Merge pull request #8 from aakso/chore/upgrade-deps

chore: upgrade deps and switch golang-jwt/jwt

Makefile

@@ -20,7 +20,7 @@ PKG_USER = sshi
 PKG_GROUP = sshi
 PKG_VARDIR = /var/lib/ssh-inscribe
 PKG_BIN_SUFFIX =
-GO_VERSION = 1.15.5
+GO_VERSION = 1.16.4
 GOFLAGS=-mod=vendor
 
 LDFLAGS += -X github.com/aakso/ssh-inscribe/pkg/globals.confDir=/$(PKG_ETC)
@@ -145,18 +145,6 @@ rpm_setup_server_fpm_files:
 rpm_setup_client_fpm_files:
 	cp build/sshi-$(PKG_OS)-$(PKG_ARCH) $(FAKEROOT_CLIENT)/$(PKG_BIN_SSHI)
 
-.PHONY: patch
-patch:
-	patch --dry-run -N -p1 < patch/readline_issue112.patch
-	patch -N -p1 < patch/readline_issue112.patch
-
-.PHONY: ensure-deps
-ensure-deps:
-	dep ensure
-
-.PHONY: get-deps
-get-deps: ensure-deps patch
-
 .PHONY: test
 test:
 	go test $(shell git grep  -l '!race' ./pkg | xargs -n 1 dirname | uniq | sed 's/^/\.\//')

go.mod

@@ -1,51 +1,35 @@
 module github.com/aakso/ssh-inscribe
 
-go 1.15
+go 1.16
 
 require (
 	github.com/Microsoft/go-winio v0.5.0
 	github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5
 	github.com/bgentry/speakeasy v0.1.0
 	github.com/blang/semver/v4 v4.0.0
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
-	github.com/coreos/bbolt v1.3.2 // indirect
-	github.com/coreos/etcd v3.3.13+incompatible // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e // indirect
-	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/ghodss/yaml v1.0.0
 	github.com/gobwas/glob v0.2.3
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/jonboulle/clockwork v0.1.0 // indirect
-	github.com/labstack/echo/v4 v4.3.0
+	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/labstack/echo/v4 v4.5.0
 	github.com/labstack/gommon v0.3.0
-	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/mitchellh/copystructure v1.2.0
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.1
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/prometheus/client_golang v0.9.3 // indirect
 	github.com/sirupsen/logrus v1.8.1
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
-	github.com/soheilhy/cmux v0.1.4 // indirect
 	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 // indirect
 	github.com/vjeantet/ldapserver v1.0.1
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
-	go.etcd.io/bbolt v1.3.2 // indirect
-	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
-	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
-	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
-	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
+	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect
+	golang.org/x/oauth2 v0.0.0-20210810183815-faf39c7919d5
+	golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/ldap.v2 v2.5.1

pkg/auth/backend/authoidc/auth_test.go

@@ -13,7 +13,7 @@ import (
 	"os"
 
 	"github.com/aakso/ssh-inscribe/pkg/auth"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/stretchr/testify/assert"
 	"gopkg.in/square/go-jose.v2"
 )

pkg/keysigner/keysigner.go

@@ -13,11 +13,12 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sirupsen/logrus"
-	"github.com/aakso/ssh-inscribe/pkg/util"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
+
+	"github.com/aakso/ssh-inscribe/pkg/util"
 )
 
 // Taken from stdlib to allow us to talk to the agent directly
@@ -208,6 +209,8 @@ func (ks *KeySignerService) removeSmartcard(id string) error {
 		return err
 	}
 	if _, ok := res.(*successAgentMsg); ok {
+		ks.pkcs11Provider = ""
+		ks.pkcs11Pin = ""
 		return nil
 	}
 	return errors.New("agent: failure")
@@ -249,6 +252,25 @@ func (ks *KeySignerService) AddSigningKey(pemKey []byte, comment string) error {
 	return nil
 }
 
+func (ks *KeySignerService) RemoveAllKeys() error {
+	ks.Lock()
+	defer ks.Unlock()
+	if !ks.agentPing() {
+		return errors.New("cannot remove signing key: agent is not responding")
+	}
+	if ks.pkcs11Provider != "" {
+		if err := ks.removeSmartcard(ks.pkcs11Provider); err != nil {
+			return errors.Wrap(err, "cannot remove smartcard")
+		}
+	}
+	if err := ks.client.RemoveAll(); err != nil {
+		return errors.Wrap(err, "cannot remove signing key")
+	}
+	ks.selectedSigningKey = nil
+
+	return nil
+}
+
 func (ks *KeySignerService) getSigner() (ssh.Signer, error) {
 	signers, err := ks.client.Signers()
 	if err != nil {

pkg/server/signapi/handle_ca.go

@@ -5,7 +5,7 @@ import (
 	"net/http"
 
 	"github.com/aakso/ssh-inscribe/pkg/auth"
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt"
 	"github.com/labstack/echo/v4"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ssh"

pkg/server/signapi/handle_login.go

@@ -5,10 +5,11 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/aakso/ssh-inscribe/pkg/auth"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/labstack/echo/v4"
 	"github.com/pkg/errors"
+
+	"github.com/aakso/ssh-inscribe/pkg/auth"
 )
 
 const (

pkg/server/signapi/handle_sign.go

@@ -8,7 +8,7 @@ import (
 	"github.com/aakso/ssh-inscribe/pkg/auth/authz/authzfilter"
 
 	"github.com/aakso/ssh-inscribe/pkg/auth"
-	jwt "github.com/dgrijalva/jwt-go"
+	jwt "github.com/golang-jwt/jwt"
 	"github.com/labstack/echo/v4"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ssh"

pkg/server/signapi/routes.go

@@ -1,11 +1,13 @@
 package signapi
 
 import (
-	"github.com/aakso/ssh-inscribe/pkg/auth"
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	"github.com/labstack/gommon/random"
+	"github.com/pkg/errors"
+
+	"github.com/aakso/ssh-inscribe/pkg/auth"
 )
 
 func (sa *SignApi) RegisterRoutes(g *echo.Group) {
@@ -41,6 +43,25 @@ func jwtAuth(key []byte, claims jwt.Claims, skipIfMissing bool) echo.MiddlewareF
 		SigningKey:  key,
 		TokenLookup: "header:" + authHeader,
 		Claims:      claims,
+		// ref: echo.labstack.com/middleware/jwt/
+		ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) {
+			keyFunc := func(t *jwt.Token) (interface{}, error) {
+				if t.Method.Alg() != "HS256" {
+					return nil, errors.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
+				}
+				return key, nil
+			}
+
+			// claims are of type `jwt.MapClaims` when token is created with `jwt.Parse`
+			token, err := jwt.ParseWithClaims(auth, &SignClaim{}, keyFunc)
+			if err != nil {
+				return nil, err
+			}
+			if !token.Valid {
+				return nil, errors.New("invalid token")
+			}
+			return token, nil
+		},
 	}
 	if skipIfMissing {
 		config.Skipper = func(c echo.Context) bool {

pkg/server/signapi/signapi.go

@@ -3,10 +3,11 @@ package signapi
 import (
 	"time"
 
+	"github.com/golang-jwt/jwt"
+
 	"github.com/aakso/ssh-inscribe/pkg/auth"
 	"github.com/aakso/ssh-inscribe/pkg/keysigner"
 	"github.com/aakso/ssh-inscribe/pkg/util"
-	"github.com/dgrijalva/jwt-go"
 )
 
 const (