zitadel/acceptance/setup.sh

#!/bin/sh

set -e

KEY=${KEY:-./machinekey/zitadel-admin-sa.json}
echo "Using key path ${KEY} to the instance admin service account."

AUDIENCE=${AUDIENCE:-http://localhost:8080}
echo "Using audience ${AUDIENCE} for which the key is used."

SERVICE=${SERVICE:-$AUDIENCE}
echo "Using the service ${SERVICE} to connect to ZITADEL. For example in docker compose this can differ from the audience."

WRITE_ENVIRONMENT_FILE=${WRITE_ENVIRONMENT_FILE:-$(dirname "$0")/../apps/login/.env.local}
echo "Writing environment file to ${WRITE_ENVIRONMENT_FILE} when done."

AUDIENCE_HOST="$(echo $AUDIENCE | cut -d/ -f3)"
echo "Deferred the Host header ${AUDIENCE_HOST} which will be sent in requests that ZITADEL then maps to a virtual instance"

JWT=$(zitadel-tools key2jwt --key ${KEY} --audience ${AUDIENCE})
echo "Created JWT from Admin service account key ${JWT}"

TOKEN_RESPONSE=$(curl -s --request POST \
  --url ${SERVICE}/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header "Host: ${AUDIENCE_HOST}" \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
  --data assertion="${JWT}")
echo "Got response from token endpoint:"
echo "${TOKEN_RESPONSE}" | jq

TOKEN=$(echo -n ${TOKEN_RESPONSE} | jq --raw-output '.access_token')
echo "Extracted access token ${TOKEN}"

ORG_RESPONSE=$(curl -s --request GET \
  --url ${SERVICE}/admin/v1/orgs/default \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer ${TOKEN}" \
  --header "Host: ${AUDIENCE_HOST}")
echo "Got default org response:"
echo "${ORG_RESPONSE}" | jq

ORG_ID=$(echo -n ${ORG_RESPONSE} | jq --raw-output '.org.id')
echo "Extracted default org id ${ORG_ID}"

ENVIRONMENT_BACKUP_FILE=${WRITE_ENVIRONMENT_FILE}
# If the original file already exists, rename it
if [[ -e ${WRITE_ENVIRONMENT_FILE} ]]; then
    if grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then
      echo "Current environment file ${WRITE_ENVIRONMENT_FILE} contains localhost. Overwriting:"
      cat ${WRITE_ENVIRONMENT_FILE}
    else
      i=0
      # If a backup file already exists, increment counter until a free filename is found
      while [[ -e ${ENVIRONMENT_BACKUP_FILE}.${i}.bak ]]; do
          let "i++"
          if [[ ${i} -eq 50 ]]; then
              echo "Warning: Too many backup files (limit is 50), overwriting ${ENVIRONMENT_BACKUP_FILE}.${i}.bak"
              break
          fi
      done
      mv ${WRITE_ENVIRONMENT_FILE} ${ENVIRONMENT_BACKUP_FILE}.${i}.bak
      echo "Renamed existing environment file to ${ENVIRONMENT_BACKUP_FILE}.${i}.bak"
    fi
fi

echo "ZITADEL_API_URL=${AUDIENCE}
ZITADEL_ORG_ID=${ORG_ID}
ZITADEL_SERVICE_USER_TOKEN=${TOKEN}" > ${WRITE_ENVIRONMENT_FILE}
echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
cat ${WRITE_ENVIRONMENT_FILE}

if ! grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then
  echo "Not developing against localhost, so creating a human user might not be necessary"
  exit 0
fi

HUMAN_USER_USERNAME="zitadel-admin@zitadel.localhost"
HUMAN_USER_PASSWORD="Password1!"

HUMAN_USER_PAYLOAD=$(cat << EOM
{
  "userName": "${HUMAN_USER_USERNAME}",
  "profile": {
    "firstName": "ZITADEL",
    "lastName": "Admin",
    "displayName": "ZITADEL Admin",
    "preferredLanguage": "en"
  },
  "email": {
    "email": "zitadel-admin@zitadel.localhost",
    "isEmailVerified": true
  },
  "password": "${HUMAN_USER_PASSWORD}",
  "passwordChangeRequired": false
}
EOM
)
echo "Creating human user"
echo "${HUMAN_USER_PAYLOAD}" | jq

HUMAN_USER_RESPONSE=$(curl -s --request POST \
  --url ${SERVICE}/management/v1/users/human/_import \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer ${TOKEN}" \
  --header "Host: ${AUDIENCE_HOST}" \
  --data-raw "${HUMAN_USER_PAYLOAD}")
echo "Create human user response"
echo "${HUMAN_USER_RESPONSE}" | jq

if [ "$(echo -n "${HUMAN_USER_RESPONSE}" | jq --raw-output '.code')" == "6" ]; then
  echo "admin user already exists"
  exit 0
fi

HUMAN_USER_ID=$(echo -n ${HUMAN_USER_RESPONSE} | jq --raw-output '.userId')
echo "Extracted human user id ${HUMAN_USER_ID}"

HUMAN_ADMIN_PAYLOAD=$(cat << EOM
{
  "userId": "${HUMAN_USER_ID}",
  "roles": [
    "IAM_OWNER"
  ]
}
EOM
)
echo "Granting iam owner to human user"
echo "${HUMAN_ADMIN_PAYLOAD}" | jq

HUMAN_ADMIN_RESPONSE=$(curl -s --request POST \
  --url ${SERVICE}/admin/v1/members \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer ${TOKEN}" \
  --header "Host: ${AUDIENCE_HOST}" \
  --data-raw "${HUMAN_ADMIN_PAYLOAD}")

echo "Grant iam owner to human user response"
echo "${HUMAN_ADMIN_RESPONSE}" | jq

echo "You can now log in at ${AUDIENCE}/ui/login"
echo "username: ${HUMAN_USER_USERNAME}"
echo "password: ${HUMAN_USER_PASSWORD}"
chore: automate setup 2023-05-19 16:20:01 +02:00			`#!/bin/sh`

finish 2023-05-19 19:46:10 +02:00			`set -e`
chore: automate setup 2023-05-19 16:20:01 +02:00
			`KEY=${KEY:-./machinekey/zitadel-admin-sa.json}`
finish 2023-05-19 19:34:07 +02:00			`echo "Using key path ${KEY} to the instance admin service account."`

chore: automate setup 2023-05-19 16:20:01 +02:00			`AUDIENCE=${AUDIENCE:-http://localhost:8080}`
finish 2023-05-19 19:34:07 +02:00			`echo "Using audience ${AUDIENCE} for which the key is used."`

chore: automate setup 2023-05-19 16:20:01 +02:00			`SERVICE=${SERVICE:-$AUDIENCE}`
finish 2023-05-19 19:34:07 +02:00			`echo "Using the service ${SERVICE} to connect to ZITADEL. For example in docker compose this can differ from the audience."`

			`WRITE_ENVIRONMENT_FILE=${WRITE_ENVIRONMENT_FILE:-$(dirname "$0")/../apps/login/.env.local}`
			`echo "Writing environment file to ${WRITE_ENVIRONMENT_FILE} when done."`
chore: automate setup 2023-05-19 16:20:01 +02:00
			`AUDIENCE_HOST="$(echo $AUDIENCE \| cut -d/ -f3)"`
finish 2023-05-19 19:34:07 +02:00			`echo "Deferred the Host header ${AUDIENCE_HOST} which will be sent in requests that ZITADEL then maps to a virtual instance"`
chore: automate setup 2023-05-19 16:20:01 +02:00
			`JWT=$(zitadel-tools key2jwt --key ${KEY} --audience ${AUDIENCE})`
finish 2023-05-19 19:34:07 +02:00			`echo "Created JWT from Admin service account key ${JWT}"`
chore: automate setup 2023-05-19 16:20:01 +02:00
finish 2023-05-19 19:46:10 +02:00			`TOKEN_RESPONSE=$(curl -s --request POST \`
chore: automate setup 2023-05-19 16:20:01 +02:00			`--url ${SERVICE}/oauth/v2/token \`
			`--header 'Content-Type: application/x-www-form-urlencoded' \`
			`--header "Host: ${AUDIENCE_HOST}" \`
			`--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \`
add audience scope 2023-05-19 17:57:16 +02:00			`--data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \`
chore: automate setup 2023-05-19 16:20:01 +02:00			`--data assertion="${JWT}")`
finish 2023-05-19 19:34:07 +02:00			`echo "Got response from token endpoint:"`
			`echo "${TOKEN_RESPONSE}" \| jq`
chore: automate setup 2023-05-19 16:20:01 +02:00
chore: setup human admin on localhost 2023-05-24 20:50:54 +02:00			`TOKEN=$(echo -n ${TOKEN_RESPONSE} \| jq --raw-output '.access_token')`
finish 2023-05-19 19:34:07 +02:00			`echo "Extracted access token ${TOKEN}"`
chore: automate setup 2023-05-19 16:20:01 +02:00
finish 2023-05-19 19:46:10 +02:00			`ORG_RESPONSE=$(curl -s --request GET \`
chore: automate setup 2023-05-19 16:20:01 +02:00			`--url ${SERVICE}/admin/v1/orgs/default \`
			`--header 'Accept: application/json' \`
			`--header "Authorization: Bearer ${TOKEN}" \`
finish 2023-05-19 19:34:07 +02:00			`--header "Host: ${AUDIENCE_HOST}")`
			`echo "Got default org response:"`
			`echo "${ORG_RESPONSE}" \| jq`

chore: setup human admin on localhost 2023-05-24 20:50:54 +02:00			`ORG_ID=$(echo -n ${ORG_RESPONSE} \| jq --raw-output '.org.id')`
finish 2023-05-19 19:34:07 +02:00			`echo "Extracted default org id ${ORG_ID}"`

chore: backup automatically 2023-05-23 18:40:58 +02:00			`ENVIRONMENT_BACKUP_FILE=${WRITE_ENVIRONMENT_FILE}`
			`# If the original file already exists, rename it`
			`if [[ -e ${WRITE_ENVIRONMENT_FILE} ]]; then`
			`if grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then`
			`echo "Current environment file ${WRITE_ENVIRONMENT_FILE} contains localhost. Overwriting:"`
			`cat ${WRITE_ENVIRONMENT_FILE}`
			`else`
			`i=0`
			`# If a backup file already exists, increment counter until a free filename is found`
			`while [[ -e ${ENVIRONMENT_BACKUP_FILE}.${i}.bak ]]; do`
			`let "i++"`
			`if [[ ${i} -eq 50 ]]; then`
			`echo "Warning: Too many backup files (limit is 50), overwriting ${ENVIRONMENT_BACKUP_FILE}.${i}.bak"`
			`break`
			`fi`
			`done`
			`mv ${WRITE_ENVIRONMENT_FILE} ${ENVIRONMENT_BACKUP_FILE}.${i}.bak`
			`echo "Renamed existing environment file to ${ENVIRONMENT_BACKUP_FILE}.${i}.bak"`
			`fi`
			`fi`

finish 2023-05-19 19:34:07 +02:00			`echo "ZITADEL_API_URL=${AUDIENCE}`
			`ZITADEL_ORG_ID=${ORG_ID}`
			`ZITADEL_SERVICE_USER_TOKEN=${TOKEN}" > ${WRITE_ENVIRONMENT_FILE}`
			`echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"`
chore: setup human admin on localhost 2023-05-24 20:50:54 +02:00			`cat ${WRITE_ENVIRONMENT_FILE}`

			`if ! grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then`
			`echo "Not developing against localhost, so creating a human user might not be necessary"`
			`exit 0`
			`fi`

			`HUMAN_USER_USERNAME="zitadel-admin@zitadel.localhost"`
			`HUMAN_USER_PASSWORD="Password1!"`

			`HUMAN_USER_PAYLOAD=$(cat << EOM`
			`{`
			`"userName": "${HUMAN_USER_USERNAME}",`
			`"profile": {`
			`"firstName": "ZITADEL",`
			`"lastName": "Admin",`
			`"displayName": "ZITADEL Admin",`
			`"preferredLanguage": "en"`
			`},`
			`"email": {`
			`"email": "zitadel-admin@zitadel.localhost",`
			`"isEmailVerified": true`
			`},`
			`"password": "${HUMAN_USER_PASSWORD}",`
			`"passwordChangeRequired": false`
			`}`
			`EOM`
			`)`
			`echo "Creating human user"`
			`echo "${HUMAN_USER_PAYLOAD}" \| jq`

			`HUMAN_USER_RESPONSE=$(curl -s --request POST \`
			`--url ${SERVICE}/management/v1/users/human/_import \`
			`--header 'Content-Type: application/json' \`
			`--header 'Accept: application/json' \`
			`--header "Authorization: Bearer ${TOKEN}" \`
			`--header "Host: ${AUDIENCE_HOST}" \`
			`--data-raw "${HUMAN_USER_PAYLOAD}")`
			`echo "Create human user response"`
			`echo "${HUMAN_USER_RESPONSE}" \| jq`

			`if [ "$(echo -n "${HUMAN_USER_RESPONSE}" \| jq --raw-output '.code')" == "6" ]; then`
			`echo "admin user already exists"`
			`exit 0`
			`fi`

			`HUMAN_USER_ID=$(echo -n ${HUMAN_USER_RESPONSE} \| jq --raw-output '.userId')`
			`echo "Extracted human user id ${HUMAN_USER_ID}"`

			`HUMAN_ADMIN_PAYLOAD=$(cat << EOM`
			`{`
			`"userId": "${HUMAN_USER_ID}",`
			`"roles": [`
			`"IAM_OWNER"`
			`]`
			`}`
			`EOM`
			`)`
			`echo "Granting iam owner to human user"`
			`echo "${HUMAN_ADMIN_PAYLOAD}" \| jq`

			`HUMAN_ADMIN_RESPONSE=$(curl -s --request POST \`
			`--url ${SERVICE}/admin/v1/members \`
			`--header 'Content-Type: application/json' \`
			`--header 'Accept: application/json' \`
			`--header "Authorization: Bearer ${TOKEN}" \`
			`--header "Host: ${AUDIENCE_HOST}" \`
			`--data-raw "${HUMAN_ADMIN_PAYLOAD}")`

			`echo "Grant iam owner to human user response"`
			`echo "${HUMAN_ADMIN_RESPONSE}" \| jq`

			`echo "You can now log in at ${AUDIENCE}/ui/login"`
			`echo "username: ${HUMAN_USER_USERNAME}"`
			`echo "password: ${HUMAN_USER_PASSWORD}"`