chore(oidc): graduate webkey to stable (#10122)

# Which Problems Are Solved Stabilize the usage of webkeys. # How the Problems Are Solved - Remove all legacy signing key code from the OIDC API - Remove the webkey feature flag from proto - Remove the webkey feature flag from console - Cleanup documentation # Additional Changes - Resolved some canonical header linter errors in OIDC - Use the constant for `projections.lock` in the saml package. # Additional Context - Closes #10029 - After #10105 - After #10061
2025-08-11 19:07:30 +00:00 · 2025-06-26 19:17:45 +03:00
parent 1ebbe275b9
commit 016676e1dc
59 changed files with 203 additions and 1614 deletions
--- a/internal/query/key.go
+++ b/internal/query/key.go
@@ -1,20 +1,10 @@
 package query

 import (
-	"context"
-	"crypto/rsa"
-	"database/sql"
 	"time"

-	sq "github.com/Masterminds/squirrel"
-
-	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
-	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/query/projection"
-	"github.com/zitadel/zitadel/internal/repository/keypair"
-	"github.com/zitadel/zitadel/internal/telemetry/tracing"
-	"github.com/zitadel/zitadel/internal/zerrors"
 )

 type Key interface {
@@ -36,11 +26,6 @@ type PublicKey interface {
 	Key() interface{}
 }

-type PrivateKeys struct {
-	SearchResponse
-	Keys []PrivateKey
-}
-
 type PublicKeys struct {
 	SearchResponse
 	Keys []PublicKey
@@ -72,34 +57,6 @@ func (k *key) Sequence() uint64 {
 	return k.sequence
 }

-type privateKey struct {
-	key
-	expiry     time.Time
-	privateKey *crypto.CryptoValue
-}
-
-func (k *privateKey) Expiry() time.Time {
-	return k.expiry
-}
-
-func (k *privateKey) Key() *crypto.CryptoValue {
-	return k.privateKey
-}
-
-type rsaPublicKey struct {
-	key
-	expiry    time.Time
-	publicKey *rsa.PublicKey
-}
-
-func (r *rsaPublicKey) Expiry() time.Time {
-	return r.expiry
-}
-
-func (r *rsaPublicKey) Key() interface{} {
-	return r.publicKey
-}
-
 var (
 	keyTable = table{
 		name:          projection.KeyProjectionTable,
@@ -157,277 +114,3 @@ var (
 		table: keyPrivateTable,
 	}
 )
-
-var (
-	keyPublicTable = table{
-		name:          projection.KeyPublicTable,
-		instanceIDCol: projection.KeyPrivateColumnInstanceID,
-	}
-	KeyPublicColID = Column{
-		name:  projection.KeyPublicColumnID,
-		table: keyPublicTable,
-	}
-	KeyPublicColExpiry = Column{
-		name:  projection.KeyPublicColumnExpiry,
-		table: keyPublicTable,
-	}
-	KeyPublicColKey = Column{
-		name:  projection.KeyPublicColumnKey,
-		table: keyPublicTable,
-	}
-)
-
-func (q *Queries) ActivePublicKeys(ctx context.Context, t time.Time) (keys *PublicKeys, err error) {
-	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.EndWithError(err) }()
-
-	query, scan := preparePublicKeysQuery()
-	if t.IsZero() {
-		t = time.Now()
-	}
-	stmt, args, err := query.Where(
-		sq.And{
-			sq.Eq{KeyColInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()},
-			sq.Gt{KeyPublicColExpiry.identifier(): t},
-		}).ToSql()
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-SDFfg", "Errors.Query.SQLStatement")
-	}
-
-	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
-		keys, err = scan(rows)
-		return err
-	}, stmt, args...)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-Sghn4", "Errors.Internal")
-	}
-
-	keys.State, err = q.latestState(ctx, keyTable)
-	if !zerrors.IsNotFound(err) {
-		return keys, err
-	}
-	return keys, nil
-}
-
-func (q *Queries) ActivePrivateSigningKey(ctx context.Context, t time.Time) (keys *PrivateKeys, err error) {
-	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.EndWithError(err) }()
-
-	stmt, scan := preparePrivateKeysQuery()
-	if t.IsZero() {
-		t = time.Now()
-	}
-	query, args, err := stmt.Where(
-		sq.And{
-			sq.Eq{
-				KeyColUse.identifier():        crypto.KeyUsageSigning,
-				KeyColInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
-			},
-			sq.Gt{KeyPrivateColExpiry.identifier(): t},
-		}).OrderBy(KeyPrivateColExpiry.identifier()).ToSql()
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-SDff2", "Errors.Query.SQLStatement")
-	}
-
-	err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
-		keys, err = scan(rows)
-		return err
-	}, query, args...)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-WRFG4", "Errors.Internal")
-	}
-	keys.State, err = q.latestState(ctx, keyTable)
-	if !zerrors.IsNotFound(err) {
-		return keys, err
-	}
-	return keys, nil
-}
-
-func preparePublicKeysQuery() (sq.SelectBuilder, func(*sql.Rows) (*PublicKeys, error)) {
-	return sq.Select(
-			KeyColID.identifier(),
-			KeyColCreationDate.identifier(),
-			KeyColChangeDate.identifier(),
-			KeyColSequence.identifier(),
-			KeyColResourceOwner.identifier(),
-			KeyColAlgorithm.identifier(),
-			KeyColUse.identifier(),
-			KeyPublicColExpiry.identifier(),
-			KeyPublicColKey.identifier(),
-			countColumn.identifier(),
-		).From(keyTable.identifier()).
-			LeftJoin(join(KeyPublicColID, KeyColID)).
-			PlaceholderFormat(sq.Dollar),
-		func(rows *sql.Rows) (*PublicKeys, error) {
-			keys := make([]PublicKey, 0)
-			var count uint64
-			for rows.Next() {
-				k := new(rsaPublicKey)
-				var keyValue []byte
-				err := rows.Scan(
-					&k.id,
-					&k.creationDate,
-					&k.changeDate,
-					&k.sequence,
-					&k.resourceOwner,
-					&k.algorithm,
-					&k.use,
-					&k.expiry,
-					&keyValue,
-					&count,
-				)
-				if err != nil {
-					return nil, err
-				}
-				k.publicKey, err = crypto.BytesToPublicKey(keyValue)
-				if err != nil {
-					return nil, err
-				}
-				keys = append(keys, k)
-			}
-
-			if err := rows.Close(); err != nil {
-				return nil, zerrors.ThrowInternal(err, "QUERY-rKd6k", "Errors.Query.CloseRows")
-			}
-
-			return &PublicKeys{
-				Keys: keys,
-				SearchResponse: SearchResponse{
-					Count: count,
-				},
-			}, nil
-		}
-}
-
-func preparePrivateKeysQuery() (sq.SelectBuilder, func(*sql.Rows) (*PrivateKeys, error)) {
-	return sq.Select(
-			KeyColID.identifier(),
-			KeyColCreationDate.identifier(),
-			KeyColChangeDate.identifier(),
-			KeyColSequence.identifier(),
-			KeyColResourceOwner.identifier(),
-			KeyColAlgorithm.identifier(),
-			KeyColUse.identifier(),
-			KeyPrivateColExpiry.identifier(),
-			KeyPrivateColKey.identifier(),
-			countColumn.identifier(),
-		).From(keyTable.identifier()).
-			LeftJoin(join(KeyPrivateColID, KeyColID)).
-			PlaceholderFormat(sq.Dollar),
-		func(rows *sql.Rows) (*PrivateKeys, error) {
-			keys := make([]PrivateKey, 0)
-			var count uint64
-			for rows.Next() {
-				k := new(privateKey)
-				err := rows.Scan(
-					&k.id,
-					&k.creationDate,
-					&k.changeDate,
-					&k.sequence,
-					&k.resourceOwner,
-					&k.algorithm,
-					&k.use,
-					&k.expiry,
-					&k.privateKey,
-					&count,
-				)
-				if err != nil {
-					return nil, err
-				}
-				keys = append(keys, k)
-			}
-
-			if err := rows.Close(); err != nil {
-				return nil, zerrors.ThrowInternal(err, "QUERY-rKd6k", "Errors.Query.CloseRows")
-			}
-
-			return &PrivateKeys{
-				Keys: keys,
-				SearchResponse: SearchResponse{
-					Count: count,
-				},
-			}, nil
-		}
-}
-
-type PublicKeyReadModel struct {
-	eventstore.ReadModel
-
-	Algorithm string
-	Key       *crypto.CryptoValue
-	Expiry    time.Time
-	Usage     crypto.KeyUsage
-}
-
-func NewPublicKeyReadModel(keyID, resourceOwner string) *PublicKeyReadModel {
-	return &PublicKeyReadModel{
-		ReadModel: eventstore.ReadModel{
-			AggregateID:   keyID,
-			ResourceOwner: resourceOwner,
-		},
-	}
-}
-
-func (wm *PublicKeyReadModel) AppendEvents(events ...eventstore.Event) {
-	wm.ReadModel.AppendEvents(events...)
-}
-
-func (wm *PublicKeyReadModel) Reduce() error {
-	for _, event := range wm.Events {
-		switch e := event.(type) {
-		case *keypair.AddedEvent:
-			wm.Algorithm = e.Algorithm
-			wm.Key = e.PublicKey.Key
-			wm.Expiry = e.PublicKey.Expiry
-			wm.Usage = e.Usage
-		default:
-		}
-	}
-	return wm.ReadModel.Reduce()
-}
-
-func (wm *PublicKeyReadModel) Query() *eventstore.SearchQueryBuilder {
-	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
-		AwaitOpenTransactions().
-		ResourceOwner(wm.ResourceOwner).
-		AddQuery().
-		AggregateTypes(keypair.AggregateType).
-		AggregateIDs(wm.AggregateID).
-		EventTypes(keypair.AddedEventType).
-		Builder()
-}
-
-func (q *Queries) GetPublicKeyByID(ctx context.Context, keyID string) (_ PublicKey, err error) {
-	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.EndWithError(err) }()
-
-	model := NewPublicKeyReadModel(keyID, authz.GetInstance(ctx).InstanceID())
-	if err := q.eventstore.FilterToQueryReducer(ctx, model); err != nil {
-		return nil, err
-	}
-	if model.Algorithm == "" || model.Key == nil {
-		return nil, zerrors.ThrowNotFound(err, "QUERY-Ahf7x", "Errors.Key.NotFound")
-	}
-	keyValue, err := crypto.Decrypt(model.Key, q.keyEncryptionAlgorithm)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-Ie4oh", "Errors.Internal")
-	}
-	publicKey, err := crypto.BytesToPublicKey(keyValue)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-Kai2Z", "Errors.Internal")
-	}
-
-	return &rsaPublicKey{
-		key: key{
-			id:            model.AggregateID,
-			creationDate:  model.CreationDate,
-			changeDate:    model.ChangeDate,
-			sequence:      model.ProcessedSequence,
-			resourceOwner: model.ResourceOwner,
-			algorithm:     model.Algorithm,
-			use:           model.Usage,
-		},
-		expiry:    model.Expiry,
-		publicKey: publicKey,
-	}, nil
-}