fixup! fixup! fixup! Merge branch 'main' into fix_adding_org_same_id_twice

cmd/defaults.yaml

@@ -526,13 +526,13 @@ OIDC:
       CharSet: "BCDFGHJKLMNPQRSTVWXZ" # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARSET
       CharAmount: 8 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARARMOUNT
       DashInterval: 4 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_DASHINTERVAL
-  DefaultLoginURLV2: "/login?authRequest=" # ZITADEL_OIDC_DEFAULTLOGINURLV2
-  DefaultLogoutURLV2: "/logout?post_logout_redirect=" # ZITADEL_OIDC_DEFAULTLOGOUTURLV2
+  DefaultLoginURLV2: "/ui/v2/login/login?authRequest=" # ZITADEL_OIDC_DEFAULTLOGINURLV2
+  DefaultLogoutURLV2: "/ui/v2/login/logout?post_logout_redirect=" # ZITADEL_OIDC_DEFAULTLOGOUTURLV2
   PublicKeyCacheMaxAge: 24h # ZITADEL_OIDC_PUBLICKEYCACHEMAXAGE
   DefaultBackChannelLogoutLifetime: 15m # ZITADEL_OIDC_DEFAULTBACKCHANNELLOGOUTLIFETIME
 
 SAML:
-  DefaultLoginURLV2: "/login?authRequest=" # ZITADEL_SAML_DEFAULTLOGINURLV2
+  DefaultLoginURLV2: "/ui/v2/login/login?samlRequest=" # ZITADEL_SAML_DEFAULTLOGINURLV2
   ProviderConfig:
     MetadataConfig:
       Path: "/metadata" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_PATH
@@ -839,6 +839,13 @@ DefaultInstance:
       Pat:
         # date format: 2023-01-01T00:00:00Z
         ExpirationDate: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
+    LoginClient:
+      Machine:
+        Username: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME
+        Name: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME
+      Pat:
+        # date format: 2023-01-01T00:00:00Z
+        ExpirationDate: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE
   SecretGenerators:
     ClientSecret:
       Length: 64 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_LENGTH
@@ -1131,8 +1138,8 @@ DefaultInstance:
     # OIDCSingleV1SessionTermination: false # ZITADEL_DEFAULTINSTANCE_FEATURES_OIDCSINGLEV1SESSIONTERMINATION
     # DisableUserTokenEvent: false # ZITADEL_DEFAULTINSTANCE_FEATURES_DISABLEUSERTOKENEVENT
     # EnableBackChannelLogout: false # ZITADEL_DEFAULTINSTANCE_FEATURES_ENABLEBACKCHANNELLOGOUT
-    # LoginV2:
-    #  Required: false # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
+    LoginV2:
+      Required: true # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
     #  BaseURI: "" # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_BASEURI
     # PermissionCheckV2: false # ZITADEL_DEFAULTINSTANCE_FEATURES_PERMISSIONCHECKV2
     # ConsoleUseV2UserApi: false # ZITADEL_DEFAULTINSTANCE_FEATURES_CONSOLEUSEV2USERAPI
@@ -1196,6 +1203,37 @@ DefaultInstance:
 # If an audit log retention is set using an instance limit, it will overwrite the system default.
 AuditLogRetention: 0s # ZITADEL_AUDITLOGRETENTION
 
+# The ServicePing are periodic reports of analytics data and the usage of ZITADEL.
+# It is sent to a central endpoint to help us improve ZITADEL.
+# It's enabled by default, but you can opt out either completely or by disabling specific telemetry data.
+ServicePing:
+  # By setting Enabled to false, the service ping is disabled completely.
+  Enabled: true # ZITADEL_SERVICEPING_ENABLED
+  # The endpoint to which the reports are sent. The endpoint is used as a base path. Individual reports are sent to the endpoint with a specific path.
+  Endpoint: "https://zitadel.cloud/api/ping" # ZITADEL_SERVICEPING_ENDPOINT
+  # Interval at which the service ping is sent to the endpoint.
+  # The interval is in the format of a cron expression.
+  # By default, it is set to every day at midnight:
+  Interval: "0 0 * * *" # ZITADEL_SERVICEPING_INTERVAL
+  # Maximum number of attempts for each individual report to be sent.
+  # If one report fails, it will be retried up to this number of times.
+  # Other reports will still be handled in parallel and have their own retry count.
+  # This means if the base information only succeeded after 3 attempts,
+  # the resource count still has 5 attempts to be sent.
+  MaxAttempts: 5 # ZITADEL_SERVICEPING_MAXATTEMPTS
+  # The following features can be enabled or disabled individually.
+  # By default, all features are enabled.
+  # Note that if the service ping is enabled, base information about the system is always sent.
+  # This includes the version and the id, creation date and domains of all instances.
+  # If you disable a feature, it will not be sent in the service ping.
+  # Some features provide additional configuration options, if enabled.
+  Telemetry:
+    # ResourceCount is a periodic report of the number of resources in ZITADEL.
+    # This includes the number of users, organizations, projects, and other resources.
+    ResourceCount:
+        Enabled: true # ZITADEL_SERVICEPING_TELEMETRY_RESOURCECOUNT_ENABLED
+        BulkSize: 10000 # ZITADEL_SERVICEPING_TELEMETRY_RESOURCECOUNT_BULKSIZE
+
 InternalAuthZ:
   # Configure the RolePermissionMappings by environment variable using JSON notation:
   # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]'

cmd/setup/03.go

@@ -20,12 +20,13 @@ import (
 )
 
 type FirstInstance struct {
-	InstanceName    string
-	DefaultLanguage language.Tag
-	Org             command.InstanceOrgSetup
-	MachineKeyPath  string
-	PatPath         string
-	Features        *command.InstanceFeatures
+	InstanceName       string
+	DefaultLanguage    language.Tag
+	Org                command.InstanceOrgSetup
+	MachineKeyPath     string
+	PatPath            string
+	LoginClientPatPath string
+	Features           *command.InstanceFeatures
 
 	Skip bool
 
@@ -121,16 +122,18 @@ func (mig *FirstInstance) Execute(ctx context.Context, _ eventstore.Event) error
 		}
 	}
 
-	_, token, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
+	_, token, key, loginClientToken, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
 	if err != nil {
 		return err
 	}
-	if mig.instanceSetup.Org.Machine != nil &&
+	if (mig.instanceSetup.Org.Machine != nil &&
 		((mig.instanceSetup.Org.Machine.Pat != nil && token == "") ||
-			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil)) {
+			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil))) ||
+		(mig.instanceSetup.Org.LoginClient != nil &&
+			(mig.instanceSetup.Org.LoginClient.Pat != nil && loginClientToken == "")) {
 		return err
 	}
-	return mig.outputMachineAuthentication(key, token)
+	return mig.outputMachineAuthentication(key, token, loginClientToken)
 }
 
 func (mig *FirstInstance) verifyEncryptionKeys(ctx context.Context) (*crypto_db.Database, error) {
@@ -150,7 +153,7 @@ func (mig *FirstInstance) verifyEncryptionKeys(ctx context.Context) (*crypto_db.
 	return keyStorage, nil
 }
 
-func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, token string) error {
+func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, token, loginClientToken string) error {
 	if key != nil {
 		keyDetails, err := key.Detail()
 		if err != nil {
@@ -165,6 +168,11 @@ func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, t
 			return err
 		}
 	}
+	if loginClientToken != "" {
+		if err := outputStdoutOrPath(mig.LoginClientPatPath, loginClientToken); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 

cmd/setup/60.go

@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/serviceping"
+	"github.com/zitadel/zitadel/internal/v2/system"
+)
+
+type GenerateSystemID struct {
+	eventstore *eventstore.Eventstore
+}
+
+func (mig *GenerateSystemID) Execute(ctx context.Context, _ eventstore.Event) error {
+	id, err := serviceping.GenerateSystemID()
+	if err != nil {
+		return err
+	}
+	_, err = mig.eventstore.Push(ctx, system.NewIDGeneratedEvent(ctx, id))
+	return err
+}
+
+func (mig *GenerateSystemID) String() string {
+	return "60_generate_system_id"
+}

cmd/setup/config.go

@@ -156,6 +156,7 @@ type Steps struct {
 	s57CreateResourceCounts                 *CreateResourceCounts
 	s58ReplaceLoginNames3View               *ReplaceLoginNames3View
 	s59SetupWebkeys                         *SetupWebkeys
+	s60GenerateSystemID                     *GenerateSystemID
 	s61AddUIDniqueConstraintsForOrgs        *AddIDUniqueConstraintsForOrgs
 }
 

cmd/setup/setup.go

@@ -217,6 +217,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s56IDPTemplate6SAMLFederatedLogout = &IDPTemplate6SAMLFederatedLogout{dbClient: dbClient}
 	steps.s57CreateResourceCounts = &CreateResourceCounts{dbClient: dbClient}
 	steps.s58ReplaceLoginNames3View = &ReplaceLoginNames3View{dbClient: dbClient}
+	steps.s60GenerateSystemID = &GenerateSystemID{eventstore: eventstoreClient}
 	steps.s61AddUIDniqueConstraintsForOrgs = &AddIDUniqueConstraintsForOrgs{eventstore: eventstoreClient, dbClient: dbClient}
 
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
@@ -265,6 +266,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s56IDPTemplate6SAMLFederatedLogout,
 		steps.s57CreateResourceCounts,
 		steps.s58ReplaceLoginNames3View,
+		steps.s60GenerateSystemID,
 		steps.s61AddUIDniqueConstraintsForOrgs,
 	} {
 		setupErr = executeMigration(ctx, eventstoreClient, step, "migration failed")

cmd/setup/steps.yaml

@@ -6,6 +6,7 @@ FirstInstance:
   MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
   # The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.
   PatPath: # ZITADEL_FIRSTINSTANCE_PATPATH
+  LoginClientPatPath: # ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH
   InstanceName: ZITADEL # ZITADEL_FIRSTINSTANCE_INSTANCENAME
   DefaultLanguage: en # ZITADEL_FIRSTINSTANCE_DEFAULTLANGUAGE
   Org:
@@ -46,6 +47,13 @@ FirstInstance:
       Pat:
         # date format: 2023-01-01T00:00:00Z
         ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
+    LoginClient:
+      Machine:
+        Username: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME
+        Name: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME
+      Pat:
+        # date format: 2023-01-01T00:00:00Z
+        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE
 
 CorrectCreationDate:
   FailAfter: 5m # ZITADEL_CORRECTCREATIONDATE_FAILAFTER

cmd/start/config.go

@@ -32,6 +32,7 @@ import (
 	"github.com/zitadel/zitadel/internal/logstore"
 	"github.com/zitadel/zitadel/internal/notification/handlers"
 	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/serviceping"
 	static_config "github.com/zitadel/zitadel/internal/static/config"
 	metrics "github.com/zitadel/zitadel/internal/telemetry/metrics/config"
 	profiler "github.com/zitadel/zitadel/internal/telemetry/profiler/config"
@@ -81,6 +82,7 @@ type Config struct {
 	LogStore            *logstore.Configs
 	Quotas              *QuotasConfig
 	Telemetry           *handlers.TelemetryPusherConfig
+	ServicePing         *serviceping.Config
 }
 
 type QuotasConfig struct {

cmd/start/start.go

@@ -99,6 +99,7 @@ import (
 	"github.com/zitadel/zitadel/internal/notification"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/queue"
+	"github.com/zitadel/zitadel/internal/serviceping"
 	"github.com/zitadel/zitadel/internal/static"
 	es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
 	es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
@@ -317,10 +318,20 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
 	)
 	execution.Start(ctx)
 
+	// the service ping and it's workers need to be registered before starting the queue
+	if err := serviceping.Register(ctx, q, queries, eventstoreClient, config.ServicePing); err != nil {
+		return err
+	}
+
 	if err = q.Start(ctx); err != nil {
 		return err
 	}
 
+	// the scheduler / periodic jobs need to be started after the queue already runs
+	if err = serviceping.Start(config.ServicePing, q); err != nil {
+		return err
+	}
+
 	router := mux.NewRouter()
 	tlsConfig, err := config.TLS.Config()
 	if err != nil {