2021-01-04 13:52:13 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
2022-10-17 19:19:15 +00:00
|
|
|
"context"
|
2023-09-29 09:26:14 +00:00
|
|
|
"crypto/rand"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"encoding/pem"
|
|
|
|
"math/big"
|
2022-09-12 16:18:08 +00:00
|
|
|
"net/http"
|
2023-09-29 09:26:14 +00:00
|
|
|
"strconv"
|
2023-12-05 17:01:03 +00:00
|
|
|
"sync"
|
2021-05-20 11:33:35 +00:00
|
|
|
"time"
|
|
|
|
|
2023-12-05 17:01:03 +00:00
|
|
|
"github.com/zitadel/logging"
|
|
|
|
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
2022-09-12 16:18:08 +00:00
|
|
|
api_http "github.com/zitadel/zitadel/internal/api/http"
|
2022-10-17 19:19:15 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/command/preparation"
|
2022-04-26 23:01:45 +00:00
|
|
|
sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
2022-04-28 08:30:41 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/errors"
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/id"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/action"
|
2023-07-10 13:27:00 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/authrequest"
|
2023-09-29 08:21:32 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/feature"
|
2023-05-24 18:29:58 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/idpintent"
|
2022-04-26 23:01:45 +00:00
|
|
|
instance_repo "github.com/zitadel/zitadel/internal/repository/instance"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/keypair"
|
2023-10-25 11:42:00 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/limits"
|
2023-07-06 06:38:13 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/milestone"
|
2023-07-10 13:27:00 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/oidcsession"
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/org"
|
|
|
|
proj_repo "github.com/zitadel/zitadel/internal/repository/project"
|
2023-02-15 01:52:11 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/quota"
|
2023-11-22 09:29:38 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/restrictions"
|
2023-05-05 15:34:53 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/repository/session"
|
2022-04-26 23:01:45 +00:00
|
|
|
usr_repo "github.com/zitadel/zitadel/internal/repository/user"
|
|
|
|
usr_grant_repo "github.com/zitadel/zitadel/internal/repository/usergrant"
|
|
|
|
"github.com/zitadel/zitadel/internal/static"
|
2023-12-05 17:01:03 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2022-04-26 23:01:45 +00:00
|
|
|
webauthn_helper "github.com/zitadel/zitadel/internal/webauthn"
|
2021-01-04 13:52:13 +00:00
|
|
|
)
|
|
|
|
|
2021-02-24 10:17:39 +00:00
|
|
|
type Commands struct {
|
2022-09-12 16:18:08 +00:00
|
|
|
httpClient *http.Client
|
|
|
|
|
2023-12-05 17:01:03 +00:00
|
|
|
jobs sync.WaitGroup
|
|
|
|
|
2023-08-24 09:41:52 +00:00
|
|
|
checkPermission domain.PermissionCheck
|
|
|
|
newCode cryptoCodeFunc
|
|
|
|
newCodeWithDefault cryptoCodeWithDefaultFunc
|
2023-04-25 07:02:29 +00:00
|
|
|
|
2022-04-25 09:16:36 +00:00
|
|
|
eventstore *eventstore.Eventstore
|
|
|
|
static static.Storage
|
|
|
|
idGenerator id.Generator
|
|
|
|
zitadelRoles []authz.RoleMapping
|
2022-04-28 08:30:41 +00:00
|
|
|
externalDomain string
|
2022-04-25 09:16:36 +00:00
|
|
|
externalSecure bool
|
|
|
|
externalPort uint16
|
2021-01-04 13:52:13 +00:00
|
|
|
|
2023-07-10 13:27:00 +00:00
|
|
|
idpConfigEncryption crypto.EncryptionAlgorithm
|
|
|
|
smtpEncryption crypto.EncryptionAlgorithm
|
|
|
|
smsEncryption crypto.EncryptionAlgorithm
|
|
|
|
userEncryption crypto.EncryptionAlgorithm
|
2023-07-14 06:49:57 +00:00
|
|
|
userPasswordHasher *crypto.PasswordHasher
|
|
|
|
codeAlg crypto.HashAlgorithm
|
2023-07-10 13:27:00 +00:00
|
|
|
machineKeySize int
|
|
|
|
applicationKeySize int
|
|
|
|
domainVerificationAlg crypto.EncryptionAlgorithm
|
|
|
|
domainVerificationGenerator crypto.Generator
|
|
|
|
domainVerificationValidator func(domain, token, verifier string, checkType api_http.CheckType) error
|
|
|
|
sessionTokenCreator func(sessionID string) (id string, token string, err error)
|
|
|
|
sessionTokenVerifier func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
|
|
|
|
defaultAccessTokenLifetime time.Duration
|
|
|
|
defaultRefreshTokenLifetime time.Duration
|
|
|
|
defaultRefreshTokenIdleLifetime time.Duration
|
2021-02-12 15:51:12 +00:00
|
|
|
|
2023-08-23 08:04:29 +00:00
|
|
|
multifactors domain.MultifactorConfigs
|
|
|
|
webauthnConfig *webauthn_helper.Config
|
|
|
|
keySize int
|
|
|
|
keyAlgorithm crypto.EncryptionAlgorithm
|
|
|
|
certificateAlgorithm crypto.EncryptionAlgorithm
|
|
|
|
certKeySize int
|
|
|
|
privateKeyLifetime time.Duration
|
|
|
|
publicKeyLifetime time.Duration
|
|
|
|
certificateLifetime time.Duration
|
|
|
|
defaultSecretGenerators *SecretGenerators
|
2023-09-29 09:26:14 +00:00
|
|
|
|
|
|
|
samlCertificateAndKeyGenerator func(id string) ([]byte, []byte, error)
|
2021-01-04 13:52:13 +00:00
|
|
|
}
|
|
|
|
|
2023-04-25 07:02:29 +00:00
|
|
|
func StartCommands(
|
|
|
|
es *eventstore.Eventstore,
|
2022-02-16 15:49:17 +00:00
|
|
|
defaults sd.SystemDefaults,
|
2022-04-20 14:59:37 +00:00
|
|
|
zitadelRoles []authz.RoleMapping,
|
2022-02-16 15:49:17 +00:00
|
|
|
staticStore static.Storage,
|
2022-04-25 08:01:17 +00:00
|
|
|
webAuthN *webauthn_helper.Config,
|
2022-04-28 08:30:41 +00:00
|
|
|
externalDomain string,
|
2022-04-25 09:16:36 +00:00
|
|
|
externalSecure bool,
|
|
|
|
externalPort uint16,
|
2023-05-05 15:34:53 +00:00
|
|
|
idpConfigEncryption, otpEncryption, smtpEncryption, smsEncryption, userEncryption, domainVerificationEncryption, oidcEncryption, samlEncryption crypto.EncryptionAlgorithm,
|
2022-09-12 16:18:08 +00:00
|
|
|
httpClient *http.Client,
|
2023-05-05 15:34:53 +00:00
|
|
|
permissionCheck domain.PermissionCheck,
|
|
|
|
sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
|
2023-07-10 13:27:00 +00:00
|
|
|
defaultAccessTokenLifetime,
|
|
|
|
defaultRefreshTokenLifetime,
|
|
|
|
defaultRefreshTokenIdleLifetime time.Duration,
|
2023-08-23 08:04:29 +00:00
|
|
|
defaultSecretGenerators *SecretGenerators,
|
2022-02-16 15:49:17 +00:00
|
|
|
) (repo *Commands, err error) {
|
2022-04-28 08:30:41 +00:00
|
|
|
if externalDomain == "" {
|
2022-05-12 07:34:46 +00:00
|
|
|
return nil, errors.ThrowInvalidArgument(nil, "COMMAND-Df21s", "no external domain specified")
|
2022-04-28 08:30:41 +00:00
|
|
|
}
|
2023-05-05 15:34:53 +00:00
|
|
|
idGenerator := id.SonyFlakeGenerator()
|
|
|
|
// reuse the oidcEncryption to be able to handle both tokens in the interceptor later on
|
|
|
|
sessionAlg := oidcEncryption
|
2021-02-24 10:17:39 +00:00
|
|
|
repo = &Commands{
|
2023-07-10 13:27:00 +00:00
|
|
|
eventstore: es,
|
|
|
|
static: staticStore,
|
|
|
|
idGenerator: idGenerator,
|
|
|
|
zitadelRoles: zitadelRoles,
|
|
|
|
externalDomain: externalDomain,
|
|
|
|
externalSecure: externalSecure,
|
|
|
|
externalPort: externalPort,
|
|
|
|
keySize: defaults.KeyConfig.Size,
|
|
|
|
certKeySize: defaults.KeyConfig.CertificateSize,
|
|
|
|
privateKeyLifetime: defaults.KeyConfig.PrivateKeyLifetime,
|
|
|
|
publicKeyLifetime: defaults.KeyConfig.PublicKeyLifetime,
|
|
|
|
certificateLifetime: defaults.KeyConfig.CertificateLifetime,
|
|
|
|
idpConfigEncryption: idpConfigEncryption,
|
|
|
|
smtpEncryption: smtpEncryption,
|
|
|
|
smsEncryption: smsEncryption,
|
|
|
|
userEncryption: userEncryption,
|
|
|
|
domainVerificationAlg: domainVerificationEncryption,
|
|
|
|
keyAlgorithm: oidcEncryption,
|
|
|
|
certificateAlgorithm: samlEncryption,
|
|
|
|
webauthnConfig: webAuthN,
|
|
|
|
httpClient: httpClient,
|
|
|
|
checkPermission: permissionCheck,
|
|
|
|
newCode: newCryptoCode,
|
2023-08-24 09:41:52 +00:00
|
|
|
newCodeWithDefault: newCryptoCodeWithDefaultConfig,
|
2023-07-10 13:27:00 +00:00
|
|
|
sessionTokenCreator: sessionTokenCreator(idGenerator, sessionAlg),
|
|
|
|
sessionTokenVerifier: sessionTokenVerifier,
|
|
|
|
defaultAccessTokenLifetime: defaultAccessTokenLifetime,
|
|
|
|
defaultRefreshTokenLifetime: defaultRefreshTokenLifetime,
|
|
|
|
defaultRefreshTokenIdleLifetime: defaultRefreshTokenIdleLifetime,
|
2023-08-23 08:04:29 +00:00
|
|
|
defaultSecretGenerators: defaultSecretGenerators,
|
2023-09-29 09:26:14 +00:00
|
|
|
samlCertificateAndKeyGenerator: samlCertificateAndKeyGenerator(defaults.KeyConfig.Size),
|
2021-01-04 13:52:13 +00:00
|
|
|
}
|
2022-04-12 14:20:17 +00:00
|
|
|
|
2022-03-28 08:05:09 +00:00
|
|
|
instance_repo.RegisterEventMappers(repo.eventstore)
|
2021-01-18 10:24:15 +00:00
|
|
|
org.RegisterEventMappers(repo.eventstore)
|
2021-01-15 08:32:59 +00:00
|
|
|
usr_repo.RegisterEventMappers(repo.eventstore)
|
2021-01-22 12:31:52 +00:00
|
|
|
usr_grant_repo.RegisterEventMappers(repo.eventstore)
|
|
|
|
proj_repo.RegisterEventMappers(repo.eventstore)
|
2021-02-12 15:51:12 +00:00
|
|
|
keypair.RegisterEventMappers(repo.eventstore)
|
2021-09-27 11:43:49 +00:00
|
|
|
action.RegisterEventMappers(repo.eventstore)
|
2023-02-15 01:52:11 +00:00
|
|
|
quota.RegisterEventMappers(repo.eventstore)
|
2023-10-25 11:42:00 +00:00
|
|
|
limits.RegisterEventMappers(repo.eventstore)
|
2023-11-22 09:29:38 +00:00
|
|
|
restrictions.RegisterEventMappers(repo.eventstore)
|
2023-05-05 15:34:53 +00:00
|
|
|
session.RegisterEventMappers(repo.eventstore)
|
2023-05-24 18:29:58 +00:00
|
|
|
idpintent.RegisterEventMappers(repo.eventstore)
|
2023-07-10 13:27:00 +00:00
|
|
|
authrequest.RegisterEventMappers(repo.eventstore)
|
|
|
|
oidcsession.RegisterEventMappers(repo.eventstore)
|
2023-07-06 06:38:13 +00:00
|
|
|
milestone.RegisterEventMappers(repo.eventstore)
|
2023-09-29 08:21:32 +00:00
|
|
|
feature.RegisterEventMappers(repo.eventstore)
|
2021-01-04 13:52:13 +00:00
|
|
|
|
2023-07-14 06:49:57 +00:00
|
|
|
repo.codeAlg = crypto.NewBCrypt(defaults.SecretGenerators.PasswordSaltCost)
|
|
|
|
repo.userPasswordHasher, err = defaults.PasswordHasher.PasswordHasher()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-02-24 10:17:39 +00:00
|
|
|
repo.machineKeySize = int(defaults.SecretGenerators.MachineKeySize)
|
|
|
|
repo.applicationKeySize = int(defaults.SecretGenerators.ApplicationKeySize)
|
2021-01-12 11:59:51 +00:00
|
|
|
|
2021-03-01 07:48:50 +00:00
|
|
|
repo.multifactors = domain.MultifactorConfigs{
|
|
|
|
OTP: domain.OTPConfig{
|
2022-03-14 06:55:09 +00:00
|
|
|
CryptoMFA: otpEncryption,
|
2021-02-24 10:17:39 +00:00
|
|
|
Issuer: defaults.Multifactors.OTP.Issuer,
|
2021-01-15 08:32:59 +00:00
|
|
|
},
|
|
|
|
}
|
2021-01-18 10:24:15 +00:00
|
|
|
|
2021-02-24 10:17:39 +00:00
|
|
|
repo.domainVerificationGenerator = crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, repo.domainVerificationAlg)
|
2022-09-12 16:18:08 +00:00
|
|
|
repo.domainVerificationValidator = api_http.ValidateDomain
|
2021-01-04 13:52:13 +00:00
|
|
|
return repo, nil
|
|
|
|
}
|
|
|
|
|
2023-05-24 10:22:00 +00:00
|
|
|
type AppendReducer interface {
|
2022-01-03 08:19:07 +00:00
|
|
|
AppendEvents(...eventstore.Event)
|
2023-02-15 01:52:11 +00:00
|
|
|
// TODO: Why is it allowed to return an error here?
|
2021-02-18 13:48:27 +00:00
|
|
|
Reduce() error
|
2023-05-24 10:22:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Commands) pushAppendAndReduce(ctx context.Context, object AppendReducer, cmds ...eventstore.Command) error {
|
|
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return AppendAndReduce(object, events...)
|
|
|
|
}
|
|
|
|
|
|
|
|
func AppendAndReduce(object AppendReducer, events ...eventstore.Event) error {
|
2021-02-18 13:48:27 +00:00
|
|
|
object.AppendEvents(events...)
|
|
|
|
return object.Reduce()
|
|
|
|
}
|
2022-10-17 19:19:15 +00:00
|
|
|
|
|
|
|
func queryAndReduce(ctx context.Context, filter preparation.FilterToQueryReducer, wm eventstore.QueryReducer) error {
|
|
|
|
events, err := filter(ctx, wm.Query())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if len(events) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
wm.AppendEvents(events...)
|
|
|
|
return wm.Reduce()
|
|
|
|
}
|
|
|
|
|
|
|
|
type existsWriteModel interface {
|
|
|
|
Exists() bool
|
|
|
|
eventstore.QueryReducer
|
|
|
|
}
|
|
|
|
|
|
|
|
func exists(ctx context.Context, filter preparation.FilterToQueryReducer, wm existsWriteModel) (bool, error) {
|
|
|
|
err := queryAndReduce(ctx, filter, wm)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
return wm.Exists(), nil
|
|
|
|
}
|
2023-09-29 09:26:14 +00:00
|
|
|
|
|
|
|
func samlCertificateAndKeyGenerator(keySize int) func(id string) ([]byte, []byte, error) {
|
|
|
|
return func(id string) ([]byte, []byte, error) {
|
|
|
|
priv, pub, err := crypto.GenerateKeyPair(keySize)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
serial, err := strconv.Atoi(id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
template := x509.Certificate{
|
|
|
|
SerialNumber: big.NewInt(int64(serial)),
|
|
|
|
Subject: pkix.Name{
|
|
|
|
Organization: []string{"ZITADEL"},
|
|
|
|
SerialNumber: id,
|
|
|
|
},
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, errors.ThrowInternalf(err, "COMMAND-x92u101j", "failed to create certificate")
|
|
|
|
}
|
|
|
|
|
|
|
|
keyBlock := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}
|
|
|
|
certBlock := &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}
|
|
|
|
return pem.EncodeToMemory(keyBlock), pem.EncodeToMemory(certBlock), nil
|
|
|
|
}
|
|
|
|
}
|
2023-12-05 17:01:03 +00:00
|
|
|
|
|
|
|
// Close blocks until all async jobs are finished,
|
|
|
|
// the context expires or after eventstore.PushTimeout.
|
|
|
|
func (c *Commands) Close(ctx context.Context) error {
|
|
|
|
if c.eventstore.PushTimeout != 0 {
|
|
|
|
var cancel context.CancelFunc
|
|
|
|
ctx, cancel = context.WithTimeout(ctx, c.eventstore.PushTimeout)
|
|
|
|
defer cancel()
|
|
|
|
}
|
|
|
|
|
|
|
|
done := make(chan struct{})
|
|
|
|
go func() {
|
|
|
|
c.jobs.Wait()
|
|
|
|
close(done)
|
|
|
|
}()
|
|
|
|
select {
|
|
|
|
case <-done:
|
|
|
|
return nil
|
|
|
|
case <-ctx.Done():
|
|
|
|
return ctx.Err()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// asyncPush attempts to push events to the eventstore in a separate Go routine.
|
|
|
|
// This can be used to speed up request times when the outcome of the push is
|
|
|
|
// not important for business logic but have a pure logging function.
|
|
|
|
// For example this can be used for Secret Check Success and Failed events.
|
|
|
|
// On push error, a log line describing the error will be emitted.
|
|
|
|
func (c *Commands) asyncPush(ctx context.Context, cmds ...eventstore.Command) {
|
|
|
|
// Create a new context, as the request scoped context might get
|
|
|
|
// canceled before we where able to push.
|
|
|
|
// The eventstore has its own PushTimeout setting,
|
|
|
|
// so we don't need to have a context with timeout here.
|
|
|
|
ctx = context.WithoutCancel(ctx)
|
|
|
|
|
|
|
|
c.jobs.Add(1)
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
defer c.jobs.Done()
|
|
|
|
localCtx, span := tracing.NewSpan(ctx)
|
|
|
|
|
|
|
|
_, err := c.eventstore.Push(localCtx, cmds...)
|
|
|
|
if err != nil {
|
|
|
|
for _, cmd := range cmds {
|
|
|
|
logging.WithError(err).Errorf("could not push event %q", cmd.Type())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
|
|
|
}
|