pixie-io
diff --git a/‎go.mod‎
Lines changed: 3 additions & 12 deletions b/‎go.mod‎
Lines changed: 3 additions & 12 deletions
diff --git a/‎go.sum‎
Lines changed: 6 additions & 151 deletions b/‎go.sum‎
Lines changed: 6 additions & 151 deletions
diff --git a/‎go_deps.bzl‎
Lines changed: 19 additions & 201 deletions b/‎go_deps.bzl‎
Lines changed: 19 additions & 201 deletions
diff --git a/‎src/cloud/shared/idprovider/BUILD.bazel‎
Lines changed: 2 additions & 7 deletions b/‎src/cloud/shared/idprovider/BUILD.bazel‎
Lines changed: 2 additions & 7 deletions
diff --git a/‎src/cloud/shared/idprovider/client.go‎
Lines changed: 37 additions & 56 deletions b/‎src/cloud/shared/idprovider/client.go‎
Lines changed: 37 additions & 56 deletions
diff --git a/‎src/cloud/shared/idprovider/client_test.go‎
Lines changed: 30 additions & 33 deletions b/‎src/cloud/shared/idprovider/client_test.go‎
Lines changed: 30 additions & 33 deletions
@@ -22,8 +22,6 @@ require (
 	github.com/fatih/color v1.14.1
 	github.com/gdamore/tcell v1.3.0
 	github.com/getsentry/sentry-go v0.20.0
-	github.com/go-openapi/runtime v0.19.26
-	github.com/go-openapi/strfmt v0.21.3
 	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang-migrate/migrate v3.5.4+incompatible
@@ -50,7 +48,7 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/olivere/elastic/v7 v7.0.12
 	github.com/ory/dockertest/v3 v3.8.1
-	github.com/ory/hydra-client-go v1.9.2
+	github.com/ory/hydra-client-go/v2 v2.2.0
 	github.com/ory/kratos-client-go v1.3.8
 	github.com/phayes/freeport v0.0.0-20171002181615-b8543db493a5
 	github.com/prometheus/client_golang v1.14.0
@@ -80,7 +78,7 @@ require (
 	golang.org/x/exp v0.0.0-20230307190834-24139beb5833
 	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.36.0
-	golang.org/x/oauth2 v0.6.0
+	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
 	golang.org/x/term v0.29.0
@@ -151,14 +149,9 @@ require (
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/spec v0.20.8 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/goccy/go-yaml v1.9.8 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
@@ -244,7 +237,6 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 	github.com/xanzy/ssh-agent v0.2.1 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
@@ -256,7 +248,6 @@ require (
 	go.etcd.io/etcd/client/v2 v2.305.8 // indirect
 	go.etcd.io/etcd/pkg/v3 v3.5.8 // indirect
 	go.etcd.io/etcd/raft/v3 v3.5.8 // indirect
-	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
@@ -276,7 +267,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.29.1 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/launchdarkly/go-jsonstream.v1 v1.0.1 // indirect
 
@@ -24,12 +24,8 @@ go_library(
     visibility = ["//src/cloud:__subpackages__"],
     deps = [
         "//src/shared/services/handler",
-        "@com_github_go_openapi_runtime//client",
-        "@com_github_go_openapi_strfmt//:strfmt",
         "@com_github_gorilla_sessions//:sessions",
-        "@com_github_ory_hydra_client_go//client",
-        "@com_github_ory_hydra_client_go//client/admin",
-        "@com_github_ory_hydra_client_go//models",
+        "@com_github_ory_hydra_client_go_v2//:hydra-client-go",
         "@com_github_ory_kratos_client_go//:kratos-client-go",
         "@com_github_sirupsen_logrus//:logrus",
         "@com_github_spf13_pflag//:pflag",
@@ -47,8 +43,7 @@ pl_go_test(
     embed = [":idprovider"],
     deps = [
         "@com_github_gorilla_sessions//:sessions",
-        "@com_github_ory_hydra_client_go//client/admin",
-        "@com_github_ory_hydra_client_go//models",
+        "@com_github_ory_hydra_client_go_v2//:hydra-client-go",
         "@com_github_ory_kratos_client_go//:kratos-client-go",
         "@com_github_stretchr_testify//assert",
         "@com_github_stretchr_testify//require",
 
@@ -31,12 +31,8 @@ import (
 	"os"
 	"strings"
 
-	httptransport "github.com/go-openapi/runtime/client"
-	"github.com/go-openapi/strfmt"
 	"github.com/gorilla/sessions"
-	hydra "github.com/ory/hydra-client-go/client"
-	hydraAdmin "github.com/ory/hydra-client-go/client/admin"
-	hydraModels "github.com/ory/hydra-client-go/models"
+	hydra "github.com/ory/hydra-client-go/v2"
 	kratos "github.com/ory/kratos-client-go"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
@@ -89,10 +85,10 @@ type HydraKratosConfig struct {
 const HydraLoginStateKey string = "hydra_login_state"
 
 type hydraAdminClientService interface {
-	AcceptConsentRequest(params *hydraAdmin.AcceptConsentRequestParams) (*hydraAdmin.AcceptConsentRequestOK, error)
-	AcceptLoginRequest(params *hydraAdmin.AcceptLoginRequestParams) (*hydraAdmin.AcceptLoginRequestOK, error)
-	GetConsentRequest(params *hydraAdmin.GetConsentRequestParams) (*hydraAdmin.GetConsentRequestOK, error)
-	IntrospectOAuth2Token(params *hydraAdmin.IntrospectOAuth2TokenParams) (*hydraAdmin.IntrospectOAuth2TokenOK, error)
+	AcceptOAuth2ConsentRequest(context.Context) hydra.OAuth2APIAcceptOAuth2ConsentRequestRequest
+	AcceptOAuth2LoginRequest(context.Context) hydra.OAuth2APIAcceptOAuth2LoginRequestRequest
+	GetOAuth2ConsentRequest(context.Context) hydra.OAuth2APIGetOAuth2ConsentRequestRequest
+	IntrospectOAuth2Token(context.Context) hydra.OAuth2APIIntrospectOAuth2TokenRequest
 }
 
 type kratosPublicClientService interface {
@@ -142,17 +138,18 @@ func createHTTPClient() (*http.Client, error) {
 	return client, nil
 }
 
-func createRuntime(path string, client *http.Client) (*httptransport.Runtime, error) {
-	u, err := url.Parse(path)
+func createHydraClient(host string, client *http.Client) (*hydra.APIClient, error) {
+	u, err := url.Parse(host)
 	if err != nil {
 		return nil, err
 	}
-	return httptransport.NewWithClient(
-		u.Host,
-		u.Path,
-		[]string{u.Scheme},
-		client,
-	), nil
+
+	conf := hydra.NewConfiguration()
+	conf.Host = u.Host
+	conf.Scheme = u.Scheme
+	conf.Servers = hydra.ServerConfigurations{{URL: host}}
+	conf.HTTPClient = client
+	return hydra.NewAPIClient(conf), nil
 }
 
 func createKratosClient(host string, client *http.Client) (*kratos.APIClient, error) {
@@ -180,12 +177,10 @@ func NewHydraKratosClientFromConfig(cfg *HydraKratosConfig) (*HydraKratosClient,
 		}
 	}
 
-	hydraAdminRuntime, err := createRuntime(cfg.HydraAdminHost, httpClient)
+	hydraAdminClient, err := createHydraClient(cfg.HydraAdminHost, httpClient)
 	if err != nil {
 		return nil, err
 	}
-	// We specify the Admin client to avoid confusing bugs because the Public client is held behind a different endpoint.
-	hydraAdminClient := hydra.New(hydraAdminRuntime, strfmt.NewFormats()).Admin
 
 	// One can theoretically send public requests to the Admin Host but then kratos will
 	// 302 the requests to the public host/port.
@@ -205,7 +200,7 @@ func NewHydraKratosClientFromConfig(cfg *HydraKratosConfig) (*HydraKratosClient,
 	return &HydraKratosClient{
 		Config:             cfg,
 		httpClient:         httpClient,
-		hydraAdminClient:   hydraAdminClient,
+		hydraAdminClient:   hydraAdminClient.OAuth2API,
 		kratosAdminClient:  kratosAdminClient.IdentityAPI,
 		kratosPublicClient: kratosPublicClient.FrontendAPI,
 	}, nil
@@ -374,19 +369,14 @@ type RedirectResponse struct {
 // AcceptHydraLogin sends a request to accept the login on the hydra endpoint.
 func (c *HydraKratosClient) AcceptHydraLogin(ctx context.Context, challenge string, whoamiResp *Whoami) (*RedirectResponse, error) {
 	subject := whoamiResp.ID()
-	params := &hydraAdmin.AcceptLoginRequestParams{
-		Body: &hydraModels.AcceptLoginRequest{
-			Context: whoamiResp.kratosSession,
-			Subject: &subject,
-		},
-		LoginChallenge: challenge,
-		Context:        ctx,
-	}
-	resp, err := c.hydraAdminClient.AcceptLoginRequest(params)
+	body := hydra.NewAcceptOAuth2LoginRequest(subject)
+	body.SetContext(whoamiResp.kratosSession)
+	
+	resp, _, err := c.hydraAdminClient.AcceptOAuth2LoginRequest(ctx).LoginChallenge(challenge).AcceptOAuth2LoginRequest(*body).Execute()
 	if err != nil {
 		return nil, err
 	}
-	return &RedirectResponse{RedirectTo: resp.GetPayload().RedirectTo}, nil
+	return &RedirectResponse{RedirectTo: &resp.RedirectTo}, nil
 }
 
 // InterceptHydraUserConsent performs the user consent flow bypassing normal user interaction. Hydra uses
@@ -432,43 +422,35 @@ func (c *HydraKratosClient) AcceptConsent(ctx context.Context, challenge string)
 	if challenge == "" {
 		return nil, fmt.Errorf("challenge is empty")
 	}
-	resp, err := c.hydraAdminClient.GetConsentRequest(&hydraAdmin.GetConsentRequestParams{
-		ConsentChallenge: challenge,
-		Context:          ctx,
-	})
+	resp, _, err := c.hydraAdminClient.GetOAuth2ConsentRequest(ctx).ConsentChallenge(challenge).Execute()
 	if err != nil {
 		log.Debug("error on hydra.consentRequest:")
 		return nil, err
 	}
 
-	if resp.GetPayload() == nil {
+	if resp == nil {
 		log.Debug("consent request payload is empty")
-		return nil, err
+		return nil, fmt.Errorf("consent request payload is empty")
 	}
 
-	consentRequest := resp.GetPayload()
-
 	// We only trust the client that's passed in as a config here. In the future we might want to support other clients
 	// at which point we will want to actually ask for permission from the user.
 
 	// TODO(ddelnano): This needs cannot be hard coded to auth-code-client, but should be set in the config.
-	// if consentRequest.Client.ClientID != c.Config.HydraClientID {
-	// 	return nil, fmt.Errorf("'%s' not an allowed client", consentRequest.Client.ClientID)
+	// if resp.Client.ClientId != c.Config.HydraClientID {
+	// 	return nil, fmt.Errorf("'%s' not an allowed client", resp.Client.ClientId)
 	// }
 
-	acceptResp, err := c.hydraAdminClient.AcceptConsentRequest(&hydraAdmin.AcceptConsentRequestParams{
-		Body: &hydraModels.AcceptConsentRequest{
-			GrantScope:               consentRequest.RequestedScope,
-			GrantAccessTokenAudience: consentRequest.RequestedAccessTokenAudience,
-		},
-		ConsentChallenge: challenge,
-		Context:          ctx,
-	})
+	body := hydra.NewAcceptOAuth2ConsentRequest()
+	body.SetGrantScope(resp.RequestedScope)
+	body.SetGrantAccessTokenAudience(resp.RequestedAccessTokenAudience)
+
+	acceptResp, _, err := c.hydraAdminClient.AcceptOAuth2ConsentRequest(ctx).ConsentChallenge(challenge).AcceptOAuth2ConsentRequest(*body).Execute()
 	if err != nil {
 		log.Debug("error on hydra.AcceptConsentRequest:")
 		return nil, err
 	}
-	return &RedirectResponse{RedirectTo: acceptResp.GetPayload().RedirectTo}, nil
+	return &RedirectResponse{RedirectTo: &acceptResp.RedirectTo}, nil
 }
 
 // HandleLogin handles the login for Hydra and Kratos.
@@ -554,16 +536,15 @@ func (c *HydraKratosClient) SessionKey() string {
 
 // GetUserIDFromToken returns the userID from the subject portion of the access token.
 func (c *HydraKratosClient) GetUserIDFromToken(ctx context.Context, token string) (string, error) {
-	params := &hydraAdmin.IntrospectOAuth2TokenParams{
-		Context: ctx,
-		Token:   token,
-	}
-	res, err := c.hydraAdminClient.IntrospectOAuth2Token(params)
+	res, _, err := c.hydraAdminClient.IntrospectOAuth2Token(ctx).Token(token).Execute()
 	if err != nil {
 		return "", err
 	}
 
-	return res.GetPayload().Sub, nil
+	if res.Sub == nil {
+		return "", fmt.Errorf("token introspection returned nil subject")
+	}
+	return *res.Sub, nil
 }
 
 // KratosUserInfo contains the user information format as stored in Kratos.
 
@@ -26,8 +26,7 @@ import (
 	"testing"
 
 	"github.com/gorilla/sessions"
-	hydraAdmin "github.com/ory/hydra-client-go/client/admin"
-	hydraModels "github.com/ory/hydra-client-go/models"
+	hydra "github.com/ory/hydra-client-go/v2"
 	kratos "github.com/ory/kratos-client-go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -45,7 +44,7 @@ type testClientConfig struct {
 	idpConsentPath          string
 	hydraBrowserURL         string
 	hydraConsentPath        string
-	introspectOAuth2TokenFn *func(params *hydraAdmin.IntrospectOAuth2TokenParams) (*hydraAdmin.IntrospectOAuth2TokenOK, error)
+	introspectOAuth2TokenFn func(string) (*hydra.IntrospectOAuth2TokenResponse, error)
 }
 
 func fillDefaults(p *testClientConfig) *testClientConfig {
@@ -97,11 +96,9 @@ func makeClientFromConfig(t *testing.T, p *testClientConfig) (*HydraKratosClient
 		http.Redirect(w, r, consentURL.String(), http.StatusFound)
 	}))
 
-	acceptConsentRequestFn := func(params *hydraAdmin.AcceptConsentRequestParams) (*hydraAdmin.AcceptConsentRequestOK, error) {
-		return &hydraAdmin.AcceptConsentRequestOK{
-			Payload: &hydraModels.CompletedRequest{
-				RedirectTo: &p.postLoginRedirect,
-			},
+	acceptConsentRequestFn := func(challenge string, body *hydra.AcceptOAuth2ConsentRequest) (*hydra.OAuth2RedirectTo, error) {
+		return &hydra.OAuth2RedirectTo{
+			RedirectTo: &p.postLoginRedirect,
 		}, nil
 	}
 
@@ -116,7 +113,7 @@ func makeClientFromConfig(t *testing.T, p *testClientConfig) (*HydraKratosClient
 		hydraAdminClient: &fakeHydraAdminClient{
 			introspectOAuth2TokenFn: p.introspectOAuth2TokenFn,
 			redirect:                p.hydraBrowserURL + p.hydraConsentPath,
-			acceptConsentRequestFn:  &acceptConsentRequestFn,
+			acceptConsentRequestFn:  acceptConsentRequestFn,
 		},
 		kratosPublicClient: &kratosFakeAPI{},
 		kratosAdminClient:  &kratosFakeAPI{},
@@ -238,15 +235,18 @@ func TestRedirectToLogin(t *testing.T) {
 
 func TestAcceptHydraLogin(t *testing.T) {
 	loginChallenge := "abcdefgh"
-	acceptLoginRequestFn := func(params *hydraAdmin.AcceptLoginRequestParams) (*hydraAdmin.AcceptLoginRequestOK, error) {
+	acceptLoginRequestFn := func(challenge string, body *hydra.AcceptOAuth2LoginRequest) (*hydra.OAuth2RedirectTo, error) {
 		// Make sure the loginChallenge is forwarded.
-		assert.Equal(t, params.LoginChallenge, loginChallenge)
-		// Call the original login request to handle the rest.
-		return (&fakeHydraAdminClient{}).AcceptLoginRequest(params)
+		assert.Equal(t, challenge, loginChallenge)
+		// Return a redirect response
+		redirect := "/redirect"
+		return &hydra.OAuth2RedirectTo{
+			RedirectTo: &redirect,
+		}, nil
 	}
 	c, cleanup := makeClient(t)
 	c.hydraAdminClient = &fakeHydraAdminClient{
-		acceptLoginRequestFn: &acceptLoginRequestFn,
+		acceptLoginRequestFn: acceptLoginRequestFn,
 	}
 	defer cleanup()
 
@@ -309,35 +309,32 @@ func TestInterceptHydraConsent(t *testing.T) {
 
 func TestAcceptConsent(t *testing.T) {
 	consentChallenge := "123456789"
-	getConsentRequestFn := func(params *hydraAdmin.GetConsentRequestParams) (*hydraAdmin.GetConsentRequestOK, error) {
-		assert.Equal(t, consentChallenge, params.ConsentChallenge)
-		return &hydraAdmin.GetConsentRequestOK{
-			Payload: &hydraModels.ConsentRequest{
-				Client: &hydraModels.OAuth2Client{
-					ClientID: "hydra_client_id",
-				},
-				RequestedScope:               []string{"openid", "offline"},
-				RequestedAccessTokenAudience: []string{"api"},
+	getConsentRequestFn := func(challenge string) (*hydra.OAuth2ConsentRequest, error) {
+		assert.Equal(t, consentChallenge, challenge)
+		clientID := "hydra_client_id"
+		return &hydra.OAuth2ConsentRequest{
+			Client: &hydra.OAuth2Client{
+				ClientId: &clientID,
 			},
+			RequestedScope:               []string{"openid", "offline"},
+			RequestedAccessTokenAudience: []string{"api"},
 		}, nil
 	}
 	redirectURL := "/oauth2/auth"
-	acceptConsentRequestFn := func(params *hydraAdmin.AcceptConsentRequestParams) (*hydraAdmin.AcceptConsentRequestOK, error) {
-		assert.ElementsMatch(t, []string{"openid", "offline"}, params.Body.GrantScope)
-		assert.ElementsMatch(t, []string{"api"}, params.Body.GrantAccessTokenAudience)
-		assert.Equal(t, consentChallenge, params.ConsentChallenge)
-		return &hydraAdmin.AcceptConsentRequestOK{
-			Payload: &hydraModels.CompletedRequest{
-				RedirectTo: &redirectURL,
-			},
+	acceptConsentRequestFn := func(challenge string, body *hydra.AcceptOAuth2ConsentRequest) (*hydra.OAuth2RedirectTo, error) {
+		assert.ElementsMatch(t, []string{"openid", "offline"}, body.GrantScope)
+		assert.ElementsMatch(t, []string{"api"}, body.GrantAccessTokenAudience)
+		assert.Equal(t, consentChallenge, challenge)
+		return &hydra.OAuth2RedirectTo{
+			RedirectTo: &redirectURL,
 		}, nil
 	}
 	hydraAdminClient := &fakeHydraAdminClient{
 		redirect:               "/",
 		consentChallenge:       consentChallenge,
 		oauthClientID:          "hydra_client_id",
-		getConsentRequestFn:    &getConsentRequestFn,
-		acceptConsentRequestFn: &acceptConsentRequestFn,
+		getConsentRequestFn:    getConsentRequestFn,
+		acceptConsentRequestFn: acceptConsentRequestFn,
 	}
 	c := HydraKratosClient{
 		Config: &HydraKratosConfig{