feat: encryption keys in database (#3265)

* enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message
2025-08-11 21:37:32 +00:00 · 2022-03-14 07:55:09 +01:00
parent 7899a0b851
commit 5463244376
57 changed files with 1618 additions and 471 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -5,13 +5,13 @@ import (
 	"time"

 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/crypto"

 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	cache "github.com/caos/zitadel/internal/auth_request/repository"
 	"github.com/caos/zitadel/internal/command"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
 	v1 "github.com/caos/zitadel/internal/eventstore/v1"
@@ -666,15 +666,20 @@ func queryLoginPolicyToDomain(policy *query.LoginPolicy) *domain.LoginPolicy {
 			CreationDate:  policy.CreationDate,
 			ChangeDate:    policy.ChangeDate,
 		},
-		Default:               policy.IsDefault,
-		AllowUsernamePassword: policy.AllowUsernamePassword,
-		AllowRegister:         policy.AllowRegister,
-		AllowExternalIDP:      policy.AllowExternalIDPs,
-		ForceMFA:              policy.ForceMFA,
-		SecondFactors:         policy.SecondFactors,
-		MultiFactors:          policy.MultiFactors,
-		PasswordlessType:      policy.PasswordlessType,
-		HidePasswordReset:     policy.HidePasswordReset,
+		Default:                    policy.IsDefault,
+		AllowUsernamePassword:      policy.AllowUsernamePassword,
+		AllowRegister:              policy.AllowRegister,
+		AllowExternalIDP:           policy.AllowExternalIDPs,
+		ForceMFA:                   policy.ForceMFA,
+		SecondFactors:              policy.SecondFactors,
+		MultiFactors:               policy.MultiFactors,
+		PasswordlessType:           policy.PasswordlessType,
+		HidePasswordReset:          policy.HidePasswordReset,
+		PasswordCheckLifetime:      policy.PasswordCheckLifetime,
+		ExternalLoginCheckLifetime: policy.ExternalLoginCheckLifetime,
+		MFAInitSkipLifetime:        policy.MFAInitSkipLifetime,
+		SecondFactorCheckLifetime:  policy.SecondFactorCheckLifetime,
+		MultiFactorCheckLifetime:   policy.MultiFactorCheckLifetime,
 	}
 }

--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -33,19 +33,14 @@ type EsRepository struct {
 	eventstore.OrgRepository
 }

-func Start(conf Config, systemDefaults sd.SystemDefaults, command *command.Commands, queries *query.Queries, dbClient *sql.DB, keyConfig *crypto.KeyConfig, assetsPrefix string, userCrypto *crypto.AESCrypto) (*EsRepository, error) {
+func Start(conf Config, systemDefaults sd.SystemDefaults, command *command.Commands, queries *query.Queries, dbClient *sql.DB, assetsPrefix string, oidcEncryption crypto.EncryptionAlgorithm, userEncryption crypto.EncryptionAlgorithm) (*EsRepository, error) {
 	es, err := v1.Start(dbClient)
 	if err != nil {
 		return nil, err
 	}
-
-	keyAlgorithm, err := crypto.NewAESCrypto(keyConfig)
-	if err != nil {
-		return nil, err
-	}
 	idGenerator := id.SonyFlakeGenerator

-	view, err := auth_view.StartView(dbClient, keyAlgorithm, queries, idGenerator, assetsPrefix)
+	view, err := auth_view.StartView(dbClient, oidcEncryption, queries, idGenerator, assetsPrefix)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +75,7 @@ func Start(conf Config, systemDefaults sd.SystemDefaults, command *command.Comma
 			AuthRequests:              authReq,
 			View:                      view,
 			Eventstore:                es,
-			UserCodeAlg:               userCrypto,
+			UserCodeAlg:               userEncryption,
 			UserSessionViewProvider:   view,
 			UserViewProvider:          view,
 			UserCommandProvider:       command,
@@ -101,7 +96,7 @@ func Start(conf Config, systemDefaults sd.SystemDefaults, command *command.Comma
 			View:         view,
 			Eventstore:   es,
 			SearchLimit:  conf.SearchLimit,
-			KeyAlgorithm: keyAlgorithm,
+			KeyAlgorithm: oidcEncryption,
 		},
 		eventstore.UserSessionRepo{
 			View: view,