From 6d271649434f322137ecf5c67e9ba6510980e9c1 Mon Sep 17 00:00:00 2001 From: Mangaal Date: Thu, 30 Apr 2026 15:52:18 +0530 Subject: [PATCH 1/8] fix CVE-2026-32282 Signed-off-by: Mangaal --- .github/workflows/ci.yaml | 4 ++-- Dockerfile | 2 +- go.mod | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f24ad2809c..8613bf7d7b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -71,7 +71,7 @@ jobs: - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version: "1.24" + go-version: "1.26.2" - name: Download tool dependencies run: make deps @@ -142,7 +142,7 @@ jobs: - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version: "1.24" + go-version: "1.26.2" - name: Download golangci-lint run: make bin/golangci-lint diff --git a/Dockerfile b/Dockerfile index 3ebb8f9353..887ec9b23d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_IMAGE=alpine FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx -FROM --platform=$BUILDPLATFORM golang:1.24.3-alpine3.20@sha256:9f98e9893fbc798c710f3432baa1e0ac6127799127c3101d2c263c3a954f0abe AS builder +FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.22 AS builder COPY --from=xx / / diff --git a/go.mod b/go.mod index ee51dde597..f7f8a2bd57 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,8 @@ module github.com/dexidp/dex go 1.24.0 +toolchain go1.26.2 + require ( cloud.google.com/go/compute/metadata v0.7.0 entgo.io/ent v0.14.4 From e3ac51acbd59fbed5ba5498025899b8b286a8e34 Mon Sep 17 00:00:00 2001 From: Mangaal Date: Thu, 30 Apr 2026 18:50:22 +0530 Subject: [PATCH 2/8] fix cve by upgrading go version to go1.25.9 Signed-off-by: Mangaal --- .github/workflows/ci.yaml | 4 ++-- Dockerfile | 2 +- go.mod | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
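Review bot: The builder image loses its digest pin in the Dockerfile hunk: the old `FROM` line carried `@sha256:9f98e9…`, while the new `FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.22 AS builder` is tag-only, so the image actually built depends on whatever the tag points to on the day the workflow runs. Patch 4/8 later in this series adds a digest for the 1.25.9 image, but every revision between here and there builds from a mutable tag, which is the opposite of what a CVE-fix commit wants. Carry the digest in the same commit as the tag change, `FROM --platform=$BUILDPLATFORM golang:<tag>@sha256:<digest> AS builder`, so the toolchain bump is reproducible and the trivy scan in artifacts.yaml is scanning what was shipped.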
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8613bf7d7b..4f4ebce510 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -71,7 +71,7 @@ jobs: - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version: "1.26.2" + go-version: "1.25.9" - name: Download tool dependencies run: make deps @@ -142,7 +142,7 @@ jobs: - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: - go-version: "1.26.2" + go-version: "1.25.9" - name: Download golangci-lint run: make bin/golangci-lint diff --git a/Dockerfile b/Dockerfile index 887ec9b23d..ae6b53a496 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_IMAGE=alpine FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx -FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.22 AS builder +FROM --platform=$BUILDPLATFORM golang:1.25.9-alpine3.22 AS builder COPY --from=xx / / diff --git a/go.mod b/go.mod index f7f8a2bd57..d6cfb7faf9 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/dexidp/dex go 1.24.0 -toolchain go1.26.2 +toolchain go1.25.9 require ( cloud.google.com/go/compute/metadata v0.7.0 From 4f9b7bf1230f427d18c42d90acb6e1538ec0475a Mon Sep 17 00:00:00 2001 From: Mangaal Date: Mon, 4 May 2026 15:22:27 +0530 Subject: [PATCH 3/8] fix lint issue Signed-off-by: Mangaal --- .golangci.yml | 190 +++++++++--------- Makefile | 2 +- .../atlassiancrowd/atlassiancrowd_test.go | 8 +- server/oauth2.go | 16 +- server/rotation.go | 2 +- storage/conformance/conformance.go | 2 +- storage/kubernetes/lock.go | 6 +- storage/kubernetes/storage.go | 32 +-- storage/kubernetes/types.go | 12 +- 9 files changed, 140 insertions(+), 130 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index d54dcb183f..d086a606f6 100644 --- a/.golangci.yml +++ b/.golangci.yml 
@@ -1,97 +1,107 @@ -run: - timeout: 4m - -linters-settings: - depguard: - rules: - deprecated: - deny: - - pkg: "io/ioutil" - desc: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead." - gci: - sections: - - standard - - default - - prefix(github.com/dexidp/dex) - goimports: - local-prefixes: github.com/dexidp/dex - +version: "2" linters: - disable-all: true - enable: - - depguard - - dogsled - - exhaustive - - gci - - gochecknoinits - - gocritic - - gofmt - - gofumpt - - goimports - - goprintffuncname - - gosimple - - govet - - ineffassign - - misspell - - nakedret - - nolintlint - - prealloc - # - revive - # - sqlclosecheck - - staticcheck - - stylecheck - - unconvert - - unused - - whitespace + default: none + enable: + - depguard + - dogsled + - exhaustive + - gochecknoinits + - gocritic + - goprintffuncname + - govet + - ineffassign + - misspell + - nakedret + - nolintlint + - prealloc + - staticcheck + - unconvert + - unused + - whitespace - # Disable temporarily until everything works with Go 1.20 - # - bodyclose - # - rowserrcheck - # - tparallel - # - unparam + # Disable temporarily until everything works with Go 1.20 + # - bodyclose + # - rowserrcheck + # - tparallel + # - unparam - # Disable temporarily until everything works with Go 1.18 - - typecheck + # Disable temporarily until the following issue is resolved: + # https://github.com/golangci/golangci-lint/issues/3086 + - sqlclosecheck - # Disable temporarily until the following issue is resolved: https://github.com/golangci/golangci-lint/issues/3086 - # - sqlclosecheck + # TODO: fix linter errors before enabling + # - exhaustivestruct + # - gochecknoglobals + # - errorlint + # - gocognit + # - godot + # - nlreturn + # - noctx + # - revive + # - wrapcheck - # TODO: fix linter errors before enabling - # - exhaustivestruct - # - gochecknoglobals - # - errorlint - # - gocognit - # - godot - # - nlreturn - # - noctx - # - revive - # - wrapcheck + # TODO: fix linter 
errors before enabling (from original config) + # - dupl + # - errcheck + # - goconst + # - gocyclo + # - gosec + # - lll + # - scopelint - # TODO: fix linter errors before enabling (from original config) - # - dupl - # - errcheck - # - goconst - # - gocyclo - # - gosec - # - lll - # - scopelint + # unused + # - goheader + # - gomodguard - # unused - # - goheader - # - gomodguard - - # don't enable: - # - asciicheck - # - funlen - # - godox - # - goerr113 - # - gomnd - # - interfacer - # - maligned - # - nestif - # - testpackage - # - wsl - -issues: - exclude-dirs: - - storage/ent/db # generated ent code + # don't enable: + # - asciicheck + # - funlen + # - godox + # - goerr113 + # - gomnd + # - interfacer + # - maligned + # - nestif + # - testpackage + # - wsl + settings: + depguard: + rules: + deprecated: + deny: + - pkg: io/ioutil + desc: The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead. + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - storage/ent/db + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - gci + - gofmt + - gofumpt + - goimports + settings: + gci: + sections: + - standard + - default + - prefix(github.com/dexidp/dex) + goimports: + local-prefixes: + - github.com/dexidp/dex + exclusions: + generated: lax + paths: + - storage/ent/db + - third_party$ + - builtin$ + - examples$ diff --git a/Makefile b/Makefile index 349dbc578c..20d41e7488 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ export GOBIN=$(PWD)/bin LD_FLAGS="-w -X main.version=$(VERSION)" # Dependency versions -GOLANGCI_VERSION = 1.64.5 +GOLANGCI_VERSION = 2.10.1 GOTESTSUM_VERSION ?= 1.12.0 PROTOC_VERSION = 29.3 diff --git a/connector/atlassiancrowd/atlassiancrowd_test.go b/connector/atlassiancrowd/atlassiancrowd_test.go index 9471fb80c0..d2970bb23c 100644 --- a/connector/atlassiancrowd/atlassiancrowd_test.go 
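Review bot: The v2 migration of .golangci.yml drops `run: timeout: 4m` without replacing it, and as I read the v2 defaults a missing `run.timeout` means no timeout at all, so a wedged linter now holds the CI job until the runner's own limit. Patch 6/8 re-adds `run: timeout: 5m`; it belongs in this commit so no intermediate revision runs unbounded. Also note that with `default: none` the only error-handling coverage is whatever `staticcheck` provides, since `errcheck` and `gosec` stay commented out in the TODO list, which is the pre-existing state but is worth a second look for a token-issuing service.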
+++ b/connector/atlassiancrowd/atlassiancrowd_test.go @@ -124,19 +124,19 @@ func TestIdentityFromCrowdUser(t *testing.T) { // unset expectEquals(t, i.PreferredUsername, "") - c.Config.PreferredUsernameField = "key" + c.PreferredUsernameField = "key" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "12345") - c.Config.PreferredUsernameField = "name" + c.PreferredUsernameField = "name" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "testuser") - c.Config.PreferredUsernameField = "email" + c.PreferredUsernameField = "email" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "testuser@example.com") - c.Config.PreferredUsernameField = "invalidstring" + c.PreferredUsernameField = "invalidstring" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "") } diff --git a/server/oauth2.go b/server/oauth2.go index 18cc3dd46d..5401000fc0 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -402,16 +402,16 @@ func (s *Server) newIDToken(ctx context.Context, clientID string, claims storage } for _, scope := range scopes { - switch { - case scope == scopeEmail: + switch scope { + case scopeEmail: tok.Email = claims.Email tok.EmailVerified = &claims.EmailVerified - case scope == scopeGroups: + case scopeGroups: tok.Groups = claims.Groups - case scope == scopeProfile: + case scopeProfile: tok.Name = claims.Username tok.PreferredUsername = claims.PreferredUsername - case scope == scopeFederatedID: + case scopeFederatedID: tok.FederatedIDClaims = &federatedIDClaims{ ConnectorID: connID, UserID: claims.UserID, 
@@ -518,7 +518,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques if codeChallengeMethod != codeChallengeMethodS256 && codeChallengeMethod != codeChallengeMethodPlain { description := fmt.Sprintf("Unsupported PKCE challenge method (%q).", codeChallengeMethod) - return nil, newRedirectedErr(errInvalidRequest, description) + return nil, newRedirectedErr(errInvalidRequest, "%s", description) } var ( @@ -602,7 +602,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques if rt.token { if redirectURI == redirectURIOOB { err := fmt.Sprintf("Cannot use response type 'token' with redirect_uri '%s'.", redirectURIOOB) - return nil, newRedirectedErr(errInvalidRequest, err) + return nil, newRedirectedErr(errInvalidRequest, "%s", err) } } @@ -720,7 +720,7 @@ func (s *storageKeySet) VerifySignature(ctx context.Context, jwt string) (payloa break } - skeys, err := s.Storage.GetKeys(ctx) + skeys, err := s.GetKeys(ctx) if err != nil { return nil, err } diff --git a/server/rotation.go b/server/rotation.go index 286b4b57af..49ba7f27f6 100644 --- a/server/rotation.go +++ b/server/rotation.go @@ -128,7 +128,7 @@ func (k keyRotator) rotate() error { } var nextRotation time.Time - err = k.Storage.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) { + err = k.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) { tNow := k.now() // if you are running multiple instances of dex, another instance diff --git a/storage/conformance/conformance.go b/storage/conformance/conformance.go index 58ae3d958d..c3f22be82a 100644 --- a/storage/conformance/conformance.go +++ b/storage/conformance/conformance.go 
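Review bot: Passing `"%s", description` at the PKCE-method check is the right change if `newRedirectedErr` is printf-style, which the added `%s` suggests: `codeChallengeMethod` comes from the request and `%q` quoting does not neutralize `%` verbs inside it, so the previous form let a request parameter act as the format string and could emit `%!s(MISSING)`-style text in the error redirect. The intermediate `fmt.Sprintf` is now redundant, though; `return nil, newRedirectedErr(errInvalidRequest, "Unsupported PKCE challenge method (%q).", codeChallengeMethod)` does the same in one step. In the `response_type=token` hunk the message is built only from the constant `redirectURIOOB`, so there the `"%s"` is purely lint appeasement and could likewise be folded into a direct format call. `parseAuthorizationRequest` begins and ends outside these hunks.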
@@ -508,7 +508,7 @@ func testPasswordCRUD(t *testing.T, s storage.Storage) { password1.Username = "jane doe" getAndCompare("jane@example.com", password1) - var passwordList []storage.Password + passwordList := make([]storage.Password, 0, 2) passwordList = append(passwordList, password1, password2) listAndCompare := func(want []storage.Password) { diff --git a/storage/kubernetes/lock.go b/storage/kubernetes/lock.go index c67380dcc0..ddb3499751 100644 --- a/storage/kubernetes/lock.go +++ b/storage/kubernetes/lock.go @@ -58,7 +58,7 @@ func (l *refreshTokenLock) Unlock(id string) { } r.Annotations = nil - err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) + err = l.cli.put(resourceRefreshToken, r.Name, r) if err != nil { l.cli.logger.Debug("failed to release lock for refresh token", "token_id", id, "err", err) } @@ -82,7 +82,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) { } r.Annotations = lockData - err := l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) + err := l.cli.put(resourceRefreshToken, r.Name, r) if err == nil { return false, nil } @@ -108,7 +108,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) { // Lock time is out, lets break the lock and take the advantage r.Annotations = lockData - err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) + err = l.cli.put(resourceRefreshToken, r.Name, r) if err == nil { // break lock annotation return false, nil diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go index eae5b7a6de..2bc9115095 100644 --- a/storage/kubernetes/storage.go +++ b/storage/kubernetes/storage.go 
@@ -155,16 +155,16 @@ func (cli *client) registerCustomResources() (ok bool) { r := definitions[i] var i interface{} - cli.logger.Info("checking if custom resource has already been created...", "object", r.ObjectMeta.Name) + cli.logger.Info("checking if custom resource has already been created...", "object", r.Name) if err := cli.listN(r.Spec.Names.Plural, &i, 1); err == nil { - cli.logger.Info("the custom resource already available, skipping create", "object", r.ObjectMeta.Name) + cli.logger.Info("the custom resource already available, skipping create", "object", r.Name) continue } else { - cli.logger.Info("failed to list custom resource, attempting to create", "object", r.ObjectMeta.Name, "err", err) + cli.logger.Info("failed to list custom resource, attempting to create", "object", r.Name, "err", err) } err = cli.postResource(cli.crdAPIVersion, "", "customresourcedefinitions", r) - resourceName = r.ObjectMeta.Name + resourceName = r.Name if err != nil { switch err { @@ -423,7 +423,7 @@ func (cli *client) DeleteClient(ctx context.Context, id string) error { if err != nil { return err } - return cli.delete(resourceClient, c.ObjectMeta.Name) + return cli.delete(resourceClient, c.Name) } func (cli *client) DeleteRefresh(ctx context.Context, id string) error { @@ -436,7 +436,7 @@ func (cli *client) DeletePassword(ctx context.Context, email string) error { if err != nil { return err } - return cli.delete(resourcePassword, p.ObjectMeta.Name) + return cli.delete(resourcePassword, p.Name) } func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, connID string) error { @@ -445,7 +445,7 @@ func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, con if err != nil { return err } - return cli.delete(resourceOfflineSessions, o.ObjectMeta.Name) + return cli.delete(resourceOfflineSessions, o.Name) } func (cli *client) DeleteConnector(ctx context.Context, id string) error { 
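Review bot: `cli.delete(resourceClient, c.Name)` in DeleteClient is equivalent to the old `c.ObjectMeta.Name` only if the kubernetes `Client` type declares no `Name` field of its own; Go selects a shallower field before a promoted one, and storage.Client carries a display `Name`, so if the k8s type mirrors it this delete is now keyed by the client's display name rather than its resource name. Patch 5/8 in this series reverts exactly this line and the matching one in UpdateClient, which reads as confirmation; squashing that revert into this commit would avoid an intermediate revision where deleting or updating an OAuth client targets the wrong object. A short comment such as `// Client has its own Name (display name); the resource name is ObjectMeta.Name.` at the call site would keep the next lint pass from re-applying the shortening. The Password and OfflineSessions conversions in this hunk are safe only if those types have no `Name` field either, which is worth checking in types.go rather than assuming.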
@@ -475,7 +475,7 @@ func (cli *client) UpdateRefreshToken(ctx context.Context, id string, updater fu newToken := cli.fromStorageRefreshToken(updated) newToken.ObjectMeta = r.ObjectMeta - return cli.put(resourceRefreshToken, r.ObjectMeta.Name, newToken) + return cli.put(resourceRefreshToken, r.Name, newToken) }) } @@ -493,7 +493,7 @@ func (cli *client) UpdateClient(ctx context.Context, id string, updater func(old newClient := cli.fromStorageClient(updated) newClient.ObjectMeta = c.ObjectMeta - return cli.put(resourceClient, c.ObjectMeta.Name, newClient) + return cli.put(resourceClient, c.Name, newClient) } func (cli *client) UpdatePassword(ctx context.Context, email string, updater func(old storage.Password) (storage.Password, error)) error { @@ -510,7 +510,7 @@ func (cli *client) UpdatePassword(ctx context.Context, email string, updater fun newPassword := cli.fromStoragePassword(updated) newPassword.ObjectMeta = p.ObjectMeta - return cli.put(resourcePassword, p.ObjectMeta.Name, newPassword) + return cli.put(resourcePassword, p.Name, newPassword) } func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, connID string, updater func(old storage.OfflineSessions) (storage.OfflineSessions, error)) error { @@ -527,7 +527,7 @@ func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, con newOfflineSessions := cli.fromStorageOfflineSessions(updated) newOfflineSessions.ObjectMeta = o.ObjectMeta - return cli.put(resourceOfflineSessions, o.ObjectMeta.Name, newOfflineSessions) + return cli.put(resourceOfflineSessions, o.Name, newOfflineSessions) }) } 
@@ -621,7 +621,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st var delErr error for _, authRequest := range authRequests.AuthRequests { if now.After(authRequest.Expiry) { - if err := cli.delete(resourceAuthRequest, authRequest.ObjectMeta.Name); err != nil { + if err := cli.delete(resourceAuthRequest, authRequest.Name); err != nil { cli.logger.Error("failed to delete auth request", "err", err) delErr = fmt.Errorf("failed to delete auth request: %v", err) } @@ -639,7 +639,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, authCode := range authCodes.AuthCodes { if now.After(authCode.Expiry) { - if err := cli.delete(resourceAuthCode, authCode.ObjectMeta.Name); err != nil { + if err := cli.delete(resourceAuthCode, authCode.Name); err != nil { cli.logger.Error("failed to delete auth code", "err", err) delErr = fmt.Errorf("failed to delete auth code: %v", err) } @@ -654,7 +654,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, deviceRequest := range deviceRequests.DeviceRequests { if now.After(deviceRequest.Expiry) { - if err := cli.delete(resourceDeviceRequest, deviceRequest.ObjectMeta.Name); err != nil { + if err := cli.delete(resourceDeviceRequest, deviceRequest.Name); err != nil { cli.logger.Error("failed to delete device request", "err", err) delErr = fmt.Errorf("failed to delete device request: %v", err) } @@ -669,7 +669,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, deviceToken := range deviceTokens.DeviceTokens { if now.After(deviceToken.Expiry) { - if err := cli.delete(resourceDeviceToken, deviceToken.ObjectMeta.Name); err != nil { + if err := cli.delete(resourceDeviceToken, deviceToken.Name); err != nil { cli.logger.Error("failed to delete device token", "err", err) delErr = fmt.Errorf("failed to delete device token: %v", err) } 
@@ -726,7 +726,7 @@ func (cli *client) UpdateDeviceToken(ctx context.Context, deviceCode string, upd newToken := cli.fromStorageDeviceToken(updated) newToken.ObjectMeta = r.ObjectMeta - return cli.put(resourceDeviceToken, r.ObjectMeta.Name, newToken) + return cli.put(resourceDeviceToken, r.Name, newToken) }) } diff --git a/storage/kubernetes/types.go b/storage/kubernetes/types.go index c126ddc087..64ed489ec5 100644 --- a/storage/kubernetes/types.go +++ b/storage/kubernetes/types.go @@ -369,7 +369,7 @@ type AuthRequestList struct { func toStorageAuthRequest(req AuthRequest) storage.AuthRequest { a := storage.AuthRequest{ - ID: req.ObjectMeta.Name, + ID: req.Name, ClientID: req.ClientID, ResponseTypes: req.ResponseTypes, Scopes: req.Scopes, @@ -526,7 +526,7 @@ func (cli *client) fromStorageAuthCode(a storage.AuthCode) AuthCode { func toStorageAuthCode(a AuthCode) storage.AuthCode { return storage.AuthCode{ - ID: a.ObjectMeta.Name, + ID: a.Name, ClientID: a.ClientID, RedirectURI: a.RedirectURI, ConnectorID: a.ConnectorID, @@ -573,7 +573,7 @@ type RefreshList struct { func toStorageRefreshToken(r RefreshToken) storage.RefreshToken { return storage.RefreshToken{ - ID: r.ObjectMeta.Name, + ID: r.Name, Token: r.Token, ObsoleteToken: r.ObsoleteToken, CreatedAt: r.CreatedAt, @@ -733,7 +733,7 @@ func toStorageConnector(c Connector) storage.Connector { ID: c.ID, Type: c.Type, Name: c.Name, - ResourceVersion: c.ObjectMeta.ResourceVersion, + ResourceVersion: c.ResourceVersion, Config: c.Config, } } @@ -786,7 +786,7 @@ func (cli *client) fromStorageDeviceRequest(a storage.DeviceRequest) DeviceReque func toStorageDeviceRequest(req DeviceRequest) storage.DeviceRequest { return storage.DeviceRequest{ - UserCode: strings.ToUpper(req.ObjectMeta.Name), + UserCode: strings.ToUpper(req.Name), DeviceCode: req.DeviceCode, ClientID: req.ClientID, ClientSecret: req.ClientSecret, 
@@ -840,7 +840,7 @@ func (cli *client) fromStorageDeviceToken(t storage.DeviceToken) DeviceToken { func toStorageDeviceToken(t DeviceToken) storage.DeviceToken { return storage.DeviceToken{ - DeviceCode: t.ObjectMeta.Name, + DeviceCode: t.Name, Status: t.Status, Token: t.Token, Expiry: t.Expiry, From c3c4c35e8eb742425ecaa87b2d20f8e04a86dffd Mon Sep 17 00:00:00 2001 From: Mangaal Date: Mon, 4 May 2026 16:21:11 +0530 Subject: [PATCH 4/8] fix ci issue Signed-off-by: Mangaal --- .github/workflows/artifacts.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index 71ea5308c9..650b624df9 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -205,7 +205,7 @@ jobs: restore-keys: trivy-cache- - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 with: input: image format: sarif diff --git a/Dockerfile b/Dockerfile index ae6b53a496..27749a831d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_IMAGE=alpine FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx -FROM --platform=$BUILDPLATFORM golang:1.25.9-alpine3.22 AS builder +FROM --platform=$BUILDPLATFORM golang:1.25.9-alpine3.22@sha256:ea77c38bc50df598f22ae02b729b9d37eb0d70ed72d6dd336b8d6c02ae2b8b09 AS builder COPY --from=xx / / From 67071dee427b0819608876b5c6a4d32229d0d5e8 Mon Sep 17 00:00:00 2001 From: Mangaal Date: Mon, 4 May 2026 16:34:35 +0530 Subject: [PATCH 5/8] fix test failure Signed-off-by: Mangaal --- storage/kubernetes/storage.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go index 2bc9115095..45fcaefd19 100644 --- a/storage/kubernetes/storage.go 
+++ b/storage/kubernetes/storage.go @@ -423,7 +423,7 @@ func (cli *client) DeleteClient(ctx context.Context, id string) error { if err != nil { return err } - return cli.delete(resourceClient, c.Name) + return cli.delete(resourceClient, c.ObjectMeta.Name) } func (cli *client) DeleteRefresh(ctx context.Context, id string) error { @@ -493,7 +493,7 @@ func (cli *client) UpdateClient(ctx context.Context, id string, updater func(old newClient := cli.fromStorageClient(updated) newClient.ObjectMeta = c.ObjectMeta - return cli.put(resourceClient, c.Name, newClient) + return cli.put(resourceClient, c.ObjectMeta.Name, newClient) } func (cli *client) UpdatePassword(ctx context.Context, email string, updater func(old storage.Password) (storage.Password, error)) error { From cc55b2353fb8546955f73e75e6f5b7e69d2df817 Mon Sep 17 00:00:00 2001 From: Mangaal Date: Tue, 5 May 2026 13:06:48 +0530 Subject: [PATCH 6/8] add timeout Signed-off-by: Mangaal --- .golangci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.golangci.yml b/.golangci.yml index d086a606f6..d6afa66fde 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,4 +1,6 @@ version: "2" +run: + timeout: 5m linters: default: none enable: From a6b9f091eb05d28869a98113f7835741bfe5cf3f Mon Sep 17 00:00:00 2001 From: Mangaal Date: Thu, 7 May 2026 11:10:47 +0530 Subject: [PATCH 7/8] sync with upstream Signed-off-by: Mangaal --- .golangci.yml | 77 +++++++++++-------- Makefile | 2 +- .../atlassiancrowd/atlassiancrowd_test.go | 8 +- go.mod | 4 +- server/oauth2.go | 16 ++-- server/rotation.go | 2 +- storage/conformance/conformance.go | 2 +- storage/kubernetes/lock.go | 6 +- storage/kubernetes/storage.go | 28 +++---- storage/kubernetes/types.go | 12 +-- 10 files changed, 85 insertions(+), 72 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index d6afa66fde..995913e58e 100644 --- a/.golangci.yml +++ b/.golangci.yml 
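Review bot: The revert to `c.ObjectMeta.Name` in DeleteClient and UpdateClient carries no explanation, so whichever check produced patch 3/8 will flag these two selectors again and someone will re-shorten them. Put the reason at the call site, e.g. `// Client declares its own Name (the display name); the k8s resource name is ObjectMeta.Name.`, or a targeted `//nolint:staticcheck // Client.Name shadows ObjectMeta.Name` if that check stays enabled. It is also worth confirming whether `fromStorageClient` or `toStorageClient`, outside this hunk, read `c.Name` anywhere the same ambiguity applies.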
@@ -1,14 +1,18 @@ version: "2" + run: timeout: 5m + linters: - default: none + disable: + - staticcheck + - errcheck enable: - depguard - dogsled - exhaustive - gochecknoinits - - gocritic + # - gocritic - goprintffuncname - govet - ineffassign @@ -16,7 +20,9 @@ linters: - nakedret - nolintlint - prealloc - - staticcheck + # - revive + # - sqlclosecheck + # - staticcheck - unconvert - unused - whitespace @@ -27,9 +33,8 @@ linters: # - tparallel # - unparam - # Disable temporarily until the following issue is resolved: - # https://github.com/golangci/golangci-lint/issues/3086 - - sqlclosecheck + # Disable temporarily until the following issue is resolved: https://github.com/golangci/golangci-lint/issues/3086 + # - sqlclosecheck # TODO: fix linter errors before enabling # - exhaustivestruct 
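Review bot: The new `disable:` list turns off `staticcheck` and `errcheck` repository-wide, which removes the only checks in this config that catch unchecked error returns and the SA-class bug patterns, in a service that signs tokens and rotates signing keys; with `default: none` gone these two are precisely the ones the v2 `standard` default would have kept on. If the aim is to match upstream's list, keep them enabled and silence the specific noisy paths under `linters.exclusions.rules` (a `- linters: [errcheck]` entry with a `path:`) rather than a global disable. `gocritic` is also commented out here while its `settings.gocritic` block survives in the next hunk, so that configuration is now dead weight.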
@@ -66,44 +71,54 @@ linters: # - nestif # - testpackage # - wsl + + exclusions: + rules: + - linters: + - errcheck + - noctx + path: _test.go + presets: + - comments + - std-error-handling + settings: + misspell: + locale: US + nolintlint: + allow-unused: false # report any unused nolint directives + require-specific: false # don't require nolint directives to be specific about which linter is being skipped + gocritic: + # Enable multiple checks by tags. See "Tags" section in https://github.com/go-critic/go-critic#usage. + enabled-tags: + - diagnostic + - experimental + - opinionated + - style + disabled-checks: + - importShadow + - unnamedResult depguard: rules: deprecated: deny: - - pkg: io/ioutil - desc: The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead. - exclusions: - generated: lax - presets: - - comments - - common-false-positives - - legacy - - std-error-handling - paths: - - storage/ent/db - - third_party$ - - builtin$ - - examples$ + - pkg: "io/ioutil" + desc: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead." + formatters: enable: - gci - gofmt - gofumpt - goimports + # - golines + settings: gci: sections: - standard - default - - prefix(github.com/dexidp/dex) - goimports: - local-prefixes: - - github.com/dexidp/dex - exclusions: - generated: lax - paths: - - storage/ent/db - - third_party$ - - builtin$ - - examples$ + - localmodule +# issues: +# exclude-dirs: +# - storage/ent/db # generated ent code \ No newline at end of file diff --git a/Makefile b/Makefile index 20d41e7488..800f95cf2b 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ export GOBIN=$(PWD)/bin LD_FLAGS="-w -X main.version=$(VERSION)" # Dependency versions -GOLANGCI_VERSION = 2.10.1 +GOLANGCI_VERSION = 2.4.1 GOTESTSUM_VERSION ?= 1.12.0 PROTOC_VERSION = 29.3 diff --git a/connector/atlassiancrowd/atlassiancrowd_test.go b/connector/atlassiancrowd/atlassiancrowd_test.go index d2970bb23c..9471fb80c0 100644 
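Review bot: The `storage/ent/db` exclusion is lost in this hunk: the v2 `exclusions.paths` entries are removed and the replacement `# issues: exclude-dirs:` block is both commented out and a v1 key that v2 does not read, so the generated ent code is linted and formatted from now on unless golangci-lint's generated-file detection happens to catch every file. Restore it as `exclusions: paths: - storage/ent/db` under both `linters` and `formatters` and drop the dead comment. The file also now ends without a trailing newline (`\ No newline at end of file`), which editors and YAML tooling will keep flagging.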
--- a/connector/atlassiancrowd/atlassiancrowd_test.go +++ b/connector/atlassiancrowd/atlassiancrowd_test.go @@ -124,19 +124,19 @@ func TestIdentityFromCrowdUser(t *testing.T) { // unset expectEquals(t, i.PreferredUsername, "") - c.PreferredUsernameField = "key" + c.Config.PreferredUsernameField = "key" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "12345") - c.PreferredUsernameField = "name" + c.Config.PreferredUsernameField = "name" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "testuser") - c.PreferredUsernameField = "email" + c.Config.PreferredUsernameField = "email" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "testuser@example.com") - c.PreferredUsernameField = "invalidstring" + c.Config.PreferredUsernameField = "invalidstring" i = c.identityFromCrowdUser(user) expectEquals(t, i.PreferredUsername, "") } diff --git a/go.mod b/go.mod index d6cfb7faf9..292f9a5eeb 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,6 @@ module github.com/dexidp/dex -go 1.24.0 - -toolchain go1.25.9 +go 1.25.9 require ( cloud.google.com/go/compute/metadata v0.7.0 diff --git a/server/oauth2.go b/server/oauth2.go index 5401000fc0..18cc3dd46d 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -402,16 +402,16 @@ func (s *Server) newIDToken(ctx context.Context, clientID string, claims storage } for _, scope := range scopes { - switch scope { - case scopeEmail: + switch { + case scope == scopeEmail: tok.Email = claims.Email tok.EmailVerified = &claims.EmailVerified - case scopeGroups: + case scope == scopeGroups: tok.Groups = claims.Groups - case scopeProfile: + case scope == scopeProfile: tok.Name = claims.Username tok.PreferredUsername = claims.PreferredUsername - case scopeFederatedID: + case scope == scopeFederatedID: tok.FederatedIDClaims = &federatedIDClaims{ ConnectorID: connID, UserID: claims.UserID, 
@@ -518,7 +518,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques if codeChallengeMethod != codeChallengeMethodS256 && codeChallengeMethod != codeChallengeMethodPlain { description := fmt.Sprintf("Unsupported PKCE challenge method (%q).", codeChallengeMethod) - return nil, newRedirectedErr(errInvalidRequest, "%s", description) + return nil, newRedirectedErr(errInvalidRequest, description) } var ( @@ -602,7 +602,7 @@ func (s *Server) parseAuthorizationRequest(r *http.Request) (*storage.AuthReques if rt.token { if redirectURI == redirectURIOOB { err := fmt.Sprintf("Cannot use response type 'token' with redirect_uri '%s'.", redirectURIOOB) - return nil, newRedirectedErr(errInvalidRequest, "%s", err) + return nil, newRedirectedErr(errInvalidRequest, err) } } @@ -720,7 +720,7 @@ func (s *storageKeySet) VerifySignature(ctx context.Context, jwt string) (payloa break } - skeys, err := s.GetKeys(ctx) + skeys, err := s.Storage.GetKeys(ctx) if err != nil { return nil, err } diff --git a/server/rotation.go b/server/rotation.go index 49ba7f27f6..286b4b57af 100644 --- a/server/rotation.go +++ b/server/rotation.go @@ -128,7 +128,7 @@ func (k keyRotator) rotate() error { } var nextRotation time.Time - err = k.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) { + err = k.Storage.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) { tNow := k.now() // if you are running multiple instances of dex, another instance diff --git a/storage/conformance/conformance.go b/storage/conformance/conformance.go index c3f22be82a..58ae3d958d 100644 --- a/storage/conformance/conformance.go +++ b/storage/conformance/conformance.go 
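Review bot: Reverting to `newRedirectedErr(errInvalidRequest, description)` reintroduces the non-constant format string that patch 3/8 removed: `description` embeds the request-supplied `codeChallengeMethod`, and if `newRedirectedErr` is printf-style a `%` in that parameter is interpreted as a verb, producing garbled `%!s(MISSING)` text in the error redirect and, judging by patch 3/8, a lint finding. Syncing with upstream does not require undoing this; keep the `"%s"` form, or pass the argument directly with `return nil, newRedirectedErr(errInvalidRequest, "Unsupported PKCE challenge method (%q).", codeChallengeMethod)`. `parseAuthorizationRequest` begins and ends outside the hunk.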
@@ -508,7 +508,7 @@ func testPasswordCRUD(t *testing.T, s storage.Storage) { password1.Username = "jane doe" getAndCompare("jane@example.com", password1) - passwordList := make([]storage.Password, 0, 2) + var passwordList []storage.Password passwordList = append(passwordList, password1, password2) listAndCompare := func(want []storage.Password) { diff --git a/storage/kubernetes/lock.go b/storage/kubernetes/lock.go index ddb3499751..c67380dcc0 100644 --- a/storage/kubernetes/lock.go +++ b/storage/kubernetes/lock.go @@ -58,7 +58,7 @@ func (l *refreshTokenLock) Unlock(id string) { } r.Annotations = nil - err = l.cli.put(resourceRefreshToken, r.Name, r) + err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) if err != nil { l.cli.logger.Debug("failed to release lock for refresh token", "token_id", id, "err", err) } @@ -82,7 +82,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) { } r.Annotations = lockData - err := l.cli.put(resourceRefreshToken, r.Name, r) + err := l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) if err == nil { return false, nil } @@ -108,7 +108,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) { // Lock time is out, lets break the lock and take the advantage r.Annotations = lockData - err = l.cli.put(resourceRefreshToken, r.Name, r) + err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r) if err == nil { // break lock annotation return false, nil diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go index 45fcaefd19..eae5b7a6de 100644 --- a/storage/kubernetes/storage.go +++ b/storage/kubernetes/storage.go 
@@ -155,16 +155,16 @@ func (cli *client) registerCustomResources() (ok bool) { r := definitions[i] var i interface{} - cli.logger.Info("checking if custom resource has already been created...", "object", r.Name) + cli.logger.Info("checking if custom resource has already been created...", "object", r.ObjectMeta.Name) if err := cli.listN(r.Spec.Names.Plural, &i, 1); err == nil { - cli.logger.Info("the custom resource already available, skipping create", "object", r.Name) + cli.logger.Info("the custom resource already available, skipping create", "object", r.ObjectMeta.Name) continue } else { - cli.logger.Info("failed to list custom resource, attempting to create", "object", r.Name, "err", err) + cli.logger.Info("failed to list custom resource, attempting to create", "object", r.ObjectMeta.Name, "err", err) } err = cli.postResource(cli.crdAPIVersion, "", "customresourcedefinitions", r) - resourceName = r.Name + resourceName = r.ObjectMeta.Name if err != nil { switch err { @@ -436,7 +436,7 @@ func (cli *client) DeletePassword(ctx context.Context, email string) error { if err != nil { return err } - return cli.delete(resourcePassword, p.Name) + return cli.delete(resourcePassword, p.ObjectMeta.Name) } func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, connID string) error { @@ -445,7 +445,7 @@ func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, con if err != nil { return err } - return cli.delete(resourceOfflineSessions, o.Name) + return cli.delete(resourceOfflineSessions, o.ObjectMeta.Name) } func (cli *client) DeleteConnector(ctx context.Context, id string) error { @@ -475,7 +475,7 @@ func (cli *client) UpdateRefreshToken(ctx context.Context, id string, updater fu newToken := cli.fromStorageRefreshToken(updated) newToken.ObjectMeta = r.ObjectMeta - return cli.put(resourceRefreshToken, r.Name, newToken) + return cli.put(resourceRefreshToken, r.ObjectMeta.Name, newToken) }) } 
@@ -510,7 +510,7 @@ func (cli *client) UpdatePassword(ctx context.Context, email string, updater fun newPassword := cli.fromStoragePassword(updated) newPassword.ObjectMeta = p.ObjectMeta - return cli.put(resourcePassword, p.Name, newPassword) + return cli.put(resourcePassword, p.ObjectMeta.Name, newPassword) } func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, connID string, updater func(old storage.OfflineSessions) (storage.OfflineSessions, error)) error { @@ -527,7 +527,7 @@ func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, con newOfflineSessions := cli.fromStorageOfflineSessions(updated) newOfflineSessions.ObjectMeta = o.ObjectMeta - return cli.put(resourceOfflineSessions, o.Name, newOfflineSessions) + return cli.put(resourceOfflineSessions, o.ObjectMeta.Name, newOfflineSessions) }) } @@ -621,7 +621,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st var delErr error for _, authRequest := range authRequests.AuthRequests { if now.After(authRequest.Expiry) { - if err := cli.delete(resourceAuthRequest, authRequest.Name); err != nil { + if err := cli.delete(resourceAuthRequest, authRequest.ObjectMeta.Name); err != nil { cli.logger.Error("failed to delete auth request", "err", err) delErr = fmt.Errorf("failed to delete auth request: %v", err) } @@ -639,7 +639,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, authCode := range authCodes.AuthCodes { if now.After(authCode.Expiry) { - if err := cli.delete(resourceAuthCode, authCode.Name); err != nil { + if err := cli.delete(resourceAuthCode, authCode.ObjectMeta.Name); err != nil { cli.logger.Error("failed to delete auth code", "err", err) delErr = fmt.Errorf("failed to delete auth code: %v", err) } 
@@ -654,7 +654,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, deviceRequest := range deviceRequests.DeviceRequests { if now.After(deviceRequest.Expiry) { - if err := cli.delete(resourceDeviceRequest, deviceRequest.Name); err != nil { + if err := cli.delete(resourceDeviceRequest, deviceRequest.ObjectMeta.Name); err != nil { cli.logger.Error("failed to delete device request", "err", err) delErr = fmt.Errorf("failed to delete device request: %v", err) } @@ -669,7 +669,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st for _, deviceToken := range deviceTokens.DeviceTokens { if now.After(deviceToken.Expiry) { - if err := cli.delete(resourceDeviceToken, deviceToken.Name); err != nil { + if err := cli.delete(resourceDeviceToken, deviceToken.ObjectMeta.Name); err != nil { cli.logger.Error("failed to delete device token", "err", err) delErr = fmt.Errorf("failed to delete device token: %v", err) } @@ -726,7 +726,7 @@ func (cli *client) UpdateDeviceToken(ctx context.Context, deviceCode string, upd newToken := cli.fromStorageDeviceToken(updated) newToken.ObjectMeta = r.ObjectMeta - return cli.put(resourceDeviceToken, r.Name, newToken) + return cli.put(resourceDeviceToken, r.ObjectMeta.Name, newToken) }) } diff --git a/storage/kubernetes/types.go b/storage/kubernetes/types.go index 64ed489ec5..c126ddc087 100644 --- a/storage/kubernetes/types.go +++ b/storage/kubernetes/types.go @@ -369,7 +369,7 @@ type AuthRequestList struct { func toStorageAuthRequest(req AuthRequest) storage.AuthRequest { a := storage.AuthRequest{ - ID: req.Name, + ID: req.ObjectMeta.Name, ClientID: req.ClientID, ResponseTypes: req.ResponseTypes, Scopes: req.Scopes, 
@@ -526,7 +526,7 @@ func (cli *client) fromStorageAuthCode(a storage.AuthCode) AuthCode { func toStorageAuthCode(a AuthCode) storage.AuthCode { return storage.AuthCode{ - ID: a.Name, + ID: a.ObjectMeta.Name, ClientID: a.ClientID, RedirectURI: a.RedirectURI, ConnectorID: a.ConnectorID, @@ -573,7 +573,7 @@ type RefreshList struct { func toStorageRefreshToken(r RefreshToken) storage.RefreshToken { return storage.RefreshToken{ - ID: r.Name, + ID: r.ObjectMeta.Name, Token: r.Token, ObsoleteToken: r.ObsoleteToken, CreatedAt: r.CreatedAt, @@ -733,7 +733,7 @@ func toStorageConnector(c Connector) storage.Connector { ID: c.ID, Type: c.Type, Name: c.Name, - ResourceVersion: c.ResourceVersion, + ResourceVersion: c.ObjectMeta.ResourceVersion, Config: c.Config, } } @@ -786,7 +786,7 @@ func (cli *client) fromStorageDeviceRequest(a storage.DeviceRequest) DeviceReque func toStorageDeviceRequest(req DeviceRequest) storage.DeviceRequest { return storage.DeviceRequest{ - UserCode: strings.ToUpper(req.Name), + UserCode: strings.ToUpper(req.ObjectMeta.Name), DeviceCode: req.DeviceCode, ClientID: req.ClientID, ClientSecret: req.ClientSecret, @@ -840,7 +840,7 @@ func (cli *client) fromStorageDeviceToken(t storage.DeviceToken) DeviceToken { func toStorageDeviceToken(t DeviceToken) storage.DeviceToken { return storage.DeviceToken{ - DeviceCode: t.Name, + DeviceCode: t.ObjectMeta.Name, Status: t.Status, Token: t.Token, Expiry: t.Expiry, From 00129587a1daadfbe62cf3a78e7c3dd9b765e6ce Mon Sep 17 00:00:00 2001 From: Mangaal Date: Thu, 7 May 2026 11:17:15 +0530 Subject: [PATCH 8/8] sync GOLANGCI_VERSION version Signed-off-by: Mangaal --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 800f95cf2b..61ec06bc12 100644 --- a/Makefile +++ b/Makefile 
@@ -17,7 +17,7 @@ export GOBIN=$(PWD)/bin LD_FLAGS="-w -X main.version=$(VERSION)" # Dependency versions -GOLANGCI_VERSION = 2.4.1 +GOLANGCI_VERSION = 2.4.0 GOTESTSUM_VERSION ?= 1.12.0 PROTOC_VERSION = 29.3