feat: add apis and application keys (#1327)

* feat: add apis and application keys * VerifyOIDCClientSecret * Update internal/v2/repository/project/api_config.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/v2/repository/project/key.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fix append ApplicationKeyWriteModel Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 04:57:33 +00:00 · 2021-02-22 12:27:47 +01:00
parent a7cc57822b
commit 2ba56595b1
35 changed files with 1421 additions and 527 deletions
--- a/internal/api/grpc/management/application.go
+++ b/internal/api/grpc/management/application.go
@@ -2,6 +2,7 @@ package management

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/authz"

 	"github.com/golang/protobuf/ptypes/empty"
@@ -32,13 +33,15 @@ func (s *Server) CreateOIDCApplication(ctx context.Context, in *management.OIDCA
 	}
 	return oidcAppFromDomain(app), nil
 }
+
 func (s *Server) CreateAPIApplication(ctx context.Context, in *management.APIApplicationCreate) (*management.Application, error) {
-	app, err := s.project.AddApplication(ctx, apiAppCreateToModel(in))
+	app, err := s.command.AddAPIApplication(ctx, apiAppCreateToModel(in), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	return appFromModel(app), nil
+	return apiAppFromDomain(app), nil
 }
+
 func (s *Server) UpdateApplication(ctx context.Context, in *management.ApplicationUpdate) (*management.Application, error) {
 	app, err := s.command.ChangeApplication(ctx, in.ProjectId, appUpdateToDomain(in), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
@@ -46,10 +49,12 @@ func (s *Server) UpdateApplication(ctx context.Context, in *management.Applicati
 	}
 	return appFromDomain(app), nil
 }
+
 func (s *Server) DeactivateApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
 	err := s.command.DeactivateApplication(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
+
 func (s *Server) ReactivateApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
 	err := s.command.ReactivateApplication(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
@@ -69,15 +74,15 @@ func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *management
 }

 func (s *Server) UpdateApplicationAPIConfig(ctx context.Context, in *management.APIConfigUpdate) (*management.APIConfig, error) {
-	config, err := s.project.ChangeAPIConfig(ctx, apiConfigUpdateToModel(in))
+	config, err := s.command.ChangeAPIApplication(ctx, apiConfigUpdateToDomain(in), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	return apiConfigFromModel(config), nil
+	return apiConfigFromDomain(config), nil
 }

 func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
-	config, err := s.command.ChangeOIDCApplicationSecret(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).ResourceOwner)
+	config, err := s.command.ChangeOIDCApplicationSecret(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -85,7 +90,7 @@ func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *management.
 }

 func (s *Server) RegenerateAPIClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
-	config, err := s.project.ChangeAPIConfigSecret(ctx, in.ProjectId, in.Id)
+	config, err := s.command.ChangeAPIApplicationSecret(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -117,14 +122,14 @@ func (s *Server) GetClientKey(ctx context.Context, req *management.ClientKeyIDRe
 }

 func (s *Server) AddClientKey(ctx context.Context, req *management.AddClientKeyRequest) (*management.AddClientKeyResponse, error) {
-	key, err := s.project.AddClientKey(ctx, addClientKeyToModel(req))
+	key, err := s.command.AddApplicationKey(ctx, addClientKeyToDomain(req), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	return addClientKeyFromModel(key), nil
+	return addClientKeyFromDomain(key), nil
 }

 func (s *Server) DeleteClientKey(ctx context.Context, req *management.ClientKeyIDRequest) (*empty.Empty, error) {
-	err := s.project.RemoveClientKey(ctx, req.ProjectId, req.ApplicationId, req.KeyId)
+	err := s.command.RemoveApplicationKey(ctx, req.ProjectId, req.ApplicationId, req.KeyId, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@@ -61,11 +61,26 @@ func oidcAppFromDomain(app *domain.OIDCApp) *management.Application {
 	}
 }

+func apiAppFromDomain(app *domain.APIApp) *management.Application {
+	return &management.Application{
+		Id:         app.AppID,
+		State:      appStateFromDomain(app.State),
+		ChangeDate: timestamppb.New(app.ChangeDate),
+		Name:       app.AppName,
+		Sequence:   app.Sequence,
+		AppConfig:  apiAppConfigFromDomain(app),
+	}
+}
+
 func oidcAppConfigFromDomain(app *domain.OIDCApp) management.AppConfig {
 	return &management.Application_OidcConfig{
 		OidcConfig: oidcConfigFromDomain(app),
 	}
-	return nil
+}
+func apiAppConfigFromDomain(app *domain.APIApp) management.AppConfig {
+	return &management.Application_ApiConfig{
+		ApiConfig: apiConfigFromDomain(app),
+	}
 }

 func oidcConfigFromDomain(config *domain.OIDCApp) *management.OIDCConfig {
@@ -90,6 +105,14 @@ func oidcConfigFromDomain(config *domain.OIDCApp) *management.OIDCConfig {
 	}
 }

+func apiConfigFromDomain(config *domain.APIApp) *management.APIConfig {
+	return &management.APIConfig{
+		ClientId:       config.ClientID,
+		ClientSecret:   config.ClientSecretString,
+		AuthMethodType: apiAuthMethodTypeFromDomain(config.AuthMethodType),
+	}
+}
+
 func apiConfigFromModel(config *proj_model.APIConfig) *management.APIConfig {
 	return &management.APIConfig{
 		ClientId:       config.ClientID,
@@ -150,6 +173,16 @@ func oidcAppCreateToDomain(app *management.OIDCApplicationCreate) *domain.OIDCAp
 	}
 }

+func apiAppCreateToModel(app *management.APIApplicationCreate) *domain.APIApp {
+	return &domain.APIApp{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: app.ProjectId,
+		},
+		AppName:        app.Name,
+		AuthMethodType: apiAuthMethodTypeToDomain(app.AuthMethodType),
+	}
+}
+
 func appUpdateToDomain(app *management.ApplicationUpdate) domain.Application {
 	return &domain.ChangeApp{
 		AppID:   app.Id,
@@ -157,29 +190,6 @@ func appUpdateToDomain(app *management.ApplicationUpdate) domain.Application {
 	}
 }

-func apiAppCreateToModel(app *management.APIApplicationCreate) *proj_model.Application {
-	return &proj_model.Application{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: app.ProjectId,
-		},
-		Name: app.Name,
-		Type: proj_model.AppTypeAPI,
-		APIConfig: &proj_model.APIConfig{
-			AuthMethodType: apiAuthMethodTypeToModel(app.AuthMethodType),
-		},
-	}
-}
-
-func appUpdateToModel(app *management.ApplicationUpdate) *proj_model.Application {
-	return &proj_model.Application{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: app.ProjectId,
-		},
-		AppID: app.Id,
-		Name:  app.Name,
-	}
-}
-
 func oidcConfigUpdateToDomain(app *management.OIDCConfigUpdate) *domain.OIDCApp {
 	return &domain.OIDCApp{
 		ObjectRoot: models.ObjectRoot{
@@ -201,13 +211,43 @@ func oidcConfigUpdateToDomain(app *management.OIDCConfigUpdate) *domain.OIDCApp
 	}
 }

-func apiConfigUpdateToModel(app *management.APIConfigUpdate) *proj_model.APIConfig {
-	return &proj_model.APIConfig{
+func apiConfigUpdateToDomain(app *management.APIConfigUpdate) *domain.APIApp {
+	return &domain.APIApp{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
 		},
 		AppID:          app.ApplicationId,
-		AuthMethodType: apiAuthMethodTypeToModel(app.AuthMethodType),
+		AuthMethodType: apiAuthMethodTypeToDomain(app.AuthMethodType),
+	}
+}
+
+func addClientKeyToDomain(key *management.AddClientKeyRequest) *domain.ApplicationKey {
+	expirationDate := time.Time{}
+	if key.ExpirationDate != nil {
+		expirationDate = key.ExpirationDate.AsTime()
+	}
+
+	return &domain.ApplicationKey{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: key.ProjectId,
+		},
+		ExpirationDate: expirationDate,
+		Type:           authNKeyTypeToDomain(key.Type),
+		ApplicationID:  key.ApplicationId,
+	}
+}
+
+func addClientKeyFromDomain(key *domain.ApplicationKey) *management.AddClientKeyResponse {
+	detail, err := key.Detail()
+	logging.Log("MANAG-adt42").OnError(err).Warn("unable to marshal key")
+
+	return &management.AddClientKeyResponse{
+		Id:             key.KeyID,
+		CreationDate:   timestamppb.New(key.CreationDate),
+		ExpirationDate: timestamppb.New(key.ExpirationDate),
+		Sequence:       key.Sequence,
+		KeyDetails:     detail,
+		Type:           authNKeyTypeFromDomain(key.Type),
 	}
 }

@@ -485,19 +525,32 @@ func oidcAuthMethodTypeFromDomain(authType domain.OIDCAuthMethodType) management
 		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST
 	case domain.OIDCAuthMethodTypeNone:
 		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE
+	case domain.OIDCAuthMethodTypePrivateKeyJWT:
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT
 	default:
 		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
 	}
 }

-func apiAuthMethodTypeToModel(authType management.APIAuthMethodType) proj_model.APIAuthMethodType {
+func apiAuthMethodTypeToDomain(authType management.APIAuthMethodType) domain.APIAuthMethodType {
 	switch authType {
 	case management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC:
-		return proj_model.APIAuthMethodTypeBasic
+		return domain.APIAuthMethodTypeBasic
 	case management.APIAuthMethodType_APIAUTHMETHODTYPE_PRIVATE_KEY_JWT:
-		return proj_model.APIAuthMethodTypePrivateKeyJWT
+		return domain.APIAuthMethodTypePrivateKeyJWT
 	default:
-		return proj_model.APIAuthMethodTypeBasic
+		return domain.APIAuthMethodTypeBasic
+	}
+}
+
+func apiAuthMethodTypeFromDomain(authType domain.APIAuthMethodType) management.APIAuthMethodType {
+	switch authType {
+	case domain.APIAuthMethodTypeBasic:
+		return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC
+	case domain.APIAuthMethodTypePrivateKeyJWT:
+		return management.APIAuthMethodType_APIAUTHMETHODTYPE_PRIVATE_KEY_JWT
+	default:
+		return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC
 	}
 }

@@ -558,6 +611,24 @@ func oidcVersionFromDomain(version domain.OIDCVersion) management.OIDCVersion {
 	}
 }

+func authNKeyTypeToDomain(keyType management.AuthNKeyType) domain.AuthNKeyType {
+	switch keyType {
+	case management.AuthNKeyType_AUTHNKEY_JSON:
+		return domain.AuthNKeyTypeJSON
+	default:
+		return domain.AuthNKeyTypeNONE
+	}
+}
+
+func authNKeyTypeFromDomain(typ domain.AuthNKeyType) management.AuthNKeyType {
+	switch typ {
+	case domain.AuthNKeyTypeJSON:
+		return management.AuthNKeyType_AUTHNKEY_JSON
+	default:
+		return management.AuthNKeyType_AUTHNKEY_UNSPECIFIED
+	}
+}
+
 func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
 	return &management.Changes{
 		Limit:   limit,
@@ -612,63 +683,6 @@ func clientKeyViewFromModel(key *key_model.AuthNKeyView) *management.ClientKeyVi
 	}
 }

-func addClientKeyToModel(key *management.AddClientKeyRequest) *proj_model.ClientKey {
-	expirationDate := time.Time{}
-	if key.ExpirationDate != nil {
-		var err error
-		expirationDate, err = ptypes.Timestamp(key.ExpirationDate)
-		logging.Log("MANAG-Dgt42").OnError(err).Debug("unable to parse expiration date")
-	}
-
-	return &proj_model.ClientKey{
-		ExpirationDate: expirationDate,
-		Type:           authNKeyTypeToModel(key.Type),
-		ApplicationID:  key.ApplicationId,
-		ObjectRoot:     models.ObjectRoot{AggregateID: key.ProjectId},
-	}
-}
-
-func addClientKeyFromModel(key *proj_model.ClientKey) *management.AddClientKeyResponse {
-	creationDate, err := ptypes.TimestampProto(key.CreationDate)
-	logging.Log("MANAG-FBzz4").OnError(err).Debug("unable to parse cretaion date")
-
-	expirationDate, err := ptypes.TimestampProto(key.ExpirationDate)
-	logging.Log("MANAG-sag21").OnError(err).Debug("unable to parse cretaion date")
-
-	detail, err := json.Marshal(struct {
-		Type     string `json:"type"`
-		KeyID    string `json:"keyId"`
-		Key      string `json:"key"`
-		AppID    string `json:"appId"`
-		ClientID string `json:"clientID"`
-	}{
-		Type:     "application",
-		KeyID:    key.KeyID,
-		Key:      string(key.PrivateKey),
-		AppID:    key.ApplicationID,
-		ClientID: key.ClientID,
-	})
-	logging.Log("MANAG-adt42").OnError(err).Warn("unable to marshall key")
-
-	return &management.AddClientKeyResponse{
-		Id:             key.KeyID,
-		CreationDate:   creationDate,
-		ExpirationDate: expirationDate,
-		Sequence:       key.Sequence,
-		KeyDetails:     detail,
-		Type:           authNKeyTypeFromModel(key.Type),
-	}
-}
-
-func authNKeyTypeToModel(typ management.AuthNKeyType) key_model.AuthNKeyType {
-	switch typ {
-	case management.AuthNKeyType_AUTHNKEY_JSON:
-		return key_model.AuthNKeyTypeJSON
-	default:
-		return key_model.AuthNKeyTypeNONE
-	}
-}
-
 func authNKeyTypeFromModel(typ key_model.AuthNKeyType) management.AuthNKeyType {
 	switch typ {
 	case key_model.AuthNKeyTypeJSON:
--- a/internal/api/grpc/management/user_machine_converter.go
+++ b/internal/api/grpc/management/user_machine_converter.go
@@ -116,18 +116,18 @@ func addMachineKeyFromDomain(key *domain.MachineKey) *management.AddMachineKeyRe
 	}
 }

-func machineKeyTypeToDomain(typ management.MachineKeyType) domain.MachineKeyType {
+func machineKeyTypeToDomain(typ management.MachineKeyType) domain.AuthNKeyType {
 	switch typ {
 	case management.MachineKeyType_MACHINEKEY_JSON:
-		return domain.MachineKeyTypeJSON
+		return domain.AuthNKeyTypeJSON
 	default:
-		return domain.MachineKeyTypeNONE
+		return domain.AuthNKeyTypeNONE
 	}
 }

-func machineKeyTypeFromDomain(typ domain.MachineKeyType) management.MachineKeyType {
+func machineKeyTypeFromDomain(typ domain.AuthNKeyType) management.MachineKeyType {
 	switch typ {
-	case domain.MachineKeyTypeJSON:
+	case domain.AuthNKeyTypeJSON:
 		return management.MachineKeyType_MACHINEKEY_JSON
 	default:
 		return management.MachineKeyType_MACHINEKEY_UNSPECIFIED