diff --git a/.envrc b/.envrc index 3335ff6d68..fb06536f72 100644 --- a/.envrc +++ b/.envrc @@ -1,7 +1,6 @@ -if ! has nix_direnv_version || ! nix_direnv_version 3.0.5; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.5/direnvrc" "sha256-RuwIS+QKFj/T9M2TFXScjBsLR6V3A17YVoEW/Q6AZ1w=" +if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM=" fi - -use flake +use flake . --impure dotenv_if_exists diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index 0daaf3187c..6878c76c44 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -44,7 +44,6 @@ jobs: id-token: write security-events: write - outputs: name: ${{ steps.image-name.outputs.value }} digest: ${{ steps.build.outputs.digest }} @@ -203,8 +202,7 @@ jobs: with: path: cache/db key: trivy-cache-${{ steps.date.outputs.date }} - restore-keys: - trivy-cache- + restore-keys: trivy-cache- - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 @@ -212,12 +210,13 @@ jobs: input: image format: sarif output: trivy-results.sarif - scan-type: 'fs' - scan-ref: '.' + scan-type: "fs" + scan-ref: "." cache-dir: "./cache" - env: - TRIVY_SKIP_DB_UPDATE: true - TRIVY_SKIP_JAVA_DB_UPDATE: true + # Disable skipping trivy cache for now + # env: + # TRIVY_SKIP_DB_UPDATE: true + # TRIVY_SKIP_JAVA_DB_UPDATE: true ## Trivy-db uses `0600` permissions. ## But `action/cache` use `runner` user by default diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 558bee8732..c11e7ab258 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -2,7 +2,7 @@ name: CI on: push: - branches: [ master ] + branches: [master] pull_request: permissions: 
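Review bot: `use flake . --impure` turns off pure evaluation for everyone who loads this directory through direnv, and the hunk gives no reason for the flag. Presumably the devenv flake module requires it, but a one-line comment above the call would stop the next reader from trying to remove it: `# --impure is required by devenv's flake module`. Keep the `source_url` hash pinned alongside the nix-direnv version, as the hunk already does.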
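Review bot: The new comment `# Disable skipping trivy cache for now` describes the wrong thing: the two variables it comments out, `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE`, control whether Trivy refreshes its vulnerability databases, not whether it uses the cache, and `cache-dir: "./cache"` together with the actions/cache step in the previous hunk is still in place. Commented-out configuration with a bare "for now" tends to outlive its reason; either delete the four lines or state why the refresh is needed, e.g. `# Always refresh the vulnerability DBs; the restored ./cache is only a starting point. Re-enable TRIVY_SKIP_*_DB_UPDATE once the cached DB is reliable.`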
@@ -71,7 +71,7 @@ jobs: - name: Set up Go uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.21" + go-version: "1.23" - name: Download tool dependencies run: make deps @@ -142,7 +142,7 @@ jobs: - name: Set up Go uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: - go-version: "1.21" + go-version: "1.23" - name: Download golangci-lint run: make bin/golangci-lint diff --git a/.gitignore b/.gitignore index 66dc41ccfe..11cfbe81a6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +/.devenv/ /.direnv/ /.idea/ /bin/ diff --git a/.golangci.yml b/.golangci.yml index 7d631ed241..d54dcb183f 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,28 +1,27 @@ run: timeout: 4m - skip-dirs: - - storage/ent/db # generated ent code linters-settings: depguard: - rules: - deprecated: - deny: - - pkg: "io/ioutil" - desc: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead." + rules: + deprecated: + deny: + - pkg: "io/ioutil" + desc: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead." gci: - local-prefixes: github.com/dexidp/dex + sections: + - standard + - default + - prefix(github.com/dexidp/dex) goimports: local-prefixes: github.com/dexidp/dex - linters: disable-all: true enable: - depguard - dogsled - exhaustive - - exportloopref - gci - gochecknoinits - gocritic @@ -92,3 +91,7 @@ linters: # - nestif # - testpackage # - wsl + +issues: + exclude-dirs: + - storage/ent/db # generated ent code diff --git a/Makefile b/Makefile index e808890e6d..a0939f96d2 100644 --- a/Makefile +++ b/Makefile @@ -18,8 +18,8 @@ export GOBIN=$(PWD)/bin LD_FLAGS="-w -X main.version=$(VERSION)" # Dependency versions -GOLANGCI_VERSION = 1.56.2 -GOTESTSUM_VERSION ?= 1.10.1 +GOLANGCI_VERSION = 1.63.4 +GOTESTSUM_VERSION ?= 1.12.0 PROTOC_VERSION = 24.4 PROTOC_GEN_GO_VERSION = 1.32.0 diff --git a/api/v2/go.mod b/api/v2/go.mod index 2e44fa83b3..1e5863cd6b 100644 
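Review bot: Dropping `exportloopref` from `.golangci.yml` is right for Go 1.23, where loop variables are per-iteration, but its replacement is missing: golangci-lint 1.63.4 (the version the Makefile hunk pins) ships `copyloopvar`, which flags the now-redundant `x := x` copies that exportloopref used to demand, so add `- copyloopvar` to the enable list. The `gci` sections block and the move of the generated-code skip to `issues.exclude-dirs` match the current config schema and need no change.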
--- a/api/v2/go.mod
+++ b/api/v2/go.mod
@@ -1,6 +1,6 @@
 module github.com/dexidp/dex/api/v2
 
-go 1.21
+go 1.23
 
 require (
 google.golang.org/grpc v1.65.0
diff --git a/connector/saml/saml.go b/connector/saml/saml.go
index bc8ef726ce..3e44b477e3 100644
--- a/connector/saml/saml.go
+++ b/connector/saml/saml.go
@@ -467,7 +467,7 @@ func (p *provider) validateStatus(status *status) error {
 if statusMessage != nil && statusMessage.Value != "" {
 errorMessage += " -> " + statusMessage.Value
 }
- return fmt.Errorf(errorMessage)
+ return errors.New(errorMessage)
 }
 return nil
 }
diff --git a/examples/go.mod b/examples/go.mod
index 5da715d464..5f6f81a502 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -1,6 +1,6 @@
 module github.com/dexidp/dex/examples
 
-go 1.21
+go 1.23
 
 require (
 github.com/coreos/go-oidc/v3 v3.11.0
diff --git a/flake.lock b/flake.lock
index b547f3f59b..625e2c1253 100644
--- a/flake.lock
+++ b/flake.lock
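Review bot: `errors.New(errorMessage)` needs the `errors` package in scope and this hunk does not touch the import block of saml.go; if the file did not already import it, the build breaks, so confirm the import exists or is added in a hunk outside this view. The change is more than lint hygiene: `errorMessage` is built from `statusMessage.Value`, which appears to come from the parsed SAML status returned by the IdP, so passing it to `fmt.Errorf` as the format string let `%` sequences in a remotely supplied message corrupt the error text. The rest of `validateStatus` lies outside the hunk.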
@@ -1,58 +1,292 @@ { "nodes": { - "flake-utils": { + "cachix": { "inputs": { - "systems": "systems" + "devenv": [ + "devenv" + ], + "flake-compat": [ + "devenv" + ], + "git-hooks": [ + "devenv" + ], + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1728672398, + "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", + "owner": "cachix", + "repo": "cachix", + "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "latest", + "repo": "cachix", + "type": "github" + } + }, + "devenv": { + "inputs": { + "cachix": "cachix", + "flake-compat": "flake-compat", + "git-hooks": "git-hooks", + "nix": "nix", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1736426010, + "narHash": "sha256-d0rE+u8/rQjXLvDobz1StGTfqvRKvq+8kVsHnIGVD1o=", + "owner": "cachix", + "repo": "devenv", + "rev": "1c384bc4be3ee571511fbbc6fdc94fe47d60f6cf", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "devenv", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1736143030, + "narHash": 
"sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "devenv" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "devenv", + "nixpkgs" + ], + "nixpkgs-stable": [ + "devenv" + ] + }, + "locked": { + "lastModified": 1730302582, + "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "devenv", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-compat": [ + "devenv" + ], + "flake-parts": "flake-parts", + "libgit2": "libgit2", + "nixpkgs": "nixpkgs_2", + "nixpkgs-23-11": [ + "devenv" + ], + "nixpkgs-regression": [ + "devenv" + ], + "pre-commit-hooks": [ + "devenv" + ] }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - 
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "lastModified": 1727438425, + "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", + "owner": "domenkozar", + "repo": "nix", + "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "domenkozar", + "ref": "devenv-2.24", + "repo": "nix", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1708807242, - "narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=", + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "type": "github" }, "original": { - "id": "nixpkgs", + "owner": "NixOS", "ref": "nixos-unstable", - "type": "indirect" + "repo": "nixpkgs", + "type": "github" } }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs-lib": { + "locked": { + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" } }, - "systems": { + "nixpkgs_2": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "lastModified": 1717432640, + "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + 
"nixpkgs_3": { + "locked": { + "lastModified": 1716977621, + "narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=", + "owner": "cachix", + "repo": "devenv-nixpkgs", + "rev": "4267e705586473d3e5c8d50299e71503f16a6fb6", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "rolling", + "repo": "devenv-nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1736241350, + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", "type": "github" } + }, + "root": { + "inputs": { + "devenv": "devenv", + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_4" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8b82d70740..f6dea3b8a1 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,27 +1,58 @@ { - description = "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors"; - inputs = { - nixpkgs.url = "nixpkgs/nixos-unstable"; - flake-utils.url = "github:numtide/flake-utils"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + flake-parts.url = "github:hercules-ci/flake-parts"; + devenv.url = "github:cachix/devenv"; }; - outputs = { self, nixpkgs, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - buildDeps = with pkgs; [ git go_1_21 gnumake ]; - devDeps = with pkgs; - buildDeps ++ [ - golangci-lint - gotestsum - protobuf - protoc-gen-go - protoc-gen-go-grpc - kind - ]; - in - { devShell = pkgs.mkShell { buildInputs = devDeps; }; } - ); + outputs = + inputs@{ flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { + imports = [ + inputs.devenv.flakeModule + ]; + + systems = [ + "x86_64-linux" + "x86_64-darwin" + "aarch64-darwin" + "aarch64-linux" + ]; + + perSystem = + { + pkgs, + lib, + system, + ... + }: + rec { + devenv.shells = { + default = { + languages = { + go = { + enable = true; + package = pkgs.go_1_23; + }; + }; + + packages = with pkgs; [ + gnumake + + golangci-lint + gotestsum + protobuf + protoc-gen-go + protoc-gen-go-grpc + kind + ]; + + # https://github.com/cachix/devenv/issues/528#issuecomment-1556108767 + containers = pkgs.lib.mkForce { }; + }; + + ci = devenv.shells.default; + }; + }; + }; } diff --git a/go.mod b/go.mod index 5dfc4a8b05..3d5441ebf3 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/dexidp/dex -go 1.21 +go 1.23 require ( cloud.google.com/go/compute/metadata v0.5.2 diff --git a/server/introspectionhandler.go b/server/introspectionhandler.go index ffcbb13679..802e29b6e7 100644 --- a/server/introspectionhandler.go +++ b/server/introspectionhandler.go 
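Review bot: The flake's `description` attribute was removed along with the old `outputs`; it is the metadata `nix flake show` and `nix flake metadata` print, so restore it at the top of the attrset: `description = "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors";`. The `containers = pkgs.lib.mkForce { };` line carries a link explaining itself, but `ci = devenv.shells.default;` does not, and a short comment such as `# CI uses the same shell as local development` would say why the alias exists. Note that `nixpkgs.url` also moves from the registry alias `nixpkgs/nixos-unstable` to `github:NixOS/nixpkgs/nixpkgs-unstable`, a different channel, which the commit description should mention if it was intentional.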
@@ -170,7 +170,7 @@ func (s *Server) getTokenFromRequest(r *http.Request) (string, TokenTypeEnum, er
 return "", 0, newIntrospectBadRequestError(fmt.Sprintf("HTTP method is \"%s\", expected \"POST\".", r.Method))
 } else if err := r.ParseForm(); err != nil {
 return "", 0, newIntrospectBadRequestError("Unable to parse HTTP body, make sure to send a properly formatted form request body.")
- } else if r.PostForm == nil || len(r.PostForm) == 0 {
+ } else if len(r.PostForm) == 0 {
 return "", 0, newIntrospectBadRequestError("The POST body can not be empty.")
 } else if !r.PostForm.Has("token") {
 return "", 0, newIntrospectBadRequestError("The POST body doesn't contain 'token' parameter.")
diff --git a/storage/ent/mysql_test.go b/storage/ent/mysql_test.go
index f3e198aa72..345632e043 100644
--- a/storage/ent/mysql_test.go
+++ b/storage/ent/mysql_test.go
@@ -31,7 +31,9 @@ func mysqlTestConfig(host string, port uint64) *MySQL {
 Port: uint16(port),
 },
 SSL: SSL{
- Mode: mysqlSSLSkipVerify,
+ // This was originally mysqlSSLSkipVerify. It lead to handshake errors.
+ // See https://github.com/go-sql-driver/mysql/issues/1635 for more details.
+ Mode: mysqlSSLFalse,
 },
 params: map[string]string{
 "innodb_lock_wait_timeout": "1",
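Review bot: The simplified `} else if len(r.PostForm) == 0 {` is correct, since `len` of a nil map is 0, but the surrounding chain is a run of `else if` branches that each `return`, which Go style flattens into sequential guards so the happy path stays left-aligned: `if len(r.PostForm) == 0 {` / `return "", 0, newIntrospectBadRequestError("The POST body can not be empty.")` / `}` followed by the next check as its own `if`. `getTokenFromRequest` begins and ends outside the hunk, so the flattening would have to cover the whole chain.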
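Review bot: Switching the fixture from `mysqlSSLSkipVerify` to `mysqlSSLFalse` removes TLS from the MySQL storage tests entirely, so the handshake path that deployments selecting skip-verify or a verifying mode rely on is no longer exercised anywhere visible in this diff; if the linked driver issue is the trigger, pinning or upgrading github.com/go-sql-driver/mysql would keep that coverage, or a second fixture could retain a TLS mode. The new comment should also read `// This was originally mysqlSSLSkipVerify, which led to handshake errors.` ("lead" is a typo for "led") and say explicitly that the downgrade applies to the test container only. `mysqlTestConfig` starts outside the hunk.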