chore: setup human admin on localhost

acceptance/setup.sh

@@ -30,7 +30,7 @@ TOKEN_RESPONSE=$(curl -s --request POST \
 echo "Got response from token endpoint:"
 echo "${TOKEN_RESPONSE}" | jq
 
-TOKEN=$(echo -n ${TOKEN_RESPONSE} | jq -r '.access_token')
+TOKEN=$(echo -n ${TOKEN_RESPONSE} | jq --raw-output '.access_token')
 echo "Extracted access token ${TOKEN}"
 
 ORG_RESPONSE=$(curl -s --request GET \
@@ -41,7 +41,7 @@ ORG_RESPONSE=$(curl -s --request GET \
 echo "Got default org response:"
 echo "${ORG_RESPONSE}" | jq
 
-ORG_ID=$(echo -n ${ORG_RESPONSE} | jq -r '.org.id')
+ORG_ID=$(echo -n ${ORG_RESPONSE} | jq --raw-output '.org.id')
 echo "Extracted default org id ${ORG_ID}"
 
 ENVIRONMENT_BACKUP_FILE=${WRITE_ENVIRONMENT_FILE}
@@ -69,4 +69,78 @@ echo "ZITADEL_API_URL=${AUDIENCE}
 ZITADEL_ORG_ID=${ORG_ID}
 ZITADEL_SERVICE_USER_TOKEN=${TOKEN}" > ${WRITE_ENVIRONMENT_FILE}
 echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
-cat ${WRITE_ENVIRONMENT_FILE}
+cat ${WRITE_ENVIRONMENT_FILE}
+
+if ! grep -q 'localhost' ${WRITE_ENVIRONMENT_FILE}; then
+  echo "Not developing against localhost, so creating a human user might not be necessary"
+  exit 0
+fi
+
+HUMAN_USER_USERNAME="zitadel-admin@zitadel.localhost"
+HUMAN_USER_PASSWORD="Password1!"
+
+HUMAN_USER_PAYLOAD=$(cat << EOM
+{
+  "userName": "${HUMAN_USER_USERNAME}",
+  "profile": {
+    "firstName": "ZITADEL",
+    "lastName": "Admin",
+    "displayName": "ZITADEL Admin",
+    "preferredLanguage": "en"
+  },
+  "email": {
+    "email": "zitadel-admin@zitadel.localhost",
+    "isEmailVerified": true
+  },
+  "password": "${HUMAN_USER_PASSWORD}",
+  "passwordChangeRequired": false
+}
+EOM
+)
+echo "Creating human user"
+echo "${HUMAN_USER_PAYLOAD}" | jq
+
+HUMAN_USER_RESPONSE=$(curl -s --request POST \
+  --url ${SERVICE}/management/v1/users/human/_import \
+  --header 'Content-Type: application/json' \
+  --header 'Accept: application/json' \
+  --header "Authorization: Bearer ${TOKEN}" \
+  --header "Host: ${AUDIENCE_HOST}" \
+  --data-raw "${HUMAN_USER_PAYLOAD}")
+echo "Create human user response"
+echo "${HUMAN_USER_RESPONSE}" | jq
+
+if [ "$(echo -n "${HUMAN_USER_RESPONSE}" | jq --raw-output '.code')" == "6" ]; then
+  echo "admin user already exists"
+  exit 0
+fi
+
+HUMAN_USER_ID=$(echo -n ${HUMAN_USER_RESPONSE} | jq --raw-output '.userId')
+echo "Extracted human user id ${HUMAN_USER_ID}"
+
+HUMAN_ADMIN_PAYLOAD=$(cat << EOM
+{
+  "userId": "${HUMAN_USER_ID}",
+  "roles": [
+    "IAM_OWNER"
+  ]
+}
+EOM
+)
+echo "Granting iam owner to human user"
+echo "${HUMAN_ADMIN_PAYLOAD}" | jq
+
+HUMAN_ADMIN_RESPONSE=$(curl -s --request POST \
+  --url ${SERVICE}/admin/v1/members \
+  --header 'Content-Type: application/json' \
+  --header 'Accept: application/json' \
+  --header "Authorization: Bearer ${TOKEN}" \
+  --header "Host: ${AUDIENCE_HOST}" \
+  --data-raw "${HUMAN_ADMIN_PAYLOAD}")
+
+echo "Grant iam owner to human user response"
+echo "${HUMAN_ADMIN_RESPONSE}" | jq
+
+echo "You can now log in at ${AUDIENCE}/ui/login"
+echo "username: ${HUMAN_USER_USERNAME}"
+echo "password: ${HUMAN_USER_PASSWORD}"

acceptance/zitadel.yaml

@@ -16,3 +16,7 @@ Logstore:
   Access:
     Stdout:
       Enabled: true
+
+DefaultInstance:
+  LoginPolicy:
+    MfaInitSkipLifetime: 0h