Upgrade go-jose library to v3

[sagikazarmark]

go-jose v2 is EOL as of 27 February: https://github.com/square/go-jose

This PR upgrades the API to use v3 of the library: https://github.com/go-jose/go-jose

[hashicorp-cla]

All committers have signed the CLA.

[cipherboy]

Many thanks for this, @sagikazarmark! Are you interested in another PR for the rest of Vault (the core server implementation)?

[cipherboy]

Ah yes, we can't update just the API's version without bumping it in the main /go.mod version as well:

Error: api/plugin_helpers.go:17:2: github.com/hashicorp/vault/api@v1.9.1 requires
	github.com/go-jose/go-jose/v3@v3.0.0: missing go.sum entry; to add it:
	go mod download github.com/go-jose/go-jose/v3
make: *** [Makefile:292: ci-build] Error 1
Error: Process completed with exit code 2.

I think go mod tidy is sufficient to fix this without having to update the main Vault version as well.

[sagikazarmark]

Sure, let me take a look.

[sagikazarmark]

@cipherboy ran go mod tidy.

[maxb]

Are you interested in another PR for the rest of Vault (the core server implementation)?

Maybe just do it all in this PR? It would be a bit weird to prioritize updating the single use-case in api, which is in code which is only used in Vault plugin development, and is disabled and skipped anyway, when running with a modern Vault version with modern go-plugin auto-mTLS support.

[sagikazarmark]

@maxb updated all occurrences in Vault code as well. The remaining imports are due to references to older versions of the api:

❯ grep -r square/go-jose .
./go.mod:       gopkg.in/square/go-jose.v2 v2.6.0 // indirect
./go.sum:gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./go.sum:gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./go.sum:gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
./go.sum:gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./sdk/go.mod:   gopkg.in/square/go-jose.v2 v2.6.0 // indirect
./sdk/go.sum:gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
./sdk/go.sum:gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/userpass/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/userpass/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/azure/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/azure/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/ldap/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/ldap/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/approle/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/approle/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/gcp/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/gcp/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/aws/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/aws/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
./api/auth/kubernetes/go.sum:gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
./api/auth/kubernetes/go.sum:gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

[cipherboy]

This looks good from my side. It appears the remaining usage of go-jose v2 is in the Okta plugin:

[cipherboy@xps15 okta]$ go mod why gopkg.in/square/go-jose.v2
# gopkg.in/square/go-jose.v2
github.com/hashicorp/vault/builtin/credential/okta
github.com/okta/okta-sdk-golang/v2/okta
gopkg.in/square/go-jose.v2

@miagilepner / @hghaf099, do either of you two know if there's a later version of okta-sdk-golang that uses go-jose v3?

[sagikazarmark]

@cipherboy doesn't look like it. I'm gonna send a PR to them as well, but I don't think that should be a blocker (not at least for merging the PR/an API release).

Auth libraries will also have the old jose library as a reference, until the API is updated: https://github.com/hashicorp/vault/tree/main/api/auth

[sagikazarmark]

okta/okta-sdk-golang#377

[swenson]

LGTM

[sagikazarmark]

@cipherboy @maxb anything else I need to do to get this merged? Thanks!

[cipherboy]

@sagikazarmark Many thanks for the ping :-) I've pushed a changelog entry for this one and set this to auto-merge.

[cipherboy]

@sagikazarmark Thank you for the PR! I've subscribed to the Okta PR so I'll get a reminder to update when that one merges.

[sagikazarmark]

Perfect! Thanks!

[sagikazarmark]

@cipherboy any ETA for the next API release?

[cipherboy]

@sagikazarmark I'm not sure the exact date, but within the coming weeks I'd expect: #20808

[sagikazarmark]

Thanks!