TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-10-15 11:50:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add publickey endpoints

Browse Source
This commit is contained in:
Stefan Benz
2024-09-26 19:15:03 +02:00
parent f7b6dafe81
commit 1afd9bc198
14 changed files with 1350 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

458
internal/api/grpc/resources/user/v3alpha/integration_test/publickey_test.go Normal file
View File

@@ -0,0 +1,458 @@
//go:build integration
package user_test
import (
"context"
"testing"
"github.com/brianvoe/gofakeit/v6"
"github.com/stretchr/testify/assert"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
resource_object "github.com/zitadel/zitadel/pkg/grpc/resources/object/v3alpha"
user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
)
func TestServer_AddPublicKey(t *testing.T) {
t.Parallel()
instance := integration.NewInstance(CTX)
ensureFeatureEnabled(t, instance)
isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
schema := []byte(`{
"$schema": "urn:zitadel:schema:v1",
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}`)
schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
type res struct {
want *resource_object.Details
}
tests := []struct {
name string
ctx context.Context
dep func(req *user.AddPublicKeyRequest) error
req *user.AddPublicKeyRequest
res res
wantErr bool
}{
{
name: "publickey add, no context",
ctx: context.Background(),
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
wantErr: true,
},
{
name: "publickey add, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
wantErr: true,
},
{
name: "publickey add, publickey empty",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_PublicKey{PublicKey: &user.ProvidedPublicKey{PublicKey: []byte("")}},
},
},
wantErr: true,
},
{
name: "publickey add, user not existing in org",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: "notexisting",
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
wantErr: true,
},
{
name: "publickey add, user not existing",
ctx: isolatedIAMOwnerCTX,
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
Id: "notexisting",
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
wantErr: true,
},
{
name: "publickey add, ok",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
res: res{
want: &resource_object.Details{
Changed: timestamppb.Now(),
Owner: &object.Owner{
Type: object.OwnerType_OWNER_TYPE_ORG,
Id: orgResp.GetOrganizationId(),
},
},
},
},
{
name: "publickey add, no org, ok",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
res: res{
want: &resource_object.Details{
Changed: timestamppb.Now(),
Owner: &object.Owner{
Type: object.OwnerType_OWNER_TYPE_ORG,
Id: orgResp.GetOrganizationId(),
},
},
},
},
{
name: "publickey add, expirationdate, ok",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_PublicKey{PublicKey: &user.ProvidedPublicKey{PublicKey: []byte(gofakeit.BitcoinPrivateKey())}},
},
},
res: res{
want: &resource_object.Details{
Changed: timestamppb.Now(),
Owner: &object.Owner{
Type: object.OwnerType_OWNER_TYPE_ORG,
Id: orgResp.GetOrganizationId(),
},
},
},
},
{
name: "publickey add, generated, ok",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.AddPublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.AddPublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKey: &user.SetPublicKey{
Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
},
},
res: res{
want: &resource_object.Details{
Changed: timestamppb.Now(),
Owner: &object.Owner{
Type: object.OwnerType_OWNER_TYPE_ORG,
Id: orgResp.GetOrganizationId(),
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.dep != nil {
err := tt.dep(tt.req)
assert.NoError(t, err)
}
got, err := instance.Client.UserV3Alpha.AddPublicKey(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
integration.AssertResourceDetails(t, tt.res.want, got.Details)
})
}
}
func TestServer_DeletePublicKey(t *testing.T) {
t.Parallel()
instance := integration.NewInstance(CTX)
ensureFeatureEnabled(t, instance)
isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
schema := []byte(`{
"$schema": "urn:zitadel:schema:v1",
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}`)
schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
type res struct {
want *resource_object.Details
}
tests := []struct {
name string
ctx context.Context
dep func(req *user.RemovePublicKeyRequest) error
req *user.RemovePublicKeyRequest
res res
wantErr bool
}{
{
name: "publickey delete, no context",
ctx: context.Background(),
dep: func(req *user.RemovePublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
req.PublicKeyId = publickeyResp.GetPublicKeyId()
return nil
},
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
},
wantErr: true,
},
{
name: "publickey delete, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
dep: func(req *user.RemovePublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
req.PublicKeyId = publickeyResp.GetPublicKeyId()
return nil
},
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
},
wantErr: true,
},
{
name: "publickey remove, id empty",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKeyId: "notempty",
},
wantErr: true,
},
{
name: "publickey delete, userid empty",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
Id: "notempty",
},
wantErr: true,
},
{
name: "publickey remove, not existing",
ctx: isolatedIAMOwnerCTX,
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
PublicKeyId: "notempty",
Id: "notexisting",
},
wantErr: true,
},
{
name: "publickey remove, no publickey",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.RemovePublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
return nil
},
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
},
wantErr: true,
},
{
name: "publickey remove, ok",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.RemovePublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
req.PublicKeyId = publickeyResp.GetPublicKeyId()
return nil
},
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
},
res: res{
want: &resource_object.Details{
Changed: timestamppb.Now(),
Owner: &object.Owner{
Type: object.OwnerType_OWNER_TYPE_ORG,
Id: orgResp.GetOrganizationId(),
},
},
},
},
{
name: "publickey remove, already removed",
ctx: isolatedIAMOwnerCTX,
dep: func(req *user.RemovePublicKeyRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
resp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, []byte(gofakeit.BitcoinPrivateKey()))
req.PublicKeyId = resp.GetPublicKeyId()
instance.RemoveAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, req.PublicKeyId)
return nil
},
req: &user.RemovePublicKeyRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
OrgId: orgResp.GetOrganizationId(),
},
},
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.dep != nil {
err := tt.dep(tt.req)
assert.NoError(t, err)
}
got, err := instance.Client.UserV3Alpha.RemovePublicKey(tt.ctx, tt.req)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
integration.AssertResourceDetails(t, tt.res.want, got.Details)
})
}
}

47
internal/api/grpc/resources/user/v3alpha/publickey.go Normal file
View File

@@ -0,0 +1,47 @@
package user
import (
"context"
resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
"github.com/zitadel/zitadel/internal/command"
object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
)
func (s *Server) AddPublicKey(ctx context.Context, req *user.AddPublicKeyRequest) (_ *user.AddPublicKeyResponse, err error) {
if err := checkUserSchemaEnabled(ctx); err != nil {
return nil, err
}
pk := addPublicKeyRequestToAddPublicKey(req)
details, err := s.command.AddPublicKey(ctx, pk)
if err != nil {
return nil, err
}
return &user.AddPublicKeyResponse{
Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
PublicKeyId: details.ID,
PrivateKey: pk.PrivateKey,
}, nil
}
func addPublicKeyRequestToAddPublicKey(req *user.AddPublicKeyRequest) *command.AddPublicKey {
return &command.AddPublicKey{
ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
UserID: req.GetId(),
PublicKey: req.GetPublicKey().GetPublicKey().GetPublicKey(),
}
}
func (s *Server) RemovePublicKey(ctx context.Context, req *user.RemovePublicKeyRequest) (_ *user.RemovePublicKeyResponse, err error) {
if err := checkUserSchemaEnabled(ctx); err != nil {
return nil, err
}
details, err := s.command.DeletePublicKey(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId(), req.GetPublicKeyId())
if err != nil {
return nil, err
}
return &user.RemovePublicKeyResponse{
Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
}, nil
}

4
internal/api/grpc/resources/userschema/v3alpha/query.go
View File

@@ -146,8 +146,8 @@ func authenticatorTypeToPb(authenticator domain.AuthenticatorType) schema.Authen
return schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_EMAIL
case domain.AuthenticatorTypeOTPSMS:
return schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_SMS
case domain.AuthenticatorTypeAuthenticationKey:
return schema.AuthenticatorType_AUTHENTICATOR_TYPE_AUTHENTICATION_KEY
case domain.AuthenticatorTypePublicKey:
return schema.AuthenticatorType_AUTHENTICATOR_TYPE_PUBLIC_KEY
case domain.AuthenticatorTypeIdentityProvider:
return schema.AuthenticatorType_AUTHENTICATOR_TYPE_IDENTITY_PROVIDER
case domain.AuthenticatorTypeUnspecified:

4
internal/api/grpc/resources/userschema/v3alpha/userschema.go
View File

@@ -149,8 +149,8 @@ func authenticatorTypeToDomain(authenticator schema.AuthenticatorType) domain.Au
return domain.AuthenticatorTypeOTPEmail
case schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_SMS:
return domain.AuthenticatorTypeOTPSMS
case schema.AuthenticatorType_AUTHENTICATOR_TYPE_AUTHENTICATION_KEY:
return domain.AuthenticatorTypeAuthenticationKey
case schema.AuthenticatorType_AUTHENTICATOR_TYPE_PUBLIC_KEY:
return domain.AuthenticatorTypePublicKey
case schema.AuthenticatorType_AUTHENTICATOR_TYPE_IDENTITY_PROVIDER:
return domain.AuthenticatorTypeIdentityProvider
default:

11
internal/command/user_v3.go
View File

@@ -207,3 +207,14 @@ func existingSchema(ctx context.Context, c *Commands, resourceOwner, id string)
}
return writeModel, nil
}
func existingSchemaWithAuthenticator(ctx context.Context, c *Commands, resourceOwner, id string, authenticator domain.AuthenticatorType) (*UserSchemaWriteModel, error) {
writeModel, err := c.getSchemaWriteModelByID(ctx, resourceOwner, id)
if err != nil {
return nil, err
}
if !writeModel.Exists() {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists")
}
return writeModel, nil
}

99
internal/command/user_v3_publickey.go Normal file
View File

@@ -0,0 +1,99 @@
package command
import (
"context"
"time"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/zerrors"
)
type AddPublicKey struct {
ResourceOwner string
UserID string
ExpirationDate time.Time
PublicKey []byte
PrivateKey []byte
}
func (wm *AddPublicKey) GetExpirationDate() time.Time {
return wm.ExpirationDate
}
func (wm *AddPublicKey) SetExpirationDate(date time.Time) {
wm.ExpirationDate = date
}
func (wm *AddPublicKey) SetPublicKey(data []byte) {
wm.PublicKey = data
}
func (wm *AddPublicKey) SetPrivateKey(data []byte) {
wm.PrivateKey = data
}
func (c *Commands) AddPublicKey(ctx context.Context, pk *AddPublicKey) (*domain.ObjectDetails, error) {
if pk.UserID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing")
}
schemauser, err := existingSchemaUser(ctx, c, pk.ResourceOwner, pk.UserID)
if err != nil {
return nil, err
}
_, err = existingSchema(ctx, c, "", schemauser.SchemaID)
if err != nil {
return nil, err
}
// TODO check for possible authenticators
id, err := c.idGenerator.Next()
if err != nil {
return nil, err
}
writeModel, err := c.getSchemaPublicKeyWM(ctx, schemauser.ResourceOwner, schemauser.AggregateID, id)
if err != nil {
return nil, err
}
if len(pk.PublicKey) == 0 {
if err := domain.SetNewAuthNKeyPair(pk, c.machineKeySize); err != nil {
return nil, err
}
}
events, err := writeModel.NewCreate(ctx, pk.ExpirationDate, pk.PublicKey)
if err != nil {
return nil, err
}
return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
}
func (c *Commands) DeletePublicKey(ctx context.Context, resourceOwner, userID, id string) (*domain.ObjectDetails, error) {
if userID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing")
}
if id == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing")
}
writeModel, err := c.getSchemaPublicKeyWM(ctx, resourceOwner, userID, id)
if err != nil {
return nil, err
}
events, err := writeModel.NewDelete(ctx)
if err != nil {
return nil, err
}
return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
}
func (c *Commands) getSchemaPublicKeyWM(ctx context.Context, resourceOwner, userID, id string) (*PublicKeyV3WriteModel, error) {
writeModel := NewPublicKeyV3WriteModel(resourceOwner, userID, id, c.checkPermission)
if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
return nil, err
}
return writeModel, nil
}

127
internal/command/user_v3_publickey_model.go Normal file
View File

@@ -0,0 +1,127 @@
package command
import (
"context"
"time"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/user/authenticator"
"github.com/zitadel/zitadel/internal/zerrors"
)
type PublicKeyV3WriteModel struct {
eventstore.WriteModel
UserID string
ExpirationDate time.Time
PrivateKey []byte
PublicKey []byte
checkPermission domain.PermissionCheck
}
func (wm *PublicKeyV3WriteModel) GetWriteModel() *eventstore.WriteModel {
return &wm.WriteModel
}
func NewPublicKeyV3WriteModel(resourceOwner, userID, id string, checkPermission domain.PermissionCheck) *PublicKeyV3WriteModel {
return &PublicKeyV3WriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: id,
ResourceOwner: resourceOwner,
},
UserID: userID,
checkPermission: checkPermission,
}
}
func (wm *PublicKeyV3WriteModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *authenticator.PublicKeyCreatedEvent:
if e.UserID != wm.UserID {
continue
}
wm.UserID = e.UserID
wm.PublicKey = e.PublicKey
wm.ExpirationDate = e.ExpirationDate
case *authenticator.PublicKeyDeletedEvent:
wm.UserID = ""
wm.PublicKey = nil
wm.ExpirationDate = time.Time{}
}
}
return wm.WriteModel.Reduce()
}
func (wm *PublicKeyV3WriteModel) Query() *eventstore.SearchQueryBuilder {
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
ResourceOwner(wm.ResourceOwner).
AddQuery().
AggregateTypes(authenticator.AggregateType).
AggregateIDs(wm.AggregateID).
EventTypes(
authenticator.PublicKeyCreatedType,
authenticator.PublicKeyDeletedType,
).Builder()
}
func (wm *PublicKeyV3WriteModel) checkPermissionWrite(ctx context.Context) error {
if wm.UserID == authz.GetCtxData(ctx).UserID {
return nil
}
if err := wm.checkPermission(ctx, domain.PermissionUserWrite, wm.ResourceOwner, wm.UserID); err != nil {
return err
}
return nil
}
func (wm *PublicKeyV3WriteModel) NewCreate(
ctx context.Context,
expirationDate time.Time,
publicKey []byte,
) ([]eventstore.Command, error) {
if err := wm.NotExists(); err != nil {
return nil, err
}
if err := wm.checkPermissionWrite(ctx); err != nil {
return nil, err
}
return []eventstore.Command{
authenticator.NewPublicKeyCreatedEvent(ctx,
AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
wm.UserID,
expirationDate,
publicKey,
),
}, nil
}
func (wm *PublicKeyV3WriteModel) NewDelete(ctx context.Context) ([]eventstore.Command, error) {
if err := wm.Exists(); err != nil {
return nil, err
}
if err := wm.checkPermissionWrite(ctx); err != nil {
return nil, err
}
return []eventstore.Command{
authenticator.NewPublicKeyDeletedEvent(ctx,
AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
),
}, nil
}
func (wm *PublicKeyV3WriteModel) Exists() error {
if len(wm.PublicKey) == 0 {
return zerrors.ThrowNotFound(nil, "TODO", "TODO")
}
return nil
}
func (wm *PublicKeyV3WriteModel) NotExists() error {
if err := wm.Exists(); err != nil {
return nil
}
return zerrors.ThrowAlreadyExists(nil, "TODO", "TODO")
}

395
internal/command/user_v3_publickey_test.go Normal file
View File

@@ -0,0 +1,395 @@
package command
import (
"context"
"errors"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/id"
"github.com/zitadel/zitadel/internal/id/mock"
"github.com/zitadel/zitadel/internal/repository/user/authenticator"
"github.com/zitadel/zitadel/internal/zerrors"
)
func filterPublicKeyExisting() expect {
return expectFilter(
eventFromEventPusher(
authenticator.NewPublicKeyCreatedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
"user1",
time.Time{},
[]byte("something"),
),
),
)
}
func TestCommands_AddPublicKey(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
idGenerator id.Generator
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
user *AddPublicKey
}
type res struct {
details *domain.ObjectDetails
err func(error) bool
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"no userID, error",
fields{
eventstore: expectEventstore(),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing"))
},
},
},
{
"user not existing, error",
fields{
eventstore: expectEventstore(
expectFilter(),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{
UserID: "notexisting",
},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-syHyCsGmvM", "Errors.User.NotFound"))
},
},
},
{
"no permission, error",
fields{
eventstore: expectEventstore(
filterSchemaUserExisting(),
filterSchemaExisting(),
expectFilter(),
),
checkPermission: newMockPermissionCheckNotAllowed(),
idGenerator: mock.ExpectID(t, "pk1"),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{
UserID: "user1",
PublicKey: []byte("something"),
},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
},
},
},
{
"userschema not existing, error",
fields{
eventstore: expectEventstore(
filterSchemaUserExisting(),
expectFilter(),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{
UserID: "user1",
},
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists"))
},
},
},
{
"publickey added, ok",
fields{
eventstore: expectEventstore(
filterSchemaUserExisting(),
filterSchemaExisting(),
expectFilter(),
expectPush(
authenticator.NewPublicKeyCreatedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
"user1",
time.Time{},
[]byte("something"),
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: mock.ExpectID(t, "pk1"),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{
UserID: "user1",
PublicKey: []byte("something"),
},
},
res{
details: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
{
"publickey added, expirationdate, ok",
fields{
eventstore: expectEventstore(
filterSchemaUserExisting(),
filterSchemaExisting(),
expectFilter(),
expectPush(
authenticator.NewPublicKeyCreatedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
"user1",
time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
[]byte("something"),
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: mock.ExpectID(t, "pk1"),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
user: &AddPublicKey{
UserID: "user1",
PublicKey: []byte("something"),
ExpirationDate: time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
},
},
res{
details: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
idGenerator: tt.fields.idGenerator,
checkPermission: tt.fields.checkPermission,
}
details, err := c.AddPublicKey(tt.args.ctx, tt.args.user)
if tt.res.err == nil {
assert.NoError(t, err)
}
if tt.res.err != nil && !tt.res.err(err) {
t.Errorf("got wrong err: %v ", err)
}
if tt.res.err == nil {
assertObjectDetails(t, tt.res.details, details)
}
})
}
}
func TestCommands_DeletePublicKey(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
checkPermission domain.PermissionCheck
}
type args struct {
ctx context.Context
resourceOwner string
userID string
id string
}
type res struct {
details *domain.ObjectDetails
err func(error) bool
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"no userID, error",
fields{
eventstore: expectEventstore(),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
id: "",
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing"))
},
},
},
{
"no ID, error",
fields{
eventstore: expectEventstore(),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
userID: "user1",
id: "",
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing"))
},
},
},
{
"pk not existing, error",
fields{
eventstore: expectEventstore(
expectFilter(),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
userID: "user1",
id: "notexisting",
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
},
},
},
{
"pk already removed, error",
fields{
eventstore: expectEventstore(
expectFilter(
eventFromEventPusher(
authenticator.NewPublicKeyCreatedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
"user1",
time.Time{},
[]byte("something"),
),
),
eventFromEventPusher(
authenticator.NewPublicKeyDeletedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
),
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
userID: "user1",
id: "notexisting",
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
},
},
},
{
"no permission, error",
fields{
eventstore: expectEventstore(
filterPublicKeyExisting(),
),
checkPermission: newMockPermissionCheckNotAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
userID: "user1",
id: "pk1",
},
res{
err: func(err error) bool {
return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
},
},
},
{
"pk removed, ok",
fields{
eventstore: expectEventstore(
filterPublicKeyExisting(),
expectPush(
authenticator.NewPublicKeyDeletedEvent(
context.Background(),
&authenticator.NewAggregate("pk1", "org1").Aggregate,
),
),
),
checkPermission: newMockPermissionCheckAllowed(),
},
args{
ctx: authz.NewMockContext("instanceID", "", ""),
userID: "user1",
id: "pk1",
},
res{
details: &domain.ObjectDetails{
ResourceOwner: "org1",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
checkPermission: tt.fields.checkPermission,
}
details, err := c.DeletePublicKey(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.id)
if tt.res.err == nil {
assert.NoError(t, err)
}
if tt.res.err != nil && !tt.res.err(err) {
t.Errorf("got wrong err: %v ", err)
}
if tt.res.err == nil {
assertObjectDetails(t, tt.res.details, details)
}
})
}
}

4
internal/command/user_v3_username.go
View File

@@ -38,7 +38,6 @@ func (c *Commands) AddUsername(ctx context.Context, username *AddUsername) (*dom
if err != nil {
return nil, err
}
events, err := writeModel.NewCreate(ctx, username.IsOrgSpecific, username.Username)
if err != nil {
return nil, err
@@ -46,7 +45,7 @@ func (c *Commands) AddUsername(ctx context.Context, username *AddUsername) (*dom
return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
}
func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id string) (_ *domain.ObjectDetails, err error) {
func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id string) (*domain.ObjectDetails, error) {
if userID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-J6ybG5WZiy", "Errors.IDMissing")
}
@@ -58,7 +57,6 @@ func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id
if err != nil {
return nil, err
}
events, err := writeModel.NewDelete(ctx)
if err != nil {
return nil, err

2
internal/domain/user_schema.go
View File

@@ -20,7 +20,7 @@ const (
AuthenticatorTypeTOTP
AuthenticatorTypeOTPEmail
AuthenticatorTypeOTPSMS
AuthenticatorTypeAuthenticationKey
AuthenticatorTypePublicKey
AuthenticatorTypeIdentityProvider
authenticatorTypeCount
)

24
internal/integration/client.go
View File

@@ -830,6 +830,30 @@ func (i *Instance) RemoveAuthenticatorPassword(ctx context.Context, orgID string
return user
}
func (i *Instance) AddAuthenticatorPublicKey(ctx context.Context, orgID string, userID string, pk []byte) *user_v3alpha.AddPublicKeyResponse {
user, err := i.Client.UserV3Alpha.AddPublicKey(ctx, &user_v3alpha.AddPublicKeyRequest{
Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
Id: userID,
PublicKey: &user_v3alpha.SetPublicKey{
Type: &user_v3alpha.SetPublicKey_PublicKey{PublicKey: &user_v3alpha.ProvidedPublicKey{
PublicKey: pk,
}},
},
})
logging.OnError(err).Fatal("create pk")
return user
}
func (i *Instance) RemoveAuthenticatorPublicKey(ctx context.Context, orgID string, userid, id string) *user_v3alpha.RemovePublicKeyResponse {
user, err := i.Client.UserV3Alpha.RemovePublicKey(ctx, &user_v3alpha.RemovePublicKeyRequest{
Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
Id: userid,
PublicKeyId: id,
})
logging.OnError(err).Fatal("remove pk")
return user
}
func (i *Instance) UpdateSchemaUserEmail(ctx context.Context, orgID string, userID string, email string) *user_v3alpha.SetContactEmailResponse {
user, err := i.Client.UserV3Alpha.SetContactEmail(ctx, &user_v3alpha.SetContactEmailRequest{
Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},

94
proto/zitadel/resources/user/v3alpha/authenticator.proto
View File

@@ -26,7 +26,7 @@ message Authenticators {
// A list of the user's one-time-password (OTP) Email authenticators.
repeated OTPEmail otp_email = 6;
// A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.
repeated AuthenticationKey authentication_keys = 7;
repeated PublicKey public_keys = 7;
// A list of the user's linked identity providers (IDPs).
repeated IdentityProvider identity_providers = 8;
}
@@ -52,29 +52,6 @@ message Username {
bool is_organization_specific = 3;
}
message SetUsername {
// Set the user's username. This will be used for identification during authentication.
string username = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"gigi-giraffe\"";
}
];
// By default username must be unique across all organizations in an instance.
// This option allow to restrict the uniqueness to the user's own organization.
// As a result, this username can only be used if the authentication is limited
// to the corresponding organization.
//
// This can be useful if you provide multiple usernames for a single user, where one
// if specific to your organization, e.g.:
// - gigi-giraffe@zitadel.com (unique across organizations)
// - gigi-giraffe (unique only inside the ZITADEL organization)
bool is_organization_specific = 2;
}
message Password {
// States the time the password was last changed.
google.protobuf.Timestamp last_changed = 1 [
@@ -204,16 +181,16 @@ message TOTP {
bool is_verified = 3;
}
message AuthenticationKey {
// ID is the read-only unique identifier of the authentication key.
string authentication_key_id = 1 [
message PublicKey {
// ID is the read-only unique identifier of the public key.
string public_key_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
zitadel.resources.object.v3alpha.Details details = 2;
// the file type of the key
AuthNKeyType type = 3 [
PublicKeyType type = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"KEY_TYPE_JSON\"";
}
@@ -226,9 +203,9 @@ message AuthenticationKey {
];
}
enum AuthNKeyType {
AUTHN_KEY_TYPE_UNSPECIFIED = 0;
AUTHN_KEY_TYPE_JSON = 1;
enum PublicKeyType {
PUBLIC_KEY_TYPE_UNSPECIFIED = 0;
PUBLIC_KEY_TYPE_JSON = 1;
}
message IdentityProvider {
@@ -262,6 +239,30 @@ message IdentityProvider {
message SetAuthenticators {
repeated SetUsername usernames = 1;
SetPassword password = 2;
SetPublicKey public_key = 3;
}
message SetUsername {
// Set the user's username. This will be used for identification during authentication.
string username = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"gigi-giraffe\"";
}
];
// By default username must be unique across all organizations in an instance.
// This option allow to restrict the uniqueness to the user's own organization.
// As a result, this username can only be used if the authentication is limited
// to the corresponding organization.
//
// This can be useful if you provide multiple usernames for a single user, where one
// if specific to your organization, e.g.:
// - gigi-giraffe@zitadel.com (unique across organizations)
// - gigi-giraffe (unique only inside the ZITADEL organization)
bool is_organization_specific = 2;
}
message SetPassword {
@@ -316,6 +317,37 @@ message SetPassword {
}
}
message SetPublicKey {
// After the expiration date, the key will no longer be usable for authentication.
optional google.protobuf.Timestamp expiration_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"3019-04-01T08:45:00.000000Z\"";
}
];
oneof type {
// Let ZITADEL generate the key and return the private key.
GeneratedKey generated_key = 2;
// Let ZITADEL send the link to the user via SMS.
ProvidedPublicKey public_key = 3;
}
}
message GeneratedKey {}
message ProvidedPublicKey {
// Public key provided to persist.
bytes public_key = 2 [
(validate.rules).bytes = {min_len: 1, max_len: 4048},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 4048;
example: "\"AAAAC3NzaC1lZDI1NTE5AAAAIGmP5kqmZFDw/FbYr+//2bC7OVSTqPqUKet8539icStf\"";
}
];
}
message SendPasswordResetEmail {
// Optionally set a url_template, which will be used in the password reset mail
// sent by ZITADEL to guide the user to your password change page.

119
proto/zitadel/resources/user/v3alpha/user_service.proto
View File

@@ -642,6 +642,57 @@ service ZITADELUsers {
};
}
// Add a public key
//
// Add a new public key to a user. The public key will be used to identify the user on authentication.
rpc AddPublicKey (AddPublicKeyRequest) returns (AddPublicKeyResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/users/{id}/publickey"
body: "publickey"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Username successfully added";
}
};
};
}
// Remove a public key
//
// Remove an existing public key of a user, so it cannot be used for authentication anymore.
rpc RemovePublicKey (RemovePublicKeyRequest) returns (RemovePublicKeyResponse) {
option (google.api.http) = {
delete: "/resources/v3alpha/users/{id}/publickey/{publickey_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Username successfully removed";
}
};
};
}
// Start a WebAuthN registration
//
// Start the registration of a new WebAuthN device (e.g. Passkeys) for a user.
@@ -1645,6 +1696,74 @@ message RemovePasswordResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message AddPublicKeyRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
// Optionally expect the user to be in this organization.
optional zitadel.object.v3alpha.Organization organization = 2;
// unique identifier of the user.
string id = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
// Set the user's new public key.
SetPublicKey public_key = 4;
}
message AddPublicKeyResponse {
zitadel.resources.object.v3alpha.Details details = 1;
// unique identifier of the public key.
string public_key_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
bytes private_key = 3;
}
message RemovePublicKeyRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
// Optionally expect the user to be in this organization.
optional zitadel.object.v3alpha.Organization organization = 2;
// unique identifier of the user.
string id = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
// unique identifier of the public key.
string public_key_id = 4 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629023906488334\"";
}
];
}
message RemovePublicKeyResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message StartWebAuthNRegistrationRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {

2
proto/zitadel/resources/userschema/v3alpha/user_schema.proto
View File

@@ -206,6 +206,6 @@ enum AuthenticatorType {
AUTHENTICATOR_TYPE_TOTP = 4;
AUTHENTICATOR_TYPE_OTP_EMAIL = 5;
AUTHENTICATOR_TYPE_OTP_SMS = 6;
AUTHENTICATOR_TYPE_AUTHENTICATION_KEY = 7;
AUTHENTICATOR_TYPE_PUBLIC_KEY = 7;
AUTHENTICATOR_TYPE_IDENTITY_PROVIDER = 8;
}