From b1d72c829b20cfa2f5d23deecb3cee3e95f0819c Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Fri, 31 Jul 2020 09:50:06 -0600
Subject: [PATCH] pomerium-cli: fix kubernetes token caching (#1169)
* pomerium-cli: fix kubernetes token caching
* switch to jose v2
---
 cmd/pomerium-cli/kubernetes.go | 14 +++++++-------
 go.mod | 1 -
 go.sum | 2 --
 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/cmd/pomerium-cli/kubernetes.go b/cmd/pomerium-cli/kubernetes.go
index c8697080a..b34e75475 100644
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@@ -14,9 +14,9 @@ import (
 "github.com/skratchdot/open-golang/open"
 "github.com/spf13/cobra"
- "github.com/square/go-jose/jwt"
 "golang.org/x/crypto/ssh/terminal"
 "golang.org/x/sync/errgroup"
+ jose "gopkg.in/square/go-jose.v2"
 )
 func init() {
@@ -155,22 +155,22 @@ func runHandleJWT(ctx context.Context, serverURL *url.URL, incomingJWT chan stri
 }
 func parseToken(rawjwt string) (*ExecCredential, error) {
- tok, err := jwt.ParseSigned(rawjwt)
+ tok, err := jose.ParseSigned(rawjwt)
 if err != nil {
 return nil, err
 }
 var claims struct {
- Exp int64 `json:"exp"`
+ Expiry int64 `json:"exp"`
 }
- err = tok.UnsafeClaimsWithoutVerification(&claims)
+ err = json.Unmarshal(tok.UnsafePayloadWithoutVerification(), &claims)
 if err != nil {
 return nil, err
 }
- expiresAt := time.Unix(claims.Exp, 0)
+ expiresAt := time.Unix(claims.Expiry, 0)
 if expiresAt.IsZero() {
- expiresAt = time.Now().Add(time.Minute)
+ expiresAt = time.Now().Add(time.Hour)
 }
 return &ExecCredential{
@@ -179,7 +179,7 @@ func parseToken(rawjwt string) (*ExecCredential, error) {
 Kind: "ExecCredential",
 },
 Status: &ExecCredentialStatus{
- ExpirationTimestamp: time.Now().Add(time.Second * 10),
+ ExpirationTimestamp: expiresAt,
 Token: "Pomerium-" + rawjwt,
 },
 }, nil
diff --git a/go.mod b/go.mod
index 1e5a98940..802d3fa4b 100644
--- a/go.mod
+++ b/go.mod
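Review bot: The `expiresAt.IsZero()` fallback in parseToken cannot fire, because `time.Unix(claims.Expiry, 0)` for a token with no `exp` yields the Unix epoch (1970), not Go's zero `time.Time` (year 1). A token without `exp` therefore ends up with an expiry in the past instead of the one-hour default this hunk sets. Test the claim itself rather than the converted time: `if claims.Expiry == 0 {`. parseToken's body continues past the end of this hunk.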
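Review bot: `ExpirationTimestamp: expiresAt` now takes its value from a payload read with `UnsafePayloadWithoutVerification()`, so an unverified `exp` decides how long the credential stays cached on the client, where the old code fixed it at ten seconds. That is probably acceptable if the server validates the token on every request (not visible here), but it deserves a comment saying so, e.g. `// exp is unverified and only bounds local caching; the server remains the authority on token validity`. An upper bound would also keep a far-future or malformed `exp` from pinning a stale token: `if limit := time.Now().Add(maxCredentialTTL); expiresAt.After(limit) { expiresAt = limit }`, with `maxCredentialTTL` a new constant chosen for this CLI. The function starts before this hunk.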
@@ -53,7 +53,6 @@ require (
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/spf13/viper v1.7.0
- github.com/square/go-jose v2.5.1+incompatible
 github.com/stretchr/testify v1.6.1
 github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
 github.com/uber/jaeger-client-go v2.20.1+incompatible // indirect
diff --git a/go.sum b/go.sum
index b7dae9945..9cd234b1c 100644
--- a/go.sum
+++ b/go.sum
@@ -534,8 +534,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/square/go-jose v2.5.1+incompatible h1:FC+BwI9FzJZWpKaE0yUhFNbp/CyFHndARzuGVME/LGk= -github.com/square/go-jose v2.5.1+incompatible/go.mod h1:7MxpAF/1WTVUu8Am+T5kNy+t0902CaLWM4Z745MkOa8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=