fix: enable env vars in setup steps (and deprecate admin subcommand) (#3871)

* fix: enable env vars in setup steps (and deprecate admin subcommand) * fix tests and error text
2025-08-12 11:27:33 +00:00 · 2022-06-27 12:32:34 +02:00
parent 30f553dea1
commit 12d4d3ea0b
53 changed files with 44 additions and 31 deletions
--- a/cmd/start/config.go
+++ b/cmd/start/config.go
@@ -0,0 +1,89 @@
+package start
+
+import (
+	"time"
+
+	"github.com/mitchellh/mapstructure"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
+	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/api/oidc"
+	"github.com/zitadel/zitadel/internal/api/ui/console"
+	"github.com/zitadel/zitadel/internal/api/ui/login"
+	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/config/hook"
+	"github.com/zitadel/zitadel/internal/config/network"
+	"github.com/zitadel/zitadel/internal/config/systemdefaults"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/notification"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	static_config "github.com/zitadel/zitadel/internal/static/config"
+	tracing "github.com/zitadel/zitadel/internal/telemetry/tracing/config"
+)
+
+type Config struct {
+	Log               *logging.Config
+	Port              uint16
+	ExternalPort      uint16
+	ExternalDomain    string
+	ExternalSecure    bool
+	TLS               network.TLS
+	HTTP2HostHeader   string
+	HTTP1HostHeader   string
+	WebAuthNName      string
+	Database          database.Config
+	Tracing           tracing.Config
+	Projections       projection.Config
+	Auth              auth_es.Config
+	Admin             admin_es.Config
+	UserAgentCookie   *middleware.UserAgentCookieConfig
+	OIDC              oidc.Config
+	Login             login.Config
+	Console           console.Config
+	Notification      notification.Config
+	AssetStorage      static_config.AssetStorageConfig
+	InternalAuthZ     internal_authz.Config
+	SystemDefaults    systemdefaults.SystemDefaults
+	EncryptionKeys    *encryptionKeyConfig
+	DefaultInstance   command.InstanceSetup
+	AuditLogRetention time.Duration
+	SystemAPIUsers    map[string]*internal_authz.SystemAPIUser
+	CustomerPortal    string
+}
+
+func MustNewConfig(v *viper.Viper) *Config {
+	config := new(Config)
+
+	err := v.Unmarshal(config,
+		viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
+			hook.Base64ToBytesHookFunc(),
+			hook.TagToLanguageHookFunc(),
+			mapstructure.StringToTimeDurationHookFunc(),
+			mapstructure.StringToSliceHookFunc(","),
+		)),
+	)
+	err = config.Log.SetLogger()
+	logging.OnError(err).Fatal("unable to set logger")
+
+	err = config.Tracing.NewTracer()
+	logging.OnError(err).Fatal("unable to set tracer")
+
+	return config
+}
+
+type encryptionKeyConfig struct {
+	DomainVerification   *crypto.KeyConfig
+	IDPConfig            *crypto.KeyConfig
+	OIDC                 *crypto.KeyConfig
+	OTP                  *crypto.KeyConfig
+	SMS                  *crypto.KeyConfig
+	SMTP                 *crypto.KeyConfig
+	User                 *crypto.KeyConfig
+	CSRFCookieKeyID      string
+	UserAgentCookieKeyID string
+}
--- a/cmd/start/encryption_keys.go
+++ b/cmd/start/encryption_keys.go
@@ -0,0 +1,106 @@
+package start
+
+import (
+	"github.com/zitadel/zitadel/internal/crypto"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
+)
+
+var (
+	defaultKeyIDs = []string{
+		"domainVerificationKey",
+		"idpConfigKey",
+		"oidcKey",
+		"otpKey",
+		"smsKey",
+		"smtpKey",
+		"userKey",
+		"csrfCookieKey",
+		"userAgentCookieKey",
+	}
+)
+
+type encryptionKeys struct {
+	DomainVerification crypto.EncryptionAlgorithm
+	IDPConfig          crypto.EncryptionAlgorithm
+	OIDC               crypto.EncryptionAlgorithm
+	OTP                crypto.EncryptionAlgorithm
+	SMS                crypto.EncryptionAlgorithm
+	SMTP               crypto.EncryptionAlgorithm
+	User               crypto.EncryptionAlgorithm
+	CSRFCookieKey      []byte
+	UserAgentCookieKey []byte
+	OIDCKey            []byte
+}
+
+func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyStorage) (keys *encryptionKeys, err error) {
+	if err := verifyDefaultKeys(keyStorage); err != nil {
+		return nil, err
+	}
+	keys = new(encryptionKeys)
+	keys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	key, err := crypto.LoadKey(keyConfig.OIDC.EncryptionKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.OIDCKey = []byte(key)
+	keys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	key, err = crypto.LoadKey(keyConfig.CSRFCookieKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.CSRFCookieKey = []byte(key)
+	key, err = crypto.LoadKey(keyConfig.UserAgentCookieKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	keys.UserAgentCookieKey = []byte(key)
+	return keys, nil
+}
+
+func verifyDefaultKeys(keyStorage crypto.KeyStorage) (err error) {
+	keys := make([]*crypto.Key, 0, len(defaultKeyIDs))
+	for _, keyID := range defaultKeyIDs {
+		_, err := crypto.LoadKey(keyID, keyStorage)
+		if err == nil {
+			continue
+		}
+		key, err := crypto.NewKey(keyID)
+		if err != nil {
+			return err
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil
+	}
+	if err := keyStorage.CreateKeys(keys...); err != nil {
+		return caos_errs.ThrowInternal(err, "START-aGBq2", "cannot create default keys")
+	}
+	return nil
+}
--- a/cmd/start/flags.go
+++ b/cmd/start/flags.go
@@ -0,0 +1,35 @@
+package start
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+
+	"github.com/zitadel/zitadel/cmd/key"
+	"github.com/zitadel/zitadel/cmd/tls"
+)
+
+var tlsMode *string
+
+func startFlags(cmd *cobra.Command) {
+	bindUint16Flag(cmd, "port", "port to run ZITADEL on")
+	bindStringFlag(cmd, "externalDomain", "domain ZITADEL will be exposed on")
+	bindStringFlag(cmd, "externalPort", "port ZITADEL will be exposed on")
+
+	tls.AddTLSModeFlag(cmd)
+	key.AddMasterKeyFlag(cmd)
+}
+
+func bindStringFlag(cmd *cobra.Command, name, description string) {
+	cmd.PersistentFlags().String(name, viper.GetString(name), description)
+	viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
+}
+
+func bindUint16Flag(cmd *cobra.Command, name, description string) {
+	cmd.PersistentFlags().Uint16(name, uint16(viper.GetUint(name)), description)
+	viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
+}
+
+func bindBoolFlag(cmd *cobra.Command, name, description string) {
+	cmd.PersistentFlags().Bool(name, viper.GetBool(name), description)
+	viper.BindPFlag(name, cmd.PersistentFlags().Lookup(name))
+}
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -0,0 +1,273 @@
+package start
+
+import (
+	"context"
+	"crypto/tls"
+	"database/sql"
+	_ "embed"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/gorilla/mux"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+	"github.com/zitadel/oidc/v2/pkg/op"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+
+	"github.com/zitadel/zitadel/cmd/key"
+	cmd_tls "github.com/zitadel/zitadel/cmd/tls"
+	admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
+	"github.com/zitadel/zitadel/internal/api"
+	"github.com/zitadel/zitadel/internal/api/assets"
+	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/admin"
+	"github.com/zitadel/zitadel/internal/api/grpc/auth"
+	"github.com/zitadel/zitadel/internal/api/grpc/management"
+	"github.com/zitadel/zitadel/internal/api/grpc/system"
+	http_util "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/api/oidc"
+	"github.com/zitadel/zitadel/internal/api/ui/console"
+	"github.com/zitadel/zitadel/internal/api/ui/login"
+	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/zitadel/zitadel/internal/authz"
+	authz_repo "github.com/zitadel/zitadel/internal/authz/repository"
+	"github.com/zitadel/zitadel/internal/command"
+	cryptoDB "github.com/zitadel/zitadel/internal/crypto/database"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/notification"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/static"
+	"github.com/zitadel/zitadel/internal/webauthn"
+	"github.com/zitadel/zitadel/openapi"
+)
+
+func New() *cobra.Command {
+	start := &cobra.Command{
+		Use:   "start",
+		Short: "starts ZITADEL instance",
+		Long: `starts ZITADEL.
+Requirements:
+- cockroachdb`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := cmd_tls.ModeFromFlag(cmd)
+			if err != nil {
+				return err
+			}
+			config := MustNewConfig(viper.GetViper())
+			masterKey, err := key.MasterKey(cmd)
+			if err != nil {
+				return err
+			}
+
+			return startZitadel(config, masterKey)
+		},
+	}
+
+	startFlags(start)
+
+	return start
+}
+
+func startZitadel(config *Config, masterKey string) error {
+	ctx := context.Background()
+
+	dbClient, err := database.Connect(config.Database)
+	if err != nil {
+		return fmt.Errorf("cannot start client for projection: %w", err)
+	}
+
+	keyStorage, err := cryptoDB.NewKeyStorage(dbClient, masterKey)
+	if err != nil {
+		return fmt.Errorf("cannot start key storage: %w", err)
+	}
+	keys, err := ensureEncryptionKeys(config.EncryptionKeys, keyStorage)
+	if err != nil {
+		return err
+	}
+
+	eventstoreClient, err := eventstore.Start(dbClient)
+	if err != nil {
+		return fmt.Errorf("cannot start eventstore for queries: %w", err)
+	}
+
+	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, keys.OIDC, config.InternalAuthZ.RolePermissionMappings)
+	if err != nil {
+		return fmt.Errorf("cannot start queries: %w", err)
+	}
+
+	authZRepo, err := authz.Start(queries, dbClient, keys.OIDC)
+	if err != nil {
+		return fmt.Errorf("error starting authz repo: %w", err)
+	}
+
+	storage, err := config.AssetStorage.NewStorage(dbClient)
+	if err != nil {
+		return fmt.Errorf("cannot start asset storage client: %w", err)
+	}
+	webAuthNConfig := &webauthn.Config{
+		DisplayName:    config.WebAuthNName,
+		ExternalSecure: config.ExternalSecure,
+	}
+	commands, err := command.StartCommands(
+		eventstoreClient,
+		config.SystemDefaults,
+		config.InternalAuthZ.RolePermissionMappings,
+		storage,
+		webAuthNConfig,
+		config.ExternalDomain,
+		config.ExternalSecure,
+		config.ExternalPort,
+		keys.IDPConfig,
+		keys.OTP,
+		keys.SMTP,
+		keys.SMS,
+		keys.User,
+		keys.DomainVerification,
+		keys.OIDC,
+	)
+	if err != nil {
+		return fmt.Errorf("cannot start commands: %w", err)
+	}
+
+	notification.Start(config.Notification, config.ExternalPort, config.ExternalSecure, commands, queries, dbClient, assets.HandlerPrefix, config.SystemDefaults.Notifications.FileSystemPath, keys.User, keys.SMTP, keys.SMS)
+
+	router := mux.NewRouter()
+	tlsConfig, err := config.TLS.Config()
+	if err != nil {
+		return err
+	}
+	err = startAPIs(ctx, router, commands, queries, eventstoreClient, dbClient, config, storage, authZRepo, keys)
+	if err != nil {
+		return err
+	}
+	return listen(ctx, router, config.Port, tlsConfig)
+}
+
+func startAPIs(ctx context.Context, router *mux.Router, commands *command.Commands, queries *query.Queries, eventstore *eventstore.Eventstore, dbClient *sql.DB, config *Config, store static.Storage, authZRepo authz_repo.Repository, keys *encryptionKeys) error {
+	repo := struct {
+		authz_repo.Repository
+		*query.Queries
+	}{
+		authZRepo,
+		queries,
+	}
+	verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), config.SystemAPIUsers)
+	tlsConfig, err := config.TLS.Config()
+	if err != nil {
+		return err
+	}
+	apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader)
+	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User)
+	if err != nil {
+		return fmt.Errorf("error starting auth repo: %w", err)
+	}
+	adminRepo, err := admin_es.Start(config.Admin, store, dbClient)
+	if err != nil {
+		return fmt.Errorf("error starting admin repo: %w", err)
+	}
+	if err := apis.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.Database.Database, config.DefaultInstance)); err != nil {
+		return err
+	}
+	if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.Database, commands, queries, adminRepo, config.ExternalSecure, keys.User)); err != nil {
+		return err
+	}
+	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
+		return err
+	}
+	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
+		return err
+	}
+
+	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader, login.IgnoreInstanceEndpoints...)
+	apis.RegisterHandler(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator(), store, queries, instanceInterceptor.Handler))
+
+	userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, keys.UserAgentCookieKey, id.SonyFlakeGenerator(), config.ExternalSecure, login.EndpointResources)
+	if err != nil {
+		return err
+	}
+
+	openAPIHandler, err := openapi.Start()
+	if err != nil {
+		return fmt.Errorf("unable to start openapi handler: %w", err)
+	}
+	apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)
+
+	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
+	if err != nil {
+		return fmt.Errorf("unable to start oidc provider: %w", err)
+	}
+
+	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler, config.CustomerPortal)
+	if err != nil {
+		return fmt.Errorf("unable to start console: %w", err)
+	}
+	apis.RegisterHandler(console.HandlerPrefix, c)
+
+	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, console.HandlerPrefix+"/", op.AuthCallbackURL(oidcProvider), config.ExternalSecure, userAgentInterceptor, op.NewIssuerInterceptor(oidcProvider.IssuerFromRequest).Handler, instanceInterceptor.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
+	if err != nil {
+		return fmt.Errorf("unable to start login: %w", err)
+	}
+	apis.RegisterHandler(login.HandlerPrefix, l.Handler())
+
+	//handle oidc at last, to be able to handle the root
+	//we might want to change that in the future
+	//esp. if we want to have multiple well-known endpoints
+	//it might make sense to handle the discovery endpoint and oauth and oidc prefixes individually
+	//but this will require a change in the oidc lib
+	apis.RegisterHandler("", oidcProvider.HttpHandler())
+	return nil
+}
+
+func listen(ctx context.Context, router *mux.Router, port uint16, tlsConfig *tls.Config) error {
+	http2Server := &http2.Server{}
+	http1Server := &http.Server{Handler: h2c.NewHandler(router, http2Server), TLSConfig: tlsConfig}
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return fmt.Errorf("tcp listener on %d failed: %w", port, err)
+	}
+
+	errCh := make(chan error)
+
+	go func() {
+		logging.Infof("server is listening on %s", lis.Addr().String())
+		if tlsConfig != nil {
+			//we don't need to pass the files here, because we already initialized the TLS config on the server
+			errCh <- http1Server.ServeTLS(lis, "", "")
+		} else {
+			errCh <- http1Server.Serve(lis)
+		}
+	}()
+
+	shutdown := make(chan os.Signal, 1)
+	signal.Notify(shutdown, os.Interrupt, syscall.SIGTERM)
+
+	select {
+	case err := <-errCh:
+		return fmt.Errorf("error starting server: %w", err)
+	case <-shutdown:
+		ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+		defer cancel()
+		return shutdownServer(ctx, http1Server)
+	case <-ctx.Done():
+		return shutdownServer(ctx, http1Server)
+	}
+}
+
+func shutdownServer(ctx context.Context, server *http.Server) error {
+	err := server.Shutdown(ctx)
+	if err != nil {
+		return fmt.Errorf("could not shutdown gracefully: %w", err)
+	}
+	logging.New().Info("server shutdown gracefully")
+	return nil
+}
--- a/cmd/start/start_from_init.go
+++ b/cmd/start/start_from_init.go
@@ -0,0 +1,49 @@
+package start
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/cmd/initialise"
+	"github.com/zitadel/zitadel/cmd/key"
+	"github.com/zitadel/zitadel/cmd/setup"
+	"github.com/zitadel/zitadel/cmd/tls"
+)
+
+func NewStartFromInit() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "start-from-init",
+		Short: "cold starts zitadel",
+		Long: `cold starts ZITADEL.
+First the minimum requirements to start ZITADEL are set up.
+Second the initial events are created.
+Last ZITADEL starts.
+
+Requirements:
+- cockroachdb`,
+		Run: func(cmd *cobra.Command, args []string) {
+			err := tls.ModeFromFlag(cmd)
+			logging.OnError(err).Fatal("invalid tlsMode")
+
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Panic("No master key provided")
+
+			initialise.InitAll(initialise.MustNewConfig(viper.GetViper()))
+
+			setupConfig := setup.MustNewConfig(viper.GetViper())
+			setupSteps := setup.MustNewSteps(viper.New())
+			setup.Setup(setupConfig, setupSteps, masterKey)
+
+			startConfig := MustNewConfig(viper.GetViper())
+
+			err = startZitadel(startConfig, masterKey)
+			logging.OnError(err).Fatal("unable to start zitadel")
+		},
+	}
+
+	startFlags(cmd)
+	setup.Flags(cmd)
+
+	return cmd
+}