JWT V2 #66
JWT V2 #66
Conversation
- V1 Deprecates cluster/server claims, as these are not used - will re-introduced when supported - V2 Removes deprecated API - Resolve JWT namespace squatting. Extra fields leaked through to the root object of the claims - NATS claims add a version number enabling the library to reject claims that it doesn't understand. - Old JWTs are automatically migrated into their v2 formats on read, so reading code is backwards compatible for non-tool clients. - V2 Removes internal use of deprecated fields JWT Namespace Squatting Changes - ClaimsData had `tags` and `type` fields for all JWT types, these are moved to the structure `nats`. - ActivationsClaims and UserClaims had `issuer_account` moved to the `nats` structure.
aricart
requested review from
kozlovic,
derekcollison,
philpennock and
wallyqs
|
Since using modules not sure we need to have a |
- V1 Deprecates cluster/server claims, as these are not used - will re-introduced when supported - V2 Removes deprecated API - Resolve JWT namespace squatting. Extra fields leaked through to the root object of the claims - NATS claims add a version number enabling the library to reject claims that it doesn't understand. - Old JWTs are automatically migrated into their v2 formats on read, so reading code is backwards compatible for non-tool clients. - V2 Removes internal use of deprecated fields JWT Namespace Squatting Changes - ClaimsData had `tags` and `type` fields for all JWT types, these are moved to the structure `nats`. - ActivationsClaims and UserClaims had `issuer_account` moved to the `nats` structure.
This pulls in system_account changes
Signed-off-by: Matthias Hanel <mh@synadia.com>
Changing name of the algorithm to trip v1 jwt libraries. The old name ed25519 is not used by other jwt libraries and was only valid for our library. Therefore changing that string is ok. Add field assert server version to operator.
aricart
requested review from
kozlovic,
matthiashanel,
derekcollison and
philpennock
and removed request for
wallyqs,
derekcollison,
philpennock and
kozlovic
Yes we need access to both versions at the same time from the same library. |
|
Just for further documentation, the workflow of doing a |
| - 1.13.x | ||
| - 1.12.x | ||
|
|
||
| - 1.13.x |
There was a problem hiding this comment.
Probably want to have 1.14.x and 1.13.x and drop 1.12.x now (I know, PR was originally created long ago).
.travis.yml
Outdated
| script: $HOME/gopath/bin/goveralls -coverprofile=v2/coverage.out -service travis-ci | ||
| on: | ||
| tags: true | ||
| condition: ${V} = v2 && $TRAVIS_GO_VERSION =~ ^1.13. |
| - misspell -error -locale US . | ||
| - staticcheck ./... | ||
|
|
||
| - cd $TRAVIS_BUILD_DIR/${V} |
There was a problem hiding this comment.
Since you do move to that directory to run the tests down below, not sure you need it here.
go.mod
Outdated
| require github.com/nats-io/nkeys v0.1.4 | ||
| require ( | ||
| github.com/nats-io/nkeys v0.1.3 | ||
| github.com/stretchr/testify v1.5.1 // indirect |
There was a problem hiding this comment.
Hopefully that does not bring this dep in the nats-server/go client. I know you are a big fan of it, but I like to minimize any dependency unless really required. So far, all testing in nats-server/streaming-server have not needed any feature that testify may bring that could not be done with std lib.
| uc.Validate(vr) | ||
|
|
||
| if vr.IsEmpty() || len(vr.Issues) != 1 || !vr.IsBlocking(true) { | ||
| t.Error("bad permission should be invalid") |
There was a problem hiding this comment.
t.Error() will mark the test as failed, but will continue execution of the test. Does that make sense? I personally never use t.Error() because any error condition in my opinion invalidates the test.
(I won't repeat comment on all t.Error() occurrences).
There was a problem hiding this comment.
yes it is required - the test is mucking with the model further down to catch other kinds of errors - likely it should many different tests but it isn't.
|
General by @ripienaar has insisted on making move to UTC for all dates and times. Might be a good time to do so here as well? |
go.mod
Outdated
| @@ -1,5 +1,8 @@ | |||
| module github.com/nats-io/jwt | |||
|
|
|||
| require github.com/nats-io/nkeys v0.1.4 | |||
| require ( | |||
| github.com/nats-io/nkeys v0.1.3 | |||
There was a problem hiding this comment.
I just re-bumped them up.
| github.com/stretchr/testify v1.5.1 | ||
| ) | ||
|
|
||
| replace github.com/nats-io/jwt v0.3.2 => ../ |
There was a problem hiding this comment.
Not sure how well this will work since it is an 'inter dependent module' but maybe it will... think this more or less following the major subdirectory strategy. The other alternative is to follow the major branch strategy where can skip having a v2 folder and master with only the v2 contents. I think also requires making the v1.0.0 tag, but can then continue development of both v1 and v2 series just in different branches.
There was a problem hiding this comment.
we need to be able to read/write v1 from v2, if we run into a problem while developing that portion, then we can change on that.
There was a problem hiding this comment.
yes I know that, but we need to make sure that we are taking the right strategy to avoid causing issues to other repos in the ecosystem
There was a problem hiding this comment.
Not following the other issues on the nats side - the JWT library has always been a go.mod library since day one, so all the current clients are already importing the lib as such, regardless of whether the other products rely on vendoring to do their builds.
The subdirectory strategy is how they say to use modules, not some invention. The interdependent is a gray area, but in all honesty, I think they are worried about replacements that cannot be honored. In our case, it is the same repo.
Now if we want to do flat (perfectly ok), we need to take a stance and do it. This also means that the library will probably duplicate a bunch of types, but I am sure we can sort it out.
The timestamp format is defined by the JWT standard in the case of our lib, so they are already defined to be exactly what they are (UNIX time) - which is UTC. |
| module github.com/nats-io/jwt/v2 | ||
|
|
||
| require ( | ||
| github.com/nats-io/jwt v0.3.2 |
There was a problem hiding this comment.
I think we should consider tagging v1.0.0 first before merging in the v2 commits in master
There was a problem hiding this comment.
note that we are not releasing v2 until later - the merge won't trigger a v2 release until the other systems consume them.
There was a problem hiding this comment.
Imho I would imagine that jetstream is going to be the feature that triggers a nats-server version bump (or at least hoping that is the case). I think that is the opportunity to v2 releases. This will draw the line that a previous major version can reject the older jwts. Otherwise, it seems that we are not applying semver properly.
There was a problem hiding this comment.
It might be fine but if we don't know we probably shouldn't do it unless testing that is ok, in general should be careful since there isn't really room for errors with Go modules because the Go proxy will cache the state of the repo as soon as it is available.
|
I tested pushing v2 jwt to an "old" account server as well as connecting with a v2 jwt to an "old" nats-server. Both behaved as expected. |
|
Some notes about the module strategy here:
EDIT: Updated mentions of v1 to be v0 which is more correct. |
added windows for build test
|
Since the library is still at v0.3.2 I'm now thinking that the bump that should be done is against v1.0.0 instead of v2, we might be unnecessarily skipping one important major version and probably making the migration more complex by aiming to call it v2 (which could be done later). |
@derekcollison we hashed out that v2 is correct. We are going to tag v1.0.0, but remains at is, otherwise the imports will be weird with a jwt@v1 when that is importing jwt. |
|
If you and @wallyqs agree on approach I am good. |
we are all in the same page now. |
# Conflicts: # .travis.yml
|
Yes now this PR can be rebased on top of the changes from the v1.0.0, v1.0.1 tags and then start dev of the v2 module and merge to master. There can be still changes to v1.0.1 or releases if needed but they would branch out from that v1 tag and the repo will eventually be tagged as v2.0.0 (using the pre-release tags first with the format like |
| - go test -v -race ./... | ||
| - if [[ "$TRAVIS_GO_VERSION" =~ 1.13 ]]; then ./scripts/cov.sh TRAVIS; fi | ||
| - go test -v -race ./... | ||
| - go test -v -coverprofile=./coverage.out ./... |
There was a problem hiding this comment.
If you are going to report coverage only once, you may want to simply not run it here for matrixes that do not report. Say you report only for Go 1.14 and v2, then you should run only then. That being said, jwt tests are run quickly, so that is less of a concern.
There was a problem hiding this comment.
Not quite sure what the coverage report means for the multi version repo.
There was a problem hiding this comment.
That's my point, we should do the coverage only once per PR. Here it will run for all the matrix entries, but we should post only once.
There was a problem hiding this comment.
Again, why run the coverage if you are not going to report it? Since down below we push it on v2, for linux, and Go 1.14, I would have run the coverage code only in those conditions.
.travis.yml
Outdated
| - provider: script | ||
| script: $HOME/gopath/bin/goveralls -coverprofile=v2/coverage.out -service travis-ci | ||
| on: | ||
| tags: true |
There was a problem hiding this comment.
The way I understand you will push coveralls only on a git tags push, which is not what we want I think.
There was a problem hiding this comment.
Whenever you do a tag it will push, which is fine, that matches the releases.
There was a problem hiding this comment.
The point is that we - for other projects - update the coverage for every PR, not only when there is a new release.
.travis.yml
Outdated
| - go test -v -coverprofile=./coverage.out ./... | ||
| deploy: | ||
| - provider: script | ||
| script: $HOME/gopath/bin/goveralls -coverprofile=v2/coverage.out -service travis-ci |
There was a problem hiding this comment.
Not sure about v2/coverage.out. Is that where the file will be? We call go test -v -coverprofile=./coverage.out ./..., does that work by creating a coverage.out in the /v2 directory?
There was a problem hiding this comment.
Sure it does. When we activate the v2 release, then I’ll have that coverage be posted.
| - go test -v -race ./... | ||
| - if [[ "$TRAVIS_GO_VERSION" =~ 1.13 ]]; then ./scripts/cov.sh TRAVIS; fi | ||
| - go test -v -race ./... | ||
| - go test -v -coverprofile=./coverage.out ./... |
There was a problem hiding this comment.
Again, why run the coverage if you are not going to report it? Since down below we push it on v2, for linux, and Go 1.14, I would have run the coverage code only in those conditions.
V2 Changes
cluster/serverclaims, as these are not used - will re-introduce when supporteded25519-nkey. This is done purposefully to make any system component that has not been updated fail validating any v2 written JWTs.JWT Namespace Squatting Changes
ClaimsDatahadtagsandtypefields for all JWT types, these are moved to the structurenats.ActivationsClaimsandUserClaimshadissuer_accountmoved to thenatsstructure.Refer to the 3rd checking to see the changes, as I moved files to minimize the diffs and allow focusing on the actual changes.
This PR will merge into jwt/master, but will not be released as v2.0.0 yet. As we'll need to develop the strategy for having services such as NGS conditionally rewrite JWTs matching the format v1 or v2 that was provided for signing.