chore(deps/gomod): update module github.com/golang-jwt/jwt/v4 to v5 (#12691)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/golang-jwt/jwt/v4](https://redirect.github.com/golang-jwt/jwt) | `v4.5.1` -> `v5.2.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgolang-jwt%2fjwt%2fv4/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgolang-jwt%2fjwt%2fv4/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgolang-jwt%2fjwt%2fv4/v4.5.1/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgolang-jwt%2fjwt%2fv4/v4.5.1/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---------

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Bart Smykla <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Bart Smykla <[email protected]>

Author: renovate[bot]

app/kuma-dp/pkg/config/validate.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 
 	"github.com/asaskevich/govalidator"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 
 	util_files "github.com/kumahq/kuma/pkg/util/files"

app/kuma-dp/pkg/config/validate_test.go

@@ -58,11 +58,11 @@ var _ = Describe("ValidateTokenPath", func() {
 			}),
 			Entry("can't parse token", testCase{
 				token:         "yJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ.rdQ6l_6hzT93Kbk9kO-kZYY7BaexUH8QknvbdRy_f6s",
-				expectedError: "not valid JWT token. Can't parse it.: invalid character 'È' looking for beginning of value",
+				expectedError: "not valid JWT token. Can't parse it.: token is malformed: could not JSON decode header: invalid character 'È' looking for beginning of value",
 			}),
 			Entry("need 3 segments", testCase{
 				token:         "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ",
-				expectedError: "not valid JWT token. Can't parse it.: token contains an invalid number of segments",
+				expectedError: "not valid JWT token. Can't parse it.: token is malformed: token contains an invalid number of segments",
 			}),
 			Entry("new line in the end", testCase{
 				token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJOYW1lIjoidGVzdCIsIk1lc2giOiJkZWZhdWx0IiwiVGFncyI6e30sIlR5cGUiOiIifQ.rdQ6l_6hzT93Kbk9kO-kZYY7BaexUH8QknvbdRy_f6s\n",

app/kumactl/cmd/generate/generate_dataplane_token_test.go

@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/spf13/cobra"

app/kumactl/cmd/generate/generate_user_token_test.go

@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 

app/kumactl/cmd/generate/generate_zone_token_test.go

@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/spf13/cobra"

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/goburrow/cache v0.1.4
-	github.com/golang-jwt/jwt/v4 v4.5.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.7.0

go.sum

@@ -216,8 +216,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
 github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=

pkg/core/tokens/issuer.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 
 	"github.com/kumahq/kuma/pkg/core"

pkg/core/tokens/issuer_test.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"google.golang.org/protobuf/types/known/wrapperspb"
@@ -66,14 +66,10 @@ var _ = Describe("Token issuer", func() {
 		core.Now = func() time.Time {
 			return now
 		}
-		jwt.TimeFunc = func() time.Time {
-			return now
-		}
 	})
 
 	AfterEach(func() {
 		core.Now = time.Now
-		jwt.TimeFunc = time.Now
 	})
 
 	Context("Global Scoped tokens", func() {
@@ -89,6 +85,9 @@ var _ = Describe("Token issuer", func() {
 				},
 				tokens.NewRevocations(secretManager, TokenRevocationsGlobalSecretKey),
 				store_config.MemoryStore,
+				jwt.WithTimeFunc(func() time.Time {
+					return now
+				}),
 			)
 
 			Expect(signingKeyManager.CreateDefaultSigningKey(ctx)).To(Succeed())
@@ -190,6 +189,9 @@ var _ = Describe("Token issuer", func() {
 				},
 				tokens.NewRevocations(secretManager, TokenRevocationsSecretKey(core_model.DefaultMesh)),
 				store_config.MemoryStore,
+				jwt.WithTimeFunc(func() time.Time {
+					return now
+				}),
 			)
 
 			Expect(secretManager.Create(ctx, mesh.NewMeshResource(), core_store.CreateByKey(core_model.DefaultMesh, core_model.NoMesh))).To(Succeed())

pkg/core/tokens/token.go

@@ -1,6 +1,6 @@
 package tokens
 
-import "github.com/golang-jwt/jwt/v4"
+import "github.com/golang-jwt/jwt/v5"
 
 type Token = string
 

pkg/core/tokens/validator.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 
 	store_config "github.com/kumahq/kuma/pkg/config/core/resources/store"
@@ -19,18 +19,26 @@ type Validator interface {
 }
 
 type jwtTokenValidator struct {
-	keyAccessors []SigningKeyAccessor
-	revocations  Revocations
-	storeType    store_config.StoreType
-	log          logr.Logger
+	keyAccessors  []SigningKeyAccessor
+	revocations   Revocations
+	storeType     store_config.StoreType
+	log           logr.Logger
+	parserOptions []jwt.ParserOption
 }
 
-func NewValidator(log logr.Logger, keyAccessors []SigningKeyAccessor, revocations Revocations, storeType store_config.StoreType) Validator {
+func NewValidator(
+	log logr.Logger,
+	keyAccessors []SigningKeyAccessor,
+	revocations Revocations,
+	storeType store_config.StoreType,
+	parserOptions ...jwt.ParserOption,
+) Validator {
 	return &jwtTokenValidator{
-		log:          log,
-		keyAccessors: keyAccessors,
-		revocations:  revocations,
-		storeType:    storeType,
+		log:           log,
+		keyAccessors:  keyAccessors,
+		revocations:   revocations,
+		storeType:     storeType,
+		parserOptions: parserOptions,
 	}
 }
 
@@ -69,7 +77,7 @@ func (j *jwtTokenValidator) ParseWithValidation(ctx context.Context, rawToken To
 		default:
 			return nil, fmt.Errorf("unsupported token alg %s. Allowed algorithms are %s and %s", token.Method.Alg(), jwt.SigningMethodRS256.Name, jwt.SigningMethodHS256)
 		}
-	})
+	}, j.parserOptions...)
 	if err != nil {
 		signingKeyError := &SigningKeyNotFound{}
 		if errors2.As(err, &signingKeyError) {

pkg/plugins/authn/api-server/tokens/issuer/token.go

@@ -1,7 +1,7 @@
 package issuer
 
 import (
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/kumahq/kuma/pkg/core/tokens"
 	"github.com/kumahq/kuma/pkg/core/user"

pkg/tokens/builtin/issuer/issuer.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/kumahq/kuma/pkg/core/tokens"
 )

pkg/tokens/builtin/issuer/token.go

@@ -1,7 +1,7 @@
 package issuer
 
 import (
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 	"github.com/kumahq/kuma/pkg/core/tokens"

pkg/tokens/builtin/zone/token.go

@@ -1,7 +1,7 @@
 package zone
 
 import (
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	core_tokens "github.com/kumahq/kuma/pkg/core/tokens"
 )

pkg/xds/auth/universal/auth_test.go

@@ -141,7 +141,7 @@ var _ = Describe("Authentication flow", func() {
 				Name: "dp-1",
 			},
 			dpRes: &dpRes,
-			err:   "could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts. Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: crypto/rsa: verification error",
+			err:   "could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts. Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token signature is invalid: crypto/rsa: verification error",
 		}),
 		Entry("on token with different tags", testCase{
 			id: builtin_issuer.DataplaneIdentity{
@@ -188,7 +188,7 @@ var _ = Describe("Authentication flow", func() {
 
 		// then
 		Expect(err.Error()).To(ContainSubstring("could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts." +
-			" Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token contains an invalid number of segments"))
+			" Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token is malformed: token contains an invalid number of segments"))
 	})
 
 	It("should throw an error when signing key used for validation is different than for generation", func() {
@@ -209,7 +209,7 @@ var _ = Describe("Authentication flow", func() {
 
 		// then
 		Expect(err.Error()).To(ContainSubstring("could not parse token. kuma-cp runs with an in-memory database and its state isn't preserved between restarts." +
-			" Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: crypto/rsa: verification error"))
+			" Keep in mind that an in-memory database cannot be used with multiple instances of the control plane: token signature is invalid: crypto/rsa: verification error"))
 	})
 
 	It("should throw an error when signing key is not found", func() {