cmd: Deprecates connect command and introduces configurable credentials

This patch deprecates the `hydra connect` command as internal
access control has been removed from ORY Hydra and this command
no longer serves any purpose.

Instead, all commands are supplied with environment variables `HYDRA_URL`,
`OAUTH2_CLIENT_ID`, `OAUTH2_CLIENT_SECRET`, `OAUTH2_ACCESS_TOKEN`.

Please check out `hydra help <command>` for usage instructions. You
should also check out the upgrade guide for more detailed upgrade instructions.

This patch also renames some flags and command names which have been
documented in the upgrade guide.

Closes #841
Closes #840

UPGRADE.md

@@ -78,7 +78,10 @@ Additionally, flag `--dangerous-force-auto-logon` has been removed it has no eff
 
 ##### Access Control & `hydra connect`
 
-WHAT HAPPENED TO THIS COMMAND? TBD
+The command `hydra connect` has been removed as it no longer serves a purpose now that the internal access control
+has been removed. Every command you call now needs the environment variable `HYDRA_URL` (previously named `CLUSTER_URL`)
+which should point to ORY Hydra's URL. Removing this command has an additional benefit - privileged client IDs and secrets
+will no longer be stored in a plaintext file on your system if you use this command.
 
 As access control has been removed, most commands (except `token user`, `token client`, `token revoke`, `token introspect`)
 work without supplying any credentials at all. The listed exceptions support setting an OAuth 2.0 Client ID and Client Secret
@@ -87,6 +90,12 @@ using flags `--client-id` and `--client-secret` or environment variables `OAUTH2
 All other commands, such as `hydra clients create`, still support scenarios where you would need an OAuth2 Access Token.
 In those cases, you can supply the access token using flag `--access-token` or environment variable `OAUTH2_ACCESS_TOKEN`.
 
+All commands now support the `--endpoint` flag which sets the `HYDRA_URL` in case you don't want to use environment variables.
+
+#### `hydra token user`
+
+Flags `--id` and `--secret` are now called `--client-id` and `--client-secret`.
+
 #### `hydra token validate`
 
 This command has been renamed to `hydra token introspect` to properly reflect that you are performing OAuth 2.0

cmd/cli/handler.go

@@ -25,19 +25,19 @@ import (
 )
 
 type Handler struct {
-	Clients   *ClientHandler
-	Keys      *JWKHandler
-	Warden    *IntrospectionHandler
-	Token     *TokenHandler
-	Migration *MigrateHandler
+	Clients       *ClientHandler
+	Keys          *JWKHandler
+	Introspection *IntrospectionHandler
+	Token         *TokenHandler
+	Migration     *MigrateHandler
 }
 
 func NewHandler(c *config.Config) *Handler {
 	return &Handler{
-		Clients:   newClientHandler(c),
-		Keys:      newJWKHandler(c),
-		Warden:    newIntrospectionHandler(c),
-		Token:     newTokenHandler(c),
-		Migration: newMigrateHandler(c),
+		Clients:       newClientHandler(c),
+		Keys:          newJWKHandler(c),
+		Introspection: newIntrospectionHandler(c),
+		Token:         newTokenHandler(c),
+		Migration:     newMigrateHandler(c),
 	}
 }

cmd/cli/handler_client.go

@@ -21,13 +21,13 @@
 package cli
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
 	"strings"
 
-	"net/http"
-
 	"github.com/ory/hydra/config"
 	"github.com/ory/hydra/pkg"
 	hydra "github.com/ory/hydra/sdk/go/hydra/swagger"
@@ -45,13 +45,21 @@ func newClientHandler(c *config.Config) *ClientHandler {
 }
 
 func (h *ClientHandler) newClientManager(cmd *cobra.Command) *hydra.OAuth2Api {
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash())
-	c.Configuration.Transport = h.Config.OAuth2Client(cmd).Transport
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+
+	fakeTlsTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
+	c.Configuration.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: fakeTlsTermination},
+	}
 
 	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
 		c.Configuration.DefaultHeader["X-Forwarded-Proto"] = "https"
 	}
 
+	if token, _ := cmd.Flags().GetString("access-token"); token != "" {
+		c.Configuration.DefaultHeader["Authorization"] = "Bearer " + token
+	}
+
 	return c
 }
 
@@ -81,7 +89,7 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 	m := h.newClientManager(cmd)
 	responseTypes, _ := cmd.Flags().GetStringSlice("response-types")
 	grantTypes, _ := cmd.Flags().GetStringSlice("grant-types")
-	allowedScopes, _ := cmd.Flags().GetStringSlice("allowed-scopes")
+	allowedScopes, _ := cmd.Flags().GetStringSlice("scope")
 	callbacks, _ := cmd.Flags().GetStringSlice("callbacks")
 	name, _ := cmd.Flags().GetString("name")
 	secret, _ := cmd.Flags().GetString("secret")

cmd/cli/handler_introspection.go

@@ -21,6 +21,7 @@
 package cli
 
 import (
+	"crypto/tls"
 	//"context"
 	//"encoding/json"
 	"fmt"
@@ -45,14 +46,29 @@ func newIntrospectionHandler(c *config.Config) *IntrospectionHandler {
 	}
 }
 
-func (h *IntrospectionHandler) IsAuthorized(cmd *cobra.Command, args []string) {
+func (h *IntrospectionHandler) Introspect(cmd *cobra.Command, args []string) {
 	if len(args) != 1 {
 		fmt.Print(cmd.UsageString())
 		return
 	}
 
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash())
-	c.Configuration.Transport = h.Config.OAuth2Client(cmd).Transport
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+
+	clientID, _ := cmd.Flags().GetString("client-id")
+	clientSecret, _ := cmd.Flags().GetString("client-secret")
+	if clientID == "" || clientSecret == "" {
+		fmt.Print(cmd.UsageString())
+		fmt.Println("Please provide a Client ID and Client Secret using flags --client-id and --client-secret, or environment variables OAUTH2_CLIENT_ID and OAUTH2_CLIENT_SECRET.")
+		return
+	}
+
+	c.Configuration.Username = clientID
+	c.Configuration.Password = clientSecret
+
+	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
+	c.Configuration.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSTermination},
+	}
 
 	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
 		c.Configuration.DefaultHeader["X-Forwarded-Proto"] = "https"

cmd/cli/handler_jwk.go

@@ -21,6 +21,7 @@
 package cli
 
 import (
+	"crypto/tls"
 	"fmt"
 
 	"net/http"
@@ -35,12 +36,21 @@ type JWKHandler struct {
 }
 
 func (h *JWKHandler) newJwkManager(cmd *cobra.Command) *hydra.JsonWebKeyApi {
-	c := hydra.NewJsonWebKeyApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash())
-	c.Configuration.Transport = h.Config.OAuth2Client(cmd).Transport
+	c := hydra.NewJsonWebKeyApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+
+	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
+	c.Configuration.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSTermination},
+	}
+
 	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
 		c.Configuration.DefaultHeader["X-Forwarded-Proto"] = "https"
 	}
 
+	if token, _ := cmd.Flags().GetString("access-token"); token != "" {
+		c.Configuration.DefaultHeader["Authorization"] = "Bearer " + token
+	}
+
 	return c
 }
 

cmd/cli/handler_token.go

@@ -36,12 +36,21 @@ type TokenHandler struct {
 }
 
 func (h *TokenHandler) newTokenManager(cmd *cobra.Command) *hydra.OAuth2Api {
-	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash())
-	c.Configuration.Transport = h.Config.OAuth2Client(cmd).Transport
+	c := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+
+	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
+	c.Configuration.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSTermination},
+	}
+
 	if term, _ := cmd.Flags().GetBool("fake-tls-termination"); term {
 		c.Configuration.DefaultHeader["X-Forwarded-Proto"] = "https"
 	}
 
+	if token, _ := cmd.Flags().GetString("access-token"); token != "" {
+		c.Configuration.DefaultHeader["Authorization"] = "Bearer " + token
+	}
+
 	return c
 }
 
@@ -55,9 +64,23 @@ func (h *TokenHandler) RevokeToken(cmd *cobra.Command, args []string) {
 		return
 	}
 
-	handler := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash())
-	handler.Configuration.Username = h.Config.ClientID
-	handler.Configuration.Password = h.Config.ClientSecret
+	handler := hydra.NewOAuth2ApiWithBasePath(h.Config.GetClusterURLWithoutTailingSlash(cmd))
+
+	skipTLSTermination, _ := cmd.Flags().GetBool("skip-tls-verify")
+	handler.Configuration.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSTermination},
+	}
+
+	clientID, _ := cmd.Flags().GetString("client-id")
+	clientSecret, _ := cmd.Flags().GetString("client-secret")
+	if clientID == "" || clientSecret == "" {
+		fmt.Print(cmd.UsageString())
+		fmt.Println("Please provide a Client ID and Client Secret using flags --client-id and --client-secret, or environment variables OAUTH2_CLIENT_ID and OAUTH2_CLIENT_SECRET.")
+		return
+	}
+
+	handler.Configuration.Username = clientID
+	handler.Configuration.Password = clientSecret
 
 	if skip, _ := cmd.Flags().GetBool("skip-tls-verify"); skip {
 		handler.Configuration.Transport = &http.Transport{

cmd/clients.go

@@ -21,6 +21,8 @@
 package cmd
 
 import (
+	"os"
+
 	"github.com/spf13/cobra"
 )
 
@@ -34,7 +36,9 @@ var clientsCmd = &cobra.Command{
 func init() {
 	RootCmd.AddCommand(clientsCmd)
 	//clientsCmd.PersistentFlags().Bool("dry", false, "do not execute the command but show the corresponding curl command instead")
-	clientsCmd.PersistentFlags().Bool("fake-tls-termination", false, `fake tls termination by adding "X-Forwarded-Proto: https"" to http headers`)
+	clientsCmd.PersistentFlags().Bool("fake-tls-termination", false, `Fake tls termination by adding "X-Forwarded-Proto: https" to http headers`)
+	clientsCmd.PersistentFlags().String("access-token", os.Getenv("OAUTH2_ACCESS_TOKEN"), "Set an access token to be used in the Authorization header, defaults to environment variable ACCESS_TOKEN")
+	clientsCmd.PersistentFlags().String("endpoint", os.Getenv("HYDRA_URL"), "Set the URL where ORY Hydra is hosted, defaults to environment variable HYDRA_URL")
 
 	// Here you will define your flags and configuration settings.
 

cmd/keys.go

@@ -21,6 +21,8 @@
 package cmd
 
 import (
+	"os"
+
 	"github.com/spf13/cobra"
 )
 
@@ -33,7 +35,9 @@ var keysCmd = &cobra.Command{
 func init() {
 	RootCmd.AddCommand(keysCmd)
 	//keysCmd.PersistentFlags().Bool("dry", false, "do not execute the command but show the corresponding curl command instead")
-	keysCmd.PersistentFlags().Bool("fake-tls-termination", false, `fake tls termination by adding "X-Forwarded-Proto: https"" to http headers`)
+	keysCmd.PersistentFlags().Bool("fake-tls-termination", false, `fake tls termination by adding "X-Forwarded-Proto: https" to http headers`)
+	keysCmd.PersistentFlags().String("access-token", os.Getenv("OAUTH2_ACCESS_TOKEN"), "Set an access token to be used in the Authorization header, defaults to environment variable ACCESS_TOKEN")
+	keysCmd.PersistentFlags().String("endpoint", os.Getenv("HYDRA_URL"), "Set the URL where ORY Hydra is hosted, defaults to environment variable HYDRA_URL")
 
 	// Here you will define your flags and configuration settings.
 

cmd/root.go

@@ -76,8 +76,8 @@ func init() {
 	// Cobra supports Persistent Flags, which, if defined here,
 	// will be global for your application.
 
-	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.hydra.yaml)")
-	RootCmd.PersistentFlags().Bool("skip-tls-verify", false, "foolishly accept TLS certificates signed by unkown certificate authorities")
+	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "Config file (default is $HOME/.hydra.yaml)")
+	RootCmd.PersistentFlags().Bool("skip-tls-verify", false, "Foolishly accept TLS certificates signed by unkown certificate authorities")
 
 	// Cobra also supports local flags, which will only run
 	// when this action is called directly.