sdk: Move to go-swagger code generator (ory#1347)

Signed-off-by: aeneasr <[email protected]>
kanatmg · Apr 9, 2019 · 6829a58 · 6829a58
1 parent fe720cb
commit 6829a58
Show file tree

Hide file tree

Showing 370 changed files with 30,887 additions and 6,735 deletions.
diff --git a/.gitignore b/.gitignore
@@ -18,4 +18,5 @@ hydra-docker-bin
 cookies.txt
 vendor/
 LICENSE.txt
-hydra
+./hydra
+!./hydra/
diff --git a/Makefile b/Makefile
@@ -54,23 +54,22 @@ sqlbin:
 
 # Runs all code generators
 .PHONY: gen
-gen: mocks sqlbin sdks
+gen: mocks sqlbin sdk
 
 # Generates the SDKs
-.PHONY: sdks
-sdks:
+.PHONY: sdk
+sdk:
 		GO111MODULE=on go mod tidy
 		GO111MODULE=on go mod vendor
 		GO111MODULE=off swagger generate spec -m -o ./docs/api.swagger.json
 		GO111MODULE=off swagger validate ./docs/api.swagger.json
 
-		rm -rf ./sdk/go/hydra/swagger
+		rm -rf ./sdk/go/hydra/*
 		rm -rf ./sdk/js/swagger
 		rm -rf ./sdk/php/swagger
 		rm -rf ./sdk/java
 
-		# swagger generate client -f ./docs/api.swagger.json -t sdk/go
-		java -jar scripts/swagger-codegen-cli-2.2.3.jar generate -i ./docs/api.swagger.json -l go -o ./sdk/go/hydra/swagger
+		GO111MODULE=off swagger generate client -f ./docs/api.swagger.json -t sdk/go/hydra -A Ory_Hydra
 		java -jar scripts/swagger-codegen-cli-2.2.3.jar generate -i ./docs/api.swagger.json -l javascript -o ./sdk/js/swagger
 		java -jar scripts/swagger-codegen-cli-2.2.3.jar generate -i ./docs/api.swagger.json -l php -o sdk/php/ \
 			--invoker-package Hydra\\SDK --git-repo-id swagger --git-user-id ory --additional-properties "packagePath=swagger,description=Client for Hydra"
@@ -87,9 +86,6 @@ sdks:
 
 		cd sdk/go; goreturns -w -i -local github.com/ory $$(listx .)
 
-		git checkout HEAD -- sdk/go/hydra/swagger/configuration.go
-		git checkout HEAD -- sdk/go/hydra/swagger/api_client.go
-
 		rm -f ./sdk/js/swagger/package.json
 		rm -rf ./sdk/js/swagger/test
 		rm -f ./sdk/php/swagger/composer.json ./sdk/php/swagger/phpunit.xml.dist

diff --git a/UPGRADE.md b/UPGRADE.md
@@ -131,6 +131,52 @@ Do you want the latest features and patches without work and hassle? Are you loo
 secure deployment with zero effort? We can run it for you! If you're interested,
 [contact us now](mailto:[email protected])!
 
+## 1.0.0-rc.9
+
+### Go SDK
+
+The Go SDK is now being generated using `go-swagger`. The SDK generated using `swagger-codegen` is no longer supported.
+The old Go SDK is still available but moved to a new path. To use it, change:
+
+```
+- import "github.com/ory/hydra/sdk/go/hydra"
+- import "github.com/ory/hydra/sdk/go/hydra/swagger"
+
++ import hydra "github.com/ory/hydra-legacy-sdk"
++ import "github.com/ory/hydra-legacy-sdk/swagger"
+```
+
+### Accepting Login and Consent Requests
+
+Previously, login and consent requests were accepted/rejected by doing one of:
+
+```
+PUT /oauth2/auth/requests/login/{challenge}/accept
+PUT /oauth2/auth/requests/login/{challenge}/reject
+PUT /oauth2/auth/requests/consent/{challenge}/accept
+PUT /oauth2/auth/requests/consent/{challenge}/reject
+```
+
+We observed login/consent apps that did not properly sanitize the `{challenge}` parameter, making it possible to
+escape the path by using `..` in the challenge parameter (e.g. `http://my-login-app/login?challenge=../../whatever`)
+causing the login/consent app to execute a request it is not supposed to be making (e.g. `/oauth2/auth/requests/login/../../whatever/accept`).
+
+From now on, the challenge has to be sent using a query parameter instead:
+
+```
+PUT /oauth2/auth/requests/login/accept?challenge={challenge}
+PUT /oauth2/auth/requests/login/reject?challenge={challenge}
+PUT /oauth2/auth/requests/consent/accept?challenge={challenge}
+PUT /oauth2/auth/requests/consent/reject?challenge={challenge}
+```
+
+Implementers will still need to make sure that `challenge` is properly (query) scaped, but it's generally easier to secure than
+a path parameter.
+
+We've decided to make this a hard breaking change in order to force everybody to check if their application is vulnerable to this
+issue and to upgrade their code. The required code change is minimal but the resulting security improvements are potentially
+large.
+
 ## 1.0.0-rc.7
 
 ### Configuration changes

diff --git a/client/client.go b/client/client.go
@@ -107,6 +107,9 @@ type Client struct {
 	// secret will expire or 0 if it will not expire. The time is
 	// represented as the number of seconds from 1970-01-01T00:00:00Z as
 	// measured in UTC until the date/time of expiration.
+	//
+	// This feature is currently not supported and it's value will always
+	// be set to 0.
 	SecretExpiresAt int `json:"client_secret_expires_at"`
 
 	// SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a

diff --git a/client/handler.go b/client/handler.go
@@ -74,9 +74,8 @@ func (h *Handler) SetRoutes(admin *x.RouterAdmin) {
 //     Schemes: http, https
 //
 //     Responses:
-//       200: oAuth2Client
-//       401: genericError
-//       403: genericError
+//       201: oAuth2Client
+//       409: genericError
 //       500: genericError
 func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var c Client
@@ -133,8 +132,6 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 //
 //     Responses:
 //       200: oAuth2Client
-//       401: genericError
-//       403: genericError
 //       500: genericError
 func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var c Client
@@ -183,8 +180,6 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.P
 //
 //     Responses:
 //       200: oAuth2ClientList
-//       401: genericError
-//       403: genericError
 //       500: genericError
 func (h *Handler) List(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	limit, offset := pagination.Parse(r, 100, 0, 500)
@@ -224,8 +219,7 @@ func (h *Handler) List(w http.ResponseWriter, r *http.Request, ps httprouter.Par
 //
 //     Responses:
 //       200: oAuth2Client
-//       401: genericError
-//       403: genericError
+//       404: genericError
 //       500: genericError
 func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var id = ps.ByName("id")
@@ -258,8 +252,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 //
 //     Responses:
 //       204: emptyResponse
-//       401: genericError
-//       403: genericError
+//       404: genericError
 //       500: genericError
 func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var id = ps.ByName("id")