Merge remote-tracking branch 'origin/master' into hperl/improve-batch…

…-patch-identities-error-messages

.github/workflows/ci.yaml

@@ -28,7 +28,7 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:14
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
@@ -111,15 +111,15 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:14
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:5.7
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -222,15 +222,15 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:14
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:5.7
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:

Makefile

@@ -32,9 +32,8 @@ $(call make-lint-dependency)
 	echo "deprecated usage, use docs/cli instead"
 	go build -o .bin/clidoc ./cmd/clidoc/.
 
-.PHONY: .bin/yq
-.bin/yq:
-	go build -o .bin/yq github.com/mikefarah/yq/v4
+.bin/yq: Makefile
+	GOBIN=$(PWD)/.bin go install github.com/mikefarah/yq/[email protected]
 
 .PHONY: docs/cli
 docs/cli:
@@ -58,17 +57,31 @@ docs/swagger:
 	curl https://raw.githubusercontent.com/ory/meta/master/install.sh | bash -s -- -b .bin ory v0.2.2
 	touch -a -m .bin/ory
 
+.bin/buf: Makefile
+	curl -sSL \
+	"https://github.com/bufbuild/buf/releases/download/v1.39.0/buf-$(shell uname -s)-$(shell uname -m).tar.gz" | \
+	tar -xvzf - -C ".bin/" --strip-components=2 buf/bin/buf buf/bin/protoc-gen-buf-breaking buf/bin/protoc-gen-buf-lint 
+	touch -a -m .bin/buf
+
 .PHONY: lint
 lint: .bin/golangci-lint
-	golangci-lint run -v --timeout 10m ./...
+	.bin/golangci-lint run -v --timeout 10m ./...
+	.bin/buf lint
 
 .PHONY: mocks
 mocks: .bin/mockgen
 	mockgen -mock_names Manager=MockLoginExecutorDependencies -package internal -destination internal/hook_login_executor_dependencies.go github.com/ory/kratos/selfservice loginExecutorDependencies
 
+.PHONY: proto
+proto: gen/oidc/v1/state.pb.go
+
+gen/oidc/v1/state.pb.go: proto/oidc/v1/state.proto buf.yaml buf.gen.yaml .bin/buf .bin/goimports
+	.bin/buf generate
+	.bin/goimports -w gen/
+
 .PHONY: install
 install:
-	GO111MODULE=on go install -tags sqlite .
+	go install -tags sqlite .
 
 .PHONY: test-resetdb
 test-resetdb:
@@ -163,11 +176,12 @@ authors:  # updates the AUTHORS file
 
 # Formats the code
 .PHONY: format
-format: .bin/goimports .bin/ory node_modules
-	.bin/ory dev headers copyright --exclude=internal/httpclient --exclude=internal/client-go --exclude test/e2e/proxy/node_modules --exclude test/e2e/node_modules --exclude node_modules
+format: .bin/goimports .bin/ory node_modules .bin/buf
+	.bin/ory dev headers copyright --exclude=gen --exclude=internal/httpclient --exclude=internal/client-go --exclude test/e2e/proxy/node_modules --exclude test/e2e/node_modules --exclude node_modules
 	goimports -w -local github.com/ory .
 	npm exec -- prettier --write 'test/e2e/**/*{.ts,.js}'
 	npm exec -- prettier --write '.github'
+	.bin/buf format --write
 
 # Build local docker image
 .PHONY: docker

buf.gen.yaml

@@ -0,0 +1,12 @@
+version: v2
+managed:
+  enabled: true
+  override:
+    - file_option: go_package_prefix
+      value: github.com/ory/kratos
+plugins:
+  - remote: buf.build/protocolbuffers/go
+    out: gen
+    opt: paths=source_relative
+inputs:
+  - directory: proto

buf.yaml

@@ -0,0 +1,9 @@
+version: v2
+modules:
+  - path: proto
+lint:
+  use:
+    - DEFAULT
+breaking:
+  use:
+    - FILE

cipher/chacha20.go

@@ -8,6 +8,7 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"io"
+	"math"
 
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/chacha20poly1305"
@@ -43,6 +44,11 @@ func (c *XChaCha20Poly1305) Encrypt(ctx context.Context, message []byte) (string
 		return "", herodot.ErrInternalServerError.WithWrap(err).WithReason("Unable to generate key")
 	}
 
+	// Make sure the size calculation does not overflow.
+	if len(message) > math.MaxInt-aead.NonceSize()-aead.Overhead() {
+		return "", errors.WithStack(herodot.ErrInternalServerError.WithReason("plaintext too large"))
+	}
+
 	nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(message)+aead.Overhead())
 	_, err = io.ReadFull(rand.Reader, nonce)
 	if err != nil {

cmd/identities/get_test.go

@@ -5,7 +5,6 @@ package identities_test
 
 import (
 	"context"
-	"encoding/hex"
 	"encoding/json"
 	"testing"
 
@@ -63,10 +62,12 @@ func TestGetCmd(t *testing.T) {
 				return out
 			}
 			transform := func(token string) string {
-				if !encrypt {
-					return token
+				if encrypt {
+					s, err := reg.Cipher(context.Background()).Encrypt(context.Background(), []byte(token))
+					require.NoError(t, err)
+					return s
 				}
-				return hex.EncodeToString([]byte(token))
+				return token
 			}
 			return identity.Credentials{
 				Type:        identity.CredentialsTypeOIDC,

cmd/identities/helpers_test.go

@@ -21,7 +21,7 @@ import (
 	"github.com/ory/kratos/internal/testhelpers"
 )
 
-func setup(t *testing.T, newCmd func() *cobra.Command) (driver.Registry, *cmdx.CommandExecuter) {
+func setup(t *testing.T, newCmd func() *cobra.Command) (*driver.RegistryDefault, *cmdx.CommandExecuter) {
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	_, admin := testhelpers.NewKratosServerWithCSRF(t, reg)
 	testhelpers.SetDefaultIdentitySchema(conf, "file://./stubs/identity.schema.json")

driver/config/config_test.go

@@ -993,15 +993,13 @@ func TestIdentitySchemaValidation(t *testing.T) {
 	}
 
 	t.Run("case=skip invalid schema validation", func(t *testing.T) {
-		ctx := ctx
 		_, err := config.New(ctx, logrusx.New("", ""), os.Stderr, &contextx.Default{},
 			configx.WithConfigFiles("stub/.kratos.invalid.identities.yaml"),
 			configx.SkipValidation())
 		assert.NoError(t, err)
 	})
 
 	t.Run("case=invalid schema should throw error", func(t *testing.T) {
-		ctx := ctx
 		var stdErr bytes.Buffer
 		_, err := config.New(ctx, logrusx.New("", ""), &stdErr, &contextx.Default{},
 			configx.WithConfigFiles("stub/.kratos.invalid.identities.yaml"))
@@ -1011,27 +1009,24 @@ func TestIdentitySchemaValidation(t *testing.T) {
 	})
 
 	t.Run("case=must fail on loading unreachable schemas", func(t *testing.T) {
-		ctx = config.SetValidateIdentitySchemaResilientClientOptions(ctx, []httpx.ResilientOptions{
+		// we make sure that the test runs into DNS issues instead of the context being canceled
+		ctx := config.SetValidateIdentitySchemaResilientClientOptions(ctx, []httpx.ResilientOptions{
 			httpx.ResilientClientWithMaxRetry(0),
-			httpx.ResilientClientWithConnectionTimeout(time.Nanosecond),
+			httpx.ResilientClientWithConnectionTimeout(5 * time.Second),
 		})
 
-		ctx, cancel := context.WithTimeout(ctx, time.Second*30)
-		t.Cleanup(cancel)
-
-		err := make(chan error, 1)
+		err := make(chan error)
 		go func(err chan error) {
 			_, e := config.New(ctx, logrusx.New("", ""), os.Stderr, &contextx.Default{},
 				configx.WithConfigFiles("stub/.kratos.mock.identities.yaml"))
 			err <- e
 		}(err)
 
 		select {
-		case <-ctx.Done():
-			panic("the test could not complete as the context timed out before the identity schema loader timed out")
+		case <-time.After(5 * time.Second):
+			t.Fatal("the test could not complete as the context timed out before the identity schema loader timed out")
 		case e := <-err:
-			assert.Error(t, e)
-			assert.Contains(t, e.Error(), "Client.Timeout")
+			assert.ErrorContains(t, e, "no such host")
 		}
 	})