zitadel/internal/query/certificate.go

package query

import (
	"context"
	"database/sql"
	"time"

	sq "github.com/Masterminds/squirrel"

	"github.com/zitadel/zitadel/internal/api/authz"
	"github.com/zitadel/zitadel/internal/api/call"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/query/projection"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

type Certificate interface {
	Key
	Expiry() time.Time
	Key() *crypto.CryptoValue
	Certificate() []byte
}

type Certificates struct {
	SearchResponse
	Certificates []Certificate
}

type rsaCertificate struct {
	key
	expiry      time.Time
	privateKey  *crypto.CryptoValue
	certificate []byte
}

func (c *rsaCertificate) Expiry() time.Time {
	return c.expiry
}

func (c *rsaCertificate) Key() *crypto.CryptoValue {
	return c.privateKey
}

func (c *rsaCertificate) Certificate() []byte {
	return c.certificate
}

var (
	certificateTable = table{
		name:          projection.CertificateTable,
		instanceIDCol: projection.CertificateColumnInstanceID,
	}
	CertificateColID = Column{
		name:  projection.CertificateColumnID,
		table: certificateTable,
	}
	CertificateColExpiry = Column{
		name:  projection.CertificateColumnExpiry,
		table: certificateTable,
	}
	CertificateColCertificate = Column{
		name:  projection.CertificateColumnCertificate,
		table: certificateTable,
	}
)

func (q *Queries) ActiveCertificates(ctx context.Context, t time.Time, usage crypto.KeyUsage) (certs *Certificates, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	query, scan := prepareCertificateQuery(ctx, q.client)
	if t.IsZero() {
		t = time.Now()
	}
	stmt, args, err := query.Where(
		sq.And{
			sq.Eq{
				KeyColInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
				KeyColUse.identifier():        usage,
			},
			sq.Gt{CertificateColExpiry.identifier(): t},
			sq.Gt{KeyPrivateColExpiry.identifier(): t},
		},
	).OrderBy(KeyPrivateColExpiry.identifier()).ToSql()
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-SDfkg", "Errors.Query.SQLStatement")
	}

	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
		certs, err = scan(rows)
		return err
	}, stmt, args...)
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-Sgan4", "Errors.Internal")
	}

	certs.State, err = q.latestState(ctx, keyTable)
	if !zerrors.IsNotFound(err) {
		return certs, err
	}
	return certs, nil
}

func prepareCertificateQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*Certificates, error)) {
	return sq.Select(
			KeyColID.identifier(),
			KeyColCreationDate.identifier(),
			KeyColChangeDate.identifier(),
			KeyColSequence.identifier(),
			KeyColResourceOwner.identifier(),
			KeyColAlgorithm.identifier(),
			KeyColUse.identifier(),
			CertificateColExpiry.identifier(),
			CertificateColCertificate.identifier(),
			KeyPrivateColKey.identifier(),
			countColumn.identifier(),
		).From(keyTable.identifier()).
			LeftJoin(join(CertificateColID, KeyColID)).
			LeftJoin(join(KeyPrivateColID, KeyColID) + db.Timetravel(call.Took(ctx))).
			PlaceholderFormat(sq.Dollar),
		func(rows *sql.Rows) (*Certificates, error) {
			certificates := make([]Certificate, 0)
			var count uint64
			for rows.Next() {
				k := new(rsaCertificate)
				err := rows.Scan(
					&k.id,
					&k.creationDate,
					&k.changeDate,
					&k.sequence,
					&k.resourceOwner,
					&k.algorithm,
					&k.use,
					&k.expiry,
					&k.certificate,
					&k.privateKey,
					&count,
				)
				if err != nil {
					return nil, err
				}

				certificates = append(certificates, k)
			}

			if err := rows.Close(); err != nil {
				return nil, zerrors.ThrowInternal(err, "QUERY-rKd6k", "Errors.Query.CloseRows")
			}

			return &Certificates{
				Certificates: certificates,
				SearchResponse: SearchResponse{
					Count: count,
				},
			}, nil
		}
}
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`package query`

			`import (`
			`"context"`
			`"database/sql"`
			`"time"`

			`sq "github.com/Masterminds/squirrel"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`"github.com/zitadel/zitadel/internal/api/call"`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`"github.com/zitadel/zitadel/internal/crypto"`
			`"github.com/zitadel/zitadel/internal/query/projection"`
fix(query): add tracing for each method (#4777) * fix(query): add tracing for each method 2022-12-01 08:18:53 +00:00			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`"github.com/zitadel/zitadel/internal/zerrors"`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`)`

			`type Certificate interface {`
			`Key`
			`Expiry() time.Time`
			`Key() *crypto.CryptoValue`
			`Certificate() []byte`
			`}`

			`type Certificates struct {`
			`SearchResponse`
			`Certificates []Certificate`
			`}`

			`type rsaCertificate struct {`
			`key`
			`expiry time.Time`
			`privateKey *crypto.CryptoValue`
			`certificate []byte`
			`}`

			`func (c *rsaCertificate) Expiry() time.Time {`
			`return c.expiry`
			`}`

			`func (c rsaCertificate) Key() crypto.CryptoValue {`
			`return c.privateKey`
			`}`

			`func (c *rsaCertificate) Certificate() []byte {`
			`return c.certificate`
			`}`

			`var (`
			`certificateTable = table{`
fix: join on instanceIDs in queries (#4612) 2022-10-27 06:08:36 +00:00			`name: projection.CertificateTable,`
			`instanceIDCol: projection.CertificateColumnInstanceID,`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`
			`CertificateColID = Column{`
			`name: projection.CertificateColumnID,`
			`table: certificateTable,`
			`}`
			`CertificateColExpiry = Column{`
			`name: projection.CertificateColumnExpiry,`
			`table: certificateTable,`
			`}`
			`CertificateColCertificate = Column{`
			`name: projection.CertificateColumnCertificate,`
			`table: certificateTable,`
			`}`
			`)`

feat(v3alpha): web key resource (#8262) # Which Problems Are Solved Implement a new API service that allows management of OIDC signing web keys. This allows users to manage rotation of the instance level keys. which are currently managed based on expiry. The API accepts the generation of the following key types and parameters: - RSA keys with 2048, 3072 or 4096 bit in size and: - Signing with SHA-256 (RS256) - Signing with SHA-384 (RS384) - Signing with SHA-512 (RS512) - ECDSA keys with - P256 curve - P384 curve - P512 curve - ED25519 keys # How the Problems Are Solved Keys are serialized for storage using the JSON web key format from the `jose` library. This is the format that will be used by OIDC for signing, verification and publication. Each instance can have a number of key pairs. All existing public keys are meant to be used for token verification and publication the keys endpoint. Keys can be activated and the active private key is meant to sign new tokens. There is always exactly 1 active signing key: 1. When the first key for an instance is generated, it is automatically activated. 2. Activation of the next key automatically deactivates the previously active key. 3. Keys cannot be manually deactivated from the API 4. Active keys cannot be deleted # Additional Changes - Query methods that later will be used by the OIDC package are already implemented. Preparation for #8031 - Fix indentation in french translation for instance event - Move user_schema translations to consistent positions in all translation files # Additional Context - Closes #8030 - Part of #7809 --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2024-08-14 14:18:14 +00:00			`func (q Queries) ActiveCertificates(ctx context.Context, t time.Time, usage crypto.KeyUsage) (certs Certificates, err error) {`
fix(query): add tracing for each method (#4777) * fix(query): add tracing for each method 2022-12-01 08:18:53 +00:00			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`query, scan := prepareCertificateQuery(ctx, q.client)`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`if t.IsZero() {`
			`t = time.Now()`
			`}`
			`stmt, args, err := query.Where(`
			`sq.And{`
			`sq.Eq{`
			`KeyColInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),`
			`KeyColUse.identifier(): usage,`
			`},`
feat: remove org (#4148) * feat(command): remove org * refactor: imports, unused code, error handling * reduce org removed in action * add org deletion to projections * add org removal to projections * add org removal to projections * org removed projection * lint import * projections * fix: table names in tests * fix: table names in tests * logging * add org state * fix(domain): add Owner removed to object details * feat(ListQuery): add with owner removed * fix(org-delete): add bool to functions to select with owner removed * fix(org-delete): add bools to user grants with events to determine if dependencies lost owner * fix(org-delete): add unit tests for owner removed and org removed events * fix(org-delete): add handling of org remove for grants and members * fix(org-delete): correction of unit tests for owner removed * fix(org-delete): update projections, unit tests and get functions * fix(org-delete): add change date to authnkeys and owner removed to org metadata * fix(org-delete): include owner removed for login names * fix(org-delete): some column fixes in projections and build for queries with owner removed * indexes * fix(org-delete): include review changes * fix(org-delete): change user projection name after merge * fix(org-delete): include review changes for project grant where no project owner is necessary * fix(org-delete): include auth and adminapi tables with owner removed information * fix(org-delete): cleanup username and orgdomain uniqueconstraints when org is removed * fix(org-delete): add permissions for org.remove * remove unnecessary unique constraints * fix column order in primary keys * fix(org-delete): include review changes * fix(org-delete): add owner removed indexes and chang setup step to create tables * fix(org-delete): move PK order of instance_id and change added user_grant from review * fix(org-delete): no params for prepareUserQuery * change to step 6 * merge main * fix(org-delete): OldUserName rename to private * fix linting * cleanup * fix: remove org test * create prerelease * chore: delete org-delete as prerelease Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> 2022-11-30 16:01:17 +00:00			`sq.Gt{CertificateColExpiry.identifier(): t},`
			`sq.Gt{KeyPrivateColExpiry.identifier(): t},`
			`},`
			`).OrderBy(KeyPrivateColExpiry.identifier()).ToSql()`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return nil, zerrors.ThrowInternal(err, "QUERY-SDfkg", "Errors.Query.SQLStatement")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`

feat(storage): read only transactions (#6417) feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines 2023-08-22 12:49:02 +00:00			`err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {`
			`certs, err = scan(rows)`
			`return err`
			`}, stmt, args...)`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`if err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return nil, zerrors.ThrowInternal(err, "QUERY-Sgan4", "Errors.Internal")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`
feat(storage): read only transactions (#6417) feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines 2023-08-22 12:49:02 +00:00
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events. 2023-10-19 10:19:10 +00:00			`certs.State, err = q.latestState(ctx, keyTable)`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`if !zerrors.IsNotFound(err) {`
feat(storage): read only transactions (#6417) feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines 2023-08-22 12:49:02 +00:00			`return certs, err`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`
feat(storage): read only transactions (#6417) feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines 2023-08-22 12:49:02 +00:00			`return certs, nil`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`

perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`func prepareCertificateQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(sql.Rows) (Certificates, error)) {`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`return sq.Select(`
			`KeyColID.identifier(),`
			`KeyColCreationDate.identifier(),`
			`KeyColChangeDate.identifier(),`
			`KeyColSequence.identifier(),`
			`KeyColResourceOwner.identifier(),`
			`KeyColAlgorithm.identifier(),`
			`KeyColUse.identifier(),`
			`CertificateColExpiry.identifier(),`
			`CertificateColCertificate.identifier(),`
			`KeyPrivateColKey.identifier(),`
			`countColumn.identifier(),`
			`).From(keyTable.identifier()).`
			`LeftJoin(join(CertificateColID, KeyColID)).`
perf: query data `AS OF SYSTEM TIME` (#5231) Queries the data in the storage layser at the timestamp when the call hit the API layer 2023-02-27 21:36:43 +00:00			`LeftJoin(join(KeyPrivateColID, KeyColID) + db.Timetravel(call.Took(ctx))).`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`PlaceholderFormat(sq.Dollar),`
			`func(rows sql.Rows) (Certificates, error) {`
			`certificates := make([]Certificate, 0)`
			`var count uint64`
			`for rows.Next() {`
			`k := new(rsaCertificate)`
			`err := rows.Scan(`
			`&k.id,`
			`&k.creationDate,`
			`&k.changeDate,`
			`&k.sequence,`
			`&k.resourceOwner,`
			`&k.algorithm,`
			`&k.use,`
			`&k.expiry,`
			`&k.certificate,`
			`&k.privateKey,`
			`&count,`
			`)`
			`if err != nil {`
			`return nil, err`
			`}`

			`certificates = append(certificates, k)`
			`}`

			`if err := rows.Close(); err != nil {`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`return nil, zerrors.ThrowInternal(err, "QUERY-rKd6k", "Errors.Query.CloseRows")`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 16:18:08 +00:00			`}`

			`return &Certificates{`
			`Certificates: certificates,`
			`SearchResponse: SearchResponse{`
			`Count: count,`
			`},`
			`}, nil`
			`}`
			`}`