diff --git a/go.mod b/go.mod
index 821a7a3a4..82dc3917f 100644
--- a/go.mod
+++ b/go.mod
@@ -58,7 +58,7 @@ require (
 	github.com/swaggo/http-swagger v1.3.4
 	github.com/swaggo/swag v1.16.3
 	github.com/vektah/gqlparser/v2 v2.5.16
-	github.com/zitadel/oidc v1.13.5
+	github.com/zitadel/oidc/v3 v3.26.0
 	go.etcd.io/bbolt v1.3.10
 	golang.org/x/crypto v0.25.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
@@ -269,7 +269,6 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
-	github.com/gorilla/schema v1.4.1 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -346,6 +345,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
@@ -432,6 +432,8 @@ require (
 	github.com/zclconf/go-cty v1.15.0 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
+	github.com/zitadel/logging v0.6.0 // indirect
+	github.com/zitadel/schema v1.3.0 // indirect
 	go.mongodb.org/mongo-driver v1.16.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
@@ -479,7 +481,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	helm.sh/helm/v3 v3.15.3 // indirect
diff --git a/go.sum b/go.sum
index 984094571..b54d871e5 100644
--- a/go.sum
+++ b/go.sum
@@ -682,6 +682,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl5
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
 github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
+github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -924,8 +926,6 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.8.2-0.20240619235004-db9d1d0073d2 h1:oZRjfKe/6Qh676XFYvylkCWd0gu8KVZeZYZwkNw6NAU=
 github.com/gorilla/mux v1.8.2-0.20240619235004-db9d1d0073d2/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
-github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
@@ -1180,6 +1180,10 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI=
 github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA=
+github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM=
+github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM=
+github.com/muhlemmer/httpforwarded v0.1.0 h1:x4DLrzXdliq8mprgUMR0olDvHGkou5BJsK/vWUetyzY=
+github.com/muhlemmer/httpforwarded v0.1.0/go.mod h1:yo9czKedo2pdZhoXe+yDkGVbU0TJ0q9oQ90BVoDEtw0=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -1543,10 +1547,12 @@ github.com/zclconf/go-cty-yaml v1.0.3 h1:og/eOQ7lvA/WWhHGFETVWNduJM7Rjsv2RRpx1sd
 github.com/zclconf/go-cty-yaml v1.0.3/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
 github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
 github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-github.com/zitadel/logging v0.3.4 h1:9hZsTjMMTE3X2LUi0xcF9Q9EdLo+FAezeu52ireBbHM=
-github.com/zitadel/logging v0.3.4/go.mod h1:aPpLQhE+v6ocNK0TWrBrd363hZ95KcI17Q1ixAQwZF0=
-github.com/zitadel/oidc v1.13.5 h1:7jhh68NGZitLqwLiVU9Dtwa4IraJPFF1vS+4UupO93U=
-github.com/zitadel/oidc v1.13.5/go.mod h1:rHs1DhU3Sv3tnI6bQRVlFa3u0lCwtR7S21WHY+yXgPA=
+github.com/zitadel/logging v0.6.0 h1:t5Nnt//r+m2ZhhoTmoPX+c96pbMarqJvW1Vq6xFTank=
+github.com/zitadel/logging v0.6.0/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
+github.com/zitadel/oidc/v3 v3.26.0 h1:BG3OUK+JpuKz7YHJIyUxL5Sl2JV6ePkG42UP4Xv3J2w=
+github.com/zitadel/oidc/v3 v3.26.0/go.mod h1:Cx6AYPTJO5q2mjqF3jaknbKOUjpq1Xui0SYvVhkKuXU=
+github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0=
+github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc=
 go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0=
 go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ=
 go.mongodb.org/mongo-driver v1.16.0 h1:tpRsfBJMROVHKpdGyc1BBEzzjDUWjItxbVSZ8Ls4BQ4=
@@ -2232,8 +2238,6 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0 h1:CuXP0Pjfw9rOuY6EP+UvtNvt5DSqHpIxILZKT/quCZI=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
diff --git a/pkg/api/authn.go b/pkg/api/authn.go
index 0813273e2..dca550f38 100644
--- a/pkg/api/authn.go
+++ b/pkg/api/authn.go
@@ -25,9 +25,9 @@ import (
 	"github.com/gorilla/securecookie"
 	"github.com/gorilla/sessions"
 	godigest "github.com/opencontainers/go-digest"
-	"github.com/zitadel/oidc/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/pkg/http"
-	"github.com/zitadel/oidc/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 	githubOAuth "golang.org/x/oauth2/github"
@@ -334,7 +334,7 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun for provider := range ctlr.Config.HTTP.Auth.OpenID.Providers { if config.IsOpenIDSupported(provider) { - rp := NewRelyingPartyOIDC(ctlr.Config, provider, ctlr.Log) + rp := NewRelyingPartyOIDC(context.TODO(), ctlr.Config, provider, ctlr.Log) ctlr.RelyingParties[provider] = rp } else if config.IsOauth2Supported(provider) { rp := NewRelyingPartyGithub(ctlr.Config, provider, ctlr.Log)
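Review bot: `rp := NewRelyingPartyOIDC(context.TODO(), ctlr.Config, provider, ctlr.Log)` in the tryAuthnHandlers hunk hands the v3 constructor a context with no deadline, and since NewRelyingPartyOIDC's only failure path is `log.Panic()`, an unreachable or very slow issuer at startup either blocks this provider loop indefinitely or aborts the process, with nothing bounding the wait. As far as the signature change shows, the v3 constructor forwards the context to its outbound issuer discovery request, so this setup path wants a bounded context rather than a placeholder, e.g. `ctx, cancel := context.WithTimeout(context.Background(), <discovery timeout>)` with `defer cancel()` before the loop, or a context threaded in from the caller. `context.TODO()` also signals "to be plumbed later", which is misleading if this is meant to stay. tryAuthnHandlers begins outside the hunk.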
@@ -610,10 +610,10 @@ func (rh *RouteHandler) AuthURLHandler() http.HandlerFunc { } } -func NewRelyingPartyOIDC(config *config.Config, provider string, log log.Logger) rp.RelyingParty { +func NewRelyingPartyOIDC(ctx context.Context, config *config.Config, provider string, log log.Logger) rp.RelyingParty { issuer, clientID, clientSecret, redirectURI, scopes, options := getRelyingPartyArgs(config, provider, log) - relyingParty, err := rp.NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI, scopes, options...) + relyingParty, err := rp.NewRelyingPartyOIDC(ctx, issuer, clientID, clientSecret, redirectURI, scopes, options...) if err != nil { log.Panic().Err(err).Str("issuer", issuer).Str("redirectURI", redirectURI).Strs("scopes", scopes). Msg("failed to get new relying party oicd") diff --git a/pkg/api/controller.go b/pkg/api/controller.go index 8408f4c99..5a6d37a0e 100644 --- a/pkg/api/controller.go +++ b/pkg/api/controller.go @@ -15,7 +15,7 @@ import ( "time" "github.com/gorilla/mux" - "github.com/zitadel/oidc/pkg/client/rp" + "github.com/zitadel/oidc/v3/pkg/client/rp" "zotregistry.dev/zot/errors" "zotregistry.dev/zot/pkg/api/config" diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go index cd67fb5f6..2c74fc3fb 100644 --- a/pkg/api/controller_test.go +++ b/pkg/api/controller_test.go @@ -4068,6 +4068,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) { func TestNewRelyingPartyOIDC(t *testing.T) { Convey("Test NewRelyingPartyOIDC", t, func() { conf := config.New() + ctx := context.Background() mockOIDCServer, err := authutils.MockOIDCRun() if err != nil { @@ -4098,7 +4099,7 @@ func TestNewRelyingPartyOIDC(t *testing.T) { } Convey("provider not found in config", func() { - So(func() { _ = api.NewRelyingPartyOIDC(conf, "notDex", log.NewLogger("debug", "")) }, ShouldPanic) + So(func() { _ = api.NewRelyingPartyOIDC(ctx, conf, "notDex", log.NewLogger("debug", "")) }, ShouldPanic) }) Convey("key path not found on disk", func() { 
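Review bot: NewRelyingPartyOIDC is exported and its contract changes in this hunk (a leading `ctx context.Context` that is forwarded to `rp.NewRelyingPartyOIDC`), yet it still carries no doc comment describing the new parameter or the panic-on-error behavior visible in the `log.Panic()` branch. A comment such as `// NewRelyingPartyOIDC builds the OIDC relying party for the named provider from config. ctx is forwarded to the zitadel/oidc constructor (so callers should bound it); a misconfigured or unreachable provider is fatal via log.Panic.` would state what callers now need to know; the "bounds discovery" part is my reading of the v3 API and should be confirmed against the dependency. The function's body continues past the hunk, and the pre-existing typo `oicd` in the panic message could be corrected to `oidc` while the surrounding lines are being touched.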
@@ -4106,7 +4107,7 @@ func TestNewRelyingPartyOIDC(t *testing.T) { oidcProviderCfg.KeyPath = "path/to/file" conf.HTTP.Auth.OpenID.Providers["oidc"] = oidcProviderCfg - So(func() { _ = api.NewRelyingPartyOIDC(conf, "oidc", log.NewLogger("debug", "")) }, ShouldPanic) + So(func() { _ = api.NewRelyingPartyOIDC(ctx, conf, "oidc", log.NewLogger("debug", "")) }, ShouldPanic) }) Convey("https callback", func() { @@ -4115,7 +4116,7 @@ func TestNewRelyingPartyOIDC(t *testing.T) { Key: ServerKey, } - rp := api.NewRelyingPartyOIDC(conf, "oidc", log.NewLogger("debug", "")) + rp := api.NewRelyingPartyOIDC(ctx, conf, "oidc", log.NewLogger("debug", "")) So(rp, ShouldNotBeNil) }) @@ -4124,7 +4125,7 @@ func TestNewRelyingPartyOIDC(t *testing.T) { oidcProvider.ClientSecret = "" conf.HTTP.Auth.OpenID.Providers["oidc"] = oidcProvider - rp := api.NewRelyingPartyOIDC(conf, "oidc", log.NewLogger("debug", "")) + rp := api.NewRelyingPartyOIDC(ctx, conf, "oidc", log.NewLogger("debug", "")) So(rp, ShouldNotBeNil) }) @@ -4133,7 +4134,7 @@ func TestNewRelyingPartyOIDC(t *testing.T) { oidcProvider.Issuer = "" conf.HTTP.Auth.OpenID.Providers["oidc"] = oidcProvider - So(func() { _ = api.NewRelyingPartyOIDC(conf, "oidc", log.NewLogger("debug", "")) }, ShouldPanic) + So(func() { _ = api.NewRelyingPartyOIDC(ctx, conf, "oidc", log.NewLogger("debug", "")) }, ShouldPanic) }) }) } diff --git a/pkg/api/routes.go b/pkg/api/routes.go index e4da26fec..b8cf0a362 100644 --- a/pkg/api/routes.go +++ b/pkg/api/routes.go @@ -29,8 +29,8 @@ import ( "github.com/opencontainers/distribution-spec/specs-go/v1/extensions" godigest "github.com/opencontainers/go-digest" ispec "github.com/opencontainers/image-spec/specs-go/v1" - "github.com/zitadel/oidc/pkg/client/rp" - "github.com/zitadel/oidc/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/client/rp" + "github.com/zitadel/oidc/v3/pkg/oidc" zerr "zotregistry.dev/zot/errors" "zotregistry.dev/zot/pkg/api/config" 
@@ -1873,9 +1873,9 @@ func (rh *RouteHandler) Logout(response http.ResponseWriter, request *http.Reque } // github Oauth2 CodeExchange callback. -func (rh *RouteHandler) GithubCodeExchangeCallback() rp.CodeExchangeCallback { +func (rh *RouteHandler) GithubCodeExchangeCallback() rp.CodeExchangeCallback[*oidc.IDTokenClaims] { return func(w http.ResponseWriter, r *http.Request, - tokens *oidc.Tokens, state string, relyingParty rp.RelyingParty, + tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, relyingParty rp.RelyingParty, ) { ctx := r.Context() @@ -1908,11 +1908,14 @@ func (rh *RouteHandler) GithubCodeExchangeCallback() rp.CodeExchangeCallback { } // Openid CodeExchange callback. -func (rh *RouteHandler) OpenIDCodeExchangeCallback() rp.CodeExchangeUserinfoCallback { - return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, - relyingParty rp.RelyingParty, info oidc.UserInfo, +func (rh *RouteHandler) OpenIDCodeExchangeCallback() rp.CodeExchangeUserinfoCallback[ + *oidc.IDTokenClaims, + *oidc.UserInfo, +] { + return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, + relyingParty rp.RelyingParty, info *oidc.UserInfo, ) { - email := info.GetEmail() + email := info.UserInfoEmail.Email if email == "" { rh.c.Log.Error().Msg("failed to set user record for empty email value") w.WriteHeader(http.StatusUnauthorized) @@ -1922,7 +1925,7 @@ func (rh *RouteHandler) OpenIDCodeExchangeCallback() rp.CodeExchangeUserinfoCall var groups []string - val, ok := info.GetClaim("groups").([]interface{}) + val, ok := info.Claims["groups"].([]interface{}) if !ok { rh.c.Log.Info().Msgf("failed to find any 'groups' claim for user %s", email) } diff --git a/pkg/api/routes_test.go b/pkg/api/routes_test.go index 3de252155..bc1554db5 100644 --- a/pkg/api/routes_test.go +++ b/pkg/api/routes_test.go 
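Review bot: `email := info.UserInfoEmail.Email` in the OpenIDCodeExchangeCallback hunk reads the address straight off the userinfo struct, and the following `if email == ""` is the only validation before that address becomes the user record's identity, so a provider that passes through an unverified, user-entered email is trusted as-is. The v3 `UserInfoEmail` struct exposes the `email_verified` claim next to `Email` (as `EmailVerified`, as far as I can tell from the dependency), so the guard could become `if email == "" || !info.UserInfoEmail.EmailVerified {` with a log message naming the unverified case; providers that never emit the claim would need a per-provider opt-out, which nothing in this hunk shows the config offering, so that trade-off should be decided explicitly rather than left implicit. The same hunk's `info.Claims["groups"]` lookup is safe even when `Claims` is nil, since a nil map read yields the zero value. The returned closure continues past the hunk.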
@@ -19,8 +19,8 @@ import ( ispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/project-zot/mockoidc" . "github.com/smartystreets/goconvey/convey" - "github.com/zitadel/oidc/pkg/client/rp" - "github.com/zitadel/oidc/pkg/oidc" + "github.com/zitadel/oidc/v3/pkg/client/rp" + "github.com/zitadel/oidc/v3/pkg/oidc" "golang.org/x/oauth2" zerr "zotregistry.dev/zot/errors" @@ -105,7 +105,7 @@ func TestRoutes(t *testing.T) { request, _ := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil) response := httptest.NewRecorder() - tokens := &oidc.Tokens{} + tokens := &oidc.Tokens[*oidc.IDTokenClaims]{} relyingParty, err := rp.NewRelyingPartyOAuth(&oauth2.Config{}) So(err, ShouldBeNil)