feat: dynamic issuer (#3481)

* feat: dynamic issuer * dynamic domain handling * key rotation durations * feat: dynamic issuer * make webauthn displayname dynamic
2025-08-12 03:57:32 +00:00 · 2022-04-25 10:01:17 +02:00
parent 3d5891eb11
commit 75ec73ca4a
41 changed files with 403 additions and 348 deletions
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	errs "errors"
+	"strings"
 	"time"

 	sq "github.com/Masterminds/squirrel"
@@ -163,9 +164,9 @@ func (q *Queries) Instance(ctx context.Context) (*Instance, error) {
 }

 func (q *Queries) InstanceByHost(ctx context.Context, host string) (authz.Instance, error) {
-	stmt, scan := prepareInstanceQuery(host)
+	stmt, scan := prepareInstanceDomainQuery(host)
 	query, args, err := stmt.Where(sq.Eq{
-		InstanceColumnID.identifier(): "system", //TODO: change column to domain when available
+		InstanceDomainDomainCol.identifier(): strings.Split(host, ":")[0],
 	}).ToSql()
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "QUERY-SAfg2", "Errors.Query.SQLStatement")
@@ -279,3 +280,47 @@ func prepareInstancesQuery() (sq.SelectBuilder, func(*sql.Rows) (*Instances, err
 			}, nil
 		}
 }
+
+func prepareInstanceDomainQuery(host string) (sq.SelectBuilder, func(*sql.Row) (*Instance, error)) {
+	return sq.Select(
+			InstanceColumnID.identifier(),
+			InstanceColumnCreationDate.identifier(),
+			InstanceColumnChangeDate.identifier(),
+			InstanceColumnSequence.identifier(),
+			InstanceColumnGlobalOrgID.identifier(),
+			InstanceColumnProjectID.identifier(),
+			InstanceColumnConsoleID.identifier(),
+			InstanceColumnConsoleAppID.identifier(),
+			InstanceColumnSetupStarted.identifier(),
+			InstanceColumnSetupDone.identifier(),
+			InstanceColumnDefaultLanguage.identifier(),
+		).
+			From(instanceTable.identifier()).
+			LeftJoin(join(InstanceDomainInstanceIDCol, InstanceColumnID)).
+			PlaceholderFormat(sq.Dollar),
+		func(row *sql.Row) (*Instance, error) {
+			instance := &Instance{Host: host}
+			lang := ""
+			err := row.Scan(
+				&instance.ID,
+				&instance.CreationDate,
+				&instance.ChangeDate,
+				&instance.Sequence,
+				&instance.GlobalOrgID,
+				&instance.IAMProjectID,
+				&instance.ConsoleID,
+				&instance.ConsoleAppID,
+				&instance.SetupStarted,
+				&instance.SetupDone,
+				&lang,
+			)
+			if err != nil {
+				if errs.Is(err, sql.ErrNoRows) {
+					return nil, errors.ThrowNotFound(err, "QUERY-n0wng", "Errors.IAM.NotFound")
+				}
+				return nil, errors.ThrowInternal(err, "QUERY-d9nw", "Errors.Internal")
+			}
+			instance.DefaultLanguage = language.Make(lang)
+			return instance, nil
+		}
+}
--- a/internal/query/projection/key.go
+++ b/internal/query/projection/key.go
@@ -40,10 +40,9 @@ const (
 type KeyProjection struct {
 	crdb.StatementHandler
 	encryptionAlgorithm crypto.EncryptionAlgorithm
-	keyChan             chan<- interface{}
 }

-func NewKeyProjection(ctx context.Context, config crdb.StatementHandlerConfig, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, keyChan chan<- interface{}) *KeyProjection {
+func NewKeyProjection(ctx context.Context, config crdb.StatementHandlerConfig, keyEncryptionAlgorithm crypto.EncryptionAlgorithm) *KeyProjection {
 	p := new(KeyProjection)
 	config.ProjectionName = KeyProjectionTable
 	config.Reducers = p.reducers()
@@ -56,7 +55,7 @@ func NewKeyProjection(ctx context.Context, config crdb.StatementHandlerConfig, k
 			crdb.NewColumn(KeyColumnInstanceID, crdb.ColumnTypeText),
 			crdb.NewColumn(KeyColumnSequence, crdb.ColumnTypeInt64),
 			crdb.NewColumn(KeyColumnAlgorithm, crdb.ColumnTypeText, crdb.Default("")),
-			crdb.NewColumn(KeyColumnUse, crdb.ColumnTypeText, crdb.Default("")),
+			crdb.NewColumn(KeyColumnUse, crdb.ColumnTypeEnum, crdb.Default(0)),
 		},
 			crdb.NewPrimaryKey(KeyColumnInstanceID, KeyColumnID),
 			crdb.WithConstraint(crdb.NewConstraint("id_unique", []string{KeyColumnID})),
@@ -79,7 +78,6 @@ func NewKeyProjection(ctx context.Context, config crdb.StatementHandlerConfig, k
 		),
 	)
 	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
-	p.keyChan = keyChan
 	p.encryptionAlgorithm = keyEncryptionAlgorithm

 	return p
@@ -130,9 +128,6 @@ func (p *KeyProjection) reduceKeyPairAdded(event eventstore.Event) (*handler.Sta
 			},
 			crdb.WithTableSuffix(privateKeyTableSuffix),
 		))
-		if p.keyChan != nil {
-			p.keyChan <- true
-		}
 	}
 	if e.PublicKey.Expiry.After(time.Now()) {
 		publicKey, err := crypto.Decrypt(e.PublicKey.Key, p.encryptionAlgorithm)
--- a/internal/query/projection/projection.go
+++ b/internal/query/projection/projection.go
@@ -17,7 +17,7 @@ const (
 	FailedEventsTable = "projections.failed_events"
 )

-func Start(ctx context.Context, sqlClient *sql.DB, es *eventstore.Eventstore, config Config, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, keyChan chan<- interface{}) error {
+func Start(ctx context.Context, sqlClient *sql.DB, es *eventstore.Eventstore, config Config, keyEncryptionAlgorithm crypto.EncryptionAlgorithm) error {
 	projectionConfig := crdb.StatementHandlerConfig{
 		ProjectionHandlerConfig: handler.ProjectionHandlerConfig{
 			HandlerConfig: handler.HandlerConfig{
@@ -74,7 +74,7 @@ func Start(ctx context.Context, sqlClient *sql.DB, es *eventstore.Eventstore, co
 	NewSMSConfigProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["sms_config"]))
 	NewOIDCSettingsProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["oidc_settings"]))
 	NewDebugNotificationProviderProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["debug_notification_provider"]))
-	NewKeyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["keys"]), keyEncryptionAlgorithm, keyChan)
+	NewKeyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["keys"]), keyEncryptionAlgorithm)
 	return nil
 }

--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -37,7 +37,7 @@ type Queries struct {
 	zitadelRoles                        []authz.RoleMapping
 }

-func StartQueries(ctx context.Context, es *eventstore.Eventstore, sqlClient *sql.DB, projections projection.Config, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, keyChan chan<- interface{}, zitadelRoles []authz.RoleMapping) (repo *Queries, err error) {
+func StartQueries(ctx context.Context, es *eventstore.Eventstore, sqlClient *sql.DB, projections projection.Config, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, zitadelRoles []authz.RoleMapping) (repo *Queries, err error) {
 	statikLoginFS, err := fs.NewWithNamespace("login")
 	if err != nil {
 		return nil, fmt.Errorf("unable to start login statik dir")
@@ -66,7 +66,7 @@ func StartQueries(ctx context.Context, es *eventstore.Eventstore, sqlClient *sql
 	keypair.RegisterEventMappers(repo.eventstore)
 	usergrant.RegisterEventMappers(repo.eventstore)

-	err = projection.Start(ctx, sqlClient, es, projections, keyEncryptionAlgorithm, keyChan)
+	err = projection.Start(ctx, sqlClient, es, projections, keyEncryptionAlgorithm)
 	if err != nil {
 		return nil, err
 	}