feat: encryption keys in database (#3265)

* enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message
2025-12-01 15:15:56 +00:00 · 2022-03-14 07:55:09 +01:00
parent 7899a0b851
commit 5463244376
57 changed files with 1618 additions and 471 deletions
--- a/cmd/admin/start/encryption_keys.go
+++ b/cmd/admin/start/encryption_keys.go
@@ -0,0 +1,105 @@
+package start
+
+import (
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+)
+
+var (
+	defaultKeyIDs = []string{
+		"domainVerificationKey",
+		"idpConfigKey",
+		"oidcKey",
+		"otpKey",
+		"smsKey",
+		"smtpKey",
+		"userKey",
+		"csrfCookieKey",
+		"userAgentCookieKey",
+	}
+)
+
+type encryptionKeys struct {
+	DomainVerification crypto.EncryptionAlgorithm
+	IDPConfig          crypto.EncryptionAlgorithm
+	OIDC               crypto.EncryptionAlgorithm
+	OTP                crypto.EncryptionAlgorithm
+	SMS                crypto.EncryptionAlgorithm
+	SMTP               crypto.EncryptionAlgorithm
+	User               crypto.EncryptionAlgorithm
+	CSRFCookieKey      []byte
+	UserAgentCookieKey []byte
+	OIDCKey            []byte
+}
+
+func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyStorage) (*encryptionKeys, error) {
+	keys, err := keyStorage.ReadKeys()
+	if err != nil {
+		return nil, nil
+	}
+	if len(keys) == 0 {
+		if err := createDefaultKeys(keyStorage); err != nil {
+			return nil, err
+		}
+	}
+	encryptionKeys := new(encryptionKeys)
+	encryptionKeys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	key, err := crypto.LoadKey(keyConfig.OIDC.EncryptionKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.OIDCKey = []byte(key)
+	encryptionKeys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	key, err = crypto.LoadKey(keyConfig.CSRFCookieKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.CSRFCookieKey = []byte(key)
+	key, err = crypto.LoadKey(keyConfig.UserAgentCookieKeyID, keyStorage)
+	if err != nil {
+		return nil, err
+	}
+	encryptionKeys.UserAgentCookieKey = []byte(key)
+	return encryptionKeys, nil
+}
+
+func createDefaultKeys(keyStorage crypto.KeyStorage) error {
+	keys := make([]*crypto.Key, len(defaultKeyIDs))
+	for i, keyID := range defaultKeyIDs {
+		key, err := crypto.NewKey(keyID)
+		if err != nil {
+			return err
+		}
+		keys[i] = key
+	}
+	if err := keyStorage.CreateKeys(keys...); err != nil {
+		return caos_errs.ThrowInternal(err, "START-aGBq2", "cannot create default keys")
+	}
+	return nil
+}
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@@ -39,6 +39,7 @@ import (
 	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/crypto"
+	cryptoDB "github.com/caos/zitadel/internal/crypto/database"
 	"github.com/caos/zitadel/internal/database"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore"
@@ -52,6 +53,10 @@ import (
 	"github.com/caos/zitadel/openapi"
 )

+const (
+	flagMasterKey = "masterkey"
+)
+
 func New() *cobra.Command {
 	start := &cobra.Command{
 		Use:   "start",
@@ -72,7 +77,8 @@ Requirements:
 			if err != nil {
 				return err
 			}
-			return startZitadel(config)
+			masterKey, _ := cmd.Flags().GetString("masterkey")
+			return startZitadel(config, masterKey)
 		},
 	}
 	bindUint16Flag(start, "port", "port to run ZITADEL on")
@@ -80,6 +86,8 @@ Requirements:
 	bindStringFlag(start, "externalPort", "port ZITADEL will be exposed on")
 	bindBoolFlag(start, "externalSecure", "if ZITADEL will be served on HTTPS")

+	start.PersistentFlags().String(flagMasterKey, "", "masterkey for en/decryption keys")
+
 	return start
 }

@@ -105,7 +113,7 @@ type startConfig struct {
 	ExternalDomain  string
 	ExternalSecure  bool
 	Database        database.Config
-	Projections     projectionConfig
+	Projections     projection.Config
 	AuthZ           authz.Config
 	Auth            auth_es.Config
 	Admin           admin_es.Config
@@ -117,14 +125,22 @@ type startConfig struct {
 	AssetStorage    static_config.AssetStorageConfig
 	InternalAuthZ   internal_authz.Config
 	SystemDefaults  systemdefaults.SystemDefaults
+	EncryptionKeys  *encryptionKeyConfig
 }

-type projectionConfig struct {
-	projection.Config
-	KeyConfig *crypto.KeyConfig
+type encryptionKeyConfig struct {
+	DomainVerification   *crypto.KeyConfig
+	IDPConfig            *crypto.KeyConfig
+	OIDC                 *crypto.KeyConfig
+	OTP                  *crypto.KeyConfig
+	SMS                  *crypto.KeyConfig
+	SMTP                 *crypto.KeyConfig
+	User                 *crypto.KeyConfig
+	CSRFCookieKeyID      string
+	UserAgentCookieKeyID string
 }

-func startZitadel(config *startConfig) error {
+func startZitadel(config *startConfig, masterKey string) error {
 	ctx := context.Background()
 	keyChan := make(chan interface{})

@@ -132,6 +148,16 @@ func startZitadel(config *startConfig) error {
 	if err != nil {
 		return fmt.Errorf("cannot start client for projection: %w", err)
 	}
+
+	keyStorage, err := cryptoDB.NewKeyStorage(dbClient, masterKey)
+	if err != nil {
+		return fmt.Errorf("cannot start key storage: %w", err)
+	}
+	keys, err := ensureEncryptionKeys(config.EncryptionKeys, keyStorage)
+	if err != nil {
+		return err
+	}
+
 	var storage static.Storage
 	//TODO: enable when storage is implemented again
 	//if *assetsEnabled {
@@ -142,22 +168,13 @@ func startZitadel(config *startConfig) error {
 	if err != nil {
 		return fmt.Errorf("cannot start eventstore for queries: %w", err)
 	}
-	smtpPasswordCrypto, err := crypto.NewAESCrypto(config.SystemDefaults.SMTPPasswordVerificationKey)
-	if err != nil {
-		return fmt.Errorf("cannot create smtp crypto: %w", err)
-	}

-	smsCrypto, err := crypto.NewAESCrypto(config.SystemDefaults.SMSVerificationKey)
-	if err != nil {
-		return fmt.Errorf("cannot create smtp crypto: %w", err)
-	}
-
-	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections.Config, config.SystemDefaults, config.Projections.KeyConfig, keyChan, config.InternalAuthZ.RolePermissionMappings)
+	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, keys.OIDC, keyChan, config.InternalAuthZ.RolePermissionMappings)
 	if err != nil {
 		return fmt.Errorf("cannot start queries: %w", err)
 	}

-	authZRepo, err := authz.Start(config.AuthZ, config.SystemDefaults, queries, dbClient, config.OIDC.KeyConfig)
+	authZRepo, err := authz.Start(config.AuthZ, config.SystemDefaults, queries, dbClient, keys.OIDC)
 	if err != nil {
 		return fmt.Errorf("error starting authz repo: %w", err)
 	}
@@ -166,22 +183,22 @@ func startZitadel(config *startConfig) error {
 		Origin:      http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure),
 		DisplayName: "ZITADEL",
 	}
-	commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ, storage, authZRepo, config.OIDC.KeyConfig, webAuthNConfig, smtpPasswordCrypto, smsCrypto)
+	commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ, storage, authZRepo, webAuthNConfig, keys.IDPConfig, keys.OTP, keys.SMTP, keys.SMS, keys.DomainVerification, keys.OIDC)
 	if err != nil {
 		return fmt.Errorf("cannot start commands: %w", err)
 	}

-	notification.Start(config.Notification, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, smtpPasswordCrypto, smsCrypto)
+	notification.Start(config.Notification, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.User, keys.SMTP, keys.SMS)

 	router := mux.NewRouter()
-	err = startAPIs(ctx, router, commands, queries, eventstoreClient, dbClient, keyChan, config, storage, authZRepo)
+	err = startAPIs(ctx, router, commands, queries, eventstoreClient, dbClient, keyChan, config, storage, authZRepo, keys)
 	if err != nil {
 		return err
 	}
 	return listen(ctx, router, config.Port)
 }

-func startAPIs(ctx context.Context, router *mux.Router, commands *command.Commands, queries *query.Queries, eventstore *eventstore.Eventstore, dbClient *sql.DB, keyChan chan interface{}, config *startConfig, store static.Storage, authZRepo authz_repo.Repository) error {
+func startAPIs(ctx context.Context, router *mux.Router, commands *command.Commands, queries *query.Queries, eventstore *eventstore.Eventstore, dbClient *sql.DB, keyChan chan interface{}, config *startConfig, store static.Storage, authZRepo authz_repo.Repository, keys *encryptionKeys) error {
 	repo := struct {
 		authz_repo.Repository
 		*query.Queries
@@ -192,11 +209,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	verifier := internal_authz.Start(repo)

 	apis := api.New(config.Port, router, &repo, config.InternalAuthZ, config.ExternalSecure)
-	userEncryptionAlgorithm, err := crypto.NewAESCrypto(config.SystemDefaults.UserVerificationKey)
-	if err != nil {
-		return nil
-	}
-	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, config.OIDC.KeyConfig, assets.HandlerPrefix, userEncryptionAlgorithm)
+	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.OIDC, keys.User)
 	if err != nil {
 		return fmt.Errorf("error starting auth repo: %w", err)
 	}
@@ -204,25 +217,25 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("error starting admin repo: %w", err)
 	}
-	if err := apis.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, config.SystemDefaults.Domain, assets.HandlerPrefix, userEncryptionAlgorithm)); err != nil {
+	if err := apis.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, config.SystemDefaults.Domain, assets.HandlerPrefix, keys.User)); err != nil {
 		return err
 	}
-	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, assets.HandlerPrefix, userEncryptionAlgorithm)); err != nil {
+	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
 		return err
 	}
-	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, assets.HandlerPrefix, userEncryptionAlgorithm)); err != nil {
+	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
 		return err
 	}

 	apis.RegisterHandler(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator, store, queries))

-	userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, config.ExternalDomain, id.SonyFlakeGenerator, config.ExternalSecure)
+	userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, keys.UserAgentCookieKey, config.ExternalDomain, id.SonyFlakeGenerator, config.ExternalSecure)
 	if err != nil {
 		return err
 	}

 	issuer := oidc.Issuer(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
-	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, issuer, login.DefaultLoggedOutPath, commands, queries, authRepo, config.SystemDefaults.KeyConfig, eventstore, dbClient, keyChan, userAgentInterceptor)
+	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, issuer, login.DefaultLoggedOutPath, commands, queries, authRepo, config.SystemDefaults.KeyConfig, keys.OIDC, keys.OIDCKey, eventstore, dbClient, keyChan, userAgentInterceptor)
 	if err != nil {
 		return fmt.Errorf("unable to start oidc provider: %w", err)
 	}
@@ -238,13 +251,14 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("unable to get client_id for console: %w", err)
 	}
-	c, err := console.Start(config.Console, config.ExternalDomain, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), issuer, consoleID)
+	baseURL := http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
+	c, err := console.Start(config.Console, config.ExternalDomain, baseURL, issuer, consoleID)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
 	}
 	apis.RegisterHandler(console.HandlerPrefix, c)

-	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix, config.ExternalDomain, oidc.AuthCallback, config.ExternalSecure, userAgentInterceptor, userEncryptionAlgorithm)
+	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix, config.ExternalDomain, baseURL, oidc.AuthCallback, config.ExternalSecure, userAgentInterceptor, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
 	if err != nil {
 		return fmt.Errorf("unable to start login: %w", err)
 	}