From 9eeedc06408c447077b630fff65e9ca4ed1ec59a Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Tue, 8 Nov 2022 13:16:34 +0100 Subject: [PATCH] fix: use process-isolated Jsonnet VM (#2869) Co-authored-by: hperl <34397+hperl@users.noreply.github.com> --- cmd/jsonnet/lint.go | 3 +- cmd/root.go | 5 +- courier/courier.go | 2 + courier/sms.go | 4 +- driver/registry.go | 3 + driver/registry_default.go | 17 +++- go.mod | 2 +- go.sum | 2 + internal/driver.go | 2 + request/builder.go | 75 ++++++++++------- request/builder_test.go | 84 ++++++++++++------- selfservice/hook/web_hook.go | 6 +- selfservice/hook/web_hook_integration_test.go | 17 +++- selfservice/strategy/oidc/strategy.go | 3 + .../strategy/oidc/strategy_registration.go | 8 +- 15 files changed, 159 insertions(+), 74 deletions(-) diff --git a/cmd/jsonnet/lint.go b/cmd/jsonnet/lint.go index 8a2cbf56cc57..0d81fcd16ddc 100644 --- a/cmd/jsonnet/lint.go +++ b/cmd/jsonnet/lint.go @@ -6,6 +6,7 @@ import ( "path/filepath" "strings" + "github.com/google/go-jsonnet" "github.com/google/go-jsonnet/linter" "github.com/spf13/cobra" @@ -30,7 +31,7 @@ func NewJsonnetLintCmd() *cobra.Command { ` + GlobHelp, Args: cobra.MinimumNArgs(1), Run: func(cmd *cobra.Command, args []string) { - vm := jsonnetsecure.MakeSecureVM() + vm := jsonnetsecure.MakeSecureVM().(*jsonnet.VM) for _, pattern := range args { files, err := filepath.Glob(pattern) diff --git a/cmd/root.go b/cmd/root.go index 641f81612cc9..0b9925fd8297 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -6,8 +6,8 @@ import ( "os" "github.com/ory/kratos/cmd/cleanup" - "github.com/ory/kratos/driver/config" + "github.com/ory/x/jsonnetsecure" "github.com/ory/kratos/cmd/courier" "github.com/ory/kratos/cmd/hashers" @@ -44,6 +44,9 @@ func NewRootCmd() (cmd *cobra.Command) { cmd.AddCommand(identities.NewValidateCmd()) cmd.AddCommand(cmdx.Version(&config.Version, &config.Commit, &config.Date)) + // Registers a hidden "jsonnet" subcommand for process-isolated Jsonnet VMs. + cmd.AddCommand(jsonnetsecure.NewJsonnetCmd()) + return cmd } diff --git a/courier/courier.go b/courier/courier.go index e29f1b1ce83b..e2b10fc3855d 100644 --- a/courier/courier.go +++ b/courier/courier.go @@ -5,6 +5,7 @@ import ( "time" "github.com/ory/kratos/courier/template" + "github.com/ory/x/jsonnetsecure" "github.com/cenkalti/backoff" "github.com/gofrs/uuid" @@ -21,6 +22,7 @@ type ( x.LoggingProvider ConfigProvider x.HTTPClientProvider + jsonnetsecure.VMProvider } Courier interface { diff --git a/courier/sms.go b/courier/sms.go index df2f7fdf02de..94c5f3da1982 100644 --- a/courier/sms.go +++ b/courier/sms.go @@ -80,12 +80,12 @@ func (c *courier) dispatchSMS(ctx context.Context, msg Message) error { return err } - builder, err := request.NewBuilder(c.smsClient.RequestConfig, c.deps.HTTPClient(ctx), c.deps.Logger()) + builder, err := request.NewBuilder(c.smsClient.RequestConfig, c.deps) if err != nil { return err } - req, err := builder.BuildRequest(&sendSMSRequestBody{ + req, err := builder.BuildRequest(ctx, &sendSMSRequestBody{ To: msg.Recipient, From: c.deps.CourierConfig().CourierSMSFrom(ctx), Body: body, diff --git a/driver/registry.go b/driver/registry.go index 8d4b6aceb953..ebe20809a2dd 100644 --- a/driver/registry.go +++ b/driver/registry.go @@ -4,6 +4,7 @@ import ( "context" "github.com/ory/x/contextx" + "github.com/ory/x/jsonnetsecure" "github.com/ory/x/otelx" prometheus "github.com/ory/x/prometheusx" @@ -48,6 +49,7 @@ type Registry interface { Init(ctx context.Context, ctxer contextx.Contextualizer, opts ...RegistryOption) error WithLogger(l *logrusx.Logger) Registry + WithJsonnetVMProvider(jsonnetsecure.VMProvider) Registry WithCSRFHandler(c nosurf.Handler) WithCSRFTokenGenerator(cg x.CSRFToken) @@ -73,6 +75,7 @@ type Registry interface { x.WriterProvider x.LoggingProvider x.HTTPClientProvider + jsonnetsecure.VMProvider continuity.ManagementProvider continuity.PersistenceProvider diff --git a/driver/registry_default.go b/driver/registry_default.go index 7b5ed17052af..648410b6cebe 100644 --- a/driver/registry_default.go +++ b/driver/registry_default.go @@ -9,6 +9,7 @@ import ( "time" "github.com/ory/x/contextx" + "github.com/ory/x/jsonnetsecure" "github.com/ory/x/popx" @@ -154,6 +155,15 @@ type RegistryDefault struct { buildDate string csrfTokenGenerator x.CSRFToken + + jsonnetVMProvider jsonnetsecure.VMProvider +} + +func (m *RegistryDefault) JsonnetVM(ctx context.Context) (jsonnetsecure.VM, error) { + if m.jsonnetVMProvider == nil { + m.jsonnetVMProvider = &jsonnetsecure.DefaultProvider{Subcommand: "jsonnet"} + } + return m.jsonnetVMProvider.JsonnetVM(ctx) } func (m *RegistryDefault) Audit() *logrusx.Logger { @@ -223,6 +233,11 @@ func (m *RegistryDefault) WithLogger(l *logrusx.Logger) Registry { return m } +func (m *RegistryDefault) WithJsonnetVMProvider(p jsonnetsecure.VMProvider) Registry { + m.jsonnetVMProvider = p + return m +} + func (m *RegistryDefault) LogoutHandler() *logout.Handler { if m.selfserviceLogoutHandler == nil { m.selfserviceLogoutHandler = logout.NewHandler(m) @@ -350,7 +365,7 @@ func (m *RegistryDefault) AllLoginStrategies() login.Strategies { return loginStrategies } -func (m *RegistryDefault) ActiveCredentialsCounterStrategies(ctx context.Context) (activeCredentialsCounterStrategies []identity.ActiveCredentialsCounter) { +func (m *RegistryDefault) ActiveCredentialsCounterStrategies(_ context.Context) (activeCredentialsCounterStrategies []identity.ActiveCredentialsCounter) { for _, strategy := range m.selfServiceStrategies() { if s, ok := strategy.(identity.ActiveCredentialsCounter); ok { activeCredentialsCounterStrategies = append(activeCredentialsCounterStrategies, s) diff --git a/go.mod b/go.mod index 7b025540d372..13725fc7974f 100644 --- a/go.mod +++ b/go.mod @@ -77,7 +77,7 @@ require ( github.com/ory/kratos-client-go v0.6.3-alpha.1 github.com/ory/mail/v3 v3.0.0 github.com/ory/nosurf v1.2.7 - github.com/ory/x v0.0.510 + github.com/ory/x v0.0.511-0.20221108105728-3fed9bc99daf github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 github.com/pkg/errors v0.9.1 github.com/pquerna/otp v1.3.0 diff --git a/go.sum b/go.sum index 299395f1cf08..8fe87daa674d 100644 --- a/go.sum +++ b/go.sum @@ -1145,6 +1145,8 @@ github.com/ory/x v0.0.506 h1:kqkGwRuhZsyLf2zgjIyOkuY1nRfbWu2aPOQTk03j6ZQ= github.com/ory/x v0.0.506/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= github.com/ory/x v0.0.510 h1:DksQNoq7ssdR76mhcNxzaGPKmzaQEKWg2kannGsD8+w= github.com/ory/x v0.0.510/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= +github.com/ory/x v0.0.511-0.20221108105728-3fed9bc99daf h1:sPEIGYHzmEu4tPiRUYgKfXPOAqneNuB1aaKvrT6aBXE= +github.com/ory/x v0.0.511-0.20221108105728-3fed9bc99daf/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= diff --git a/internal/driver.go b/internal/driver.go index 3ab4b4ecd309..fd7536162f30 100644 --- a/internal/driver.go +++ b/internal/driver.go @@ -6,6 +6,7 @@ import ( "testing" "github.com/ory/x/contextx" + "github.com/ory/x/jsonnetsecure" "github.com/gofrs/uuid" @@ -61,6 +62,7 @@ func NewFastRegistryWithMocks(t *testing.T) (*config.Config, *driver.RegistryDef return &hook.Error{Config: c.Config} }, }) + reg.WithJsonnetVMProvider(jsonnetsecure.NewTestProvider(t)) require.NoError(t, reg.Persister().MigrateUp(context.Background())) require.NotEqual(t, uuid.Nil, reg.Persister().NetworkID(context.Background())) diff --git a/request/builder.go b/request/builder.go index 9771d4457263..f1df2a4cb325 100644 --- a/request/builder.go +++ b/request/builder.go @@ -2,6 +2,7 @@ package request import ( "bytes" + "context" "encoding/json" "io" "net/http" @@ -9,15 +10,13 @@ import ( "reflect" "strings" - "github.com/ory/x/jsonnetsecure" - - "github.com/pkg/errors" - "github.com/google/go-jsonnet" "github.com/hashicorp/go-retryablehttp" + "github.com/pkg/errors" + "github.com/ory/kratos/x" "github.com/ory/x/fetcher" - "github.com/ory/x/logrusx" + "github.com/ory/x/jsonnetsecure" ) var ErrCancel = errors.New("request cancel by JsonNet") @@ -27,14 +26,20 @@ const ( ContentTypeJSON = "application/json" ) -type Builder struct { - r *retryablehttp.Request - log *logrusx.Logger - conf *Config - fetchClient *retryablehttp.Client -} +type ( + Dependencies interface { + x.LoggingProvider + x.HTTPClientProvider + jsonnetsecure.VMProvider + } + Builder struct { + r *retryablehttp.Request + conf *Config + Dependencies + } +) -func NewBuilder(config json.RawMessage, client *retryablehttp.Client, l *logrusx.Logger) (*Builder, error) { +func NewBuilder(config json.RawMessage, deps Dependencies) (*Builder, error) { c, err := parseConfig(config) if err != nil { return nil, err @@ -46,10 +51,9 @@ func NewBuilder(config json.RawMessage, client *retryablehttp.Client, l *logrusx } return &Builder{ - r: r, - log: l, - conf: c, - fetchClient: client, + r: r, + conf: c, + Dependencies: deps, }, nil } @@ -66,7 +70,7 @@ func (b *Builder) addAuth() error { return nil } -func (b *Builder) addBody(body interface{}) error { +func (b *Builder) addBody(ctx context.Context, body interface{}) error { if isNilInterface(body) { return nil } @@ -77,18 +81,18 @@ func (b *Builder) addBody(body interface{}) error { return errors.New("got empty template path for request with body") } - tpl, err := b.readTemplate() + tpl, err := b.readTemplate(ctx) if err != nil { return err } switch contentType { case ContentTypeForm: - if err := b.addURLEncodedBody(tpl, body); err != nil { + if err := b.addURLEncodedBody(ctx, tpl, body); err != nil { return err } case ContentTypeJSON: - if err := b.addJSONBody(tpl, body); err != nil { + if err := b.addJSONBody(ctx, tpl, body); err != nil { return err } default: @@ -98,7 +102,7 @@ func (b *Builder) addBody(body interface{}) error { return nil } -func (b *Builder) addJSONBody(template *bytes.Buffer, body interface{}) error { +func (b *Builder) addJSONBody(ctx context.Context, template *bytes.Buffer, body interface{}) error { buf := new(bytes.Buffer) enc := json.NewEncoder(buf) enc.SetEscapeHTML(false) @@ -108,10 +112,16 @@ func (b *Builder) addJSONBody(template *bytes.Buffer, body interface{}) error { return errors.WithStack(err) } - vm := jsonnetsecure.MakeSecureVM() + vm, err := b.JsonnetVM(ctx) + if err != nil { + return errors.WithStack(err) + } vm.TLACode("ctx", buf.String()) - res, err := vm.EvaluateAnonymousSnippet(b.conf.TemplateURI, template.String()) + res, err := vm.EvaluateAnonymousSnippet( + b.conf.TemplateURI, + template.String(), + ) if err != nil { // Unfortunately we can not use errors.As / errors.Is, see: // https://github.com/google/go-jsonnet/issues/592 @@ -130,7 +140,7 @@ func (b *Builder) addJSONBody(template *bytes.Buffer, body interface{}) error { return nil } -func (b *Builder) addURLEncodedBody(template *bytes.Buffer, body interface{}) error { +func (b *Builder) addURLEncodedBody(ctx context.Context, template *bytes.Buffer, body interface{}) error { buf := new(bytes.Buffer) enc := json.NewEncoder(buf) enc.SetEscapeHTML(false) @@ -140,7 +150,10 @@ func (b *Builder) addURLEncodedBody(template *bytes.Buffer, body interface{}) er return err } - vm := jsonnetsecure.MakeSecureVM() + vm, err := b.JsonnetVM(ctx) + if err != nil { + return err + } vm.TLACode("ctx", buf.String()) res, err := vm.EvaluateAnonymousSnippet(b.conf.TemplateURI, template.String()) @@ -167,7 +180,7 @@ func (b *Builder) addURLEncodedBody(template *bytes.Buffer, body interface{}) er return nil } -func (b *Builder) BuildRequest(body interface{}) (*retryablehttp.Request, error) { +func (b *Builder) BuildRequest(ctx context.Context, body interface{}) (*retryablehttp.Request, error) { b.r.Header = b.conf.Header if err := b.addAuth(); err != nil { return nil, err @@ -176,7 +189,7 @@ func (b *Builder) BuildRequest(body interface{}) (*retryablehttp.Request, error) // According to the HTTP spec any request method, but TRACE is allowed to // have a body. Even this is a bad practice for some of them, like for GET if b.conf.Method != http.MethodTrace { - if err := b.addBody(body); err != nil { + if err := b.addBody(ctx, body); err != nil { return nil, err } } @@ -184,20 +197,22 @@ func (b *Builder) BuildRequest(body interface{}) (*retryablehttp.Request, error) return b.r, nil } -func (b *Builder) readTemplate() (*bytes.Buffer, error) { +func (b *Builder) readTemplate(ctx context.Context) (*bytes.Buffer, error) { templateURI := b.conf.TemplateURI if templateURI == "" { return nil, nil } - f := fetcher.NewFetcher(fetcher.WithClient(b.fetchClient)) + f := fetcher.NewFetcher(fetcher.WithClient(b.HTTPClient(ctx))) tpl, err := f.Fetch(templateURI) if errors.Is(err, fetcher.ErrUnknownScheme) { // legacy filepath templateURI = "file://" + templateURI - b.log.WithError(err).Warnf("support for filepaths without a 'file://' scheme will be dropped in the next release, please use %s instead in your config", templateURI) + b.Logger().WithError(err).Warnf( + "support for filepaths without a 'file://' scheme will be dropped in the next release, please use %s instead in your config", + templateURI) tpl, err = f.Fetch(templateURI) } diff --git a/request/builder_test.go b/request/builder_test.go index 5b993f1f3b15..869a039d19d9 100644 --- a/request/builder_test.go +++ b/request/builder_test.go @@ -1,6 +1,7 @@ package request import ( + "context" _ "embed" "encoding/base64" "encoding/json" @@ -11,6 +12,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/ory/kratos/x" + "github.com/ory/x/jsonnetsecure" "github.com/ory/x/logrusx" ) @@ -81,11 +84,13 @@ func TestBuildRequest(t *testing.T) { Body: "test-sms-body", }, expectedBody: "{\n \"Body\": \"test-sms-body\",\n \"From\": \"+12288534869\",\n \"To\": \"+15056445993\"\n}\n", - rawConfig: fmt.Sprintf(`{ + rawConfig: fmt.Sprintf( + `{ "url": "https://test.kratos.ory.sh/my_endpoint1", "method": "POST", "body": "base64://%s" - }`, base64.StdEncoding.EncodeToString(testJSONNetTemplate)), + }`, base64.StdEncoding.EncodeToString(testJSONNetTemplate), + ), }, { name: "POST request with custom header", @@ -234,50 +239,67 @@ func TestBuildRequest(t *testing.T) { }`, }, } { - t.Run("request-type="+tc.name, func(t *testing.T) { - l := logrusx.New("kratos", "test") + t.Run( + "request-type="+tc.name, func(t *testing.T) { + rb, err := NewBuilder(json.RawMessage(tc.rawConfig), newTestDependencyProvider(t)) + require.NoError(t, err) - rb, err := NewBuilder(json.RawMessage(tc.rawConfig), nil, l) - require.NoError(t, err) + assert.Equal(t, tc.bodyTemplateURI, rb.conf.TemplateURI) + assert.Equal(t, tc.authStrategy, rb.conf.Auth.Type) - assert.Equal(t, tc.bodyTemplateURI, rb.conf.TemplateURI) - assert.Equal(t, tc.authStrategy, rb.conf.Auth.Type) + req, err := rb.BuildRequest(context.Background(), tc.body) + require.NoError(t, err) - req, err := rb.BuildRequest(tc.body) - require.NoError(t, err) + assert.Equal(t, tc.url, req.URL.String()) + assert.Equal(t, tc.method, req.Method) - assert.Equal(t, tc.url, req.URL.String()) - assert.Equal(t, tc.method, req.Method) + if tc.body != nil { + requestBody, err := req.BodyBytes() + require.NoError(t, err) - if tc.body != nil { - requestBody, err := req.BodyBytes() - require.NoError(t, err) - - assert.Equal(t, tc.expectedBody, string(requestBody)) - } + assert.Equal(t, tc.expectedBody, string(requestBody)) + } - if tc.expectedHeader != nil { - mustContainHeader(t, tc.expectedHeader, req.Header) - } - }) + if tc.expectedHeader != nil { + mustContainHeader(t, tc.expectedHeader, req.Header) + } + }, + ) } - t.Run("cancel request", func(t *testing.T) { - l := logrusx.New("kratos", "test") - - rb, err := NewBuilder(json.RawMessage(`{ + t.Run( + "cancel request", func(t *testing.T) { + rb, err := NewBuilder(json.RawMessage( + `{ "url": "https://test.kratos.ory.sh/my_endpoint6", "method": "POST", "body": "file://./stub/cancel_body.jsonnet" -}`), nil, l) - require.NoError(t, err) +}`, + ), newTestDependencyProvider(t)) + require.NoError(t, err) + + _, err = rb.BuildRequest(context.Background(), json.RawMessage(`{}`)) + require.ErrorIs(t, err, ErrCancel) + }, + ) +} - _, err = rb.BuildRequest(json.RawMessage(`{}`)) - require.ErrorIs(t, err, ErrCancel) - }) +type testDependencyProvider struct { + x.SimpleLoggerWithClient + *jsonnetsecure.TestProvider +} + +func newTestDependencyProvider(t *testing.T) *testDependencyProvider { + return &testDependencyProvider{ + SimpleLoggerWithClient: x.SimpleLoggerWithClient{ + L: logrusx.New("kratos", "test"), + }, + TestProvider: jsonnetsecure.NewTestProvider(t), + } } func mustContainHeader(t *testing.T, expected http.Header, actual http.Header) { + t.Helper() for k := range expected { require.Contains(t, actual, k) assert.Equal(t, expected[k], actual[k]) diff --git a/selfservice/hook/web_hook.go b/selfservice/hook/web_hook.go index df53cb0a6379..9e80059221eb 100644 --- a/selfservice/hook/web_hook.go +++ b/selfservice/hook/web_hook.go @@ -12,6 +12,7 @@ import ( "go.opentelemetry.io/otel/trace" "github.com/ory/kratos/ui/node" + "github.com/ory/x/jsonnetsecure" "github.com/ory/kratos/identity" "github.com/ory/kratos/request" @@ -39,6 +40,7 @@ type ( x.LoggingProvider x.HTTPClientProvider x.TracingProvider + jsonnetsecure.VMProvider } templateContext struct { @@ -208,12 +210,12 @@ func (e *WebHook) execute(ctx context.Context, data *templateContext) error { span.SetAttributes(otelx.StringAttrs(attrs)...) defer span.End() - builder, err := request.NewBuilder(e.conf, e.deps.HTTPClient(ctx), e.deps.Logger()) + builder, err := request.NewBuilder(e.conf, e.deps) if err != nil { return err } - req, err := builder.BuildRequest(data) + req, err := builder.BuildRequest(ctx, data) if errors.Is(err, request.ErrCancel) { return nil } else if err != nil { diff --git a/selfservice/hook/web_hook_integration_test.go b/selfservice/hook/web_hook_integration_test.go index 017f38c5e23c..9fd9e448c8aa 100644 --- a/selfservice/hook/web_hook_integration_test.go +++ b/selfservice/hook/web_hook_integration_test.go @@ -20,6 +20,7 @@ import ( "github.com/ory/kratos/schema" "github.com/ory/kratos/text" + "github.com/ory/x/jsonnetsecure" "github.com/ory/x/otelx" "github.com/ory/kratos/driver/config" @@ -50,7 +51,13 @@ import ( func TestWebHooks(t *testing.T) { _, reg := internal.NewFastRegistryWithMocks(t) logger := logrusx.New("kratos", "test") - whDeps := x.SimpleLoggerWithClient{L: logger, C: reg.HTTPClient(context.Background()), T: otelx.NewNoop(logger, &otelx.Config{ServiceName: "kratos"})} + whDeps := struct { + x.SimpleLoggerWithClient + *jsonnetsecure.TestProvider + }{ + x.SimpleLoggerWithClient{L: logger, C: reg.HTTPClient(context.Background()), T: otelx.NewNoop(logger, &otelx.Config{ServiceName: "kratos"})}, + jsonnetsecure.NewTestProvider(t), + } type WebHookRequest struct { Body string Headers http.Header @@ -728,7 +735,13 @@ func TestDisallowPrivateIPRanges(t *testing.T) { conf.MustSet(ctx, config.ViperKeyClientHTTPNoPrivateIPRanges, true) conf.MustSet(ctx, config.ViperKeyClientHTTPPrivateIPExceptionURLs, []string{"http://localhost/exception"}) logger := logrusx.New("kratos", "test") - whDeps := x.SimpleLoggerWithClient{L: logger, C: reg.HTTPClient(context.Background()), T: otelx.NewNoop(logger, conf.Tracing(ctx))} + whDeps := struct { + x.SimpleLoggerWithClient + *jsonnetsecure.TestProvider + }{ + x.SimpleLoggerWithClient{L: logger, C: reg.HTTPClient(context.Background()), T: otelx.NewNoop(logger, &otelx.Config{ServiceName: "kratos"})}, + jsonnetsecure.NewTestProvider(t), + } req := &http.Request{ Header: map[string][]string{"Some-Header": {"Some-Value"}}, diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go index 16f914edcc5e..b27531855403 100644 --- a/selfservice/strategy/oidc/strategy.go +++ b/selfservice/strategy/oidc/strategy.go @@ -11,6 +11,7 @@ import ( "strings" "github.com/ory/kratos/cipher" + "github.com/ory/x/jsonnetsecure" "github.com/ory/kratos/text" @@ -93,6 +94,8 @@ type dependencies interface { continuity.ManagementProvider cipher.Provider + + jsonnetsecure.VMProvider } func isForced(req interface{}) bool { diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go index a8c6b6ed783f..69609854717d 100644 --- a/selfservice/strategy/oidc/strategy_registration.go +++ b/selfservice/strategy/oidc/strategy_registration.go @@ -6,8 +6,6 @@ import ( "net/http" "time" - "github.com/ory/x/jsonnetsecure" - "github.com/ory/herodot" "github.com/ory/x/fetcher" @@ -252,7 +250,11 @@ func (s *Strategy) createIdentity(w http.ResponseWriter, r *http.Request, a *reg return nil, s.handleError(w, r, a, provider.Config().ID, nil, err) } - vm := jsonnetsecure.MakeSecureVM() + vm, err := s.d.JsonnetVM(r.Context()) + if err != nil { + return nil, s.handleError(w, r, a, provider.Config().ID, nil, err) + } + vm.ExtCode("claims", jsonClaims.String()) evaluated, err := vm.EvaluateAnonymousSnippet(provider.Config().Mapper, jn.String()) if err != nil {