build(deps): bump github/codeql-action/autobuild from 4.35.3 to 4.36.2

Bumps [github/codeql-action/autobuild](https://github.com/github/codeql-action) from 4.35.3 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](e46ed2cbd0...8aad20d150)

---
updated-dependencies:
- dependency-name: github/codeql-action/autobuild
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/codeql-analysis-go.yml

@@ -59,7 +59,7 @@ jobs:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e  # v4.36.2
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3

app/vmauth/example_config.yml

@@ -140,18 +140,6 @@ users:
   - "ProjectID: {{.MetricsProjectID}}"
   url_prefix: "http://vminsert:8480/insert/prometheus"
 
-# JWT-based routing that relies solely on custom claims.
-# The `vm_access` claim is missing, default value will be used.
-# e.g. {"role": "admin"}.
-- name: jwt-custom-claims
-  jwt:
-    skip_verify: true
-    vm_default_access_claim:
-        metrics_account_id: 1
-    match_claims:
-      role: admin
-  url_prefix: "http://vmselect-admin:8481/select/0/prometheus"
-
 # Requests without Authorization header are proxied according to `unauthorized_user` section.
 # Requests are proxied in round-robin fashion between `url_prefix` backends.
 # The deny_partial_response query arg is added to all the proxied requests.

app/vmauth/jwt.go

@@ -65,8 +65,6 @@ type JWTConfig struct {
 	MatchClaims       map[string]string `yaml:"match_claims,omitempty"`
 	parsedMatchClaims []*jwt.Claim
 
-	DefaultVMAccessClaim *jwt.VMAccessClaim `yaml:"default_vm_access_claim,omitempty"`
-
 	// verifierPool is used to verify JWT tokens.
 	// It is initialized from PublicKeys and/or PublicKeyFiles.
 	// In this case, it is initialized once at config reload and never updated until next reload
@@ -434,6 +432,7 @@ func validateJWTPlaceholdersForURL(up *URLPrefix, isAllowed bool) error {
 			}
 			if strings.Contains(p, placeholderPrefix) {
 				return fmt.Errorf("invalid placeholder found in URL request path: %q, supported values are: %s", bu.Path, strings.Join(allPlaceholders, ", "))
+
 			}
 		}
 		for param, values := range bu.Query() {
@@ -488,6 +487,7 @@ func hasAnyPlaceholders(u *url.URL) bool {
 				return true
 			}
 		}
+
 	}
 	return false
 }

app/vmauth/main.go

@@ -190,10 +190,6 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		if tkn == nil {
 			logger.Panicf("BUG: unexpected nil jwt token for user %q", ui.name())
 		}
-		if !tkn.HasVMAccessClaim() && ui.JWT.DefaultVMAccessClaim == nil {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-			return true
-		}
 		defer putToken(tkn)
 		processUserRequest(w, r, ui, tkn)
 		return true
@@ -428,12 +424,8 @@ func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo, tkn *j
 		}
 		targetURL := bu.url
 		if tkn != nil {
-			vmac := tkn.VMAccess()
-			if !tkn.HasVMAccessClaim() {
-				vmac = ui.JWT.DefaultVMAccessClaim
-			}
 			// for security reasons allow templating only for configured url values and headers
-			targetURL, hc = replaceJWTPlaceholders(bu, hc, vmac)
+			targetURL, hc = replaceJWTPlaceholders(bu, hc, tkn.VMAccess())
 		}
 		if isDefault {
 			// Don't change path and add request_path query param for default route.

app/vmauth/main_test.go

@@ -739,12 +739,6 @@ users:
 		"vm_access": map[string]any{},
 	}, false)
 
-	// token without vm_access claim, but with a custom claim usable for routing
-	roleToken := genToken(t, map[string]any{
-		"exp":  time.Now().Add(10 * time.Minute).Unix(),
-		"role": "admin",
-	}, true)
-
 	fullToken := genToken(t, map[string]any{
 		"exp": time.Now().Add(10 * time.Minute).Unix(),
 		"vm_access": map[string]any{
@@ -785,26 +779,6 @@ statusCode=401
 Unauthorized`
 	f(simpleCfgStr, request, responseExpected)
 
-	// token without vm_access claim is accepted when it
-	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
-	request.Header.Set(`Authorization`, `Bearer `+roleToken)
-	responseExpected = `
-statusCode=200
-path: /foo/abc
-query:
-headers:`
-	f(fmt.Sprintf(`
-users:
-- jwt:
-    public_keys:
-    - %q
-    default_vm_access_claim:
-      metrics_account_id: 10
-      metrics_project_id: 10
-    match_claims:
-      role: admin
-  url_prefix: {BACKEND}/foo`, string(publicKeyPEM)), request, responseExpected)
-
 	// expired token
 	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
 	request.Header.Set(`Authorization`, `Bearer `+expiredToken)

docs/victoriametrics/changelog/CHANGELOG.md

@@ -26,8 +26,6 @@ See also [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-rel
 
 ## tip
 
-* FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): add `default_vm_access_claim` field into `jwt` section of auth config. It could be used at [JWT claim placeholders](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-based-request-templating), if `JWT` token doesn't have `vm_access` claim. See [#11054](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11054).
-
 * BUGFIX: `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): propagate cache reset operation to `selectNode` when `/internal/resetRollupResultCache` is called. Previously, the propagation only happened when the `delete_series` API was called. See [#11112](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11112).
 * BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): fix possible unexpected increases in `rate_avg` and `rate_sum` if an out-of-order sample is ingested after the previous flush. See [#11140](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11140).
 

docs/victoriametrics/vmauth.md

@@ -270,7 +270,7 @@ users:
   url_prefix: "http://victoria-metrics:8428/"
 ```
 
-The `vm_access` claim is optional starting from {{% available_from "#" %}}: when present it is used for [request templating](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-based-request-templating), and when absent the default tenant `0:0` is assumed for any `vm_access`-based placeholders. Routing can rely solely on other token claims via [JWT claim matching](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-matching).
+JWT tokens must contain a `"vm_access": {}` claim, more on that in [JWT claim-based request templating](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-claim-based-request-templating)
 
 For testing, skip signature verification with `skip_verify: true` (not recommended for production).
 
@@ -520,8 +520,7 @@ for dynamic URL rewriting based on `vm_access` claim fields.
 
 `vmauth` can dynamically rewrite{{% available_from "v1.137.0" %}} upstream URLs and request headers using values from the JWT `vm_access` claim. 
 This enables routing different users to different backends or tenants based solely on the JWT token, 
-without maintaining separate user configs per tenant. In addition `vm_access` claim could be defined at `jwt` section with `default_vm_access_claim` {{% available_from "#" %}}.
-In this case, if JWT token doesn't have `vm_access` claim defined, value from `default_vm_access_claim` will be used for templaing.
+without maintaining separate user configs per tenant.
 
 Example: minimal valid JWT. If vm_access is empty, tenant `0:0` is assumed and no additional filters are applied.
 ```json
@@ -576,28 +575,6 @@ Placeholders are supported in the following locations:
 Placeholders are **not** supported in response headers. 
 They are also only valid for JWT-authenticated users — using them in configs for `username`/`password` or `bearer_token` users causes a configuration error.
 
-Example: default `vm_access` claim:
-
-```yaml
-users:
-- jwt:
-    default_vm_access_claim:
-      metrics_account_id: 10
-      metrics_project_id: 10
-      metrics_extra_filters:
-      - '{instance="sandbox"}'
-      metrics_extra_labels:
-      - team=dev
-      - env=dev
-    public_keys:
-    - |
-      -----BEGIN PUBLIC KEY-----
-      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-      -----END PUBLIC KEY-----
-  url_prefix: "http://vminsert:8480/insert/{{.MetricsAccountID}}:{{.MetricsProjectID}}/prometheus/?extra_filters={{.MetricsExtraFilters}}&extra_label={{.MetricsExtraLabels}}"
-```
-
-
 Example: route requests to the VictoriaMetrics single-node:
 
 ```yaml

lib/jwt/jwt.go

@@ -105,10 +105,6 @@ type body struct {
 	Scope         string `json:"scope,omitempty"`
 	vmAccessClaim VMAccessClaim
 
-	// hasVMAccess is set to true when the token body contains a `vm_access` claim.
-	// Presence enforcement is left to the caller via Token.HasVMAccess.
-	hasVMAccess bool
-
 	buf []byte
 	p   *fastjson.Parser
 
@@ -125,6 +121,7 @@ type body struct {
 }
 
 func (b *body) parse(src string) error {
+
 	var err error
 	b.buf, err = decodeB64(b.buf[:0], src)
 	if err != nil {
@@ -135,9 +132,6 @@ func (b *body) parse(src string) error {
 	if err != nil {
 		return err
 	}
-	if jv.Type() != fastjson.TypeObject {
-		return fmt.Errorf("unexpected non json object; type: %q", jv.Type())
-	}
 	if expObject := jv.Get("exp"); expObject != nil {
 		b.Exp, err = expObject.Int64()
 		if err != nil {
@@ -159,31 +153,30 @@ func (b *body) parse(src string) error {
 	}
 
 	vaObject := jv.Get("vm_access")
-	switch {
-	case vaObject == nil || vaObject.Type() == fastjson.TypeNull:
-		b.hasVMAccess = false
-	default:
-		// some IDPs encode custom claims as a string
-		// try parsing as an object and fallback to a string
-		switch vaObject.Type() {
-		case fastjson.TypeObject:
-			if err := b.vmAccessClaim.parseFrom(vaObject); err != nil {
-				return err
-			}
-		case fastjson.TypeString:
-			b.claimsParser = parserPool.Get()
-			va, err := b.claimsParser.ParseBytes(vaObject.GetStringBytes())
-			if err != nil {
-				return fmt.Errorf("cannot parse `vm_access` string json: %w", err)
-			}
-			if err := b.vmAccessClaim.parseFrom(va); err != nil {
-				return fmt.Errorf("cannot parse `vm_access` values from string json: %w", err)
-			}
-			b.vmAccessClaimObject = va
-		default:
-			return fmt.Errorf("unexpected type for `vm_access` field; got: %q, want object {}", vaObject.Type())
+	if vaObject == nil {
+		return ErrVMAccessFieldMissing
+	}
+	// some IDPs encode custom claims as a string
+	// try parsing as an object and fallback to a string
+	switch vaObject.Type() {
+	case fastjson.TypeObject:
+		if err := b.vmAccessClaim.parseFrom(vaObject); err != nil {
+			return err
 		}
-		b.hasVMAccess = true
+	case fastjson.TypeString:
+		b.claimsParser = parserPool.Get()
+		va, err := b.claimsParser.ParseBytes(vaObject.GetStringBytes())
+		if err != nil {
+			return fmt.Errorf("cannot parse `vm_access` string json: %w", err)
+		}
+		if err := b.vmAccessClaim.parseFrom(va); err != nil {
+			return fmt.Errorf("cannot parse `vm_access` values from string json: %w", err)
+		}
+		b.vmAccessClaimObject = va
+	case fastjson.TypeNull:
+		return ErrVMAccessFieldMissing
+	default:
+		return fmt.Errorf("unexpected type for `vm_access` field; got: %q, want object {}", vaObject.Type())
 	}
 	b.Jti = bytesutil.ToUnsafeString(jv.GetStringBytes("jti"))
 
@@ -225,7 +218,6 @@ func (b *body) reset() {
 	b.buf = b.buf[:0]
 	b.allClaims = nil
 	b.vmAccessClaim.reset()
-	b.hasVMAccess = false
 	if b.p != nil {
 		parserPool.Put(b.p)
 		b.p = nil
@@ -237,9 +229,11 @@ func (b *body) reset() {
 	if b.vmAccessClaimObject != nil {
 		b.vmAccessClaimObject = nil
 	}
+
 }
 
 // Parse parses JWT token from given source string
+//
 // Token field is valid until src is reachable
 func (t *Token) Parse(src string, enforceAuthPrefix bool) error {
 	if enforceAuthPrefix && (len(src) < len(prefix) || !strings.EqualFold(src[:len(prefix)], prefix)) {
@@ -274,11 +268,6 @@ func (t *Token) Parse(src string, enforceAuthPrefix bool) error {
 	return nil
 }
 
-// HasVMAccessClaim reports whether the parsed token contains a `vm_access` claim.
-func (t *Token) HasVMAccessClaim() bool {
-	return t.body.hasVMAccess
-}
-
 // Issuer returns `iss` claim value from token body
 func (t *Token) Issuer() string {
 	return t.body.Iss
@@ -382,30 +371,30 @@ func (t *Token) Reset() {
 
 // VMAccessClaim represent JWT claim object
 type VMAccessClaim struct {
-	MetricsExtraFilters    []string `json:"metrics_extra_filters,omitempty" yaml:"metrics_extra_filters,omitempty"`
-	MetricsExtraLabels     []string `json:"metrics_extra_labels,omitempty" yaml:"metrics_extra_labels,omitempty"`
-	LogsExtraFilters       []string `json:"logs_extra_filters,omitempty" yaml:"logs_extra_filters,omitempty"`
-	LogsExtraStreamFilters []string `json:"logs_extra_stream_filters,omitempty" yaml:"logs_extra_stream_filters,omitempty"`
+	MetricsExtraFilters    []string `json:"metrics_extra_filters,omitempty"`
+	MetricsExtraLabels     []string `json:"metrics_extra_labels,omitempty"`
+	LogsExtraFilters       []string `json:"logs_extra_filters,omitempty"`
+	LogsExtraStreamFilters []string `json:"logs_extra_stream_filters,omitempty"`
 
-	MetricsAccountID uint32 `json:"metrics_account_id,omitempty" yaml:"metrics_account_id,omitempty"`
-	MetricsProjectID uint32 `json:"metrics_project_id,omitempty" yaml:"metrics_project_id,omitempty"`
+	MetricsAccountID uint32 `json:"metrics_account_id,omitempty"`
+	MetricsProjectID uint32 `json:"metrics_project_id,omitempty"`
 
-	LogsAccountID uint32 `json:"logs_account_id,omitempty" yaml:"logs_account_id,omitempty"`
-	LogsProjectID uint32 `json:"logs_project_id,omitempty" yaml:"logs_project_id,omitempty"`
+	LogsAccountID uint32 `json:"logs_account_id,omitempty"`
+	LogsProjectID uint32 `json:"logs_project_id,omitempty"`
 
 	// Properties below are deprecated and retained only for compatibility with vmgateway, which is itself deprecated.
 
 	// promql filters applied to each select query
 	// Deprecated
-	ExtraFilters []string `json:"extra_filters,omitempty" yaml:"-"`
+	ExtraFilters []string `json:"extra_filters,omitempty"`
 	// Deprecated
-	Tenant TenantID `json:"tenant_id" yaml:"-"`
+	Tenant TenantID `json:"tenant_id"`
 	// role can be denied as 1 = read, 2 = write, 3 = read and write
 	// 0 = unconfigured - read and write
 	// Deprecated
-	Mode int `json:"mode,omitempty" yaml:"-"`
+	Mode int `json:"mode,omitempty"`
 	// Deprecated
-	Labels []string `json:"extra_labels,omitempty" yaml:"-"`
+	Labels []string `json:"extra_labels,omitempty"`
 	// labelsBuf holds allocated memory for Labels
 	// Deprecated
 	labelsBuf []byte
@@ -436,6 +425,7 @@ func (vac *VMAccessClaim) reset() {
 }
 
 func (vac *VMAccessClaim) parseFrom(jv *fastjson.Value) error {
+
 	if err := vac.Tenant.parseFrom(jv); err != nil {
 		return err
 	}
@@ -579,9 +569,6 @@ func NewToken(auth string, enforceAuthPrefix bool) (*Token, error) {
 	if err := t.parse(jwt[0], jwt[1], jwt[2]); err != nil {
 		return nil, err
 	}
-	if !t.body.hasVMAccess {
-		return nil, ErrVMAccessFieldMissing
-	}
 	return &t, nil
 }
 

lib/jwt/jwt_test.go

@@ -168,10 +168,17 @@ func TestParseJWTBody_Failure(t *testing.T) {
 		true,
 	)
 
-	// non-object body type
+	// invalid body type json
 	f(
 		`[]`,
-		`unexpected non json object; type: "array"`,
+		"missing `vm_access` claim",
+		true,
+	)
+
+	// missing vm_access claim
+	f(
+		`{}`,
+		"missing `vm_access` claim",
 		true,
 	)
 
@@ -182,6 +189,13 @@ func TestParseJWTBody_Failure(t *testing.T) {
 		true,
 	)
 
+	// vm_access claim null
+	f(
+		`{"vm_access": null}`,
+		"missing `vm_access` claim",
+		true,
+	)
+
 	// invalid vm_access: account_id type mismatch
 	f(
 		`{"vm_access": {"tenant_id": {"account_id": "1", "project_id": 5}}}`,
@@ -541,33 +555,6 @@ func TestParseJWTBody_Success(t *testing.T) {
 	)
 }
 
-func TestParseJWTBody_VMAccessPresence(t *testing.T) {
-	f := func(data string, wantHasVMAccess bool) {
-		t.Helper()
-
-		encodedLen := base64.RawURLEncoding.EncodedLen(len(data))
-		encoded := make([]byte, encodedLen)
-		base64.RawURLEncoding.Encode(encoded, []byte(data))
-
-		var b body
-		if err := b.parse(string(encoded)); err != nil {
-			t.Fatalf("unexpected error: %s", err)
-		}
-		if b.hasVMAccess != wantHasVMAccess {
-			t.Fatalf("unexpected hasVMAccess; got %v; want %v", b.hasVMAccess, wantHasVMAccess)
-		}
-	}
-
-	// vm_access claim is present
-	f(`{"vm_access": {}}`, true)
-	f(`{"vm_access": {"metrics_account_id": 1}}`, true)
-
-	// vm_access claim is absent or null - parsing must succeed with hasVMAccess=false
-	f(`{}`, false)
-	f(`{"vm_access": null}`, false)
-	f(`{"role": "admin"}`, false)
-}
-
 func TestNewTokenFromRequest_Failure(t *testing.T) {
 	f := func(r *http.Request) {
 		t.Helper()
@@ -879,6 +866,7 @@ func TestNewTokenFromRequest_Success(t *testing.T) {
 }
 
 func TestTokenMatchClaims(t *testing.T) {
+
 	/*
 		{
 		  "iss": "https://login.microsoftonline.com/-6691-4868-a77b-1b0f9bbe5f43/v2.0",