feat: add personal access tokens for service users (#2974)

* feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 04:07:31 +00:00 · 2022-02-08 09:37:28 +01:00
parent 3bf9adece5
commit 699fdaf68e
32 changed files with 1838 additions and 30 deletions
--- a/internal/domain/authn_key.go
+++ b/internal/domain/authn_key.go
@@ -1,27 +1,16 @@
 package domain

 import (
-	"time"
-
 	"github.com/caos/logging"

 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 )

-var (
-	//most of us won't survive until 12-31-9999 23:59:59, maybe ZITADEL does
-	defaultExpDate = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
-)
-
-type AuthNKey interface {
-}
-
 type authNKey interface {
 	setPublicKey([]byte)
 	setPrivateKey([]byte)
-	expirationDate() time.Time
-	setExpirationDate(time.Time)
+	expiration
 }

 type AuthNKeyType int32
@@ -50,16 +39,6 @@ func (key *MachineKey) GenerateNewMachineKeyPair(keySize int) error {
 	return nil
 }

-func EnsureValidExpirationDate(key authNKey) error {
-	if key.expirationDate().IsZero() {
-		key.setExpirationDate(defaultExpDate)
-	}
-	if key.expirationDate().Before(time.Now()) {
-		return errors.ThrowInvalidArgument(nil, "AUTHN-dv3t5", "Errors.AuthNKey.ExpireBeforeNow")
-	}
-	return nil
-}
-
 func SetNewAuthNKeyPair(key authNKey, keySize int) error {
 	privateKey, publicKey, err := NewAuthNKeyPair(keySize)
 	if err != nil {
--- a/internal/domain/expiration.go
+++ b/internal/domain/expiration.go
@@ -0,0 +1,36 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+var (
+	//most of us won't survive until 12-31-9999 23:59:59, maybe ZITADEL does
+	defaultExpDate = time.Date(9999, time.December, 31, 23, 59, 59, 0, time.UTC)
+)
+
+type expiration interface {
+	expirationDate() time.Time
+	setExpirationDate(time.Time)
+}
+
+func EnsureValidExpirationDate(key expiration) error {
+	date, err := ValidateExpirationDate(key.expirationDate())
+	if err != nil {
+		return err
+	}
+	key.setExpirationDate(date)
+	return nil
+}
+
+func ValidateExpirationDate(date time.Time) (time.Time, error) {
+	if date.IsZero() {
+		return defaultExpDate, nil
+	}
+	if date.Before(time.Now()) {
+		return time.Time{}, errors.ThrowInvalidArgument(nil, "DOMAIN-dv3t5", "Errors.AuthNKey.ExpireBeforeNow")
+	}
+	return date, nil
+}
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -53,3 +53,17 @@ const (
 func (f UserAuthMethodType) Valid() bool {
 	return f >= 0 && f < userAuthMethodTypeCount
 }
+
+type PersonalAccessTokenState int32
+
+const (
+	PersonalAccessTokenStateUnspecified PersonalAccessTokenState = iota
+	PersonalAccessTokenStateActive
+	PersonalAccessTokenStateRemoved
+
+	personalAccessTokenStateCount
+)
+
+func (f PersonalAccessTokenState) Valid() bool {
+	return f >= 0 && f < personalAccessTokenStateCount
+}