From aefa80623ee942254653b03ef4b273ae2779af0e Mon Sep 17 00:00:00 2001
From: Henning Perl <henning.perl@ory.sh>
Date: Tue, 28 Jan 2025 15:15:30 +0100
Subject: [PATCH] fix: allow patching some /credentials sub-paths (#4277)

<!--
Describe the big picture of your changes here to communicate to the
maintainers why we should accept this pull request.

This text will be included in the changelog. If applicable, include
links to documentation or pieces of code.
If your change includes breaking changes please add a code block
documenting the breaking change:

```
BREAKING CHANGES: This patch changes the behavior of configuration item `foo` to do bar. To keep the existing
behavior please do baz.
```
-->

## Related issue(s)

<!--
If this pull request

1. is a fix for a known bug, link the issue where the bug was reported
in the format of `#1234`;
2. is a fix for a previously unknown bug, explain the bug and how to
reproduce it in this pull request;
3. implements a new feature, link the issue containing the design
document in the format of `#1234`;
4. improves the documentation, no issue reference is required.

Pull requests introducing new features, which do not have a design
document linked are more likely to be rejected and take on average 2-8
weeks longer to
get merged.

You can discuss changes with maintainers either in the Github
Discussions in this repository or
join the [Ory Chat](https://www.ory.sh/chat).
-->

## Checklist

<!--
Put an `x` in the boxes that apply. You can also fill these out after
creating the PR.

Please be aware that pull requests must have all boxes ticked in order
to be merged.

If you're unsure about any of them, don't hesitate to ask. We're here to
help!
-->

- [ ] I have read the [contributing
guidelines](../blob/master/CONTRIBUTING.md).
- [ ] I have referenced an issue containing the design document if my
change
      introduces a new feature.
- [ ] I am following the
[contributing code
guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
- [ ] I have read the [security policy](../security/policy).
- [ ] I confirm that this pull request does not address a security
vulnerability. If this pull request addresses a security vulnerability,
I
      confirm that I got the approval (please contact
[security@ory.sh](mailto:security@ory.sh)) from the maintainers to push
      the changes.
- [ ] I have added tests that prove my fix is effective or that my
feature
      works.
- [ ] I have added or changed [the
documentation](https://github.com/ory/docs).

## Further Comments

<!--
If this is a relatively large or complex change, kick off the discussion
by explaining why you chose the solution
you did and what alternatives you considered, etc...
-->
---
 identity/handler.go      | 2 +-
 identity/handler_test.go | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/identity/handler.go b/identity/handler.go
index 938344fb48fc..759db3306cf7 100644
--- a/identity/handler.go
+++ b/identity/handler.go
@@ -916,7 +916,7 @@ func (h *Handler) patch(w http.ResponseWriter, r *http.Request, ps httprouter.Pa
 
 	patchedIdentity := WithAdminMetadataInJSON(*identity)
 
-	if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/**"); err != nil {
+	if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/oidc/**"); err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(
 			herodot.
 				ErrBadRequest.
diff --git a/identity/handler_test.go b/identity/handler_test.go
index 2d002b9ee056..0b9b6ec2f3b2 100644
--- a/identity/handler_test.go
+++ b/identity/handler_test.go
@@ -1227,7 +1227,7 @@ func TestHandler(t *testing.T) {
 		}
 	})
 
-	t.Run("case=PATCH should fail to update credential password", func(t *testing.T) {
+	t.Run("case=PATCH should allow to update credential password", func(t *testing.T) {
 		uuid := x.NewUUID().String()
 		email := uuid + "@ory.sh"
 		password := "ljanf123akf"
@@ -1247,9 +1247,12 @@ func TestHandler(t *testing.T) {
 					{"op": "replace", "path": "/credentials/password/config/hashed_password", "value": "foo"},
 				}
 
-				res := send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusBadRequest, &patch)
+				send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusOK, &patch)
 
-				assert.EqualValues(t, "patch includes denied path: /credentials/password/config/hashed_password", res.Get("error.message").String(), "%s", res.Raw)
+				updated, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, i.ID)
+				require.NoError(t, err)
+				assert.Equal(t, "foo",
+					gjson.GetBytes(updated.Credentials[identity.CredentialsTypePassword].Config, "hashed_password").String())
 			})
 		}
 	})