feat: setup and iam commands (#99)

* start org * refactor(eventstore): filter in sql for querier * feat(eventstore): Aggregate precondition preconditions are checked right before insert. Insert is still transaction save * feat(eventstore): check preconditions in repository * test(eventstore): test precondition in models * test(eventstore): precondition-tests * start org * refactor(eventstore): filter in sql for querier * feat(eventstore): Aggregate precondition preconditions are checked right before insert. Insert is still transaction save * feat(admin): start implement org * feat(eventstore): check preconditions in repository * fix(eventstore): data as NULL if empty refactor(eventstore): naming in sequence methods * feat(admin): org command side * feat(management): start org-repo * feat(org): member * fix: replace ObjectRoot.ID with ObjectRoot.AggregateID * aggregateID * add remove,change member * refactor(org): namings * refactor(eventstore): querier as type * fix(precondition): rename validation from precondition to validation * test(eventstore): isErr func instead of wantErr bool * fix(tests): Data * fix(eventstore): correct check for existing events in push, simplify insert statement * fix(eventstore): aggregate id public * test(org): eventsourcing * test(org): eventstore * test(org): deactivate, reactivate, orgbyid * test(org): getMemberByIDs * tests * running tests * add config * add user repo to admin * thorw not found if no org found * iam setup * eventstore tests done * setup iam * lauft * iam eventstore * validate if user is already member of org * modules * delete unused file * iam member * add member validation test * iam member * return error if unable to validat member * generate org id once, set resourceowner of org * start iam repo * set resourceowner on unique aggregates * setup user const * better code * generate files * fix tests * Update internal/admin/repository/eventsourcing/repository.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * set ctx data Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-11 21:47:32 +00:00 · 2020-05-18 11:32:16 +02:00
parent b9c938594c
commit 8203f2dad3
30 changed files with 16472 additions and 13368 deletions
--- a/internal/admin/repository/eventsourcing/repository.go
+++ b/internal/admin/repository/eventsourcing/repository.go
@@ -3,10 +3,14 @@ package eventsourcing
 import (
 	"context"

+	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/eventstore"
+	"github.com/caos/zitadel/internal/admin/repository/eventsourcing/setup"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
 	es_int "github.com/caos/zitadel/internal/eventstore"
+	es_iam "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	es_org "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	es_proj "github.com/caos/zitadel/internal/project/repository/eventsourcing"
 	es_usr "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )

@@ -36,9 +40,24 @@ func Start(conf Config, systemDefaults sd.SystemDefaults) (*EsRepository, error)
 	//conf.Spooler.EsClient = es.Client
 	//conf.Spooler.SQL = sql
 	//spool := spooler.StartSpooler(conf.Spooler)
+	iam, err := es_iam.StartIam(es_iam.IamConfig{
+		Eventstore: es,
+		Cache:      conf.Eventstore.Cache,
+	}, systemDefaults)
+	if err != nil {
+		return nil, err
+	}

 	org := es_org.StartOrg(es_org.OrgConfig{Eventstore: es})

+	project, err := es_proj.StartProject(es_proj.ProjectConfig{
+		Eventstore: es,
+		Cache:      conf.Eventstore.Cache,
+	}, systemDefaults)
+	if err != nil {
+		return nil, err
+	}
+
 	user, err := es_usr.StartUser(es_usr.UserConfig{
 		Eventstore: es,
 		Cache:      conf.Eventstore.Cache,
@@ -46,6 +65,11 @@ func Start(conf Config, systemDefaults sd.SystemDefaults) (*EsRepository, error)
 	if err != nil {
 		return nil, err
 	}
+
+	eventstoreRepos := setup.EventstoreRepos{OrgEvents: org, UserEvents: user, ProjectEvents: project, IamEvents: iam}
+	err = setup.StartSetup(systemDefaults, eventstoreRepos).Execute()
+	logging.Log("SERVE-k280HZ").OnError(err).Panic("failed to execute setup")
+
 	return &EsRepository{
 		OrgRepo: eventstore.OrgRepo{
 			Eventstore:     es,
--- a/internal/admin/repository/eventsourcing/setup/setup.go
+++ b/internal/admin/repository/eventsourcing/setup/setup.go
@@ -0,0 +1,365 @@
+package setup
+
+import (
+	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/config/types"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
+	org_model "github.com/caos/zitadel/internal/org/model"
+	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
+)
+
+type Setup struct {
+	repos       EventstoreRepos
+	iamID       string
+	setUpConfig types.IAMSetUp
+}
+
+type EventstoreRepos struct {
+	IamEvents     *iam_event.IamEventstore
+	OrgEvents     *org_event.OrgEventstore
+	UserEvents    *usr_event.UserEventstore
+	ProjectEvents *proj_event.ProjectEventstore
+}
+
+type initializer struct {
+	*Setup
+	createdUsers    map[string]*usr_model.User
+	createdOrgs     map[string]*org_model.Org
+	createdProjects map[string]*proj_model.Project
+}
+
+const (
+	OrgOwnerRole                     = "ORG_OWNER"
+	SETUP_USER                       = "SETUP"
+	OIDCResponseType_CODE            = "CODE"
+	OIDCResponseType_ID_TOKEN        = "ID_TOKEN"
+	OIDCResponseType_TOKEN           = "TOKEN"
+	OIDCGrantType_AUTHORIZATION_CODE = "AUTHORIZATION_CODE"
+	OIDCGrantType_IMPLICIT           = "IMPLICIT"
+	OIDCGrantType_REFRESH_TOKEN      = "REFRESH_TOKEN"
+	OIDCApplicationType_NATIVE       = "NATIVE"
+	OIDCApplicationType_USER_AGENT   = "USER_AGENT"
+	OIDCApplicationType_WEB          = "WEB"
+	OIDCAuthMethodType_NONE          = "NONE"
+	OIDCAuthMethodType_BASIC         = "BASIC"
+	OIDCAuthMethodType_POST          = "POST"
+)
+
+func StartSetup(sd systemdefaults.SystemDefaults, repos EventstoreRepos) *Setup {
+	return &Setup{
+		repos:       repos,
+		iamID:       sd.IamID,
+		setUpConfig: sd.SetUp,
+	}
+}
+
+func (s *Setup) Execute() error {
+	ctx := context.Background()
+	iam, err := s.repos.IamEvents.IamByID(ctx, s.iamID)
+	if err != nil && !caos_errs.IsNotFound(err) {
+		return err
+	}
+	if iam != nil && iam.SetUpDone {
+		return nil
+	}
+
+	if (iam != nil && !iam.SetUpStarted) || caos_errs.IsNotFound(err) {
+		ctx = setSetUpContextData(ctx, s.iamID)
+		iam, err = s.repos.IamEvents.StartSetup(ctx, s.iamID)
+		if err != nil {
+			return err
+		}
+	}
+
+	setUp := &initializer{
+		Setup:           s,
+		createdUsers:    make(map[string]*usr_model.User),
+		createdOrgs:     make(map[string]*org_model.Org),
+		createdProjects: make(map[string]*proj_model.Project),
+	}
+
+	err = setUp.orgs(ctx, s.setUpConfig.Orgs)
+	if err != nil {
+		logging.Log("SETUP-p4oWq").WithError(err).Error("unable to set up orgs")
+		return err
+	}
+
+	ctx = setSetUpContextData(ctx, s.iamID)
+	err = setUp.iamOwners(ctx, s.setUpConfig.Owners)
+	if err != nil {
+		logging.Log("SETUP-WHr01").WithError(err).Error("unable to set up iam owners")
+		return err
+	}
+
+	err = setUp.setGlobalOrg(ctx)
+	if err != nil {
+		logging.Log("SETUP-0874m").WithError(err).Error("unable to set global org")
+		return err
+	}
+
+	err = setUp.setIamProject(ctx)
+	if err != nil {
+		logging.Log("SETUP-kaWjq").WithError(err).Error("unable to set citadel project")
+		return err
+	}
+
+	iam, err = s.repos.IamEvents.SetupDone(ctx, s.iamID)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (setUp *initializer) orgs(ctx context.Context, orgs []types.Org) error {
+	for _, iamOrg := range orgs {
+		org, err := setUp.org(ctx, iamOrg)
+		if err != nil {
+			logging.LogWithFields("SETUP-IlLif", "Org", iamOrg.Name).WithError(err).Error("unable to create org")
+			return err
+		}
+		setUp.createdOrgs[iamOrg.Name] = org
+
+		ctx = setSetUpContextData(ctx, org.AggregateID)
+		err = setUp.users(ctx, iamOrg.Users)
+		if err != nil {
+			logging.LogWithFields("SETUP-8zfwz", "Org", iamOrg.Name).WithError(err).Error("unable to set up org users")
+			return err
+		}
+
+		err = setUp.orgOwners(ctx, org, iamOrg.Owners)
+		if err != nil {
+			logging.LogWithFields("SETUP-0874m", "Org", iamOrg.Name).WithError(err).Error("unable to set up org owners")
+			return err
+		}
+
+		err = setUp.projects(ctx, iamOrg.Projects)
+		if err != nil {
+			logging.LogWithFields("SETUP-wUzqY", "Org", iamOrg.Name).WithError(err).Error("unable to set up org projects")
+			return err
+		}
+	}
+	return nil
+}
+
+func (setUp *initializer) org(ctx context.Context, org types.Org) (*org_model.Org, error) {
+	ctx = setSetUpContextData(ctx, "")
+	createOrg := &org_model.Org{
+		Name:   org.Name,
+		Domain: org.Domain,
+	}
+	return setUp.repos.OrgEvents.CreateOrg(ctx, createOrg)
+}
+
+func (setUp *initializer) iamOwners(ctx context.Context, owners []string) error {
+	for _, iamOwner := range owners {
+		user, ok := setUp.createdUsers[iamOwner]
+		if !ok {
+			logging.LogWithFields("SETUP-8siew", "Owner", iamOwner).Error("unable to add user to iam members")
+			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-su6L3", "unable to add user to iam members")
+		}
+		_, err := setUp.repos.IamEvents.AddIamMember(ctx, &iam_model.IamMember{ObjectRoot: models.ObjectRoot{AggregateID: setUp.iamID}, UserID: user.AggregateID, Roles: []string{"IAM_OWNER"}})
+		if err != nil {
+			logging.Log("SETUP-LM7rI").WithError(err).Error("unable to add iam administrator to iam members as owner")
+			return err
+		}
+	}
+	return nil
+}
+
+func (setUp *initializer) setGlobalOrg(ctx context.Context) error {
+	globalOrg, ok := setUp.createdOrgs[setUp.setUpConfig.GlobalOrg]
+	if !ok {
+		logging.LogWithFields("SETUP-FBhs9", "GlobalOrg", setUp.setUpConfig.GlobalOrg).Error("global org not created")
+		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-4GwU7", "global org not created: %v", setUp.setUpConfig.GlobalOrg)
+	}
+
+	_, err := setUp.repos.IamEvents.SetGlobalOrg(ctx, setUp.iamID, globalOrg.AggregateID)
+	logging.Log("SETUP-uGMA3").OnError(err).Error("unable to set global org on iam")
+	return err
+}
+
+func (setUp *initializer) setIamProject(ctx context.Context) error {
+	iamProject, ok := setUp.createdProjects[setUp.setUpConfig.IAMProject]
+	if !ok {
+		logging.LogWithFields("SETUP-SJFWP", "Iam Project", setUp.setUpConfig.IAMProject).Error("iam project created")
+		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-sGmQt", "iam project not created: %v", setUp.setUpConfig.IAMProject)
+	}
+
+	_, err := setUp.repos.IamEvents.SetIamProject(ctx, setUp.iamID, iamProject.AggregateID)
+	logging.Log("SETUP-i1pNh").OnError(err).Error("unable to set iam project on iam")
+	return err
+}
+
+func (setUp *initializer) users(ctx context.Context, users []types.User) error {
+	for _, user := range users {
+		created, err := setUp.user(ctx, user)
+		if err != nil {
+			logging.LogWithFields("SETUP-9soer", "Email", user.Email).WithError(err).Error("unable to create iam user")
+			return err
+		}
+		setUp.createdUsers[user.Email] = created
+	}
+	return nil
+}
+
+func (setUp *initializer) user(ctx context.Context, user types.User) (*usr_model.User, error) {
+	createUser := &usr_model.User{
+		Profile: &usr_model.Profile{
+			UserName:  user.UserName,
+			FirstName: user.FirstName,
+			LastName:  user.LastName,
+		},
+		Email: &usr_model.Email{
+			EmailAddress:    user.Email,
+			IsEmailVerified: true,
+		},
+		Password: &usr_model.Password{
+			SecretString: user.Password,
+		},
+	}
+	return setUp.repos.UserEvents.CreateUser(ctx, createUser)
+}
+
+func (setUp *initializer) orgOwners(ctx context.Context, org *org_model.Org, owners []string) error {
+	for _, orgOwner := range owners {
+		user, ok := setUp.createdUsers[orgOwner]
+		if !ok {
+			logging.LogWithFields("SETUP-s9ilr", "Owner", orgOwner).Error("unable to add user to org members")
+			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-s0prs", "unable to add user to org members: %v", orgOwner)
+		}
+		err := setUp.orgOwner(ctx, org, user)
+		if err != nil {
+			logging.Log("SETUP-s90oe").WithError(err).Error("unable to add global org admin to members of global org")
+			return err
+		}
+	}
+	return nil
+}
+
+func (setUp *initializer) orgOwner(ctx context.Context, org *org_model.Org, user *usr_model.User) error {
+	addMember := &org_model.OrgMember{
+		ObjectRoot: models.ObjectRoot{AggregateID: org.AggregateID},
+		UserID:     user.AggregateID,
+		Roles:      []string{OrgOwnerRole},
+	}
+	_, err := setUp.repos.OrgEvents.AddOrgMember(ctx, addMember)
+	return err
+}
+
+func (setUp *initializer) projects(ctx context.Context, projects []types.Project) error {
+	for _, project := range projects {
+		createdProject, err := setUp.project(ctx, project)
+		if err != nil {
+			return err
+		}
+		setUp.createdProjects[createdProject.Name] = createdProject
+		for _, oidc := range project.OIDCApps {
+			_, err := setUp.oidcApp(ctx, createdProject, oidc)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (setUp *initializer) project(ctx context.Context, project types.Project) (*proj_model.Project, error) {
+	addProject := &proj_model.Project{
+		Name: project.Name,
+	}
+	return setUp.repos.ProjectEvents.CreateProject(ctx, addProject)
+}
+
+func (setUp *initializer) oidcApp(ctx context.Context, project *proj_model.Project, oidc types.OIDCApp) (*proj_model.Application, error) {
+	addOIDCApp := &proj_model.Application{
+		ObjectRoot: models.ObjectRoot{AggregateID: project.AggregateID},
+		Name:       oidc.Name,
+		OIDCConfig: &proj_model.OIDCConfig{
+			RedirectUris:           oidc.RedirectUris,
+			ResponseTypes:          getOIDCResponseTypes(oidc.ResponseTypes),
+			GrantTypes:             getOIDCGrantTypes(oidc.GrantTypes),
+			ApplicationType:        getOIDCApplicationType(oidc.ApplicationType),
+			AuthMethodType:         getOIDCAuthMethod(oidc.AuthMethodType),
+			PostLogoutRedirectUris: oidc.PostLogoutRedirectUris,
+		},
+	}
+	return setUp.repos.ProjectEvents.AddApplication(ctx, addOIDCApp)
+}
+
+func getOIDCResponseTypes(responseTypes []string) []proj_model.OIDCResponseType {
+	types := make([]proj_model.OIDCResponseType, len(responseTypes))
+	for i, t := range responseTypes {
+		types[i] = getOIDCResponseType(t)
+	}
+	return types
+}
+
+func getOIDCResponseType(responseType string) proj_model.OIDCResponseType {
+	switch responseType {
+	case OIDCResponseType_CODE:
+		return proj_model.OIDCRESPONSETYPE_CODE
+	case OIDCResponseType_ID_TOKEN:
+		return proj_model.OIDCRESPONSETYPE_ID_TOKEN
+	case OIDCResponseType_TOKEN:
+		return proj_model.OIDCRESPONSETYPE_TOKEN
+	}
+	return proj_model.OIDCRESPONSETYPE_CODE
+}
+
+func getOIDCGrantTypes(grantTypes []string) []proj_model.OIDCGrantType {
+	types := make([]proj_model.OIDCGrantType, len(grantTypes))
+	for i, t := range grantTypes {
+		types[i] = getOIDCGrantType(t)
+	}
+	return types
+}
+
+func getOIDCGrantType(grantTypes string) proj_model.OIDCGrantType {
+	switch grantTypes {
+	case OIDCGrantType_AUTHORIZATION_CODE:
+		return proj_model.OIDCGRANTTYPE_AUTHORIZATION_CODE
+	case OIDCGrantType_IMPLICIT:
+		return proj_model.OIDCGRANTTYPE_IMPLICIT
+	case OIDCGrantType_REFRESH_TOKEN:
+		return proj_model.OIDCGRANTTYPE_REFRESH_TOKEN
+	}
+	return proj_model.OIDCGRANTTYPE_AUTHORIZATION_CODE
+}
+
+func getOIDCApplicationType(appType string) proj_model.OIDCApplicationType {
+	switch appType {
+	case OIDCApplicationType_NATIVE:
+		return proj_model.OIDCAPPLICATIONTYPE_NATIVE
+	case OIDCApplicationType_USER_AGENT:
+		return proj_model.OIDCAPPLICATIONTYPE_USER_AGENT
+	case OIDCApplicationType_WEB:
+		return proj_model.OIDCAPPLICATIONTYPE_WEB
+	}
+	return proj_model.OIDCAPPLICATIONTYPE_WEB
+}
+
+func getOIDCAuthMethod(authMethod string) proj_model.OIDCAuthMethodType {
+	switch authMethod {
+	case OIDCAuthMethodType_NONE:
+		return proj_model.OIDCAUTHMETHODTYPE_NONE
+	case OIDCAuthMethodType_BASIC:
+		return proj_model.OIDCAUTHMETHODTYPE_BASIC
+	case OIDCAuthMethodType_POST:
+		return proj_model.OIDCAUTHMETHODTYPE_POST
+	}
+	return proj_model.OIDCAUTHMETHODTYPE_NONE
+}
+
+func setSetUpContextData(ctx context.Context, orgID string) context.Context {
+	return auth.SetCtxData(ctx, auth.CtxData{UserID: SETUP_USER, OrgID: orgID})
+}