Resolve broken tests (#262)

CHANGELOG.md

@@ -1218,7 +1218,7 @@
 - Return arrays instead of null on rule creation Add circleci configuration file
   Add circleci configuration file
 
-  ##  circleci co
+  ## circleci co
 
 - Add circleci configuration file
 

README.md

@@ -317,7 +317,8 @@ Howard Edidin, Ken Adler Oz Haven, Stefan Hans, TheCrealm
 ## Sponsors
 
 Support this project by becoming a sponsor. Your logo will show up here with a
-link to your website. [a href="ctive.com/ory/sponsor/0/website" target="_blank""
+link to your website. [a href="ctive.com/ory/sponsor/0/website"
+target="\_blank""
 
 ]
 

UPGRADE.md

@@ -8,7 +8,6 @@ before finalizing the upgrade process.
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
-
 - [master](#master)
 - [v0.19.0-beta.1+oryOS.13](#v0190-beta1oryos13)
   - [Config changes](#config-changes)
@@ -49,16 +48,19 @@ before finalizing the upgrade process.
 
 ### Config changes
 
-This release homogenizes all configuration settings. Previously all handlers (mutators, authenticators, and authorizers)
-had two different types of config: global and per access rule.
+This release homogenizes all configuration settings. Previously all handlers
+(mutators, authenticators, and authorizers) had two different types of config:
+global and per access rule.
 
-With this release, all handlers have the same configuration for global and per access rule. For example, the `id_token`
-handler requires the `issuer_url`. Previously, this value was only configurable in the global config. Now, it
-can be set on a per rule basis as well as globally. The global config will always be used as a fallback when no
-access rule specific configuration is set.
+With this release, all handlers have the same configuration for global and per
+access rule. For example, the `id_token` handler requires the `issuer_url`.
+Previously, this value was only configurable in the global config. Now, it can
+be set on a per rule basis as well as globally. The global config will always be
+used as a fallback when no access rule specific configuration is set.
 
-For this to work, the ORY Oathkeeper configuration file has changed when it comes to mutators, authenticaotrs, and
-authorizers. Instead of defining the config at the same level as the `enabled` flag, it is now nested in a subkey
+For this to work, the ORY Oathkeeper configuration file has changed when it
+comes to mutators, authenticaotrs, and authorizers. Instead of defining the
+config at the same level as the `enabled` flag, it is now nested in a subkey
 "config":
 
 ```
@@ -76,8 +78,9 @@ authorizers:
 
 ### Hydrator Mutator
 
-The Hydrator mutator has two configuration keys `api.retry.number` and `api.retry.delayInMilliseconds`. These have
-been renamed for consistency reasons to: `api.retry.number_of_retries` and `api.retry.delay_in_milliseconds`.
+The Hydrator mutator has two configuration keys `api.retry.number` and
+`api.retry.delayInMilliseconds`. These have been renamed for consistency reasons
+to: `api.retry.number_of_retries` and `api.retry.delay_in_milliseconds`.
 
 ## v0.18.0-beta.1+oryOS.12
 

api/credential.go

@@ -79,7 +79,7 @@ func (h *CredentialsHandler) wellKnown(w http.ResponseWriter, r *http.Request, _
 }
 
 func (h *CredentialsHandler) jwksURLs() ([]url.URL, error) {
-	t := map[url.URL]bool{}
+	t := map[string]bool{}
 	for _, u := range h.c.JSONWebKeyURLs() {
 		t[u] = true
 	}
@@ -92,22 +92,21 @@ func (h *CredentialsHandler) jwksURLs() ([]url.URL, error) {
 		for _, m := range r.Mutators {
 			if m.Handler == new(mutate.MutatorIDToken).GetID() {
 				u := gjson.GetBytes(m.Config, "jwks_url").String()
-				if len(u) == 0 {
-					continue
+				if len(u) > 0 {
+					t[u] = true
 				}
-				uu, err := url.Parse(u)
-				if err != nil {
-					return nil, err
-				}
-				t[*uu] = true
 			}
 		}
 	}
 
 	result := make([]url.URL, len(t))
 	i := 0
 	for u := range t {
-		result[i] = u
+		uu, err := url.Parse(u)
+		if err != nil {
+			return nil, err
+		}
+		result[i] = *uu
 		i++
 	}
 

driver/configuration/provider.go

@@ -34,7 +34,7 @@ type Provider interface {
 
 	ToScopeStrategy(value string, key string) fosite.ScopeStrategy
 	ParseURLs(sources []string) ([]url.URL, error)
-	JSONWebKeyURLs() []url.URL
+	JSONWebKeyURLs() []string
 }
 
 type ProviderAuthenticators interface {

driver/configuration/provider_viper.go

@@ -59,7 +59,7 @@ const (
 	ViperKeyMutatorHydratorIsEnabled = "mutators.hydrator.enabled"
 
 	ViperKeyMutatorIDTokenIsEnabled = "mutators.id_token.enabled"
-	ViperKeyMutatorIDTokenJWKSURL   = "mutators.id_token.jwks_url"
+	ViperKeyMutatorIDTokenJWKSURL   = "mutators.id_token.config.jwks_url"
 )
 
 // Authenticators
@@ -284,6 +284,6 @@ func (v *ViperProvider) MutatorConfig(id string, override json.RawMessage, dest
 	return v.PipelineConfig("mutators", id, override, dest)
 }
 
-func (v *ViperProvider) JSONWebKeyURLs() []url.URL {
-	return []url.URL{*v.getURL(viperx.GetString(v.l, ViperKeyMutatorIDTokenJWKSURL, ""), ViperKeyMutatorIDTokenJWKSURL)}
+func (v *ViperProvider) JSONWebKeyURLs() []string {
+	return viperx.GetStringSlice(v.l, ViperKeyMutatorIDTokenJWKSURL, []string{})
 }

driver/configuration/provider_viper_public_test.go

@@ -61,6 +61,21 @@ func TestPipelineConfig(t *testing.T) {
 		assert.Equal(t, "http://override-url/foo", dec.Api.URL)
 		assert.Equal(t, 15, dec.Api.Retry.NumberOfRetries)
 	})
+
+	t.Run("case=should pass array values", func(t *testing.T) {
+		var dec authn.AuthenticatorOAuth2JWTConfiguration
+		require.NoError(t, p.PipelineConfig("authenticators", "jwt", json.RawMessage(`{}`), &dec))
+		assert.Equal(t,
+			[]string{"https://my-website.com/.well-known/jwks.json", "https://my-other-website.com/.well-known/jwks.json", "file://path/to/local/jwks.json"},
+			dec.JWKSURLs,
+		)
+
+		require.NoError(t, p.PipelineConfig("authenticators", "jwt", json.RawMessage(`{"jwks_urls":["http://foo"]}`), &dec))
+		assert.Equal(t,
+			[]string{"http://foo"},
+			dec.JWKSURLs,
+		)
+	})
 }
 
 func TestViperProvider(t *testing.T) {

pipeline/authn/authenticator_jwt.go

@@ -1,7 +1,6 @@
 package authn
 
 import (
-	"bytes"
 	"encoding/json"
 	"net/http"
 
@@ -68,20 +67,14 @@ func (a *AuthenticatorJWT) Config(config json.RawMessage) (*AuthenticatorOAuth2J
 }
 
 func (a *AuthenticatorJWT) Authenticate(r *http.Request, config json.RawMessage, _ pipeline.Rule) (*AuthenticationSession, error) {
-	var cf AuthenticatorOAuth2JWTConfiguration
 	token := helper.BearerTokenFromRequest(r)
 	if token == "" {
 		return nil, errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
-	if len(config) == 0 {
-		config = []byte("{}")
-	}
-
-	d := json.NewDecoder(bytes.NewBuffer(config))
-	d.DisallowUnknownFields()
-	if err := d.Decode(&cf); err != nil {
-		return nil, errors.WithStack(err)
+	cf, err := a.Config(config)
+	if err != nil {
+		return nil, err
 	}
 
 	if len(cf.AllowedAlgorithms) == 0 {

pipeline/authn/authenticator_oauth2_client_credentials.go

@@ -1,7 +1,6 @@
 package authn
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
@@ -10,9 +9,10 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/ory/oathkeeper/driver/configuration"
-	"github.com/ory/oathkeeper/pipeline"
 	"github.com/ory/x/httpx"
 
+	"github.com/ory/oathkeeper/pipeline"
+
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/clientcredentials"
 
@@ -55,23 +55,16 @@ func (a *AuthenticatorOAuth2ClientCredentials) Config(config json.RawMessage) (*
 }
 
 func (a *AuthenticatorOAuth2ClientCredentials) Authenticate(r *http.Request, config json.RawMessage, _ pipeline.Rule) (*AuthenticationSession, error) {
-	var cf AuthenticatorOAuth2Configuration
-	if len(config) == 0 {
-		config = []byte("{}")
-	}
-
-	d := json.NewDecoder(bytes.NewBuffer(config))
-	d.DisallowUnknownFields()
-	if err := d.Decode(&cf); err != nil {
-		return nil, errors.WithStack(err)
+	cf, err := a.Config(config)
+	if err != nil {
+		return nil, err
 	}
 
 	user, password, ok := r.BasicAuth()
 	if !ok {
 		return nil, errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
-	var err error
 	user, err = url.QueryUnescape(user)
 	if err != nil {
 		return nil, errors.Wrapf(helper.ErrUnauthorized, err.Error())

pipeline/authn/authenticator_oauth2_client_credentials_test.go

@@ -78,7 +78,7 @@ func TestAuthenticatorOAuth2ClientCredentials(t *testing.T) {
 		{
 			r:         &http.Request{Header: http.Header{}},
 			expectErr: authn.ErrAuthenticatorNotResponsible,
-			config:    json.RawMessage(`{"token_url":""}`),
+			config:    json.RawMessage(`{"token_url":"http://foo"}`),
 		},
 		{
 			r:         authInvalid,

pipeline/authn/authenticator_oauth2_introspection.go

@@ -1,7 +1,6 @@
 package authn
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -66,16 +65,9 @@ type AuthenticatorOAuth2IntrospectionResult struct {
 
 func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, config json.RawMessage, _ pipeline.Rule) (*AuthenticationSession, error) {
 	var i AuthenticatorOAuth2IntrospectionResult
-	var cf AuthenticatorOAuth2IntrospectionConfiguration
-
-	if len(config) == 0 {
-		config = []byte("{}")
-	}
-
-	d := json.NewDecoder(bytes.NewBuffer(config))
-	d.DisallowUnknownFields()
-	if err := d.Decode(&cf); err != nil {
-		return nil, errors.WithStack(err)
+	cf, err := a.Config(config)
+	if err != nil {
+		return nil, err
 	}
 
 	token := helper.BearerTokenFromRequest(r)

test/e2e/config.yml

@@ -7,7 +7,7 @@ mutators:
     enabled: true
     config:
       issuer_url: https://my-oathkeeper/
-     jwks_url: file://./jwks-idt.json
+      jwks_url: file://./jwks-idt.json
 
 authorizers:
   allow: