2022-02-09 14:01:19 +00:00
|
|
|
package start
|
|
|
|
|
|
|
|
import (
|
2022-02-14 16:22:30 +00:00
|
|
|
"context"
|
|
|
|
"database/sql"
|
2022-02-09 14:01:19 +00:00
|
|
|
_ "embed"
|
2022-02-14 16:22:30 +00:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"os"
|
|
|
|
"os/signal"
|
|
|
|
"syscall"
|
|
|
|
"time"
|
2022-02-09 14:01:19 +00:00
|
|
|
|
|
|
|
"github.com/caos/logging"
|
2022-02-14 16:22:30 +00:00
|
|
|
"github.com/gorilla/mux"
|
|
|
|
"github.com/mitchellh/mapstructure"
|
2022-02-09 14:01:19 +00:00
|
|
|
"github.com/spf13/cobra"
|
2022-02-14 16:22:30 +00:00
|
|
|
"github.com/spf13/viper"
|
|
|
|
"golang.org/x/net/http2"
|
|
|
|
"golang.org/x/net/http2/h2c"
|
|
|
|
|
|
|
|
admin_es "github.com/caos/zitadel/internal/admin/repository/eventsourcing"
|
|
|
|
"github.com/caos/zitadel/internal/api"
|
|
|
|
"github.com/caos/zitadel/internal/api/assets"
|
|
|
|
internal_authz "github.com/caos/zitadel/internal/api/authz"
|
|
|
|
"github.com/caos/zitadel/internal/api/grpc/admin"
|
|
|
|
"github.com/caos/zitadel/internal/api/grpc/auth"
|
|
|
|
"github.com/caos/zitadel/internal/api/grpc/management"
|
|
|
|
http_util "github.com/caos/zitadel/internal/api/http"
|
|
|
|
"github.com/caos/zitadel/internal/api/http/middleware"
|
|
|
|
"github.com/caos/zitadel/internal/api/oidc"
|
|
|
|
"github.com/caos/zitadel/internal/api/ui/console"
|
|
|
|
"github.com/caos/zitadel/internal/api/ui/login"
|
|
|
|
auth_es "github.com/caos/zitadel/internal/auth/repository/eventsourcing"
|
|
|
|
"github.com/caos/zitadel/internal/authz"
|
|
|
|
authz_repo "github.com/caos/zitadel/internal/authz/repository"
|
|
|
|
"github.com/caos/zitadel/internal/command"
|
|
|
|
"github.com/caos/zitadel/internal/config/systemdefaults"
|
|
|
|
"github.com/caos/zitadel/internal/crypto"
|
2022-03-14 06:55:09 +00:00
|
|
|
cryptoDB "github.com/caos/zitadel/internal/crypto/database"
|
2022-02-14 16:22:30 +00:00
|
|
|
"github.com/caos/zitadel/internal/database"
|
|
|
|
"github.com/caos/zitadel/internal/domain"
|
|
|
|
"github.com/caos/zitadel/internal/eventstore"
|
|
|
|
"github.com/caos/zitadel/internal/id"
|
|
|
|
"github.com/caos/zitadel/internal/notification"
|
|
|
|
"github.com/caos/zitadel/internal/query"
|
|
|
|
"github.com/caos/zitadel/internal/query/projection"
|
|
|
|
"github.com/caos/zitadel/internal/static"
|
|
|
|
static_config "github.com/caos/zitadel/internal/static/config"
|
|
|
|
"github.com/caos/zitadel/internal/webauthn"
|
|
|
|
"github.com/caos/zitadel/openapi"
|
2022-02-09 14:01:19 +00:00
|
|
|
)
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
const (
|
|
|
|
flagMasterKey = "masterkey"
|
|
|
|
)
|
|
|
|
|
2022-02-09 14:01:19 +00:00
|
|
|
func New() *cobra.Command {
|
2022-02-14 16:22:30 +00:00
|
|
|
start := &cobra.Command{
|
2022-02-09 14:01:19 +00:00
|
|
|
Use: "start",
|
|
|
|
Short: "starts ZITADEL instance",
|
|
|
|
Long: `starts ZITADEL.
|
|
|
|
Requirements:
|
|
|
|
- cockroachdb`,
|
|
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
2022-02-14 16:22:30 +00:00
|
|
|
config := new(startConfig)
|
|
|
|
err := viper.Unmarshal(config, viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
|
|
|
|
mapstructure.StringToTimeDurationHookFunc(),
|
|
|
|
mapstructure.StringToSliceHookFunc(":"),
|
|
|
|
)))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
err = config.Log.SetLogger()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
masterKey, _ := cmd.Flags().GetString("masterkey")
|
|
|
|
return startZitadel(config, masterKey)
|
2022-02-09 14:01:19 +00:00
|
|
|
},
|
|
|
|
}
|
2022-02-14 16:22:30 +00:00
|
|
|
bindUint16Flag(start, "port", "port to run ZITADEL on")
|
|
|
|
bindStringFlag(start, "externalDomain", "domain ZITADEL will be exposed on")
|
|
|
|
bindStringFlag(start, "externalPort", "port ZITADEL will be exposed on")
|
|
|
|
bindBoolFlag(start, "externalSecure", "if ZITADEL will be served on HTTPS")
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
start.PersistentFlags().String(flagMasterKey, "", "masterkey for en/decryption keys")
|
|
|
|
|
2022-02-14 16:22:30 +00:00
|
|
|
return start
|
|
|
|
}
|
|
|
|
|
|
|
|
func bindStringFlag(cmd *cobra.Command, name, description string) {
|
|
|
|
cmd.PersistentFlags().String(name, viper.GetString(name), description)
|
|
|
|
viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
|
|
|
|
}
|
|
|
|
|
|
|
|
func bindUint16Flag(cmd *cobra.Command, name, description string) {
|
|
|
|
cmd.PersistentFlags().Uint16(name, uint16(viper.GetUint(name)), description)
|
|
|
|
viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
|
|
|
|
}
|
|
|
|
|
|
|
|
func bindBoolFlag(cmd *cobra.Command, name, description string) {
|
|
|
|
cmd.PersistentFlags().Bool(name, viper.GetBool(name), description)
|
|
|
|
viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
|
|
|
|
}
|
|
|
|
|
|
|
|
type startConfig struct {
|
|
|
|
Log *logging.Config
|
|
|
|
Port uint16
|
|
|
|
ExternalPort uint16
|
|
|
|
ExternalDomain string
|
|
|
|
ExternalSecure bool
|
|
|
|
Database database.Config
|
2022-03-14 06:55:09 +00:00
|
|
|
Projections projection.Config
|
2022-02-14 16:22:30 +00:00
|
|
|
AuthZ authz.Config
|
|
|
|
Auth auth_es.Config
|
|
|
|
Admin admin_es.Config
|
|
|
|
UserAgentCookie *middleware.UserAgentCookieConfig
|
|
|
|
OIDC oidc.Config
|
|
|
|
Login login.Config
|
|
|
|
Console console.Config
|
|
|
|
Notification notification.Config
|
|
|
|
AssetStorage static_config.AssetStorageConfig
|
|
|
|
InternalAuthZ internal_authz.Config
|
|
|
|
SystemDefaults systemdefaults.SystemDefaults
|
2022-03-14 06:55:09 +00:00
|
|
|
EncryptionKeys *encryptionKeyConfig
|
2022-02-14 16:22:30 +00:00
|
|
|
}
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
type encryptionKeyConfig struct {
|
|
|
|
DomainVerification *crypto.KeyConfig
|
|
|
|
IDPConfig *crypto.KeyConfig
|
|
|
|
OIDC *crypto.KeyConfig
|
|
|
|
OTP *crypto.KeyConfig
|
|
|
|
SMS *crypto.KeyConfig
|
|
|
|
SMTP *crypto.KeyConfig
|
|
|
|
User *crypto.KeyConfig
|
|
|
|
CSRFCookieKeyID string
|
|
|
|
UserAgentCookieKeyID string
|
2022-02-14 16:22:30 +00:00
|
|
|
}
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
func startZitadel(config *startConfig, masterKey string) error {
|
2022-02-14 16:22:30 +00:00
|
|
|
ctx := context.Background()
|
|
|
|
keyChan := make(chan interface{})
|
|
|
|
|
|
|
|
dbClient, err := database.Connect(config.Database)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot start client for projection: %w", err)
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
|
|
|
|
keyStorage, err := cryptoDB.NewKeyStorage(dbClient, masterKey)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot start key storage: %w", err)
|
|
|
|
}
|
|
|
|
keys, err := ensureEncryptionKeys(config.EncryptionKeys, keyStorage)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-02-14 16:22:30 +00:00
|
|
|
var storage static.Storage
|
|
|
|
//TODO: enable when storage is implemented again
|
|
|
|
//if *assetsEnabled {
|
|
|
|
//storage, err = config.AssetStorage.Config.NewStorage()
|
|
|
|
//logging.Log("MAIN-Bfhe2").OnError(err).Fatal("Unable to start asset storage")
|
|
|
|
//}
|
|
|
|
eventstoreClient, err := eventstore.Start(dbClient)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot start eventstore for queries: %w", err)
|
|
|
|
}
|
2022-02-16 15:49:17 +00:00
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, keys.OIDC, keyChan, config.InternalAuthZ.RolePermissionMappings)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot start queries: %w", err)
|
|
|
|
}
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
authZRepo, err := authz.Start(config.AuthZ, config.SystemDefaults, queries, dbClient, keys.OIDC)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error starting authz repo: %w", err)
|
|
|
|
}
|
|
|
|
webAuthNConfig := webauthn.Config{
|
|
|
|
ID: config.ExternalDomain,
|
|
|
|
Origin: http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure),
|
|
|
|
DisplayName: "ZITADEL",
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ, storage, authZRepo, webAuthNConfig, keys.IDPConfig, keys.OTP, keys.SMTP, keys.SMS, keys.DomainVerification, keys.OIDC)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot start commands: %w", err)
|
|
|
|
}
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
notification.Start(config.Notification, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.User, keys.SMTP, keys.SMS)
|
2022-02-14 16:22:30 +00:00
|
|
|
|
|
|
|
router := mux.NewRouter()
|
2022-03-14 06:55:09 +00:00
|
|
|
err = startAPIs(ctx, router, commands, queries, eventstoreClient, dbClient, keyChan, config, storage, authZRepo, keys)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return listen(ctx, router, config.Port)
|
|
|
|
}
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
func startAPIs(ctx context.Context, router *mux.Router, commands *command.Commands, queries *query.Queries, eventstore *eventstore.Eventstore, dbClient *sql.DB, keyChan chan interface{}, config *startConfig, store static.Storage, authZRepo authz_repo.Repository, keys *encryptionKeys) error {
|
2022-02-14 16:22:30 +00:00
|
|
|
repo := struct {
|
|
|
|
authz_repo.Repository
|
|
|
|
*query.Queries
|
|
|
|
}{
|
|
|
|
authZRepo,
|
|
|
|
queries,
|
|
|
|
}
|
|
|
|
verifier := internal_authz.Start(repo)
|
|
|
|
|
2022-02-16 15:49:17 +00:00
|
|
|
apis := api.New(config.Port, router, &repo, config.InternalAuthZ, config.ExternalSecure)
|
2022-03-14 06:55:09 +00:00
|
|
|
authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.OIDC, keys.User)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error starting auth repo: %w", err)
|
|
|
|
}
|
|
|
|
adminRepo, err := admin_es.Start(config.Admin, store, dbClient, login.HandlerPrefix)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error starting admin repo: %w", err)
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
if err := apis.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, config.SystemDefaults.Domain, assets.HandlerPrefix, keys.User)); err != nil {
|
2022-02-14 16:22:30 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
|
2022-02-14 16:22:30 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
|
2022-02-14 16:22:30 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
apis.RegisterHandler(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator, store, queries))
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, keys.UserAgentCookieKey, config.ExternalDomain, id.SonyFlakeGenerator, config.ExternalSecure)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
issuer := oidc.Issuer(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
|
2022-03-14 06:55:09 +00:00
|
|
|
oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, issuer, login.DefaultLoggedOutPath, commands, queries, authRepo, config.SystemDefaults.KeyConfig, keys.OIDC, keys.OIDCKey, eventstore, dbClient, keyChan, userAgentInterceptor)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to start oidc provider: %w", err)
|
|
|
|
}
|
|
|
|
apis.RegisterHandler(oidc.HandlerPrefix, oidcProvider.HttpHandler())
|
|
|
|
|
|
|
|
openAPIHandler, err := openapi.Start()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to start openapi handler: %w", err)
|
|
|
|
}
|
|
|
|
apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)
|
|
|
|
|
|
|
|
consoleID, err := consoleClientID(ctx, queries)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to get client_id for console: %w", err)
|
|
|
|
}
|
2022-03-14 06:55:09 +00:00
|
|
|
baseURL := http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
|
|
|
|
c, err := console.Start(config.Console, config.ExternalDomain, baseURL, issuer, consoleID)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to start console: %w", err)
|
|
|
|
}
|
|
|
|
apis.RegisterHandler(console.HandlerPrefix, c)
|
|
|
|
|
2022-03-14 06:55:09 +00:00
|
|
|
l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix, config.ExternalDomain, baseURL, oidc.AuthCallback, config.ExternalSecure, userAgentInterceptor, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
|
2022-02-14 16:22:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to start login: %w", err)
|
|
|
|
}
|
|
|
|
apis.RegisterHandler(login.HandlerPrefix, l.Handler())
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func listen(ctx context.Context, router *mux.Router, port uint16) error {
|
|
|
|
http2Server := &http2.Server{}
|
|
|
|
http1Server := &http.Server{Handler: h2c.NewHandler(router, http2Server)}
|
|
|
|
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("tcp listener on %d failed: %w", port, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
errCh := make(chan error)
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
logging.Infof("server is listening on %s", lis.Addr().String())
|
|
|
|
errCh <- http1Server.Serve(lis)
|
|
|
|
}()
|
|
|
|
|
|
|
|
shutdown := make(chan os.Signal, 1)
|
|
|
|
signal.Notify(shutdown, os.Interrupt, syscall.SIGTERM)
|
|
|
|
|
|
|
|
select {
|
|
|
|
case err := <-errCh:
|
|
|
|
return fmt.Errorf("error starting server: %w", err)
|
|
|
|
case <-shutdown:
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
return shutdownServer(ctx, http1Server)
|
|
|
|
case <-ctx.Done():
|
|
|
|
return shutdownServer(ctx, http1Server)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func shutdownServer(ctx context.Context, server *http.Server) error {
|
|
|
|
err := server.Shutdown(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("could not shutdown gracefully: %w", err)
|
|
|
|
}
|
|
|
|
logging.New().Info("server shutdown gracefully")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
//TODO:!!??!!
|
|
|
|
func consoleClientID(ctx context.Context, queries *query.Queries) (string, error) {
|
|
|
|
iam, err := queries.IAMByID(ctx, domain.IAMID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
projectID, err := query.NewAppProjectIDSearchQuery(iam.IAMProjectID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
name, err := query.NewAppNameSearchQuery(query.TextContainsIgnoreCase, "console") //TODO:!!??!!
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
apps, err := queries.SearchApps(ctx, &query.AppSearchQueries{
|
|
|
|
Queries: []query.SearchQuery{projectID, name},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
if len(apps.Apps) != 1 || apps.Apps[0].OIDCConfig == nil {
|
|
|
|
return "", errors.New("invalid app")
|
|
|
|
}
|
|
|
|
return apps.Apps[0].OIDCConfig.ClientID, nil
|
2022-02-09 14:01:19 +00:00
|
|
|
}
|