fix(import): add import for app and machine keys (#4536)

* fix(import): add import for app and machine keys * fix(export): add review changes * fix(import): Apply suggestions from code review Co-authored-by: Livio Spring <livio.a@gmail.com> * fix(import): add review changes Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 00:27:31 +00:00 · 2022-10-18 16:07:30 +01:00
parent 3270a94291
commit 556f381a5a
18 changed files with 648 additions and 131 deletions
--- a/internal/command/project_application_api.go
+++ b/internal/command/project_application_api.go
@@ -76,7 +76,7 @@ func (c *Commands) AddAPIApplicationWithID(ctx context.Context, apiApp *domain.A
 		return nil, err
 	}
 	if existingAPI.State != domain.AppStateUnspecified {
-		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-mabu12", "Errors.Application.AlreadyExisting")
+		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-mabu12", "Errors.Project.App.AlreadyExisting")
 	}
 	project, err := c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
 	if err != nil {
@@ -88,7 +88,7 @@ func (c *Commands) AddAPIApplicationWithID(ctx context.Context, apiApp *domain.A

 func (c *Commands) AddAPIApplication(ctx context.Context, apiApp *domain.APIApp, resourceOwner string, appSecretGenerator crypto.Generator) (_ *domain.APIApp, err error) {
 	if apiApp == nil || apiApp.AggregateID == "" {
-		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-5m9E", "Errors.Application.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-5m9E", "Errors.Project.App.Invalid")
 	}
 	project, err := c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
 	if err != nil {
@@ -96,7 +96,7 @@ func (c *Commands) AddAPIApplication(ctx context.Context, apiApp *domain.APIApp,
 	}

 	if !apiApp.IsValid() {
-		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-Bff2g", "Errors.Application.Invalid")
+		return nil, errors.ThrowInvalidArgument(nil, "PROJECT-Bff2g", "Errors.Project.App.Invalid")
 	}

 	appID, err := c.idGenerator.Next()
--- a/internal/command/project_application_key.go
+++ b/internal/command/project_application_key.go
@@ -6,8 +6,27 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/repository/project"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

+func (c *Commands) AddApplicationKeyWithID(ctx context.Context, key *domain.ApplicationKey, resourceOwner string) (_ *domain.ApplicationKey, err error) {
+	writeModel, err := c.applicationKeyWriteModelByID(ctx, key.AggregateID, key.ApplicationID, key.KeyID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if writeModel.State != domain.AppStateUnspecified {
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-so20alo", "Errors.Project.App.Key.AlreadyExisting")
+	}
+	application, err := c.getApplicationWriteModel(ctx, key.AggregateID, key.ApplicationID, resourceOwner)
+	if err != nil {
+		return nil, err
+	}
+	if !application.State.Exists() {
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-sak24", "Errors.Project.App.NotFound")
+	}
+	return c.addApplicationKey(ctx, key, resourceOwner)
+}
+
 func (c *Commands) AddApplicationKey(ctx context.Context, key *domain.ApplicationKey, resourceOwner string) (_ *domain.ApplicationKey, err error) {
 	if key.AggregateID == "" || key.ApplicationID == "" {
 		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-55m9fs", "Errors.IDMissing")
@@ -17,12 +36,18 @@ func (c *Commands) AddApplicationKey(ctx context.Context, key *domain.Applicatio
 		return nil, err
 	}
 	if !application.State.Exists() {
-		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-sak25", "Errors.Application.NotFound")
+		return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-sak25", "Errors.Project.App.NotFound")
 	}
 	key.KeyID, err = c.idGenerator.Next()
 	if err != nil {
 		return nil, err
 	}
+
+	return c.addApplicationKey(ctx, key, resourceOwner)
+}
+
+func (c *Commands) addApplicationKey(ctx context.Context, key *domain.ApplicationKey, resourceOwner string) (_ *domain.ApplicationKey, err error) {
+
 	keyWriteModel := NewApplicationKeyWriteModel(key.AggregateID, key.ApplicationID, key.KeyID, resourceOwner)
 	err = c.eventstore.FilterToQueryReducer(ctx, keyWriteModel)
 	if err != nil {
@@ -37,11 +62,13 @@ func (c *Commands) AddApplicationKey(ctx context.Context, key *domain.Applicatio
 		return nil, err
 	}

-	err = domain.SetNewAuthNKeyPair(key, c.applicationKeySize)
-	if err != nil {
-		return nil, err
+	if len(key.PublicKey) == 0 {
+		err = domain.SetNewAuthNKeyPair(key, c.applicationKeySize)
+		if err != nil {
+			return nil, err
+		}
+		key.ClientID = keyWriteModel.ClientID
 	}
-	key.ClientID = keyWriteModel.ClientID

 	pushedEvents, err := c.eventstore.Push(ctx,
 		project.NewApplicationKeyAddedEvent(
@@ -61,7 +88,10 @@ func (c *Commands) AddApplicationKey(ctx context.Context, key *domain.Applicatio
 	if err != nil {
 		return nil, err
 	}
-	result := applicationKeyWriteModelToKey(keyWriteModel, key.PrivateKey)
+	result := applicationKeyWriteModelToKey(keyWriteModel)
+	if len(key.PrivateKey) > 0 {
+		result.PrivateKey = key.PrivateKey
+	}
 	return result, nil
 }

@@ -72,7 +102,7 @@ func (c *Commands) RemoveApplicationKey(ctx context.Context, projectID, applicat
 		return nil, err
 	}
 	if !keyWriteModel.State.Exists() {
-		return nil, errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.Application.Key.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.Project.App.Key.NotFound")
 	}

 	pushedEvents, err := c.eventstore.Push(ctx, project.NewApplicationKeyRemovedEvent(ctx, ProjectAggregateFromWriteModel(&keyWriteModel.WriteModel), keyID))
@@ -85,3 +115,18 @@ func (c *Commands) RemoveApplicationKey(ctx context.Context, projectID, applicat
 	}
 	return writeModelToObjectDetails(&keyWriteModel.WriteModel), nil
 }
+
+func (c *Commands) applicationKeyWriteModelByID(ctx context.Context, projectID, appID, keyID, resourceOwner string) (writeModel *ApplicationKeyWriteModel, err error) {
+	if appID == "" {
+		return nil, errors.ThrowInvalidArgument(nil, "COMMAND-029sn", "Errors.Project.App.NotFound")
+	}
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel = NewApplicationKeyWriteModel(projectID, appID, keyID, resourceOwner)
+	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
--- a/internal/command/project_application_oidc.go
+++ b/internal/command/project_application_oidc.go
@@ -40,7 +40,7 @@ type addOIDCApp struct {
 	ClientSecretPlain string
 }

-//AddOIDCAppCommand prepares the commands to add an oidc app. The ClientID will be set during the CreateCommands
+// AddOIDCAppCommand prepares the commands to add an oidc app. The ClientID will be set during the CreateCommands
 func (c *Commands) AddOIDCAppCommand(app *addOIDCApp, clientSecretAlg crypto.HashAlgorithm) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if app.ID == "" {
@@ -122,7 +122,7 @@ func (c *Commands) AddOIDCApplicationWithID(ctx context.Context, oidcApp *domain
 		return nil, err
 	}
 	if existingApp.State != domain.AppStateUnspecified {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-lxowmp", "Errors.Application.AlreadyExisting")
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-lxowmp", "Errors.Project.App.AlreadyExisting")
 	}

 	project, err := c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
@@ -135,7 +135,7 @@ func (c *Commands) AddOIDCApplicationWithID(ctx context.Context, oidcApp *domain

 func (c *Commands) AddOIDCApplication(ctx context.Context, oidcApp *domain.OIDCApp, resourceOwner string, appSecretGenerator crypto.Generator) (_ *domain.OIDCApp, err error) {
 	if oidcApp == nil || oidcApp.AggregateID == "" {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-34Fm0", "Errors.Application.Invalid")
+		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-34Fm0", "Errors.Project.App.Invalid")
 	}
 	project, err := c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
 	if err != nil {
@@ -143,7 +143,7 @@ func (c *Commands) AddOIDCApplication(ctx context.Context, oidcApp *domain.OIDCA
 	}

 	if oidcApp.AppName == "" || !oidcApp.IsValid() {
-		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-1n8df", "Errors.Application.Invalid")
+		return nil, caos_errs.ThrowInvalidArgument(nil, "PROJECT-1n8df", "Errors.Project.App.Invalid")
 	}

 	appID, err := c.idGenerator.Next()
--- a/internal/command/project_converter.go
+++ b/internal/command/project_converter.go
@@ -98,7 +98,7 @@ func memberWriteModelToProjectGrantMember(writeModel *ProjectGrantMemberWriteMod
 	}
 }

-func applicationKeyWriteModelToKey(wm *ApplicationKeyWriteModel, privateKey []byte) *domain.ApplicationKey {
+func applicationKeyWriteModelToKey(wm *ApplicationKeyWriteModel) *domain.ApplicationKey {
 	return &domain.ApplicationKey{
 		ObjectRoot:     writeModelToObjectRoot(wm.WriteModel),
 		ApplicationID:  wm.AppID,
@@ -106,6 +106,5 @@ func applicationKeyWriteModelToKey(wm *ApplicationKeyWriteModel, privateKey []by
 		KeyID:          wm.KeyID,
 		Type:           wm.KeyType,
 		ExpirationDate: wm.ExpirationDate,
-		PrivateKey:     privateKey,
 	}
 }
--- a/internal/command/user_machine_key.go
+++ b/internal/command/user_machine_key.go
@@ -9,34 +9,51 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func (c *Commands) AddUserMachineKey(ctx context.Context, machineKey *domain.MachineKey, resourceOwner string) (*domain.MachineKey, error) {
-	err := c.checkUserExists(ctx, machineKey.AggregateID, resourceOwner)
+func (c *Commands) AddUserMachineKeyWithID(ctx context.Context, machineKey *domain.MachineKey, resourceOwner string) (*domain.MachineKey, error) {
+	writeModel, err := c.machineKeyWriteModelByID(ctx, machineKey.AggregateID, machineKey.KeyID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
+	if writeModel.State != domain.MachineKeyStateUnspecified {
+		return nil, errors.ThrowNotFound(nil, "COMMAND-p22101", "Errors.User.Machine.Key.AlreadyExisting")
+	}
+	return c.addUserMachineKey(ctx, machineKey, resourceOwner)
+}
+
+func (c *Commands) AddUserMachineKey(ctx context.Context, machineKey *domain.MachineKey, resourceOwner string) (*domain.MachineKey, error) {
 	keyID, err := c.idGenerator.Next()
 	if err != nil {
 		return nil, err
 	}
-	keyWriteModel := NewMachineKeyWriteModel(machineKey.AggregateID, keyID, resourceOwner)
-	err = c.eventstore.FilterToQueryReducer(ctx, keyWriteModel)
+	machineKey.KeyID = keyID
+	return c.addUserMachineKey(ctx, machineKey, resourceOwner)
+}
+
+func (c *Commands) addUserMachineKey(ctx context.Context, machineKey *domain.MachineKey, resourceOwner string) (*domain.MachineKey, error) {
+	err := c.checkUserExists(ctx, machineKey.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
-
-	if err = domain.EnsureValidExpirationDate(machineKey); err != nil {
+	keyWriteModel := NewMachineKeyWriteModel(machineKey.AggregateID, machineKey.KeyID, resourceOwner)
+	if err := c.eventstore.FilterToQueryReducer(ctx, keyWriteModel); err != nil {
 		return nil, err
 	}

-	if err = domain.SetNewAuthNKeyPair(machineKey, c.machineKeySize); err != nil {
+	if err := domain.EnsureValidExpirationDate(machineKey); err != nil {
 		return nil, err
 	}

+	if len(machineKey.PublicKey) == 0 {
+		if err := domain.SetNewAuthNKeyPair(machineKey, c.machineKeySize); err != nil {
+			return nil, err
+		}
+	}
+
 	events, err := c.eventstore.Push(ctx,
 		user.NewMachineKeyAddedEvent(
 			ctx,
 			UserAggregateFromWriteModel(&keyWriteModel.WriteModel),
-			keyID,
+			machineKey.KeyID,
 			machineKey.Type,
 			machineKey.ExpirationDate,
 			machineKey.PublicKey))
@@ -49,7 +66,9 @@ func (c *Commands) AddUserMachineKey(ctx context.Context, machineKey *domain.Mac
 	}

 	key := keyWriteModelToMachineKey(keyWriteModel)
-	key.PrivateKey = machineKey.PrivateKey
+	if len(machineKey.PrivateKey) > 0 {
+		key.PrivateKey = machineKey.PrivateKey
+	}
 	return key, nil
 }