[pull] master from ory:master

.github/workflows/ci.yaml

@@ -85,7 +85,7 @@ jobs:
         name: Install node deps
       - name: Run golangci-lint
         if: ${{ github.ref_type != 'tag' }}
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         env:
           GOGC: 100
         with:

driver/config/config.go

@@ -26,7 +26,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel/trace/noop"
 	"golang.org/x/net/publicsuffix"
 
 	"github.com/ory/kratos/x"
@@ -451,10 +450,6 @@ func (p *Config) validateIdentitySchemas(ctx context.Context) error {
 		httpx.ResilientClientWithLogger(p.l),
 		httpx.ResilientClientWithMaxRetry(2),
 		httpx.ResilientClientWithConnectionTimeout(30 * time.Second),
-		// Tracing still works correctly even though we pass a no-op tracer
-		// here, because the otelhttp package will preferentially use the
-		// tracer from the incoming request context over this one.
-		httpx.ResilientClientWithTracer(noop.NewTracerProvider().Tracer("github.com/ory/kratos/driver/config")),
 	}
 
 	if o, ok := ctx.Value(validateIdentitySchemasClientKey).([]httpx.ResilientOptions); ok {

oryx/Makefile

@@ -13,7 +13,7 @@ format: .bin/ory node_modules
 	npm exec -- prettier --write .
 
 .bin/golangci-lint: Makefile
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b .bin v1.64.8
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b .bin v2.4.0
 
 .bin/licenses: Makefile
 	curl https://raw.githubusercontent.com/ory/ci/master/licenses/install | sh

oryx/httpx/resilient_client.go

@@ -10,7 +10,6 @@ import (
 	"net/http"
 	"time"
 
-	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/oauth2"
 
 	"github.com/hashicorp/go-retryablehttp"
@@ -20,16 +19,12 @@ import (
 
 type resilientOptions struct {
 	c                    *http.Client
-	oauthConfig          *oauth2.Config
-	oauthToken           *oauth2.Token
 	l                    interface{}
 	retryWaitMin         time.Duration
 	retryWaitMax         time.Duration
 	retryMax             int
 	noInternalIPs        bool
 	internalIPExceptions []string
-	ipV6                 bool
-	tracer               trace.Tracer
 }
 
 func newResilientOptions() *resilientOptions {
@@ -40,20 +35,12 @@ func newResilientOptions() *resilientOptions {
 		retryWaitMax: 30 * time.Second,
 		retryMax:     4,
 		l:            log.New(io.Discard, "", log.LstdFlags),
-		ipV6:         true,
 	}
 }
 
 // ResilientOptions is a set of options for the ResilientClient.
 type ResilientOptions func(o *resilientOptions)
 
-// ResilientClientWithTracer wraps the http clients transport with a tracing instrumentation
-func ResilientClientWithTracer(tracer trace.Tracer) ResilientOptions {
-	return func(o *resilientOptions) {
-		o.tracer = tracer
-	}
-}
-
 // ResilientClientWithMaxRetry sets the maximum number of retries.
 func ResilientClientWithMaxRetry(retryMax int) ResilientOptions {
 	return func(o *resilientOptions) {
@@ -104,12 +91,6 @@ func ResilientClientAllowInternalIPRequestsTo(urlGlobs ...string) ResilientOptio
 	}
 }
 
-func ResilientClientNoIPv6() ResilientOptions {
-	return func(o *resilientOptions) {
-		o.ipV6 = false
-	}
-}
-
 // NewResilientClient creates a new ResilientClient.
 func NewResilientClient(opts ...ResilientOptions) *retryablehttp.Client {
 	o := newResilientOptions()
@@ -119,12 +100,12 @@ func NewResilientClient(opts ...ResilientOptions) *retryablehttp.Client {
 
 	if o.noInternalIPs {
 		o.c.Transport = &noInternalIPRoundTripper{
-			onWhitelist:          ifelse(o.ipV6, allowInternalAllowIPv6, allowInternalProhibitIPv6),
-			notOnWhitelist:       ifelse(o.ipV6, prohibitInternalAllowIPv6, prohibitInternalProhibitIPv6),
+			onWhitelist:          allowInternalAllowIPv6,
+			notOnWhitelist:       prohibitInternalAllowIPv6,
 			internalIPExceptions: o.internalIPExceptions,
 		}
 	} else {
-		o.c.Transport = ifelse(o.ipV6, allowInternalAllowIPv6, allowInternalProhibitIPv6)
+		o.c.Transport = allowInternalAllowIPv6
 	}
 
 	cl := retryablehttp.NewClient()
@@ -155,10 +136,3 @@ func SetOAuth2(ctx context.Context, cl *retryablehttp.Client, c OAuth2Config, t
 type OAuth2Config interface {
 	Client(context.Context, *oauth2.Token) *http.Client
 }
-
-func ifelse[A any](b bool, x, y A) A {
-	if b {
-		return x
-	}
-	return y
-}

oryx/httpx/ssrf.go

@@ -55,10 +55,8 @@ func (n noInternalIPRoundTripper) RoundTrip(request *http.Request) (*http.Respon
 }
 
 var (
-	prohibitInternalAllowIPv6    http.RoundTripper
-	prohibitInternalProhibitIPv6 http.RoundTripper
-	allowInternalAllowIPv6       http.RoundTripper
-	allowInternalProhibitIPv6    http.RoundTripper
+	prohibitInternalAllowIPv6 http.RoundTripper
+	allowInternalAllowIPv6    http.RoundTripper
 )
 
 func init() {
@@ -79,7 +77,6 @@ func init() {
 	t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return d.DialContext(ctx, "tcp4", addr)
 	}
-	prohibitInternalProhibitIPv6 = OTELTraceTransport(t)
 }
 
 func init() {
@@ -122,7 +119,6 @@ func init() {
 	t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return d.DialContext(ctx, "tcp4", addr)
 	}
-	allowInternalProhibitIPv6 = OTELTraceTransport(t)
 }
 
 func newDefaultTransport() (*http.Transport, *net.Dialer) {

oryx/jsonnetsecure/jsonnet.go

@@ -65,6 +65,12 @@ func newVMOptions() *vmOptions {
 	}
 }
 
+func WithContext(ctx context.Context) Option {
+	return func(o *vmOptions) {
+		o.ctx = ctx
+	}
+}
+
 func WithProcessPool(p Pool) Option {
 	return func(o *vmOptions) {
 		pool, _ := p.(*pool)

oryx/jsonnetsecure/provider.go

@@ -41,6 +41,7 @@ func NewTestProvider(t testing.TB) *TestProvider {
 
 func (p *TestProvider) JsonnetVM(ctx context.Context) (VM, error) {
 	return MakeSecureVM(
+		WithContext(ctx),
 		WithProcessPool(p.pool),
 		WithJsonnetBinary(p.jsonnetBinary),
 	), nil
@@ -52,6 +53,7 @@ func (p *DefaultProvider) JsonnetVM(ctx context.Context) (VM, error) {
 		return nil, err
 	}
 	return MakeSecureVM(
+		WithContext(ctx),
 		WithJsonnetBinary(self),
 		WithProcessArgs(p.Subcommand),
 		WithProcessPool(p.Pool),

selfservice/strategy/password/validator.go

@@ -13,8 +13,6 @@ import (
 	"strings"
 	"time"
 
-	"go.opentelemetry.io/otel/trace/noop"
-
 	"github.com/ory/kratos/text"
 
 	"github.com/arbovm/levenshtein"
@@ -85,10 +83,7 @@ func NewDefaultPasswordValidatorStrategy(reg validatorDependencies) (*DefaultPas
 	return &DefaultPasswordValidator{
 		Client: httpx.NewResilientClient(
 			httpx.ResilientClientWithConnectionTimeout(time.Second),
-			// Tracing still works correctly even though we pass a no-op tracer
-			// here, because the otelhttp package will preferentially use the
-			// tracer from the incoming request context over this one.
-			httpx.ResilientClientWithTracer(noop.NewTracerProvider().Tracer("github.com/ory/kratos/selfservice/strategy/password"))),
+		),
 		reg:                       reg,
 		hashes:                    cache,
 		minIdentifierPasswordDist: 5, maxIdentifierPasswordSubstrThreshold: 0.5,