Merge branch 'ory:master' into 3631-steam-integration

.docker/Dockerfile-build

@@ -9,7 +9,6 @@ WORKDIR /go/src/github.com/ory/kratos
 
 COPY go.mod go.mod
 COPY go.sum go.sum
-COPY internal/httpclient/go.* internal/httpclient/
 COPY internal/client-go/go.* internal/client-go/
 
 ENV GO111MODULE on

.schema/version.schema.json

@@ -2,6 +2,23 @@
     "$id": "https://github.com/ory/kratos/.schema/versions.config.schema.json",
     "$schema": "http://json-schema.org/draft-07/schema#",
     "oneOf": [
+        {
+            "allOf": [
+                {
+                    "properties": {
+                        "version": {
+                            "const": "v1.1.0"
+                        }
+                    },
+                    "required": [
+                        "version"
+                    ]
+                },
+                {
+                    "$ref": "https://raw.githubusercontent.com/ory/kratos/v1.1.0/.schemastore/config.schema.json"
+                }
+            ]
+        },
         {
             "allOf": [
                 {

.schemastore/config.schema.json

@@ -150,7 +150,7 @@
           "format": "uri",
           "pattern": "^(http|https|file|base64)://",
           "description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads",
-          "default": "base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmVjaXBpZW50OiBjdHguUmVjaXBpZW50LAogIHRlbXBsYXRlX3R5cGU6IGN0eC5UZW1wbGF0ZVR5cGUsCiAgdG86IGlmICJUZW1wbGF0ZURhdGEiIGluIGN0eCAmJiAiVG8iIGluIGN0eC5UZW1wbGF0ZURhdGEgdGhlbiBjdHguVGVtcGxhdGVEYXRhLlRvIGVsc2UgbnVsbCwKICByZWNvdmVyeV9jb2RlOiBpZiAiVGVtcGxhdGVEYXRhIiBpbiBjdHggJiYgIlJlY292ZXJ5Q29kZSIgaW4gY3R4LlRlbXBsYXRlRGF0YSB0aGVuIGN0eC5UZW1wbGF0ZURhdGEuUmVjb3ZlcnlDb2RlIGVsc2UgbnVsbCwKICByZWNvdmVyeV91cmw6IGlmICJUZW1wbGF0ZURhdGEiIGluIGN0eCAmJiAiUmVjb3ZlcnlVUkwiIGluIGN0eC5UZW1wbGF0ZURhdGEgdGhlbiBjdHguVGVtcGxhdGVEYXRhLlJlY292ZXJ5VVJMIGVsc2UgbnVsbCwKICB2ZXJpZmljYXRpb25fdXJsOiBpZiAiVGVtcGxhdGVEYXRhIiBpbiBjdHggJiYgIlZlcmlmaWNhdGlvblVSTCIgaW4gY3R4LlRlbXBsYXRlRGF0YSB0aGVuIGN0eC5UZW1wbGF0ZURhdGEuVmVyaWZpY2F0aW9uVVJMIGVsc2UgbnVsbCwKICB2ZXJpZmljYXRpb25fY29kZTogaWYgIlRlbXBsYXRlRGF0YSIgaW4gY3R4ICYmICJWZXJpZmljYXRpb25Db2RlIiBpbiBjdHguVGVtcGxhdGVEYXRhIHRoZW4gY3R4LlRlbXBsYXRlRGF0YS5WZXJpZmljYXRpb25Db2RlIGVsc2UgbnVsbCwKICBzdWJqZWN0OiBjdHguU3ViamVjdCwKICBib2R5OiBjdHguQm9keQp9Cg==",
+          "default": "base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmVjaXBpZW50OiBjdHgucmVjaXBpZW50LAogIHRlbXBsYXRlX3R5cGU6IGN0eC50ZW1wbGF0ZV90eXBlLAogIHRvOiBpZiAidGVtcGxhdGVfZGF0YSIgaW4gY3R4ICYmICJ0byIgaW4gY3R4LnRlbXBsYXRlX2RhdGEgdGhlbiBjdHgudGVtcGxhdGVfZGF0YS50byBlbHNlIG51bGwsCiAgcmVjb3ZlcnlfY29kZTogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAicmVjb3ZlcnlfY29kZSIgaW4gY3R4LnRlbXBsYXRlX2RhdGEgdGhlbiBjdHgudGVtcGxhdGVfZGF0YS5yZWNvdmVyeV9jb2RlIGVsc2UgbnVsbCwKICByZWNvdmVyeV91cmw6IGlmICJ0ZW1wbGF0ZV9kYXRhIiBpbiBjdHggJiYgInJlY292ZXJ5X3VybCIgaW4gY3R4LnRlbXBsYXRlX2RhdGEgdGhlbiBjdHgudGVtcGxhdGVfZGF0YS5yZWNvdmVyeV91cmwgZWxzZSBudWxsLAogIHZlcmlmaWNhdGlvbl91cmw6IGlmICJ0ZW1wbGF0ZV9kYXRhIiBpbiBjdHggJiYgInZlcmlmaWNhdGlvbl91cmwiIGluIGN0eC50ZW1wbGF0ZV9kYXRhIHRoZW4gY3R4LnRlbXBsYXRlX2RhdGEudmVyaWZpY2F0aW9uX3VybCBlbHNlIG51bGwsCiAgdmVyaWZpY2F0aW9uX2NvZGU6IGlmICJ0ZW1wbGF0ZV9kYXRhIiBpbiBjdHggJiYgInZlcmlmaWNhdGlvbl9jb2RlIiBpbiBjdHgudGVtcGxhdGVfZGF0YSB0aGVuIGN0eC50ZW1wbGF0ZV9kYXRhLnZlcmlmaWNhdGlvbl9jb2RlIGVsc2UgbnVsbCwKICBzdWJqZWN0OiBjdHguc3ViamVjdCwKICBib2R5OiBjdHguYm9keQp9Cg==",
           "examples": [
             "file:///path/to/body.jsonnet",
             "file://./body.jsonnet",
@@ -2305,7 +2305,7 @@
       "additionalProperties": false
     },
     "tracing": {
-      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.611/otelx/config.schema.json"
+      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.614/otelx/config.schema.json"
     },
     "log": {
       "title": "Log",

cipher/chacha20.go

@@ -72,7 +72,7 @@ func (c *XChaCha20Poly1305) Decrypt(ctx context.Context, ciphertext string) ([]b
 	for i := range secrets {
 		aead, err := chacha20poly1305.NewX(secrets[i][:])
 		if err != nil {
-			return nil, errors.WithStack(herodot.ErrInternalServerError.WithWrap(err).WithReason("Unable to instanciate chacha20"))
+			return nil, errors.WithStack(herodot.ErrInternalServerError.WithWrap(err).WithReason("Unable to instantiate chacha20"))
 		}
 
 		if len(ciphertext) < aead.NonceSize() {

courier/smtp.go

@@ -12,6 +12,8 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/pkg/errors"
+
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/driver/config"
 
@@ -27,7 +29,7 @@ type SMTPClient struct {
 func NewSMTPClient(deps Dependencies, cfg *config.SMTPConfig) (*SMTPClient, error) {
 	uri, err := url.Parse(cfg.ConnectionURI)
 	if err != nil {
-		return nil, herodot.ErrInternalServerError.WithError(err.Error())
+		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The SMTP connection URI is malformed. Please contact a system administrator."))
 	}
 
 	var tlsCertificates []tls.Certificate

courier/smtp_test.go

@@ -35,6 +35,23 @@ import (
 	gomail "github.com/ory/mail/v3"
 )
 
+func TestNewSMTPClientPreventLeak(t *testing.T) {
+	// Test for https://hackerone.com/reports/2384028
+
+	ctx := context.Background()
+	conf, reg := internal.NewFastRegistryWithMocks(t)
+
+	invalidURL := "sm<>t>p://f%oo::bar:baz@my-server:1234:122/"
+	conf.MustSet(ctx, config.ViperKeyCourierSMTPURL, invalidURL)
+	channels, err := conf.CourierChannels(ctx)
+	require.NoError(t, err)
+	require.Len(t, channels, 1)
+
+	_, err = courier.NewSMTPClient(reg, channels[0].SMTPConfig)
+	require.Error(t, err)
+	assert.NotContains(t, err.Error(), invalidURL)
+}
+
 func TestNewSMTP(t *testing.T) {
 	ctx := context.Background()
 	conf, reg := internal.NewFastRegistryWithMocks(t)

courier/template/email/login_code_valid.go

@@ -18,10 +18,11 @@ type (
 		model *LoginCodeValidModel
 	}
 	LoginCodeValidModel struct {
-		To         string                 `json:"to"`
-		LoginCode  string                 `json:"login_code"`
-		Identity   map[string]interface{} `json:"identity"`
-		RequestURL string                 `json:"request_url"`
+		To               string                 `json:"to"`
+		LoginCode        string                 `json:"login_code"`
+		Identity         map[string]interface{} `json:"identity"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/recovery_code_invalid.go

@@ -18,8 +18,9 @@ type (
 		model *RecoveryCodeInvalidModel
 	}
 	RecoveryCodeInvalidModel struct {
-		To         string `json:"to"`
-		RequestURL string `json:"request_url"`
+		To               string                 `json:"to"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/recovery_code_valid.go

@@ -18,10 +18,11 @@ type (
 		model *RecoveryCodeValidModel
 	}
 	RecoveryCodeValidModel struct {
-		To           string                 `json:"to"`
-		RecoveryCode string                 `json:"recovery_code"`
-		Identity     map[string]interface{} `json:"identity"`
-		RequestURL   string                 `json:"request_url"`
+		To               string                 `json:"to"`
+		RecoveryCode     string                 `json:"recovery_code"`
+		Identity         map[string]interface{} `json:"identity"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/recovery_invalid.go

@@ -18,8 +18,9 @@ type (
 		m *RecoveryInvalidModel
 	}
 	RecoveryInvalidModel struct {
-		To         string `json:"to"`
-		RequestURL string `json:"request_url"`
+		To               string                 `json:"to"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/recovery_valid.go

@@ -18,10 +18,11 @@ type (
 		m *RecoveryValidModel
 	}
 	RecoveryValidModel struct {
-		To          string                 `json:"to"`
-		RecoveryURL string                 `json:"recovery_url"`
-		Identity    map[string]interface{} `json:"identity"`
-		RequestURL  string                 `json:"request_url"`
+		To               string                 `json:"to"`
+		RecoveryURL      string                 `json:"recovery_url"`
+		Identity         map[string]interface{} `json:"identity"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/registration_code_valid.go

@@ -22,6 +22,7 @@ type (
 		Traits           map[string]interface{} `json:"traits"`
 		RegistrationCode string                 `json:"registration_code"`
 		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/verification_code_invalid.go

@@ -18,8 +18,9 @@ type (
 		m *VerificationCodeInvalidModel
 	}
 	VerificationCodeInvalidModel struct {
-		To         string `json:"to"`
-		RequestURL string `json:"request_url"`
+		To               string                 `json:"to"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/verification_code_valid.go

@@ -23,6 +23,7 @@ type (
 		VerificationCode string                 `json:"verification_code"`
 		Identity         map[string]interface{} `json:"identity"`
 		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/verification_invalid.go

@@ -18,8 +18,9 @@ type (
 		m *VerificationInvalidModel
 	}
 	VerificationInvalidModel struct {
-		To         string `json:"to"`
-		RequestURL string `json:"request_url"`
+		To               string                 `json:"to"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/email/verification_valid.go

@@ -18,10 +18,11 @@ type (
 		m *VerificationValidModel
 	}
 	VerificationValidModel struct {
-		To              string                 `json:"to"`
-		VerificationURL string                 `json:"verification_url"`
-		Identity        map[string]interface{} `json:"identity"`
-		RequestURL      string                 `json:"request_url"`
+		To               string                 `json:"to"`
+		VerificationURL  string                 `json:"verification_url"`
+		Identity         map[string]interface{} `json:"identity"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/sms/login_code_valid.go

@@ -17,10 +17,11 @@ type (
 		model *LoginCodeValidModel
 	}
 	LoginCodeValidModel struct {
-		To         string                 `json:"to"`
-		LoginCode  string                 `json:"login_code"`
-		Identity   map[string]interface{} `json:"identity"`
-		RequestURL string                 `json:"request_url"`
+		To               string                 `json:"to"`
+		LoginCode        string                 `json:"login_code"`
+		Identity         map[string]interface{} `json:"identity"`
+		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

courier/template/sms/verification_code.go

@@ -22,6 +22,7 @@ type (
 		VerificationCode string                 `json:"verification_code"`
 		Identity         map[string]interface{} `json:"identity"`
 		RequestURL       string                 `json:"request_url"`
+		TransientPayload map[string]interface{} `json:"transient_payload"`
 	}
 )
 

driver/registry_default.go

@@ -475,7 +475,7 @@ func (m *RegistryDefault) Cipher(ctx context.Context) cipher.Cipher {
 			m.crypter = cipher.NewCryptAES(m)
 		default:
 			m.crypter = cipher.NewNoop(m)
-			m.l.Logger.Warning("No encryption configuration found. Default algorithm (noop) will be use that mean sensitive data will be recorded in plaintext")
+			m.l.Logger.Warning("No encryption configuration found. The default algorithm (noop) will be used, resulting in sensitive data being stored in plaintext")
 		}
 	}
 	return m.crypter

embedx/config.schema.json

@@ -436,7 +436,8 @@
             "dingtalk",
             "patreon",
             "linkedin",
-            "lark"
+            "lark",
+            "x"
           ],
           "examples": ["google"]
         },

go.mod

@@ -328,6 +328,7 @@ require (
 
 require (
 	github.com/coreos/go-oidc/v3 v3.9.0
+	github.com/dghubble/oauth1 v0.7.2
 	github.com/lestrrat-go/jwx/v2 v2.0.19
 )
 

go.sum

@@ -148,6 +148,8 @@ github.com/davidrjonas/semver-cli v0.0.0-20190116233701-ee19a9a0dda6/go.mod h1:+
 github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/dghubble/oauth1 v0.7.2 h1:pwcinOZy8z6XkNxvPmUDY52M7RDPxt0Xw1zgZ6Cl5JA=
+github.com/dghubble/oauth1 v0.7.2/go.mod h1:9erQdIhqhOHG/7K9s/tgh9Ks/AfoyrO5mW/43Lu2+kE=
 github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
 github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=

identity/.snapshots/TestWithDeclassifiedCredentials-case=oidc-credential=oidc.json

@@ -0,0 +1,22 @@
+{
+  "type": "oidc",
+  "identifiers": [
+    "bar",
+    "baz"
+  ],
+  "config": {
+    "providers": [
+      {
+        "initial_id_token": "foo",
+        "initial_access_token": "",
+        "initial_refresh_token": "",
+        "subject": "",
+        "provider": "",
+        "organization": ""
+      }
+    ]
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}

identity/.snapshots/TestWithDeclassifiedCredentials-case=oidc-credential=password.json

@@ -0,0 +1,10 @@
+{
+  "type": "password",
+  "identifiers": [
+    "zab",
+    "bar"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}

identity/.snapshots/TestWithDeclassifiedCredentials-case=oidc-credential=webauthn.json

@@ -0,0 +1,10 @@
+{
+  "type": "webauthn",
+  "identifiers": [
+    "foo",
+    "bar"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}

identity/credentials_oidc.go

@@ -32,8 +32,36 @@ type CredentialsOIDCProvider struct {
 	Organization        string `json:"organization,omitempty"`
 }
 
+// swagger:ignore
+type CredentialsOIDCEncryptedTokens struct {
+	RefreshToken string `json:"refresh_token,omitempty"`
+	IDToken      string `json:"id_token,omitempty"`
+	AccessToken  string `json:"access_token,omitempty"`
+}
+
+func (c *CredentialsOIDCEncryptedTokens) GetRefreshToken() string {
+	if c == nil {
+		return ""
+	}
+	return c.RefreshToken
+}
+
+func (c *CredentialsOIDCEncryptedTokens) GetAccessToken() string {
+	if c == nil {
+		return ""
+	}
+	return c.AccessToken
+}
+
+func (c *CredentialsOIDCEncryptedTokens) GetIDToken() string {
+	if c == nil {
+		return ""
+	}
+	return c.IDToken
+}
+
 // NewCredentialsOIDC creates a new OIDC credential.
-func NewCredentialsOIDC(idToken, accessToken, refreshToken, provider, subject, organization string) (*Credentials, error) {
+func NewCredentialsOIDC(tokens *CredentialsOIDCEncryptedTokens, provider, subject, organization string) (*Credentials, error) {
 	if provider == "" {
 		return nil, errors.New("received empty provider in oidc credentials")
 	}
@@ -48,9 +76,9 @@ func NewCredentialsOIDC(idToken, accessToken, refreshToken, provider, subject, o
 			{
 				Subject:             subject,
 				Provider:            provider,
-				InitialIDToken:      idToken,
-				InitialAccessToken:  accessToken,
-				InitialRefreshToken: refreshToken,
+				InitialIDToken:      tokens.GetIDToken(),
+				InitialAccessToken:  tokens.GetAccessToken(),
+				InitialRefreshToken: tokens.GetRefreshToken(),
 				Organization:        organization,
 			}},
 	}); err != nil {
@@ -65,6 +93,14 @@ func NewCredentialsOIDC(idToken, accessToken, refreshToken, provider, subject, o
 	}, nil
 }
 
+func (c *CredentialsOIDCProvider) GetTokens() *CredentialsOIDCEncryptedTokens {
+	return &CredentialsOIDCEncryptedTokens{
+		RefreshToken: c.InitialRefreshToken,
+		IDToken:      c.InitialIDToken,
+		AccessToken:  c.InitialAccessToken,
+	}
+}
+
 func OIDCUniqueID(provider, subject string) string {
 	return fmt.Sprintf("%s:%s", provider, subject)
 }