feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 14:47:33 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/internal/api/grpc/resources/action/v3alpha/target.go
+++ b/internal/api/grpc/resources/action/v3alpha/target.go
@@ -25,7 +25,8 @@ func (s *Server) CreateTarget(ctx context.Context, req *action.CreateTargetReque
 		return nil, err
 	}
 	return &action.CreateTargetResponse{
-		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_INSTANCE, instanceID),
+		Details:    resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_INSTANCE, instanceID),
+		SigningKey: add.SigningKey,
 	}, nil
 }

@@ -34,12 +35,14 @@ func (s *Server) PatchTarget(ctx context.Context, req *action.PatchTargetRequest
 		return nil, err
 	}
 	instanceID := authz.GetInstance(ctx).InstanceID()
-	details, err := s.command.ChangeTarget(ctx, patchTargetToCommand(req), instanceID)
+	patch := patchTargetToCommand(req)
+	details, err := s.command.ChangeTarget(ctx, patch, instanceID)
 	if err != nil {
 		return nil, err
 	}
 	return &action.PatchTargetResponse{
-		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_INSTANCE, instanceID),
+		Details:    resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_INSTANCE, instanceID),
+		SigningKey: patch.SigningKey,
 	}, nil
 }

@@ -83,6 +86,12 @@ func createTargetToCommand(req *action.CreateTargetRequest) *command.AddTarget {
 }

 func patchTargetToCommand(req *action.PatchTargetRequest) *command.ChangeTarget {
+	expirationSigningKey := false
+	// TODO handle expiration, currently only immediate expiration is supported
+	if req.GetTarget().GetExpirationSigningKey() != nil {
+		expirationSigningKey = true
+	}
+
 	reqTarget := req.GetTarget()
 	if reqTarget == nil {
 		return nil
@@ -91,8 +100,9 @@ func patchTargetToCommand(req *action.PatchTargetRequest) *command.ChangeTarget
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: req.GetId(),
 		},
-		Name:     reqTarget.Name,
-		Endpoint: reqTarget.Endpoint,
+		Name:                 reqTarget.Name,
+		Endpoint:             reqTarget.Endpoint,
+		ExpirationSigningKey: expirationSigningKey,
 	}
 	if reqTarget.TargetType != nil {
 		switch t := reqTarget.GetTargetType().(type) {