fix: v2 human command (#3435)

* add/register human command done

* validations

* crypto

* move clientid

* keys

* fix: clientID

* remove v2 package

* tests

* tests running

* revert old code

* instance domain from ctx

* chore: rename zitadel app ids

* comments

* fix: test

cmd/admin/initialise/sql/09_events_table.sql

@@ -12,14 +12,14 @@ CREATE TABLE eventstore.events (
 	, editor_user TEXT NOT NULL 
 	, editor_service TEXT NOT NULL
 	, resource_owner TEXT NOT NULL
-	, instance_id TEXT
+	, instance_id TEXT NOT NULL
 
-	, PRIMARY KEY (event_sequence DESC) USING HASH WITH BUCKET_COUNT = 10
-	, INDEX agg_type_agg_id (aggregate_type, aggregate_id)
-	, INDEX agg_type (aggregate_type)
-	, INDEX agg_type_seq (aggregate_type, event_sequence DESC) 
-		STORING (id, event_type, aggregate_id, aggregate_version, previous_aggregate_sequence, creation_date, event_data, editor_user, editor_service, resource_owner, instance_id, previous_aggregate_type_sequence)
-	, INDEX max_sequence (aggregate_type, aggregate_id, event_sequence DESC)
-	, CONSTRAINT previous_sequence_unique UNIQUE (previous_aggregate_sequence DESC)
-	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence)
+	, PRIMARY KEY (event_sequence DESC, instance_id) USING HASH WITH BUCKET_COUNT = 10
+	, INDEX agg_type_agg_id (aggregate_type, aggregate_id, instance_id)
+	, INDEX agg_type (aggregate_type, instance_id)
+	, INDEX agg_type_seq (aggregate_type, event_sequence DESC, instance_id) 
+		STORING (id, event_type, aggregate_id, aggregate_version, previous_aggregate_sequence, creation_date, event_data, editor_user, editor_service, resource_owner, previous_aggregate_type_sequence)
+	, INDEX max_sequence (aggregate_type, aggregate_id, event_sequence DESC, instance_id)
+	, CONSTRAINT previous_sequence_unique UNIQUE (previous_aggregate_sequence DESC, instance_id)
+	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence, instance_id)
 )

cmd/admin/setup/02.go

@@ -3,7 +3,6 @@ package setup
 import (
 	"context"
 	"database/sql"
-	_ "embed"
 )
 
 const (

cmd/admin/setup/03.go

@@ -2,21 +2,62 @@ package setup
 
 import (
 	"context"
+	"database/sql"
+	"fmt"
 
-	"github.com/caos/zitadel/internal/command/v2"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/command"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/crypto"
+	crypto_db "github.com/caos/zitadel/internal/crypto/database"
+	"github.com/caos/zitadel/internal/eventstore"
 )
 
 type DefaultInstance struct {
-	cmd           *command.Command
 	InstanceSetup command.InstanceSetup
+
+	userEncryptionKey *crypto.KeyConfig
+	masterKey         string
+	db                *sql.DB
+	es                *eventstore.Eventstore
+	domain            string
+	defaults          systemdefaults.SystemDefaults
+	zitadelRoles      []authz.RoleMapping
 }
 
 func (mig *DefaultInstance) Execute(ctx context.Context) error {
-	_, err := mig.cmd.SetUpInstance(ctx, &mig.InstanceSetup)
+	keyStorage, err := crypto_db.NewKeyStorage(mig.db, mig.masterKey)
+	if err != nil {
+		return fmt.Errorf("cannot start key storage: %w", err)
+	}
+	if err = verifyKey(mig.userEncryptionKey, keyStorage); err != nil {
+		return err
+	}
 
+	userAlg, err := crypto.NewAESCrypto(mig.userEncryptionKey, keyStorage)
+	if err != nil {
+		return err
+	}
+
+	cmd := command.NewCommandV2(mig.es, mig.defaults, userAlg, mig.zitadelRoles)
+
+	ctx = authz.WithRequestedDomain(ctx, mig.domain)
+	_, err = cmd.SetUpInstance(ctx, &mig.InstanceSetup)
 	return err
 }
 
 func (mig *DefaultInstance) String() string {
 	return "03_default_instance"
 }
+
+func verifyKey(key *crypto.KeyConfig, storage crypto.KeyStorage) (err error) {
+	_, err = crypto.LoadKey(key.EncryptionKeyID, storage)
+	if err == nil {
+		return nil
+	}
+	k, err := crypto.NewKey(key.EncryptionKeyID)
+	if err != nil {
+		return err
+	}
+	return storage.CreateKeys(k)
+}

cmd/admin/setup/config.go

@@ -10,6 +10,7 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/config/hook"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/database"
 )
 
@@ -21,6 +22,7 @@ type Config struct {
 	ExternalDomain string
 	ExternalSecure bool
 	Log            *logging.Config
+	EncryptionKeys *encryptionKeyConfig
 }
 
 func MustNewConfig(v *viper.Viper) *Config {
@@ -40,6 +42,10 @@ type Steps struct {
 	S3DefaultInstance *DefaultInstance
 }
 
+type encryptionKeyConfig struct {
+	User *crypto.KeyConfig
+}
+
 func MustNewSteps(v *viper.Viper) *Steps {
 	v.SetConfigType("yaml")
 	err := v.ReadConfig(bytes.NewBuffer(defaultSteps))

cmd/admin/setup/setup.go

@@ -8,8 +8,8 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
+	"github.com/caos/zitadel/cmd/admin/key"
 	http_util "github.com/caos/zitadel/internal/api/http"
-	"github.com/caos/zitadel/internal/command/v2"
 	"github.com/caos/zitadel/internal/database"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/migration"
@@ -31,12 +31,15 @@ Requirements:
 			config := MustNewConfig(viper.GetViper())
 			steps := MustNewSteps(viper.New())
 
-			Setup(config, steps)
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Panic("No master key provided")
+
+			Setup(config, steps, masterKey)
 		},
 	}
 }
 
-func Setup(config *Config, steps *Steps) {
+func Setup(config *Config, steps *Steps, masterKey string) {
 	dbClient, err := database.Connect(config.Database)
 	logging.OnError(err).Fatal("unable to connect to database")
 
@@ -44,11 +47,17 @@ func Setup(config *Config, steps *Steps) {
 	logging.OnError(err).Fatal("unable to start eventstore")
 	migration.RegisterMappers(eventstoreClient)
 
-	cmd := command.New(eventstoreClient, "localhost", config.SystemDefaults)
-
 	steps.s1ProjectionTable = &ProjectionTable{dbClient: dbClient}
 	steps.s2AssetsTable = &AssetTable{dbClient: dbClient}
-	steps.S3DefaultInstance.cmd = cmd
+	steps.S3DefaultInstance.es = eventstoreClient
+	steps.S3DefaultInstance.db = dbClient
+	steps.S3DefaultInstance.defaults = config.SystemDefaults
+	steps.S3DefaultInstance.masterKey = masterKey
+	steps.S3DefaultInstance.domain = config.SystemDefaults.Domain
+	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
+	steps.S3DefaultInstance.userEncryptionKey = config.EncryptionKeys.User
+	steps.S3DefaultInstance.InstanceSetup.Zitadel.IsDevMode = !config.ExternalSecure
+	steps.S3DefaultInstance.InstanceSetup.Zitadel.BaseURL = http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
 	steps.S3DefaultInstance.InstanceSetup.Zitadel.IsDevMode = !config.ExternalSecure
 	steps.S3DefaultInstance.InstanceSetup.Zitadel.BaseURL = http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
 

cmd/admin/setup/steps.yaml

@@ -8,11 +8,64 @@ S3DefaultInstance:
         LastName: Admin
         NickName:
         DisplayName:
-        Email: admin@zitadel.ch
+        Email: 
+          Address: admin@zitadel.ch
+          Verified: true
         PreferredLanguage:
         Gender:
         Phone:
+          Number:
+          Verified:
         Password: Password1!
+    SecretGenerators:
+      PasswordSaltCost: 14
+      ClientSecret:
+        Length: 64
+        IncludeLowerLetters: true
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      InitializeUserCode:
+        Length: 6
+        Expiry: '72h'
+        IncludeLowerLetters: false
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      EmailVerificationCode:
+        Length: 6
+        Expiry: '1h'
+        IncludeLowerLetters: false
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      PhoneVerificationCode:
+        Length: 6
+        Expiry: '1h'
+        IncludeLowerLetters: false
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      PasswordVerificationCode:
+        Length: 6
+        Expiry: '1h'
+        IncludeLowerLetters: false
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      PasswordlessInitCode:
+        Length: 12
+        Expiry: '1h'
+        IncludeLowerLetters: true
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
+      DomainVerification:
+        Length: 32
+        IncludeLowerLetters: true
+        IncludeUpperLetters: true
+        IncludeDigits: true
+        IncludeSymbols: false
     Features:
       TierName: Default Tier
       TierDescription: ""

cmd/admin/start/encryption_keys.go

@@ -32,26 +32,20 @@ type encryptionKeys struct {
 	OIDCKey            []byte
 }
 
-func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyStorage) (*encryptionKeys, error) {
-	keys, err := keyStorage.ReadKeys()
+func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyStorage) (keys *encryptionKeys, err error) {
+	if err := verifyDefaultKeys(keyStorage); err != nil {
+		return nil, err
+	}
+	keys = new(encryptionKeys)
+	keys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	if len(keys) == 0 {
-		if err := createDefaultKeys(keyStorage); err != nil {
-			return nil, err
-		}
-	}
-	encryptionKeys := new(encryptionKeys)
-	encryptionKeys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage)
+	keys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage)
-	if err != nil {
-		return nil, err
-	}
-	encryptionKeys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage)
+	keys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage)
 	if err != nil {
 		return nil, err
 	}
@@ -59,20 +53,20 @@ func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyS
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.OIDCKey = []byte(key)
-	encryptionKeys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage)
+	keys.OIDCKey = []byte(key)
+	keys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage)
+	keys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage)
+	keys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage)
+	keys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage)
 	if err != nil {
 		return nil, err
 	}
@@ -80,23 +74,30 @@ func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyS
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.CSRFCookieKey = []byte(key)
+	keys.CSRFCookieKey = []byte(key)
 	key, err = crypto.LoadKey(keyConfig.UserAgentCookieKeyID, keyStorage)
 	if err != nil {
 		return nil, err
 	}
-	encryptionKeys.UserAgentCookieKey = []byte(key)
-	return encryptionKeys, nil
+	keys.UserAgentCookieKey = []byte(key)
+	return keys, nil
 }
 
-func createDefaultKeys(keyStorage crypto.KeyStorage) error {
-	keys := make([]*crypto.Key, len(defaultKeyIDs))
-	for i, keyID := range defaultKeyIDs {
+func verifyDefaultKeys(keyStorage crypto.KeyStorage) (err error) {
+	keys := make([]*crypto.Key, 0, len(defaultKeyIDs))
+	for _, keyID := range defaultKeyIDs {
+		_, err := crypto.LoadKey(keyID, keyStorage)
+		if err == nil {
+			continue
+		}
 		key, err := crypto.NewKey(keyID)
 		if err != nil {
 			return err
 		}
-		keys[i] = key
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil
 	}
 	if err := keyStorage.CreateKeys(keys...); err != nil {
 		return caos_errs.ThrowInternal(err, "START-aGBq2", "cannot create default keys")

cmd/admin/start/start.go

@@ -21,7 +21,6 @@ import (
 	"golang.org/x/net/http2/h2c"
 
 	"github.com/caos/zitadel/cmd/admin/key"
-
 	admin_es "github.com/caos/zitadel/internal/admin/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/api"
 	"github.com/caos/zitadel/internal/api/assets"
@@ -118,7 +117,7 @@ func startZitadel(config *Config, masterKey string) error {
 		Origin:      http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure),
 		DisplayName: "ZITADEL",
 	}
-	commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ, storage, authZRepo, webAuthNConfig, keys.IDPConfig, keys.OTP, keys.SMTP, keys.SMS, keys.DomainVerification, keys.OIDC)
+	commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ, storage, authZRepo, webAuthNConfig, keys.IDPConfig, keys.OTP, keys.SMTP, keys.SMS, keys.User, keys.DomainVerification, keys.OIDC)
 	if err != nil {
 		return fmt.Errorf("cannot start commands: %w", err)
 	}

cmd/admin/start/start_from_init.go

@@ -3,6 +3,7 @@ package start
 import (
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/cmd/admin/initialise"
+	"github.com/caos/zitadel/cmd/admin/key"
 	"github.com/caos/zitadel/cmd/admin/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -20,16 +21,18 @@ Last ZITADEL starts.
 Requirements:
 - cockroachdb`,
 		Run: func(cmd *cobra.Command, args []string) {
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Panic("No master key provided")
+
 			initialise.InitAll(initialise.MustNewConfig(viper.GetViper()))
 
 			setupConfig := setup.MustNewConfig(viper.GetViper())
 			setupSteps := setup.MustNewSteps(viper.New())
-			setup.Setup(setupConfig, setupSteps)
+			setup.Setup(setupConfig, setupSteps, masterKey)
 
 			startConfig := MustNewConfig(viper.GetViper())
-			startMasterKey, _ := cmd.Flags().GetString(flagMasterKey)
 
-			err := startZitadel(startConfig, startMasterKey)
+			err = startZitadel(startConfig, masterKey)
 			logging.OnError(err).Fatal("unable to start zitadel")
 		},
 	}