diff --git a/CHANGELOG.md b/CHANGELOG.md index 181a6ef8a049a45126df1a7217ccfc608e07ac05..f16b4499f17665152e428522c0d015b949173aab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,18 +39,26 @@ - Fixed a bug where wrong dates where returned if the database used a different timezone than UTC. - Fixed a bug in `mytoken-migratedb` were empty databases could not be setup. +### Security Fixes + +- Replaced the uuid library; the old library had a security flaw CVE-2021-3538 + ### Dependencies -- Bump golang.org/x/term from 0.5.0 to 0.6.0 -- Bump github.com/valyala/fasthttp from 1.44.0 to 1.45.0 +- Bump golang.org/x/term from 0.5.0 to 0.8.0 +- Bump github.com/valyala/fasthttp from 1.44.0 to 1.47.0 - Bump golang.org/x/net from 0.6.0 to 0.7.0 -- Bump golang.org/x/crypto from 0.6.0 to 0.7.0 -- Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 +- Bump golang.org/x/crypto from 0.6.0 to 0.9.0 +- Bump golang.org/x/oauth2 from 0.5.0 to 0.8.0 - Bump golang.org/x/mod from 0.8.0 to 0.9.0 - Bump github.com/gofiber/helmet/v2 from 2.2.24 to 2.2.25 - Bump github.com/gofiber/template from 1.7.5 to 1.8.0 -- Bump github.com/gofiber/fiber/v2 from 2.42.0 to 2.43.0 +- Bump github.com/gofiber/fiber/v2 from 2.42.0 to 2.46.0 - Bump github.com/pires/go-proxyproto from 0.6.2 to 0.7.0 +- Bump github.com/go-sql-driver/mysql from 1.7.0 to 1.7.1 +- Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 +- Bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 +- Replaced github.com/satori/go.uuid with github.com/gofrs/uuid ## mytoken 0.7.2 diff --git a/go.mod b/go.mod index faecb4b779b1a09b641a7b8a766624c41c01c927..e3b8648167f070917915526c20fd3dd5abcc30e5 100644 --- a/go.mod +++ b/go.mod @@ -12,6 +12,7 @@ require ( github.com/gofiber/fiber/v2 v2.46.0 github.com/gofiber/helmet/v2 v2.2.26 github.com/gofiber/template v1.8.1 + github.com/gofrs/uuid v4.4.0+incompatible github.com/golang-jwt/jwt v3.2.2+incompatible github.com/ip2location/ip2location-go v8.3.0+incompatible github.com/jinzhu/copier v0.3.5 
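Review bot: The new requirement `github.com/gofrs/uuid v4.4.0+incompatible` in the go.mod hunk carries the `+incompatible` suffix, meaning this v4 tag of the dependency ships without its own go.mod, so the module system records no requirements for it and cannot apply major-version path checks to it; integrity is still pinned by the go.sum entries added later in this commit. That is acceptable for a dependency that only needs the standard library, but it is worth a one-line comment next to the requirement so the next upgrade is deliberate, e.g. `// gofrs/uuid v4 is not a Go module (+incompatible); re-check on upgrade`. If the library publishes a later major version under a proper `/vN` module path, prefer that over the `+incompatible` tag.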
@@ -23,7 +24,6 @@ require (
 github.com/patrickmn/go-cache v2.1.0+incompatible
 github.com/pires/go-proxyproto v0.7.0
 github.com/pkg/errors v0.9.1
- github.com/satori/go.uuid v1.2.0
 github.com/sirupsen/logrus v1.9.2
 github.com/urfave/cli/v2 v2.3.1-0.20211205195634-e8d81738896c
 github.com/valyala/fasthttp v1.47.0
diff --git a/go.sum b/go.sum
index b234f9090f84934325cdb9c4b769c9d1a8285542..17190d46ef1a71ae99cc2ca23ad85768b5b2b676 100644
--- a/go.sum
+++ b/go.sum
@@ -175,6 +175,8 @@ github.com/gofiber/helmet/v2 v2.2.26 h1:KreQVUpCIGppPQ6Yt8qQMaIR4fVXMnvBdsda0dJS
 github.com/gofiber/helmet/v2 v2.2.26/go.mod h1:XE0DF4cgf0M5xIt7qyAK5zOi8jJblhxfSDv9DAmEEQo=
 github.com/gofiber/template v1.8.1 h1:KLnNtXqH3LTzquU0NsLMqX3YGd3pD562UhSNaIca5HI=
 github.com/gofiber/template v1.8.1/go.mod h1:+2x8bRo2TAXnqp0RUN2MdyKshUi+BulPoUCOHstFLqE=
+github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
+github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
@@ -428,8 +430,6 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/savsgio/dictpool v0.0.0-20221023140959-7bf2e61cea94 h1:rmMl4fXJhKMNWl+K+r/fq4FbbKI+Ia2m9hYBLm2h4G4=
 github.com/savsgio/dictpool v0.0.0-20221023140959-7bf2e61cea94/go.mod h1:90zrgN3D/WJsDd1iXHT96alCoN2KJo6/4x1DZC3wZs8=
 github.com/savsgio/gotils v0.0.0-20220530130905-52f3993e8d6d/go.mod h1:Gy+0tqhJvgGlqnTF8CVGP0AaGRjwBtXs/a5PA0Y3+A4=
diff --git a/internal/db/dbrepo/mytokenrepo/mytoken_test.go b/internal/db/dbrepo/mytokenrepo/mytoken_test.go
index 0db9c5f116229f6f786eb6f441a151cc8ea76e18..0f26382aa1a8037eb2dcdef428b30eae0631e561 100644
--- a/internal/db/dbrepo/mytokenrepo/mytoken_test.go
+++ b/internal/db/dbrepo/mytokenrepo/mytoken_test.go
@@ -7,7 +7,8 @@ import (
 )
 
 func TestMytokenEntry_Root(t *testing.T) {
- parentRoot := mtid.New()
+ parentRoot, _ := mtid.New()
+ parentID, _ := mtid.New()
 tests := []struct {
 name string
 mt MytokenEntry
@@ -28,7 +29,7 @@ func TestMytokenEntry_Root(t *testing.T) {
 {
 name: "HasParentAndRoot",
 mt: MytokenEntry{
- ParentID: mtid.New(),
+ ParentID: parentID,
 },
 expected: false,
 },
diff --git a/internal/db/profilerepo/add.go b/internal/db/profilerepo/add.go
index c592731c16bf7ad9b84316ab0ab929a2259275ff..b24a29e1798f9857267e97c634e2ca212e98c537 100644
--- a/internal/db/profilerepo/add.go
+++ b/internal/db/profilerepo/add.go
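Review bot: `parentRoot, _ := mtid.New()` and `parentID, _ := mtid.New()` in TestMytokenEntry_Root discard the error that the new `New` signature introduces; if ID generation ever fails the test proceeds with whatever (likely zero) MTID came back and the `HasParentAndRoot` case fails with a message that points at `Root()` rather than at the real cause. Fail fast instead: `parentRoot, err := mtid.New(); if err != nil { t.Fatal(err) }`, and the same for `parentID`. TestMytokenEntry_Root continues past the hunk.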
@@ -3,9 +3,9 @@ package profilerepo
 import (
 "encoding/json"
 
+ "github.com/gofrs/uuid"
 "github.com/jmoiron/sqlx"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 
 "github.com/oidc-mytoken/server/internal/db"
@@ -15,10 +15,13 @@ import (
 func AddProfile(
 rlog log.Ext1FieldLogger, tx *sqlx.Tx, group, name string, payload json.RawMessage,
 ) error {
- id := uuid.NewV4()
+ id, err := uuid.NewV4()
+ if err != nil {
+ return errors.WithStack(err)
+ }
 return db.RunWithinTransaction(
 rlog, tx, func(tx *sqlx.Tx) error {
- _, err := tx.Exec(`CALL Profiles_InsertProfiles(?,?,?,?)`, id, group, name, payload)
+ _, err = tx.Exec(`CALL Profiles_InsertProfiles(?,?,?,?)`, id, group, name, payload)
 return errors.WithStack(err)
 },
 )
@@ -28,7 +31,10 @@ func AddProfile(
 func AddCapabilities(
 rlog log.Ext1FieldLogger, tx *sqlx.Tx, group, name string, payload json.RawMessage,
 ) error {
- id := uuid.NewV4()
+ id, err := uuid.NewV4()
+ if err != nil {
+ return errors.WithStack(err)
+ }
 return db.RunWithinTransaction(
 rlog, tx, func(tx *sqlx.Tx) error {
 _, err := tx.Exec(`CALL Profiles_InsertCapabilities(?,?,?,?)`, id, group, name, payload)
@@ -41,7 +47,10 @@ func AddCapabilities(
 func AddRestrictions(
 rlog log.Ext1FieldLogger, tx *sqlx.Tx, group, name string, payload json.RawMessage,
 ) error {
- id := uuid.NewV4()
+ id, err := uuid.NewV4()
+ if err != nil {
+ return errors.WithStack(err)
+ }
 return db.RunWithinTransaction(
 rlog, tx, func(tx *sqlx.Tx) error {
 _, err := tx.Exec(`CALL Profiles_InsertRestrictions(?,?,?,?)`, id, group, name, payload)
@@ -54,7 +63,10 @@ func AddRestrictions(
 func AddRotation(
 rlog log.Ext1FieldLogger, tx *sqlx.Tx, group, name string, payload json.RawMessage,
 ) error {
- id := uuid.NewV4()
+ id, err := uuid.NewV4()
+ if err != nil {
+ return errors.WithStack(err)
+ }
 return db.RunWithinTransaction(
 rlog, tx, func(tx *sqlx.Tx) error {
 _, err := tx.Exec(`CALL Profiles_InsertRotations(?,?,?,?)`, id, group, name, payload)
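Review bot: In AddCapabilities, AddRestrictions and AddRotation the new function-level `id, err := uuid.NewV4()` is now shadowed inside the transaction closure by the unchanged `_, err := tx.Exec(...)`, whereas AddProfile in the same file was deliberately switched to `_, err = tx.Exec(...)`; both forms compile and the inner error is the one returned, but the file is now inconsistent and shadow linters will flag the three closures. Pick one form for all four functions — either change the three closures to `_, err = tx.Exec(...)` to match AddProfile, or revert AddProfile to `:=` so the closure error stays local. The three closures, and therefore those functions, continue past their hunks.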
diff --git a/internal/db/profilerepo/delete.go b/internal/db/profilerepo/delete.go
index 0366009e632136c1db8ac68a5d9bb9b3b267ca39..2473afcfd73147a93499eadfebd69466e1d6e68a 100644
--- a/internal/db/profilerepo/delete.go
+++ b/internal/db/profilerepo/delete.go
@@ -1,9 +1,9 @@
 package profilerepo
 
 import (
+ "github.com/gofrs/uuid"
 "github.com/jmoiron/sqlx"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 
 "github.com/oidc-mytoken/server/internal/db"
diff --git a/internal/db/profilerepo/get.go b/internal/db/profilerepo/get.go
index 4d000a680619817a6b7f35bb43a2cb925f834ab9..dbe109b7500ea535f714c27269b9362ce29fcd74 100644
--- a/internal/db/profilerepo/get.go
+++ b/internal/db/profilerepo/get.go
@@ -3,11 +3,11 @@ package profilerepo
 import (
 "encoding/json"
 
+ "github.com/gofrs/uuid"
 "github.com/jmoiron/sqlx"
 "github.com/oidc-mytoken/api/v0"
 "github.com/oidc-mytoken/utils/utils/profile"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 
 "github.com/oidc-mytoken/server/internal/db"
diff --git a/internal/db/profilerepo/update.go b/internal/db/profilerepo/update.go
index 6d463b70026bea7579f80968340f177fc532989f..adb3561efd939cd3b95e26a0aec46004a2560d0f 100644
--- a/internal/db/profilerepo/update.go
+++ b/internal/db/profilerepo/update.go
@@ -3,9 +3,9 @@ package profilerepo
 import (
 "encoding/json"
 
+ "github.com/gofrs/uuid"
 "github.com/jmoiron/sqlx"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 
 "github.com/oidc-mytoken/server/internal/db"
diff --git a/internal/endpoints/profiles/profileEndpoint.go b/internal/endpoints/profiles/profileEndpoint.go
index 4702fc1c9e7f81f1778e114e11f69b8e7a3acd5a..634704519c49154fecfd947cfbb96089e16a1b4b 100644
--- a/internal/endpoints/profiles/profileEndpoint.go
+++ b/internal/endpoints/profiles/profileEndpoint.go
@@ -4,10 +4,10 @@ import (
 "encoding/json"
 
 "github.com/gofiber/fiber/v2"
+ "github.com/gofrs/uuid"
 "github.com/jmoiron/sqlx"
 "github.com/oidc-mytoken/api/v0"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 
 "github.com/oidc-mytoken/server/internal/db/profilerepo"
diff --git a/internal/model/version/VERSION b/internal/model/version/VERSION
index a3df0a6959e154733da89a5d6063742ce6d5b851..6f4eebdf6f68fc72411793cdb19e3f1715b117f3 100644
--- a/internal/model/version/VERSION
+++ b/internal/model/version/VERSION
@@ -1 +1 @@
-0.8.0
+0.8.1
diff --git a/internal/mytoken/mytokenHandler.go b/internal/mytoken/mytokenHandler.go
index b7898b71bd6a30e28d30f23b7fa34583631b1dcc..47b7d7092478b22cdc9164ce22701b9ddc465597 100644
--- a/internal/mytoken/mytokenHandler.go
+++ b/internal/mytoken/mytokenHandler.go
@@ -258,24 +258,25 @@ func createMytokenEntry(
 if req.Rotation != nil {
 rot = &req.Rotation.Rotation
 }
- ste := mytokenrepo.NewMytokenEntry(
- mytoken.NewMytoken(
- parent.OIDCSubject, parent.OIDCIssuer, req.GeneralMytokenRequest.Name, r, c, rot,
- parent.AuthTime,
- ),
- req.GeneralMytokenRequest.Name, networkData,
+ mt, err := mytoken.NewMytoken(
+ parent.OIDCSubject, parent.OIDCIssuer, req.GeneralMytokenRequest.Name, r, c, rot,
+ parent.AuthTime,
 )
+ if err != nil {
+ return nil, model.ErrorToInternalServerErrorResponse(err)
+ }
+ mte := mytokenrepo.NewMytokenEntry(mt, req.GeneralMytokenRequest.Name, networkData)
 encryptionKey, _, err := encryptionkeyrepo.GetEncryptionKey(rlog, nil, parent.ID, req.Mytoken.JWT)
 if err != nil {
 rlog.WithError(err).Error()
- return ste, model.ErrorToInternalServerErrorResponse(err)
+ return mte, model.ErrorToInternalServerErrorResponse(err)
 }
- if err = ste.SetRefreshToken(rtID, encryptionKey); err != nil {
+ if err = mte.SetRefreshToken(rtID, encryptionKey); err != nil {
 rlog.WithError(err).Error()
- return ste, model.ErrorToInternalServerErrorResponse(err)
+ return mte, model.ErrorToInternalServerErrorResponse(err)
 }
- ste.ParentID = parent.ID
- return ste, nil
+ mte.ParentID = parent.ID
+ return mte, nil
 }
 
 // RevokeMytoken revokes a Mytoken
diff --git a/internal/mytoken/pkg/mtid/mtid.go b/internal/mytoken/pkg/mtid/mtid.go
index c79f314919d8555c09cb6bb64003ffb14b30302c..61eefc4d69274390099a63d45fa0bb46e7dc6580 100644
--- a/internal/mytoken/pkg/mtid/mtid.go
+++ b/internal/mytoken/pkg/mtid/mtid.go
@@ -4,8 +4,8 @@ import (
 "database/sql/driver"
 "encoding/json"
 
+ "github.com/gofrs/uuid"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 
 "github.com/oidc-mytoken/server/internal/db"
 "github.com/oidc-mytoken/server/internal/utils/hashutils"
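Review bot: The new early return after `mytoken.NewMytoken` converts the error into an internal-server-error response without logging it, whereas the two error paths directly below it (`GetEncryptionKey`, `SetRefreshToken`) both call `rlog.WithError(err).Error()` first; a failure to generate a token ID is a CSPRNG problem an operator needs to see in the log, not just a 500 on the client side. Add `rlog.WithError(err).Error()` before `return nil, model.ErrorToInternalServerErrorResponse(err)`. Separately, this branch returns `nil` as the entry while the later branches still return the half-built `mte` next to an error; if no caller relies on the partial entry, returning `nil` on every error path is the cleaner contract. createMytokenEntry begins before the hunk.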
@@ -18,10 +18,11 @@ type MTID struct { } // New creates a new MTID -func New() MTID { +func New() (MTID, error) { + uuid, err := uuid.NewV4() return MTID{ - UUID: uuid.NewV4(), - } + UUID: uuid, + }, errors.WithStack(err) } // Valid checks if the MTID is valid diff --git a/internal/mytoken/pkg/mtid/mtid_test.go b/internal/mytoken/pkg/mtid/mtid_test.go index 7c75bebb9b71b58bf335d8952f7a41c8c565ce06..f388e5c755f60152f8b1be95386356addfbd00a0 100644 --- a/internal/mytoken/pkg/mtid/mtid_test.go +++ b/internal/mytoken/pkg/mtid/mtid_test.go @@ -5,6 +5,7 @@ import ( ) func TestMTID_HashValid(t *testing.T) { + id, _ := New() tests := []struct { name string id MTID @@ -17,7 +18,7 @@ func TestMTID_HashValid(t *testing.T) { }, { name: "Valid", - id: New(), + id: id, expected: true, }, { @@ -43,6 +44,7 @@ func TestMTID_HashValid(t *testing.T) { } } func TestMTID_Valid(t *testing.T) { + id, _ := New() tests := []struct { name string id MTID @@ -55,7 +57,7 @@ func TestMTID_Valid(t *testing.T) { }, { name: "Valid", - id: New(), + id: id, expected: true, }, { diff --git a/internal/mytoken/pkg/mytoken.go b/internal/mytoken/pkg/mytoken.go index 881c34968a1682322008be60ad350e938b5d3142..7224b225d892279c7d843b1430b4452cc75a6d7f 100644 --- a/internal/mytoken/pkg/mytoken.go +++ b/internal/mytoken/pkg/mytoken.go @@ -92,8 +92,12 @@ func (mt *Mytoken) VerifyCapabilities(required ...api.Capability) bool { func NewMytoken( oidcSub, oidcIss, name string, r restrictions.Restrictions, c api.Capabilities, rot *api.Rotation, authTime unixtime.UnixTime, -) *Mytoken { +) (*Mytoken, error) { now := unixtime.Now() + id, err := mtid.New() + if err != nil { + return nil, err + } mt := &Mytoken{ Mytoken: api.Mytoken{ Version: api.TokenVer, @@ -107,7 +111,7 @@ func NewMytoken( OIDCSubject: oidcSub, Capabilities: c, }, - ID: mtid.New(), + ID: id, IssuedAt: now, NotBefore: now, AuthTime: authTime, 
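Review bot: In the rewritten `New`, `uuid, err := uuid.NewV4()` shadows the imported `uuid` package with a local variable for the rest of the function, and on failure the function still returns an `MTID` built from whatever value `NewV4` handed back together with the error, instead of the zero value. Since the whole point of this change is to stop swallowing RNG failures (the old library's CVE), make the failure path explicit: `id, err := uuid.NewV4()`, then `if err != nil { return MTID{}, errors.WithStack(err) }`, then `return MTID{UUID: id}, nil`. The comment `// New creates a new MTID` should also say that a non-nil error means the random ID source failed and the returned MTID must not be used.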
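Review bot: `id, _ := New()` in TestMTID_HashValid and again in TestMTID_Valid throws away the error that the new signature introduces, so a failing generator would make the `Valid` case fail with a message that blames `HashValid`/`Valid` rather than `New`. Check it and abort the test: `id, err := New(); if err != nil { t.Fatal(err) }`. Both test functions continue past their hunks.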
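Review bot: NewMytoken now returns `(*Mytoken, error)`, but the hunk starts at the `func` line, so the doc comment above it is not updated in this commit; it should state what a non-nil error means. From the visible code the only error source is `mtid.New()` (the random token-ID generation), and the final `return mt, nil` in the next hunk confirms nothing else fails. Suggested wording: `// NewMytoken creates a new Mytoken. It returns a non-nil error only when a random token ID cannot be generated; the returned *Mytoken is nil in that case.` The function body continues past the hunk.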
@@ -125,7 +129,7 @@ func NewMytoken(
 mt.NotBefore = nbf
 }
 }
- return mt
+ return mt, nil
 }
 
 // ExpiresIn returns the amount of seconds in which this token expires
diff --git a/internal/oidc/authcode/authcode.go b/internal/oidc/authcode/authcode.go
index dfa1559eb1fb885476c947e251d342251eb5e939..ba33a4c7ed1f0bfdbe6be7a38f0528f8e219df34 100644
--- a/internal/oidc/authcode/authcode.go
+++ b/internal/oidc/authcode/authcode.go
@@ -337,23 +337,24 @@ func createMytokenEntry(
 if authFlowInfo.Rotation != nil {
 rot = &authFlowInfo.Rotation.Rotation
 }
- mte := mytokenrepo.NewMytokenEntry(
- mytoken.NewMytoken(
- oidcSub,
- authFlowInfo.Issuer,
- authFlowInfo.Name,
- authFlowInfo.Restrictions.Restrictions,
- authFlowInfo.Capabilities.Capabilities,
- rot,
- unixtime.Now(),
- ),
- authFlowInfo.Name, networkData,
+ mt, err := mytoken.NewMytoken(
+ oidcSub,
+ authFlowInfo.Issuer,
+ authFlowInfo.Name,
+ authFlowInfo.Restrictions.Restrictions,
+ authFlowInfo.Capabilities.Capabilities,
+ rot,
+ unixtime.Now(),
 )
+ if err != nil {
+ return nil, err
+ }
+ mte := mytokenrepo.NewMytokenEntry(mt, authFlowInfo.Name, networkData)
 mte.Token.AuthTime = unixtime.Now()
- if err := mte.InitRefreshToken(token.RefreshToken); err != nil {
+ if err = mte.InitRefreshToken(token.RefreshToken); err != nil {
 return nil, err
 }
- if err := mte.Store(rlog, tx, "Used grant_type oidc_flow authorization_code"); err != nil {
+ if err = mte.Store(rlog, tx, "Used grant_type oidc_flow authorization_code"); err != nil {
 return nil, err
 }
 return mte, nil
diff --git a/internal/server/web/static/img/mytoken-grey.png b/internal/server/web/static/img/mytoken-grey.png
index b832bdfbb41d1a603f8d1db3ca905dbdaa404765..3ed45dfc10f8345523fadac1e5936fda49bb0319 100644
Binary files a/internal/server/web/static/img/mytoken-grey.png and b/internal/server/web/static/img/mytoken-grey.png differ
diff --git a/internal/server/web/static/img/mytoken.png b/internal/server/web/static/img/mytoken.png
index f08c11a25d781f23865f3b7dc33931102bbccaf5..aba83d1796db331efbfd6c64d9e00b75621d2eb5 100644
Binary files a/internal/server/web/static/img/mytoken.png and b/internal/server/web/static/img/mytoken.png differ
diff --git a/internal/utils/ctxutils/id.go b/internal/utils/ctxutils/id.go
index 724a847793c04b0d598d12235f65b73e73061c3e..57608414b4c705f4090c274c72326605d8bcbd7b 100644
--- a/internal/utils/ctxutils/id.go
+++ b/internal/utils/ctxutils/id.go
@@ -4,8 +4,8 @@ import (
 "encoding/json"
 
 "github.com/gofiber/fiber/v2"
+ "github.com/gofrs/uuid"
 "github.com/pkg/errors"
- uuid "github.com/satori/go.uuid"
 )
 
 type idUnmarshal struct {
diff --git a/mytoken.png b/mytoken.png
index f08c11a25d781f23865f3b7dc33931102bbccaf5..aba83d1796db331efbfd6c64d9e00b75621d2eb5 100644
Binary files a/mytoken.png and b/mytoken.png differ