From 855d6b1bd57d1f4177df23d6296f72ccc58dcf77 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Thu, 15 Jun 2023 08:16:39 +0200
Subject: [PATCH] fix: nil pointer on create instance add machine (#6000)

* fix: nil pointer on create instance add machine

* fix: instance setup with machine user pat

* fix: correct logic to write pat and key from setup without configurable scope

---------

Co-authored-by: Livio Spring
---
 cmd/setup/03.go                                    | 51 ++++++++++++++-----
 cmd/setup/config.go                                |  1 +
 cmd/setup/setup.go                                 |  1 +
 cmd/setup/steps.yaml                               |  3 ++
 .../api/grpc/system/instance_converter.go          |  8 ++-
 5 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/cmd/setup/03.go b/cmd/setup/03.go
index 416010946a..ca1e0e21ca 100644
--- a/cmd/setup/03.go
+++ b/cmd/setup/03.go
@@ -23,10 +23,12 @@ type FirstInstance struct {
 	DefaultLanguage language.Tag
 	Org             command.OrgSetup
 	MachineKeyPath  string
+	PatPath         string
 
 	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	smtpEncryptionKey *crypto.KeyConfig
+	oidcEncryptionKey *crypto.KeyConfig
 	masterKey         string
 	db                *sql.DB
 	es                *eventstore.Eventstore
@@ -59,6 +61,14 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		return err
 	}
 
+	if err = verifyKey(mig.oidcEncryptionKey, keyStorage); err != nil {
+		return err
+	}
+	oidcEncryption, err := crypto.NewAESCrypto(mig.oidcEncryptionKey, keyStorage)
+	if err != nil {
+		return err
+	}
+
 	cmd, err := command.StartCommands(mig.es,
 		mig.defaults,
 		mig.zitadelRoles,
@@ -73,13 +83,12 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		nil,
 		userAlg,
 		nil,
-		nil,
+		oidcEncryption,
 		nil,
 		nil,
 		nil,
 		nil,
 	)
-
 	if err != nil {
 		return err
 	}
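Review bot: `PatPath` is added to `FirstInstance` without a comment, and nothing on the struct says that the file receives a personal access token or what an empty value means, even though the commit's `outputStdoutOrPath` helper falls back to stdout in that case. The struct definition starts and ends outside this hunk. I would add `// PatPath is the file the first machine user's personal access token is written to; empty prints it to stdout.` and the matching sentence on `MachineKeyPath`, since both values are secrets an operator will want to keep out of a terminal log.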
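Review bot: `mig.oidcEncryptionKey` is handed to `verifyKey` and `crypto.NewAESCrypto` unconditionally in the second hunk, so the first-instance step now depends on `EncryptionKeys.OIDC` being configured even when no machine PAT is requested; whether a nil config is rejected with an error or dereferenced is decided inside `verifyKey`, which is outside the hunk. `Execute` begins before and continues after this hunk. If the key is only needed to mint the PAT, consider guarding the two calls on `mig.instanceSetup.Org.Machine != nil && mig.instanceSetup.Org.Machine.Pat != nil` and passing nil otherwise (the previous behaviour), or document in the setup config that the OIDC key is now mandatory.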
@@ -101,25 +110,43 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		}
 	}
 
-	_, _, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
-	if key == nil {
+	_, token, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
+	if err != nil {
+		return err
+	}
+	if mig.instanceSetup.Org.Machine != nil &&
+		((mig.instanceSetup.Org.Machine.Pat != nil && token == "") ||
+			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil)) {
 		return err
 	}
 
+	if key != nil {
+		keyDetails, err := key.Detail()
+		if err != nil {
+			return err
+		}
+		if err := outputStdoutOrPath(mig.MachineKeyPath, string(keyDetails)); err != nil {
+			return err
+		}
+	}
+	if token != "" {
+		if err := outputStdoutOrPath(mig.PatPath, token); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func outputStdoutOrPath(path string, content string) (err error) {
 	f := os.Stdout
-	if mig.MachineKeyPath != "" {
-		f, err = os.OpenFile(mig.MachineKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if path != "" {
+		f, err = os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
 		if err != nil {
 			return err
 		}
 		defer f.Close()
 	}
-
-	keyDetails, err := key.Detail()
-	if err != nil {
-		return err
-	}
-	_, err = fmt.Fprintln(f, string(keyDetails))
+	_, err = fmt.Fprintln(f, content)
 	return err
 }
 
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 0d659e6e75..2f1bfbd6fa 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -72,6 +72,7 @@ type Steps struct {
 type encryptionKeyConfig struct {
 	User *crypto.KeyConfig
 	SMTP *crypto.KeyConfig
+	OIDC *crypto.KeyConfig
 }
 
 func MustNewSteps(v *viper.Viper) *Steps {
diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
index 3f42503c2f..76f9637a2e 100644
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
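Review bot: The new guard at `if mig.instanceSetup.Org.Machine != nil && ...` returns `err`, but `err` has already been checked and is nil at that point, so a configured PAT or machine key that was not produced makes `Execute` exit successfully with nothing written; return a real error there, e.g. `return fmt.Errorf("first instance: machine user pat or key was requested but not created")`. Separately, `outputStdoutOrPath` creates the target file with mode `0644` while its content is now a personal access token or a machine key, so any local user can read the credential; use `0600`. The deferred `f.Close()` also discards the close error, so a short write of the secret goes unnoticed; close explicitly and return its error when the write succeeded. `Execute` begins before this hunk; `outputStdoutOrPath` is fully contained in it.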
@@ -75,6 +75,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.FirstInstance.instanceSetup = config.DefaultInstance
 	steps.FirstInstance.userEncryptionKey = config.EncryptionKeys.User
 	steps.FirstInstance.smtpEncryptionKey = config.EncryptionKeys.SMTP
+	steps.FirstInstance.oidcEncryptionKey = config.EncryptionKeys.OIDC
 	steps.FirstInstance.masterKey = masterKey
 	steps.FirstInstance.db = dbClient.DB
 	steps.FirstInstance.es = eventstoreClient
diff --git a/cmd/setup/steps.yaml b/cmd/setup/steps.yaml
index e495276e52..3164ac2f4c 100644
--- a/cmd/setup/steps.yaml
+++ b/cmd/setup/steps.yaml
@@ -1,5 +1,6 @@
 FirstInstance:
   MachineKeyPath:
+  PatPath:
   InstanceName: ZITADEL
   DefaultLanguage: en
   Org:
@@ -30,6 +31,8 @@ FirstInstance:
       MachineKey:
         ExpirationDate:
         Type:
+      Pat:
+        ExpirationDate:
 
 CorrectCreationDate:
   FailAfter: 5m
diff --git a/internal/api/grpc/system/instance_converter.go b/internal/api/grpc/system/instance_converter.go
index 304ab19c24..9aeea3e2c8 100644
--- a/internal/api/grpc/system/instance_converter.go
+++ b/internal/api/grpc/system/instance_converter.go
@@ -113,13 +113,11 @@ func createInstancePbToAddMachine(req *system_pb.CreateInstanceRequest_Machine,
 		// Scopes are currently static and can not be overwritten
 		Scopes: []string{oidc.ScopeOpenID, z_oidc.ScopeUserMetaData, z_oidc.ScopeResourceOwner},
 	}
-
-	if !defaultMachine.Pat.ExpirationDate.IsZero() {
-		pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
-	} else if req.PersonalAccessToken.ExpirationDate.IsValid() {
+	if req.GetPersonalAccessToken().GetExpirationDate().IsValid() {
 		pat.ExpirationDate = req.PersonalAccessToken.ExpirationDate.AsTime()
+	} else if defaultMachine.Pat != nil && !defaultMachine.Pat.ExpirationDate.IsZero() {
+		pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
 	}
-
 	machine.Pat = &pat
 }
 
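Review bot: In the instance_converter hunk, when neither `req.PersonalAccessToken.ExpirationDate` nor `defaultMachine.Pat` supplies a value the new if/else chain leaves `pat.ExpirationDate` as the zero `time.Time`, and nothing here says whether the command layer treats that as "never expires" or rejects it; if it is the former, a request that omits the field on an instance with no configured default silently yields a non-expiring PAT. The nil-safe getters in `req.GetPersonalAccessToken().GetExpirationDate().IsValid()` are correct (a nil Timestamp reports invalid), so the direct `req.PersonalAccessToken.ExpirationDate.AsTime()` on the next line is only reached when the field is set. `createInstancePbToAddMachine` begins before this hunk. I would add above the chain `// request expiry wins over the configured default; with neither set, ExpirationDate stays zero and the command layer decides whether that means no expiry`, or apply an explicit fallback/validation here so the outcome does not depend on a caller elsewhere.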