Skip to content

fix: improved SSRF protection (#3669) #1631

fix: improved SSRF protection (#3669)

fix: improved SSRF protection (#3669) #1631

Workflow file for this run

name: CI Tasks for Ory Hydra
on:
push:
branches:
- master
tags:
- "*"
pull_request:
# Cancel in-progress runs in current workflow.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
oidc-conformity:
name: Run OIDC conformity tests
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: ory/ci/checkout@master
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
- uses: actions/setup-go@v3
with:
go-version: "1.21"
- name: Start service
run: ./test/conformance/start.sh
- name: Run tests
run: ./test/conformance/test.sh -v -short -parallel 16
sdk-generate:
name: Generate SDKs
runs-on: ubuntu-latest
outputs:
sdk-cache-key: ${{ steps.sdk-generate.outputs.sdk-cache-key }}
steps:
- uses: ory/ci/sdk/generate@master
with:
token: ${{ secrets.ORY_BOT_PAT }}
id: sdk-generate
test:
name: Run tests and lints
runs-on: ubuntu-latest
needs:
- sdk-generate
services:
postgres:
image: postgres:11.8
env:
POSTGRES_DB: postgres
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
mysql:
image: mysql:8.0.26
env:
MYSQL_ROOT_PASSWORD: test
ports:
- 3306:3306
env:
TEST_DATABASE_POSTGRESQL: "postgres://test:test@localhost:5432/postgres?sslmode=disable"
TEST_DATABASE_MYSQL: "mysql://root:test@(localhost:3306)/mysql?multiStatements=true&parseTime=true"
TEST_DATABASE_COCKROACHDB: "cockroach://root@localhost:26257/defaultdb?sslmode=disable"
steps:
- run: |
docker create --name cockroach -p 26257:26257 \
cockroachdb/cockroach:v22.1.10 start-single-node --insecure
docker start cockroach
name: Start CockroachDB
- uses: ory/ci/checkout@master
with:
fetch-depth: 2
- uses: actions/cache@v2
with:
path: |
internal/httpclient
key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
- uses: actions/setup-go@v4
with:
go-version: "1.21"
- run: go list -json > go.list
- name: Run nancy
uses: sonatype-nexus-community/[email protected]
with:
nancyVersion: v1.0.42
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v3
env:
GOGC: 100
with:
args: --timeout 10m0s
version: v1.53.2
skip-pkg-cache: true
- name: Run go-acc (tests)
run: |
make .bin/go-acc
.bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
- name: Submit to Codecov
run: |
bash <(curl -s https://codecov.io/bash)
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
test-hsm:
name: Run HSM tests
needs:
- sdk-generate
runs-on: ubuntu-latest
env:
HSM_ENABLED: true
HSM_LIBRARY: /usr/lib/softhsm/libsofthsm2.so
HSM_TOKEN_LABEL: hydra
HSM_PIN: 1234
steps:
- uses: ory/ci/checkout@master
- uses: actions/cache@v2
with:
path: |
internal/httpclient
key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
- uses: actions/setup-go@v3
with:
go-version: "1.21"
- name: Setup HSM libs and packages
run: |
sudo apt install -y softhsm opensc
sudo rm -rf /var/lib/softhsm/tokens
sudo mkdir -p /var/lib/softhsm/tokens
sudo chmod -R a+rwx /var/lib/softhsm
sudo chmod a+rx /etc/softhsm
sudo chmod a+r /etc/softhsm/*
- name: HSM tests
run: |
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
go test -p 1 -failfast -short -timeout=20m -tags=sqlite,hsm ./...
test-e2e:
name: Run end-to-end tests
runs-on: ubuntu-latest
needs:
- sdk-generate
strategy:
matrix:
database: ["memory", "postgres", "mysql", "cockroach"]
args: ["", "--jwt"]
services:
postgres:
image: postgres:11.8
env:
POSTGRES_DB: postgres
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
mysql:
image: mysql:8.0.26
env:
MYSQL_ROOT_PASSWORD: test
ports:
- 3306:3306
env:
TEST_DATABASE_POSTGRESQL: "postgres://test:test@localhost:5432/postgres?sslmode=disable"
TEST_DATABASE_MYSQL: "mysql://root:test@(localhost:3306)/mysql?multiStatements=true&parseTime=true"
TEST_DATABASE_COCKROACHDB: "cockroach://root@localhost:26257/defaultdb?sslmode=disable"
steps:
- run: |
docker create --name cockroach -p 26257:26257 \
cockroachdb/cockroach:v22.1.10 start-single-node --insecure
docker start cockroach
name: Start CockroachDB
- uses: ory/ci/checkout@master
- uses: actions/setup-go@v3
with:
go-version: "1.21"
- uses: actions/cache@v2
with:
path: ./test/e2e/hydra
key: ${{ runner.os }}-hydra
- uses: actions/cache@v2
with:
path: |
internal/httpclient
key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
- run: ./test/e2e/circle-ci.bash ${{ matrix.database }} ${{ matrix.args }}
docs-cli:
runs-on: ubuntu-latest
name: Build CLI docs
needs:
- test
steps:
- uses: ory/ci/docs/cli-next@master
with:
token: ${{ secrets.ORY_BOT_PAT }}
output-dir: docs/hydra/cli
changelog:
name: Generate changelog
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' || github.ref_name == 'master' }}
needs:
- test
- test-hsm
- test-e2e
steps:
- uses: ory/ci/changelog@master
with:
token: ${{ secrets.ORY_BOT_PAT }}
sdk-release:
name: Release SDKs
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' }}
needs:
- test
- test-hsm
- sdk-generate
- release
steps:
- uses: ory/ci/sdk/release@master
with:
swag-spec-location: spec/api.json
token: ${{ secrets.ORY_BOT_PAT }}
release:
name: Generate release
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' }}
needs:
- oidc-conformity
- test
- test-hsm
- test-e2e
- changelog
steps:
- uses: ory/ci/releaser@master
with:
token: ${{ secrets.ORY_BOT_PAT }}
goreleaser_key: ${{ secrets.GORELEASER_KEY }}
cosign_pwd: ${{ secrets.COSIGN_PWD }}
docker_username: ${{ secrets.DOCKERHUB_USERNAME }}
docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
render-version-schema:
name: Render version schema
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' }}
needs:
- release
steps:
- uses: ory/ci/releaser/render-version-schema@master
with:
schema-path: .schema/config.schema.json
token: ${{ secrets.ORY_BOT_PAT }}
newsletter-draft:
name: Draft newsletter
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' }}
needs:
- release
steps:
- uses: ory/ci/newsletter@master
with:
mailchimp_list_id: f605a41b53
mailchmip_segment_id: 6479481
mailchimp_api_key: ${{ secrets.MAILCHIMP_API_KEY }}
draft: "true"
ssh_key: ${{ secrets.ORY_BOT_SSH_KEY }}
slack-approval-notification:
name: Pending approval Slack notification
runs-on: ubuntu-latest
if: ${{ github.ref_type == 'tag' }}
needs:
- newsletter-draft
steps:
- uses: ory/ci/newsletter/slack-notify@master
with:
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
newsletter-send:
name: Send newsletter
runs-on: ubuntu-latest
needs:
- newsletter-draft
if: ${{ github.ref_type == 'tag' }}
environment: production
steps:
- uses: ory/ci/newsletter@master
with:
mailchimp_list_id: f605a41b53
mailchmip_segment_id: 6479481
mailchimp_api_key: ${{ secrets.MAILCHIMP_API_KEY }}
draft: "false"
ssh_key: ${{ secrets.ORY_BOT_SSH_KEY }}