2022-01-12 13:22:04 +01:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
2023-10-19 12:34:00 +02:00
|
|
|
"github.com/go-jose/go-jose/v3"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/logging"
|
2023-10-19 12:34:00 +02:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
2022-01-12 13:22:04 +01:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
"github.com/zitadel/zitadel/internal/errors"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/query"
|
2022-10-20 13:36:52 +01:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/keypair"
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2022-01-12 13:22:04 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
locksTable = "projections.locks"
|
|
|
|
signingKey = "signing_key"
|
2022-04-25 10:01:17 +02:00
|
|
|
oidcUser = "OIDC"
|
|
|
|
|
|
|
|
retryBackoff = 500 * time.Millisecond
|
|
|
|
retryCount = 3
|
|
|
|
lockDuration = retryCount * retryBackoff * 5
|
|
|
|
gracefulPeriod = 10 * time.Minute
|
2022-01-12 13:22:04 +01:00
|
|
|
)
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SigningKey wraps the query.PrivateKey to implement the op.SigningKey interface
|
2022-04-25 10:01:17 +02:00
|
|
|
type SigningKey struct {
|
|
|
|
algorithm jose.SignatureAlgorithm
|
|
|
|
id string
|
|
|
|
key interface{}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SigningKey) SignatureAlgorithm() jose.SignatureAlgorithm {
|
|
|
|
return s.algorithm
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SigningKey) Key() interface{} {
|
|
|
|
return s.key
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SigningKey) ID() string {
|
|
|
|
return s.id
|
|
|
|
}
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// PublicKey wraps the query.PublicKey to implement the op.Key interface
|
2022-04-25 10:01:17 +02:00
|
|
|
type PublicKey struct {
|
|
|
|
key query.PublicKey
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *PublicKey) Algorithm() jose.SignatureAlgorithm {
|
|
|
|
return jose.SignatureAlgorithm(s.key.Algorithm())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *PublicKey) Use() string {
|
|
|
|
return s.key.Use().String()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *PublicKey) Key() interface{} {
|
|
|
|
return s.key.Key()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *PublicKey) ID() string {
|
|
|
|
return s.key.ID()
|
|
|
|
}
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// KeySet implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) KeySet(ctx context.Context) (keys []op.Key, err error) {
|
2022-01-12 13:22:04 +01:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
2022-04-25 10:01:17 +02:00
|
|
|
err = retry(func() error {
|
|
|
|
publicKeys, err := o.query.ActivePublicKeys(ctx, time.Now())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
keys = make([]op.Key, len(publicKeys.Keys))
|
|
|
|
for i, key := range publicKeys.Keys {
|
|
|
|
keys[i] = &PublicKey{key}
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
return nil
|
|
|
|
})
|
|
|
|
return keys, err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SignatureAlgorithms implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) SignatureAlgorithms(ctx context.Context) ([]jose.SignatureAlgorithm, error) {
|
|
|
|
key, err := o.SigningKey(ctx)
|
2022-01-12 13:22:04 +01:00
|
|
|
if err != nil {
|
2022-11-30 17:01:17 +01:00
|
|
|
logging.WithError(err).Warn("unable to fetch signing key")
|
2022-04-25 10:01:17 +02:00
|
|
|
return nil, err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
return []jose.SignatureAlgorithm{key.SignatureAlgorithm()}, nil
|
|
|
|
}
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SigningKey implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) SigningKey(ctx context.Context) (key op.SigningKey, err error) {
|
|
|
|
err = retry(func() error {
|
|
|
|
key, err = o.getSigningKey(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2022-01-28 09:24:34 +01:00
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
if key == nil {
|
|
|
|
return errors.ThrowInternal(nil, "test", "test")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
return key, err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) getSigningKey(ctx context.Context) (op.SigningKey, error) {
|
|
|
|
keys, err := o.query.ActivePrivateSigningKey(ctx, time.Now().Add(gracefulPeriod))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if len(keys.Keys) > 0 {
|
|
|
|
return o.privateKeyToSigningKey(selectSigningKey(keys.Keys))
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2023-10-19 12:19:10 +02:00
|
|
|
var position float64
|
|
|
|
if keys.State != nil {
|
|
|
|
position = keys.State.Position
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2023-10-19 12:19:10 +02:00
|
|
|
return nil, o.refreshSigningKey(ctx, o.signingKeyAlgorithm, position)
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2023-10-19 12:19:10 +02:00
|
|
|
func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, position float64) error {
|
|
|
|
ok, err := o.ensureIsLatestKey(ctx, position)
|
2022-04-25 10:01:17 +02:00
|
|
|
if err != nil || !ok {
|
|
|
|
return errors.ThrowInternal(err, "OIDC-ASfh3", "cannot ensure that projection is up to date")
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
err = o.lockAndGenerateSigningKeyPair(ctx, algorithm)
|
2022-04-25 10:01:17 +02:00
|
|
|
if err != nil {
|
|
|
|
return errors.ThrowInternal(err, "OIDC-ADh31", "could not create signing key")
|
|
|
|
}
|
|
|
|
return errors.ThrowInternal(nil, "OIDC-Df1bh", "")
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2023-10-19 12:19:10 +02:00
|
|
|
func (o *OPStorage) ensureIsLatestKey(ctx context.Context, position float64) (bool, error) {
|
2022-01-12 13:22:04 +01:00
|
|
|
maxSequence, err := o.getMaxKeySequence(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("error retrieving new events: %w", err)
|
|
|
|
}
|
2023-10-19 12:19:10 +02:00
|
|
|
return position >= maxSequence, nil
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) privateKeyToSigningKey(key query.PrivateKey) (_ op.SigningKey, err error) {
|
2022-01-12 13:22:04 +01:00
|
|
|
keyData, err := crypto.Decrypt(key.Key(), o.encAlg)
|
|
|
|
if err != nil {
|
2022-04-25 10:01:17 +02:00
|
|
|
return nil, err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
privateKey, err := crypto.BytesToPrivateKey(keyData)
|
|
|
|
if err != nil {
|
2022-04-25 10:01:17 +02:00
|
|
|
return nil, err
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
return &SigningKey{
|
|
|
|
algorithm: jose.SignatureAlgorithm(key.Algorithm()),
|
|
|
|
key: privateKey,
|
|
|
|
id: key.ID(),
|
|
|
|
}, nil
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm string) error {
|
2022-04-05 07:58:09 +02:00
|
|
|
logging.Info("lock and generate signing key pair")
|
2022-01-12 13:22:04 +01:00
|
|
|
|
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
errs := o.locker.Lock(ctx, lockDuration, authz.GetInstance(ctx).InstanceID())
|
2022-01-12 13:22:04 +01:00
|
|
|
err, ok := <-errs
|
|
|
|
if err != nil || !ok {
|
|
|
|
if errors.IsErrorAlreadyExists(err) {
|
|
|
|
return nil
|
|
|
|
}
|
2023-04-25 19:20:59 +02:00
|
|
|
logging.OnError(err).Debug("initial lock failed")
|
2022-01-12 13:22:04 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-04-25 10:01:17 +02:00
|
|
|
return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), algorithm)
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
2023-10-19 12:19:10 +02:00
|
|
|
func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
|
2022-01-12 13:22:04 +01:00
|
|
|
return o.eventstore.LatestSequence(ctx,
|
|
|
|
eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
|
2022-04-25 10:01:17 +02:00
|
|
|
ResourceOwner(authz.GetInstance(ctx).InstanceID()).
|
2023-10-19 12:19:10 +02:00
|
|
|
AwaitOpenTransactions().
|
2023-02-27 22:36:43 +01:00
|
|
|
AllowTimeTravel().
|
2022-01-12 13:22:04 +01:00
|
|
|
AddQuery().
|
2023-10-19 12:19:10 +02:00
|
|
|
AggregateTypes(keypair.AggregateType).
|
|
|
|
EventTypes(
|
|
|
|
keypair.AddedEventType,
|
|
|
|
).
|
|
|
|
Or().
|
|
|
|
AggregateTypes(instance.AggregateType).
|
|
|
|
EventTypes(instance.InstanceRemovedEventType).
|
2022-01-12 13:22:04 +01:00
|
|
|
Builder(),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
func selectSigningKey(keys []query.PrivateKey) query.PrivateKey {
|
|
|
|
return keys[len(keys)-1]
|
|
|
|
}
|
2022-04-25 10:01:17 +02:00
|
|
|
|
|
|
|
func setOIDCCtx(ctx context.Context) context.Context {
|
|
|
|
return authz.SetCtxData(ctx, authz.CtxData{UserID: oidcUser, OrgID: authz.GetInstance(ctx).InstanceID()})
|
|
|
|
}
|
|
|
|
|
|
|
|
func retry(retryable func() error) (err error) {
|
|
|
|
for i := 0; i < retryCount; i++ {
|
|
|
|
err = retryable()
|
|
|
|
if err == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2022-05-02 17:26:54 +02:00
|
|
|
time.Sleep(retryBackoff)
|
2022-04-25 10:01:17 +02:00
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|