feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 18:17:35 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -633,6 +633,9 @@ EncryptionKeys:
  User:
    EncryptionKeyID: "userKey" # ZITADEL_ENCRYPTIONKEYS_USER_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_USER_DECRYPTIONKEYIDS (comma separated list)
+  Target:
+    EncryptionKeyID: "targetKey" # ZITADEL_ENCRYPTIONKEYS_TARGET_ENCRYPTIONKEYID
+    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_TARGET_DECRYPTIONKEYIDS (comma separated list)
  CSRFCookieKeyID: "csrfCookieKey" # ZITADEL_ENCRYPTIONKEYS_CSRFCOOKIEKEYID
  UserAgentCookieKeyID: "userAgentCookieKey" # ZITADEL_ENCRYPTIONKEYS_USERAGENTCOOKIEKEYID

@@ -910,6 +913,12 @@ DefaultInstance:
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDESYMBOLS
+    SigningKey:
+      Length: 36 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_LENGTH
+      IncludeLowerLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDELOWERLETTERS
+      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEUPPERLETTERS
+      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEDIGITS
+      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDESYMBOLS
  PasswordComplexityPolicy:
    MinLength: 8 # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH
    HasLowercase: true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASLOWERCASE
--- a/cmd/encryption/encryption_keys.go
+++ b/cmd/encryption/encryption_keys.go
@@ -17,6 +17,7 @@ var (
 		"smsKey",
 		"smtpKey",
 		"userKey",
+		"targetKey",
 		"csrfCookieKey",
 		"userAgentCookieKey",
 	}
@@ -31,6 +32,7 @@ type EncryptionKeyConfig struct {
 	SMS                  *crypto.KeyConfig
 	SMTP                 *crypto.KeyConfig
 	User                 *crypto.KeyConfig
+	Target               *crypto.KeyConfig
 	CSRFCookieKeyID      string
 	UserAgentCookieKeyID string
 }
@@ -44,6 +46,7 @@ type EncryptionKeys struct {
 	SMS                crypto.EncryptionAlgorithm
 	SMTP               crypto.EncryptionAlgorithm
 	User               crypto.EncryptionAlgorithm
+	Target             crypto.EncryptionAlgorithm
 	CSRFCookieKey      []byte
 	UserAgentCookieKey []byte
 	OIDCKey            []byte
@@ -91,6 +94,10 @@ func EnsureEncryptionKeys(ctx context.Context, keyConfig *EncryptionKeyConfig, k
 	if err != nil {
 		return nil, err
 	}
+	keys.Target, err = crypto.NewAESCrypto(keyConfig.Target, keyStorage)
+	if err != nil {
+		return nil, err
+	}
 	key, err = crypto.LoadKey(keyConfig.CSRFCookieKeyID, keyStorage)
 	if err != nil {
 		return nil, err
--- a/cmd/mirror/projections.go
+++ b/cmd/mirror/projections.go
@@ -145,6 +145,7 @@ func projections(
 		keys.OTP,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		config.InternalAuthZ.RolePermissionMappings,
 		sessionTokenVerifier,
 		func(q *query.Queries) domain.PermissionCheck {
@@ -183,6 +184,7 @@ func projections(
 		keys.DomainVerification,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		&http.Client{},
 		func(ctx context.Context, permission, orgID, resourceID string) (err error) {
 			return internal_authz.CheckPermission(ctx, authZRepo, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
--- a/cmd/setup/03.go
+++ b/cmd/setup/03.go
@@ -86,6 +86,7 @@ func (mig *FirstInstance) Execute(ctx context.Context, _ eventstore.Event) error
 		nil,
 		nil,
 		nil,
+		nil,
 		0,
 		0,
 		0,
--- a/cmd/setup/config_change.go
+++ b/cmd/setup/config_change.go
@@ -53,6 +53,7 @@ func (mig *externalConfigChange) Execute(ctx context.Context, _ eventstore.Event
 		nil,
 		nil,
 		nil,
+		nil,
 		0,
 		0,
 		0,
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -366,6 +366,7 @@ func initProjections(
 		keys.OTP,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		config.InternalAuthZ.RolePermissionMappings,
 		sessionTokenVerifier,
 		func(q *query.Queries) domain.PermissionCheck {
@@ -422,6 +423,7 @@ func initProjections(
 		keys.DomainVerification,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		&http.Client{},
 		permissionCheck,
 		sessionTokenVerifier,
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -196,6 +196,7 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
 		keys.OTP,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		config.InternalAuthZ.RolePermissionMappings,
 		sessionTokenVerifier,
 		func(q *query.Queries) domain.PermissionCheck {
@@ -245,6 +246,7 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
 		keys.DomainVerification,
 		keys.OIDC,
 		keys.SAML,
+		keys.Target,
 		&http.Client{},
 		permissionCheck,
 		sessionTokenVerifier,