feat: enable JSONNet templating for password migration hook (#4390)

This enables JSONNet body templating for the password migration hook.
There is also a significant refactoring of some internals around webhook config handling.

Author: zepatrik

cmd/daemon/serve.go

@@ -9,6 +9,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/ory/kratos/x/nosurfx"
+
 	"github.com/pkg/errors"
 	"github.com/rs/cors"
 	"github.com/spf13/cobra"
@@ -97,7 +99,7 @@ func servePublic(ctx context.Context, r driver.Registry, cmd *cobra.Command, slO
 	n.Use(r.PrometheusManager())
 
 	router := x.NewRouterPublic()
-	csrf := x.NewCSRFHandler(router, r)
+	csrf := nosurfx.NewCSRFHandler(router, r)
 
 	// we need to always load the CORS middleware even if it is disabled, to allow hot-enabling CORS
 	n.UseFunc(func(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {

courier/courier_dispatcher.go

@@ -31,7 +31,7 @@ func (c *courier) channels(ctx context.Context, id string) (Channel, error) {
 			}
 			return courierChannel, nil
 		case "http":
-			return newHttpChannel(channel.ID, channel.RequestConfig, c.deps), nil
+			return newHttpChannel(channel.ID, &channel.RequestConfig, c.deps), nil
 		default:
 			return nil, errors.Errorf("unknown courier channel type: %s", channel.Type)
 		}

courier/handler.go

@@ -7,6 +7,9 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/ory/kratos/x/nosurfx"
+	"github.com/ory/kratos/x/redir"
+
 	"github.com/gofrs/uuid"
 
 	"github.com/ory/herodot"
@@ -29,7 +32,7 @@ type (
 	handlerDependencies interface {
 		x.WriterProvider
 		x.LoggingProvider
-		x.CSRFProvider
+		nosurfx.CSRFProvider
 		PersistenceProvider
 		config.Provider
 	}
@@ -47,8 +50,8 @@ func NewHandler(r handlerDependencies) *Handler {
 
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
 	h.r.CSRFHandler().IgnoreGlobs(x.AdminPrefix+AdminRouteListMessages, AdminRouteListMessages)
-	public.GET(x.AdminPrefix+AdminRouteListMessages, x.RedirectToAdminRoute(h.r))
-	public.GET(x.AdminPrefix+AdminRouteGetMessage, x.RedirectToAdminRoute(h.r))
+	public.GET(x.AdminPrefix+AdminRouteListMessages, redir.RedirectToAdminRoute(h.r))
+	public.GET(x.AdminPrefix+AdminRouteGetMessage, redir.RedirectToAdminRoute(h.r))
 }
 
 func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin) {

courier/http_channel.go

@@ -5,11 +5,8 @@ package courier
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 
-	"github.com/tidwall/gjson"
-
 	"github.com/pkg/errors"
 
 	"github.com/ory/kratos/courier/template"
@@ -22,7 +19,7 @@ import (
 type (
 	httpChannel struct {
 		id            string
-		requestConfig json.RawMessage
+		requestConfig *request.Config
 		d             channelDependencies
 	}
 	channelDependencies interface {
@@ -36,7 +33,7 @@ type (
 
 var _ Channel = new(httpChannel)
 
-func newHttpChannel(id string, requestConfig json.RawMessage, d channelDependencies) *httpChannel {
+func newHttpChannel(id string, requestConfig *request.Config, d channelDependencies) *httpChannel {
 	return &httpChannel{
 		id:            id,
 		requestConfig: requestConfig,
@@ -96,7 +93,7 @@ func (c *httpChannel) Dispatch(ctx context.Context, msg Message) (err error) {
 	}
 
 	logger := c.d.Logger().
-		WithField("http_server", gjson.GetBytes(c.requestConfig, "url").String()).
+		WithField("http_server", c.requestConfig.URL).
 		WithField("message_id", msg.ID).
 		WithField("message_nid", msg.NID).
 		WithField("message_type", msg.Type).

driver/config/config.go

@@ -18,30 +18,29 @@ import (
 	"testing"
 	"time"
 
-	"go.opentelemetry.io/otel/trace/noop"
-
-	"github.com/ory/x/crdbx"
-	"github.com/ory/x/pointerx"
-
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/gofrs/uuid"
 	"github.com/inhies/go-bytesize"
 	"github.com/pkg/errors"
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace/noop"
 	"golang.org/x/net/publicsuffix"
 
 	"github.com/ory/herodot"
 	"github.com/ory/jsonschema/v3"
 	"github.com/ory/jsonschema/v3/httploader"
 	"github.com/ory/kratos/embedx"
+	"github.com/ory/kratos/request"
 	"github.com/ory/x/configx"
 	"github.com/ory/x/contextx"
+	"github.com/ory/x/crdbx"
 	"github.com/ory/x/httpx"
 	"github.com/ory/x/jsonschemax"
 	"github.com/ory/x/logrusx"
 	"github.com/ory/x/otelx"
+	"github.com/ory/x/pointerx"
 	"github.com/ory/x/stringsx"
 	"github.com/ory/x/tlsx"
 	"github.com/ory/x/watcherx"
@@ -286,11 +285,10 @@ type (
 		PlainText string `json:"plaintext"`
 	}
 	CourierChannel struct {
-		ID               string          `json:"id" koanf:"id"`
-		Type             string          `json:"type" koanf:"type"`
-		SMTPConfig       *SMTPConfig     `json:"smtp_config" koanf:"smtp_config"`
-		RequestConfig    json.RawMessage `json:"request_config" koanf:"-"`
-		RequestConfigRaw map[string]any  `json:"-" koanf:"request_config"`
+		ID            string         `json:"id" koanf:"id"`
+		Type          string         `json:"type" koanf:"type"`
+		SMTPConfig    *SMTPConfig    `json:"smtp_config" koanf:"smtp_config"`
+		RequestConfig request.Config `json:"request_config" koanf:"request_config"`
 	}
 	SMTPConfig struct {
 		ConnectionURI  string            `json:"connection_uri" koanf:"connection_uri"`
@@ -302,8 +300,8 @@ type (
 		LocalName      string            `json:"local_name" koanf:"local_name"`
 	}
 	PasswordMigrationHook struct {
-		Enabled bool            `json:"enabled" koanf:"enabled"`
-		Config  json.RawMessage `json:"config" koanf:"config"`
+		Enabled bool           `json:"enabled" koanf:"enabled"`
+		Config  request.Config `json:"config" koanf:"config"`
 	}
 	Config struct {
 		l                  *logrusx.Logger
@@ -1238,17 +1236,6 @@ func (p *Config) CourierChannels(ctx context.Context) (ccs []*CourierChannel, _
 	if err := p.GetProvider(ctx).Koanf.Unmarshal(ViperKeyCourierChannels, &ccs); err != nil {
 		return nil, errors.WithStack(err)
 	}
-	if len(ccs) != 0 {
-		for _, c := range ccs {
-			if c.RequestConfigRaw != nil {
-				var err error
-				c.RequestConfig, err = json.Marshal(c.RequestConfigRaw)
-				if err != nil {
-					return nil, errors.WithStack(err)
-				}
-			}
-		}
-	}
 
 	// load legacy configs
 	channel := CourierChannel{
@@ -1260,9 +1247,7 @@ func (p *Config) CourierChannels(ctx context.Context) (ccs []*CourierChannel, _
 			return nil, errors.WithStack(err)
 		}
 	} else {
-		var err error
-		channel.RequestConfig, err = json.Marshal(p.GetProvider(ctx).Get(ViperKeyCourierHTTPRequestConfig))
-		if err != nil {
+		if err := p.GetProvider(ctx).Koanf.Unmarshal(ViperKeyCourierHTTPRequestConfig, &channel.RequestConfig); err != nil {
 			return nil, errors.WithStack(err)
 		}
 	}
@@ -1687,7 +1672,7 @@ func (p *Config) PasswordMigrationHook(ctx context.Context) *PasswordMigrationHo
 		return hook
 	}
 
-	hook.Config, _ = json.Marshal(p.GetProvider(ctx).Get(ViperKeyPasswordMigrationHook + ".config"))
+	_ = p.GetProvider(ctx).Unmarshal(ViperKeyPasswordMigrationHook+".config", &hook.Config)
 
 	return hook
 }

driver/registry.go

@@ -31,6 +31,7 @@ import (
 	password2 "github.com/ory/kratos/selfservice/strategy/password"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/x"
+	"github.com/ory/kratos/x/nosurfx"
 	"github.com/ory/nosurf"
 	"github.com/ory/x/contextx"
 	"github.com/ory/x/dbal"
@@ -51,7 +52,7 @@ type Registry interface {
 	WithJsonnetVMProvider(jsonnetsecure.VMProvider) Registry
 
 	WithCSRFHandler(c nosurf.Handler)
-	WithCSRFTokenGenerator(cg x.CSRFToken)
+	WithCSRFTokenGenerator(cg nosurfx.CSRFToken)
 
 	MetricsHandler() *prometheus.Handler
 	HealthHandler(ctx context.Context) *healthx.Handler
@@ -70,7 +71,7 @@ type Registry interface {
 	WithConfig(c *config.Config) Registry
 	WithContextualizer(ctxer contextx.Contextualizer) Registry
 
-	x.CSRFProvider
+	nosurfx.CSRFProvider
 	x.WriterProvider
 	x.LoggingProvider
 	x.HTTPClientProvider
@@ -151,7 +152,7 @@ type Registry interface {
 	recovery.HandlerProvider
 	recovery.StrategyProvider
 
-	x.CSRFTokenGeneratorProvider
+	nosurfx.CSRFTokenGeneratorProvider
 }
 
 func NewRegistryFromDSN(ctx context.Context, c *config.Config, l *logrusx.Logger) (Registry, error) {

driver/registry_default.go

@@ -12,6 +12,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/x/nosurfx"
+
 	"github.com/lestrrat-go/jwx/jwk"
 
 	"github.com/ory/kratos/selfservice/strategy/idfirst"
@@ -157,7 +159,7 @@ type RegistryDefault struct {
 	buildHash    string
 	buildDate    string
 
-	csrfTokenGenerator x.CSRFToken
+	csrfTokenGenerator nosurfx.CSRFToken
 
 	jsonnetVMProvider jsonnetsecure.VMProvider
 	jsonnetPool       jsonnetsecure.Pool
@@ -830,13 +832,13 @@ func (m *RegistryDefault) Ping() error {
 	return m.persister.Ping(context.Background())
 }
 
-func (m *RegistryDefault) WithCSRFTokenGenerator(cg x.CSRFToken) {
+func (m *RegistryDefault) WithCSRFTokenGenerator(cg nosurfx.CSRFToken) {
 	m.csrfTokenGenerator = cg
 }
 
 func (m *RegistryDefault) GenerateCSRFToken(r *http.Request) string {
 	if m.csrfTokenGenerator == nil {
-		m.csrfTokenGenerator = x.DefaultCSRFToken
+		m.csrfTokenGenerator = nosurfx.DefaultCSRFToken
 	}
 	return m.csrfTokenGenerator(r)
 }

driver/registry_default_hooks.go

@@ -4,7 +4,13 @@
 package driver
 
 import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/pkg/errors"
+
 	"github.com/ory/kratos/driver/config"
+	"github.com/ory/kratos/request"
 	"github.com/ory/kratos/selfservice/hook"
 )
 
@@ -57,44 +63,61 @@ func (m *RegistryDefault) WithExtraHandlers(handlers []NewHandlerRegistrar) {
 	m.extraHandlerFactories = handlers
 }
 
-func (m *RegistryDefault) getHooks(credentialsType string, configs []config.SelfServiceHook) (i []interface{}) {
+func getHooks[T any](m *RegistryDefault, credentialsType string, configs []config.SelfServiceHook) ([]T, error) {
+	hooks := make([]T, 0, len(configs))
+
 	var addSessionIssuer bool
+allHooksLoop:
 	for _, h := range configs {
 		switch h.Name {
 		case hook.KeySessionIssuer:
 			// The session issuer hook always needs to come last.
 			addSessionIssuer = true
 		case hook.KeySessionDestroyer:
-			i = append(i, m.HookSessionDestroyer())
+			if h, ok := any(m.HookSessionDestroyer()).(T); ok {
+				hooks = append(hooks, h)
+			}
 		case hook.KeyWebHook:
-			i = append(i, hook.NewWebHook(m, h.Config))
+			cfg := request.Config{}
+			if err := json.Unmarshal(h.Config, &cfg); err != nil {
+				m.l.WithError(err).WithField("raw_config", string(h.Config)).Error("failed to unmarshal hook configuration, ignoring hook")
+				return nil, errors.WithStack(fmt.Errorf("failed to unmarshal webhook configuration for %s: %w", credentialsType, err))
+			}
+			if h, ok := any(hook.NewWebHook(m, &cfg)).(T); ok {
+				hooks = append(hooks, h)
+			}
 		case hook.KeyAddressVerifier:
-			i = append(i, m.HookAddressVerifier())
+			if h, ok := any(m.HookAddressVerifier()).(T); ok {
+				hooks = append(hooks, h)
+			}
 		case hook.KeyVerificationUI:
-			i = append(i, m.HookShowVerificationUI())
+			if h, ok := any(m.HookShowVerificationUI()).(T); ok {
+				hooks = append(hooks, h)
+			}
 		case hook.KeyVerifier:
-			i = append(i, m.HookVerifier())
+			if h, ok := any(m.HookVerifier()).(T); ok {
+				hooks = append(hooks, h)
+			}
 		default:
-			var found bool
 			for name, m := range m.injectedSelfserviceHooks {
 				if name == h.Name {
-					i = append(i, m(h))
-					found = true
-					break
+					if h, ok := m(h).(T); ok {
+						hooks = append(hooks, h)
+					}
+					continue allHooksLoop
 				}
 			}
-			if found {
-				continue
-			}
 			m.l.
 				WithField("for", credentialsType).
 				WithField("hook", h.Name).
 				Warn("A configuration for a non-existing hook was found and will be ignored.")
 		}
 	}
 	if addSessionIssuer {
-		i = append(i, m.HookSessionIssuer())
+		if h, ok := any(m.HookSessionIssuer()).(T); ok {
+			hooks = append(hooks, h)
+		}
 	}
 
-	return i
+	return hooks, nil
 }