fuzz has complained about. After this PR has been merged, the fuzzer needs to be adapted to import github.com/golang-jwt/jwt/v4 instead of github.com/dgrijalva/jwt-go/v4

[jannfis]

LGTM. Thanks a lot @terrytangyuan !

[AdamKorcz]

the fuzzer needs to be adapted to import github.com/golang-jwt/jwt/v4 instead of github.com/dgrijalva/jwt-go/v4

I can do that.

Edit: Nevermind: cncf/cncf-fuzzing#61

[alexmt]

Thank you @terrytangyuan !