Implement git-lfs-authenticate

author: Rutger Broekhoff 2023-12-30 14:00:34 +0100
committer: Rutger Broekhoff 2023-12-30 14:00:34 +0100
commit: f6c92c5e2d87ab1334648b0d1293771de7aae4a5 (patch)
tree: 265c3a06accd398a1e0a173af56d7392a5f94a24 /vendor/github.com/golang-jwt/jwt/v5/validator.go
parent: 4f167c0fa991aa9ddb3f0252e23694b3aa6532b1 (diff)
download: gitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.tar.gz
gitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.zip
1 files changed, 316 insertions, 0 deletions
diff --git a/vendor/github.com/golang-jwt/jwt/v5/validator.go b/vendor/github.com/golang-jwt/jwt/v5/validator.go
new file mode 100644
index 0000000..008ecd8
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/validator.go
@@ -0,0 +1,316 @@
+package jwt
+import (
+        "crypto/subtle"
+        "fmt"
+        "time"
+)
+// ClaimsValidator is an interface that can be implemented by custom claims who
+// wish to execute any additional claims validation based on
+// application-specific logic. The Validate function is then executed in
+// addition to the regular claims validation and any error returned is appended
+// to the final validation result.
+//
+//      type MyCustomClaims struct {
+//          Foo string `json:"foo"`
+//          jwt.RegisteredClaims
+//      }
+//
+//      func (m MyCustomClaims) Validate() error {
+//          if m.Foo != "bar" {
+//              return errors.New("must be foobar")
+//          }
+//          return nil
+//      }
+type ClaimsValidator interface {
+        Claims
+        Validate() error
+}
+// Validator is the core of the new Validation API. It is automatically used by
+// a [Parser] during parsing and can be modified with various parser options.
+//
+// The [NewValidator] function should be used to create an instance of this
+// struct.
+type Validator struct {
+        // leeway is an optional leeway that can be provided to account for clock skew.
+        leeway time.Duration
+        // timeFunc is used to supply the current time that is needed for
+        // validation. If unspecified, this defaults to time.Now.
+        timeFunc func() time.Time
+        // requireExp specifies whether the exp claim is required
+        requireExp bool
+        // verifyIat specifies whether the iat (Issued At) claim will be verified.
+        // According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
+        // only specifies the age of the token, but no validation check is
+        // necessary. However, if wanted, it can be checked if the iat is
+        // unrealistic, i.e., in the future.
+        verifyIat bool
+        // expectedAud contains the audience this token expects. Supplying an empty
+        // string will disable aud checking.
+        expectedAud string
+        // expectedIss contains the issuer this token expects. Supplying an empty
+        // string will disable iss checking.
+        expectedIss string
+        // expectedSub contains the subject this token expects. Supplying an empty
+        // string will disable sub checking.
+        expectedSub string
+}
+// NewValidator can be used to create a stand-alone validator with the supplied
+// options. This validator can then be used to validate already parsed claims.
+//
+// Note: Under normal circumstances, explicitly creating a validator is not
+// needed and can potentially be dangerous; instead functions of the [Parser]
+// class should be used.
+//
+// The [Validator] is only checking the *validity* of the claims, such as its
+// expiration time, but it does NOT perform *signature verification* of the
+// token.
+func NewValidator(opts ...ParserOption) *Validator {
+        p := NewParser(opts...)
+        return p.validator
+}
+// Validate validates the given claims. It will also perform any custom
+// validation if claims implements the [ClaimsValidator] interface.
+//
+// Note: It will NOT perform any *signature verification* on the token that
+// contains the claims and expects that the [Claim] was already successfully
+// verified.
+func (v *Validator) Validate(claims Claims) error {
+        var (
+                now  time.Time
+                errs []error = make([]error, 0, 6)
+                err  error
+        )
+        // Check, if we have a time func
+        if v.timeFunc != nil {
+                now = v.timeFunc()
+        } else {
+                now = time.Now()
+        }
+        // We always need to check the expiration time, but usage of the claim
+        // itself is OPTIONAL by default. requireExp overrides this behavior
+        // and makes the exp claim mandatory.
+        if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
+                errs = append(errs, err)
+        }
+        // We always need to check not-before, but usage of the claim itself is
+        // OPTIONAL.
+        if err = v.verifyNotBefore(claims, now, false); err != nil {
+                errs = append(errs, err)
+        }
+        // Check issued-at if the option is enabled
+        if v.verifyIat {
+                if err = v.verifyIssuedAt(claims, now, false); err != nil {
+                        errs = append(errs, err)
+                }
+        }
+        // If we have an expected audience, we also require the audience claim
+        if v.expectedAud != "" {
+                if err = v.verifyAudience(claims, v.expectedAud, true); err != nil {
+                        errs = append(errs, err)
+                }
+        }
+        // If we have an expected issuer, we also require the issuer claim
+        if v.expectedIss != "" {
+                if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
+                        errs = append(errs, err)
+                }
+        }
+        // If we have an expected subject, we also require the subject claim
+        if v.expectedSub != "" {
+                if err = v.verifySubject(claims, v.expectedSub, true); err != nil {
+                        errs = append(errs, err)
+                }
+        }
+        // Finally, we want to give the claim itself some possibility to do some
+        // additional custom validation based on a custom Validate function.
+        cvt, ok := claims.(ClaimsValidator)
+        if ok {
+                if err := cvt.Validate(); err != nil {
+                        errs = append(errs, err)
+                }
+        }
+        if len(errs) == 0 {
+                return nil
+        }
+        return joinErrors(errs...)
+}
+// verifyExpiresAt compares the exp claim in claims against cmp. This function
+// will succeed if cmp < exp. Additional leeway is taken into account.
+//
+// If exp is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
+        exp, err := claims.GetExpirationTime()
+        if err != nil {
+                return err
+        }
+        if exp == nil {
+                return errorIfRequired(required, "exp")
+        }
+        return errorIfFalse(cmp.Before((exp.Time).Add(+v.leeway)), ErrTokenExpired)
+}
+// verifyIssuedAt compares the iat claim in claims against cmp. This function
+// will succeed if cmp >= iat. Additional leeway is taken into account.
+//
+// If iat is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
+        iat, err := claims.GetIssuedAt()
+        if err != nil {
+                return err
+        }
+        if iat == nil {
+                return errorIfRequired(required, "iat")
+        }
+        return errorIfFalse(!cmp.Before(iat.Add(-v.leeway)), ErrTokenUsedBeforeIssued)
+}
+// verifyNotBefore compares the nbf claim in claims against cmp. This function
+// will return true if cmp >= nbf. Additional leeway is taken into account.
+//
+// If nbf is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
+        nbf, err := claims.GetNotBefore()
+        if err != nil {
+                return err
+        }
+        if nbf == nil {
+                return errorIfRequired(required, "nbf")
+        }
+        return errorIfFalse(!cmp.Before(nbf.Add(-v.leeway)), ErrTokenNotValidYet)
+}
+// verifyAudience compares the aud claim against cmp.
+//
+// If aud is not set or an empty list, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
+        aud, err := claims.GetAudience()
+        if err != nil {
+                return err
+        }
+        if len(aud) == 0 {
+                return errorIfRequired(required, "aud")
+        }
+        // use a var here to keep constant time compare when looping over a number of claims
+        result := false
+        var stringClaims string
+        for _, a := range aud {
+                if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
+                        result = true
+                }
+                stringClaims = stringClaims + a
+        }
+        // case where "" is sent in one or many aud claims
+        if stringClaims == "" {
+                return errorIfRequired(required, "aud")
+        }
+        return errorIfFalse(result, ErrTokenInvalidAudience)
+}
+// verifyIssuer compares the iss claim in claims against cmp.
+//
+// If iss is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifyIssuer(claims Claims, cmp string, required bool) error {
+        iss, err := claims.GetIssuer()
+        if err != nil {
+                return err
+        }
+        if iss == "" {
+                return errorIfRequired(required, "iss")
+        }
+        return errorIfFalse(iss == cmp, ErrTokenInvalidIssuer)
+}
+// verifySubject compares the sub claim against cmp.
+//
+// If sub is not set, it will succeed if the claim is not required,
+// otherwise ErrTokenRequiredClaimMissing will be returned.
+//
+// Additionally, if any error occurs while retrieving the claim, e.g., when its
+// the wrong type, an ErrTokenUnverifiable error will be returned.
+func (v *Validator) verifySubject(claims Claims, cmp string, required bool) error {
+        sub, err := claims.GetSubject()
+        if err != nil {
+                return err
+        }
+        if sub == "" {
+                return errorIfRequired(required, "sub")
+        }
+        return errorIfFalse(sub == cmp, ErrTokenInvalidSubject)
+}
+// errorIfFalse returns the error specified in err, if the value is true.
+// Otherwise, nil is returned.
+func errorIfFalse(value bool, err error) error {
+        if value {
+                return nil
+        } else {
+                return err
+        }
+}
+// errorIfRequired returns an ErrTokenRequiredClaimMissing error if required is
+// true. Otherwise, nil is returned.
+func errorIfRequired(required bool, claim string) error {
+        if required {
+                return newError(fmt.Sprintf("%s claim is required", claim), ErrTokenRequiredClaimMissing)
+        } else {
+                return nil
+        }
+}
author	Rutger Broekhoff	2023-12-30 14:00:34 +0100
committer	Rutger Broekhoff	2023-12-30 14:00:34 +0100
commit	f6c92c5e2d87ab1334648b0d1293771de7aae4a5 (patch)
tree	265c3a06accd398a1e0a173af56d7392a5f94a24 /vendor/github.com/golang-jwt/jwt/v5/validator.go
parent	4f167c0fa991aa9ddb3f0252e23694b3aa6532b1 (diff)
download	gitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.tar.gz gitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.zip

diff --git a/vendor/github.com/golang-jwt/jwt/v5/validator.go b/vendor/github.com/golang-jwt/jwt/v5/validator.go new file mode 100644 index 0000000..008ecd8 --- /dev/null +++ b/vendor/github.com/golang-jwt/jwt/v5/validator.go
@@ -0,0 +1,316 @@
	1	package jwt
	2
	3	import (
	4	"crypto/subtle"
	5	"fmt"
	6	"time"
	7	)
	8
	9	// ClaimsValidator is an interface that can be implemented by custom claims who
	10	// wish to execute any additional claims validation based on
	11	// application-specific logic. The Validate function is then executed in
	12	// addition to the regular claims validation and any error returned is appended
	13	// to the final validation result.
	14	//
	15	// type MyCustomClaims struct {
	16	// Foo string `json:"foo"`
	17	// jwt.RegisteredClaims
	18	// }
	19	//
	20	// func (m MyCustomClaims) Validate() error {
	21	// if m.Foo != "bar" {
	22	// return errors.New("must be foobar")
	23	// }
	24	// return nil
	25	// }
	26	type ClaimsValidator interface {
	27	Claims
	28	Validate() error
	29	}
	30
	31	// Validator is the core of the new Validation API. It is automatically used by
	32	// a [Parser] during parsing and can be modified with various parser options.
	33	//
	34	// The [NewValidator] function should be used to create an instance of this
	35	// struct.
	36	type Validator struct {
	37	// leeway is an optional leeway that can be provided to account for clock skew.
	38	leeway time.Duration
	39
	40	// timeFunc is used to supply the current time that is needed for
	41	// validation. If unspecified, this defaults to time.Now.
	42	timeFunc func() time.Time
	43
	44	// requireExp specifies whether the exp claim is required
	45	requireExp bool
	46
	47	// verifyIat specifies whether the iat (Issued At) claim will be verified.
	48	// According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
	49	// only specifies the age of the token, but no validation check is
	50	// necessary. However, if wanted, it can be checked if the iat is
	51	// unrealistic, i.e., in the future.
	52	verifyIat bool
	53
	54	// expectedAud contains the audience this token expects. Supplying an empty
	55	// string will disable aud checking.
	56	expectedAud string
	57
	58	// expectedIss contains the issuer this token expects. Supplying an empty
	59	// string will disable iss checking.
	60	expectedIss string
	61
	62	// expectedSub contains the subject this token expects. Supplying an empty
	63	// string will disable sub checking.
	64	expectedSub string
	65	}
	66
	67	// NewValidator can be used to create a stand-alone validator with the supplied
	68	// options. This validator can then be used to validate already parsed claims.
	69	//
	70	// Note: Under normal circumstances, explicitly creating a validator is not
	71	// needed and can potentially be dangerous; instead functions of the [Parser]
	72	// class should be used.
	73	//
	74	// The [Validator] is only checking the validity of the claims, such as its
	75	// expiration time, but it does NOT perform signature verification of the
	76	// token.
	77	func NewValidator(opts ...ParserOption) *Validator {
	78	p := NewParser(opts...)
	79	return p.validator
	80	}
	81
	82	// Validate validates the given claims. It will also perform any custom
	83	// validation if claims implements the [ClaimsValidator] interface.
	84	//
	85	// Note: It will NOT perform any signature verification on the token that
	86	// contains the claims and expects that the [Claim] was already successfully
	87	// verified.
	88	func (v *Validator) Validate(claims Claims) error {
	89	var (
	90	now time.Time
	91	errs []error = make([]error, 0, 6)
	92	err error
	93	)
	94
	95	// Check, if we have a time func
	96	if v.timeFunc != nil {
	97	now = v.timeFunc()
	98	} else {
	99	now = time.Now()
	100	}
	101
	102	// We always need to check the expiration time, but usage of the claim
	103	// itself is OPTIONAL by default. requireExp overrides this behavior
	104	// and makes the exp claim mandatory.
	105	if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
	106	errs = append(errs, err)
	107	}
	108
	109	// We always need to check not-before, but usage of the claim itself is
	110	// OPTIONAL.
	111	if err = v.verifyNotBefore(claims, now, false); err != nil {
	112	errs = append(errs, err)
	113	}
	114
	115	// Check issued-at if the option is enabled
	116	if v.verifyIat {
	117	if err = v.verifyIssuedAt(claims, now, false); err != nil {
	118	errs = append(errs, err)
	119	}
	120	}
	121
	122	// If we have an expected audience, we also require the audience claim
	123	if v.expectedAud != "" {
	124	if err = v.verifyAudience(claims, v.expectedAud, true); err != nil {
	125	errs = append(errs, err)
	126	}
	127	}
	128
	129	// If we have an expected issuer, we also require the issuer claim
	130	if v.expectedIss != "" {
	131	if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
	132	errs = append(errs, err)
	133	}
	134	}
	135
	136	// If we have an expected subject, we also require the subject claim
	137	if v.expectedSub != "" {
	138	if err = v.verifySubject(claims, v.expectedSub, true); err != nil {
	139	errs = append(errs, err)
	140	}
	141	}
	142
	143	// Finally, we want to give the claim itself some possibility to do some
	144	// additional custom validation based on a custom Validate function.
	145	cvt, ok := claims.(ClaimsValidator)
	146	if ok {
	147	if err := cvt.Validate(); err != nil {
	148	errs = append(errs, err)
	149	}
	150	}
	151
	152	if len(errs) == 0 {
	153	return nil
	154	}
	155
	156	return joinErrors(errs...)
	157	}
	158
	159	// verifyExpiresAt compares the exp claim in claims against cmp. This function
	160	// will succeed if cmp < exp. Additional leeway is taken into account.
	161	//
	162	// If exp is not set, it will succeed if the claim is not required,
	163	// otherwise ErrTokenRequiredClaimMissing will be returned.
	164	//
	165	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	166	// the wrong type, an ErrTokenUnverifiable error will be returned.
	167	func (v *Validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
	168	exp, err := claims.GetExpirationTime()
	169	if err != nil {
	170	return err
	171	}
	172
	173	if exp == nil {
	174	return errorIfRequired(required, "exp")
	175	}
	176
	177	return errorIfFalse(cmp.Before((exp.Time).Add(+v.leeway)), ErrTokenExpired)
	178	}
	179
	180	// verifyIssuedAt compares the iat claim in claims against cmp. This function
	181	// will succeed if cmp >= iat. Additional leeway is taken into account.
	182	//
	183	// If iat is not set, it will succeed if the claim is not required,
	184	// otherwise ErrTokenRequiredClaimMissing will be returned.
	185	//
	186	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	187	// the wrong type, an ErrTokenUnverifiable error will be returned.
	188	func (v *Validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
	189	iat, err := claims.GetIssuedAt()
	190	if err != nil {
	191	return err
	192	}
	193
	194	if iat == nil {
	195	return errorIfRequired(required, "iat")
	196	}
	197
	198	return errorIfFalse(!cmp.Before(iat.Add(-v.leeway)), ErrTokenUsedBeforeIssued)
	199	}
	200
	201	// verifyNotBefore compares the nbf claim in claims against cmp. This function
	202	// will return true if cmp >= nbf. Additional leeway is taken into account.
	203	//
	204	// If nbf is not set, it will succeed if the claim is not required,
	205	// otherwise ErrTokenRequiredClaimMissing will be returned.
	206	//
	207	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	208	// the wrong type, an ErrTokenUnverifiable error will be returned.
	209	func (v *Validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
	210	nbf, err := claims.GetNotBefore()
	211	if err != nil {
	212	return err
	213	}
	214
	215	if nbf == nil {
	216	return errorIfRequired(required, "nbf")
	217	}
	218
	219	return errorIfFalse(!cmp.Before(nbf.Add(-v.leeway)), ErrTokenNotValidYet)
	220	}
	221
	222	// verifyAudience compares the aud claim against cmp.
	223	//
	224	// If aud is not set or an empty list, it will succeed if the claim is not required,
	225	// otherwise ErrTokenRequiredClaimMissing will be returned.
	226	//
	227	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	228	// the wrong type, an ErrTokenUnverifiable error will be returned.
	229	func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
	230	aud, err := claims.GetAudience()
	231	if err != nil {
	232	return err
	233	}
	234
	235	if len(aud) == 0 {
	236	return errorIfRequired(required, "aud")
	237	}
	238
	239	// use a var here to keep constant time compare when looping over a number of claims
	240	result := false
	241
	242	var stringClaims string
	243	for _, a := range aud {
	244	if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
	245	result = true
	246	}
	247	stringClaims = stringClaims + a
	248	}
	249
	250	// case where "" is sent in one or many aud claims
	251	if stringClaims == "" {
	252	return errorIfRequired(required, "aud")
	253	}
	254
	255	return errorIfFalse(result, ErrTokenInvalidAudience)
	256	}
	257
	258	// verifyIssuer compares the iss claim in claims against cmp.
	259	//
	260	// If iss is not set, it will succeed if the claim is not required,
	261	// otherwise ErrTokenRequiredClaimMissing will be returned.
	262	//
	263	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	264	// the wrong type, an ErrTokenUnverifiable error will be returned.
	265	func (v *Validator) verifyIssuer(claims Claims, cmp string, required bool) error {
	266	iss, err := claims.GetIssuer()
	267	if err != nil {
	268	return err
	269	}
	270
	271	if iss == "" {
	272	return errorIfRequired(required, "iss")
	273	}
	274
	275	return errorIfFalse(iss == cmp, ErrTokenInvalidIssuer)
	276	}
	277
	278	// verifySubject compares the sub claim against cmp.
	279	//
	280	// If sub is not set, it will succeed if the claim is not required,
	281	// otherwise ErrTokenRequiredClaimMissing will be returned.
	282	//
	283	// Additionally, if any error occurs while retrieving the claim, e.g., when its
	284	// the wrong type, an ErrTokenUnverifiable error will be returned.
	285	func (v *Validator) verifySubject(claims Claims, cmp string, required bool) error {
	286	sub, err := claims.GetSubject()
	287	if err != nil {
	288	return err
	289	}
	290
	291	if sub == "" {
	292	return errorIfRequired(required, "sub")
	293	}
	294
	295	return errorIfFalse(sub == cmp, ErrTokenInvalidSubject)
	296	}
	297
	298	// errorIfFalse returns the error specified in err, if the value is true.
	299	// Otherwise, nil is returned.
	300	func errorIfFalse(value bool, err error) error {
	301	if value {
	302	return nil
	303	} else {
	304	return err
	305	}
	306	}
	307
	308	// errorIfRequired returns an ErrTokenRequiredClaimMissing error if required is
	309	// true. Otherwise, nil is returned.
	310	func errorIfRequired(required bool, claim string) error {
	311	if required {
	312	return newError(fmt.Sprintf("%s claim is required", claim), ErrTokenRequiredClaimMissing)
	313	} else {
	314	return nil
	315	}
	316	}