JWT V2

.gitignore

@@ -13,4 +13,6 @@
 
 # IDE Files
 .vscode
-.idea/
+.idea/
+
+coverage.out

.travis.yml

@@ -1,21 +1,35 @@
+os:
+  - linux
+  - windows
 language: go
 go:
-- 1.14.x
-- 1.13.x
-
+  - 1.13.x
+  - 1.14.x
+git:
+  depth: false
+env:
+  - V=
+  - V=v2
 install:
-- go get -t ./...
-- go get github.com/mattn/goveralls
-- go get github.com/wadey/gocovmerge
-- go get -u honnef.co/go/tools/cmd/staticcheck
-- go get -u github.com/client9/misspell/cmd/misspell
-
+  - go get -t ./...
+  - go get -u honnef.co/go/tools/cmd/staticcheck
+  - go get -u github.com/client9/misspell/cmd/misspell
+  - go get github.com/mattn/goveralls
+  - go get github.com/wadey/gocovmerge
 before_script:
-- $(exit $(go fmt ./... | wc -l))
-- go vet ./...
-- misspell -error -locale US .
-- staticcheck ./...
-
+  - cd $TRAVIS_BUILD_DIR/${V}
+  - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then EXCLUDE_VENDOR=$(go list ./... | grep -v "/vendor/") && $(exit $(go fmt $EXCLUDE_VENDOR | wc -l)) && go vet $EXCLUDE_VENDOR; fi
+  - go vet ./...
+  - misspell -error -locale US .
+  - staticcheck ./...
 script:
-- go test -v -race ./...
-- if [[ "$TRAVIS_GO_VERSION" =~ 1.13 ]]; then ./scripts/cov.sh TRAVIS; fi
+  - go test -v -race ./...
+  - go test -v -coverprofile=./coverage.out ./...
+deploy:
+- provider: script
+  script: $HOME/gopath/bin/goveralls -coverprofile=coverage.out -service travis-ci
+  on:
+    condition: ${V} = "" && $TRAVIS_OS_NAME = linux && $TRAVIS_GO_VERSION =~ ^1.14
+
+
+

activation_claims_test.go

@@ -114,7 +114,7 @@ func TestInvalidActivationClaimIssuer(t *testing.T) {
 
 	for _, i := range inputs {
 		bad := encode(temp, i.kp, t)
-		_, err = DecodeAccountClaims(bad)
+		_, err = DecodeActivationClaims(bad)
 		if i.ok && err != nil {
 			t.Fatal(fmt.Sprintf("unexpected error for %q: %v", i.name, err))
 		}

claims.go

@@ -38,12 +38,15 @@ const (
 	ActivationClaim = "activation"
 	//UserClaim is the type of an user JWT
 	UserClaim = "user"
+	//OperatorClaim is the type of an operator JWT
+	OperatorClaim = "operator"
+
 	//ServerClaim is the type of an server JWT
+	// Deprecated: ServerClaim is not supported
 	ServerClaim = "server"
-	//ClusterClaim is the type of an cluster JWT
+	// ClusterClaim is the type of an cluster JWT
+	// Deprecated: ClusterClaim is not supported
 	ClusterClaim = "cluster"
-	//OperatorClaim is the type of an operator JWT
-	OperatorClaim = "operator"
 )
 
 // Claims is a JWT claims

cluster_claims.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018 The NATS Authors
+ * Copyright 2018-2020 The NATS Authors
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -22,6 +22,7 @@ import (
 )
 
 // Cluster stores the cluster specific elements of a cluster JWT
+// Deprecated: ClusterClaims are not supported
 type Cluster struct {
 	Trust       []string `json:"identity,omitempty"`
 	Accounts    []string `json:"accts,omitempty"`
@@ -35,12 +36,14 @@ func (c *Cluster) Validate(vr *ValidationResults) {
 }
 
 // ClusterClaims defines the data in a cluster JWT
+// Deprecated: ClusterClaims are not supported
 type ClusterClaims struct {
 	ClaimsData
 	Cluster `json:"nats,omitempty"`
 }
 
 // NewClusterClaims creates a new cluster JWT with the specified subject/public key
+// Deprecated: ClusterClaims are not supported
 func NewClusterClaims(subject string) *ClusterClaims {
 	if subject == "" {
 		return nil
@@ -60,6 +63,7 @@ func (c *ClusterClaims) Encode(pair nkeys.KeyPair) (string, error) {
 }
 
 // DecodeClusterClaims tries to parse cluster claims from a JWT string
+// Deprecated: ClusterClaims are not supported
 func DecodeClusterClaims(token string) (*ClusterClaims, error) {
 	v := ClusterClaims{}
 	if err := Decode(token, &v); err != nil {

creds_utils.go

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2019-2020 The NATS Authors
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package jwt
 
 import (
@@ -82,7 +97,7 @@ NKEYs are sensitive and should be treated as secrets.
 	return w.Bytes(), nil
 }
 
-var userConfigRE = regexp.MustCompile(`\s*(?:(?:[-]{3,}.*[-]{3,}\r?\n)([\w\-.=]+)(?:\r?\n[-]{3,}.*[-]{3,}\r?\n))`)
+var userConfigRE = regexp.MustCompile(`\s*(?:(?:[-]{3,}[^\n]*[-]{3,}\n)(.+)(?:\n\s*[-]{3,}[^\n]*[-]{3,}\n))`)
 
 // An user config file looks like this:
 //  -----BEGIN NATS USER JWT-----

creds_utils_test.go

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2019-2020 The NATS Authors
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package jwt
 
 import (
@@ -209,66 +224,3 @@ func Test_DecorateNKeys(t *testing.T) {
 		t.Fatal("required error parsing bad nkey")
 	}
 }
-
-func Test_ParseCreds(t *testing.T) {
-	token, kp := makeJWT(t)
-	d, err := FormatUserConfig(token, seedKey(kp, t))
-	if err != nil {
-		t.Fatal(err)
-	}
-	pk, err := kp.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	token2, err := ParseDecoratedJWT(d)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if token != token2 {
-		t.Fatal("expected jwts to match")
-	}
-	kp2, err := ParseDecoratedUserNKey(d)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pk2, err := kp2.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if pk != pk2 {
-		t.Fatal("expected keys to match")
-	}
-}
-
-func Test_ParseCredsWithCrLfs(t *testing.T) {
-	token, kp := makeJWT(t)
-	d, err := FormatUserConfig(token, seedKey(kp, t))
-	if err != nil {
-		t.Fatal(err)
-	}
-	pk, err := kp.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-	d = bytes.ReplaceAll(d, []byte{'\n'}, []byte{'\r', '\n'})
-
-	token2, err := ParseDecoratedJWT(d)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if token != token2 {
-		t.Fatal("expected jwts to match")
-	}
-	kp2, err := ParseDecoratedUserNKey(d)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pk2, err := kp2.PublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if pk != pk2 {
-		t.Fatal("expected keys to match")
-	}
-}

go.mod

@@ -1,5 +1,7 @@
 module github.com/nats-io/jwt
 
-require github.com/nats-io/nkeys v0.1.4
+require (
+	github.com/nats-io/nkeys v0.1.4
+)
 
-go 1.13
+go 1.14

go.sum

@@ -1,9 +1,24 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/nats-io/nkeys v0.1.3 h1:6JrEfig+HzTH85yxzhSVbjHRJv9cn0p6n3IngIcM5/k=
+github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nkeys v0.1.4 h1:aEsHIssIk6ETN5m2/MD8Y4B2X7FfXrBAUdkyRvbVYzA=
 github.com/nats-io/nkeys v0.1.4/go.mod h1:XdZpAbhgyyODYqjTawOnIOI7VlbKSarI9Gfy1tqEu/s=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+vQXfpEPiMdCaZgmGVxjNHM=
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

operator_claims.go

@@ -26,7 +26,7 @@ import (
 
 // Operator specific claims
 type Operator struct {
-	// Slice of real identies (like websites) that can be used to identify the operator.
+	// Slice of real identities (like websites) that can be used to identify the operator.
 	Identities []Identity `json:"identity,omitempty"`
 	// Slice of other operator NKeys that can be used to sign on behalf of the main
 	// operator identity.
@@ -65,7 +65,6 @@ func (o *Operator) Validate(vr *ValidationResults) {
 			vr.AddError("%s is not an operator public key", k)
 		}
 	}
-
 	if o.SystemAccount != "" {
 		if !nkeys.IsValidPublicAccountKey(o.SystemAccount) {
 			vr.AddError("%s is not an account public key", o.SystemAccount)
@@ -120,15 +119,15 @@ func ValidateOperatorServiceURL(v string) error {
 }
 
 func (o *Operator) validateOperatorServiceURLs() []error {
-	var errors []error
+	var errs []error
 	for _, v := range o.OperatorServiceURLs {
 		if v != "" {
 			if err := ValidateOperatorServiceURL(v); err != nil {
-				errors = append(errors, err)
+				errs = append(errs, err)
 			}
 		}
 	}
-	return errors
+	return errs
 }
 
 // OperatorClaims define the data for an operator JWT

operator_claims_test.go

@@ -235,30 +235,6 @@ func testAccountWithAccountServerURL(t *testing.T, u string) error {
 	return nil
 }
 
-func Test_AccountServerURL(t *testing.T) {
-	var asuTests = []struct {
-		u          string
-		shouldFail bool
-	}{
-		{"", false},
-		{"HTTP://foo.bar.com", false},
-		{"http://foo.bar.com/foo/bar", false},
-		{"http://user:pass@foo.bar.com/foo/bar", false},
-		{"https://foo.bar.com", false},
-		{"nats://foo.bar.com", false},
-		{"/hello", true},
-	}
-
-	for i, tt := range asuTests {
-		err := testAccountWithAccountServerURL(t, tt.u)
-		if err != nil && tt.shouldFail == false {
-			t.Fatalf("expected not to fail: %v", err)
-		} else if err == nil && tt.shouldFail {
-			t.Fatalf("test %s expected to fail but didn't", asuTests[i].u)
-		}
-	}
-}
-
 func Test_SystemAccount(t *testing.T) {
 	operatorWithSystemAcc := func(t *testing.T, u string) error {
 		kp := createOperatorNKey(t)
@@ -300,6 +276,30 @@ func Test_SystemAccount(t *testing.T) {
 	}
 }
 
+func Test_AccountServerURL(t *testing.T) {
+	var asuTests = []struct {
+		u          string
+		shouldFail bool
+	}{
+		{"", false},
+		{"HTTP://foo.bar.com", false},
+		{"http://foo.bar.com/foo/bar", false},
+		{"http://user:pass@foo.bar.com/foo/bar", false},
+		{"https://foo.bar.com", false},
+		{"nats://foo.bar.com", false},
+		{"/hello", true},
+	}
+
+	for i, tt := range asuTests {
+		err := testAccountWithAccountServerURL(t, tt.u)
+		if err != nil && tt.shouldFail == false {
+			t.Fatalf("expected not to fail: %v", err)
+		} else if err == nil && tt.shouldFail {
+			t.Fatalf("test %s expected to fail but didn't", asuTests[i].u)
+		}
+	}
+}
+
 func testOperatorWithOperatorServiceURL(t *testing.T, u string) error {
 	kp := createOperatorNKey(t)
 	pk := publicKey(kp, t)
@@ -393,3 +393,12 @@ func Test_OperatorServiceURL(t *testing.T) {
 	errs := vr.Errors()
 	AssertEquals(len(errs), shouldFail, t)
 }
+
+func Test_ForwardCompatibility(t *testing.T) {
+	newOp := `eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJTSUYyR0ZRSEhWWUtDQlZYRklYUURYV1FCQUcyWEw3SVZLVVJZT0ZTWlhVT0tTRUpLWDdBIiwiaWF0IjoxNTkwNTI0NTAwLCJpc3MiOiJPQlQ2REtGSzQ2STM3TjdCUkwyUkpMVVJLWUdSQTZBWVJQREFISFFFQUFBR05ZWExNR1JEUEtMQyIsInN1YiI6Ik9CVDZES0ZLNDZJMzdON0JSTDJSSkxVUktZR1JBNkFZUlBEQUhIUUVBQUFHTllYTE1HUkRQS0xDIiwibmF0cyI6eyJ0YWdzIjpbIm9uZSIsInR3byIsInRocmVlIl0sInR5cGUiOiJvcGVyYXRvciIsInZlcnNpb24iOjJ9fQ.u6JFiISIh2o-CWxktfEw3binmCLhLaFVMyuIa2HNo_x_6EGWVPVICVWc_MOLFS-6Nm17Cj4SmOh3zUtlTRkfDA`
+	if _, err := DecodeOperatorClaims(newOp); err == nil {
+		t.Fatal("Expected error")
+	} else if err.Error() != `unexpected "ed25519-nkey" algorithm` {
+		t.Fatal("Expected different error, got: ", err)
+	}
+}