From b16236496bac0bd01c60f544177cf544e107f6af Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Mon, 11 Jan 2021 07:57:54 -0700
Subject: [PATCH] jws: remove issuer (#1754)
---
 authenticate/handlers_test.go | 6 +++---
 authenticate/state.go | 2 +-
 authorize/check_response_test.go | 4 ++--
 authorize/grpc_test.go | 4 ++--
 authorize/session_test.go | 4 ++--
 authorize/state.go | 6 +-----
 cmd/pomerium-cli/cli.go | 2 +-
 internal/encoding/jws/jws.go | 5 ++---
 internal/sessions/middleware_test.go | 2 +-
 internal/sessions/mock/mock_store.go | 2 +-
 proxy/forward_auth_test.go | 2 +-
 proxy/state.go | 2 +-
 12 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go
index 75f872056..78bc3bd7c 100644
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@@ -359,7 +359,7 @@ func TestAuthenticate_OAuthCallback(t *testing.T) {
  if err != nil {
  t.Fatal(err)
  }
- signer, err := jws.NewHS256Signer(nil, "mock")
+ signer, err := jws.NewHS256Signer(nil)
  if err != nil {
  t.Fatal(err)
  }
@@ -493,7 +493,7 @@ func TestAuthenticate_SessionValidatorMiddleware(t *testing.T) {
  if err != nil {
  t.Fatal(err)
  }
- signer, err := jws.NewHS256Signer(nil, "mock")
+ signer, err := jws.NewHS256Signer(nil)
  if err != nil {
  t.Fatal(err)
  }
@@ -614,7 +614,7 @@ func TestAuthenticate_Dashboard(t *testing.T) {
  ctrl := gomock.NewController(t)
  defer ctrl.Finish()
 
- signer, err := jws.NewHS256Signer(nil, "mock")
+ signer, err := jws.NewHS256Signer(nil)
  if err != nil {
  t.Fatal(err)
  }
diff --git a/authenticate/state.go b/authenticate/state.go
index e4a0829cc..40dc4a0c2 100644
--- a/authenticate/state.go
+++ b/authenticate/state.go
@@ -77,7 +77,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
  }
 
  // shared state encoder setup
- state.sharedEncoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), cfg.Options.GetAuthenticateURL().Host)
+ state.sharedEncoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
  if err != nil {
  return nil, err
  }
diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go
index 7fa25f593..3b473288a 100644
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@@ -36,7 +36,7 @@ func TestAuthorize_okResponse(t *testing.T) {
  JWTClaimsHeaders: []string{"email"},
  }
  a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
- encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
  a.state.Load().encoder = encoder
  a.currentOptions.Store(opt)
  a.store = evaluator.NewStore()
@@ -205,7 +205,7 @@ func TestAuthorize_okResponse(t *testing.T) {
 
 func TestAuthorize_deniedResponse(t *testing.T) {
  a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
- encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
  a.state.Load().encoder = encoder
  a.currentOptions.Store(&config.Options{
  Policies: []config.Policy{{
diff --git a/authorize/grpc_test.go b/authorize/grpc_test.go
index 859a63614..83dd5d284 100644
--- a/authorize/grpc_test.go
+++ b/authorize/grpc_test.go
@@ -51,7 +51,7 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
 
 func Test_getEvaluatorRequest(t *testing.T) {
  a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
- encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
  a.state.Load().encoder = encoder
  a.currentOptions.Store(&config.Options{
  Policies: []config.Policy{{
@@ -271,7 +271,7 @@ func Test_handleForwardAuth(t *testing.T) {
 
 func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
  a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
- encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
  a.state.Load().encoder = encoder
  a.currentOptions.Store(&config.Options{
  Policies: []config.Policy{{
diff --git a/authorize/session_test.go b/authorize/session_test.go
index 8f36c7366..bb0096c8a 100644
--- a/authorize/session_test.go
+++ b/authorize/session_test.go
@@ -20,7 +20,7 @@ import (
 
 func TestLoadSession(t *testing.T) {
  opts := config.NewDefaultOptions()
- encoder, err := jws.NewHS256Signer(nil, "example.com")
+ encoder, err := jws.NewHS256Signer(nil)
  if !assert.NoError(t, err) {
  return
  }
@@ -117,7 +117,7 @@ func TestAuthorize_getJWTClaimHeaders(t *testing.T) {
  }},
  }
  a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
- encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
+ encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
  a.state.Load().encoder = encoder
  a.currentOptions.Store(opt)
  a.store = evaluator.NewStore()
diff --git a/authorize/state.go b/authorize/state.go
index a765dffee..018a0ce43 100644
--- a/authorize/state.go
+++ b/authorize/state.go
@@ -33,11 +33,7 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *evaluator.Store) (*a
  return nil, fmt.Errorf("authorize: failed to update policy with options: %w", err)
  }
 
- var host string
- if cfg.Options.AuthenticateURL != nil {
- host = cfg.Options.AuthenticateURL.Host
- }
- state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), host)
+ state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
  if err != nil {
  return nil, err
  }
diff --git a/cmd/pomerium-cli/cli.go b/cmd/pomerium-cli/cli.go
index 21e2d6a6b..70319ee76 100644
--- a/cmd/pomerium-cli/cli.go
+++ b/cmd/pomerium-cli/cli.go
@@ -160,7 +160,7 @@ var serviceAccountCmd = &cobra.Command{
  }
  serviceAccountOptions.serviceAccount.ID = sa.GetId()
 
- encoder, err := jws.NewHS256Signer([]byte(sharedKey), serviceAccountOptions.serviceAccount.Issuer)
+ encoder, err := jws.NewHS256Signer([]byte(sharedKey))
  if err != nil {
  return fmt.Errorf("bad shared key: %w", err)
  }
diff --git a/internal/encoding/jws/jws.go b/internal/encoding/jws/jws.go
index e372b5449..142bd294a 100644
--- a/internal/encoding/jws/jws.go
+++ b/internal/encoding/jws/jws.go
@@ -13,19 +13,18 @@ import (
 // https://tools.ietf.org/html/rfc7519
 type JSONWebSigner struct {
  Signer jose.Signer
- Issuer string
  key interface{}
 }
 
 // NewHS256Signer creates a SHA256 JWT signer from a 32 byte key.
-func NewHS256Signer(key []byte, issuer string) (encoding.MarshalUnmarshaler, error) {
+func NewHS256Signer(key []byte) (encoding.MarshalUnmarshaler, error) {
  sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))
  if err != nil {
  return nil, err
  }
- return &JSONWebSigner{Signer: sig, key: key, Issuer: issuer}, nil
+ return &JSONWebSigner{Signer: sig, key: key}, nil
 }
 
 // Marshal signs, and serializes a JWT.
diff --git a/internal/sessions/middleware_test.go b/internal/sessions/middleware_test.go
index be09fda9c..d24d0bf61 100644
--- a/internal/sessions/middleware_test.go
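Review bot: The doc comment kept as context, `// NewHS256Signer creates a SHA256 JWT signer from a 32 byte key.`, is not enforced by the new signature: the body hands `key` straight to jose.NewSigner with no `len(key)` check, and the test hunks in this same patch call it with `nil` and `[]byte{0, 0, 0, 0}` and expect no error, so an empty or truncated SharedKey at the production call sites in authenticate/state.go, authorize/state.go and proxy/state.go would yield HS256 tokens under a trivially weak key. Either make the contract real with `if len(key) != 32 { return nil, fmt.Errorf("jws: expected a 32 byte key, got %d bytes", len(key)) }` as the first statement (the tests that pass `nil` would then need a real key, and fmt would need importing if the file lacks it), or reword the comment so the key-length requirement is visibly the caller's responsibility. Separately, if Marshal or Unmarshal, both outside this hunk, previously set or validated the `iss` claim from the removed Issuer field, that behaviour disappears with it; confirm that whatever claims verifiers rely on are unchanged. JSONWebSigner's methods continue past the end of the hunk.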
+++ b/internal/sessions/middleware_test.go
@@ -30,7 +30,7 @@ func TestNewContext(t *testing.T) {
  }
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {
- signer, err := jws.NewHS256Signer(cryptutil.NewKey(), "issuer")
+ signer, err := jws.NewHS256Signer(cryptutil.NewKey())
  if err != nil {
  t.Fatal(err)
  }
diff --git a/internal/sessions/mock/mock_store.go b/internal/sessions/mock/mock_store.go
index 058787d90..5263af40d 100644
--- a/internal/sessions/mock/mock_store.go
+++ b/internal/sessions/mock/mock_store.go
@@ -32,7 +32,7 @@ func (ms *Store) ClearSession(http.ResponseWriter, *http.Request) {
 // LoadSession returns the session and a error
 func (ms Store) LoadSession(*http.Request) (string, error) {
  var signer encoding.MarshalUnmarshaler
- signer, _ = jws.NewHS256Signer(ms.Secret, "mock")
+ signer, _ = jws.NewHS256Signer(ms.Secret)
  jwt, _ := signer.Marshal(ms.Session)
  return string(jwt), ms.LoadError
 }
diff --git a/proxy/forward_auth_test.go b/proxy/forward_auth_test.go
index 510fce788..c36346d0e 100644
--- a/proxy/forward_auth_test.go
+++ b/proxy/forward_auth_test.go
@@ -88,7 +88,7 @@ func TestProxy_ForwardAuth(t *testing.T) {
  p.OnConfigChange(&config.Config{Options: tt.options})
  state := p.state.Load()
  state.sessionStore = tt.sessionStore
- signer, err := jws.NewHS256Signer(nil, "mock")
+ signer, err := jws.NewHS256Signer(nil)
  if err != nil {
  t.Fatal(err)
  }
diff --git a/proxy/state.go b/proxy/state.go
index ebb34ba45..0a2e54bbe 100644
--- a/proxy/state.go
+++ b/proxy/state.go
@@ -49,7 +49,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
  state.cookieSecret, _ = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
 
  // used to load and verify JWT tokens signed by the authenticate service
- state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), cfg.Options.GetAuthenticateURL().Host)
+ state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
  if err != nil {
  return nil, err
  }
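Review bot: In the mock_store.go hunk, `signer, _ = jws.NewHS256Signer(ms.Secret)` discards the constructor's error and the next context line then calls `signer.Marshal(ms.Session)`; if the constructor ever fails, `signer` is a nil interface and that call panics instead of the mock reporting a failure. LoadSession already returns `(string, error)`, so the `var signer` declaration can go and the two lines become `signer, err := jws.NewHS256Signer(ms.Secret)` followed by `if err != nil { return "", err }`. With the nil and zero keys the test hunks use, NewHS256Signer succeeds today, so this is a robustness point rather than a current failure.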