fix: nil pointer on create instance add machine (#6000)

* fix: nil pointer on create instance add machine * fix: instance setup with machine user pat * fix: correct logic to write pat and key from setup without configurable scope --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
zitadel · Jun 15, 2023 · 855d6b1 · 855d6b1 · vercel · Jun 15, 2023
1 parent 2e323e8
commit 855d6b1
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 17 deletions.
diff --git a/cmd/setup/03.go b/cmd/setup/03.go
@@ -23,10 +23,12 @@ type FirstInstance struct {
 	DefaultLanguage language.Tag
 	Org             command.OrgSetup
 	MachineKeyPath  string
+	PatPath         string
 
 	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	smtpEncryptionKey *crypto.KeyConfig
+	oidcEncryptionKey *crypto.KeyConfig
 	masterKey         string
 	db                *sql.DB
 	es                *eventstore.Eventstore
@@ -59,6 +61,14 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		return err
 	}
 
+	if err = verifyKey(mig.oidcEncryptionKey, keyStorage); err != nil {
+		return err
+	}
+	oidcEncryption, err := crypto.NewAESCrypto(mig.oidcEncryptionKey, keyStorage)
+	if err != nil {
+		return err
+	}
+
 	cmd, err := command.StartCommands(mig.es,
 		mig.defaults,
 		mig.zitadelRoles,
@@ -73,13 +83,12 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		nil,
 		userAlg,
 		nil,
-		nil,
+		oidcEncryption,
 		nil,
 		nil,
 		nil,
 		nil,
 	)
-
 	if err != nil {
 		return err
 	}
@@ -101,25 +110,43 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		}
 	}
 
-	_, _, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
-	if key == nil {
+	_, token, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
+	if err != nil {
+		return err
+	}
+	if mig.instanceSetup.Org.Machine != nil &&
+		((mig.instanceSetup.Org.Machine.Pat != nil && token == "") ||
+			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil)) {
 		return err
 	}
 
-	f := os.Stdout
-	if mig.MachineKeyPath != "" {
-		f, err = os.OpenFile(mig.MachineKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if key != nil {
+		keyDetails, err := key.Detail()
 		if err != nil {
 			return err
 		}
-		defer f.Close()
+		if err := outputStdoutOrPath(mig.MachineKeyPath, string(keyDetails)); err != nil {
+			return err
+		}
 	}
+	if token != "" {
+		if err := outputStdoutOrPath(mig.PatPath, token); err != nil {
+			return err
+		}
+	}
+	return nil
+}
 
-	keyDetails, err := key.Detail()
-	if err != nil {
-		return err
+func outputStdoutOrPath(path string, content string) (err error) {
+	f := os.Stdout
+	if path != "" {
+		f, err = os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
 	}
-	_, err = fmt.Fprintln(f, string(keyDetails))
+	_, err = fmt.Fprintln(f, content)
 	return err
 }
 

diff --git a/cmd/setup/config.go b/cmd/setup/config.go
@@ -72,6 +72,7 @@ type Steps struct {
 type encryptionKeyConfig struct {
 	User *crypto.KeyConfig
 	SMTP *crypto.KeyConfig
+	OIDC *crypto.KeyConfig
 }
 
 func MustNewSteps(v *viper.Viper) *Steps {

diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
@@ -75,6 +75,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.FirstInstance.instanceSetup = config.DefaultInstance
 	steps.FirstInstance.userEncryptionKey = config.EncryptionKeys.User
 	steps.FirstInstance.smtpEncryptionKey = config.EncryptionKeys.SMTP
+	steps.FirstInstance.oidcEncryptionKey = config.EncryptionKeys.OIDC
 	steps.FirstInstance.masterKey = masterKey
 	steps.FirstInstance.db = dbClient.DB
 	steps.FirstInstance.es = eventstoreClient

diff --git a/cmd/setup/steps.yaml b/cmd/setup/steps.yaml
@@ -1,5 +1,6 @@
 FirstInstance:
   MachineKeyPath:
+  PatPath:
   InstanceName: ZITADEL
   DefaultLanguage: en
   Org:
@@ -30,6 +31,8 @@ FirstInstance:
       MachineKey:
         ExpirationDate:
         Type:
+      Pat:
+        ExpirationDate:
 
 CorrectCreationDate:
   FailAfter: 5m

diff --git a/internal/api/grpc/system/instance_converter.go b/internal/api/grpc/system/instance_converter.go
@@ -113,13 +113,11 @@ func createInstancePbToAddMachine(req *system_pb.CreateInstanceRequest_Machine,
 			// Scopes are currently static and can not be overwritten
 			Scopes: []string{oidc.ScopeOpenID, z_oidc.ScopeUserMetaData, z_oidc.ScopeResourceOwner},
 		}
-
-		if !defaultMachine.Pat.ExpirationDate.IsZero() {
-			pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
-		} else if req.PersonalAccessToken.ExpirationDate.IsValid() {
+		if req.GetPersonalAccessToken().GetExpirationDate().IsValid() {
 			pat.ExpirationDate = req.PersonalAccessToken.ExpirationDate.AsTime()
+		} else if defaultMachine.Pat != nil && !defaultMachine.Pat.ExpirationDate.IsZero() {
+			pat.ExpirationDate = defaultMachine.Pat.ExpirationDate
 		}
-
 		machine.Pat = &pat
 	}