mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-07 06:02:04 +00:00
feat: token introspection, api clients and auth method private_key_jwt (#1276)
* introspect * testingapplication key * date * client keys * fix client keys * fix client keys * access tokens only for users * AuthMethodPrivateKeyJWT * client keys * set introspection info correctly * managae apis * update oidc pkg * cleanup * merge msater * set current sequence in migration * set current sequence in migration * set current sequence in migration * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * DeleteAuthNKeysByObjectID * ensure authn keys uptodate * update oidc version * merge master * merge master Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
@@ -84,6 +84,8 @@ func (a *Application) Reduce(event *models.Event) (err error) {
|
||||
case es_model.ApplicationChanged,
|
||||
es_model.OIDCConfigAdded,
|
||||
es_model.OIDCConfigChanged,
|
||||
es_model.APIConfigAdded,
|
||||
es_model.APIConfigChanged,
|
||||
es_model.ApplicationDeactivated,
|
||||
es_model.ApplicationReactivated:
|
||||
err = app.SetData(event)
|
||||
|
||||
120
internal/auth/repository/eventsourcing/handler/authn_keys.go
Normal file
120
internal/auth/repository/eventsourcing/handler/authn_keys.go
Normal file
@@ -0,0 +1,120 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/caos/logging"
|
||||
|
||||
"github.com/caos/zitadel/internal/eventstore"
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/models"
|
||||
"github.com/caos/zitadel/internal/eventstore/query"
|
||||
"github.com/caos/zitadel/internal/eventstore/spooler"
|
||||
key_model "github.com/caos/zitadel/internal/key/repository/view/model"
|
||||
proj_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
|
||||
user_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
|
||||
)
|
||||
|
||||
const (
|
||||
authnKeysTable = "auth.authn_keys"
|
||||
)
|
||||
|
||||
type AuthNKeys struct {
|
||||
handler
|
||||
subscription *eventstore.Subscription
|
||||
}
|
||||
|
||||
func newAuthNKeys(handler handler) *AuthNKeys {
|
||||
h := &AuthNKeys{
|
||||
handler: handler,
|
||||
}
|
||||
|
||||
h.subscribe()
|
||||
|
||||
return h
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) subscribe() {
|
||||
k.subscription = k.es.Subscribe(k.AggregateTypes()...)
|
||||
go func() {
|
||||
for event := range k.subscription.Events {
|
||||
query.ReduceEvent(k, event)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) ViewModel() string {
|
||||
return authnKeysTable
|
||||
}
|
||||
|
||||
func (_ *AuthNKeys) AggregateTypes() []es_models.AggregateType {
|
||||
return []es_models.AggregateType{user_model.UserAggregate, proj_model.ProjectAggregate}
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) CurrentSequence() (uint64, error) {
|
||||
sequence, err := k.view.GetLatestAuthNKeySequence()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return sequence.CurrentSequence, nil
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := k.view.GetLatestAuthNKeySequence()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return es_models.NewSearchQuery().
|
||||
AggregateTypeFilter(k.AggregateTypes()...).
|
||||
LatestSequenceFilter(sequence.CurrentSequence), nil
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) Reduce(event *es_models.Event) (err error) {
|
||||
switch event.AggregateType {
|
||||
case user_model.UserAggregate,
|
||||
proj_model.ProjectAggregate:
|
||||
err = k.processAuthNKeys(event)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) processAuthNKeys(event *es_models.Event) (err error) {
|
||||
key := new(key_model.AuthNKeyView)
|
||||
switch event.Type {
|
||||
case user_model.MachineKeyAdded,
|
||||
proj_model.ClientKeyAdded:
|
||||
err = key.AppendEvent(event)
|
||||
if key.ExpirationDate.Before(time.Now()) {
|
||||
return k.view.ProcessedAuthNKeySequence(event)
|
||||
}
|
||||
case user_model.MachineKeyRemoved:
|
||||
err = key.SetUserData(event)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return k.view.DeleteAuthNKey(key.ID, event)
|
||||
case proj_model.ClientKeyRemoved:
|
||||
err = key.SetClientData(event)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return k.view.DeleteAuthNKey(key.ID, event)
|
||||
case user_model.UserRemoved,
|
||||
proj_model.ApplicationRemoved:
|
||||
return k.view.DeleteAuthNKeysByObjectID(event.AggregateID, event)
|
||||
default:
|
||||
return k.view.ProcessedAuthNKeySequence(event)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return k.view.PutAuthNKey(key, event)
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) OnError(event *es_models.Event, err error) error {
|
||||
logging.LogWithFields("SPOOL-S9fe", "id", event.AggregateID).WithError(err).Warn("something went wrong in authn key handler")
|
||||
return spooler.HandleError(event, err, k.view.GetLatestAuthNKeyFailedEvent, k.view.ProcessedAuthNKeyFailedEvent, k.view.ProcessedAuthNKeySequence, k.errorCountUntilSkip)
|
||||
}
|
||||
|
||||
func (k *AuthNKeys) OnSuccess() error {
|
||||
return spooler.HandleSuccess(k.view.UpdateAuthNKeySpoolerRunTimestamp)
|
||||
}
|
||||
@@ -71,7 +71,7 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
|
||||
repos.OrgEvents,
|
||||
repos.IamEvents,
|
||||
systemDefaults.IamID),
|
||||
newMachineKeys(
|
||||
newAuthNKeys(
|
||||
handler{view, bulkLimit, configs.cycleDuration("MachineKey"), errorCount, es}),
|
||||
newLoginPolicy(
|
||||
handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount, es}),
|
||||
|
||||
@@ -1,110 +0,0 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/caos/logging"
|
||||
|
||||
"github.com/caos/zitadel/internal/eventstore"
|
||||
es_models "github.com/caos/zitadel/internal/eventstore/models"
|
||||
"github.com/caos/zitadel/internal/eventstore/query"
|
||||
"github.com/caos/zitadel/internal/eventstore/spooler"
|
||||
"github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
|
||||
usr_model "github.com/caos/zitadel/internal/user/repository/view/model"
|
||||
)
|
||||
|
||||
const (
|
||||
machineKeysTable = "auth.machine_keys"
|
||||
)
|
||||
|
||||
type MachineKeys struct {
|
||||
handler
|
||||
subscription *eventstore.Subscription
|
||||
}
|
||||
|
||||
func newMachineKeys(handler handler) *MachineKeys {
|
||||
h := &MachineKeys{
|
||||
handler: handler,
|
||||
}
|
||||
|
||||
h.subscribe()
|
||||
|
||||
return h
|
||||
}
|
||||
|
||||
func (k *MachineKeys) subscribe() {
|
||||
k.subscription = k.es.Subscribe(k.AggregateTypes()...)
|
||||
go func() {
|
||||
for event := range k.subscription.Events {
|
||||
query.ReduceEvent(k, event)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
func (k *MachineKeys) ViewModel() string {
|
||||
return machineKeysTable
|
||||
}
|
||||
|
||||
func (_ *MachineKeys) AggregateTypes() []es_models.AggregateType {
|
||||
return []es_models.AggregateType{model.UserAggregate}
|
||||
}
|
||||
|
||||
func (k *MachineKeys) CurrentSequence() (uint64, error) {
|
||||
sequence, err := k.view.GetLatestMachineKeySequence()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return sequence.CurrentSequence, nil
|
||||
}
|
||||
|
||||
func (k *MachineKeys) EventQuery() (*es_models.SearchQuery, error) {
|
||||
sequence, err := k.view.GetLatestMachineKeySequence()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return es_models.NewSearchQuery().
|
||||
AggregateTypeFilter(k.AggregateTypes()...).
|
||||
LatestSequenceFilter(sequence.CurrentSequence), nil
|
||||
}
|
||||
|
||||
func (k *MachineKeys) Reduce(event *es_models.Event) (err error) {
|
||||
switch event.AggregateType {
|
||||
case model.UserAggregate:
|
||||
err = k.processMachineKeys(event)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func (k *MachineKeys) processMachineKeys(event *es_models.Event) (err error) {
|
||||
key := new(usr_model.MachineKeyView)
|
||||
switch event.Type {
|
||||
case model.MachineKeyAdded:
|
||||
err = key.AppendEvent(event)
|
||||
if key.ExpirationDate.Before(time.Now()) {
|
||||
return k.view.ProcessedMachineKeySequence(event)
|
||||
}
|
||||
case model.MachineKeyRemoved:
|
||||
err = key.SetData(event)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return k.view.DeleteMachineKey(key.ID, event)
|
||||
case model.UserRemoved:
|
||||
return k.view.DeleteMachineKeysByUserID(event.AggregateID, event)
|
||||
default:
|
||||
return k.view.ProcessedMachineKeySequence(event)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return k.view.PutMachineKey(key, event)
|
||||
}
|
||||
|
||||
func (k *MachineKeys) OnError(event *es_models.Event, err error) error {
|
||||
logging.LogWithFields("SPOOL-S9fe", "id", event.AggregateID).WithError(err).Warn("something went wrong in machine key handler")
|
||||
return spooler.HandleError(event, err, k.view.GetLatestMachineKeyFailedEvent, k.view.ProcessedMachineKeyFailedEvent, k.view.ProcessedMachineKeySequence, k.errorCountUntilSkip)
|
||||
}
|
||||
|
||||
func (k *MachineKeys) OnSuccess() error {
|
||||
return spooler.HandleSuccess(k.view.UpdateMachineKeySpoolerRunTimestamp)
|
||||
}
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"encoding/json"
|
||||
|
||||
"github.com/caos/logging"
|
||||
|
||||
caos_errs "github.com/caos/zitadel/internal/errors"
|
||||
"github.com/caos/zitadel/internal/eventstore"
|
||||
"github.com/caos/zitadel/internal/eventstore/models"
|
||||
@@ -71,9 +72,6 @@ func (t *Token) EventQuery() (*models.SearchQuery, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return es_models.NewSearchQuery().
|
||||
AggregateTypeFilter(user_es_model.UserAggregate, project_es_model.ProjectAggregate).
|
||||
LatestSequenceFilter(sequence.CurrentSequence), nil
|
||||
|
||||
Reference in New Issue
Block a user