diff --git a/.github/workflows/haskell-ci.yml b/.github/workflows/haskell-ci.yml index 25a28e5..6c419c6 100644 --- a/.github/workflows/haskell-ci.yml +++ b/.github/workflows/haskell-ci.yml @@ -8,9 +8,9 @@ # # For more information, see https://github.com/haskell-CI/haskell-ci # -# version: 0.16.3 +# version: 0.19.20250315 # -# REGENDATA ("0.16.3",["github","cabal.project"]) +# REGENDATA ("0.19.20250315",["github","cabal.project"]) # name: Haskell-CI on: @@ -23,28 +23,33 @@ on: jobs: linux: name: Haskell-CI - Linux - ${{ matrix.compiler }} - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 timeout-minutes: 60 container: - image: buildpack-deps:bionic + image: buildpack-deps:jammy continue-on-error: ${{ matrix.allow-failure }} strategy: matrix: include: - - compiler: ghc-9.6.2 + - compiler: ghc-9.8.4 compilerKind: ghc - compilerVersion: 9.6.2 + compilerVersion: 9.8.4 setup-method: ghcup allow-failure: true - - compiler: ghc-9.4.5 + - compiler: ghc-9.6.6 compilerKind: ghc - compilerVersion: 9.4.5 + compilerVersion: 9.6.6 setup-method: ghcup allow-failure: true - - compiler: ghc-9.2.7 + - compiler: ghc-9.4.8 compilerKind: ghc - compilerVersion: 9.2.7 + compilerVersion: 9.4.8 + setup-method: ghcup + allow-failure: true + - compiler: ghc-9.2.8 + compilerKind: ghc + compilerVersion: 9.2.8 setup-method: ghcup allow-failure: true - compiler: ghc-9.0.2 
@@ -59,15 +64,29 @@ jobs: allow-failure: false fail-fast: false steps: - - name: apt + - name: apt-get install run: | apt-get update apt-get install -y --no-install-recommends gnupg ca-certificates dirmngr curl git software-properties-common libtinfo5 + - name: Install GHCup + run: | mkdir -p "$HOME/.ghcup/bin" - curl -sL https://downloads.haskell.org/ghcup/0.1.19.2/x86_64-linux-ghcup-0.1.19.2 > "$HOME/.ghcup/bin/ghcup" + curl -sL https://downloads.haskell.org/ghcup/0.1.40.0/x86_64-linux-ghcup-0.1.40.0 > "$HOME/.ghcup/bin/ghcup" chmod a+x "$HOME/.ghcup/bin/ghcup" + - name: Install cabal-install + run: | + "$HOME/.ghcup/bin/ghcup" install cabal 3.12.1.0 || (cat "$HOME"/.ghcup/logs/*.* && false) + echo "CABAL=$HOME/.ghcup/bin/cabal-3.12.1.0 -vnormal+nowrap" >> "$GITHUB_ENV" + - name: Install GHC (GHCup) + if: matrix.setup-method == 'ghcup' + run: | "$HOME/.ghcup/bin/ghcup" install ghc "$HCVER" || (cat "$HOME"/.ghcup/logs/*.* && false) - "$HOME/.ghcup/bin/ghcup" install cabal 3.10.1.0 || (cat "$HOME"/.ghcup/logs/*.* && false) + HC=$("$HOME/.ghcup/bin/ghcup" whereis ghc "$HCVER") + HCPKG=$(echo "$HC" | sed 's#ghc$#ghc-pkg#') + HADDOCK=$(echo "$HC" | sed 's#ghc$#haddock#') + echo "HC=$HC" >> "$GITHUB_ENV" + echo "HCPKG=$HCPKG" >> "$GITHUB_ENV" + echo "HADDOCK=$HADDOCK" >> "$GITHUB_ENV" env: HCKIND: ${{ matrix.compilerKind }} HCNAME: ${{ matrix.compiler }} 
@@ -78,19 +97,12 @@ jobs: echo "LANG=C.UTF-8" >> "$GITHUB_ENV" echo "CABAL_DIR=$HOME/.cabal" >> "$GITHUB_ENV" echo "CABAL_CONFIG=$HOME/.cabal/config" >> "$GITHUB_ENV" - HCDIR=/opt/$HCKIND/$HCVER - HC=$HOME/.ghcup/bin/$HCKIND-$HCVER - echo "HC=$HC" >> "$GITHUB_ENV" - echo "HCPKG=$HOME/.ghcup/bin/$HCKIND-pkg-$HCVER" >> "$GITHUB_ENV" - echo "HADDOCK=$HOME/.ghcup/bin/haddock-$HCVER" >> "$GITHUB_ENV" - echo "CABAL=$HOME/.ghcup/bin/cabal-3.10.1.0 -vnormal+nowrap" >> "$GITHUB_ENV" HCNUMVER=$(${HC} --numeric-version|perl -ne '/^(\d+)\.(\d+)\.(\d+)(\.(\d+))?$/; print(10000 * $1 + 100 * $2 + ($3 == 0 ? $5 != 1 : $3))') echo "HCNUMVER=$HCNUMVER" >> "$GITHUB_ENV" echo "ARG_TESTS=--enable-tests" >> "$GITHUB_ENV" echo "ARG_BENCH=--enable-benchmarks" >> "$GITHUB_ENV" echo "HEADHACKAGE=false" >> "$GITHUB_ENV" echo "ARG_COMPILER=--$HCKIND --with-compiler=$HC" >> "$GITHUB_ENV" - echo "GHCJSARITH=0" >> "$GITHUB_ENV" env: HCKIND: ${{ matrix.compilerKind }} HCNAME: ${{ matrix.compiler }} @@ -140,7 +152,7 @@ jobs: chmod a+x $HOME/.cabal/bin/cabal-plan cabal-plan --version - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: path: source - name: initial cabal.project for sdist @@ -175,15 +187,10 @@ jobs: location: https://github.com/biocad/bcd-log tag: 16808faa4db0d3d94ff4006c5ca88691551ebe40 - source-repository-package - type: git - location: https://github.com/biocad/openid-connect.git - tag: fd2a7dd8cf518bfa90ea5111e09d88069630563a - source-repository-package type: git location: https://github.com/maksbotan/generic-override.git - tag: a91ca0b369a668db71a22c118f4b0e546c4cb8d2 + tag: 79432eaa084705d6ac3f5b877287a74815a8eb71 subdir: generic-override source-repository-package 
@@ -192,7 +199,7 @@ jobs: tag: 79432eaa084705d6ac3f5b877287a74815a8eb71 subdir: generic-override-aeson EOF - $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: $_ installed\n" unless /^(web-template)$/; }' >> cabal.project.local + $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: any.$_ installed\n" unless /^(web-template)$/; }' >> cabal.project.local cat cabal.project cat cabal.project.local - name: dump install plan @@ -200,7 +207,7 @@ jobs: $CABAL v2-build $ARG_COMPILER $ARG_TESTS $ARG_BENCH --dry-run all cabal-plan - name: restore cache - uses: actions/cache/restore@v3 + uses: actions/cache/restore@v4 with: key: ${{ runner.os }}-${{ matrix.compiler }}-${{ github.sha }} path: ~/.cabal/store @@ -227,8 +234,8 @@ jobs: rm -f cabal.project.local $CABAL v2-build $ARG_COMPILER --disable-tests --disable-benchmarks all - name: save cache - uses: actions/cache/save@v3 if: always() + uses: actions/cache/save@v4 with: key: ${{ runner.os }}-${{ matrix.compiler }}-${{ github.sha }} path: ~/.cabal/store diff --git a/CHANGELOG.md b/CHANGELOG.md index dd763b1..63700ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.1.3.16] - 2025-03-27 +### Changed +- `Permit` does not overwrite 403 response description of deeper layers. + ## [0.1.3.15] - 2023-11-20 ### Changed - `WithDescription` does not clash between different fields with the same type. diff --git a/cabal.project b/cabal.project index e0cbb9b..d1615a1 100644 --- a/cabal.project +++ b/cabal.project 
@@ -10,18 +10,12 @@ source-repository-package tag: 16808faa4db0d3d94ff4006c5ca88691551ebe40 --sha256: E/VW3Xb7Nvefle2QkTckuWn8QB2YhbBCEBVO2y/xcbo= -source-repository-package - type: git - location: https://github.com/biocad/openid-connect.git - tag: fd2a7dd8cf518bfa90ea5111e09d88069630563a - --sha256: 1yz04a0y88652dfd1rgswf2qm7g3wxvc52931d0l60xy4awjj536 - source-repository-package type: git location: https://github.com/maksbotan/generic-override.git - tag: a91ca0b369a668db71a22c118f4b0e546c4cb8d2 + tag: 79432eaa084705d6ac3f5b877287a74815a8eb71 subdir: generic-override - --sha256: 0bhqnz36l8a1fyh63r5fr1v6mav7ri1s7xsysvdjlm0qq7mndpgf + --sha256: 1qqb39lw71q7637bh2xpdcxrkyh9r6r55z2xmkgcgbwvx0wi5l9l source-repository-package type: git diff --git a/src/Web/Template/Servant/Auth.hs b/src/Web/Template/Servant/Auth.hs index 3be5653..f55c259 100644 --- a/src/Web/Template/Servant/Auth.hs +++ b/src/Web/Template/Servant/Auth.hs @@ -5,6 +5,9 @@ {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE TemplateHaskell #-} +-- unregisteredClaims is deprecated in jose, we don't want to fix that now. +{-# OPTIONS_GHC -Wno-deprecations #-} + module Web.Template.Servant.Auth ( CbdAuth , OIDCAuth @@ -54,7 +57,7 @@ import Data.OpenApi.Internal (ApiKeyLocation (..), ApiKeyPara SecurityRequirement (..), SecurityScheme (..), SecuritySchemeType (..)) import Data.OpenApi.Lens (components, description, security, securitySchemes) -import Data.OpenApi.Operation (allOperations, setResponse) +import Data.OpenApi.Operation (allOperations, setResponse, setResponseWith) import qualified Data.Text as T import Data.Time.Clock (NominalDiffTime, UTCTime, addUTCTime, diffUTCTime, getCurrentTime, nominalDiffTimeToSeconds) 
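Review bot: In the cabal.project hunk, removing the `biocad/openid-connect` source-repository-package entry drops the only commit-level pin on the OpenID Connect dependency, and nothing visible in this diff replaces it. The web-template.cabal hunks shown change only `version` and `tested-with`, so unless build-depends already carries a range for the package (not visible here), the solver presumably takes whatever release the package index offers at build time. For a dependency on the authentication path I would add an explicit version range for openid-connect in build-depends, or fix the index with `index-state: <TIMESTAMP>` in cabal.project. The generic-override bump keeps a full commit hash, which is fine; note that the `--sha256:` line is a comment and is not checked by cabal itself.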
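Review bot: The `{-# OPTIONS_GHC -Wno-deprecations #-}` added at the top of src/Web/Template/Servant/Auth.hs silences every deprecation warning in the module, not only the one for `unregisteredClaims` that the comment names. Judging by its exports (`CbdAuth`, `OIDCAuth`) this is the authentication module, so a later deprecation in jose or another auth dependency would go unnoticed in exactly the code where it matters most. GHC has no per-identifier switch for deprecations, so either move the `unregisteredClaims` use into a small helper module that carries the pragma, or make the cost explicit in the comment, for example `-- NOTE: this hides all deprecations in this module; remove once unregisteredClaims is replaced.`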
@@ -370,7 +373,10 @@ instance ( HasOpenApi api , KnownSymbols roles ) => HasOpenApi (Permit roles :> api) where toOpenApi _ = toOpenApi @api Proxy - & setResponse 403 (return $ mempty & description .~ descr) + -- If there is already 'Permit' on deeper API levels with 403 response, + -- we should not override it. It may have stricter restrictions, that + -- need to be represented in Swagger. + & setResponseWith const 403 (return $ mempty & description .~ descr) where descr = "Action not permitted. Allowed for: " <> intercalate ", " (symbolsVal (Proxy :: Proxy roles)) @@ -406,7 +412,11 @@ unauth500 = delayedFailFatal $ err500 } swaggerUiIndexBCDTemplate :: Text +#if MIN_VERSION_file_embed_lzma(0,1,0) +swaggerUiIndexBCDTemplate = $$(embedText "index.html.tmpl") +#else swaggerUiIndexBCDTemplate = $(embedText "index.html.tmpl") +#endif -- | Version of 'Servant.Swagger.UI.swaggerSchemaUIServer' that uses -- our @index.html@ template to enable PKCE auth flow and prefill diff --git a/web-template.cabal b/web-template.cabal index 70703ce..e485cff 100644 --- a/web-template.cabal +++ b/web-template.cabal @@ -1,5 +1,5 @@ name: web-template -version: 0.1.3.15 +version: 0.1.3.16 synopsis: Web template description: Web template includes: @@ -22,9 +22,10 @@ cabal-version: >=1.10 tested-with: GHC ==8.10.7 || ==9.0.2 - || ==9.2.7 - || ==9.4.5 - || ==9.6.2 + || ==9.2.8 + || ==9.4.8 + || ==9.6.6 + || ==9.8.4 library hs-source-dirs: src
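Review bot: `setResponseWith const 403` in the `HasOpenApi (Permit roles :> api)` instance keeps any 403 response the inner API already declares, whether or not a deeper `Permit` produced it, so the outer role list is dropped from the spec in both cases. The new comment assumes the deeper layer is the stricter one; if the outer `Permit` is narrower and both checks run at request time (not visible in this hunk), the generated document advertises a wider allow-list than the server enforces. I would pass a combining function that appends the outer description to the existing one instead of `const`, or at least extend the comment with `-- NB: any existing 403 wins, including one not set by 'Permit'; outer roles are then not documented.` The instance head starts above the hunk.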