feat: handle instance from context (#3382)

* commander * commander * selber! * move to packages * fix(errors): implement Is interface * test: command * test: commands * add init steps * setup tenant * add default step yaml * possibility to set password * merge v2 into v2-commander * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: rename iam command side to instance * fix: search query builder can filter events in memory * fix: filters for add member * fix(setup): add `ExternalSecure` to config * chore: name iam to instance * fix: matching * remove unsued func * base url * base url * test(command): filter funcs * test: commands * fix: rename orgiampolicy to domain policy * start from init * commands * config * fix indexes and add constraints * fixes * fix: merge conflicts * fix: protos * fix: md files * setup * add deprecated org iam policy again * typo * fix search query * fix filter * Apply suggestions from code review * remove custom org from org setup * add todos for verification * change apps creation * simplify package structure * fix error * move preparation helper for tests * fix unique constraints * fix config mapping in setup * fix error handling in encryption_keys.go * fix projection config * fix query from old views to projection * fix setup of mgmt api * set iam project and fix instance projection * fix tokens view * fix steps.yaml and defaults.yaml * fix projections * change instance context to interface * instance interceptors and additional events in setup * cleanup * tests for interceptors * fix label policy * add todo * single api endpoint in environment.json Co-authored-by: adlerhurst <silvan.reusser@gmail.com> Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2025-08-11 21:37:32 +00:00 · 2022-03-29 11:53:19 +02:00
parent c5b99274d7
commit 958362e6c9
101 changed files with 1520 additions and 274 deletions
--- a/cmd/admin/setup/01_sql/auth.sql
+++ b/cmd/admin/setup/01_sql/auth.sql
@@ -127,6 +127,7 @@ CREATE TABLE auth.tokens (
    audience STRING[] NULL,
    preferred_language STRING NULL,
    refresh_token_id STRING NULL,
+    is_pat BOOL NOT NULL DEFAULT false,
    instance_id STRING NULL,

    PRIMARY KEY (id),
--- a/cmd/admin/setup/steps.yaml
+++ b/cmd/admin/setup/steps.yaml
@@ -22,7 +22,7 @@ S2DefaultInstance:
    PasswordAgePolicy:
      ExpireWarnDays: 0
      MaxAgeDays: 0
-    OrgIAMPolicy:
+    DomainPolicy:
      UserLoginMustBeDomain: true
    LoginPolicy:
      AllowUsernamePassword: true
--- a/cmd/admin/start/config.go
+++ b/cmd/admin/start/config.go
@@ -2,6 +2,8 @@ package start

 import (
 	"github.com/caos/logging"
+	"github.com/spf13/viper"
+
 	admin_es "github.com/caos/zitadel/internal/admin/repository/eventsourcing"
 	internal_authz "github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/http/middleware"
@@ -16,7 +18,6 @@ import (
 	"github.com/caos/zitadel/internal/notification"
 	"github.com/caos/zitadel/internal/query/projection"
 	static_config "github.com/caos/zitadel/internal/static/config"
-	"github.com/spf13/viper"
 )

 type Config struct {
@@ -25,6 +26,8 @@ type Config struct {
 	ExternalPort    uint16
 	ExternalDomain  string
 	ExternalSecure  bool
+	HTTP2HostHeader string
+	HTTP1HostHeader string
 	Database        database.Config
 	Projections     projection.Config
 	AuthZ           authz.Config
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	_ "embed"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -139,7 +138,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	}
 	verifier := internal_authz.Start(repo)

-	apis := api.New(config.Port, router, &repo, config.InternalAuthZ, config.ExternalSecure)
+	apis := api.New(config.Port, router, &repo, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader)
 	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.OIDC, keys.User)
 	if err != nil {
 		return fmt.Errorf("error starting auth repo: %w", err)
@@ -164,9 +163,10 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return err
 	}
+	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader)

 	issuer := oidc.Issuer(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
-	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, issuer, login.DefaultLoggedOutPath, commands, queries, authRepo, config.SystemDefaults.KeyConfig, keys.OIDC, keys.OIDCKey, eventstore, dbClient, keyChan, userAgentInterceptor)
+	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, issuer, login.DefaultLoggedOutPath, commands, queries, authRepo, config.SystemDefaults.KeyConfig, keys.OIDC, keys.OIDCKey, eventstore, dbClient, keyChan, userAgentInterceptor, instanceInterceptor.Handler)
 	if err != nil {
 		return fmt.Errorf("unable to start oidc provider: %w", err)
 	}
@@ -178,18 +178,14 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	}
 	apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)

-	consoleID, err := consoleClientID(ctx, queries)
-	if err != nil {
-		return fmt.Errorf("unable to get client_id for console: %w", err)
-	}
 	baseURL := http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
-	c, err := console.Start(config.Console, config.ExternalDomain, baseURL, issuer, consoleID)
+	c, err := console.Start(config.Console, config.ExternalDomain, baseURL, issuer, instanceInterceptor.Handler)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
 	}
 	apis.RegisterHandler(console.HandlerPrefix, c)

-	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix, config.ExternalDomain, baseURL, oidc.AuthCallback, config.ExternalSecure, userAgentInterceptor, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
+	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix, config.ExternalDomain, baseURL, oidc.AuthCallback, config.ExternalSecure, userAgentInterceptor, instanceInterceptor.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
 	if err != nil {
 		return fmt.Errorf("unable to start login: %w", err)
 	}
@@ -236,29 +232,3 @@ func shutdownServer(ctx context.Context, server *http.Server) error {
 	logging.New().Info("server shutdown gracefully")
 	return nil
 }
-
-//TODO:!!??!!
-func consoleClientID(ctx context.Context, queries *query.Queries) (string, error) {
-	iam, err := queries.Instance(ctx)
-	if err != nil {
-		return "", err
-	}
-	projectID, err := query.NewAppProjectIDSearchQuery(iam.IAMProjectID)
-	if err != nil {
-		return "", err
-	}
-	name, err := query.NewAppNameSearchQuery(query.TextContainsIgnoreCase, "console") //TODO:!!??!!
-	if err != nil {
-		return "", err
-	}
-	apps, err := queries.SearchApps(ctx, &query.AppSearchQueries{
-		Queries: []query.SearchQuery{projectID, name},
-	})
-	if err != nil {
-		return "", err
-	}
-	if len(apps.Apps) != 1 || apps.Apps[0].OIDCConfig == nil {
-		return "", errors.New("invalid app")
-	}
-	return apps.Apps[0].OIDCConfig.ClientID, nil
-}