fix: use correct encryption keys in addHuman and set primary instance domain (#3486)

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-02-28 21:17:23 +00:00 · 2022-04-25 16:36:10 +02:00 · 2022-04-25 16:36:10 +02:00 · 7a507fe63c
commit 7a507fe63c
parent 0b6eb07e2d
5 changed files with 30 additions and 31 deletions
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -312,7 +312,7 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte

 	validations = append(validations,
 		AddOrgCommand(ctx, orgAgg, setup.Org.Name),
-		AddHumanCommand(userAgg, &setup.Org.Human, c.userPasswordAlg, c.smsEncryption, c.smtpEncryption, c.userEncryption),
+		AddHumanCommand(userAgg, &setup.Org.Human, c.userPasswordAlg, c.userEncryption),
 		c.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
 		c.AddInstanceMemberCommand(instanceAgg, userID, domain.RoleIAMOwner),

@ -357,10 +357,15 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup, exte

 		AddOIDCAppCommand(console, nil),
 		SetIAMConsoleID(instanceAgg, &console.ClientID, &setup.zitadel.consoleAppID),
-		c.addGeneratedInstanceDomain(ctx, instanceAgg, setup.InstanceName),
+	)
+	validations = append(validations,
+		c.addGeneratedInstanceDomain(ctx, instanceAgg, setup.InstanceName)...,
 	)
 	if setup.CustomDomain != "" {
-		validations = append(validations, c.addInstanceDomain(instanceAgg, setup.CustomDomain, false))
+		validations = append(validations,
+			c.addInstanceDomain(instanceAgg, setup.CustomDomain, false),
+			setPrimaryInstanceDomain(instanceAgg, setup.CustomDomain),
+		)
 	}

 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)
--- a/internal/command/instance_domain.go
+++ b/internal/command/instance_domain.go
@ -68,9 +68,12 @@ func (c *Commands) RemoveInstanceDomain(ctx context.Context, instanceDomain stri
 	}, nil
 }

-func (c *Commands) addGeneratedInstanceDomain(ctx context.Context, a *instance.Aggregate, instanceName string) preparation.Validation {
+func (c *Commands) addGeneratedInstanceDomain(ctx context.Context, a *instance.Aggregate, instanceName string) []preparation.Validation {
 	domain := domain.NewGeneratedInstanceDomain(instanceName, authz.GetInstance(ctx).RequestedDomain())
-	return c.addInstanceDomain(a, domain, true)
+	return []preparation.Validation{
+		c.addInstanceDomain(a, domain, true),
+		setPrimaryInstanceDomain(a, domain),
+	}
 }

 func (c *Commands) addInstanceDomain(a *instance.Aggregate, instanceDomain string, generated bool) preparation.Validation {
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -37,7 +37,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (*domain.ObjectDet

 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter,
 		AddOrgCommand(ctx, orgAgg, o.Name),
-		AddHumanCommand(userAgg, &o.Human, c.userPasswordAlg, c.smsEncryption, c.smtpEncryption, c.userEncryption),
+		AddHumanCommand(userAgg, &o.Human, c.userPasswordAlg, c.userEncryption),
 		c.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
 	)
 	if err != nil {
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@ -63,7 +63,7 @@ func (c *Commands) AddHuman(ctx context.Context, resourceOwner string, human *Ad
 		return nil, err
 	}
 	agg := user.NewAggregate(userID, resourceOwner)
-	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, AddHumanCommand(agg, human, c.userPasswordAlg, c.smsEncryption, c.smtpEncryption, c.userEncryption))
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, AddHumanCommand(agg, human, c.userPasswordAlg, c.userEncryption))
 	if err != nil {
 		return nil, err
 	}
@ -89,7 +89,7 @@ type humanCreationCommand interface {
 	AddPasswordData(secret *crypto.CryptoValue, changeRequired bool)
 }

-func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.HashAlgorithm, phoneAlg, emailAlg, initCodeAlg crypto.EncryptionAlgorithm) preparation.Validation {
+func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.HashAlgorithm, codeAlg crypto.EncryptionAlgorithm) preparation.Validation {
 	return func() (_ preparation.CreateCommands, err error) {
 		if !human.Email.Valid() {
 			return nil, errors.ThrowInvalidArgument(nil, "USER-Ec7dM", "Errors.Invalid.Argument")
@ -174,7 +174,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			// email not verified or
 			// user not registered and password set
 			if human.shouldAddInitCode() {
-				value, expiry, err := newUserInitCode(ctx, filter, initCodeAlg)
+				value, expiry, err := newUserInitCode(ctx, filter, codeAlg)
 				if err != nil {
 					return nil, err
 				}
@ -184,7 +184,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			if human.Email.Verified {
 				cmds = append(cmds, user.NewHumanEmailVerifiedEvent(ctx, &a.Aggregate))
 			} else {
-				value, expiry, err := newEmailCode(ctx, filter, emailAlg)
+				value, expiry, err := newEmailCode(ctx, filter, codeAlg)
 				if err != nil {
 					return nil, err
 				}
@ -194,7 +194,7 @@ func AddHumanCommand(a *user.Aggregate, human *AddHuman, passwordAlg crypto.Hash
 			if human.Phone.Verified {
 				cmds = append(cmds, user.NewHumanPhoneVerifiedEvent(ctx, &a.Aggregate))
 			} else if human.Phone.Number != "" {
-				value, expiry, err := newPhoneCode(ctx, filter, phoneAlg)
+				value, expiry, err := newPhoneCode(ctx, filter, codeAlg)
 				if err != nil {
 					return nil, err
 				}
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@ -28,9 +28,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 		eventstore      *eventstore.Eventstore
 		idGenerator     id.Generator
 		userPasswordAlg crypto.HashAlgorithm
-		initCodeAlg     crypto.EncryptionAlgorithm
-		emailCodeAlg    crypto.EncryptionAlgorithm
-		phoneAlg        crypto.EncryptionAlgorithm
+		codeAlg         crypto.EncryptionAlgorithm
 	}
 	type args struct {
 		ctx             context.Context
@ -246,9 +244,8 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
-				idGenerator:  id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				initCodeAlg:  crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				emailCodeAlg: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				codeAlg:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -365,8 +362,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
-				initCodeAlg:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				emailCodeAlg:    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				codeAlg:         crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -460,7 +456,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				),
 				idGenerator:     id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
-				initCodeAlg:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				codeAlg:         crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -542,7 +538,7 @@ func TestCommandSide_AddHuman(t *testing.T) {
 					),
 				),
 				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				phoneAlg:    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				codeAlg:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -655,9 +651,8 @@ func TestCommandSide_AddHuman(t *testing.T) {
 						uniqueConstraintsFromEventConstraint(user.NewAddUsernameUniqueConstraint("username", "org1", true)),
 					),
 				),
-				idGenerator:  id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				initCodeAlg:  crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				emailCodeAlg: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				codeAlg:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
 				ctx:   context.Background(),
@ -691,10 +686,8 @@ func TestCommandSide_AddHuman(t *testing.T) {
 			r := &Commands{
 				eventstore:      tt.fields.eventstore,
 				userPasswordAlg: tt.fields.userPasswordAlg,
-				userEncryption:  tt.fields.initCodeAlg,
-				smtpEncryption:  tt.fields.emailCodeAlg,
+				userEncryption:  tt.fields.codeAlg,
 				idGenerator:     tt.fields.idGenerator,
-				smsEncryption:   tt.fields.phoneAlg,
 			}
 			got, err := r.AddHuman(tt.args.ctx, tt.args.orgID, tt.args.human)
 			if tt.res.err == nil {
@ -2828,9 +2821,7 @@ func TestAddHumanCommand(t *testing.T) {
 		human       *AddHuman
 		passwordAlg crypto.HashAlgorithm
 		filter      preparation.FilterToQueryReducer
-		phoneAlg    crypto.EncryptionAlgorithm
-		emailAlg    crypto.EncryptionAlgorithm
-		initCodeAlg crypto.EncryptionAlgorithm
+		codeAlg     crypto.EncryptionAlgorithm
 	}
 	agg := user.NewAggregate("id", "ro")
 	tests := []struct {
@ -2984,7 +2975,7 @@ func TestAddHumanCommand(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			AssertValidation(t, AddHumanCommand(tt.args.a, tt.args.human, tt.args.passwordAlg, tt.args.phoneAlg, tt.args.emailAlg, tt.args.initCodeAlg), tt.args.filter, tt.want)
+			AssertValidation(t, AddHumanCommand(tt.args.a, tt.args.human, tt.args.passwordAlg, tt.args.codeAlg), tt.args.filter, tt.want)
 		})
 	}
 }