fix acr auth JWT token verification (default no verification)

roelarents · davidcollom · commit 7e5c22d64e2f · 2025-04-02T12:22:07.000+01:00
Signed-off-by: Roel Arents &lt;roel.arents@kadaster.nl&gt;

fix acr basic auth also needs access token

Signed-off-by: Roel Arents &lt;roel.arents@kadaster.nl&gt;
diff --git a/cmd/app/options.go b/cmd/app/options.go
@@ -24,6 +24,7 @@ const (
 	envACRUsername     = "ACR_USERNAME"
 	envACRPassword     = "ACR_PASSWORD"      // #nosec G101
 	envACRRefreshToken = "ACR_REFRESH_TOKEN" // #nosec G101
+	envACRJWKSURI      = "ACR_JWKS_URI"
 
 	envDockerUsername = "DOCKER_USERNAME"
 	envDockerPassword = "DOCKER_PASSWORD" // #nosec G101
@@ -157,6 +158,12 @@ func (o *Options) addAuthFlags(fs *pflag.FlagSet) {
 				"username/password (%s_%s).",
 			envPrefix, envACRRefreshToken,
 		))
+	fs.StringVar(&o.Client.ACR.JWKSURI,
+		"acr-jwks-uri", "",
+		fmt.Sprintf(
+			"JWKS URI to verify the JWT access token received. If left blank, JWT token will not be verified. (%s_%s)",
+			envPrefix, envACRJWKSURI,
+		))
 	///
 
 	// Docker
@@ -301,6 +308,7 @@ func (o *Options) complete() {
 		{envACRUsername, &o.Client.ACR.Username},
 		{envACRPassword, &o.Client.ACR.Password},
 		{envACRRefreshToken, &o.Client.ACR.RefreshToken},
+		{envACRJWKSURI, &o.Client.ACR.JWKSURI},
 
 		{envDockerUsername, &o.Client.Docker.Username},
 		{envDockerPassword, &o.Client.Docker.Password},
diff --git a/cmd/app/options_test.go b/cmd/app/options_test.go
@@ -31,6 +31,7 @@ func TestComplete(t *testing.T) {
 				{"VERSION_CHECKER_ACR_USERNAME", "acr-username"},
 				{"VERSION_CHECKER_ACR_PASSWORD", "acr-password"},
 				{"VERSION_CHECKER_ACR_REFRESH_TOKEN", "acr-token"},
+				{"VERSION_CHECKER_ACR_JWKS_URI", "acr-jwks-uri"},
 				{"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"},
 				{"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"},
 				{"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"},
@@ -51,6 +52,7 @@ func TestComplete(t *testing.T) {
 					Username:     "acr-username",
 					Password:     "acr-password",
 					RefreshToken: "acr-token",
+					JWKSURI:      "acr-jwks-uri",
 				},
 				Docker: docker.Options{
 					Username: "docker-username",
@@ -92,6 +94,7 @@ func TestComplete(t *testing.T) {
 				{"VERSION_CHECKER_ACR_USERNAME", "acr-username"},
 				{"VERSION_CHECKER_ACR_PASSWORD", "acr-password"},
 				{"VERSION_CHECKER_ACR_REFRESH_TOKEN", "acr-token"},
+				{"VERSION_CHECKER_ACR_JWKS_URI", "acr-jwks-uri"},
 				{"VERSION_CHECKER_DOCKER_USERNAME", "docker-username"},
 				{"VERSION_CHECKER_DOCKER_PASSWORD", "docker-password"},
 				{"VERSION_CHECKER_DOCKER_TOKEN", "docker-token"},
@@ -119,6 +122,7 @@ func TestComplete(t *testing.T) {
 					Username:     "acr-username",
 					Password:     "acr-password",
 					RefreshToken: "acr-token",
+					JWKSURI:      "acr-jwks-uri",
 				},
 				Docker: docker.Options{
 					Username: "docker-username",
diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 )
 
 require (
+	github.com/MicahParks/keyfunc/v3 v3.3.10
 	github.com/aws/aws-sdk-go-v2/config v1.29.12
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.65
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.43.0
@@ -50,6 +51,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.2 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.1 // indirect
+	github.com/MicahParks/jwkset v0.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
diff --git a/go.sum b/go.sum
@@ -19,6 +19,14 @@ github.com/Azure/go-autorest/logger v0.2.2/go.mod h1:I5fg9K52o+iuydlWfa9T5K6WFos
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-autorest/tracing v0.6.1 h1:YUMSrC/CeD1ZnnXcNYU4a/fzsO35u2Fsful9L/2nyR0=
 github.com/Azure/go-autorest/tracing v0.6.1/go.mod h1:/3EgjbsjraOqiicERAeu3m7/z0x1TzjQGAwDrJrXGkc=
+github.com/MicahParks/jwkset v0.5.19 h1:XZCsgJv05DBCvxEHYEHlSafqiuVn5ESG0VRB331Fxhw=
+github.com/MicahParks/jwkset v0.5.19/go.mod h1:q8ptTGn/Z9c4MwbcfeCDssADeVQb3Pk7PnVxrvi+2QY=
+github.com/MicahParks/jwkset v0.8.0 h1:jHtclI38Gibmu17XMI6+6/UB59srp58pQVxePHRK5o8=
+github.com/MicahParks/jwkset v0.8.0/go.mod h1:fVrj6TmG1aKlJEeceAz7JsXGTXEn72zP1px3us53JrA=
+github.com/MicahParks/keyfunc/v3 v3.3.5 h1:7ceAJLUAldnoueHDNzF8Bx06oVcQ5CfJnYwNt1U3YYo=
+github.com/MicahParks/keyfunc/v3 v3.3.5/go.mod h1:SdCCyMJn/bYqWDvARspC6nCT8Sk74MjuAY22C7dCST8=
+github.com/MicahParks/keyfunc/v3 v3.3.10 h1:JtEGE8OcNeI297AMrR4gVXivV8fyAawFUMkbwNreJRk=
+github.com/MicahParks/keyfunc/v3 v3.3.10/go.mod h1:1TEt+Q3FO7Yz2zWeYO//fMxZMOiar808NqjWQQpBPtU=
 github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
 github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
 github.com/aws/aws-sdk-go-v2/config v1.29.12 h1:Y/2a+jLPrPbHpFkpAAYkVEtJmxORlXoo5k2g1fa2sUo=
diff --git a/pkg/client/acr/acr.go b/pkg/client/acr/acr.go
@@ -10,16 +10,19 @@ import (
 	"sync"
 	"time"
 
+	"github.com/MicahParks/keyfunc/v3"
+
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
-	jwt "github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/jetstack/version-checker/pkg/api"
 	"github.com/jetstack/version-checker/pkg/client/util"
 )
 
 const (
-	userAgent = "jetstack/version-checker"
+	userAgent     = "jetstack/version-checker"
+	requiredScope = "repository:*:metadata_read"
 )
 
 type Client struct {
@@ -38,6 +41,7 @@ type Options struct {
 	Username     string
 	Password     string
 	RefreshToken string
+	JWKSURI      string
 }
 
 type AccessTokenResponse struct {
@@ -154,35 +158,52 @@ func (c *Client) getACRClient(ctx context.Context, host string) (*acrClient, err
 	}
 
 	var (
-		client *acrClient
-		err    error
+		client            *acrClient
+		accessTokenClient *autorest.Client
+		accessTokenReq    *http.Request
+		err               error
 	)
-
 	if len(c.RefreshToken) > 0 {
-		client, err = c.getAccessTokenClient(ctx, host)
+		accessTokenClient, accessTokenReq, err = c.getAccessTokenRequesterForRefreshToken(ctx, host)
 	} else {
-		client, err = c.getBasicAuthClient(host)
+		accessTokenClient, accessTokenReq, err = c.getAccessTokenRequesterForBasicAuth(ctx, host)
 	}
 	if err != nil {
 		return nil, err
 	}
+	if client, err = c.getAuthorizedClient(accessTokenClient, accessTokenReq, host); err != nil {
+		return nil, err
+	}
 
 	c.cachedACRClient[host] = client
 
 	return client, nil
 }
 
-func (c *Client) getBasicAuthClient(_ string) (*acrClient, error) {
+func (c *Client) getAccessTokenRequesterForBasicAuth(ctx context.Context, host string) (*autorest.Client, *http.Request, error) {
 	client := autorest.NewClientWithUserAgent(userAgent)
 	client.Authorizer = autorest.NewBasicAuthorizer(c.Username, c.Password)
+	urlParameters := map[string]interface{}{
+		"url": "https://" + host,
+	}
 
-	return &acrClient{
-		Client:      &client,
-		tokenExpiry: time.Unix(1<<63-1, 0),
-	}, nil
+	preparer := autorest.CreatePreparer(
+		autorest.WithCustomBaseURL("{url}", urlParameters),
+		autorest.WithPath("/oauth2/token"),
+		autorest.WithQueryParameters(map[string]interface{}{
+			"scope":   requiredScope,
+			"service": host,
+		}),
+	)
+	req, err := preparer.Prepare((&http.Request{}).WithContext(ctx))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &client, req, nil
 }
 
-func (c *Client) getAccessTokenClient(ctx context.Context, host string) (*acrClient, error) {
+func (c *Client) getAccessTokenRequesterForRefreshToken(ctx context.Context, host string) (*autorest.Client, *http.Request, error) {
 	client := autorest.NewClientWithUserAgent(userAgent)
 	urlParameters := map[string]interface{}{
 		"url": "https://" + host,
@@ -191,7 +212,7 @@ func (c *Client) getAccessTokenClient(ctx context.Context, host string) (*acrCli
 	formDataParameters := map[string]interface{}{
 		"grant_type":    "refresh_token",
 		"refresh_token": c.RefreshToken,
-		"scope":         "repository:*:*",
+		"scope":         requiredScope,
 		"service":       host,
 	}
 
@@ -202,9 +223,12 @@ func (c *Client) getAccessTokenClient(ctx context.Context, host string) (*acrCli
 		autorest.WithFormData(autorest.MapToValues(formDataParameters)))
 	req, err := preparer.Prepare((&http.Request{}).WithContext(ctx))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
+	return &client, req, nil
+}
 
+func (c *Client) getAuthorizedClient(client *autorest.Client, req *http.Request, host string) (*acrClient, error) {
 	resp, err := autorest.SendWithSender(client, req,
 		autorest.DoRetryForStatusCodes(client.RetryAttempts, client.RetryDuration, autorest.StatusCodesForRetry...),
 	)
@@ -220,26 +244,38 @@ func (c *Client) getAccessTokenClient(ctx context.Context, host string) (*acrCli
 			host, err)
 	}
 
-	exp, err := getTokenExpiration(respToken.AccessToken)
+	exp, err := c.getTokenExpiration(respToken.AccessToken)
 	if err != nil {
 		return nil, fmt.Errorf("%s: %s", host, err)
 	}
 
 	token := &adal.Token{
-		RefreshToken: c.RefreshToken,
+		RefreshToken: "", // empty if access_token was retrieved with basic auth. but client is not reused after expiry anyway (see cachedACRClient)
 		AccessToken:  respToken.AccessToken,
 	}
 
 	client.Authorizer = autorest.NewBearerAuthorizer(token)
 
 	return &acrClient{
 		tokenExpiry: exp,
-		Client:      &client,
+		Client:      client,
 	}, nil
 }
 
-func getTokenExpiration(tokenString string) (time.Time, error) {
-	token, err := jwt.Parse(tokenString, nil, jwt.WithoutClaimsValidation())
+func (c *Client) getTokenExpiration(tokenString string) (time.Time, error) {
+	jwtParser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	var token *jwt.Token
+	var err error
+	if c.JWKSURI != "" {
+		var k keyfunc.Keyfunc
+		k, err = keyfunc.NewDefaultCtx(context.TODO(), []string{c.JWKSURI})
+		if err != nil {
+			return time.Time{}, err
+		}
+		token, err = jwtParser.Parse(tokenString, k.Keyfunc)
+	} else {
+		token, _, err = jwtParser.ParseUnverified(tokenString, jwt.MapClaims{})
+	}
 	if err != nil {
 		return time.Time{}, err
 	}
