Merge branch 'master' into fix/escape_pipe_char_for_consent_flow

.github/workflows/ci.yaml

@@ -94,7 +94,7 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.55.2
+          version: v1.61.0
           skip-pkg-cache: true
       - name: Run go-acc (tests)
         run: |

.github/workflows/pm.yml

@@ -0,0 +1,29 @@
+name: Synchronize with product board
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+
+jobs:
+  automate:
+    if: github.event.pull_request.head.repo.fork == false
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: ory-corp/[email protected]
+        with:
+          organization: ory-corp
+          project: 5
+          token: ${{ secrets.ORY_BOT_PAT }}
+          todoLabel: "Needs Triage"
+          statusName: Status
+          statusValue: "Needs Triage"
+          includeEffort: "false"
+          monthlyMilestoneName: Roadmap Monthly
+          quarterlyMilestoneName: Roadmap

.golangci.yml

@@ -8,11 +8,9 @@ linters:
     - goimports
   disable:
     - ineffassign
-    - deadcode
     - unused
-    - structcheck
 
-run:
-  skip-files:
+issues:
+  exclude-files:
     - ".+_test.go"
     - ".+_test_.+.go"

.schema/config.schema.json

@@ -40,7 +40,7 @@
         },
         "mode": {
           "type": "integer",
-          "description": "Mode of unix socket in numeric form",
+          "description": "Mode of unix socket in numeric form, base 10.",
           "default": 493,
           "minimum": 0,
           "maximum": 511
@@ -1168,7 +1168,7 @@
       "examples": ["cpu"]
     },
     "tracing": {
-      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.612-0.20240130132700-6275e3f1ad0d/otelx/config.schema.json"
+      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.612/otelx/config.schema.json"
     },
     "sqa": {
       "type": "object",

Makefile

@@ -5,7 +5,7 @@ export PATH 					:= .bin:${PATH}
 export PWD 						:= $(shell pwd)
 export IMAGE_TAG 			:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
-GOLANGCI_LINT_VERSION = 1.55.2
+GOLANGCI_LINT_VERSION = 1.61.0
 
 GO_DEPENDENCIES = github.com/ory/go-acc \
 				  github.com/golang/mock/mockgen \

client/validator.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/url"
 	"strings"
 
@@ -233,6 +234,7 @@ func (v *Validator) ValidateSectorIdentifierURL(ctx context.Context, location st
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithDebug(fmt.Sprintf("Unable to connect to URL set by sector_identifier_uri: %s", err)))
 	}
 	defer response.Body.Close()
+	response.Body = io.NopCloser(io.LimitReader(response.Body, 5<<20 /* 5 MiB */))
 
 	var urls []string
 	if err := json.NewDecoder(response.Body).Decode(&urls); err != nil {

cmd/.snapshots/TestUpdateClient-case=updates_from_file-file=from_disk.json

@@ -0,0 +1,24 @@
+{
+  "client_name": "updated through file from disk",
+  "client_secret_expires_at": 0,
+  "client_uri": "",
+  "grant_types": [
+    "implicit"
+  ],
+  "jwks": {},
+  "logo_uri": "",
+  "metadata": {},
+  "owner": "",
+  "policy_uri": "",
+  "request_object_signing_alg": "RS256",
+  "response_types": [
+    "code"
+  ],
+  "scope": "offline_access offline openid",
+  "skip_consent": false,
+  "skip_logout_consent": false,
+  "subject_type": "public",
+  "token_endpoint_auth_method": "client_secret_basic",
+  "tos_uri": "",
+  "userinfo_signed_response_alg": "none"
+}

cmd/.snapshots/TestUpdateClient-case=updates_from_file-file=stdin.json

@@ -0,0 +1,24 @@
+{
+  "client_name": "updated through file stdin",
+  "client_secret_expires_at": 0,
+  "client_uri": "",
+  "grant_types": [
+    "implicit"
+  ],
+  "jwks": {},
+  "logo_uri": "",
+  "metadata": {},
+  "owner": "",
+  "policy_uri": "",
+  "request_object_signing_alg": "RS256",
+  "response_types": [
+    "code"
+  ],
+  "scope": "offline_access offline openid",
+  "skip_consent": false,
+  "skip_logout_consent": false,
+  "subject_type": "public",
+  "token_endpoint_auth_method": "client_secret_basic",
+  "tos_uri": "",
+  "userinfo_signed_response_alg": "none"
+}

cmd/cli/handler_migrate.go

@@ -5,15 +5,13 @@ package cli
 
 import (
 	"bytes"
-	"context"
 	"fmt"
 	"io"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
-	"time"
 
 	"github.com/ory/x/popx"
 	"github.com/ory/x/servicelocatorx"
@@ -22,8 +20,6 @@ import (
 
 	"github.com/ory/x/configx"
 
-	"github.com/ory/x/errorsx"
-
 	"github.com/ory/x/cmdx"
 
 	"github.com/spf13/cobra"
@@ -317,96 +313,26 @@ func (h *MigrateHandler) makePersister(cmd *cobra.Command, args []string) (p per
 	return d.Persister(), nil
 }
 
-func (h *MigrateHandler) MigrateSQL(cmd *cobra.Command, args []string) (err error) {
+func (h *MigrateHandler) MigrateSQLUp(cmd *cobra.Command, args []string) (err error) {
 	p, err := h.makePersister(cmd, args)
 	if err != nil {
 		return err
 	}
-	conn := p.Connection(context.Background())
-	if conn == nil {
-		_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Migrations can only be executed against a SQL-compatible driver but DSN is not a SQL source.")
-		return cmdx.FailSilently(cmd)
-	}
-
-	if err := conn.Open(); err != nil {
-		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not open the database connection:\n%+v\n", err)
-		return cmdx.FailSilently(cmd)
-	}
-
-	// convert migration tables
-	if err := p.PrepareMigration(context.Background()); err != nil {
-		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not convert the migration table:\n%+v\n", err)
-		return cmdx.FailSilently(cmd)
-	}
-
-	// print migration status
-	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "The following migration is planned:")
+	return popx.MigrateSQLUp(cmd, p)
+}
 
-	status, err := p.MigrationStatus(context.Background())
+func (h *MigrateHandler) MigrateSQLDown(cmd *cobra.Command, args []string) (err error) {
+	p, err := h.makePersister(cmd, args)
 	if err != nil {
-		fmt.Fprintf(cmd.ErrOrStderr(), "Could not get the migration status:\n%+v\n", errorsx.WithStack(err))
-		return cmdx.FailSilently(cmd)
-	}
-	_ = status.Write(os.Stdout)
-
-	if !flagx.MustGetBool(cmd, "yes") {
-		_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "To skip the next question use flag --yes (at your own risk).")
-		if !cmdx.AskForConfirmation("Do you wish to execute this migration plan?", nil, nil) {
-			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Migration aborted.")
-			return nil
-		}
-	}
-
-	// apply migrations
-	if err := p.MigrateUp(context.Background()); err != nil {
-		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not apply migrations:\n%+v\n", errorsx.WithStack(err))
-		return cmdx.FailSilently(cmd)
+		return err
 	}
-
-	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Successfully applied migrations!")
-	return nil
+	return popx.MigrateSQLDown(cmd, p)
 }
 
 func (h *MigrateHandler) MigrateStatus(cmd *cobra.Command, args []string) error {
 	p, err := h.makePersister(cmd, args)
 	if err != nil {
 		return err
 	}
-	conn := p.Connection(context.Background())
-	if conn == nil {
-		_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Migrations can only be checked against a SQL-compatible driver but DSN is not a SQL source.")
-		return cmdx.FailSilently(cmd)
-	}
-
-	if err := conn.Open(); err != nil {
-		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not open the database connection:\n%+v\n", err)
-		return cmdx.FailSilently(cmd)
-	}
-
-	block := flagx.MustGetBool(cmd, "block")
-	ctx := cmd.Context()
-	s, err := p.MigrationStatus(ctx)
-	if err != nil {
-		_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not get migration status: %+v\n", err)
-		return cmdx.FailSilently(cmd)
-	}
-
-	for block && s.HasPending() {
-		_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Waiting for migrations to finish...\n")
-		for _, m := range s {
-			if m.State == popx.Pending {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), " - %s\n", m.Name)
-			}
-		}
-		time.Sleep(time.Second)
-		s, err = p.MigrationStatus(ctx)
-		if err != nil {
-			_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "Could not get migration status: %+v\n", err)
-			return cmdx.FailSilently(cmd)
-		}
-	}
-
-	cmdx.PrintTable(cmd, s)
-	return nil
-
+	return popx.MigrateStatus(cmd, p)
 }

cmd/cmd_create_client.go

@@ -17,6 +17,8 @@ import (
 )
 
 const (
+	flagFile = "file"
+
 	flagClientAccessTokenStrategy               = "access-token-strategy"
 	flagClientAllowedCORSOrigin                 = "allowed-cors-origin"
 	flagClientAudience                          = "audience"
@@ -87,7 +89,10 @@ To encrypt an auto-generated OAuth2 Client Secret, use flags ` + "`--pgp-key`" +
 			}
 
 			secret := flagx.MustGetString(cmd, flagClientSecret)
-			cl := clientFromFlags(cmd)
+			cl, err := clientFromFlags(cmd)
+			if err != nil {
+				return err
+			}
 			cl.ClientId = pointerx.Ptr(flagx.MustGetString(cmd, flagClientId))
 
 			//nolint:bodyclose

cmd/cmd_helper_client.go

@@ -5,6 +5,8 @@ package cmd
 
 import (
 	"encoding/json"
+	"fmt"
+	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -16,7 +18,24 @@ import (
 	"github.com/ory/x/pointerx"
 )
 
-func clientFromFlags(cmd *cobra.Command) hydra.OAuth2Client {
+func clientFromFlags(cmd *cobra.Command) (hydra.OAuth2Client, error) {
+	if filename := flagx.MustGetString(cmd, flagFile); filename != "" {
+		src := cmd.InOrStdin()
+		if filename != "-" {
+			f, err := os.Open(filename)
+			if err != nil {
+				return hydra.OAuth2Client{}, fmt.Errorf("unable to open file %q: %w", filename, err)
+			}
+			defer f.Close()
+			src = f
+		}
+		client := hydra.OAuth2Client{}
+		if err := json.NewDecoder(src).Decode(&client); err != nil {
+			return hydra.OAuth2Client{}, fmt.Errorf("unable to decode JSON: %w", err)
+		}
+		return client, nil
+	}
+
 	return hydra.OAuth2Client{
 		AccessTokenStrategy:               pointerx.Ptr(flagx.MustGetString(cmd, flagClientAccessTokenStrategy)),
 		AllowedCorsOrigins:                flagx.MustGetStringSlice(cmd, flagClientAllowedCORSOrigin),
@@ -47,7 +66,7 @@ func clientFromFlags(cmd *cobra.Command) hydra.OAuth2Client {
 		SubjectType:                       pointerx.Ptr(flagx.MustGetString(cmd, flagClientSubjectType)),
 		TokenEndpointAuthMethod:           pointerx.Ptr(flagx.MustGetString(cmd, flagClientTokenEndpointAuthMethod)),
 		TosUri:                            pointerx.Ptr(flagx.MustGetString(cmd, flagClientTOSURI)),
-	}
+	}, nil
 }
 
 func registerEncryptFlags(flags *pflag.FlagSet) {
@@ -58,6 +77,8 @@ func registerEncryptFlags(flags *pflag.FlagSet) {
 }
 
 func registerClientFlags(flags *pflag.FlagSet) {
+	flags.String(flagFile, "", "Read a JSON file representing a client from this location. If set, the other client flags are ignored.")
+
 	flags.String(flagClientMetadata, "{}", "Metadata is an arbitrary JSON String of your choosing.")
 	flags.String(flagClientOwner, "", "The owner of this client, typically email addresses or a user ID.")
 	flags.StringSlice(flagClientContact, nil, "A list representing ways to contact people responsible for this client, typically email addresses.")