├── config ├── webhook │ ├── manifests.yaml │ ├── kustomization.yaml │ ├── service.yaml │ └── kustomizeconfig.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── rbac │ ├── role_binding.yaml │ ├── auth_proxy_role_binding.yaml │ ├── leader_election_role_binding.yaml │ ├── auth_proxy_role.yaml │ ├── kustomization.yaml │ ├── auth_proxy_service.yaml │ ├── leader_election_role.yaml │ └── role.yaml ├── crd │ ├── patches │ │ ├── cainjection_in_oauth2clients.yaml │ │ └── webhook_in_oauth2clients.yaml │ ├── kustomizeconfig.yaml │ └── kustomization.yaml ├── default │ ├── manager_image_patch.yaml │ ├── manager_prometheus_metrics_patch.yaml │ ├── manager_webhook_patch.yaml │ ├── webhookcainjection_patch.yaml │ ├── manager_auth_proxy_patch.yaml │ └── kustomization.yaml ├── certmanager │ ├── kustomizeconfig.yaml │ ├── kustomization.yaml │ └── certificate.yaml └── samples │ ├── hydra_v1alpha1_oauth2client_user_credentials.yaml │ ├── hydra_v1alpha1_oauth2client_custom_namespace.yaml │ └── hydra_v1alpha1_oauth2client.yaml ├── .github ├── CODEOWNERS ├── config.yml ├── FUNDING.yml ├── workflows │ ├── format.yml │ ├── labels.yml │ ├── closed_references.yml │ ├── licenses.yml │ ├── cve-scan.yaml │ ├── conventional_commits.yml │ ├── stale.yml │ └── ci.yaml ├── auto_assign.yml ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── FEATURE-REQUEST.yml │ ├── BUG-REPORT.yml │ └── DESIGN-DOC.yml ├── actions │ └── deps-setup │ │ └── action.yaml └── pull_request_template.md ├── .reference-ignore ├── .prettierignore ├── .reports └── dep-licenses.csv ├── .deps ├── k3d.yaml ├── kubectl.yaml └── kustomize.yaml ├── PROJECT ├── package.json ├── .docker ├── Dockerfile-release ├── Dockerfile-build └── Dockerfile-kubebuilder ├── .gitignore ├── hack └── boilerplate.go.txt ├── api └── v1alpha1 │ ├── groupversion_info.go │ ├── zz_generated.deepcopy.go │ └── oauth2client_types_test.go ├── renovate.json ├── helpers ├── http_client.go └── http_client_test.go ├── docs ├── README.md └── assets │ ├── synchronization-mode.svg │ └── workflow.svg ├── .goreleaser.yml ├── SECURITY.md ├── controllers ├── suite_test.go └── mocks │ └── hydra │ └── Client.go ├── hydra ├── types_test.go ├── client.go ├── types.go └── client_test.go ├── README.md ├── main.go ├── go.mod ├── CODE_OF_CONDUCT.md ├── Makefile ├── LICENSE └── CONTRIBUTING.md /config/webhook/manifests.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @piotrmsc @Demonsthere 2 | -------------------------------------------------------------------------------- /.reference-ignore: -------------------------------------------------------------------------------- 1 | **/node_modules 2 | docs 3 | CHANGELOG.md 4 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | api/v1alpha1/zz_generated.deepcopy.go 2 | CHANGELOG.md 3 | .github/pull_request_template.md 4 | CONTRIBUTING.md 5 | -------------------------------------------------------------------------------- /config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /.reports/dep-licenses.csv: -------------------------------------------------------------------------------- 1 | 2 | "github.com/stretchr/testify","MIT" 3 | "k8s.io/api","Apache-2.0" 4 | "k8s.io/apimachinery","Apache-2.0" 5 | "k8s.io/client-go","Apache-2.0" 6 | 7 | -------------------------------------------------------------------------------- /.deps/k3d.yaml: -------------------------------------------------------------------------------- 1 | # renovate: datasource=github-releases depName=k3d-io/k3d 2 | version: v5.8.3 3 | url: https://github.com/rancher/k3d/releases/download/{{.Version}}/k3d-{{.Os}}-{{.Architecture}} 4 | -------------------------------------------------------------------------------- /.deps/kubectl.yaml: -------------------------------------------------------------------------------- 1 | # renovate: datasource=github-releases depName=kubernetes/kubernetes 2 | version: v1.34.1 3 | url: https://dl.k8s.io/release/{{.Version}}/bin/{{.Os}}/{{.Architecture}}/kubectl 4 | -------------------------------------------------------------------------------- /.github/config.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/config.yml 3 | 4 | todo: 5 | keyword: "@todo" 6 | label: todo 7 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | version: "3" 2 | domain: ory.sh 3 | repo: github.com/ory/hydra-maester 4 | projectName: hydra-maester 5 | layout: 6 | - go.kubebuilder.io/v4 7 | resources: 8 | - group: hydra 9 | version: v1alpha1 10 | kind: OAuth2Client -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "private": true, 3 | "prettier": "ory-prettier-styles", 4 | "devDependencies": { 5 | "license-checker": "^25.0.1", 6 | "ory-prettier-styles": "1.3.0", 7 | "prettier": "3.7.1" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: webhook-service 5 | namespace: system 6 | spec: 7 | ports: 8 | - port: 443 9 | targetPort: 443 10 | selector: 11 | control-plane: controller-manager 12 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/FUNDING.yml 3 | 4 | # These are supported funding model platforms 5 | 6 | # github: 7 | patreon: _ory 8 | open_collective: ory 9 | -------------------------------------------------------------------------------- /.docker/Dockerfile-release: -------------------------------------------------------------------------------- 1 | # Use distroless as minimal base image to package the manager binary 2 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 3 | FROM gcr.io/distroless/static:nonroot 4 | WORKDIR / 5 | COPY manager . 6 | USER 65532:65532 7 | 8 | ENTRYPOINT ["/manager"] 9 | -------------------------------------------------------------------------------- /.deps/kustomize.yaml: -------------------------------------------------------------------------------- 1 | # renovate: datasource=github-releases depName=kubernetes-sigs/kustomize extractVersion=^kustomize\/v(?\d+\.\d+\.\d+)$ 2 | version: v5.7.1 3 | url: https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F{{.Version}}/kustomize_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz 4 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_oauth2clients.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 8 | name: oauth2clients.hydra.ory.sh 9 | -------------------------------------------------------------------------------- /config/default/manager_image_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | # Change the value of image field below to your controller image URL 11 | - image: controller:latest 12 | name: manager 13 | imagePullPolicy: IfNotPresent 14 | -------------------------------------------------------------------------------- /.github/workflows/format.yml: -------------------------------------------------------------------------------- 1 | name: Format 2 | 3 | on: 4 | pull_request: 5 | push: 6 | 7 | jobs: 8 | format: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v6 12 | - uses: actions/setup-go@v6 13 | with: 14 | go-version: "1.25" 15 | - run: make format 16 | - name: Indicate formatting issues 17 | run: git diff HEAD --exit-code --color 18 | -------------------------------------------------------------------------------- /.docker/Dockerfile-build: -------------------------------------------------------------------------------- 1 | FROM golang:1.25 AS builder 2 | WORKDIR /go/src/app 3 | COPY . . 4 | RUN make manager 5 | 6 | # Use distroless as minimal base image to package the manager binary 7 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 8 | FROM gcr.io/distroless/static:nonroot 9 | WORKDIR / 10 | COPY --from=builder /go/src/app/manager . 11 | USER 65532:65532 12 | 13 | ENTRYPOINT ["/manager"] 14 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | # Comment the following 3 lines if you want to disable 7 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 8 | # which protects your /metrics endpoint. 9 | - auth_proxy_service.yaml 10 | - auth_proxy_role.yaml 11 | - auth_proxy_role_binding.yaml 12 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "8443" 6 | prometheus.io/scheme: https 7 | prometheus.io/scrape: "true" 8 | labels: 9 | control-plane: controller-manager 10 | name: controller-manager-metrics-service 11 | namespace: system 12 | spec: 13 | ports: 14 | - name: https 15 | port: 8443 16 | targetPort: https 17 | selector: 18 | control-plane: controller-manager 19 | -------------------------------------------------------------------------------- /.docker/Dockerfile-kubebuilder: -------------------------------------------------------------------------------- 1 | FROM golang:1.25 AS builder 2 | WORKDIR /go/src/app 3 | 4 | ENV PATH=$PATH:/go/src/app/.bin 5 | 6 | COPY . . 7 | RUN make test &&\ 8 | make manager 9 | 10 | # Use distroless as minimal base image to package the manager binary 11 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 12 | FROM gcr.io/distroless/static:nonroot 13 | WORKDIR / 14 | COPY --from=builder /go/src/app/manager . 15 | USER 65532:65532 16 | 17 | ENTRYPOINT ["/manager"] 18 | -------------------------------------------------------------------------------- /config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: certmanager.k8s.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: certmanager.k8s.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: certmanager.k8s.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: certmanager.k8s.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | .bin/ 8 | bin 9 | .bin 10 | 11 | # Test binary, build with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Kubernetes Generated files - skip generated files, except for vendored files 18 | 19 | !vendor/**/zz_generated.* 20 | 21 | # editor and IDE paraphernalia 22 | .idea 23 | *.swp 24 | *.swo 25 | *~ 26 | 27 | config/default/manager_image_patch.yaml-e 28 | /manager 29 | 30 | node_modules/ 31 | dist/ 32 | -------------------------------------------------------------------------------- /config/default/manager_prometheus_metrics_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch enables Prometheus scraping for the manager pod. 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | metadata: 10 | annotations: 11 | prometheus.io/scrape: "true" 12 | spec: 13 | containers: 14 | # Expose the prometheus metrics on default port 15 | - name: manager 16 | ports: 17 | - containerPort: 8080 18 | name: metrics 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /.github/auto_assign.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/auto_assign.yml 3 | 4 | # Set to true to add reviewers to pull requests 5 | addReviewers: true 6 | 7 | # Set to true to add assignees to pull requests 8 | addAssignees: true 9 | 10 | # A list of reviewers to be added to pull requests (GitHub user name) 11 | assignees: 12 | - ory/maintainers 13 | 14 | # A number of reviewers added to the pull request 15 | # Set 0 to add all the reviewers (default: 0) 16 | numberOfReviewers: 0 17 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml 3 | 4 | blank_issues_enabled: false 5 | contact_links: 6 | - name: Ory Ory Hydra Maester Forum 7 | url: https://github.com/orgs/ory/discussions 8 | about: 9 | Please ask and answer questions here, show your implementations and 10 | discuss ideas. 11 | - name: Ory Chat 12 | url: https://www.ory.com/chat 13 | about: 14 | Hang out with other Ory community members to ask and answer questions. 15 | -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright © 2023 Ory Corp 3 | SPDX-License-Identifier: Apache-2.0 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 16 | */ -------------------------------------------------------------------------------- /config/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /config/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize. 3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1beta1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 16 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_oauth2clients.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: oauth2clients.hydra.ory.sh 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /.github/workflows/labels.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/labels.yml 3 | 4 | name: Synchronize Issue Labels 5 | 6 | on: 7 | workflow_dispatch: 8 | push: 9 | branches: 10 | - master 11 | 12 | jobs: 13 | milestone: 14 | if: github.repository_owner == 'ory' 15 | name: Synchronize Issue Labels 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v6 20 | - name: Synchronize Issue Labels 21 | uses: ory/label-sync-action@v0 22 | with: 23 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 24 | dry: false 25 | forced: true 26 | -------------------------------------------------------------------------------- /config/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: manager-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - secrets 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - hydra.ory.sh 21 | resources: 22 | - oauth2clients 23 | verbs: 24 | - create 25 | - delete 26 | - get 27 | - list 28 | - patch 29 | - update 30 | - watch 31 | - apiGroups: 32 | - hydra.ory.sh 33 | resources: 34 | - oauth2clients/status 35 | verbs: 36 | - get 37 | - patch 38 | - update 39 | -------------------------------------------------------------------------------- /config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | # the following config is for teaching kustomize how to do var substitution 5 | vars: 6 | - name: NAMESPACE # namespace of the service and the certificate CR 7 | objref: 8 | kind: Service 9 | version: v1 10 | name: webhook-service 11 | fieldref: 12 | fieldpath: metadata.namespace 13 | - name: CERTIFICATENAME 14 | objref: 15 | kind: Certificate 16 | group: certmanager.k8s.io 17 | version: v1alpha1 18 | name: serving-cert # this name should match the one in certificate.yaml 19 | - name: SERVICENAME 20 | objref: 21 | kind: Service 22 | version: v1 23 | name: webhook-service 24 | 25 | configurations: 26 | - kustomizeconfig.yaml 27 | -------------------------------------------------------------------------------- /api/v1alpha1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | // Package v1alpha1 contains API Schema definitions for the hydra v1alpha1 API group 5 | // +kubebuilder:object:generate=true 6 | // +groupName=hydra.ory.sh 7 | package v1alpha1 8 | 9 | import ( 10 | "k8s.io/apimachinery/pkg/runtime/schema" 11 | "sigs.k8s.io/controller-runtime/pkg/scheme" 12 | ) 13 | 14 | var ( 15 | // GroupVersion is group version used to register these objects 16 | GroupVersion = schema.GroupVersion{Group: "hydra.ory.sh", Version: "v1alpha1"} 17 | 18 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 19 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 20 | 21 | // AddToScheme adds the types in this group-version to the given scheme. 22 | AddToScheme = SchemeBuilder.AddToScheme 23 | ) 24 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/hydra.ory.sh_oauth2clients.yaml 6 | # +kubebuilder:scaffold:crdkustomizeresource 7 | 8 | patches: 9 | # [WEBHOOK] patches here are for enabling the conversion webhook for each CRD 10 | #- patches/webhook_in_oauth2clients.yaml 11 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 12 | 13 | # [CAINJECTION] patches here are for enabling the CA injection for each CRD 14 | #- patches/cainjection_in_oauth2clients.yaml 15 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 16 | 17 | # the following config is for teaching kustomize how to do kustomization for CRDs. 18 | configurations: 19 | - kustomizeconfig.yaml 20 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch inject a sidecar container which is a HTTP proxy for the controller manager, 2 | # it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: system 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 14 | args: 15 | - "--secure-listen-address=127.0.0.1:8443" 16 | - "--upstream=http://127.0.0.1:8080/" 17 | - "--logtostderr=true" 18 | - "--v=10" 19 | ports: 20 | - containerPort: 8443 21 | name: https 22 | - name: manager 23 | args: 24 | - "--metrics-addr=127.0.0.1:8080" 25 | -------------------------------------------------------------------------------- /config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 2 | # More document can be found at https://docs.cert-manager.io 3 | apiVersion: certmanager.k8s.io/v1alpha1 4 | kind: Issuer 5 | metadata: 6 | name: selfsigned-issuer 7 | namespace: system 8 | spec: 9 | selfSigned: {} 10 | --- 11 | apiVersion: certmanager.k8s.io/v1alpha1 12 | kind: Certificate 13 | metadata: 14 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 15 | namespace: system 16 | spec: 17 | # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize 18 | commonName: $(SERVICENAME).$(NAMESPACE).svc 19 | dnsNames: 20 | - $(SERVICENAME).$(NAMESPACE).svc.cluster.local 21 | issuerRef: 22 | kind: Issuer 23 | name: selfsigned-issuer 24 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 25 | -------------------------------------------------------------------------------- /config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: my-secret-456 5 | namespace: default 6 | type: Opaque 7 | data: 8 | CLIENT_ID: MDA5MDA5MDA= 9 | CLIENT_SECRET: czNjUjM3cDRzc1ZWMHJEMTIzNA== 10 | --- 11 | apiVersion: hydra.ory.sh/v1alpha1 12 | kind: OAuth2Client 13 | metadata: 14 | name: my-oauth2-client-2 15 | namespace: default 16 | spec: 17 | grantTypes: 18 | - client_credentials 19 | - implicit 20 | - authorization_code 21 | - refresh_token 22 | responseTypes: 23 | - id_token 24 | - code 25 | - token 26 | scope: "read write" 27 | secretName: my-secret-456 28 | # these are optional 29 | redirectUris: 30 | - https://client/account 31 | - http://localhost:8080 32 | postLogoutRedirectUris: 33 | - https://client/logout 34 | audience: 35 | - audience-a 36 | - audience-b 37 | hydraAdmin: {} 38 | tokenEndpointAuthMethod: client_secret_basic 39 | -------------------------------------------------------------------------------- /.github/workflows/closed_references.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/closed_references.yml 3 | 4 | name: Closed Reference Notifier 5 | 6 | on: 7 | schedule: 8 | - cron: "0 0 * * *" 9 | workflow_dispatch: 10 | inputs: 11 | issueLimit: 12 | description: Max. number of issues to create 13 | required: true 14 | default: "5" 15 | 16 | jobs: 17 | find_closed_references: 18 | if: github.repository_owner == 'ory' 19 | runs-on: ubuntu-latest 20 | name: Find closed references 21 | steps: 22 | - uses: actions/checkout@v6 23 | - uses: actions/setup-node@v2-beta 24 | with: 25 | node-version: "24" 26 | - uses: ory/closed-reference-notifier@v1 27 | with: 28 | token: ${{ secrets.GITHUB_TOKEN }} 29 | issueLabels: upstream,good first issue,help wanted 30 | issueLimit: ${{ github.event.inputs.issueLimit || '5' }} 31 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: system 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | control-plane: controller-manager 24 | spec: 25 | containers: 26 | - command: 27 | - /manager 28 | args: 29 | - --enable-leader-election 30 | - --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address 31 | image: controller:latest 32 | name: manager 33 | resources: 34 | limits: 35 | cpu: 100m 36 | memory: 30Mi 37 | requests: 38 | cpu: 100m 39 | memory: 20Mi 40 | terminationGracePeriodSeconds: 10 41 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client_custom_namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: custom-namespace 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: my-secret-123 11 | namespace: custom-namespace 12 | type: Opaque 13 | data: 14 | CLIENT_ID: NDI0MjQyNDI= 15 | CLIENT_SECRET: czNjUjM3cDRzc1ZWMHJENDMyMQ== 16 | --- 17 | apiVersion: hydra.ory.sh/v1alpha1 18 | kind: OAuth2Client 19 | metadata: 20 | name: my-oauth2-client-3 21 | namespace: custom-namespace 22 | spec: 23 | grantTypes: 24 | - client_credentials 25 | - implicit 26 | - authorization_code 27 | - refresh_token 28 | responseTypes: 29 | - id_token 30 | - code 31 | - token 32 | scope: "read write" 33 | secretName: my-secret-123 34 | # these are optional 35 | redirectUris: 36 | - https://client/account 37 | - http://localhost:8080 38 | postLogoutRedirectUris: 39 | - https://client/logout 40 | audience: 41 | - audience-a 42 | - audience-b 43 | hydraAdmin: {} 44 | tokenEndpointAuthMethod: client_secret_basic 45 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["config:recommended"], 4 | "packageRules": [ 5 | { 6 | "description": "Github workflows and actions", 7 | "enabled": true, 8 | "groupName": "github Actions", 9 | "matchFileNames": [".github/**"] 10 | }, 11 | { 12 | "description": "Docker image", 13 | "enabled": true, 14 | "groupName": "docker images", 15 | "matchFileNames": [".docker/**"] 16 | } 17 | ], 18 | "customManagers": [ 19 | { 20 | "customType": "regex", 21 | "description": "Consolidated version/image updates for Makefile and .deps yaml files", 22 | "fileMatch": ["^Makefile$", "^.deps/.*.yaml$"], 23 | "matchStrings": [ 24 | "# renovate: datasource=(?.*?) depName=(?[^\\s]+)(?: extractVersion=(?[^\\s]+))?\\n(?:(?[A-Z0-9_]+) ?\\?= ?|version: )(?.*)" 25 | ], 26 | "datasourceTemplate": "{{{ datasource }}}", 27 | "depNameTemplate": "{{{ depName }}}", 28 | "extractVersionTemplate": "{{{ extractVersion }}}" 29 | } 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: hydra-maester-system 3 | 4 | # Value of this field is prepended to the 5 | # names of all resources, e.g. a deployment named 6 | # "wordpress" becomes "alices-wordpress". 7 | # Note that it should also match with the prefix (text before '-') of the namespace 8 | # field above. 9 | namePrefix: hydra-maester- 10 | 11 | # Labels to add to all resources and selectors. 12 | #commonLabels: 13 | # someName: someValue 14 | 15 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml 16 | #- ../webhook 17 | # [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required. 18 | #- ../certmanager 19 | 20 | # Protect the /metrics endpoint by putting it behind auth. 21 | # Only one of manager_auth_proxy_patch.yaml and 22 | # manager_prometheus_metrics_patch.yaml should be enabled. 23 | apiVersion: kustomize.config.k8s.io/v1beta1 24 | kind: Kustomization 25 | resources: 26 | - ../crd 27 | - ../rbac 28 | - ../manager 29 | patches: 30 | - path: manager_image_patch.yaml 31 | - path: manager_auth_proxy_patch.yaml 32 | -------------------------------------------------------------------------------- /.github/workflows/licenses.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/licenses.yml 3 | 4 | name: Licenses 5 | 6 | on: 7 | pull_request: 8 | push: 9 | branches: 10 | - main 11 | - v3 12 | - master 13 | 14 | jobs: 15 | licenses: 16 | name: License compliance 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Install script 20 | uses: ory/ci/licenses/setup@master 21 | with: 22 | token: ${{ secrets.ORY_BOT_PAT || secrets.GITHUB_TOKEN }} 23 | - name: Check licenses 24 | uses: ory/ci/licenses/check@master 25 | - name: Write, commit, push licenses 26 | uses: ory/ci/licenses/write@master 27 | if: 28 | ${{ github.ref == 'refs/heads/main' || github.ref == 29 | 'refs/heads/master' || github.ref == 'refs/heads/v3' }} 30 | with: 31 | author-email: 32 | ${{ secrets.ORY_BOT_PAT && 33 | '60093411+ory-bot@users.noreply.github.com' || 34 | format('{0}@users.noreply.github.com', github.actor) }} 35 | author-name: ${{ secrets.ORY_BOT_PAT && 'ory-bot' || github.actor }} 36 | -------------------------------------------------------------------------------- /helpers/http_client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package helpers 5 | 6 | import ( 7 | "crypto/tls" 8 | "net/http" 9 | "os" 10 | 11 | ctrl "sigs.k8s.io/controller-runtime" 12 | 13 | httptransport "github.com/go-openapi/runtime/client" 14 | ) 15 | 16 | func CreateHttpClient(insecureSkipVerify bool, tlsTrustStore string) (*http.Client, error) { 17 | setupLog := ctrl.Log.WithName("setup") 18 | tr := &http.Transport{} 19 | httpClient := &http.Client{} 20 | if insecureSkipVerify { 21 | setupLog.Info("configuring TLS with InsecureSkipVerify") 22 | tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} 23 | httpClient.Transport = tr 24 | } 25 | if tlsTrustStore != "" { 26 | if _, err := os.Stat(tlsTrustStore); err != nil { 27 | return nil, err 28 | } 29 | 30 | setupLog.Info("configuring TLS with tlsTrustStore") 31 | ops := httptransport.TLSClientOptions{ 32 | CA: tlsTrustStore, 33 | InsecureSkipVerify: insecureSkipVerify, 34 | } 35 | if tlsClient, err := httptransport.TLSClient(ops); err != nil { 36 | setupLog.Error(err, "Error while getting TLSClient, default http client will be used") 37 | return tlsClient, nil 38 | } 39 | } 40 | return httpClient, nil 41 | } 42 | -------------------------------------------------------------------------------- /helpers/http_client_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package helpers_test 5 | 6 | import ( 7 | "os" 8 | "testing" 9 | 10 | "github.com/ory/hydra-maester/helpers" 11 | 12 | "github.com/stretchr/testify/require" 13 | ) 14 | 15 | func TestCreateHttpClient(t *testing.T) { 16 | t.Run("should create insecureSkipVerify client", func(t *testing.T) { 17 | client, err := helpers.CreateHttpClient(true, "") 18 | require.NotNil(t, client) 19 | require.Nil(t, err) 20 | }) 21 | 22 | t.Run("should create client with and tlsTrustStore", func(t *testing.T) { 23 | file, err := os.CreateTemp("", "test") 24 | require.Nil(t, err) 25 | client, err := helpers.CreateHttpClient(true, file.Name()) 26 | defer os.Remove(file.Name()) 27 | require.NotNil(t, client) 28 | require.Nil(t, err) 29 | }) 30 | 31 | t.Run("should not create client with and wrong tlsTrustStore", func(t *testing.T) { 32 | client, err := helpers.CreateHttpClient(true, "/somefile") 33 | require.Nil(t, client) 34 | require.NotNil(t, err) 35 | require.Equal(t, err.Error(), "stat /somefile: no such file or directory") 36 | }) 37 | 38 | t.Run("should create client without and tlsTrustStore", func(t *testing.T) { 39 | client, err := helpers.CreateHttpClient(true, "") 40 | require.NotNil(t, client) 41 | require.Nil(t, err) 42 | }) 43 | } 44 | -------------------------------------------------------------------------------- /.github/actions/deps-setup/action.yaml: -------------------------------------------------------------------------------- 1 | name: "Dependencies setup" 2 | description: "Sets up dependencies, uses cache to speedup execution" 3 | runs: 4 | using: "composite" 5 | steps: 6 | - name: Extract branch name 7 | shell: bash 8 | run: | 9 | echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> "$GITHUB_ENV" 10 | id: extract_branch 11 | 12 | - uses: actions/cache@v4 13 | id: cache-packages 14 | with: 15 | path: | 16 | ~/go/pkg/mod 17 | ~/go/bin 18 | ~/.config/helm 19 | ~/.local/share/helm 20 | ~/.cache/helm 21 | ${{ github.workspace }}/.bin 22 | key: 23 | ${{ runner.os }}-${{ steps.extract_branch.outputs.branch }}-${{ 24 | hashFiles('**/go.sum', '.deps/*') }} 25 | restore-keys: | 26 | ${{ runner.os }}-${{ steps.extract_branch.outputs.branch }}- 27 | 28 | - name: Setup dependencies 29 | if: steps.cache-packages.outputs.cache-hit != 'true' 30 | shell: bash 31 | env: 32 | HELM_INSTALL_DIR: ${{ github.workspace }}/.bin 33 | HELM_PLUGINS: ${{ github.workspace }}/.bin/plugins 34 | K3D_INSTALL_DIR: ${{ github.workspace }}/.bin 35 | run: | 36 | #Export .bin into PATH so k3d doesn't fail when installing 37 | export PATH=".bin:$PATH" 38 | echo "PATH=.bin:$PATH" >> $GITHUB_ENV 39 | make deps 40 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hydra.ory.sh/v1alpha1 2 | kind: OAuth2Client 3 | metadata: 4 | name: my-oauth2-client 5 | namespace: default 6 | spec: 7 | grantTypes: 8 | - client_credentials 9 | - implicit 10 | - authorization_code 11 | - refresh_token 12 | responseTypes: 13 | - id_token 14 | - code 15 | - token 16 | - code token 17 | - code id_token 18 | - id_token token 19 | - code id_token token 20 | scope: "read write" 21 | secretName: my-secret-123 22 | # these are optional 23 | redirectUris: 24 | - https://client/account 25 | - http://localhost:8080 26 | requestUris: 27 | - https://client/request 28 | - https://client/par-request 29 | postLogoutRedirectUris: 30 | - https://client/logout 31 | audience: 32 | - audience-a 33 | - audience-b 34 | hydraAdmin: 35 | # if hydraAdmin is specified, all of these fields are requried, 36 | # but they can be empty/0 37 | url: http://hydra-admin.namespace.cluster.domain 38 | port: 4445 39 | endpoint: /clients 40 | forwardedProto: https 41 | tokenEndpointAuthMethod: client_secret_basic 42 | # Additional optional fields 43 | accessTokenStrategy: jwt 44 | clientUri: https://example.com 45 | contacts: 46 | - admin@example.com 47 | - support@example.com 48 | policyUri: https://example.com/privacy 49 | tosUri: https://example.com/terms 50 | subjectType: public 51 | skipLogoutConsent: false 52 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Design 2 | 3 | ## Controller design 4 | 5 | The controller listens for Custom Resource which defines client registration 6 | request. Once Custom resource is created, the controller register oauth2 client 7 | in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the 8 | client in hydra are be stored in the kubernetes as a secret and referenced in 9 | the applied CR. Reference is used to identify in which kubernetes secret are 10 | stored mentioned properties. Secret iscreated in the same namespace of applied 11 | CR. By default controller should be deployed in the same pod as hydra. Service 12 | discovery will come in place in the future. 13 | 14 | Custom Resource should be Namespace scoped to enable isolation in k8s. It is 15 | represented in the diagram 16 | 17 | ![diagram](./assets/workflow.svg) 18 | 19 | ## Synchronization mode 20 | 21 | Additionally, controller supports synchronization mode, where it tries to 22 | register all clients in hydra. Synchronization is an optional mode, enabled via 23 | config, which is meant for use cases where hydra is deployed with in memory 24 | storage. If hydra pod is restarted for some reason then it does not have client 25 | in its storage. With synchronization mode the controller makes sure that hydra 26 | has up to date clients. Synchronization is done by making POST request to hydra 27 | with payload describing all client information including clientID,clientSecret 28 | and Identifier of last applied client. If client exists in hydra storage 409 is 29 | returned which is considered as ok and synchronization continues with other 30 | clients. 31 | 32 | ![diagram](./assets/synchronization-mode.svg) 33 | -------------------------------------------------------------------------------- /.github/workflows/cve-scan.yaml: -------------------------------------------------------------------------------- 1 | name: Docker Image Scan 2 | on: 3 | push: 4 | branches: 5 | - "master" 6 | tags: 7 | - "v*.*.*" 8 | pull_request: 9 | branches: 10 | - "master" 11 | 12 | jobs: 13 | docker: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v6 18 | - uses: actions/setup-go@v6 19 | name: Setup Golang 20 | with: 21 | go-version: "1.25" 22 | - name: Set up QEMU 23 | uses: docker/setup-qemu-action@v3 24 | - name: Set up Docker Buildx 25 | uses: docker/setup-buildx-action@v3 26 | - name: Build images 27 | shell: bash 28 | run: | 29 | make docker-build-notest 30 | - name: Anchore Scanner 31 | uses: anchore/scan-action@v7 32 | id: grype-scan 33 | with: 34 | image: controller:latest 35 | fail-build: true 36 | severity-cutoff: high 37 | debug: false 38 | acs-report-enable: true 39 | - name: Anchore upload scan SARIF report 40 | if: always() 41 | uses: github/codeql-action/upload-sarif@v4 42 | with: 43 | sarif_file: ${{ steps.grype-scan.outputs.sarif }} 44 | - name: Trivy Scanner 45 | uses: aquasecurity/trivy-action@master 46 | if: ${{ always() }} 47 | with: 48 | image-ref: controller:latest 49 | format: "table" 50 | exit-code: "42" 51 | ignore-unfixed: true 52 | vuln-type: "os,library" 53 | severity: "CRITICAL,HIGH" 54 | - name: Dockle Linter 55 | uses: erzz/dockle-action@v1.4.0 56 | if: ${{ always() }} 57 | with: 58 | image: controller:latest 59 | exit-code: 42 60 | failure-threshold: fatal 61 | -------------------------------------------------------------------------------- /.github/workflows/conventional_commits.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/conventional_commits.yml 3 | 4 | name: Conventional commits 5 | 6 | # This GitHub CI Action enforces that pull request titles follow conventional commits. 7 | # More info at https://www.conventionalcommits.org. 8 | # 9 | # The Ory-wide defaults for commit titles and scopes are below. 10 | # Your repository can add/replace elements via a configuration file at the path below. 11 | # More info at https://github.com/ory/ci/blob/master/conventional_commit_config/README.md 12 | 13 | on: 14 | pull_request_target: 15 | types: 16 | - edited 17 | - opened 18 | - ready_for_review 19 | - reopened 20 | # pull_request: # for debugging, uses config in local branch but supports only Pull Requests from this repo 21 | 22 | jobs: 23 | main: 24 | name: Validate PR title 25 | runs-on: ubuntu-latest 26 | steps: 27 | - uses: actions/checkout@v6 28 | - id: config 29 | uses: ory/ci/conventional_commit_config@master 30 | with: 31 | config_path: .github/conventional_commits.json 32 | default_types: | 33 | feat 34 | fix 35 | revert 36 | docs 37 | style 38 | refactor 39 | test 40 | build 41 | autogen 42 | security 43 | ci 44 | chore 45 | default_scopes: | 46 | deps 47 | docs 48 | default_require_scope: false 49 | - uses: amannn/action-semantic-pull-request@v6 50 | env: 51 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 52 | with: 53 | types: ${{ steps.config.outputs.types }} 54 | scopes: ${{ steps.config.outputs.scopes }} 55 | requireScope: ${{ steps.config.outputs.requireScope }} 56 | subjectPattern: ^(?![A-Z]).+$ 57 | subjectPatternError: | 58 | The subject should start with a lowercase letter, yours is uppercase: 59 | "{subject}" 60 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # This is an example goreleaser.yaml file with some sane defaults. 2 | # Make sure to check the documentation at http://goreleaser.com 3 | project_name: hydra-maester 4 | version: 2 5 | before: 6 | hooks: 7 | - "go mod download" 8 | 9 | builds: 10 | - id: linux-amd64 11 | flags: 12 | - -a 13 | binary: manager 14 | env: 15 | - CGO_ENABLED=0 16 | goarch: 17 | - amd64 18 | goos: 19 | - linux 20 | - id: linux-arm64 21 | flags: 22 | - -a 23 | binary: manager 24 | env: 25 | - CGO_ENABLED=0 26 | goarch: 27 | - arm64 28 | goos: 29 | - linux 30 | - id: linux-i386 31 | flags: 32 | - -a 33 | binary: manager 34 | env: 35 | - CGO_ENABLED=0 36 | goarch: 37 | - 386 38 | goos: 39 | - linux 40 | - id: darwin-amd64 41 | flags: 42 | - -a 43 | binary: manager 44 | env: 45 | - CGO_ENABLED=0 46 | goarch: 47 | - amd64 48 | goos: 49 | - darwin 50 | - id: darwin-arm64 51 | flags: 52 | - -a 53 | binary: manager 54 | env: 55 | - CGO_ENABLED=0 56 | goarch: 57 | - arm64 58 | goos: 59 | - darwin 60 | 61 | snapshot: 62 | version_template: "{{ .Tag }}-next" 63 | 64 | changelog: 65 | sort: asc 66 | use: github-native 67 | 68 | dockers: 69 | - image_templates: 70 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 71 | - "oryd/hydra-maester:{{ .ShortCommit }}-amd64" 72 | goarch: amd64 73 | build_flag_templates: 74 | - "--platform=linux/amd64" 75 | dockerfile: ".docker/Dockerfile-release" 76 | ids: 77 | - "linux-amd64" 78 | - image_templates: 79 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 80 | - "oryd/hydra-maester:{{ .ShortCommit }}-arm64" 81 | goarch: arm64 82 | build_flag_templates: 83 | - "--platform=linux/arm64" 84 | dockerfile: ".docker/Dockerfile-release" 85 | ids: 86 | - "linux-arm64" 87 | 88 | docker_manifests: 89 | - name_template: "oryd/hydra-maester:{{ .Tag }}" 90 | id: "tag" 91 | image_templates: 92 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 93 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 94 | - name_template: "oryd/hydra-maester:latest" 95 | id: "latest" 96 | image_templates: 97 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 98 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 99 | 100 | release: 101 | prerelease: auto 102 | name_template: "{{ .Tag }}" 103 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | 12 | 13 | ## Related Issue or Design Document 14 | 15 | 29 | 30 | ## Checklist 31 | 32 | 36 | 37 | - [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md) and signed the CLA. 38 | - [ ] I have referenced an issue containing the design document if my change introduces a new feature. 39 | - [ ] I have read the [security policy](../security/policy). 40 | - [ ] I confirm that this pull request does not address a security vulnerability. 41 | If this pull request addresses a security vulnerability, 42 | I confirm that I got approval (please contact [security@ory.com](mailto:security@ory.com)) from the maintainers to push the changes. 43 | - [ ] I have added tests that prove my fix is effective or that my feature works. 44 | - [ ] I have added the necessary documentation within the code base (if appropriate). 45 | 46 | ## Further comments 47 | 48 | 52 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Ory Security Policy 5 | 6 | This policy outlines Ory's security commitments and practices for users across 7 | different licensing and deployment models. 8 | 9 | To learn more about Ory's security service level agreements (SLAs) and 10 | processes, please [contact us](https://www.ory.com/contact/). 11 | 12 | ## Ory Network Users 13 | 14 | - **Security SLA:** Ory addresses vulnerabilities in the Ory Network according 15 | to the following guidelines: 16 | - Critical: Typically addressed within 14 days. 17 | - High: Typically addressed within 30 days. 18 | - Medium: Typically addressed within 90 days. 19 | - Low: Typically addressed within 180 days. 20 | - Informational: Addressed as necessary. 21 | These timelines are targets and may vary based on specific circumstances. 22 | - **Release Schedule:** Updates are deployed to the Ory Network as 23 | vulnerabilities are resolved. 24 | - **Version Support:** The Ory Network always runs the latest version, ensuring 25 | up-to-date security fixes. 26 | 27 | ## Ory Enterprise License Customers 28 | 29 | - **Security SLA:** Ory addresses vulnerabilities based on their severity: 30 | - Critical: Typically addressed within 14 days. 31 | - High: Typically addressed within 30 days. 32 | - Medium: Typically addressed within 90 days. 33 | - Low: Typically addressed within 180 days. 34 | - Informational: Addressed as necessary. 35 | These timelines are targets and may vary based on specific circumstances. 36 | - **Release Schedule:** Updates are made available as vulnerabilities are 37 | resolved. Ory works closely with enterprise customers to ensure timely updates 38 | that align with their operational needs. 39 | - **Version Support:** Ory may provide security support for multiple versions, 40 | depending on the terms of the enterprise agreement. 41 | 42 | ## Apache 2.0 License Users 43 | 44 | - **Security SLA:** Ory does not provide a formal SLA for security issues under 45 | the Apache 2.0 License. 46 | - **Release Schedule:** Releases prioritize new functionality and include fixes 47 | for known security vulnerabilities at the time of release. While major 48 | releases typically occur one to two times per year, Ory does not guarantee a 49 | fixed release schedule. 50 | - **Version Support:** Security patches are only provided for the latest release 51 | version. 52 | 53 | ## Reporting a Vulnerability 54 | 55 | For details on how to report security vulnerabilities, visit our 56 | [security policy documentation](https://www.ory.com/docs/ecosystem/security). 57 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/stale.yml 3 | 4 | name: "Close Stale Issues" 5 | on: 6 | workflow_dispatch: 7 | schedule: 8 | - cron: "0 0 * * *" 9 | 10 | jobs: 11 | stale: 12 | if: github.repository_owner == 'ory' 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/stale@v10 16 | with: 17 | repo-token: ${{ secrets.GITHUB_TOKEN }} 18 | stale-issue-message: | 19 | Hello contributors! 20 | 21 | I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue 22 | 23 | - open a PR referencing and resolving the issue; 24 | - leave a comment on it and discuss ideas on how you could contribute towards resolving it; 25 | - leave a comment and describe in detail why this issue is critical for your use case; 26 | - open a new issue with updated details and a plan for resolving the issue. 27 | 28 | Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. 29 | 30 | Unfortunately, [burnout](https://www.jeffgeerling.com/blog/2016/why-i-close-prs-oss-project-maintainer-notes) has become a [topic](https://opensource.guide/best-practices/#its-okay-to-hit-pause) of [concern](https://docs.brew.sh/Maintainers-Avoiding-Burnout) amongst open-source projects. 31 | 32 | It can lead to severe personal and health issues as well as [opening](https://haacked.com/archive/2019/05/28/maintainer-burnout/) catastrophic [attack vectors](https://www.gradiant.org/en/blog/open-source-maintainer-burnout-as-an-attack-surface/). 33 | 34 | The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. 35 | 36 | If this issue was marked as stale erroneously you can exempt it by adding the `backlog` label, assigning someone, or setting a milestone for it. 37 | 38 | Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! 39 | 40 | Thank you 🙏✌️ 41 | stale-issue-label: "stale" 42 | exempt-issue-labels: "bug,blocking,docs,backlog" 43 | days-before-stale: 365 44 | days-before-close: 30 45 | exempt-milestones: true 46 | exempt-assignees: true 47 | only-pr-labels: "stale" 48 | -------------------------------------------------------------------------------- /controllers/suite_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package controllers_test 5 | 6 | import ( 7 | "context" 8 | "path/filepath" 9 | "testing" 10 | 11 | . "github.com/onsi/ginkgo" 12 | . "github.com/onsi/gomega" 13 | 14 | "k8s.io/client-go/kubernetes/scheme" 15 | "k8s.io/client-go/rest" 16 | "k8s.io/client-go/util/retry" 17 | "sigs.k8s.io/controller-runtime/pkg/client" 18 | "sigs.k8s.io/controller-runtime/pkg/envtest" 19 | logf "sigs.k8s.io/controller-runtime/pkg/log" 20 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 21 | "sigs.k8s.io/controller-runtime/pkg/manager" 22 | "sigs.k8s.io/controller-runtime/pkg/reconcile" 23 | // +kubebuilder:scaffold:imports 24 | ) 25 | 26 | // These tests use Ginkgo (BDD-style Go testing framework). Refer to 27 | // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 28 | 29 | var cfg *rest.Config 30 | var k8sClient client.Client 31 | var testEnv *envtest.Environment 32 | 33 | func TestAPIs(t *testing.T) { 34 | RegisterFailHandler(Fail) 35 | 36 | RunSpecsWithDefaultAndCustomReporters(t, 37 | "Controller Suite", 38 | []Reporter{}) 39 | } 40 | 41 | var _ = BeforeSuite(func(done Done) { 42 | logf.SetLogger(zap.New(zap.UseDevMode(true), zap.WriteTo(GinkgoWriter))) 43 | 44 | By("bootstrapping test environment") 45 | testEnv = &envtest.Environment{ 46 | CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, 47 | } 48 | 49 | var err error 50 | cfg, err = testEnv.Start() 51 | Expect(err).ToNot(HaveOccurred()) 52 | Expect(cfg).ToNot(BeNil()) 53 | 54 | // +kubebuilder:scaffold:scheme 55 | 56 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 57 | Expect(err).ToNot(HaveOccurred()) 58 | Expect(k8sClient).ToNot(BeNil()) 59 | 60 | close(done) 61 | }, 60) 62 | 63 | var _ = AfterSuite(func() { 64 | By("tearing down the test environment") 65 | 66 | // Need to retry a bit if the first stop fails due to a bug: 67 | // https://github.com/kubernetes-sigs/controller-runtime/issues/1571 68 | err := retry.OnError(retry.DefaultBackoff, func(err error) bool { 69 | return true 70 | }, func() error { 71 | return testEnv.Stop() 72 | }) 73 | Expect(err).NotTo(HaveOccurred()) 74 | }) 75 | 76 | // SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and 77 | // writes the request to requests after Reconcile is finished. 78 | func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) { 79 | requests := make(chan reconcile.Request) 80 | fn := reconcile.Func(func(ctx context.Context, req reconcile.Request) (reconcile.Result, error) { 81 | result, err := inner.Reconcile(ctx, req) 82 | requests <- req 83 | return result, err 84 | }) 85 | return fn, requests 86 | } 87 | 88 | // StartTestManager adds recFn 89 | func StartTestManager(mgr manager.Manager) context.Context { 90 | ctx := context.Background() 91 | 92 | go func() { 93 | defer GinkgoRecover() 94 | defer ctx.Done() 95 | Expect(mgr.Start(ctx)).NotTo(HaveOccurred()) 96 | }() 97 | return ctx 98 | } 99 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml 3 | 4 | description: 5 | "Suggest an idea for this project without a plan for implementation" 6 | labels: 7 | - feat 8 | name: "Feature Request" 9 | body: 10 | - attributes: 11 | value: | 12 | Thank you for suggesting an idea for this project! 13 | 14 | If you already have a plan to implement a feature or a change, please create a [design document](https://github.com/aeneasr/gh-template-test/issues/new?assignees=&labels=rfc&template=DESIGN-DOC.yml) instead if the change is non-trivial! 15 | type: markdown 16 | - attributes: 17 | label: "Preflight checklist" 18 | options: 19 | - label: 20 | "I could not find a solution in the existing issues, docs, nor 21 | discussions." 22 | required: true 23 | - label: 24 | "I agree to follow this project's [Code of 25 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 26 | required: true 27 | - label: 28 | "I have read and am following this repository's [Contribution 29 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 30 | required: true 31 | - label: 32 | "I have joined the [Ory Community Slack](https://slack.ory.com)." 33 | - label: 34 | "I am signed up to the [Ory Security Patch 35 | Newsletter](https://www.ory.com/l/sign-up-newsletter)." 36 | id: checklist 37 | type: checkboxes 38 | - attributes: 39 | description: 40 | "Enter the slug or API URL of the affected Ory Network project. Leave 41 | empty when you are self-hosting." 42 | label: "Ory Network Project" 43 | placeholder: "https://.projects.oryapis.com" 44 | id: ory-network-project 45 | type: input 46 | - attributes: 47 | description: 48 | "Is your feature request related to a problem? Please describe." 49 | label: "Describe your problem" 50 | placeholder: 51 | "A clear and concise description of what the problem is. Ex. I'm always 52 | frustrated when [...]" 53 | id: problem 54 | type: textarea 55 | validations: 56 | required: true 57 | - attributes: 58 | description: | 59 | Describe the solution you'd like 60 | placeholder: | 61 | A clear and concise description of what you want to happen. 62 | label: "Describe your ideal solution" 63 | id: solution 64 | type: textarea 65 | validations: 66 | required: true 67 | - attributes: 68 | description: "Describe alternatives you've considered" 69 | label: "Workarounds or alternatives" 70 | id: alternatives 71 | type: textarea 72 | validations: 73 | required: true 74 | - attributes: 75 | description: "What version of our software are you running?" 76 | label: Version 77 | id: version 78 | type: input 79 | validations: 80 | required: true 81 | - attributes: 82 | description: 83 | "Add any other context or screenshots about the feature request here." 84 | label: Additional Context 85 | id: additional 86 | type: textarea 87 | -------------------------------------------------------------------------------- /controllers/mocks/hydra/Client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | // Code generated by mockery v1.0.0. DO NOT EDIT. 5 | 6 | package mocks 7 | 8 | import ( 9 | hydra "github.com/ory/hydra-maester/hydra" 10 | mock "github.com/stretchr/testify/mock" 11 | ) 12 | 13 | // Client is an autogenerated mock type for the Client type 14 | type Client struct { 15 | mock.Mock 16 | } 17 | 18 | // DeleteOAuth2Client provides a mock function with given fields: id 19 | func (_m *Client) DeleteOAuth2Client(id string) error { 20 | ret := _m.Called(id) 21 | 22 | var r0 error 23 | if rf, ok := ret.Get(0).(func(string) error); ok { 24 | r0 = rf(id) 25 | } else { 26 | r0 = ret.Error(0) 27 | } 28 | 29 | return r0 30 | } 31 | 32 | // GetOAuth2Client provides a mock function with given fields: id 33 | func (_m *Client) GetOAuth2Client(id string) (*hydra.OAuth2ClientJSON, bool, error) { 34 | ret := _m.Called(id) 35 | 36 | var r0 *hydra.OAuth2ClientJSON 37 | if rf, ok := ret.Get(0).(func(string) *hydra.OAuth2ClientJSON); ok { 38 | r0 = rf(id) 39 | } else { 40 | if ret.Get(0) != nil { 41 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 42 | } 43 | } 44 | 45 | var r1 bool 46 | if rf, ok := ret.Get(1).(func(string) bool); ok { 47 | r1 = rf(id) 48 | } else { 49 | r1 = ret.Get(1).(bool) 50 | } 51 | 52 | var r2 error 53 | if rf, ok := ret.Get(2).(func(string) error); ok { 54 | r2 = rf(id) 55 | } else { 56 | r2 = ret.Error(2) 57 | } 58 | 59 | return r0, r1, r2 60 | } 61 | 62 | // ListOAuth2Client provides a mock function with given fields: 63 | func (_m *Client) ListOAuth2Client() ([]*hydra.OAuth2ClientJSON, error) { 64 | ret := _m.Called() 65 | 66 | var r0 []*hydra.OAuth2ClientJSON 67 | if rf, ok := ret.Get(0).(func() []*hydra.OAuth2ClientJSON); ok { 68 | r0 = rf() 69 | } else { 70 | if ret.Get(0) != nil { 71 | r0 = ret.Get(0).([]*hydra.OAuth2ClientJSON) 72 | } 73 | } 74 | 75 | var r1 error 76 | if rf, ok := ret.Get(1).(func() error); ok { 77 | r1 = rf() 78 | } else { 79 | r1 = ret.Error(1) 80 | } 81 | 82 | return r0, r1 83 | } 84 | 85 | // PostOAuth2Client provides a mock function with given fields: o 86 | func (_m *Client) PostOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { 87 | ret := _m.Called(o) 88 | 89 | var r0 *hydra.OAuth2ClientJSON 90 | if rf, ok := ret.Get(0).(func(*hydra.OAuth2ClientJSON) *hydra.OAuth2ClientJSON); ok { 91 | r0 = rf(o) 92 | } else { 93 | if ret.Get(0) != nil { 94 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 95 | } 96 | } 97 | 98 | var r1 error 99 | if rf, ok := ret.Get(1).(func(*hydra.OAuth2ClientJSON) error); ok { 100 | r1 = rf(o) 101 | } else { 102 | r1 = ret.Error(1) 103 | } 104 | 105 | return r0, r1 106 | } 107 | 108 | // PutOAuth2Client provides a mock function with given fields: o 109 | func (_m *Client) PutOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { 110 | ret := _m.Called(o) 111 | 112 | var r0 *hydra.OAuth2ClientJSON 113 | if rf, ok := ret.Get(0).(func(*hydra.OAuth2ClientJSON) *hydra.OAuth2ClientJSON); ok { 114 | r0 = rf(o) 115 | } else { 116 | if ret.Get(0) != nil { 117 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 118 | } 119 | } 120 | 121 | var r1 error 122 | if rf, ok := ret.Get(1).(func(*hydra.OAuth2ClientJSON) error); ok { 123 | r1 = rf(o) 124 | } else { 125 | r1 = ret.Error(1) 126 | } 127 | 128 | return r0, r1 129 | } 130 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/BUG-REPORT.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml 3 | 4 | description: "Create a bug report" 5 | labels: 6 | - bug 7 | name: "Bug Report" 8 | body: 9 | - attributes: 10 | value: "Thank you for taking the time to fill out this bug report!\n" 11 | type: markdown 12 | - attributes: 13 | label: "Preflight checklist" 14 | options: 15 | - label: 16 | "I could not find a solution in the existing issues, docs, nor 17 | discussions." 18 | required: true 19 | - label: 20 | "I agree to follow this project's [Code of 21 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 22 | required: true 23 | - label: 24 | "I have read and am following this repository's [Contribution 25 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 26 | required: true 27 | - label: 28 | "I have joined the [Ory Community Slack](https://slack.ory.com)." 29 | - label: 30 | "I am signed up to the [Ory Security Patch 31 | Newsletter](https://www.ory.com/l/sign-up-newsletter)." 32 | id: checklist 33 | type: checkboxes 34 | - attributes: 35 | description: 36 | "Enter the slug or API URL of the affected Ory Network project. Leave 37 | empty when you are self-hosting." 38 | label: "Ory Network Project" 39 | placeholder: "https://.projects.oryapis.com" 40 | id: ory-network-project 41 | type: input 42 | - attributes: 43 | description: "A clear and concise description of what the bug is." 44 | label: "Describe the bug" 45 | placeholder: "Tell us what you see!" 46 | id: describe-bug 47 | type: textarea 48 | validations: 49 | required: true 50 | - attributes: 51 | description: | 52 | Clear, formatted, and easy to follow steps to reproduce the behavior: 53 | placeholder: | 54 | Steps to reproduce the behavior: 55 | 56 | 1. Run `docker run ....` 57 | 2. Make API Request to with `curl ...` 58 | 3. Request fails with response: `{"some": "error"}` 59 | label: "Reproducing the bug" 60 | id: reproduce-bug 61 | type: textarea 62 | validations: 63 | required: true 64 | - attributes: 65 | description: 66 | "Please copy and paste any relevant log output. This will be 67 | automatically formatted into code, so no need for backticks. Please 68 | redact any sensitive information" 69 | label: "Relevant log output" 70 | render: shell 71 | placeholder: | 72 | log=error .... 73 | id: logs 74 | type: textarea 75 | - attributes: 76 | description: 77 | "Please copy and paste any relevant configuration. This will be 78 | automatically formatted into code, so no need for backticks. Please 79 | redact any sensitive information!" 80 | label: "Relevant configuration" 81 | render: yml 82 | placeholder: | 83 | server: 84 | admin: 85 | port: 1234 86 | id: config 87 | type: textarea 88 | - attributes: 89 | description: "What version of our software are you running?" 90 | label: Version 91 | id: version 92 | type: input 93 | validations: 94 | required: true 95 | - attributes: 96 | label: "On which operating system are you observing this issue?" 97 | options: 98 | - Ory Network 99 | - macOS 100 | - Linux 101 | - Windows 102 | - FreeBSD 103 | - Other 104 | id: operating-system 105 | type: dropdown 106 | - attributes: 107 | label: "In which environment are you deploying?" 108 | options: 109 | - Ory Network 110 | - Docker 111 | - "Docker Compose" 112 | - "Kubernetes with Helm" 113 | - Kubernetes 114 | - Binary 115 | - Other 116 | id: deployment 117 | type: dropdown 118 | - attributes: 119 | description: "Add any other context about the problem here." 120 | label: Additional Context 121 | id: additional 122 | type: textarea 123 | -------------------------------------------------------------------------------- /hydra/types_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2024 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra_test 5 | 6 | import ( 7 | "testing" 8 | 9 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 10 | "github.com/ory/hydra-maester/hydra" 11 | "github.com/stretchr/testify/assert" 12 | ) 13 | 14 | func TestTypes(t *testing.T) { 15 | t.Run("Test ScopeArray", func(t *testing.T) { 16 | c := hydrav1alpha1.OAuth2Client{ 17 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 18 | ScopeArray: []string{"scope1", "scope2"}, 19 | }, 20 | } 21 | 22 | var parsedClient, err = hydra.FromOAuth2Client(&c) 23 | if err != nil { 24 | assert.Fail(t, "unexpected error: %s", err) 25 | } 26 | 27 | assert.Equal(t, "scope1 scope2", parsedClient.Scope) 28 | }) 29 | 30 | t.Run("Test having both Scope and ScopeArray", func(t *testing.T) { 31 | c := hydrav1alpha1.OAuth2Client{ 32 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 33 | Scope: "scope3", 34 | ScopeArray: []string{"scope1", "scope2"}, 35 | }, 36 | } 37 | 38 | var parsedClient, err = hydra.FromOAuth2Client(&c) 39 | if err != nil { 40 | assert.Fail(t, "unexpected error: %s", err) 41 | } 42 | 43 | assert.Equal(t, "scope1 scope2 scope3", parsedClient.Scope) 44 | }) 45 | 46 | t.Run("Test having jwks uri", func(t *testing.T) { 47 | c := hydrav1alpha1.OAuth2Client{ 48 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 49 | JwksUri: "https://ory.sh/jwks.json", 50 | }, 51 | } 52 | 53 | var parsedClient, err = hydra.FromOAuth2Client(&c) 54 | if err != nil { 55 | assert.Fail(t, "unexpected error: %s", err) 56 | } 57 | 58 | assert.Equal(t, "https://ory.sh/jwks.json", parsedClient.JwksUri) 59 | }) 60 | 61 | t.Run("Test jwks uri is required when token endpoint auth method is private_key_jwt", func(t *testing.T) { 62 | c := hydrav1alpha1.OAuth2Client{ 63 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 64 | TokenEndpointAuthMethod: "private_key_jwt", 65 | }, 66 | } 67 | 68 | var _, err = hydra.FromOAuth2Client(&c) 69 | 70 | assert.ErrorContains(t, err, "JwksUri") 71 | }) 72 | 73 | t.Run("Test RequestURIs conversion", func(t *testing.T) { 74 | c := hydrav1alpha1.OAuth2Client{ 75 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 76 | RequestURIs: []hydrav1alpha1.RedirectURI{ 77 | "https://example.com/request1", 78 | "https://example.com/request2", 79 | }, 80 | }, 81 | } 82 | 83 | var parsedClient, err = hydra.FromOAuth2Client(&c) 84 | if err != nil { 85 | assert.Fail(t, "unexpected error: %s", err) 86 | } 87 | 88 | expected := []string{"https://example.com/request1", "https://example.com/request2"} 89 | assert.Equal(t, expected, parsedClient.RequestURIs) 90 | }) 91 | 92 | t.Run("Test AccessTokenStrategy field", func(t *testing.T) { 93 | c := hydrav1alpha1.OAuth2Client{ 94 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 95 | AccessTokenStrategy: "jwt", 96 | }, 97 | } 98 | 99 | var parsedClient, err = hydra.FromOAuth2Client(&c) 100 | if err != nil { 101 | assert.Fail(t, "unexpected error: %s", err) 102 | } 103 | 104 | assert.Equal(t, "jwt", parsedClient.AccessTokenStrategy) 105 | }) 106 | 107 | t.Run("Test multiple new fields", func(t *testing.T) { 108 | c := hydrav1alpha1.OAuth2Client{ 109 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 110 | ClientUri: "https://example.com", 111 | Contacts: []string{"admin@example.com", "support@example.com"}, 112 | PolicyUri: "https://example.com/privacy", 113 | TosUri: "https://example.com/terms", 114 | SubjectType: "public", 115 | SkipLogoutConsent: true, 116 | ClientSecretExpiresAt: 1234567890, 117 | }, 118 | } 119 | 120 | var parsedClient, err = hydra.FromOAuth2Client(&c) 121 | if err != nil { 122 | assert.Fail(t, "unexpected error: %s", err) 123 | } 124 | 125 | assert.Equal(t, "https://example.com", parsedClient.ClientUri) 126 | assert.Equal(t, []string{"admin@example.com", "support@example.com"}, parsedClient.Contacts) 127 | assert.Equal(t, "https://example.com/privacy", parsedClient.PolicyUri) 128 | assert.Equal(t, "https://example.com/terms", parsedClient.TosUri) 129 | assert.Equal(t, "public", parsedClient.SubjectType) 130 | assert.Equal(t, true, parsedClient.SkipLogoutConsent) 131 | assert.Equal(t, int64(1234567890), parsedClient.ClientSecretExpiresAt) 132 | }) 133 | } 134 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | - [Ory Hydra Maester](#ory-hydra-maester) 5 | - [Prerequisites](#prerequisites) 6 | - [Design](#design) 7 | - [How to use it](#how-to-use-it) 8 | - [Command-line flags](#command-line-flags) 9 | - [Development](#development) 10 | - [Testing](#testing) 11 | 12 | 13 | 14 | # Ory Hydra Maester 15 | 16 | ⚠️ ⚠️ ⚠️ 17 | 18 | > Ory Hydra Maester is developed by the Ory community and is not actively 19 | > maintained by Ory core maintainers due to lack of resources, time, and 20 | > knolwedge. As such please be aware that there might be issues with the system. 21 | > If you have ideas for better testing and development principles please open an 22 | > issue or PR! 23 | 24 | ⚠️ ⚠️ ⚠️ 25 | 26 | This project contains a Kubernetes controller that uses Custom Resources (CR) to 27 | manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of 28 | `oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes 29 | corresponding OAuth2 clients by communicating with ORY Hydra's API. 30 | 31 | Visit Hydra-maester's 32 | [chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) 33 | and view [sample OAuth2 client resources](config/samples) to learn more about 34 | the `oauth2clients.hydra.ory.sh/v1alpha1` CR. 35 | 36 | The project is based on 37 | [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder). 38 | 39 | ## Prerequisites 40 | 41 | - recent version of Go language with support for modules (e.g: 1.12.6) 42 | - make 43 | - kubectl 44 | - kustomize 45 | - [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running 46 | tests 47 | - [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing 48 | - access to K8s environment: minikube or a remote K8s cluster 49 | - [mockery](https://github.com/vektra/mockery) to generate mocks for testing 50 | purposes 51 | 52 | ## Design 53 | 54 | Take a look at [Design Readme](./docs/README.md). 55 | 56 | ## How to use it 57 | 58 | - `make test` to run tests 59 | - `make test-integration` to run integration tests 60 | - `make install` to generate CRD file from go sources and install it on the 61 | cluster 62 | - `export HYDRA_URL={HYDRA_SERVICE_URL} && make run` to run the controller 63 | 64 | To deploy the controller, edit the value of the `--hydra-url` argument in the 65 | [manager.yaml](config/manager/manager.yaml) file and run `make deploy`. 66 | 67 | ### Command-line flags 68 | 69 | | Name | Required | Description | Default value | Example values | 70 | | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------- | 71 | | **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` | 72 | | **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` | 73 | | **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` | 74 | | **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` | 75 | | **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` | 76 | | **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` | 77 | 78 | ### Environmental Variables 79 | 80 | | Variable name | Default value | Example value | 81 | | :---------------------- | ------------------- | --------------------- | 82 | | `**CLIENT_ID_KEY**` | `**CLIENT_ID**` | `**MY_SECRET_NAME**` | 83 | | `**CLIENT_SECRET_KEY**` | `**CLIENT_SECRET**` | `**MY_SECRET_VALUE**` | 84 | 85 | ## Development 86 | 87 | ### Testing 88 | 89 | Use mockery to generate mock types that implement existing interfaces. To 90 | generate a mock type for an interface, navigate to the directory containing that 91 | interface and run this command: 92 | 93 | ``` 94 | mockery -name={INTERFACE_NAME} 95 | ``` 96 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package main 5 | 6 | import ( 7 | "flag" 8 | "fmt" 9 | "os" 10 | "time" 11 | 12 | "sigs.k8s.io/controller-runtime/pkg/cache" 13 | "sigs.k8s.io/controller-runtime/pkg/metrics/server" 14 | 15 | "github.com/ory/hydra-maester/hydra" 16 | 17 | apiv1 "k8s.io/api/core/v1" 18 | "k8s.io/apimachinery/pkg/runtime" 19 | _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" 20 | ctrl "sigs.k8s.io/controller-runtime" 21 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 22 | 23 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 24 | "github.com/ory/hydra-maester/controllers" 25 | // +kubebuilder:scaffold:imports 26 | ) 27 | 28 | var ( 29 | scheme = runtime.NewScheme() 30 | setupLog = ctrl.Log.WithName("setup") 31 | ) 32 | 33 | func init() { 34 | _ = apiv1.AddToScheme(scheme) 35 | _ = hydrav1alpha1.AddToScheme(scheme) 36 | // +kubebuilder:scaffold:scheme 37 | } 38 | 39 | func main() { 40 | var ( 41 | metricsAddr, hydraURL, endpoint, forwardedProto, syncPeriod, tlsTrustStore, namespace, leaderElectorNs string 42 | hydraPort int 43 | enableLeaderElection, insecureSkipVerify bool 44 | ) 45 | 46 | flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") 47 | flag.StringVar(&hydraURL, "hydra-url", "", "The address of ORY Hydra") 48 | flag.IntVar(&hydraPort, "hydra-port", 4445, "Port ORY Hydra is listening on") 49 | flag.StringVar(&endpoint, "endpoint", "/clients", "ORY Hydra's client endpoint") 50 | flag.StringVar(&forwardedProto, "forwarded-proto", "", "If set, this adds the value as the X-Forwarded-Proto header in requests to the ORY Hydra admin server") 51 | flag.StringVar(&tlsTrustStore, "tls-trust-store", "", "trust store certificate path. If set ca will be set in http client to connect with hydra admin") 52 | flag.StringVar(&syncPeriod, "sync-period", "10h", "Determines the minimum frequency at which watched resources are reconciled") 53 | flag.BoolVar(&enableLeaderElection, "enable-leader-election", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.") 54 | flag.BoolVar(&insecureSkipVerify, "insecure-skip-verify", false, "If set, http client will be configured to skip insecure verification to connect with hydra admin") 55 | flag.StringVar(&namespace, "namespace", "", "Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces.") 56 | flag.StringVar(&leaderElectorNs, "leader-elector-namespace", "", "Leader elector namespace where controller should be set.") 57 | flag.Parse() 58 | 59 | ctrl.SetLogger(zap.New(zap.UseDevMode(true))) 60 | 61 | syncPeriodParsed, err := time.ParseDuration(syncPeriod) 62 | if err != nil { 63 | setupLog.Error(err, "unable to start manager") 64 | os.Exit(1) 65 | } 66 | 67 | mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 68 | Scheme: scheme, 69 | Metrics: server.Options{ 70 | BindAddress: metricsAddr, 71 | }, 72 | LeaderElection: enableLeaderElection, 73 | Cache: cache.Options{ 74 | SyncPeriod: &syncPeriodParsed, 75 | DefaultNamespaces: map[string]cache.Config{ 76 | os.Getenv("NAMESPACE"): {}, 77 | }, 78 | }, 79 | LeaderElectionNamespace: leaderElectorNs, 80 | }) 81 | if err != nil { 82 | setupLog.Error(err, "unable to start manager") 83 | os.Exit(1) 84 | } 85 | 86 | if hydraURL == "" { 87 | setupLog.Error(fmt.Errorf("hydra URL can't be empty"), "unable to create controller", "controller", "OAuth2Client") 88 | os.Exit(1) 89 | } 90 | 91 | defaultSpec := hydrav1alpha1.OAuth2ClientSpec{ 92 | HydraAdmin: hydrav1alpha1.HydraAdmin{ 93 | URL: hydraURL, 94 | Port: hydraPort, 95 | Endpoint: endpoint, 96 | ForwardedProto: forwardedProto, 97 | }, 98 | } 99 | if tlsTrustStore != "" { 100 | if _, err := os.Stat(tlsTrustStore); err != nil { 101 | setupLog.Error(err, "cannot parse tls trust store") 102 | os.Exit(1) 103 | } 104 | } 105 | 106 | hydraClient, err := hydra.New(defaultSpec, tlsTrustStore, insecureSkipVerify) 107 | if err != nil { 108 | setupLog.Error(err, "making default hydra client", "controller", "OAuth2Client") 109 | os.Exit(1) 110 | 111 | } 112 | 113 | err = controllers.New( 114 | mgr.GetClient(), 115 | hydraClient, 116 | ctrl.Log.WithName("controllers").WithName("OAuth2Client"), 117 | controllers.WithNamespace(namespace), 118 | ).SetupWithManager(mgr) 119 | if err != nil { 120 | setupLog.Error(err, "unable to create controller", "controller", "OAuth2Client") 121 | os.Exit(1) 122 | } 123 | // +kubebuilder:scaffold:builder 124 | 125 | setupLog.Info("starting manager") 126 | if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { 127 | setupLog.Error(err, "problem running manager") 128 | os.Exit(1) 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/ory/hydra-maester 2 | 3 | go 1.25.1 4 | 5 | require ( 6 | github.com/go-logr/logr v1.4.3 7 | github.com/go-openapi/runtime v0.29.2 8 | github.com/go-playground/validator/v10 v10.28.0 9 | github.com/google/uuid v1.6.0 10 | github.com/onsi/ginkgo v1.16.5 11 | github.com/onsi/gomega v1.38.2 12 | github.com/stretchr/testify v1.11.1 13 | golang.org/x/net v0.47.0 14 | k8s.io/api v0.34.2 15 | k8s.io/apiextensions-apiserver v0.34.2 16 | k8s.io/apimachinery v0.34.2 17 | k8s.io/client-go v0.34.2 18 | k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 19 | sigs.k8s.io/controller-runtime v0.22.4 20 | ) 21 | 22 | require ( 23 | github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect 24 | github.com/beorn7/perks v1.0.1 // indirect 25 | github.com/cespare/xxhash/v2 v2.3.0 // indirect 26 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 27 | github.com/emicklei/go-restful/v3 v3.12.2 // indirect 28 | github.com/evanphx/json-patch/v5 v5.9.11 // indirect 29 | github.com/fsnotify/fsnotify v1.9.0 // indirect 30 | github.com/fxamacker/cbor/v2 v2.9.0 // indirect 31 | github.com/gabriel-vasile/mimetype v1.4.10 // indirect 32 | github.com/go-logr/stdr v1.2.2 // indirect 33 | github.com/go-logr/zapr v1.3.0 // indirect 34 | github.com/go-openapi/analysis v0.24.1 // indirect 35 | github.com/go-openapi/errors v0.22.4 // indirect 36 | github.com/go-openapi/jsonpointer v0.22.1 // indirect 37 | github.com/go-openapi/jsonreference v0.21.3 // indirect 38 | github.com/go-openapi/loads v0.23.2 // indirect 39 | github.com/go-openapi/spec v0.22.1 // indirect 40 | github.com/go-openapi/strfmt v0.25.0 // indirect 41 | github.com/go-openapi/swag v0.23.0 // indirect 42 | github.com/go-openapi/swag/conv v0.25.1 // indirect 43 | github.com/go-openapi/swag/fileutils v0.25.1 // indirect 44 | github.com/go-openapi/swag/jsonname v0.25.1 // indirect 45 | github.com/go-openapi/swag/jsonutils v0.25.1 // indirect 46 | github.com/go-openapi/swag/loading v0.25.1 // indirect 47 | github.com/go-openapi/swag/mangling v0.25.1 // indirect 48 | github.com/go-openapi/swag/stringutils v0.25.1 // indirect 49 | github.com/go-openapi/swag/typeutils v0.25.1 // indirect 50 | github.com/go-openapi/swag/yamlutils v0.25.1 // indirect 51 | github.com/go-openapi/validate v0.25.1 // indirect 52 | github.com/go-playground/locales v0.14.1 // indirect 53 | github.com/go-playground/universal-translator v0.18.1 // indirect 54 | github.com/go-viper/mapstructure/v2 v2.4.0 // indirect 55 | github.com/gogo/protobuf v1.3.2 // indirect 56 | github.com/google/btree v1.1.3 // indirect 57 | github.com/google/gnostic-models v0.7.0 // indirect 58 | github.com/google/go-cmp v0.7.0 // indirect 59 | github.com/josharian/intern v1.0.0 // indirect 60 | github.com/json-iterator/go v1.1.12 // indirect 61 | github.com/leodido/go-urn v1.4.0 // indirect 62 | github.com/mailru/easyjson v0.7.7 // indirect 63 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 64 | github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect 65 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 66 | github.com/nxadm/tail v1.4.8 // indirect 67 | github.com/oklog/ulid v1.3.1 // indirect 68 | github.com/onsi/ginkgo/v2 v2.26.0 // indirect 69 | github.com/pkg/errors v0.9.1 // indirect 70 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 71 | github.com/prometheus/client_golang v1.22.0 // indirect 72 | github.com/prometheus/client_model v0.6.1 // indirect 73 | github.com/prometheus/common v0.62.0 // indirect 74 | github.com/prometheus/procfs v0.15.1 // indirect 75 | github.com/spf13/pflag v1.0.6 // indirect 76 | github.com/stretchr/objx v0.5.2 // indirect 77 | github.com/x448/float16 v0.8.4 // indirect 78 | go.mongodb.org/mongo-driver v1.17.6 // indirect 79 | go.opentelemetry.io/auto/sdk v1.2.1 // indirect 80 | go.opentelemetry.io/otel v1.38.0 // indirect 81 | go.opentelemetry.io/otel/metric v1.38.0 // indirect 82 | go.opentelemetry.io/otel/trace v1.38.0 // indirect 83 | go.uber.org/multierr v1.11.0 // indirect 84 | go.uber.org/zap v1.27.0 // indirect 85 | go.yaml.in/yaml/v2 v2.4.2 // indirect 86 | go.yaml.in/yaml/v3 v3.0.4 // indirect 87 | golang.org/x/crypto v0.45.0 // indirect 88 | golang.org/x/oauth2 v0.27.0 // indirect 89 | golang.org/x/sync v0.18.0 // indirect 90 | golang.org/x/sys v0.38.0 // indirect 91 | golang.org/x/term v0.37.0 // indirect 92 | golang.org/x/text v0.31.0 // indirect 93 | golang.org/x/time v0.9.0 // indirect 94 | gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect 95 | google.golang.org/protobuf v1.36.7 // indirect 96 | gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect 97 | gopkg.in/inf.v0 v0.9.1 // indirect 98 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect 99 | gopkg.in/yaml.v3 v3.0.1 // indirect 100 | k8s.io/klog/v2 v2.130.1 // indirect 101 | k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect 102 | sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect 103 | sigs.k8s.io/randfill v1.0.0 // indirect 104 | sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect 105 | sigs.k8s.io/yaml v1.6.0 // indirect 106 | ) 107 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: 3 | push: 4 | branches: 5 | - "master" 6 | tags: 7 | - "v*" 8 | pull_request: 9 | 10 | concurrency: 11 | group: ci-${{ github.ref }} 12 | cancel-in-progress: true 13 | 14 | jobs: 15 | dependencies: 16 | name: Prepare Dependencies 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v6 21 | - uses: actions/setup-go@v6 22 | with: 23 | go-version: "1.25" 24 | - name: Setup dependencies 25 | uses: ./.github/actions/deps-setup 26 | 27 | detect-repo-changes: 28 | name: Detected Repo Changes 29 | runs-on: ubuntu-latest 30 | outputs: 31 | code-changed: ${{ steps.filter.outputs.code }} 32 | dockerfile-changed: ${{ steps.filter.outputs.docker }} 33 | cicd-definition-changed: ${{ steps.filter.outputs.cicd-definitions }} 34 | steps: 35 | - name: Checkout 36 | uses: actions/checkout@v6 37 | - uses: dorny/paths-filter@v3.0.2 38 | id: filter 39 | with: 40 | base: master 41 | filters: | 42 | code: 43 | - 'api/**' 44 | - 'config/**' 45 | - 'controllers/**' 46 | - 'helpers/**' 47 | - 'hydra/**' 48 | - 'go.mod' 49 | - 'go.sum' 50 | - '*.go' 51 | - 'PROJECT' 52 | docker: 53 | - '.docker/**' 54 | cicd-definitions: 55 | - '.github/workflows/**' 56 | - '.github/actions/**' 57 | - 'Makefile' 58 | 59 | gha-lint: 60 | name: Lint GithubAction files 61 | if: | 62 | needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' 63 | needs: 64 | - detect-repo-changes 65 | runs-on: ubuntu-latest 66 | steps: 67 | - name: Checkout 68 | uses: actions/checkout@v6 69 | - name: actionlint 70 | id: actionlint 71 | uses: raven-actions/actionlint@v2 72 | with: 73 | fail-on-error: true 74 | 75 | test-build: 76 | name: Compile and test 77 | runs-on: ubuntu-latest 78 | if: | 79 | needs.detect-repo-changes.outputs.code-changed == 'true' || 80 | needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' || 81 | github.ref_type == 'tag' 82 | needs: 83 | - detect-repo-changes 84 | - dependencies 85 | steps: 86 | - name: Checkout 87 | uses: actions/checkout@v6 88 | - name: Checkout dependencies 89 | uses: ./.github/actions/deps-setup 90 | - uses: actions/setup-go@v6 91 | with: 92 | go-version: "1.25" 93 | cache: false 94 | - name: Build 95 | run: make manager 96 | - name: Test 97 | run: make test 98 | 99 | test-integration: 100 | name: Run integration tests 101 | runs-on: ubuntu-latest 102 | if: | 103 | needs.detect-repo-changes.outputs.code-changed == 'true' || 104 | needs.detect-repo-changes.outputs.dockerfile-changed == 'true' || 105 | needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' || 106 | github.ref_type == 'tag' 107 | needs: 108 | - detect-repo-changes 109 | - dependencies 110 | steps: 111 | - name: Checkout 112 | uses: actions/checkout@v6 113 | - name: Checkout dependencies 114 | uses: ./.github/actions/deps-setup 115 | - uses: actions/setup-go@v6 116 | with: 117 | go-version: "1.25" 118 | cache: false 119 | - name: Test 120 | run: make test-integration 121 | 122 | test-docker: 123 | name: Build docker image 124 | runs-on: ubuntu-latest 125 | if: | 126 | needs.detect-repo-changes.outputs.dockerfile-changed == 'true' || 127 | needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' || 128 | github.ref_type == 'tag' 129 | needs: 130 | - detect-repo-changes 131 | - dependencies 132 | steps: 133 | - name: Checkout 134 | uses: actions/checkout@v6 135 | - name: Checkout dependencies 136 | uses: ./.github/actions/deps-setup 137 | - name: Build image 138 | run: make docker-build-notest 139 | 140 | release: 141 | if: github.ref_type == 'tag' 142 | needs: 143 | - test-build 144 | - test-integration 145 | - test-docker 146 | runs-on: ubuntu-latest 147 | steps: 148 | - name: Checkout 149 | uses: actions/checkout@v6 150 | - name: Checkout dependencies 151 | uses: ./.github/actions/deps-setup 152 | - name: Set up Go 153 | uses: actions/setup-go@v6 154 | with: 155 | go-version: "1.25" 156 | - name: Login to Docker Hub 157 | uses: docker/login-action@v3 158 | with: 159 | username: ${{ secrets.DOCKERHUB_USERNAME }} 160 | password: ${{ secrets.DOCKERHUB_PASSWORD }} 161 | - name: Run GoReleaser 162 | uses: goreleaser/goreleaser-action@v6 163 | with: 164 | distribution: goreleaser 165 | version: latest 166 | args: release --clean 167 | env: 168 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 169 | -------------------------------------------------------------------------------- /hydra/client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra 5 | 6 | import ( 7 | "bytes" 8 | "encoding/json" 9 | "fmt" 10 | "io" 11 | "net/http" 12 | "net/url" 13 | "path" 14 | 15 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 16 | "github.com/ory/hydra-maester/helpers" 17 | ) 18 | 19 | type Client interface { 20 | GetOAuth2Client(id string) (*OAuth2ClientJSON, bool, error) 21 | ListOAuth2Client() ([]*OAuth2ClientJSON, error) 22 | PostOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) 23 | PutOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) 24 | DeleteOAuth2Client(id string) error 25 | } 26 | 27 | type InternalClient struct { 28 | HydraURL url.URL 29 | HTTPClient *http.Client 30 | ForwardedProto string 31 | } 32 | 33 | // New returns a new hydra InternalClient instance. 34 | func New(spec hydrav1alpha1.OAuth2ClientSpec, tlsTrustStore string, insecureSkipVerify bool) (Client, error) { 35 | address := fmt.Sprintf("%s:%d", spec.HydraAdmin.URL, spec.HydraAdmin.Port) 36 | u, err := url.Parse(address) 37 | if err != nil { 38 | return nil, err 39 | } 40 | 41 | c, err := helpers.CreateHttpClient(insecureSkipVerify, tlsTrustStore) 42 | if err != nil { 43 | return nil, err 44 | } 45 | 46 | client := &InternalClient{ 47 | HydraURL: *u.ResolveReference(&url.URL{Path: spec.HydraAdmin.Endpoint}), 48 | HTTPClient: c, 49 | } 50 | 51 | if spec.HydraAdmin.ForwardedProto != "" && spec.HydraAdmin.ForwardedProto != "off" { 52 | client.ForwardedProto = spec.HydraAdmin.ForwardedProto 53 | } 54 | 55 | return client, nil 56 | } 57 | 58 | func (c *InternalClient) GetOAuth2Client(id string) (*OAuth2ClientJSON, bool, error) { 59 | var jsonClient *OAuth2ClientJSON 60 | 61 | req, err := c.newRequest(http.MethodGet, id, nil) 62 | if err != nil { 63 | return nil, false, err 64 | } 65 | 66 | resp, err := c.do(req, &jsonClient) 67 | if err != nil { 68 | return nil, false, err 69 | } 70 | 71 | switch resp.StatusCode { 72 | case http.StatusOK: 73 | return jsonClient, true, nil 74 | case http.StatusNotFound, http.StatusUnauthorized: 75 | return nil, false, nil 76 | default: 77 | return nil, false, fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 78 | } 79 | } 80 | 81 | func (c *InternalClient) ListOAuth2Client() ([]*OAuth2ClientJSON, error) { 82 | var jsonClientList []*OAuth2ClientJSON 83 | 84 | req, err := c.newRequest(http.MethodGet, "", nil) 85 | if err != nil { 86 | return nil, err 87 | } 88 | 89 | resp, err := c.do(req, &jsonClientList) 90 | if err != nil { 91 | return nil, err 92 | } 93 | 94 | switch resp.StatusCode { 95 | case http.StatusOK: 96 | return jsonClientList, nil 97 | default: 98 | return nil, fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 99 | } 100 | } 101 | 102 | func (c *InternalClient) PostOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { 103 | var jsonClient *OAuth2ClientJSON 104 | 105 | req, err := c.newRequest(http.MethodPost, "", o) 106 | if err != nil { 107 | return nil, err 108 | } 109 | 110 | resp, err := c.do(req, &jsonClient) 111 | if err != nil { 112 | return nil, err 113 | } 114 | 115 | switch resp.StatusCode { 116 | case http.StatusCreated: 117 | return jsonClient, nil 118 | case http.StatusConflict: 119 | return nil, fmt.Errorf("%s %s http request failed: requested ID already exists", req.Method, req.URL) 120 | default: 121 | return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) 122 | } 123 | } 124 | 125 | func (c *InternalClient) PutOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { 126 | var jsonClient *OAuth2ClientJSON 127 | 128 | req, err := c.newRequest(http.MethodPut, *o.ClientID, o) 129 | if err != nil { 130 | return nil, err 131 | } 132 | 133 | resp, err := c.do(req, &jsonClient) 134 | if err != nil { 135 | return nil, err 136 | } 137 | 138 | if resp.StatusCode != http.StatusOK { 139 | return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) 140 | } 141 | 142 | return jsonClient, nil 143 | } 144 | 145 | func (c *InternalClient) DeleteOAuth2Client(id string) error { 146 | req, err := c.newRequest(http.MethodDelete, id, nil) 147 | if err != nil { 148 | return err 149 | } 150 | 151 | resp, err := c.do(req, nil) 152 | if err != nil { 153 | return err 154 | } 155 | 156 | switch resp.StatusCode { 157 | case http.StatusNoContent: 158 | return nil 159 | case http.StatusNotFound: 160 | fmt.Printf("InternalClient with id %s does not exist", id) 161 | return nil 162 | default: 163 | return fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 164 | } 165 | } 166 | 167 | func (c *InternalClient) newRequest(method, relativePath string, body interface{}) (*http.Request, error) { 168 | var buf io.ReadWriter 169 | if body != nil { 170 | buf = new(bytes.Buffer) 171 | err := json.NewEncoder(buf).Encode(body) 172 | if err != nil { 173 | return nil, err 174 | } 175 | } 176 | 177 | u := c.HydraURL 178 | u.Path = path.Join(u.Path, relativePath) 179 | 180 | req, err := http.NewRequest(method, u.String(), buf) 181 | if err != nil { 182 | return nil, err 183 | } 184 | 185 | if c.ForwardedProto != "" { 186 | req.Header.Add("X-Forwarded-Proto", c.ForwardedProto) 187 | } 188 | 189 | if body != nil { 190 | req.Header.Set("Content-Type", "application/json") 191 | } 192 | req.Header.Set("Accept", "application/json") 193 | 194 | return req, nil 195 | 196 | } 197 | 198 | func (c *InternalClient) do(req *http.Request, v interface{}) (*http.Response, error) { 199 | resp, err := c.HTTPClient.Do(req) 200 | if err != nil { 201 | return nil, err 202 | } 203 | 204 | defer resp.Body.Close() 205 | if v != nil && resp.StatusCode < 300 { 206 | err = json.NewDecoder(resp.Body).Decode(v) 207 | } 208 | return resp, err 209 | } 210 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Contributor Covenant Code of Conduct 5 | 6 | ## Our Pledge 7 | 8 | We as members, contributors, and leaders pledge to make participation in our 9 | community a harassment-free experience for everyone, regardless of age, body 10 | size, visible or invisible disability, ethnicity, sex characteristics, gender 11 | identity and expression, level of experience, education, socio-economic status, 12 | nationality, personal appearance, race, caste, color, religion, or sexual 13 | identity and orientation. 14 | 15 | We pledge to act and interact in ways that contribute to an open, welcoming, 16 | diverse, inclusive, and healthy community. 17 | 18 | ## Our Standards 19 | 20 | Examples of behavior that contributes to a positive environment for our 21 | community include: 22 | 23 | - Demonstrating empathy and kindness toward other people 24 | - Being respectful of differing opinions, viewpoints, and experiences 25 | - Giving and gracefully accepting constructive feedback 26 | - Accepting responsibility and apologizing to those affected by our mistakes, 27 | and learning from the experience 28 | - Focusing on what is best not just for us as individuals, but for the overall 29 | community 30 | 31 | Examples of unacceptable behavior include: 32 | 33 | - The use of sexualized language or imagery, and sexual attention or advances of 34 | any kind 35 | - Trolling, insulting or derogatory comments, and personal or political attacks 36 | - Public or private harassment 37 | - Publishing others' private information, such as a physical or email address, 38 | without their explicit permission 39 | - Other conduct which could reasonably be considered inappropriate in a 40 | professional setting 41 | 42 | ## Open Source Community Support 43 | 44 | Ory Open source software is collaborative and based on contributions by 45 | developers in the Ory community. There is no obligation from Ory to help with 46 | individual problems. If Ory open source software is used in production in a 47 | for-profit company or enterprise environment, we mandate a paid support contract 48 | where Ory is obligated under their service level agreements (SLAs) to offer a 49 | defined level of availability and responsibility. For more information about 50 | paid support please contact us at sales@ory.com. 51 | 52 | ## Enforcement Responsibilities 53 | 54 | Community leaders are responsible for clarifying and enforcing our standards of 55 | acceptable behavior and will take appropriate and fair corrective action in 56 | response to any behavior that they deem inappropriate, threatening, offensive, 57 | or harmful. 58 | 59 | Community leaders have the right and responsibility to remove, edit, or reject 60 | comments, commits, code, wiki edits, issues, and other contributions that are 61 | not aligned to this Code of Conduct, and will communicate reasons for moderation 62 | decisions when appropriate. 63 | 64 | ## Scope 65 | 66 | This Code of Conduct applies within all community spaces, and also applies when 67 | an individual is officially representing the community in public spaces. 68 | Examples of representing our community include using an official e-mail address, 69 | posting via an official social media account, or acting as an appointed 70 | representative at an online or offline event. 71 | 72 | ## Enforcement 73 | 74 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 75 | reported to the community leaders responsible for enforcement at 76 | [office@ory.com](mailto:office@ory.com). All complaints will be reviewed and 77 | investigated promptly and fairly. 78 | 79 | All community leaders are obligated to respect the privacy and security of the 80 | reporter of any incident. 81 | 82 | ## Enforcement Guidelines 83 | 84 | Community leaders will follow these Community Impact Guidelines in determining 85 | the consequences for any action they deem in violation of this Code of Conduct: 86 | 87 | ### 1. Correction 88 | 89 | **Community Impact**: Use of inappropriate language or other behavior deemed 90 | unprofessional or unwelcome in the community. 91 | 92 | **Consequence**: A private, written warning from community leaders, providing 93 | clarity around the nature of the violation and an explanation of why the 94 | behavior was inappropriate. A public apology may be requested. 95 | 96 | ### 2. Warning 97 | 98 | **Community Impact**: A violation through a single incident or series of 99 | actions. 100 | 101 | **Consequence**: A warning with consequences for continued behavior. No 102 | interaction with the people involved, including unsolicited interaction with 103 | those enforcing the Code of Conduct, for a specified period of time. This 104 | includes avoiding interactions in community spaces as well as external channels 105 | like social media. Violating these terms may lead to a temporary or permanent 106 | ban. 107 | 108 | ### 3. Temporary Ban 109 | 110 | **Community Impact**: A serious violation of community standards, including 111 | sustained inappropriate behavior. 112 | 113 | **Consequence**: A temporary ban from any sort of interaction or public 114 | communication with the community for a specified period of time. No public or 115 | private interaction with the people involved, including unsolicited interaction 116 | with those enforcing the Code of Conduct, is allowed during this period. 117 | Violating these terms may lead to a permanent ban. 118 | 119 | ### 4. Permanent Ban 120 | 121 | **Community Impact**: Demonstrating a pattern of violation of community 122 | standards, including sustained inappropriate behavior, harassment of an 123 | individual, or aggression toward or disparagement of classes of individuals. 124 | 125 | **Consequence**: A permanent ban from any sort of public interaction within the 126 | community. 127 | 128 | ## Attribution 129 | 130 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 131 | version 2.1, available at 132 | [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. 133 | 134 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 135 | enforcement ladder][mozilla coc]. 136 | 137 | For answers to common questions about this code of conduct, see the FAQ at 138 | [https://www.contributor-covenant.org/faq][faq]. Translations are available at 139 | [https://www.contributor-covenant.org/translations][translations]. 140 | 141 | [homepage]: https://www.contributor-covenant.org 142 | [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html 143 | [mozilla coc]: https://github.com/mozilla/diversity 144 | [faq]: https://www.contributor-covenant.org/faq 145 | [translations]: https://www.contributor-covenant.org/translations 146 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(OS),Windows_NT) 2 | ifeq ($(PROCESSOR_ARCHITECTURE),AMD64) 3 | ARCH=amd64 4 | OS=windows 5 | endif 6 | else 7 | UNAME_S := $(shell uname -s) 8 | ifeq ($(UNAME_S),Linux) 9 | OS=linux 10 | ARCH=amd64 11 | ifneq ($(TERM),) 12 | export TERM := xterm 13 | endif 14 | ifndef TERM 15 | export TERM := xterm 16 | endif 17 | 18 | endif 19 | ifeq ($(UNAME_S),Darwin) 20 | OS=darwin 21 | ifeq ($(shell uname -m),x86_64) 22 | ARCH=amd64 23 | endif 24 | ifeq ($(shell uname -m),arm64) 25 | ARCH=arm64 26 | endif 27 | ifneq ("$(wildcard .bin/with_brew)","") 28 | BREW=true 29 | endif 30 | ifeq ($(BREW),true) 31 | ifeq ($(shell which brew),brew not found) 32 | BREW=false 33 | else 34 | BREW_FORMULA:=$(shell brew list --formula -1) 35 | endif 36 | endif 37 | endif 38 | endif 39 | ##@ Build Dependencies 40 | 41 | ## Location to install dependencies to 42 | LOCALBIN ?= $(shell pwd)/.bin 43 | $(LOCALBIN): 44 | mkdir -p $(LOCALBIN) 45 | 46 | SHELL=/bin/bash -euo pipefail 47 | 48 | export PATH := .bin:${PATH} 49 | export PWD := $(shell pwd) 50 | 51 | # renovate: datasource=docker depName=docker.io/rancher/k3s 52 | K3SIMAGE_VERSION ?= v1.34.2-k3s1 53 | export K3SIMAGE := ${K3SIMAGE_VERSION} 54 | 55 | ## Tool Binaries 56 | CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen 57 | ENVTEST ?= $(LOCALBIN)/setup-envtest 58 | 59 | ## Tool Versions 60 | # renovate: datasource=github-releases depName=kubernetes-sigs/controller-tools 61 | CONTROLLER_TOOLS_VERSION ?= v0.19.0 62 | # renovate: datasource=github-releases depName=kubernetes/kubernetes 63 | ENVTEST_K8S_VERSION ?= 1.34.1 64 | 65 | # Image URL to use all building/pushing image targets 66 | IMG ?= controller:latest 67 | 68 | run-with-cleanup = $(1) && $(2) || (ret=$$?; $(2) && exit $$ret) 69 | 70 | # find or download controller-gen 71 | # download controller-gen if necessary 72 | .PHONY: controller-gen 73 | controller-gen: $(CONTROLLER_GEN) 74 | $(CONTROLLER_GEN): $(LOCALBIN) 75 | test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ 76 | GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) 77 | 78 | ## Download envtest-setup locally if necessary. 79 | .PHONY: envtest 80 | envtest: $(ENVTEST) 81 | $(ENVTEST): $(LOCALBIN) 82 | test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest 83 | 84 | .bin/ory: Makefile 85 | curl https://raw.githubusercontent.com/ory/meta/master/install.sh | bash -s -- -b .bin ory 86 | touch .bin/ory 87 | 88 | .bin/kubectl: Makefile 89 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/kubectl.yaml); \ 90 | echo "Downloading 'kubectl' $${URL}...."; \ 91 | curl -Lo .bin/kubectl $${URL}; \ 92 | chmod +x .bin/kubectl; 93 | 94 | .bin/kustomize: Makefile 95 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/kustomize.yaml); \ 96 | echo "Downloading 'kustomize' $${URL}...."; \ 97 | curl -L $${URL} | tar -xmz -C .bin kustomize; \ 98 | chmod +x .bin/kustomize; 99 | 100 | .bin/k3d: Makefile 101 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/k3d.yaml); \ 102 | echo "Downloading 'k3d' $${URL}...."; \ 103 | curl -Lo .bin/k3d $${URL}; \ 104 | chmod +x .bin/k3d; 105 | 106 | .PHONY: deps 107 | deps: .bin/ory .bin/k3d .bin/kubectl .bin/kustomize envtest controller-gen 108 | 109 | .PHONY: all 110 | all: manager 111 | 112 | # Run tests 113 | .PHONY: test 114 | test: manifests generate vet envtest 115 | KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out 116 | 117 | .PHONY: k3d-up 118 | k3d-up: 119 | k3d cluster create --image docker.io/rancher/k3s:$${K3SIMAGE} ory \ 120 | --api-port 127.0.0.1:6443 \ 121 | --k3s-arg=--tls-san="127.0.0.1@server:0" \ 122 | --k3s-arg=--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,ServiceAccount@server:0" \ 123 | --k3s-arg=feature-gates="NamespaceDefaultLabelName=true@server:0"; 124 | 125 | .PHONY: k3d-down 126 | k3d-down: 127 | k3d cluster delete ory || true 128 | 129 | .PHONY: k3d-deploy 130 | k3d-deploy: manager-ci manifests docker-build-notest k3d-up 131 | kubectl config set-context k3d-ory 132 | k3d image load controller:latest -c ory 133 | kubectl apply -f config/crd/bases 134 | kustomize build config/default | kubectl apply -f - 135 | 136 | .PHONY: k3d-test 137 | k3d-test: k3d-deploy 138 | kubectl config set-context k3d-ory 139 | go install github.com/onsi/ginkgo/ginkgo@latest 140 | USE_EXISTING_CLUSTER=true ginkgo -v ./controllers/... 141 | 142 | # Run integration tests on local cluster 143 | .PHONY: test-integration 144 | test-integration: 145 | $(call run-with-cleanup, $(MAKE) k3d-test, $(MAKE) k3d-down) 146 | 147 | # Build manager binary 148 | .PHONY: manager 149 | manager: generate vet 150 | CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -a -o manager main.go 151 | 152 | # Build manager binary for CI 153 | .PHONY: manager-ci 154 | manager-ci: generate vet 155 | CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go 156 | 157 | # Run against the configured Kubernetes cluster in ~/.kube/config 158 | .PHONY: run 159 | run: generate vet 160 | go run ./main.go --hydra-url ${HYDRA_URL} 161 | 162 | # Install CRDs into a cluster 163 | .PHONY: install 164 | install: manifests 165 | kubectl apply -f config/crd/bases 166 | 167 | # Deploy controller in the configured Kubernetes cluster in ~/.kube/config 168 | .PHONY: deploy 169 | deploy: manifests 170 | kubectl apply -f config/crd/bases 171 | kustomize build config/default | kubectl apply -f - 172 | 173 | # Generate manifests e.g. CRD, RBAC etc. 174 | .PHONY: manifests 175 | manifests: controller-gen 176 | $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases 177 | 178 | # Format the source code 179 | format: .bin/ory node_modules 180 | .bin/ory dev headers copyright --type=open-source 181 | go fmt ./... 182 | npm exec -- prettier --write . 183 | 184 | # Run go vet against code 185 | .PHONY: vet 186 | vet: 187 | go vet ./... 188 | 189 | # Generate code 190 | .PHONY: generate 191 | generate: controller-gen 192 | $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." 193 | 194 | # Build the docker image 195 | .PHONY: docker-build-notest 196 | docker-build-notest: 197 | docker build . -t ${IMG} -f .docker/Dockerfile-build 198 | @echo "updating kustomize image patch file for manager resource" 199 | sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/default/manager_image_patch.yaml 200 | 201 | .PHONY: docker-build 202 | docker-build: test docker-build-notest 203 | 204 | # Push the docker image 205 | .PHONY: docker-push 206 | docker-push: 207 | docker push ${IMG} 208 | 209 | licenses: .bin/licenses node_modules # checks open-source licenses 210 | .bin/licenses 211 | 212 | .bin/licenses: Makefile 213 | curl https://raw.githubusercontent.com/ory/ci/master/licenses/install | sh 214 | 215 | node_modules: package-lock.json 216 | npm ci 217 | touch node_modules 218 | -------------------------------------------------------------------------------- /api/v1alpha1/zz_generated.deepcopy.go: -------------------------------------------------------------------------------- 1 | //go:build !ignore_autogenerated 2 | 3 | /* 4 | Copyright © 2023 Ory Corp 5 | SPDX-License-Identifier: Apache-2.0 6 | 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | Unless required by applicable law or agreed to in writing, software 14 | distributed under the License is distributed on an "AS IS" BASIS, 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | See the License for the specific language governing permissions and 17 | limitations under the License. 18 | */ 19 | 20 | // Code generated by controller-gen. DO NOT EDIT. 21 | 22 | package v1alpha1 23 | 24 | import ( 25 | runtime "k8s.io/apimachinery/pkg/runtime" 26 | ) 27 | 28 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 29 | func (in *HydraAdmin) DeepCopyInto(out *HydraAdmin) { 30 | *out = *in 31 | } 32 | 33 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HydraAdmin. 34 | func (in *HydraAdmin) DeepCopy() *HydraAdmin { 35 | if in == nil { 36 | return nil 37 | } 38 | out := new(HydraAdmin) 39 | in.DeepCopyInto(out) 40 | return out 41 | } 42 | 43 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 44 | func (in *OAuth2Client) DeepCopyInto(out *OAuth2Client) { 45 | *out = *in 46 | out.TypeMeta = in.TypeMeta 47 | in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) 48 | in.Spec.DeepCopyInto(&out.Spec) 49 | in.Status.DeepCopyInto(&out.Status) 50 | } 51 | 52 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2Client. 53 | func (in *OAuth2Client) DeepCopy() *OAuth2Client { 54 | if in == nil { 55 | return nil 56 | } 57 | out := new(OAuth2Client) 58 | in.DeepCopyInto(out) 59 | return out 60 | } 61 | 62 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 63 | func (in *OAuth2Client) DeepCopyObject() runtime.Object { 64 | if c := in.DeepCopy(); c != nil { 65 | return c 66 | } 67 | return nil 68 | } 69 | 70 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 71 | func (in *OAuth2ClientCondition) DeepCopyInto(out *OAuth2ClientCondition) { 72 | *out = *in 73 | } 74 | 75 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientCondition. 76 | func (in *OAuth2ClientCondition) DeepCopy() *OAuth2ClientCondition { 77 | if in == nil { 78 | return nil 79 | } 80 | out := new(OAuth2ClientCondition) 81 | in.DeepCopyInto(out) 82 | return out 83 | } 84 | 85 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 86 | func (in *OAuth2ClientList) DeepCopyInto(out *OAuth2ClientList) { 87 | *out = *in 88 | out.TypeMeta = in.TypeMeta 89 | in.ListMeta.DeepCopyInto(&out.ListMeta) 90 | if in.Items != nil { 91 | in, out := &in.Items, &out.Items 92 | *out = make([]OAuth2Client, len(*in)) 93 | for i := range *in { 94 | (*in)[i].DeepCopyInto(&(*out)[i]) 95 | } 96 | } 97 | } 98 | 99 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientList. 100 | func (in *OAuth2ClientList) DeepCopy() *OAuth2ClientList { 101 | if in == nil { 102 | return nil 103 | } 104 | out := new(OAuth2ClientList) 105 | in.DeepCopyInto(out) 106 | return out 107 | } 108 | 109 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 110 | func (in *OAuth2ClientList) DeepCopyObject() runtime.Object { 111 | if c := in.DeepCopy(); c != nil { 112 | return c 113 | } 114 | return nil 115 | } 116 | 117 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 118 | func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) { 119 | *out = *in 120 | if in.GrantTypes != nil { 121 | in, out := &in.GrantTypes, &out.GrantTypes 122 | *out = make([]GrantType, len(*in)) 123 | copy(*out, *in) 124 | } 125 | if in.ResponseTypes != nil { 126 | in, out := &in.ResponseTypes, &out.ResponseTypes 127 | *out = make([]ResponseType, len(*in)) 128 | copy(*out, *in) 129 | } 130 | if in.RedirectURIs != nil { 131 | in, out := &in.RedirectURIs, &out.RedirectURIs 132 | *out = make([]RedirectURI, len(*in)) 133 | copy(*out, *in) 134 | } 135 | if in.RequestURIs != nil { 136 | in, out := &in.RequestURIs, &out.RequestURIs 137 | *out = make([]RedirectURI, len(*in)) 138 | copy(*out, *in) 139 | } 140 | if in.PostLogoutRedirectURIs != nil { 141 | in, out := &in.PostLogoutRedirectURIs, &out.PostLogoutRedirectURIs 142 | *out = make([]RedirectURI, len(*in)) 143 | copy(*out, *in) 144 | } 145 | if in.AllowedCorsOrigins != nil { 146 | in, out := &in.AllowedCorsOrigins, &out.AllowedCorsOrigins 147 | *out = make([]RedirectURI, len(*in)) 148 | copy(*out, *in) 149 | } 150 | if in.Audience != nil { 151 | in, out := &in.Audience, &out.Audience 152 | *out = make([]string, len(*in)) 153 | copy(*out, *in) 154 | } 155 | if in.ScopeArray != nil { 156 | in, out := &in.ScopeArray, &out.ScopeArray 157 | *out = make([]string, len(*in)) 158 | copy(*out, *in) 159 | } 160 | out.HydraAdmin = in.HydraAdmin 161 | out.TokenLifespans = in.TokenLifespans 162 | in.Metadata.DeepCopyInto(&out.Metadata) 163 | if in.Contacts != nil { 164 | in, out := &in.Contacts, &out.Contacts 165 | *out = make([]string, len(*in)) 166 | copy(*out, *in) 167 | } 168 | } 169 | 170 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec. 171 | func (in *OAuth2ClientSpec) DeepCopy() *OAuth2ClientSpec { 172 | if in == nil { 173 | return nil 174 | } 175 | out := new(OAuth2ClientSpec) 176 | in.DeepCopyInto(out) 177 | return out 178 | } 179 | 180 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 181 | func (in *OAuth2ClientStatus) DeepCopyInto(out *OAuth2ClientStatus) { 182 | *out = *in 183 | out.ReconciliationError = in.ReconciliationError 184 | if in.Conditions != nil { 185 | in, out := &in.Conditions, &out.Conditions 186 | *out = make([]OAuth2ClientCondition, len(*in)) 187 | copy(*out, *in) 188 | } 189 | } 190 | 191 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientStatus. 192 | func (in *OAuth2ClientStatus) DeepCopy() *OAuth2ClientStatus { 193 | if in == nil { 194 | return nil 195 | } 196 | out := new(OAuth2ClientStatus) 197 | in.DeepCopyInto(out) 198 | return out 199 | } 200 | 201 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 202 | func (in *ReconciliationError) DeepCopyInto(out *ReconciliationError) { 203 | *out = *in 204 | } 205 | 206 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReconciliationError. 207 | func (in *ReconciliationError) DeepCopy() *ReconciliationError { 208 | if in == nil { 209 | return nil 210 | } 211 | out := new(ReconciliationError) 212 | in.DeepCopyInto(out) 213 | return out 214 | } 215 | 216 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 217 | func (in *TokenLifespans) DeepCopyInto(out *TokenLifespans) { 218 | *out = *in 219 | } 220 | 221 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenLifespans. 222 | func (in *TokenLifespans) DeepCopy() *TokenLifespans { 223 | if in == nil { 224 | return nil 225 | } 226 | out := new(TokenLifespans) 227 | in.DeepCopyInto(out) 228 | return out 229 | } 230 | -------------------------------------------------------------------------------- /api/v1alpha1/oauth2client_types_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package v1alpha1 5 | 6 | import ( 7 | "fmt" 8 | "path/filepath" 9 | "strings" 10 | "testing" 11 | 12 | "github.com/stretchr/testify/assert" 13 | "github.com/stretchr/testify/require" 14 | "golang.org/x/net/context" 15 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 16 | "k8s.io/apimachinery/pkg/types" 17 | "k8s.io/client-go/kubernetes/scheme" 18 | "k8s.io/client-go/rest" 19 | "sigs.k8s.io/controller-runtime/pkg/client" 20 | "sigs.k8s.io/controller-runtime/pkg/envtest" 21 | ) 22 | 23 | var ( 24 | k8sClient client.Client 25 | cfg *rest.Config 26 | testEnv *envtest.Environment 27 | key types.NamespacedName 28 | created, fetched *OAuth2Client 29 | createErr, getErr, deleteErr error 30 | ) 31 | 32 | func TestCreateAPI(t *testing.T) { 33 | 34 | runEnv(t) 35 | defer stopEnv(t) 36 | 37 | t.Run("should handle an object properly", func(t *testing.T) { 38 | 39 | key = types.NamespacedName{ 40 | Name: "foo", 41 | Namespace: "default", 42 | } 43 | 44 | t.Run("by creating an API object if it meets CRD requirements without optional parameters", func(t *testing.T) { 45 | 46 | resetTestClient() 47 | 48 | createErr = k8sClient.Create(context.TODO(), created) 49 | require.NoError(t, createErr) 50 | 51 | fetched = &OAuth2Client{} 52 | getErr = k8sClient.Get(context.TODO(), key, fetched) 53 | require.NoError(t, getErr) 54 | assert.Equal(t, created, fetched) 55 | 56 | deleteErr = k8sClient.Delete(context.TODO(), created) 57 | require.NoError(t, deleteErr) 58 | 59 | getErr = k8sClient.Get(context.TODO(), key, created) 60 | require.Error(t, getErr) 61 | }) 62 | 63 | t.Run("by creating an API object if it meets CRD requirements with optional parameters", func(t *testing.T) { 64 | 65 | resetTestClient() 66 | 67 | created.Spec.RedirectURIs = []RedirectURI{"https://client/account", "http://localhost:8080/account"} 68 | created.Spec.HydraAdmin = HydraAdmin{ 69 | URL: "http://localhost", 70 | Port: 4445, 71 | // Endpoint: "/clients", 72 | ForwardedProto: "https", 73 | } 74 | 75 | createErr = k8sClient.Create(context.TODO(), created) 76 | require.NoError(t, createErr) 77 | 78 | fetched = &OAuth2Client{} 79 | getErr = k8sClient.Get(context.TODO(), key, fetched) 80 | require.NoError(t, getErr) 81 | assert.Equal(t, created, fetched) 82 | 83 | deleteErr = k8sClient.Delete(context.TODO(), created) 84 | require.NoError(t, deleteErr) 85 | 86 | getErr = k8sClient.Get(context.TODO(), key, created) 87 | require.Error(t, getErr) 88 | }) 89 | 90 | t.Run("by failing if the requested object doesn't meet CRD requirements", func(t *testing.T) { 91 | 92 | for desc, modifyClient := range map[string]func(){ 93 | "invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} }, 94 | "invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid", "code"} }, 95 | "invalid composite response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid code", "code id_token"} }, 96 | "missing secret name": func() { created.Spec.SecretName = "" }, 97 | "invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} }, 98 | "invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} }, 99 | "invalid hydra url": func() { created.Spec.HydraAdmin.URL = "invalid" }, 100 | "invalid hydra url too long": func() { created.Spec.HydraAdmin.URL = "https://" + strings.Repeat("a", 260) }, 101 | "invalid hydra port high": func() { created.Spec.HydraAdmin.Port = 65536 }, 102 | "invalid hydra endpoint": func() { created.Spec.HydraAdmin.Endpoint = "invalid" }, 103 | "invalid hydra forwarded proto": func() { created.Spec.HydraAdmin.ForwardedProto = "invalid" }, 104 | "invalid lifespan authorization code access token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan = "invalid" }, 105 | "invalid lifespan authorization code id token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan = "invalid" }, 106 | "invalid lifespan authorization code refresh token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan = "invalid" }, 107 | "invalid lifespan client credentials access token": func() { created.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan = "invalid" }, 108 | "invalid lifespan implicit access token": func() { created.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan = "invalid" }, 109 | "invalid lifespan implicit id token": func() { created.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan = "invalid" }, 110 | "invalid lifespan jwt bearer access token": func() { created.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan = "invalid" }, 111 | "invalid lifespan refresh token access token": func() { created.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan = "invalid" }, 112 | "invalid lifespan refresh token id token": func() { created.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan = "invalid" }, 113 | "invalid lifespan refresh token refresh token": func() { created.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan = "invalid" }, 114 | "invalid deletion policy": func() { created.Spec.DeletionPolicy = "invalid" }, 115 | } { 116 | t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { 117 | resetTestClient() 118 | modifyClient() 119 | createErr = k8sClient.Create(context.TODO(), created) 120 | require.Error(t, createErr) 121 | }) 122 | } 123 | }) 124 | 125 | t.Run("by creating an object if it passes validation", func(t *testing.T) { 126 | for desc, modifyClient := range map[string]func(){ 127 | "single response type": func() { created.Spec.ResponseTypes = []ResponseType{"token", "id_token", "code"} }, 128 | "double response type": func() { created.Spec.ResponseTypes = []ResponseType{"id_token token", "code id_token", "code token"} }, 129 | "triple response type": func() { created.Spec.ResponseTypes = []ResponseType{"code id_token token"} }, 130 | } { 131 | t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { 132 | resetTestClient() 133 | modifyClient() 134 | require.NoError(t, k8sClient.Create(context.TODO(), created)) 135 | require.NoError(t, k8sClient.Delete(context.TODO(), created)) 136 | }) 137 | } 138 | }) 139 | }) 140 | } 141 | 142 | func runEnv(t *testing.T) { 143 | 144 | testEnv = &envtest.Environment{ 145 | CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, 146 | } 147 | 148 | err := SchemeBuilder.AddToScheme(scheme.Scheme) 149 | require.NoError(t, err) 150 | 151 | cfg, err = testEnv.Start() 152 | require.NoError(t, err) 153 | require.NotNil(t, cfg) 154 | 155 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 156 | require.NoError(t, err) 157 | require.NotNil(t, k8sClient) 158 | 159 | } 160 | 161 | func stopEnv(t *testing.T) { 162 | err := testEnv.Stop() 163 | require.NoError(t, err) 164 | } 165 | 166 | func resetTestClient() { 167 | created = &OAuth2Client{ 168 | ObjectMeta: metav1.ObjectMeta{ 169 | Name: "foo", 170 | Namespace: "default", 171 | }, 172 | Spec: OAuth2ClientSpec{ 173 | GrantTypes: []GrantType{"implicit", "client_credentials", "authorization_code", "refresh_token"}, 174 | ResponseTypes: []ResponseType{"id_token", "code", "token"}, 175 | Scope: "read,write", 176 | SecretName: "secret-name", 177 | TokenLifespans: TokenLifespans{}, 178 | }, 179 | } 180 | } 181 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/DESIGN-DOC.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml 3 | 4 | description: 5 | "A design document is needed for non-trivial changes to the code base." 6 | labels: 7 | - rfc 8 | name: "Design Document" 9 | body: 10 | - attributes: 11 | value: | 12 | Thank you for writing this design document. 13 | 14 | One of the key elements of Ory's software engineering culture is the use of defining software designs through design docs. These are relatively informal documents that the primary author or authors of a software system or application create before they embark on the coding project. The design doc documents the high level implementation strategy and key design decisions with emphasis on the trade-offs that were considered during those decisions. 15 | 16 | Ory is leaning heavily on [Google's design docs process](https://www.industrialempathy.com/posts/design-docs-at-google/) 17 | and [Golang Proposals](https://github.com/golang/proposal). 18 | 19 | Writing a design doc before contributing your change ensures that your ideas are checked with 20 | the community and maintainers. It will save you a lot of time developing things that might need to be changed 21 | after code reviews, and your pull requests will be merged faster. 22 | type: markdown 23 | - attributes: 24 | label: "Preflight checklist" 25 | options: 26 | - label: 27 | "I could not find a solution in the existing issues, docs, nor 28 | discussions." 29 | required: true 30 | - label: 31 | "I agree to follow this project's [Code of 32 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 33 | required: true 34 | - label: 35 | "I have read and am following this repository's [Contribution 36 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 37 | required: true 38 | - label: 39 | "I have joined the [Ory Community Slack](https://slack.ory.com)." 40 | - label: 41 | "I am signed up to the [Ory Security Patch 42 | Newsletter](https://www.ory.com/l/sign-up-newsletter)." 43 | id: checklist 44 | type: checkboxes 45 | - attributes: 46 | description: 47 | "Enter the slug or API URL of the affected Ory Network project. Leave 48 | empty when you are self-hosting." 49 | label: "Ory Network Project" 50 | placeholder: "https://.projects.oryapis.com" 51 | id: ory-network-project 52 | type: input 53 | - attributes: 54 | description: | 55 | This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts. 56 | label: "Context and scope" 57 | id: scope 58 | type: textarea 59 | validations: 60 | required: true 61 | 62 | - attributes: 63 | description: | 64 | A short list of bullet points of what the goals of the system are, and, sometimes more importantly, what non-goals are. Note, that non-goals aren’t negated goals like “The system shouldn’t crash”, but rather things that could reasonably be goals, but are explicitly chosen not to be goals. A good example would be “ACID compliance”; when designing a database, you’d certainly want to know whether that is a goal or non-goal. And if it is a non-goal you might still select a solution that provides it, if it doesn’t introduce trade-offs that prevent achieving the goals. 65 | label: "Goals and non-goals" 66 | id: goals 67 | type: textarea 68 | validations: 69 | required: true 70 | 71 | - attributes: 72 | description: | 73 | This section should start with an overview and then go into details. 74 | The design doc is the place to write down the trade-offs you made in designing your software. Focus on those trade-offs to produce a useful document with long-term value. That is, given the context (facts), goals and non-goals (requirements), the design doc is the place to suggest solutions and show why a particular solution best satisfies those goals. 75 | 76 | The point of writing a document over a more formal medium is to provide the flexibility to express the problem at hand in an appropriate manner. Because of this, there is no explicit guidance on how to actually describe the design. 77 | label: "The design" 78 | id: design 79 | type: textarea 80 | validations: 81 | required: true 82 | 83 | - attributes: 84 | description: | 85 | If the system under design exposes an API, then sketching out that API is usually a good idea. In most cases, however, one should withstand the temptation to copy-paste formal interface or data definitions into the doc as these are often verbose, contain unnecessary detail and quickly get out of date. Instead, focus on the parts that are relevant to the design and its trade-offs. 86 | label: "APIs" 87 | id: apis 88 | type: textarea 89 | 90 | - attributes: 91 | description: | 92 | Systems that store data should likely discuss how and in what rough form this happens. Similar to the advice on APIs, and for the same reasons, copy-pasting complete schema definitions should be avoided. Instead, focus on the parts that are relevant to the design and its trade-offs. 93 | label: "Data storage" 94 | id: persistence 95 | type: textarea 96 | 97 | - attributes: 98 | description: | 99 | Design docs should rarely contain code, or pseudo-code except in situations where novel algorithms are described. As appropriate, link to prototypes that show the feasibility of the design. 100 | label: "Code and pseudo-code" 101 | id: pseudocode 102 | type: textarea 103 | 104 | - attributes: 105 | description: | 106 | One of the primary factors that would influence the shape of a software design and hence the design doc, is the degree of constraint of the solution space. 107 | 108 | On one end of the extreme is the “greenfield software project”, where all we know are the goals, and the solution can be whatever makes the most sense. Such a document may be wide-ranging, but it also needs to quickly define a set of rules that allow zooming in on a manageable set of solutions. 109 | 110 | On the other end are systems where the possible solutions are very well defined, but it isn't at all obvious how they could even be combined to achieve the goals. This may be a legacy system that is difficult to change and wasn't designed to do what you want it to do or a library design that needs to operate within the constraints of the host programming language. 111 | 112 | In this situation, you may be able to enumerate all the things you can do relatively easily, but you need to creatively put those things together to achieve the goals. There may be multiple solutions, and none of them are great, and hence such a document should focus on selecting the best way given all identified trade-offs. 113 | label: "Degree of constraint" 114 | id: constrait 115 | type: textarea 116 | 117 | - attributes: 118 | description: | 119 | This section lists alternative designs that would have reasonably achieved similar outcomes. The focus should be on the trade-offs that each respective design makes and how those trade-offs led to the decision to select the design that is the primary topic of the document. 120 | 121 | While it is fine to be succinct about a solution that ended up not being selected, this section is one of the most important ones as it shows very explicitly why the selected solution is the best given the project goals and how other solutions, that the reader may be wondering about, introduce trade-offs that are less desirable given the goals. 122 | 123 | label: Alternatives considered 124 | id: alternatives 125 | type: textarea 126 | -------------------------------------------------------------------------------- /docs/assets/synchronization-mode.svg: -------------------------------------------------------------------------------- 1 | 2 |
POST /clients
POST /clients
Hydra
Hydra
Cron Job
Cron Job
Response
201 or 409
Response <br>201 or 409
yes
yes
no
no
Fetch all CRs + their secrets
Fetch all CRs + their secrets
K8s
K8s -------------------------------------------------------------------------------- /hydra/types.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra 5 | 6 | import ( 7 | "encoding/json" 8 | "fmt" 9 | "strings" 10 | 11 | "github.com/go-playground/validator/v10" 12 | 13 | "k8s.io/utils/ptr" 14 | 15 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 16 | ) 17 | 18 | // OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra 19 | type OAuth2ClientJSON struct { 20 | ClientName string `json:"client_name,omitempty"` 21 | ClientID *string `json:"client_id,omitempty"` 22 | Secret *string `json:"client_secret,omitempty"` 23 | GrantTypes []string `json:"grant_types"` 24 | RedirectURIs []string `json:"redirect_uris,omitempty"` 25 | RequestURIs []string `json:"request_uris,omitempty"` 26 | PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"` 27 | AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"` 28 | ResponseTypes []string `json:"response_types,omitempty"` 29 | Audience []string `json:"audience,omitempty"` 30 | Scope string `json:"scope"` 31 | SkipConsent bool `json:"skip_consent,omitempty"` 32 | Owner string `json:"owner"` 33 | TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"` 34 | Metadata json.RawMessage `json:"metadata,omitempty"` 35 | JwksUri string `json:"jwks_uri,omitempty" validate:"required_if=TokenEndpointAuthMethod private_key_jwt"` 36 | FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required"` 37 | FrontChannelLogoutURI string `json:"frontchannel_logout_uri"` 38 | BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required"` 39 | BackChannelLogoutURI string `json:"backchannel_logout_uri"` 40 | AuthorizationCodeGrantAccessTokenLifespan string `json:"authorization_code_grant_access_token_lifespan,omitempty"` 41 | AuthorizationCodeGrantIdTokenLifespan string `json:"authorization_code_grant_id_token_lifespan,omitempty"` 42 | AuthorizationCodeGrantRefreshTokenLifespan string `json:"authorization_code_grant_refresh_token_lifespan,omitempty"` 43 | ClientCredentialsGrantAccessTokenLifespan string `json:"client_credentials_grant_access_token_lifespan,omitempty"` 44 | ImplicitGrantAccessTokenLifespan string `json:"implicit_grant_access_token_lifespan,omitempty"` 45 | ImplicitGrantIdTokenLifespan string `json:"implicit_grant_id_token_lifespan,omitempty"` 46 | JwtBearerGrantAccessTokenLifespan string `json:"jwt_bearer_grant_access_token_lifespan,omitempty"` 47 | RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"` 48 | RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"` 49 | RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"` 50 | LogoUri string `json:"logo_uri,omitempty"` 51 | AccessTokenStrategy string `json:"access_token_strategy,omitempty"` 52 | ClientSecretExpiresAt int64 `json:"client_secret_expires_at,omitempty"` 53 | ClientUri string `json:"client_uri,omitempty"` 54 | Contacts []string `json:"contacts,omitempty"` 55 | CreatedAt string `json:"created_at,omitempty"` 56 | PolicyUri string `json:"policy_uri,omitempty"` 57 | RegistrationAccessToken string `json:"registration_access_token,omitempty"` 58 | RegistrationClientUri string `json:"registration_client_uri,omitempty"` 59 | RequestObjectSigningAlg string `json:"request_object_signing_alg,omitempty"` 60 | SectorIdentifierUri string `json:"sector_identifier_uri,omitempty"` 61 | SkipLogoutConsent bool `json:"skip_logout_consent,omitempty"` 62 | SubjectType string `json:"subject_type,omitempty"` 63 | TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg,omitempty"` 64 | TosUri string `json:"tos_uri,omitempty"` 65 | UpdatedAt string `json:"updated_at,omitempty"` 66 | UserinfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"` 67 | } 68 | 69 | // Oauth2ClientCredentials represents client ID and password fetched from a 70 | // Kubernetes secret 71 | type Oauth2ClientCredentials struct { 72 | ID []byte 73 | Password []byte 74 | } 75 | 76 | func (oj *OAuth2ClientJSON) WithCredentials(credentials *Oauth2ClientCredentials) *OAuth2ClientJSON { 77 | oj.ClientID = ptr.To(string(credentials.ID)) 78 | if credentials.Password != nil { 79 | oj.Secret = ptr.To(string(credentials.Password)) 80 | } 81 | return oj 82 | } 83 | 84 | // FromOAuth2Client converts an OAuth2Client into a OAuth2ClientJSON object that represents an OAuth2 InternalClient digestible by ORY Hydra 85 | func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error) { 86 | meta, err := json.Marshal(c.Spec.Metadata) 87 | if err != nil { 88 | return nil, fmt.Errorf("unable to encode `metadata` property value to json: %w", err) 89 | } 90 | 91 | if c.Spec.Scope != "" { 92 | fmt.Println("Property `scope` in client '" + c.Name + "' is deprecated. Rather use scopeArray.") 93 | } 94 | 95 | var scope = c.Spec.Scope 96 | if c.Spec.ScopeArray != nil { 97 | scope = strings.Trim(strings.Join(c.Spec.ScopeArray, " ")+" "+scope, " ") 98 | } 99 | 100 | client := &OAuth2ClientJSON{ 101 | ClientName: c.Spec.ClientName, 102 | GrantTypes: grantToStringSlice(c.Spec.GrantTypes), 103 | ResponseTypes: responseToStringSlice(c.Spec.ResponseTypes), 104 | RedirectURIs: redirectToStringSlice(c.Spec.RedirectURIs), 105 | RequestURIs: redirectToStringSlice(c.Spec.RequestURIs), 106 | PostLogoutRedirectURIs: redirectToStringSlice(c.Spec.PostLogoutRedirectURIs), 107 | AllowedCorsOrigins: redirectToStringSlice(c.Spec.AllowedCorsOrigins), 108 | Audience: c.Spec.Audience, 109 | Scope: scope, 110 | SkipConsent: c.Spec.SkipConsent, 111 | Owner: fmt.Sprintf("%s/%s", c.Name, c.Namespace), 112 | TokenEndpointAuthMethod: string(c.Spec.TokenEndpointAuthMethod), 113 | Metadata: meta, 114 | JwksUri: c.Spec.JwksUri, 115 | FrontChannelLogoutURI: c.Spec.FrontChannelLogoutURI, 116 | FrontChannelLogoutSessionRequired: c.Spec.FrontChannelLogoutSessionRequired, 117 | BackChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired, 118 | BackChannelLogoutURI: c.Spec.BackChannelLogoutURI, 119 | AuthorizationCodeGrantAccessTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan, 120 | AuthorizationCodeGrantIdTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan, 121 | AuthorizationCodeGrantRefreshTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan, 122 | ClientCredentialsGrantAccessTokenLifespan: c.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan, 123 | ImplicitGrantAccessTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan, 124 | ImplicitGrantIdTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan, 125 | JwtBearerGrantAccessTokenLifespan: c.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan, 126 | RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan, 127 | RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan, 128 | RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan, 129 | LogoUri: c.Spec.LogoUri, 130 | AccessTokenStrategy: c.Spec.AccessTokenStrategy, 131 | ClientSecretExpiresAt: c.Spec.ClientSecretExpiresAt, 132 | ClientUri: c.Spec.ClientUri, 133 | Contacts: c.Spec.Contacts, 134 | PolicyUri: c.Spec.PolicyUri, 135 | RequestObjectSigningAlg: c.Spec.RequestObjectSigningAlg, 136 | SectorIdentifierUri: c.Spec.SectorIdentifierUri, 137 | SkipLogoutConsent: c.Spec.SkipLogoutConsent, 138 | SubjectType: c.Spec.SubjectType, 139 | TokenEndpointAuthSigningAlg: c.Spec.TokenEndpointAuthSigningAlg, 140 | TosUri: c.Spec.TosUri, 141 | UserinfoSignedResponseAlg: c.Spec.UserinfoSignedResponseAlg, 142 | } 143 | 144 | validate := validator.New() 145 | if err := validate.Struct(client); err != nil { 146 | return nil, err 147 | } 148 | 149 | return client, nil 150 | } 151 | 152 | func responseToStringSlice(rt []hydrav1alpha1.ResponseType) []string { 153 | var output = make([]string, len(rt)) 154 | for i, elem := range rt { 155 | output[i] = string(elem) 156 | } 157 | return output 158 | } 159 | 160 | func grantToStringSlice(gt []hydrav1alpha1.GrantType) []string { 161 | var output = make([]string, len(gt)) 162 | for i, elem := range gt { 163 | output[i] = string(elem) 164 | } 165 | return output 166 | } 167 | 168 | func redirectToStringSlice(ru []hydrav1alpha1.RedirectURI) []string { 169 | var output = make([]string, len(ru)) 170 | for i, elem := range ru { 171 | output[i] = string(elem) 172 | } 173 | return output 174 | } 175 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Contribute to Ory Ory Hydra Maester 5 | 6 | 7 | 8 | 9 | - [Introduction](#introduction) 10 | - [FAQ](#faq) 11 | - [How can I contribute?](#how-can-i-contribute) 12 | - [Communication](#communication) 13 | - [Contribute examples or community projects](#contribute-examples-or-community-projects) 14 | - [Contribute code](#contribute-code) 15 | - [Contribute documentation](#contribute-documentation) 16 | - [Disclosing vulnerabilities](#disclosing-vulnerabilities) 17 | - [Code style](#code-style) 18 | - [Working with forks](#working-with-forks) 19 | - [Conduct](#conduct) 20 | 21 | 22 | 23 | ## Introduction 24 | 25 | _Please note_: We take Ory Ory Hydra Maester's security and our users' trust very 26 | seriously. If you believe you have found a security issue in Ory Ory Hydra Maester, 27 | please disclose it by contacting us at security@ory.com. 28 | 29 | There are many ways in which you can contribute. The goal of this document is to 30 | provide a high-level overview of how you can get involved in Ory. 31 | 32 | As a potential contributor, your changes and ideas are welcome at any hour of 33 | the day or night, on weekdays, weekends, and holidays. Please do not ever 34 | hesitate to ask a question or send a pull request. 35 | 36 | If you are unsure, just ask or submit the issue or pull request anyways. You 37 | won't be yelled at for giving it your best effort. The worst that can happen is 38 | that you'll be politely asked to change something. We appreciate any sort of 39 | contributions and don't want a wall of rules to get in the way of that. 40 | 41 | That said, if you want to ensure that a pull request is likely to be merged, 42 | talk to us! You can find out our thoughts and ensure that your contribution 43 | won't clash with Ory 44 | Ory Hydra Maester's direction. A great way to 45 | do this is via 46 | [Ory Ory Hydra Maester Discussions](https://github.com/orgs/ory/discussions) 47 | or the [Ory Chat](https://www.ory.com/chat). 48 | 49 | ## FAQ 50 | 51 | - I am new to the community. Where can I find the 52 | [Ory Community Code of Conduct?](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md) 53 | 54 | - I have a question. Where can I get 55 | [answers to questions regarding Ory Ory Hydra Maester?](#communication) 56 | 57 | - I would like to contribute but I am not sure how. Are there 58 | [easy ways to contribute?](#how-can-i-contribute) 59 | [Or good first issues?](https://github.com/search?l=&o=desc&q=label%3A%22help+wanted%22+label%3A%22good+first+issue%22+is%3Aopen+user%3Aory+user%3Aory-corp&s=updated&type=Issues) 60 | 61 | - I want to talk to other Ory Ory Hydra Maester users. 62 | [How can I become a part of the community?](#communication) 63 | 64 | - I would like to know what I am agreeing to when I contribute to Ory 65 | Ory Hydra Maester. 66 | Does Ory have 67 | [a Contributors License Agreement?](https://cla-assistant.io/ory/hydra-maester) 68 | 69 | - I would like updates about new versions of Ory Ory Hydra Maester. 70 | [How are new releases announced?](https://www.ory.com/l/sign-up-newsletter) 71 | 72 | ## How can I contribute? 73 | 74 | If you want to start to contribute code right away, take a look at the 75 | [list of good first issues](https://github.com/ory/hydra-maester/labels/good%20first%20issue). 76 | 77 | There are many other ways you can contribute. Here are a few things you can do 78 | to help out: 79 | 80 | - **Give us a star.** It may not seem like much, but it really makes a 81 | difference. This is something that everyone can do to help out Ory Ory Hydra Maester. 82 | Github stars help the project gain visibility and stand out. 83 | 84 | - **Join the community.** Sometimes helping people can be as easy as listening 85 | to their problems and offering a different perspective. Join our Slack, have a 86 | look at discussions in the forum and take part in community events. More info 87 | on this in [Communication](#communication). 88 | 89 | - **Answer discussions.** At all times, there are several unanswered discussions 90 | on GitHub. You can see an 91 | [overview here](https://github.com/discussions?discussions_q=is%3Aunanswered+org%3Aory+sort%3Aupdated-desc). 92 | If you think you know an answer or can provide some information that might 93 | help, please share it! Bonus: You get GitHub achievements for answered 94 | discussions. 95 | 96 | - **Help with open issues.** We have a lot of open issues for Ory Ory Hydra Maester and 97 | some of them may lack necessary information, some are duplicates of older 98 | issues. You can help out by guiding people through the process of filling out 99 | the issue template, asking for clarifying information or pointing them to 100 | existing issues that match their description of the problem. 101 | 102 | - **Review documentation changes.** Most documentation just needs a review for 103 | proper spelling and grammar. If you think a document can be improved in any 104 | way, feel free to hit the `edit` button at the top of the page. More info on 105 | contributing to the documentation [here](#contribute-documentation). 106 | 107 | - **Help with tests.** Pull requests may lack proper tests or test plans. These 108 | are needed for the change to be implemented safely. 109 | 110 | ## Communication 111 | 112 | We use [Slack](https://www.ory.com/chat). You are welcome to drop in and ask 113 | questions, discuss bugs and feature requests, talk to other users of Ory, etc. 114 | 115 | Check out [Ory Ory Hydra Maester Discussions](https://github.com/orgs/ory/discussions). This is a great place for 116 | in-depth discussions and lots of code examples, logs and similar data. 117 | 118 | You can also join our community calls if you want to speak to the Ory team 119 | directly or ask some questions. You can find more info and participate in 120 | [Slack](https://www.ory.com/chat) in the #community-call channel. 121 | 122 | If you want to receive regular notifications about updates to Ory Ory Hydra Maester, 123 | consider joining the mailing list. We will _only_ send you vital information on 124 | the projects that you are interested in. 125 | 126 | Also, [follow us on Twitter](https://twitter.com/orycorp). 127 | 128 | ## Contribute examples or community projects 129 | 130 | One of the most impactful ways to contribute is by adding code examples or other 131 | Ory-related code. You can find an overview of community code in the 132 | [awesome-ory](https://github.com/ory/awesome-ory) repository. 133 | 134 | _If you would like to contribute a new example, we would love to hear from you!_ 135 | 136 | Please [open a pull request at awesome-ory](https://github.com/ory/awesome-ory/) 137 | to add your example or Ory-related project to the awesome-ory README. 138 | 139 | ## Contribute code 140 | 141 | Unless you are fixing a known bug, we **strongly** recommend discussing it with 142 | the core team via a GitHub issue or [in our chat](https://www.ory.com/chat) 143 | before getting started to ensure your work is consistent with Ory Ory Hydra Maester's 144 | roadmap and architecture. 145 | 146 | All contributions are made via pull requests. To make a pull request, you will 147 | need a GitHub account; if you are unclear on this process, see GitHub's 148 | documentation on [forking](https://help.github.com/articles/fork-a-repo) and 149 | [pull requests](https://help.github.com/articles/using-pull-requests). Pull 150 | requests should be targeted at the `master` branch. Before creating a pull 151 | request, go through this checklist: 152 | 153 | 1. Create a feature branch off of `master` so that changes do not get mixed up. 154 | 1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local 155 | changes against the `master` branch. 156 | 1. Run the full project test suite with the `go test -tags sqlite ./...` (or 157 | equivalent) command and confirm that it passes. 158 | 1. Run `make format` 159 | 1. Add a descriptive prefix to commits. This ensures a uniform commit history 160 | and helps structure the changelog. Please refer to this 161 | [Convential Commits configuration](https://github.com/ory/hydra-maester/blob/master/.github/workflows/conventional_commits.yml) 162 | for the list of accepted prefixes. You can read more about the Conventional 163 | Commit specification 164 | [at their site](https://www.conventionalcommits.org/en/v1.0.0/). 165 | 166 | If a pull request is not ready to be reviewed yet 167 | [it should be marked as a "Draft"](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request). 168 | 169 | Before your contributions can be reviewed you need to sign our 170 | [Contributor License Agreement](https://cla-assistant.io/ory/hydra-maester). 171 | 172 | This agreement defines the terms under which your code is contributed to Ory. 173 | More specifically it declares that you have the right to, and actually do, grant 174 | us the rights to use your contribution. You can see the Apache 2.0 license under 175 | which our projects are published 176 | [here](https://github.com/ory/meta/blob/master/LICENSE). 177 | 178 | When pull requests fail the automated testing stages (for example unit or E2E 179 | tests), authors are expected to update their pull requests to address the 180 | failures until the tests pass. 181 | 182 | Pull requests eligible for review 183 | 184 | 1. follow the repository's code formatting conventions; 185 | 2. include tests that prove that the change works as intended and does not add 186 | regressions; 187 | 3. document the changes in the code and/or the project's documentation; 188 | 4. pass the CI pipeline; 189 | 5. have signed our 190 | [Contributor License Agreement](https://cla-assistant.io/ory/hydra-maester); 191 | 6. include a proper git commit message following the 192 | [Conventional Commit Specification](https://www.conventionalcommits.org/en/v1.0.0/). 193 | 194 | If all of these items are checked, the pull request is ready to be reviewed and 195 | you should change the status to "Ready for review" and 196 | [request review from a maintainer](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review). 197 | 198 | Reviewers will approve the pull request once they are satisfied with the patch. 199 | 200 | ## Contribute documentation 201 | 202 | Please provide documentation when changing, removing, or adding features. All 203 | Ory Documentation resides in the 204 | [Ory documentation repository](https://github.com/ory/docs/). For further 205 | instructions please head over to the Ory Documentation 206 | [README.md](https://github.com/ory/docs/blob/master/README.md). 207 | 208 | ## Disclosing vulnerabilities 209 | 210 | Please disclose vulnerabilities exclusively to 211 | [security@ory.com](mailto:security@ory.com). Do not use GitHub issues. 212 | 213 | ## Code style 214 | 215 | Please run `make format` to format all source code following the Ory standard. 216 | 217 | ### Working with forks 218 | 219 | ```bash 220 | # First you clone the original repository 221 | git clone git@github.com:ory/ory/hydra-maester.git 222 | 223 | # Next you add a git remote that is your fork: 224 | git remote add fork git@github.com:/ory/hydra-maester.git 225 | 226 | # Next you fetch the latest changes from origin for master: 227 | git fetch origin 228 | git checkout master 229 | git pull --rebase 230 | 231 | # Next you create a new feature branch off of master: 232 | git checkout my-feature-branch 233 | 234 | # Now you do your work and commit your changes: 235 | git add -A 236 | git commit -a -m "fix: this is the subject line" -m "This is the body line. Closes #123" 237 | 238 | # And the last step is pushing this to your fork 239 | git push -u fork my-feature-branch 240 | ``` 241 | 242 | Now go to the project's GitHub Pull Request page and click "New pull request" 243 | 244 | ## Conduct 245 | 246 | Whether you are a regular contributor or a newcomer, we care about making this 247 | community a safe place for you and we've got your back. 248 | 249 | [Ory Community Code of Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md) 250 | 251 | We welcome discussion about creating a welcoming, safe, and productive 252 | environment for the community. If you have any questions, feedback, or concerns 253 | [please let us know](https://www.ory.com/chat). 254 | -------------------------------------------------------------------------------- /docs/assets/workflow.svg: -------------------------------------------------------------------------------- 1 | 2 |
Create  Client Request CR
Create  Client Request CR
Notify about  CR
Notify about  CR
CRUD Oauth2 client in Hydra
CRUD Oauth2 client in Hydra
Kubernetes
Kubernetes
Hydra Maester
Hydra Maester
Hydra
Hydra
Developer
Developer
Validate CR
Validate CR
Validate CR
Validate CR
Create secret with
 ID,clientID, client secret 
[Not supported by viewer] -------------------------------------------------------------------------------- /hydra/client_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra_test 5 | 6 | import ( 7 | "encoding/json" 8 | "errors" 9 | "fmt" 10 | "net/http" 11 | "net/http/httptest" 12 | "net/url" 13 | "strings" 14 | "testing" 15 | 16 | "github.com/stretchr/testify/assert" 17 | "github.com/stretchr/testify/require" 18 | "k8s.io/utils/ptr" 19 | 20 | "github.com/ory/hydra-maester/hydra" 21 | ) 22 | 23 | const ( 24 | clientsEndpoint = "/clients" 25 | schemeHTTP = "http" 26 | 27 | testID = "test-id" 28 | testClient = `{"client_id":"test-id","owner":"test-name","scope":"some,scopes","grant_types":["type1"],"token_endpoint_auth_method":"client_secret_basic"}` 29 | testClientCreated = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"audience":["audience-a","audience-b"],"token_endpoint_auth_method":"client_secret_basic","backchannel_logout_uri":"https://localhost/backchannel-logout","frontchannel_logout_uri":"https://localhost/frontchannel-logout"}` 30 | testClientUpdated = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"audience":["audience-c"],"token_endpoint_auth_method":"client_secret_basic"}` 31 | testClientList = `{"client_id":"test-id-4","owner":"test-name-4","scope":"scope1 scope2","grant_types":["type4"],"token_endpoint_auth_method":"client_secret_basic"}` 32 | testClientList2 = `{"client_id":"test-id-5","owner":"test-name-5","scope":"scope3 scope4","grant_types":["type5"],"token_endpoint_auth_method":"client_secret_basic"}` 33 | testClientWithMetadataCreated = `{"client_id":"test-id-21","client_secret":"TmGkvcY7k526","owner":"test-name-21","scope":"some,other,scopes","grant_types":["type2"],"token_endpoint_auth_method":"client_secret_basic","metadata":{"property1":1,"property2":"2"},"backchannel_logout_uri":"https://localhost/backchannel-logout","frontchannel_logout_uri":"https://localhost/frontchannel-logout"}` 34 | 35 | statusNotFoundBody = `{"error":"Not Found","error_description":"Unable to locate the requested resource","status_code":404,"request_id":"id"}` 36 | statusUnauthorizedBody = `{"error":"The request could not be authorized","error_description":"The requested OAuth 2.0 client does not exist or you did not provide the necessary credentials","status_code":401,"request_id":"id"}` 37 | statusConflictBody = `{"error":"Unable to insert or update resource because a resource with that value exists already","error_description":"","status_code":409,"request_id":"id"` 38 | statusInternalServerErrorBody = "the server encountered an internal error or misconfiguration and was unable to complete your request" 39 | ) 40 | 41 | type server struct { 42 | statusCode int 43 | respBody string 44 | err error 45 | } 46 | 47 | var testOAuthJSONPost = &hydra.OAuth2ClientJSON{ 48 | Scope: "some,other,scopes", 49 | GrantTypes: []string{"type2"}, 50 | Owner: "test-name-2", 51 | Audience: []string{"audience-a", "audience-b"}, 52 | FrontChannelLogoutURI: "https://localhost/frontchannel-logout", 53 | FrontChannelLogoutSessionRequired: false, 54 | BackChannelLogoutURI: "https://localhost/backchannel-logout", 55 | BackChannelLogoutSessionRequired: false, 56 | AuthorizationCodeGrantAccessTokenLifespan: "6h", 57 | } 58 | 59 | var testOAuthJSONPut = &hydra.OAuth2ClientJSON{ 60 | ClientID: ptr.To("test-id-3"), 61 | Scope: "yet,another,scope", 62 | GrantTypes: []string{"type3"}, 63 | Owner: "test-name-3", 64 | Audience: []string{"audience-c"}, 65 | } 66 | 67 | func TestCRUD(t *testing.T) { 68 | 69 | assert := assert.New(t) 70 | 71 | c := hydra.InternalClient{ 72 | HTTPClient: &http.Client{}, 73 | HydraURL: url.URL{Scheme: schemeHTTP}, 74 | } 75 | 76 | t.Run("method=get", func(t *testing.T) { 77 | 78 | for d, tc := range map[string]server{ 79 | "getting registered client": { 80 | http.StatusOK, 81 | testClient, 82 | nil, 83 | }, 84 | "getting unregistered client": { 85 | http.StatusNotFound, 86 | statusNotFoundBody, 87 | nil, 88 | }, 89 | "getting unauthorized request": { 90 | http.StatusUnauthorized, 91 | statusUnauthorizedBody, 92 | nil, 93 | }, 94 | "internal server error when requesting": { 95 | http.StatusInternalServerError, 96 | statusInternalServerErrorBody, 97 | errors.New("http request returned unexpected status code"), 98 | }, 99 | } { 100 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 101 | 102 | //given 103 | shouldFind := tc.statusCode == http.StatusOK 104 | 105 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 106 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 107 | assert.Equal(http.MethodGet, req.Method) 108 | w.WriteHeader(tc.statusCode) 109 | w.Write([]byte(tc.respBody)) 110 | if shouldFind { 111 | w.Header().Set("Content-type", "application/json") 112 | } 113 | }) 114 | runServer(&c, h) 115 | 116 | //when 117 | o, found, err := c.GetOAuth2Client(testID) 118 | 119 | //then 120 | if tc.err == nil { 121 | require.NoError(t, err) 122 | } else { 123 | require.Error(t, err) 124 | assert.Contains(err.Error(), tc.err.Error()) 125 | } 126 | 127 | assert.Equal(shouldFind, found) 128 | if shouldFind { 129 | require.NotNil(t, o) 130 | var expected hydra.OAuth2ClientJSON 131 | json.Unmarshal([]byte(testClient), &expected) 132 | assert.Equal(&expected, o) 133 | } 134 | }) 135 | } 136 | }) 137 | 138 | t.Run("method=post", func(t *testing.T) { 139 | 140 | for d, tc := range map[string]server{ 141 | "with new client": { 142 | http.StatusCreated, 143 | testClientCreated, 144 | nil, 145 | }, 146 | "with new client with metadata": { 147 | http.StatusCreated, 148 | testClientWithMetadataCreated, 149 | nil, 150 | }, 151 | "with existing client": { 152 | http.StatusConflict, 153 | statusConflictBody, 154 | errors.New("requested ID already exists"), 155 | }, 156 | "internal server error when requesting": { 157 | http.StatusInternalServerError, 158 | statusInternalServerErrorBody, 159 | errors.New("http request returned unexpected status code"), 160 | }, 161 | } { 162 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 163 | var ( 164 | err error 165 | o *hydra.OAuth2ClientJSON 166 | expected *hydra.OAuth2ClientJSON 167 | ) 168 | //given 169 | new := tc.statusCode == http.StatusCreated 170 | newWithMetadata := d == "with new client with metadata" 171 | 172 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 173 | assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 174 | assert.Equal(http.MethodPost, req.Method) 175 | w.WriteHeader(tc.statusCode) 176 | w.Write([]byte(tc.respBody)) 177 | if new { 178 | w.Header().Set("Content-type", "application/json") 179 | } 180 | }) 181 | runServer(&c, h) 182 | 183 | //when 184 | if newWithMetadata { 185 | meta, _ := json.Marshal(map[string]interface{}{ 186 | "property1": float64(1), 187 | "property2": "2", 188 | }) 189 | var testOAuthJSONPost2 = &hydra.OAuth2ClientJSON{ 190 | Scope: "some,other,scopes", 191 | GrantTypes: []string{"type2"}, 192 | Owner: "test-name-21", 193 | Metadata: meta, 194 | FrontChannelLogoutURI: "https://localhost/frontchannel-logout", 195 | FrontChannelLogoutSessionRequired: false, 196 | BackChannelLogoutURI: "https://localhost/backchannel-logout", 197 | BackChannelLogoutSessionRequired: false, 198 | } 199 | o, err = c.PostOAuth2Client(testOAuthJSONPost2) 200 | expected = testOAuthJSONPost2 201 | } else { 202 | o, err = c.PostOAuth2Client(testOAuthJSONPost) 203 | expected = testOAuthJSONPost 204 | } 205 | 206 | //then 207 | if tc.err == nil { 208 | require.NoError(t, err) 209 | } else { 210 | require.Error(t, err) 211 | assert.Contains(err.Error(), tc.err.Error()) 212 | } 213 | 214 | if new { 215 | require.NotNil(t, o) 216 | assert.Equal(expected.Scope, o.Scope) 217 | assert.Equal(expected.GrantTypes, o.GrantTypes) 218 | assert.Equal(expected.Owner, o.Owner) 219 | assert.Equal(expected.Audience, o.Audience) 220 | assert.NotNil(o.Secret) 221 | assert.NotNil(o.ClientID) 222 | assert.NotNil(o.TokenEndpointAuthMethod) 223 | assert.Equal(expected.FrontChannelLogoutURI, o.FrontChannelLogoutURI) 224 | assert.Equal(expected.FrontChannelLogoutSessionRequired, o.FrontChannelLogoutSessionRequired) 225 | assert.Equal(expected.BackChannelLogoutURI, o.BackChannelLogoutURI) 226 | assert.Equal(expected.BackChannelLogoutSessionRequired, o.BackChannelLogoutSessionRequired) 227 | if expected.TokenEndpointAuthMethod != "" { 228 | assert.Equal(expected.TokenEndpointAuthMethod, o.TokenEndpointAuthMethod) 229 | } 230 | if newWithMetadata { 231 | assert.NotNil(o.Metadata) 232 | assert.True(len(o.Metadata) > 0) 233 | for key := range o.Metadata { 234 | assert.Equal(o.Metadata[key], expected.Metadata[key]) 235 | } 236 | } else { 237 | assert.Nil(o.Metadata) 238 | } 239 | } 240 | }) 241 | } 242 | }) 243 | 244 | t.Run("method=put", func(t *testing.T) { 245 | for d, tc := range map[string]server{ 246 | "with registered client": { 247 | http.StatusOK, 248 | testClientUpdated, 249 | nil, 250 | }, 251 | "internal server error when requesting": { 252 | http.StatusInternalServerError, 253 | statusInternalServerErrorBody, 254 | errors.New("http request returned unexpected status code"), 255 | }, 256 | } { 257 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 258 | 259 | ok := tc.statusCode == http.StatusOK 260 | 261 | //given 262 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 263 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), *testOAuthJSONPut.ClientID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 264 | assert.Equal(http.MethodPut, req.Method) 265 | w.WriteHeader(tc.statusCode) 266 | w.Write([]byte(tc.respBody)) 267 | if ok { 268 | w.Header().Set("Content-type", "application/json") 269 | } 270 | }) 271 | runServer(&c, h) 272 | 273 | //when 274 | o, err := c.PutOAuth2Client(testOAuthJSONPut) 275 | 276 | //then 277 | if tc.err == nil { 278 | require.NoError(t, err) 279 | } else { 280 | require.Error(t, err) 281 | assert.Contains(err.Error(), tc.err.Error()) 282 | } 283 | 284 | if ok { 285 | require.NotNil(t, o) 286 | 287 | assert.Equal(testOAuthJSONPut.Scope, o.Scope) 288 | assert.Equal(testOAuthJSONPut.GrantTypes, o.GrantTypes) 289 | assert.Equal(testOAuthJSONPut.ClientID, o.ClientID) 290 | assert.Equal(testOAuthJSONPut.Owner, o.Owner) 291 | assert.Equal(testOAuthJSONPut.Audience, o.Audience) 292 | assert.NotNil(o.Secret) 293 | } 294 | }) 295 | } 296 | }) 297 | 298 | t.Run("method=delete", func(t *testing.T) { 299 | 300 | for d, tc := range map[string]server{ 301 | "with registered client": { 302 | statusCode: http.StatusNoContent, 303 | }, 304 | "with unregistered client": { 305 | statusCode: http.StatusNotFound, 306 | respBody: statusNotFoundBody, 307 | }, 308 | "internal server error when requesting": { 309 | statusCode: http.StatusInternalServerError, 310 | respBody: statusInternalServerErrorBody, 311 | err: errors.New("http request returned unexpected status code"), 312 | }, 313 | } { 314 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 315 | 316 | //given 317 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 318 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 319 | assert.Equal(http.MethodDelete, req.Method) 320 | w.WriteHeader(tc.statusCode) 321 | }) 322 | runServer(&c, h) 323 | 324 | //when 325 | err := c.DeleteOAuth2Client(testID) 326 | 327 | //then 328 | if tc.err == nil { 329 | require.NoError(t, err) 330 | } else { 331 | require.Error(t, err) 332 | assert.Contains(err.Error(), tc.err.Error()) 333 | } 334 | }) 335 | } 336 | }) 337 | 338 | t.Run("method=list", func(t *testing.T) { 339 | 340 | for d, tc := range map[string]server{ 341 | "no clients": { 342 | http.StatusOK, 343 | `[]`, 344 | nil, 345 | }, 346 | "one client": { 347 | http.StatusOK, 348 | fmt.Sprintf("[%s]", testClientList), 349 | nil, 350 | }, 351 | "more clients": { 352 | http.StatusOK, 353 | fmt.Sprintf("[%s,%s]", testClientList, testClientList2), 354 | nil, 355 | }, 356 | "internal server error when requesting": { 357 | http.StatusInternalServerError, 358 | statusInternalServerErrorBody, 359 | errors.New("http request returned unexpected status code"), 360 | }, 361 | } { 362 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 363 | 364 | //given 365 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 366 | assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 367 | assert.Equal(http.MethodGet, req.Method) 368 | w.WriteHeader(tc.statusCode) 369 | w.Write([]byte(tc.respBody)) 370 | w.Header().Set("Content-type", "application/json") 371 | 372 | }) 373 | runServer(&c, h) 374 | 375 | //when 376 | list, err := c.ListOAuth2Client() 377 | 378 | //then 379 | if tc.err == nil { 380 | require.NoError(t, err) 381 | require.NotNil(t, list) 382 | var expectedList []*hydra.OAuth2ClientJSON 383 | json.Unmarshal([]byte(tc.respBody), &expectedList) 384 | assert.Equal(expectedList, list) 385 | } else { 386 | require.Error(t, err) 387 | assert.Contains(err.Error(), tc.err.Error()) 388 | } 389 | }) 390 | } 391 | }) 392 | 393 | t.Run("default parameters", func(t *testing.T) { 394 | var input = &hydra.OAuth2ClientJSON{ 395 | Scope: "some,other,scopes", 396 | GrantTypes: []string{"type2"}, 397 | Owner: "test-name-2", 398 | } 399 | assert.Equal(input.TokenEndpointAuthMethod, "") 400 | b, _ := json.Marshal(input) 401 | payload := string(b) 402 | assert.Equal(strings.Index(payload, "token_endpoint_auth_method"), -1) 403 | 404 | input = &hydra.OAuth2ClientJSON{ 405 | Scope: "some,other,scopes", 406 | GrantTypes: []string{"type2"}, 407 | Owner: "test-name-3", 408 | TokenEndpointAuthMethod: "none", 409 | } 410 | b, _ = json.Marshal(input) 411 | payload = string(b) 412 | assert.True(strings.Index(payload, "token_endpoint_auth_method") > 0) 413 | }) 414 | } 415 | 416 | func runServer(c *hydra.InternalClient, h http.HandlerFunc) { 417 | s := httptest.NewServer(h) 418 | serverUrl, _ := url.Parse(s.URL) 419 | c.HydraURL = *serverUrl.ResolveReference(&url.URL{Path: clientsEndpoint}) 420 | } 421 | --------------------------------------------------------------------------------