fix: use hash to compare user metadata value (#10749)

# Which Problems Are Solved Depending on the metadata values (already existing), the newly created index (#10415) cannot be created or error in the future. # How the Problems Are Solved - Create the index using `sha256` and change the query to use sha256 as well when comparing bytes values such as user_metadata. - Added a setup step to cleanup potentially created index on `projections.user_metadata5` # Additional Changes None # Additional Context - relates to #10415 - requires backport to v4.x (cherry picked from commit 57e8033b6e)
2025-12-02 13:42:23 +00:00 · 2025-09-18 11:50:56 +02:00
parent eb18bf3ae6
commit 3667e0dac9
7 changed files with 40 additions and 8 deletions
--- a/cmd/setup/65.go
+++ b/cmd/setup/65.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 65.sql
+	userMetadata5Index string
+)
+
+type FixUserMetadata5Index struct {
+	dbClient *database.DB
+}
+
+func (mig *FixUserMetadata5Index) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, userMetadata5Index)
+	return err
+}
+
+func (mig *FixUserMetadata5Index) String() string {
+	return "65_fix_user_metadata5_index"
+}
--- a/cmd/setup/65.sql
+++ b/cmd/setup/65.sql
@@ -0,0 +1,3 @@
+ALTER INDEX IF EXISTS projections.user_metadata5_metadata_key_idx
+    RENAME TO user_metadata5_key_idx;
+DROP INDEX IF EXISTS projections.user_metadata5_metadata_value_idx;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -161,6 +161,7 @@ type Steps struct {
 	s62HTTPProviderAddSigningKey            *HTTPProviderAddSigningKey
 	s63AlterResourceCounts                  *AlterResourceCounts
 	s64ChangePushPosition                   *ChangePushPosition
+	s65FixUserMetadata5Index                *FixUserMetadata5Index
 }

 func MustNewSteps(v *viper.Viper) *Steps {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -222,6 +222,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s62HTTPProviderAddSigningKey = &HTTPProviderAddSigningKey{dbClient: dbClient}
 	steps.s63AlterResourceCounts = &AlterResourceCounts{dbClient: dbClient}
 	steps.s64ChangePushPosition = &ChangePushPosition{dbClient: dbClient}
+	steps.s65FixUserMetadata5Index = &FixUserMetadata5Index{dbClient: dbClient}

 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -274,6 +275,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s62HTTPProviderAddSigningKey,
 		steps.s63AlterResourceCounts,
 		steps.s64ChangePushPosition,
+		steps.s65FixUserMetadata5Index,
 	} {
 		setupErr = executeMigration(ctx, eventstoreClient, step, "migration failed")
 		if setupErr != nil {
--- a/internal/query/projection/user_metadata.go
+++ b/internal/query/projection/user_metadata.go
@@ -49,8 +49,8 @@ func (*userMetadataProjection) Init() *old_handler.Check {
 		},
 			handler.NewPrimaryKey(UserMetadataColumnInstanceID, UserMetadataColumnUserID, UserMetadataColumnKey),
 			handler.WithIndex(handler.NewIndex("resource_owner", []string{UserGrantResourceOwner})),
-			handler.WithIndex(handler.NewIndex("metadata_key", []string{UserMetadataColumnKey})),
-			handler.WithIndex(handler.NewIndex("metadata_value", []string{UserMetadataColumnValue})),
+			handler.WithIndex(handler.NewIndex("key", []string{UserMetadataColumnKey})),
+			handler.WithIndex(handler.NewIndex("value", []string{"sha256(" + UserMetadataColumnValue + ")"})),
 		),
 	)
 }
--- a/internal/query/search_query.go
+++ b/internal/query/search_query.go
@@ -648,13 +648,12 @@ func (q *BytesQuery) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
 func (q *BytesQuery) comp() sq.Sqlizer {
 	switch q.Compare {
 	case BytesEquals:
-		return sq.Eq{q.Column.identifier(): q.Value}
+		return sq.Expr("sha256("+q.Column.identifier()+") = sha256(?)", q.Value)
 	case BytesNotEquals:
-		return sq.NotEq{q.Column.identifier(): q.Value}
+		return sq.Expr("sha256("+q.Column.identifier()+") <> sha256(?)", q.Value)
 	case bytesCompareMax:
 		return nil
 	}
-
 	return nil
 }

--- a/internal/query/search_query_test.go
+++ b/internal/query/search_query_test.go
@@ -2287,7 +2287,7 @@ func TestBytesQuery_comp(t *testing.T) {
 				Compare: BytesEquals,
 			},
 			want: want{
-				query: sq.Eq{"test_table.test_col": []byte("foo")},
+				query: sq.Expr("sha256(test_table.test_col) = sha256(?)", []byte("foo")),
 			},
 		},
 		{
@@ -2298,7 +2298,7 @@ func TestBytesQuery_comp(t *testing.T) {
 				Compare: BytesNotEquals,
 			},
 			want: want{
-				query: sq.NotEq{"test_table.test_col": []byte("foo")},
+				query: sq.Expr("sha256(test_table.test_col) <> sha256(?)", []byte("foo")),
 			},
 		},
 		{
@@ -2322,7 +2322,7 @@ func TestBytesQuery_comp(t *testing.T) {
 			},
 			want: want{
 				err:   true,
-				query: sq.Eq{"": []byte("foo")},
+				query: sq.Expr("sha256() = sha256(?)", []byte("foo")),
 			},
 		},
 	}