Merge branch 'main' into next

# Conflicts:
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go

cmd/setup/03.go

@@ -21,7 +21,7 @@ import (
 type FirstInstance struct {
 	InstanceName    string
 	DefaultLanguage language.Tag
-	Org             command.OrgSetup
+	Org             command.InstanceOrgSetup
 	MachineKeyPath  string
 	PatPath         string
 

cmd/setup/12.go

@@ -0,0 +1,26 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+var (
+	//go:embed 12/12_add_otp_columns.sql
+	addOTPColumns string
+)
+
+type AddOTPColumns struct {
+	dbClient *database.DB
+}
+
+func (mig *AddOTPColumns) Execute(ctx context.Context) error {
+	_, err := mig.dbClient.ExecContext(ctx, addOTPColumns)
+	return err
+}
+
+func (mig *AddOTPColumns) String() string {
+	return "12_auth_users_otp_columns"
+}

cmd/setup/12/12_add_otp_columns.sql

@@ -0,0 +1,2 @@
+ALTER TABLE auth.users2 ADD COLUMN otp_sms_added BOOL DEFAULT false;
+ALTER TABLE auth.users2 ADD COLUMN otp_email_added BOOL DEFAULT false;

cmd/setup/config.go

@@ -67,6 +67,7 @@ type Steps struct {
 	s9EventstoreIndexes2 *EventstoreIndexesNew
 	CorrectCreationDate  *CorrectCreationDate
 	AddEventCreatedAt    *AddEventCreatedAt
+	s12AddOTPColumns     *AddOTPColumns
 }
 
 type encryptionKeyConfig struct {

cmd/setup/setup.go

@@ -94,6 +94,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.CorrectCreationDate.dbClient = dbClient
 	steps.AddEventCreatedAt.dbClient = dbClient
 	steps.AddEventCreatedAt.step10 = steps.CorrectCreationDate
+	steps.s12AddOTPColumns = &AddOTPColumns{dbClient: dbClient}
 
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -134,6 +135,8 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	logging.OnError(err).Fatal("unable to migrate step 10")
 	err = migration.Migrate(ctx, eventstoreClient, steps.AddEventCreatedAt)
 	logging.OnError(err).Fatal("unable to migrate step 11")
+	err = migration.Migrate(ctx, eventstoreClient, steps.s12AddOTPColumns)
+	logging.OnError(err).Fatal("unable to migrate step 12")
 
 	for _, repeatableStep := range repeatableSteps {
 		err = migration.Migrate(ctx, eventstoreClient, repeatableStep)

cmd/setup/steps.yaml

@@ -1,41 +1,53 @@
 FirstInstance:
-  MachineKeyPath:
-  PatPath:
-  InstanceName: ZITADEL
-  DefaultLanguage: en
+  # The machine key from the section FirstInstance.Org.Machine.MachineKey is written to the MachineKeyPath.
+  MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
+  # The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.
+  PatPath: # ZITADEL_FIRSTINSTANCE_PATPATH
+  InstanceName: ZITADEL # ZITADEL_FIRSTINSTANCE_INSTANCENAME
+  DefaultLanguage: en # ZITADEL_FIRSTINSTANCE_DEFAULTLANGUAGE
   Org:
-    Name: ZITADEL
+    Name: ZITADEL # ZITADEL_FIRSTINSTANCE_ORG_NAME
+    # In the FirstInstance.Org.Human section, the initial organization's admin user with the role IAM_OWNER is defined.
+    # ZITADEL either creates a human user or a machine user.
+    # If FirstInstance.Org.Machine.Machine is defined, a service user is created with the IAM_OWNER role, not a human user.
     Human:
-      # in case that UserLoginMustBeDomain is false (default) and you don't overwrite the username with an email,
+      # In case UserLoginMustBeDomain is false (default) and you don't overwrite the username with an email,
       # it will be suffixed by the org domain (org-name + domain from config).
-      # for example: zitadel-admin in org ZITADEL on domain.tld -> zitadel-admin@zitadel.domain.tld
-      UserName: zitadel-admin
-      FirstName: ZITADEL
-      LastName: Admin
-      NickName:
-      DisplayName:
+      # for example zitadel-admin in org ZITADEL on domain.tld -> zitadel-admin@zitadel.domain.tld
+      UserName: zitadel-admin # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME
+      FirstName: ZITADEL # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_FIRSTNAME
+      LastName: Admin # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_LASTNAME
+      NickName: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_NICKNAME
+      DisplayName: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_DISPLAYNAME
       Email:
-        Address: #uses the username if empty
-        Verified: true
-      PreferredLanguage: en
-      Gender:
+        # uses the username if empty
+        Address: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
+        Verified: true # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
+      PreferredLanguage: en # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
+      Gender: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_GENDER
       Phone:
-        Number:
-        Verified:
-      Password: Password1!
-      PasswordChangeRequired: true
+        Number: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PHONE_NUMBER
+        Verified: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
+      Password: Password1! # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD
+      PasswordChangeRequired: true # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED
+    # In the FirstInstance.Org.Machine section, the initial organization's admin user with the role IAM_OWNER is defined.
+    # ZITADEL either creates a human user or a machine user.
+    # If FirstInstance.Org.Machine.Machine is defined, a service user is created with the IAM_OWNER role, not a human user.
     Machine:
       Machine:
-        Username:
-        Name:
+        Username: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_USERNAME
+        Name: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_NAME
       MachineKey:
-        ExpirationDate:
-        Type:
+        # date format: 2023-01-01T00:00:00Z
+        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_EXPIRATIONDATE
+        # Currently, the only supported value is 1 for JSON
+        Type: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE
       Pat:
-        ExpirationDate:
+        # date format: 2023-01-01T00:00:00Z
+        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
 
 CorrectCreationDate:
-  FailAfter: 5m
+  FailAfter: 5m # ZITADEL_CORRECTCREATIONDATE_FAILAFTER
 
 AddEventCreatedAt:
-  BulkAmount: 100
+  BulkAmount: 100 # ZITADEL_ADDEVENTCREATEDAT_BULKAMOUNT

cmd/start/start.go

@@ -36,6 +36,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/auth"
 	"github.com/zitadel/zitadel/internal/api/grpc/management"
 	oidc_v2 "github.com/zitadel/zitadel/internal/api/grpc/oidc/v2"
+	"github.com/zitadel/zitadel/internal/api/grpc/org/v2"
 	"github.com/zitadel/zitadel/internal/api/grpc/session/v2"
 	"github.com/zitadel/zitadel/internal/api/grpc/settings/v2"
 	"github.com/zitadel/zitadel/internal/api/grpc/system"
@@ -351,6 +352,9 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, settings.CreateServer(commands, queries, config.ExternalSecure)); err != nil {
 		return err
 	}
+	if err := apis.RegisterService(ctx, org.CreateServer(commands, queries, permissionCheck)); err != nil {
+		return err
+	}
 	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader, login.IgnoreInstanceEndpoints...)
 	assetsCache := middleware.AssetsCacheInterceptor(config.AssetStorage.Cache.MaxAge, config.AssetStorage.Cache.SharedMaxAge)
 	apis.RegisterHandlerOnPrefix(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator(), store, queries, middleware.CallDurationHandler, instanceInterceptor.Handler, assetsCache.Handler, limitingAccessInterceptor.Handle))