diff --git a/cmd/zitadel/main.go b/cmd/zitadel/main.go
index 2b27e31e2b..687a8d7ca5 100644
--- a/cmd/zitadel/main.go
+++ b/cmd/zitadel/main.go
@@ -174,7 +174,7 @@ func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsReposit
 apis.RegisterServer(ctx, auth.CreateServer(command, query, authRepo))
 }
 if *oidcEnabled {
- op := oidc.NewProvider(ctx, conf.API.OIDC, command, query, authRepo, *localDevMode)
+ op := oidc.NewProvider(ctx, conf.API.OIDC, command, query, authRepo, conf.SystemDefaults.KeyConfig.EncryptionConfig, *localDevMode)
 apis.RegisterHandler("/oauth/v2", op.HttpHandler())
 }
 apis.Start(ctx)
diff --git a/console/src/app/modules/form-field/animations.ts b/console/src/app/modules/form-field/animations.ts
index ca0647cdc5..784902bc87 100644
--- a/console/src/app/modules/form-field/animations.ts
+++ b/console/src/app/modules/form-field/animations.ts
@@ -8,7 +8,6 @@ export const cnslFormFieldAnimations: {
 } = {
 /** Animation that transitions the form field's error and hint messages. */
 transitionMessages: trigger('transitionMessages', [
- // TODO(mmalerba): Use angular animations for label animation as well.
 state('enter', style({ opacity: 1, transform: 'translateY(0%)' })),
 transition('void => enter', [
 style({ opacity: 0, transform: 'translateY(-100%)' }),
diff --git a/console/src/app/modules/form-field/form-field.component.ts b/console/src/app/modules/form-field/form-field.component.ts
index 4089c87fc6..c498d6ac25 100644
--- a/console/src/app/modules/form-field/form-field.component.ts
+++ b/console/src/app/modules/form-field/form-field.component.ts
@@ -63,8 +63,6 @@ export class CnslFormFieldComponent extends CnslFormFieldBase implements OnDestr
 @ContentChild(MatFormFieldControl) _controlNonStatic!: MatFormFieldControl;
 @ContentChild(MatFormFieldControl, { static: true }) _controlStatic!: MatFormFieldControl;
 get _control(): MatFormFieldControl {
- // TODO(crisbeto): we need this workaround in order to support both Ivy and ViewEngine.
- // We should clean this up once Ivy is the default renderer.
 return this._explicitFormFieldControl || this._controlNonStatic || this._controlStatic;
 }
 set _control(value: MatFormFieldControl) {
@@ -139,7 +137,6 @@ export class CnslFormFieldComponent extends CnslFormFieldBase implements OnDestr
 if (this._control) {
 const ids: string[] = [];
- // TODO(wagnermaciel): Remove the type check when we find the root cause of this bug.
 if (this._control.userAriaDescribedBy && typeof this._control.userAriaDescribedBy === 'string') {
 ids.push(...this._control.userAriaDescribedBy.split(' '));
diff --git a/console/src/app/modules/input/input.directive.ts b/console/src/app/modules/input/input.directive.ts
index c9277b55c0..d048851da1 100644
--- a/console/src/app/modules/input/input.directive.ts
+++ b/console/src/app/modules/input/input.directive.ts
@@ -226,8 +226,6 @@ export class InputDirective extends _MatInputMixinBase implements MatFormFieldCo
 @Optional() @Self() @Inject(MAT_INPUT_VALUE_ACCESSOR) inputValueAccessor: any,
 private _autofillMonitor: AutofillMonitor,
 ngZone: NgZone,
- // TODO: Remove this once the legacy appearance has been removed. We only need
- // to inject the form-field for determining whether the placeholder has been promoted.
 @Optional() @Inject(MAT_FORM_FIELD) private _formField?: MatFormField) {
 super(_defaultErrorStateMatcher, _parentForm, _parentFormGroup, ngControl);
@@ -320,7 +318,6 @@ export class InputDirective extends _MatInputMixinBase implements MatFormFieldCo
 // We have to use a `HostListener` here in order to support both Ivy and ViewEngine.
 // In Ivy the `host` bindings will be merged when this class is extended, whereas in
 // ViewEngine they're overwritten.
- // TODO(crisbeto): we move this back into `host` once Ivy is turned on by default.
 /** Callback for the cases where the focused state of the input changes. */
 // tslint:disable:no-host-decorator-in-concrete
 @HostListener('focus', ['true'])
@@ -336,7 +333,6 @@ export class InputDirective extends _MatInputMixinBase implements MatFormFieldCo
 // We have to use a `HostListener` here in order to support both Ivy and ViewEngine.
 // In Ivy the `host` bindings will be merged when this class is extended, whereas in
 // ViewEngine they're overwritten.
- // TODO(crisbeto): we move this back into `host` once Ivy is turned on by default.
 // tslint:disable-next-line:no-host-decorator-in-concrete
 @HostListener('input')
 _onInput(): void {
@@ -353,8 +349,6 @@ export class InputDirective extends _MatInputMixinBase implements MatFormFieldCo
 private _dirtyCheckPlaceholder(): void {
 // If we're hiding the native placeholder, it should also be cleared from the DOM, otherwise
 // screen readers will read it out twice: once from the label and once from the attribute.
- // TODO: can be removed once we get rid of the `legacy` style for the form field, because it's
- // the only one that supports promoting the placeholder to a label.
 const placeholder = this._formField?._hideControlPlaceholder?.() ? null : this.placeholder;
 if (placeholder !== this._previousPlaceholder) {
 const element = this._elementRef.nativeElement;
diff --git a/internal/api/oidc/op.go b/internal/api/oidc/op.go
index 5272ac11fe..a6a3152baa 100644
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -12,6 +12,7 @@ import (
 "github.com/caos/zitadel/internal/auth/repository"
 "github.com/caos/zitadel/internal/command"
 "github.com/caos/zitadel/internal/config/types"
+ "github.com/caos/zitadel/internal/crypto"
 "github.com/caos/zitadel/internal/id"
 "github.com/caos/zitadel/internal/query"
 "github.com/caos/zitadel/internal/telemetry/metrics"
@@ -57,9 +58,16 @@ type OPStorage struct {
 signingKeyAlgorithm string
 }
-func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
+func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, keyConfig *crypto.KeyConfig, localDevMode bool) op.OpenIDProvider {
 cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
 logging.Log("OIDC-sd4fd").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("cannot user agent handler")
+ tokenKey, err := crypto.LoadKey(keyConfig, keyConfig.EncryptionKeyID)
+ logging.Log("OIDC-ADvbv").OnError(err).Panic("cannot load OP crypto key")
+ cryptoKey := []byte(tokenKey)
+ if len(cryptoKey) != 32 {
+ logging.Log("OIDC-Dsfds").Panic("OP crypto key must be exactly 32 bytes")
+ }
+ copy(config.OPConfig.CryptoKey[:], cryptoKey)
 config.OPConfig.CodeMethodS256 = true
 metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 provider, err := op.NewOpenIDProvider(
diff --git a/internal/auth/repository/eventsourcing/eventstore/key.go b/internal/auth/repository/eventsourcing/eventstore/key.go
index 47f65b87aa..ed0ff57e29 100644
--- a/internal/auth/repository/eventsourcing/eventstore/key.go
+++ b/internal/auth/repository/eventsourcing/eventstore/key.go
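Review bot: `keyConfig.EncryptionKeyID` is dereferenced before `crypto.LoadKey` can report anything, so a missing `SystemDefaults.KeyConfig.EncryptionConfig` surfaces as a nil-pointer panic with no log line instead of the `OIDC-ADvbv` message; a guard ahead of the load such as `if keyConfig == nil { logging.Log("OIDC-<new id>").Panic("missing OP crypto key config") }` keeps the startup failure self-describing. The length check hard-codes 32 although the destination `config.OPConfig.CryptoKey` is a fixed-size array; `if len(cryptoKey) != len(config.OPConfig.CryptoKey) {` ties the check to the type and the panic message would then state the actual required size. The body of NewProvider continues past the hunk.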
@@ -131,7 +131,8 @@ func (k *KeyRepository) refreshSigningKey(ctx context.Context, key *model.KeyVie
 }
 signingKey, err := model.SigningKeyFromKeyView(key, k.KeyAlgorithm)
 if err != nil {
- return false, err
+ logging.Log("EVENT-HJd92").WithError(err).Error("signing key cannot be decrypted -> immediate refresh")
+ return k.refreshSigningKey(ctx, nil, keyCh, algorithm)
 }
 k.currentKeyID = signingKey.ID
 k.currentKeyExpiration = key.Expiry
diff --git a/internal/auth/repository/eventsourcing/repository.go b/internal/auth/repository/eventsourcing/repository.go
index 3259bde2de..e0710162c4 100644
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -107,7 +107,8 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, co
 IAMID: systemDefaults.IamID,
 },
 eventstore.TokenRepo{
- View: view,
+ View: view,
+ Eventstore: es,
 },
 eventstore.KeyRepository{
 View: view,
diff --git a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
index cf65ea3a4e..09031577b0 100644
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -26,7 +26,7 @@ import (
 )
 type TokenVerifierRepo struct {
- TokenVerificationKey [32]byte
+ TokenVerificationKey crypto.EncryptionAlgorithm
 IAMID string
 Eventstore v1.Eventstore
 View *view.View
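Review bot: The new error branch recurses into `refreshSigningKey` with a nil key and nothing visible bounds that recursion; if the key obtained on the nil path comes back through this same branch (for instance because `k.KeyAlgorithm` cannot decrypt any stored key after a key-config change), each pass logs `EVENT-HJd92` and recurses again until the stack is exhausted. Since `key` is non-nil in this branch, bounding it needs a retry marker threaded through the call, or the branch should keep `return false, err` after the log and let the caller trigger a single refresh. The recursive call passes `algorithm` while the decrypt two lines above uses `k.KeyAlgorithm`; if those can differ, the retried call is not equivalent to the original one — worth confirming. The signature and the remainder of refreshSigningKey are outside the hunk.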
@@ -68,8 +68,7 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
 func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang, resourceOwner string, err error) {
 ctx, span := tracing.NewSpan(ctx)
 defer func() { span.EndWithError(err) }()
- //TODO: use real key
- tokenIDSubject, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
+ tokenIDSubject, err := repo.TokenVerificationKey.DecryptString([]byte(tokenString), repo.TokenVerificationKey.EncryptionKeyID())
 if err != nil {
 return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
 }
diff --git a/internal/authz/repository/eventsourcing/repository.go b/internal/authz/repository/eventsourcing/repository.go
index dbe02d8c1f..4136a32f2f 100644
--- a/internal/authz/repository/eventsourcing/repository.go
+++ b/internal/authz/repository/eventsourcing/repository.go
@@ -3,6 +3,7 @@ package eventsourcing
 import (
 "context"
+ "github.com/caos/zitadel/internal/crypto"
 "github.com/caos/zitadel/internal/eventstore/v1"
 "github.com/caos/zitadel/internal/query"
@@ -49,6 +50,11 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, qu
 spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, systemDefaults)
+ keyAlgorithm, err := crypto.NewAESCrypto(systemDefaults.KeyConfig.EncryptionConfig)
+ if err != nil {
+ return nil, err
+ }
+
 return &EsRepository{
 spool,
 eventstore.UserGrantRepo{
@@ -62,10 +68,10 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, qu
 IAMV2Query: queries,
 },
 eventstore.TokenVerifierRepo{
- //TODO: Add Token Verification Key
- Eventstore: es,
- IAMID: systemDefaults.IamID,
- View: view,
+ TokenVerificationKey: keyAlgorithm,
+ Eventstore: es,
+ IAMID: systemDefaults.IamID,
+ View: view,
 },
 }, nil
 }
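Review bot: The decryption error is discarded: `caos_errs.ThrowUnauthenticated(nil, ...)` drops the cause, and the deferred `span.EndWithError(err)` therefore only records the generic "invalid token", so an operator cannot distinguish a key mismatch after a key-config change from a garbled client token. Passing the cause as the parent, `caos_errs.ThrowUnauthenticated(err, "APP-8EF0zZ", "invalid token")`, keeps the client-facing message unchanged while the server-side error chain and trace carry the reason — provided the error-to-status mapping does not forward parent text to clients, which cannot be seen from here. The method now calls `repo.TokenVerificationKey` through an interface with no nil check, so a `TokenVerifierRepo` built without that field panics in `EncryptionKeyID()` instead of returning unauthenticated; that is acceptable only if every constructor sets it, as the authz `Start` in this commit does. The rest of VerifyAccessToken is outside the hunk.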
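Review bot: `crypto.NewAESCrypto` runs after `spooler.StartSpooler`, so when the key config is invalid `Start` returns an error while the spooler it just started keeps running with no handle for the caller to stop it. Moving the `keyAlgorithm, err := crypto.NewAESCrypto(systemDefaults.KeyConfig.EncryptionConfig)` block above the `spool := spooler.StartSpooler(...)` line avoids starting background work that the failed initialization cannot clean up. The error is also returned bare; `return nil, fmt.Errorf("creating token verification key: %w", err)` would name the failing step in the startup log, assuming `fmt` is importable in this file (the visible import hunk does not show it). The enclosing Start begins before the hunk.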