Merge b7382f3 into 5535fcb

ory · May 24, 2023 · 331041b · 331041b
2 parents 5535fcb + b7382f3
commit 331041b
Show file tree

Hide file tree

Showing 23 changed files with 414 additions and 53 deletions.
diff --git a/.schema/openapi/patches/identity.yaml b/.schema/openapi/patches/identity.yaml
@@ -11,6 +11,14 @@
     - oidc
     - webauthn
     - lookup_secret
+- op: add
+  path: /paths/~1admin~1identities~1{id}/get/parameters/1/schema/items/enum
+  value:
+    - password
+    - totp
+    - oidc
+    - webauthn
+    - lookup_secret
 - op: remove
   path: /components/schemas/updateIdentityBody/properties/metadata_admin/type
 - op: remove

diff --git a/Makefile b/Makefile
@@ -48,7 +48,7 @@ docs/swagger:
 	npx @redocly/openapi-cli preview-docs spec/swagger.json
 
 .bin/golangci-lint: Makefile
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -d -b .bin v1.50.1
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -d -b .bin v1.52.2
 
 .bin/hydra: Makefile
 	bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -d -b .bin hydra v2.0.2

diff --git a/examples/go/identity/get/main.go b/examples/go/identity/get/main.go
@@ -19,7 +19,7 @@ func getIdentity() *ory.Identity {
 	ctx := context.Background()
 	created := pkg.CreateIdentity(client)
 
-	identity, res, err := client.IdentityApi.GetIdentity(ctx, created.Id).Execute()
+	identity, res, err := client.IdentityApi.GetIdentity(ctx, created.Id).IncludeCredential([]string{"password"}).Execute()
 	pkg.SDKExitOnError(err, res)
 
 	return identity

diff --git a/...credentials-case=should_get_identity_with_password_and_webauthn_credentials_included.json b/...credentials-case=should_get_identity_with_password_and_webauthn_credentials_included.json
@@ -0,0 +1,40 @@
+{
+  "credentials": {
+    "oidc": {
+      "type": "oidc",
+      "identifiers": [
+        "bar",
+        "baz"
+      ],
+      "version": 0
+    },
+    "password": {
+      "type": "password",
+      "identifiers": [
+        "bar",
+        "zab"
+      ],
+      "config": {
+        "some": "secret"
+      },
+      "version": 0
+    },
+    "webauthn": {
+      "type": "webauthn",
+      "identifiers": [
+        "bar",
+        "foo"
+      ],
+      "config": {
+        "some": "secret",
+        "user_handle": "rVIFaWRcTTuQLkXFmQWpgA=="
+      },
+      "version": 1
+    }
+  },
+  "schema_id": "default",
+  "state": "active",
+  "traits": {},
+  "metadata_public": null,
+  "metadata_admin": null
+}
diff --git a/...dentity_with_credentials-case=should_get_identity_with_password_credentials_included.json b/...dentity_with_credentials-case=should_get_identity_with_password_credentials_included.json
@@ -0,0 +1,36 @@
+{
+  "credentials": {
+    "oidc": {
+      "type": "oidc",
+      "identifiers": [
+        "bar",
+        "baz"
+      ],
+      "version": 0
+    },
+    "password": {
+      "type": "password",
+      "identifiers": [
+        "bar",
+        "zab"
+      ],
+      "config": {
+        "some": "secret"
+      },
+      "version": 0
+    },
+    "webauthn": {
+      "type": "webauthn",
+      "identifiers": [
+        "bar",
+        "foo"
+      ],
+      "version": 1
+    }
+  },
+  "schema_id": "default",
+  "state": "active",
+  "traits": {},
+  "metadata_public": null,
+  "metadata_admin": null
+}
diff --git a/..._get_identity_with_credentials-case=should_get_identity_without_credentials_included.json b/..._get_identity_with_credentials-case=should_get_identity_without_credentials_included.json
@@ -0,0 +1,33 @@
+{
+  "credentials": {
+    "oidc": {
+      "type": "oidc",
+      "identifiers": [
+        "bar",
+        "baz"
+      ],
+      "version": 0
+    },
+    "password": {
+      "type": "password",
+      "identifiers": [
+        "bar",
+        "zab"
+      ],
+      "version": 0
+    },
+    "webauthn": {
+      "type": "webauthn",
+      "identifiers": [
+        "bar",
+        "foo"
+      ],
+      "version": 1
+    }
+  },
+  "schema_id": "default",
+  "state": "active",
+  "traits": {},
+  "metadata_public": null,
+  "metadata_admin": null
+}
diff --git a/identity/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=oidc.json b/identity/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=oidc.json
@@ -0,0 +1,10 @@
+{
+  "type": "oidc",
+  "identifiers": [
+    "bar",
+    "baz"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/...ty/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=password.json b/...ty/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=password.json
@@ -0,0 +1,13 @@
+{
+  "type": "password",
+  "identifiers": [
+    "zab",
+    "bar"
+  ],
+  "config": {
+    "some": "secret"
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/...ty/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=webauthn.json b/...ty/.snapshots/TestWithDeclassifiedCredentials-case=include-multi-credential=webauthn.json
@@ -0,0 +1,13 @@
+{
+  "type": "webauthn",
+  "identifiers": [
+    "foo",
+    "bar"
+  ],
+  "config": {
+    "some": "secret"
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/...ity/.snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=oidc.json b/...ity/.snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=oidc.json
@@ -0,0 +1,10 @@
+{
+  "type": "oidc",
+  "identifiers": [
+    "bar",
+    "baz"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/....snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=password.json b/....snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=password.json
@@ -0,0 +1,10 @@
+{
+  "type": "password",
+  "identifiers": [
+    "zab",
+    "bar"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/....snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=webauthn.json b/....snapshots/TestWithDeclassifiedCredentials-case=include-webauthn-credential=webauthn.json
@@ -0,0 +1,13 @@
+{
+  "type": "webauthn",
+  "identifiers": [
+    "foo",
+    "bar"
+  ],
+  "config": {
+    "some": "secret"
+  },
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=oidc.json b/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=oidc.json
@@ -0,0 +1,10 @@
+{
+  "type": "oidc",
+  "identifiers": [
+    "bar",
+    "baz"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=password.json b/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=password.json
@@ -0,0 +1,10 @@
+{
+  "type": "password",
+  "identifiers": [
+    "zab",
+    "bar"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=webauthn.json b/identity/.snapshots/TestWithDeclassifiedCredentials-case=no-include-credential=webauthn.json
@@ -0,0 +1,10 @@
+{
+  "type": "webauthn",
+  "identifiers": [
+    "foo",
+    "bar"
+  ],
+  "version": 0,
+  "created_at": "0001-01-01T00:00:00Z",
+  "updated_at": "0001-01-01T00:00:00Z"
+}
diff --git a/identity/credentials.go b/identity/credentials.go
@@ -77,6 +77,24 @@ const (
 	CredentialsTypeRecoveryCode CredentialsType = "code_recovery"
 )
 
+// ParseCredentialsType parses a string into a CredentialsType or returns false as the second argument.
+func ParseCredentialsType(in string) (CredentialsType, bool) {
+	for _, t := range []CredentialsType{
+		CredentialsTypePassword,
+		CredentialsTypeOIDC,
+		CredentialsTypeTOTP,
+		CredentialsTypeLookup,
+		CredentialsTypeWebAuthn,
+		CredentialsTypeRecoveryLink,
+		CredentialsTypeRecoveryCode,
+	} {
+		if t.String() == in {
+			return t, true
+		}
+	}
+	return "", false
+}
+
 // Credentials represents a specific credential type
 //
 // swagger:model identityCredentials

diff --git a/identity/credentials_test.go b/identity/credentials_test.go
@@ -6,6 +6,8 @@ package identity
 import (
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/mohae/deepcopy"
 	"github.com/stretchr/testify/assert"
 
@@ -29,3 +31,29 @@ func TestAALOrder(t *testing.T) {
 	assert.True(t, AuthenticatorAssuranceLevel1 < AuthenticatorAssuranceLevel3)
 	assert.True(t, AuthenticatorAssuranceLevel2 < AuthenticatorAssuranceLevel3)
 }
+
+func TestParseCredentialsType(t *testing.T) {
+	for _, tc := range []struct {
+		input    string
+		expected CredentialsType
+	}{
+		{"password", CredentialsTypePassword},
+		{"oidc", CredentialsTypeOIDC},
+		{"totp", CredentialsTypeTOTP},
+		{"webauthn", CredentialsTypeWebAuthn},
+		{"lookup_secret", CredentialsTypeLookup},
+		{"link_recovery", CredentialsTypeRecoveryLink},
+		{"code_recovery", CredentialsTypeRecoveryCode},
+	} {
+		t.Run("case="+tc.input, func(t *testing.T) {
+			actual, ok := ParseCredentialsType(tc.input)
+			require.True(t, ok)
+			assert.Equal(t, tc.expected, actual)
+		})
+	}
+
+	t.Run("case=unknown", func(t *testing.T) {
+		_, ok := ParseCredentialsType("unknown")
+		require.False(t, ok)
+	})
+}
diff --git a/identity/handler.go b/identity/handler.go
@@ -204,8 +204,8 @@ type getIdentity struct {
 
 	// Include Credentials in Response
 	//
-	// Currently, only `oidc` is supported. This will return the initial OAuth 2.0 Access,
-	// Refresh and (optionally) OpenID Connect ID Token.
+	// Include any credential, for example `password` or `oidc`, in the response. When set to `oidc`, This will return
+	// the initial OAuth 2.0 Access Token, OAuth 2.0 Refresh Token and the OpenID Connect ID Token if available.
 	//
 	// required: false
 	// in: query
@@ -241,21 +241,24 @@ func (h *Handler) get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 		return
 	}
 
-	if declassify := r.URL.Query().Get("include_credential"); declassify == "oidc" {
-		emit, err := i.WithDeclassifiedCredentialsOIDC(r.Context(), h.r)
-		if err != nil {
-			h.r.Writer().WriteError(w, r, err)
+	includeCredentials := r.URL.Query()["include_credential"]
+	var declassify []CredentialsType
+	for _, v := range includeCredentials {
+		tc, ok := ParseCredentialsType(v)
+		if ok {
+			declassify = append(declassify, tc)
+		} else {
+			h.r.Writer().WriteError(w, r, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Invalid value `%s` for parameter `include_credential`.", declassify)))
 			return
 		}
-		h.r.Writer().Write(w, r, WithCredentialsAndAdminMetadataInJSON(*emit))
-		return
-	} else if len(declassify) > 0 {
-		h.r.Writer().WriteError(w, r, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Invalid value `%s` for parameter `include_credential`.", declassify)))
-		return
-
 	}
 
-	h.r.Writer().Write(w, r, WithCredentialsMetadataAndAdminMetadataInJSON(*i))
+	emit, err := i.WithDeclassifiedCredentials(r.Context(), h.r, declassify)
+	if err != nil {
+		h.r.Writer().WriteError(w, r, err)
+		return
+	}
+	h.r.Writer().Write(w, r, WithCredentialsAndAdminMetadataInJSON(*emit))
 }
 
 // Create Identity Parameters

diff --git a/identity/handler_test.go b/identity/handler_test.go
@@ -436,6 +436,33 @@ func TestHandler(t *testing.T) {
 			}
 		})
 
+		t.Run("case=should get identity with credentials", func(t *testing.T) {
+			i := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+			credentials := map[identity.CredentialsType]identity.Credentials{
+				identity.CredentialsTypePassword: {Identifiers: []string{"zab", "bar"}, Type: identity.CredentialsTypePassword, Config: sqlxx.JSONRawMessage("{\"some\" : \"secret\"}")},
+				identity.CredentialsTypeOIDC:     {Type: identity.CredentialsTypeOIDC, Identifiers: []string{"bar", "baz"}, Config: sqlxx.JSONRawMessage("{\"some\" : \"secret\"}")},
+				identity.CredentialsTypeWebAuthn: {Type: identity.CredentialsTypeWebAuthn, Identifiers: []string{"foo", "bar"}, Config: sqlxx.JSONRawMessage("{\"some\" : \"secret\", \"user_handle\": \"rVIFaWRcTTuQLkXFmQWpgA==\"}")},
+			}
+			i.Credentials = credentials
+			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), i))
+
+			excludeKeys := snapshotx.ExceptNestedKeys("id", "created_at", "updated_at", "schema_url", "state_changed_at")
+			t.Run("case=should get identity without credentials included", func(t *testing.T) {
+				res := get(t, adminTS, "/identities/"+i.ID.String(), http.StatusOK)
+				snapshotx.SnapshotT(t, json.RawMessage(res.Raw), excludeKeys)
+			})
+
+			t.Run("case=should get identity with password credentials included", func(t *testing.T) {
+				res := get(t, adminTS, "/identities/"+i.ID.String()+"?include_credential=password", http.StatusOK)
+				snapshotx.SnapshotT(t, json.RawMessage(res.Raw), excludeKeys)
+			})
+
+			t.Run("case=should get identity with password and webauthn credentials included", func(t *testing.T) {
+				res := get(t, adminTS, "/identities/"+i.ID.String()+"?include_credential=password&include_credential=webauthn", http.StatusOK)
+				snapshotx.SnapshotT(t, json.RawMessage(res.Raw), excludeKeys)
+			})
+		})
+
 		t.Run("case=should pass if no oidc credentials are set", func(t *testing.T) {
 			for name, ts := range map[string]*httptest.Server{"public": publicTS, "admin": adminTS} {
 				t.Run("endpoint="+name, func(t *testing.T) {