fix: setup instance domain handling (#3529)

2025-08-13 13:01:38 +00:00 · 2022-04-28 10:30:41 +02:00
parent 70e98460ab
commit 00f7dbe875
16 changed files with 152 additions and 113 deletions
--- a/internal/api/grpc/admin/user_converter.go
+++ b/internal/api/grpc/admin/user_converter.go
@@ -14,16 +14,16 @@ func setUpOrgHumanToCommand(human *admin_grpc.SetUpOrgRequest_Human) command.Add
 	lang, err := language.Parse(human.Profile.PreferredLanguage)
 	logging.OnError(err).Debug("unable to parse language")
 	return command.AddHuman{
-		Username:      human.UserName,
-		FirstName:     human.Profile.FirstName,
-		LastName:      human.Profile.LastName,
-		NickName:      human.Profile.NickName,
-		DisplayName:   human.Profile.DisplayName,
-		PreferredLang: lang,
-		Gender:        user_grpc.GenderToDomain(human.Profile.Gender),
-		Email:         setUpOrgHumanEmailToDomain(human.Email),
-		Phone:         setUpOrgHumanPhoneToDomain(human.Phone),
-		Password:      human.Password,
+		Username:          human.UserName,
+		FirstName:         human.Profile.FirstName,
+		LastName:          human.Profile.LastName,
+		NickName:          human.Profile.NickName,
+		DisplayName:       human.Profile.DisplayName,
+		PreferredLanguage: lang,
+		Gender:            user_grpc.GenderToDomain(human.Profile.Gender),
+		Email:             setUpOrgHumanEmailToDomain(human.Email),
+		Phone:             setUpOrgHumanPhoneToDomain(human.Phone),
+		Password:          human.Password,
 	}
 }

--- a/internal/api/grpc/management/user.go
+++ b/internal/api/grpc/management/user.go
@@ -209,12 +209,8 @@ func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequ
 			Address:  req.Email.Email,
 			Verified: req.Email.IsEmailVerified,
 		},
-		PreferredLang: lang,
-		Gender:        user_grpc.GenderToDomain(req.Profile.Gender),
-		Phone: command.Phone{
-			Number:   req.Phone.Phone,
-			Verified: req.Phone.IsPhoneVerified,
-		},
+		PreferredLanguage:      lang,
+		Gender:                 user_grpc.GenderToDomain(req.Profile.Gender),
 		Password:               req.InitialPassword,
 		PasswordChangeRequired: true,
 		Passwordless:           false,
--- a/internal/api/grpc/system/instance.go
+++ b/internal/api/grpc/system/instance.go
@@ -41,7 +41,7 @@ func (s *Server) GetInstance(ctx context.Context, req *system_pb.GetInstanceRequ
 }

 func (s *Server) AddInstance(ctx context.Context, req *system_pb.AddInstanceRequest) (*system_pb.AddInstanceResponse, error) {
-	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance), s.ExternalSecure)
+	id, details, err := s.command.SetUpInstance(ctx, AddInstancePbToSetupInstance(req, s.DefaultInstance))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/system/instance_converter.go
+++ b/internal/api/grpc/system/instance_converter.go
@@ -1,13 +1,14 @@
 package system

 import (
+	"golang.org/x/text/language"
+
 	instance_grpc "github.com/zitadel/zitadel/internal/api/grpc/instance"
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	instance_pb "github.com/zitadel/zitadel/pkg/grpc/instance"
 	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
-	"golang.org/x/text/language"
 )

 func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInstance command.InstanceSetup) *command.InstanceSetup {
@@ -35,7 +36,7 @@ func AddInstancePbToSetupInstance(req *system_pb.AddInstanceRequest, defaultInst
 		if req.OwnerProfile.PreferredLanguage != "" {
 			lang, err := language.Parse(req.OwnerProfile.PreferredLanguage)
 			if err == nil {
-				defaultInstance.Org.Human.PreferredLang = lang
+				defaultInstance.Org.Human.PreferredLanguage = lang
 			}
 		}
 	}
--- a/internal/api/grpc/system/server.go
+++ b/internal/api/grpc/system/server.go
@@ -25,7 +25,6 @@ type Server struct {
 	query           *query.Queries
 	administrator   repository.AdministratorRepository
 	DefaultInstance command.InstanceSetup
-	ExternalSecure  bool
 }

 type Config struct {
@@ -36,13 +35,12 @@ func CreateServer(command *command.Commands,
 	query *query.Queries,
 	repo repository.Repository,
 	defaultInstance command.InstanceSetup,
-	externalSecure bool) *Server {
+) *Server {
 	return &Server{
 		command:         command,
 		query:           query,
 		administrator:   repo,
 		DefaultInstance: defaultInstance,
-		ExternalSecure:  externalSecure,
 	}
 }

--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -10,6 +10,7 @@ import (
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/repository/action"
@@ -28,6 +29,7 @@ type Commands struct {
 	static         static.Storage
 	idGenerator    id.Generator
 	zitadelRoles   []authz.RoleMapping
+	externalDomain string
 	externalSecure bool
 	externalPort   uint16

@@ -62,6 +64,7 @@ func StartCommands(es *eventstore.Eventstore,
 	staticStore static.Storage,
 	authZRepo authz_repo.Repository,
 	webAuthN *webauthn_helper.Config,
+	externalDomain string,
 	externalSecure bool,
 	externalPort uint16,
 	idpConfigEncryption,
@@ -72,11 +75,15 @@ func StartCommands(es *eventstore.Eventstore,
 	domainVerificationEncryption,
 	oidcEncryption crypto.EncryptionAlgorithm,
 ) (repo *Commands, err error) {
+	if externalDomain == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Df21s", "not external domain specified")
+	}
 	repo = &Commands{
 		eventstore:            es,
 		static:                staticStore,
 		idGenerator:           id.SonyFlakeGenerator,
 		zitadelRoles:          zitadelRoles,
+		externalDomain:        externalDomain,
 		externalSecure:        externalSecure,
 		externalPort:          externalPort,
 		keySize:               defaults.KeyConfig.Size,
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -157,7 +157,7 @@ func (s *InstanceSetup) generateIDs() (err error) {
 	return nil
 }

-func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, externalSecure bool) (string, *domain.ObjectDetails, error) {
+func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (string, *domain.ObjectDetails, error) {
 	instanceID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
 		return "", nil, err
@@ -167,8 +167,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		return "", nil, err
 	}

-	requestedDomain := authz.GetInstance(ctx).RequestedDomain()
-	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), requestedDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})
+	ctx = authz.SetCtxData(authz.WithRequestedDomain(authz.WithInstanceID(ctx, instanceID), c.externalDomain), authz.CtxData{OrgID: instanceID, ResourceOwner: instanceID})

 	orgID, err := id.SonyFlakeGenerator.Next()
 	if err != nil {
@@ -185,8 +184,6 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 	}
 	ctx = authz.WithConsole(ctx, setup.zitadel.projectID, setup.zitadel.consoleAppID)

-	setup.Org.Human.PasswordChangeRequired = true
-
 	instanceAgg := instance.NewAggregate(instanceID)
 	orgAgg := org.NewAggregate(orgID)
 	userAgg := user.NewAggregate(userID, orgID)
@@ -302,7 +299,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte
 		ApplicationType:          domain.OIDCApplicationTypeUserAgent,
 		AuthMethodType:           domain.OIDCAuthMethodTypeNone,
 		PostLogoutRedirectUris:   []string{},
-		DevMode:                  !externalSecure,
+		DevMode:                  !c.externalSecure,
 		AccessTokenType:          domain.OIDCTokenTypeBearer,
 		AccessTokenRoleAssertion: false,
 		IDTokenRoleAssertion:     false,
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@@ -39,8 +39,8 @@ type AddHuman struct {
 	DisplayName string
 	// Email is required
 	Email Email
-	// PreferredLang is required
-	PreferredLang language.Tag
+	// PreferredLanguage is required
+	PreferredLanguage language.Tag
 	// Gender is required
 	Gender domain.Gender
 	//Phone represents an international phone number
@@ -98,6 +98,9 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			return nil, errors.ThrowInvalidArgument(nil, "V2-zzad3", "Errors.Invalid.Argument")
 		}

+		if human.PreferredLanguage == language.Und {
+			return nil, errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument")
+		}
 		if human.FirstName = strings.TrimSpace(human.FirstName); human.FirstName == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument")
 		}
@@ -130,7 +133,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,
@@ -144,7 +147,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 					human.LastName,
 					human.NickName,
 					human.DisplayName,
-					human.PreferredLang,
+					human.PreferredLanguage,
 					human.Gender,
 					human.Email.Address,
 					domainPolicy.UserLoginMustBeDomain,
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@@ -93,6 +93,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@@ -130,6 +131,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 			},
 			res: res{
@@ -210,7 +212,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 									"lastname",
 									"",
 									"firstname lastname",
-									language.Und,
+									language.English,
 									domain.GenderUnspecified,
 									"email@test.ch",
 									true,
@@ -257,6 +259,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -375,6 +378,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Email: Email{
 						Address: "email@test.ch",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -470,6 +474,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Address:  "email@test.ch",
 						Verified: true,
 					},
+					PreferredLanguage:      language.English,
 					PasswordChangeRequired: true,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
@@ -554,6 +559,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					Phone: Phone{
 						Number: "+41711234567",
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -668,6 +674,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						Number:   "+41711234567",
 						Verified: true,
 					},
+					PreferredLanguage: language.English,
 				},
 				secretGenerator: GetMockSecretGenerator(t),
 			},
@@ -920,8 +927,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: true,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -940,7 +948,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -1001,8 +1009,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1022,7 +1031,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1094,8 +1103,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1117,7 +1127,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1203,8 +1213,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						ChangeRequired: false,
 					},
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1226,7 +1237,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress:    "email@test.ch",
@@ -1312,8 +1323,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@@ -1339,7 +1351,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -1411,8 +1423,9 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 				human: &domain.Human{
 					Username: "username",
 					Profile: &domain.Profile{
-						FirstName: "firstname",
-						LastName:  "lastname",
+						FirstName:         "firstname",
+						LastName:          "lastname",
+						PreferredLanguage: language.English,
 					},
 					Password: &domain.Password{
 						SecretString:   "password",
@@ -1439,7 +1452,7 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 						FirstName:         "firstname",
 						LastName:          "lastname",
 						DisplayName:       "firstname lastname",
-						PreferredLanguage: language.Und,
+						PreferredLanguage: language.English,
 					},
 					Email: &domain.Email{
 						EmailAddress: "email@test.ch",
@@ -2767,7 +2780,7 @@ func newAddHumanEvent(password string, changeRequired bool, phone string) *user.
 		"lastname",
 		"",
 		"firstname lastname",
-		language.Und,
+		language.English,
 		domain.GenderUnspecified,
 		"email@test.ch",
 		true,
@@ -2844,7 +2857,7 @@ func TestAddHumanCommand(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid first name",
+			name: "invalid preferred language",
 			args: args{
 				a: agg,
 				human: &AddHuman{
@@ -2854,6 +2867,22 @@ func TestAddHumanCommand(t *testing.T) {
 					},
 				},
 			},
+			want: Want{
+				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-Sfd11", "Errors.Invalid.Argument"),
+			},
+		},
+		{
+			name: "invalid first name",
+			args: args{
+				a: agg,
+				human: &AddHuman{
+					Username:          "username",
+					PreferredLanguage: language.English,
+					Email: Email{
+						Address: "support@zitadel.ch",
+					},
+				},
+			},
 			want: Want{
 				ValidationErr: errors.ThrowInvalidArgument(nil, "USER-UCej2", "Errors.Invalid.Argument"),
 			},
@@ -2863,9 +2892,10 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Username:  "username",
-					FirstName: "hurst",
-					Email:     Email{Address: "support@zitadel.ch"},
+					Username:          "username",
+					PreferredLanguage: language.English,
+					FirstName:         "hurst",
+					Email:             Email{Address: "support@zitadel.ch"},
 				},
 			},
 			want: Want{
@@ -2877,11 +2907,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch"},
-					FirstName: "gigi",
-					LastName:  "giraffe",
-					Password:  "short",
-					Username:  "username",
+					Email:             Email{Address: "support@zitadel.ch"},
+					PreferredLanguage: language.English,
+					FirstName:         "gigi",
+					LastName:          "giraffe",
+					Password:          "short",
+					Username:          "username",
 				},
 				filter: NewMultiFilter().Append(
 					func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
@@ -2919,11 +2950,12 @@ func TestAddHumanCommand(t *testing.T) {
 			args: args{
 				a: agg,
 				human: &AddHuman{
-					Email:     Email{Address: "support@zitadel.ch", Verified: true},
-					FirstName: "gigi",
-					LastName:  "giraffe",
-					Password:  "",
-					Username:  "username",
+					Email:             Email{Address: "support@zitadel.ch", Verified: true},
+					PreferredLanguage: language.English,
+					FirstName:         "gigi",
+					LastName:          "giraffe",
+					Password:          "",
+					Username:          "username",
 				},
 				passwordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
 				filter: NewMultiFilter().Append(
@@ -2963,7 +2995,7 @@ func TestAddHumanCommand(t *testing.T) {
 						"giraffe",
 						"",
 						"gigi giraffe",
-						language.Und,
+						language.English,
 						0,
 						"support@zitadel.ch",
 						true,