fix: improve key rotation (#1328)

* fix: improve key rotation * update oidc pkg version
2025-08-15 00:57:36 +00:00 · 2021-02-23 08:32:00 +01:00
parent 428ef4acdb
commit 57b277bc7c
18 changed files with 232 additions and 60 deletions
--- a/internal/key/model/key_view.go
+++ b/internal/key/model/key_view.go
@@ -22,6 +22,7 @@ type SigningKey struct {
 	ID        string
 	Algorithm string
 	Key       interface{}
+	Sequence  uint64
 }

 type PublicKey struct {
@@ -84,6 +85,7 @@ func SigningKeyFromKeyView(key *KeyView, alg crypto.EncryptionAlgorithm) (*Signi
 		ID:        key.ID,
 		Algorithm: key.Algorithm,
 		Key:       privateKey,
+		Sequence:  key.Sequence,
 	}, nil
 }

--- a/internal/key/repository/view/key.go
+++ b/internal/key/repository/view/key.go
@@ -3,6 +3,7 @@ package view
 import (
 	"time"

+	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/view/repository"

 	"github.com/jinzhu/gorm"
@@ -22,15 +23,30 @@ func KeyByIDAndType(db *gorm.DB, table, keyID string, private bool) (*model.KeyV
 	return key, err
 }

-func GetSigningKey(db *gorm.DB, table string) (*model.KeyView, error) {
-	key := new(model.KeyView)
-	query := repository.PrepareGetByQuery(table,
-		model.KeySearchQuery{Key: key_model.KeySearchKeyPrivate, Method: global_model.SearchMethodEquals, Value: true},
-		model.KeySearchQuery{Key: key_model.KeySearchKeyUsage, Method: global_model.SearchMethodEquals, Value: key_model.KeyUsageSigning},
-		model.KeySearchQuery{Key: key_model.KeySearchKeyExpiry, Method: global_model.SearchMethodGreaterThan, Value: time.Now().UTC()},
+func GetSigningKey(db *gorm.DB, table string, expiry time.Time) (*model.KeyView, error) {
+	if expiry.IsZero() {
+		expiry = time.Now().UTC()
+	}
+	keys := make([]*model.KeyView, 0)
+	query := repository.PrepareSearchQuery(table,
+		model.KeySearchRequest{
+			Queries: []*key_model.KeySearchQuery{
+				{Key: key_model.KeySearchKeyPrivate, Method: global_model.SearchMethodEquals, Value: true},
+				{Key: key_model.KeySearchKeyUsage, Method: global_model.SearchMethodEquals, Value: key_model.KeyUsageSigning},
+				{Key: key_model.KeySearchKeyExpiry, Method: global_model.SearchMethodGreaterThan, Value: time.Now().UTC()},
+			},
+			SortingColumn: key_model.KeySearchKeyExpiry,
+			Limit:         1,
+		},
 	)
-	err := query(db, key)
-	return key, err
+	_, err := query(db, &keys)
+	if err != nil {
+		return nil, err
+	}
+	if len(keys) != 1 {
+		return nil, caos_errs.ThrowNotFound(err, "VIEW-BGD41", "key not found")
+	}
+	return keys[0], nil
 }

 func GetActivePublicKeys(db *gorm.DB, table string) ([]*model.KeyView, error) {
--- a/internal/key/repository/view/model/key.go
+++ b/internal/key/repository/view/model/key.go
@@ -45,7 +45,7 @@ func KeysFromPairEvent(event *models.Event) (*KeyView, *KeyView, error) {
 		Algorithm: pair.Algorithm,
 		Usage:     pair.Usage,
 		Key:       pair.PrivateKey.Key,
-		Sequence:  pair.Sequence,
+		Sequence:  event.Sequence,
 	}
 	publicKey := &KeyView{
 		ID:        event.AggregateID,
@@ -54,7 +54,7 @@ func KeysFromPairEvent(event *models.Event) (*KeyView, *KeyView, error) {
 		Algorithm: pair.Algorithm,
 		Usage:     pair.Usage,
 		Key:       pair.PublicKey.Key,
-		Sequence:  pair.Sequence,
+		Sequence:  event.Sequence,
 	}
 	return privateKey, publicKey, nil
 }
--- a/internal/key/repository/view/query.go
+++ b/internal/key/repository/view/query.go
@@ -0,0 +1,11 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/repository/iam"
+)
+
+func KeyPairQuery(latestSequence uint64) *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
+		SequenceGreater(latestSequence)
+}