fix: nil pointer on create instance add machine (#6000)

* fix: nil pointer on create instance add machine * fix: instance setup with machine user pat * fix: correct logic to write pat and key from setup without configurable scope --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-02-28 20:37:23 +00:00 · 2023-06-15 08:16:39 +02:00 · 2023-06-15 08:16:39 +02:00 · 855d6b1bd5
commit 855d6b1bd5
parent 2e323e8044
5 changed files with 47 additions and 17 deletions
--- a/cmd/setup/03.go
+++ b/cmd/setup/03.go
@ -23,10 +23,12 @@ type FirstInstance struct {
 	DefaultLanguage language.Tag
 	Org             command.OrgSetup
 	MachineKeyPath  string
+	PatPath         string

 	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	smtpEncryptionKey *crypto.KeyConfig
+	oidcEncryptionKey *crypto.KeyConfig
 	masterKey         string
 	db                *sql.DB
 	es                *eventstore.Eventstore
@ -59,6 +61,14 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		return err
 	}

+	if err = verifyKey(mig.oidcEncryptionKey, keyStorage); err != nil {
+		return err
+	}
+	oidcEncryption, err := crypto.NewAESCrypto(mig.oidcEncryptionKey, keyStorage)
+	if err != nil {
+		return err
+	}
+
 	cmd, err := command.StartCommands(mig.es,
 		mig.defaults,
 		mig.zitadelRoles,
@ -73,13 +83,12 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		nil,
 		userAlg,
 		nil,
-		nil,
+		oidcEncryption,
 		nil,
 		nil,
 		nil,
 		nil,
 	)
-
 	if err != nil {
 		return err
 	}
@ -101,25 +110,43 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		}
 	}

-	_, _, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
-	if key == nil {
+	_, token, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
+	if err != nil {
+		return err
+	}
+	if mig.instanceSetup.Org.Machine != nil &&
+		((mig.instanceSetup.Org.Machine.Pat != nil && token == "") ||
+			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil)) {
 		return err
 	}

+	if key != nil {
+		keyDetails, err := key.Detail()
+		if err != nil {
+			return err
+		}
+		if err := outputStdoutOrPath(mig.MachineKeyPath, string(keyDetails)); err != nil {
+			return err
+		}
+	}
+	if token != "" {
+		if err := outputStdoutOrPath(mig.PatPath, token); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func outputStdoutOrPath(path string, content string) (err error) {
 	f := os.Stdout
-	if mig.MachineKeyPath != "" {
-		f, err = os.OpenFile(mig.MachineKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if path != "" {
+		f, err = os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
 		if err != nil {
 			return err
 		}
 		defer f.Close()
 	}
-
-	keyDetails, err := key.Detail()
-	if err != nil {
-		return err
-	}
-	_, err = fmt.Fprintln(f, string(keyDetails))
+	_, err = fmt.Fprintln(f, content)
 	return err
 }

--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@ -72,6 +72,7 @@ type Steps struct {
 type encryptionKeyConfig struct {
 	User *crypto.KeyConfig
 	SMTP *crypto.KeyConfig
+	OIDC *crypto.KeyConfig
 }

 func MustNewSteps(v *viper.Viper) *Steps {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@ -75,6 +75,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.FirstInstance.instanceSetup = config.DefaultInstance
 	steps.FirstInstance.userEncryptionKey = config.EncryptionKeys.User
 	steps.FirstInstance.smtpEncryptionKey = config.EncryptionKeys.SMTP
+	steps.FirstInstance.oidcEncryptionKey = config.EncryptionKeys.OIDC
 	steps.FirstInstance.masterKey = masterKey
 	steps.FirstInstance.db = dbClient.DB
 	steps.FirstInstance.es = eventstoreClient
--- a/cmd/setup/steps.yaml
+++ b/cmd/setup/steps.yaml
@ -1,5 +1,6 @@
 FirstInstance:
  MachineKeyPath:
+  PatPath:
  InstanceName: ZITADEL
  DefaultLanguage: en
  Org:
@ -30,6 +31,8 @@ FirstInstance:
      MachineKey:
        ExpirationDate:
        Type:
+      Pat:
+        ExpirationDate:

 CorrectCreationDate:
  FailAfter: 5m
--- a/internal/api/grpc/system/instance_converter.go
+++ b/internal/api/grpc/system/instance_converter.go
@ -113,13 +113,11 @@ func createInstancePbToAddMachine(req *system_pb.CreateInstanceRequest_Machine,
 			// Scopes are currently static and can not be overwritten
 			Scopes: []string{oidc.ScopeOpenID, z_oidc.ScopeUserMetaData, z_oidc.ScopeResourceOwner},
 		}
-
-		if !defaultMachine.Pat.ExpirationDate.IsZero() {
-			pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
-		} else if req.PersonalAccessToken.ExpirationDate.IsValid() {
+		if req.GetPersonalAccessToken().GetExpirationDate().IsValid() {
 			pat.ExpirationDate = req.PersonalAccessToken.ExpirationDate.AsTime()
+		} else if defaultMachine.Pat != nil && !defaultMachine.Pat.ExpirationDate.IsZero() {
+			pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
 		}
-
 		machine.Pat = &pat
 	}