Merge branch 'master' into feat-rules-schema

Dockerfile-alpine → .docker/Dockerfile-alpine

@@ -1,15 +1,15 @@
-# To compile this image manually run:
-#
-# $ make docker
-FROM alpine:3.17.2
+FROM alpine:3.18.2
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
-RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates
+RUN apk --no-cache --update-cache --upgrade add ca-certificates
 
 COPY oathkeeper /usr/bin/oathkeeper
 
 USER ory
 
+EXPOSE 4455
+EXPOSE 4456
+
 ENTRYPOINT ["oathkeeper"]
 CMD ["serve"]

.docker/Dockerfile-build

@@ -0,0 +1,29 @@
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.20-bullseye AS builder
+
+WORKDIR /go/src/github.com/ory/oathkeeper
+
+RUN apt-get update && apt-get upgrade -y
+
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+ENV CGO_ENABLED 0
+ENV GO111MODULE on
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o /usr/bin/oathkeeper .
+
+#########################
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
+
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["serve"]

.docker/Dockerfile-distroless-static

@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
+EXPOSE 4455 4456
+
+ENTRYPOINT ["oathkeeper"]
+CMD ["oathkeeper"]

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -24,15 +24,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: "A clear and concise description of what the bug is."
       label: "Describe the bug"

.github/ISSUE_TEMPLATE/DESIGN-DOC.yml

@@ -35,15 +35,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: |
         This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -28,15 +28,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description:
         "Is your feature request related to a problem? Please describe."

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
       - uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: "1.20"
       - run: go list -json > go.list
       - name: Run nancy
         uses: sonatype-nexus-community/nancy-github-action@v1.0.2
@@ -47,7 +47,7 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.47.3
+          version: v1.52.2
           skip-go-installation: true
           skip-pkg-cache: true
       - name: Run go-acc (tests)
@@ -63,21 +63,15 @@ jobs:
     name: Run tests
     strategy:
       matrix:
-        name: ["reload", "e2e", "forwarded-header"]
+        name: ["reload", "e2e", "forwarded-header", "bearer-token"]
     needs:
       - sdk-generate
     steps:
       - uses: ory/ci/checkout@master
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.19"
-      - uses: actions/cache@v2
-        with:
-          path: ~/go/bin/oathkeeper
-          key: oathkeeper-${{ hashFiles('~/go/bin/oathkeeper') }}
+          go-version: "1.20"
       - run: |
-          make install
-          go version -m $(which oathkeeper) | grep "\w*build"
           ./test/${{ matrix.name }}/run.sh
 
   docs-cli:

.github/workflows/cve-scan.yaml

@@ -14,74 +14,71 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Build images
         shell: bash
         run: |
-          touch oathkeeper
-          DOCKER_BUILDKIT=1 docker build -t oryd/oathkeeper:${{ steps.vars.outputs.sha_short }} --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} .
-          DOCKER_BUILDKIT=1 docker build -t oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }} --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -f Dockerfile-alpine .
-          rm oathkeeper
+          IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
         id: grype-scan
         with:
-          image: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           fail-build: true
           severity-cutoff: high
-          debug: false
-          acs-report-enable: true
-      - name: Anchore Scanner
-        uses: anchore/scan-action@v3
-        id: grype-scan-alpine
-        with:
-          image: oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }}
-          fail-build: true
-          severity-cutoff: high
-          debug: false
-          acs-report-enable: true
+          add-cpes-if-none: true
       - name: Inspect action SARIF report
         shell: bash
         if: ${{ always() }}
         run: |
           echo "::group::Anchore Scan Details"
           jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }}
-          jq '.runs[0].results' ${{ steps.grype-scan-alpine.outputs.sarif }}
           echo "::endgroup::"
-      - name: Trivy Scanner
-        uses: aquasecurity/trivy-action@master
-        if: ${{ always() }}
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          image-ref: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
-          format: "table"
-          exit-code: "42"
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: "CRITICAL,HIGH"
-      - name: Trivy Scanner 2
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/oathkeeper:alpine-${{ steps.vars.outputs.sha_short }}
+          image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+          scanners: "vuln,secret,config"
       - name: Dockle Linter
         uses: erzz/dockle-action@v1.3.2
         if: ${{ always() }}
         with:
-          image: oryd/oathkeeper:${{ steps.vars.outputs.sha_short }}
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
           exit-code: 42
-          failure-threshold: fatal
+          failure-threshold: high
+      - name: Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        id: hadolint
+        if: ${{ always() }}
+        with:
+          dockerfile: .docker/Dockerfile-build
+          verbose: true
+          format: "json"
+          failure-threshold: "error"
+      - name: View Hadolint results
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          echo "::group::Hadolint Scan Details"
+          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "::endgroup::"

.github/workflows/format.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: "1.20"
       - run: make format
       - name: Indicate formatting issues
         run: git diff HEAD --exit-code --color

.github/workflows/licenses.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.19"
+          go-version: "1.20"
       - uses: actions/setup-node@v2
         with:
           node-version: "18"

.goreleaser.yml

@@ -17,6 +17,7 @@ variables:
   buildinfo_hash: "github.com/ory/oathkeeper/x.Commit"
   buildinfo_tag: "github.com/ory/oathkeeper/x.Version"
   buildinfo_date: "github.com/ory/oathkeeper/x.Date"
-  dockerfile: "./Dockerfile-alpine"
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"
 
 project_name: oathkeeper

.prettierignore

@@ -0,0 +1 @@
+.schema/version.schema.json