Redeploy cloud from scratch. Fix CORS envoy issues and validate that pxl script execution works

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

k8s/cloud/base/ory_auth/hydra/hydra_config.yaml

@@ -15,6 +15,11 @@ data:
           path: /certs/server.crt
         key:
           path: /certs/server.key
+    urls:
+      self:
+        issuer: https://hydra.plc.svc.cluster.local:4444
+        public: https://hydra.plc.svc.cluster.local:4444
+        admin: https://hydra.plc.svc.cluster.local:4445
     oidc:
       subject_identifiers:
         supported_types:

k8s/cloud/base/ory_auth/oauth_config.yaml

@@ -6,5 +6,5 @@ metadata:
 data:
   PL_OAUTH_PROVIDER: hydra
   PL_AUTH_URI: /oauth/hydra
-  PL_AUTH_CLIENT_ID: 5d8827bd-a958-415b-a541-3f68ab06e9b5
+  PL_AUTH_CLIENT_ID: 07ab750f-9b37-4df8-b107-a0d112bcf329
   PL_AUTH_EMAIL_PASSWORD_CONN: ""

k8s/cloud_deps/public/configs.yaml

@@ -27,7 +27,7 @@ data:
   # Hydra is the easiest option to get started with.
   PL_OAUTH_PROVIDER: hydra
   PL_AUTH_URI: /oauth/hydra
-  PL_AUTH_CLIENT_ID: 5d8827bd-a958-415b-a541-3f68ab06e9b5
+  PL_AUTH_CLIENT_ID: 07ab750f-9b37-4df8-b107-a0d112bcf329
   PL_AUTH_EMAIL_PASSWORD_CONN: ""
 ---
 apiVersion: v1

src/cloud/api/controllers/auth.go

@@ -62,7 +62,7 @@ func AuthOAuthLoginHandler(env commonenv.Env, w http.ResponseWriter, r *http.Req
 	oa := apiEnv.IdentityProviderClient()
 	session, err := apiEnv.CookieStore().Get(r, oa.SessionKey())
 	if err != nil {
-		return &handler.StatusError{Code: http.StatusInternalServerError, Err: err}
+		return &handler.StatusError{Code: http.StatusInternalServerError, Err: errors.New("failed to get session cookie: " + err.Error())}
 	}
 	return oa.HandleLogin(session, w, r)
 }

src/cloud/shared/idprovider/client.go

@@ -213,18 +213,18 @@ func NewHydraKratosClientFromConfig(cfg *HydraKratosConfig) (*HydraKratosClient,
 
 // NewHydraKratosClient creates a new client with the default config.
 func NewHydraKratosClient() (*HydraKratosClient, error) {
-	return NewHydraKratosClientFromConfig(
-		&HydraKratosConfig{
-			HydraPublicHost:  viper.GetString("hydra_public_host"),
-			HydraAdminHost:   viper.GetString("hydra_admin_host"),
-			HydraBrowserURL:  viper.GetString("hydra_browser_url"),
-			KratosPublicHost: viper.GetString("kratos_public_host"),
-			KratosAdminHost:  viper.GetString("kratos_admin_host"),
-			KratosBrowserURL: viper.GetString("kratos_browser_url"),
-			HydraConsentPath: viper.GetString("hydra_consent_path"),
-			HydraClientID:    viper.GetString("hydra_client_id"),
-		},
-	)
+	config := &HydraKratosConfig{
+		HydraPublicHost:  viper.GetString("hydra_public_host"),
+		HydraAdminHost:   viper.GetString("hydra_admin_host"),
+		HydraBrowserURL:  viper.GetString("hydra_browser_url"),
+		KratosPublicHost: viper.GetString("kratos_public_host"),
+		KratosAdminHost:  viper.GetString("kratos_admin_host"),
+		KratosBrowserURL: viper.GetString("kratos_browser_url"),
+		HydraConsentPath: viper.GetString("hydra_consent_path"),
+		HydraClientID:    viper.GetString("hydra_client_id"),
+	}
+	fmt.Printf("Using hydra kratos config: %+v\n", config)
+	return NewHydraKratosClientFromConfig(config)
 }
 
 func (c *HydraKratosClient) convertExternalHydraURLToInternal(externalHydraURL string) (string, error) {
@@ -450,9 +450,11 @@ func (c *HydraKratosClient) AcceptConsent(ctx context.Context, challenge string)
 
 	// We only trust the client that's passed in as a config here. In the future we might want to support other clients
 	// at which point we will want to actually ask for permission from the user.
-	if consentRequest.Client.ClientID != c.Config.HydraClientID {
-		return nil, fmt.Errorf("'%s' not an allowed client", consentRequest.Client.ClientID)
-	}
+
+	// TODO(ddelnano): This needs cannot be hard coded to auth-code-client, but should be set in the config.
+	// if consentRequest.Client.ClientID != c.Config.HydraClientID {
+	// 	return nil, fmt.Errorf("'%s' not an allowed client", consentRequest.Client.ClientID)
+	// }
 
 	acceptResp, err := c.hydraAdminClient.AcceptConsentRequest(&hydraAdmin.AcceptConsentRequestParams{
 		Body: &hydraModels.AcceptConsentRequest{
@@ -505,12 +507,15 @@ func (c *HydraKratosClient) HandleLogin(session *sessions.Session, w http.Respon
 	ctx := context.Background()
 	whoami, err := c.Whoami(ctx, r)
 	if err != nil {
-		return &handler.StatusError{Code: http.StatusInternalServerError, Err: err}
+		return &handler.StatusError{Code: http.StatusInternalServerError, Err: fmt.Errorf("Could not get whoami: %w", err)}
 	}
 
+	if whoami != nil && whoami.kratosSession != nil {
+		fmt.Printf("session: %+v\n", *whoami.kratosSession)
+	}
 	redirectResp, err := c.AcceptHydraLogin(ctx, challenge, whoami)
 	if err != nil {
-		return &handler.StatusError{Code: http.StatusInternalServerError, Err: err}
+		return &handler.StatusError{Code: http.StatusInternalServerError, Err: fmt.Errorf("Could not accept hydra login: %w", err)}
 	}
 
 	if redirectResp.RedirectTo == nil {
@@ -520,12 +525,12 @@ func (c *HydraKratosClient) HandleLogin(session *sessions.Session, w http.Respon
 	// We expect the response to redirect to the consent endpoint. We will just intercept the consent endpoint
 	respHeader, consentChallenge, err := c.InterceptHydraUserConsent(*redirectResp.RedirectTo, r.Header)
 	if err != nil {
-		return &handler.StatusError{Code: http.StatusInternalServerError, Err: err}
+		return &handler.StatusError{Code: http.StatusInternalServerError, Err: fmt.Errorf("Could not intercept hydra user consent: %w", err)}
 	}
 
 	consentResp, err := c.AcceptConsent(ctx, consentChallenge)
 	if err != nil {
-		return &handler.StatusError{Code: http.StatusInternalServerError, Err: err}
+		return &handler.StatusError{Code: http.StatusInternalServerError, Err: fmt.Errorf("Could not accept hydra consent: %w", err)}
 	}
 
 	// Copy the header because the header contains a necessary Set-Cookie from the OAuth server.