bump go-jose to v2.6.0

Update go-jose from v2.2.2 to v2.6.0. This is to make the kubernetes code compatible with newer go-jose versions that have a small breaking change (`jwt.NewNumericDate()` returns a pointer). Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
2025-09-21 18:11:22 +00:00 · 2023-02-20 00:19:33 +01:00
parent bb8e9f3afb
commit df8fa2eab5
30 changed files with 642 additions and 175 deletions
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
@@ -35,7 +35,7 @@ type Expected struct {
 	Audience Audience
 	// ID matches the "jti" claim exactly.
 	ID string
-	// Time matches the "exp" and "nbf" claims with leeway.
+	// Time matches the "exp", "nbf" and "iat" claims with leeway.
 	Time time.Time
 }

@@ -94,12 +94,20 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
 		}
 	}

-	if !e.Time.IsZero() && e.Time.Add(leeway).Before(c.NotBefore.Time()) {
-		return ErrNotValidYet
-	}
+	if !e.Time.IsZero() {
+		if c.NotBefore != nil && e.Time.Add(leeway).Before(c.NotBefore.Time()) {
+			return ErrNotValidYet
+		}

-	if !e.Time.IsZero() && e.Time.Add(-leeway).After(c.Expiry.Time()) {
-		return ErrExpired
+		if c.Expiry != nil && e.Time.Add(-leeway).After(c.Expiry.Time()) {
+			return ErrExpired
+		}
+
+		// IssuedAt is optional but cannot be in the future. This is not required by the RFC, but
+		// something is misconfigured if this happens and we should not trust it.
+		if c.IssuedAt != nil && e.Time.Add(leeway).Before(c.IssuedAt.Time()) {
+			return ErrIssuedInTheFuture
+		}
 	}

 	return nil