feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:37:31 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/internal/command/action_v2_execution_test.go
+++ b/internal/command/action_v2_execution_test.go
@@ -7,6 +7,7 @@ import (

 	"github.com/stretchr/testify/assert"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/execution"
@@ -172,6 +173,12 @@ func TestCommands_SetExecutionRequest(t *testing.T) {
 								"https://example.com",
 								time.Second,
 								true,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("12345678"),
+								},
 							),
 						),
 					),
@@ -221,6 +228,12 @@ func TestCommands_SetExecutionRequest(t *testing.T) {
 								"https://example.com",
 								time.Second,
 								true,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("12345678"),
+								},
 							),
 						),
 					),
@@ -270,6 +283,12 @@ func TestCommands_SetExecutionRequest(t *testing.T) {
 								"https://example.com",
 								time.Second,
 								true,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("12345678"),
+								},
 							),
 						),
 					),
@@ -836,6 +855,12 @@ func TestCommands_SetExecutionResponse(t *testing.T) {
 							"https://example.com",
 							time.Second,
 							true,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("12345678"),
+							},
 						),
 					),
 					expectPushFailed(
@@ -930,6 +955,12 @@ func TestCommands_SetExecutionResponse(t *testing.T) {
 								"https://example.com",
 								time.Second,
 								true,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("12345678"),
+								},
 							),
 						),
 					),
--- a/internal/command/action_v2_target.go
+++ b/internal/command/action_v2_target.go
@@ -5,6 +5,8 @@ import (
 	"net/url"
 	"time"

+	"github.com/zitadel/zitadel/internal/command/preparation"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 	"github.com/zitadel/zitadel/internal/repository/target"
@@ -19,6 +21,8 @@ type AddTarget struct {
 	Endpoint         string
 	Timeout          time.Duration
 	InterruptOnError bool
+
+	SigningKey string
 }

 func (a *AddTarget) IsValid() error {
@@ -58,7 +62,11 @@ func (c *Commands) AddTarget(ctx context.Context, add *AddTarget, resourceOwner
 	if wm.State.Exists() {
 		return nil, zerrors.ThrowAlreadyExists(nil, "INSTANCE-9axkz0jvzm", "Errors.Target.AlreadyExists")
 	}
-
+	code, err := c.newSigningKey(ctx, c.eventstore.Filter, c.targetEncryption) //nolint
+	if err != nil {
+		return nil, err
+	}
+	add.SigningKey = code.PlainCode()
 	pushedEvents, err := c.eventstore.Push(ctx, target.NewAddedEvent(
 		ctx,
 		TargetAggregateFromWriteModel(&wm.WriteModel),
@@ -67,6 +75,7 @@ func (c *Commands) AddTarget(ctx context.Context, add *AddTarget, resourceOwner
 		add.Endpoint,
 		add.Timeout,
 		add.InterruptOnError,
+		code.Crypted,
 	))
 	if err != nil {
 		return nil, err
@@ -85,6 +94,9 @@ type ChangeTarget struct {
 	Endpoint         *string
 	Timeout          *time.Duration
 	InterruptOnError *bool
+
+	ExpirationSigningKey bool
+	SigningKey           *string
 }

 func (a *ChangeTarget) IsValid() error {
@@ -120,6 +132,17 @@ func (c *Commands) ChangeTarget(ctx context.Context, change *ChangeTarget, resou
 	if !existing.State.Exists() {
 		return nil, zerrors.ThrowNotFound(nil, "COMMAND-xj14f2cccn", "Errors.Target.NotFound")
 	}
+
+	var changedSigningKey *crypto.CryptoValue
+	if change.ExpirationSigningKey {
+		code, err := c.newSigningKey(ctx, c.eventstore.Filter, c.targetEncryption) //nolint
+		if err != nil {
+			return nil, err
+		}
+		changedSigningKey = code.Crypted
+		change.SigningKey = &code.Plain
+	}
+
 	changedEvent := existing.NewChangedEvent(
 		ctx,
 		TargetAggregateFromWriteModel(&existing.WriteModel),
@@ -127,7 +150,9 @@ func (c *Commands) ChangeTarget(ctx context.Context, change *ChangeTarget, resou
 		change.TargetType,
 		change.Endpoint,
 		change.Timeout,
-		change.InterruptOnError)
+		change.InterruptOnError,
+		changedSigningKey,
+	)
 	if changedEvent == nil {
 		return writeModelToObjectDetails(&existing.WriteModel), nil
 	}
@@ -184,3 +209,7 @@ func (c *Commands) getTargetWriteModelByID(ctx context.Context, id string, resou
 	}
 	return wm, nil
 }
+
+func (c *Commands) newSigningKey(ctx context.Context, filter preparation.FilterToQueryReducer, alg crypto.EncryptionAlgorithm) (*EncryptedCode, error) {
+	return c.newEncryptedCodeWithDefault(ctx, filter, domain.SecretGeneratorTypeSigningKey, alg, c.defaultSecretGenerators.SigningKey)
+}
--- a/internal/command/action_v2_target_model.go
+++ b/internal/command/action_v2_target_model.go
@@ -5,6 +5,7 @@ import (
 	"slices"
 	"time"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/target"
@@ -18,6 +19,7 @@ type TargetWriteModel struct {
 	Endpoint         string
 	Timeout          time.Duration
 	InterruptOnError bool
+	SigningKey       *crypto.CryptoValue

 	State domain.TargetState
 }
@@ -41,6 +43,7 @@ func (wm *TargetWriteModel) Reduce() error {
 			wm.Endpoint = e.Endpoint
 			wm.Timeout = e.Timeout
 			wm.State = domain.TargetActive
+			wm.SigningKey = e.SigningKey
 		case *target.ChangedEvent:
 			if e.Name != nil {
 				wm.Name = *e.Name
@@ -57,6 +60,9 @@ func (wm *TargetWriteModel) Reduce() error {
 			if e.InterruptOnError != nil {
 				wm.InterruptOnError = *e.InterruptOnError
 			}
+			if e.SigningKey != nil {
+				wm.SigningKey = e.SigningKey
+			}
 		case *target.RemovedEvent:
 			wm.State = domain.TargetRemoved
 		}
@@ -84,6 +90,7 @@ func (wm *TargetWriteModel) NewChangedEvent(
 	endpoint *string,
 	timeout *time.Duration,
 	interruptOnError *bool,
+	signingKey *crypto.CryptoValue,
 ) *target.ChangedEvent {
 	changes := make([]target.Changes, 0)
 	if name != nil && wm.Name != *name {
@@ -101,6 +108,10 @@ func (wm *TargetWriteModel) NewChangedEvent(
 	if interruptOnError != nil && wm.InterruptOnError != *interruptOnError {
 		changes = append(changes, target.ChangeInterruptOnError(*interruptOnError))
 	}
+	// if signingkey is set, update it as it is encrypted
+	if signingKey != nil {
+		changes = append(changes, target.ChangeSigningKey(signingKey))
+	}
 	if len(changes) == 0 {
 		return nil
 	}
--- a/internal/command/action_v2_target_model_test.go
+++ b/internal/command/action_v2_target_model_test.go
@@ -7,6 +7,7 @@ import (

 	"github.com/stretchr/testify/assert"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/target"
@@ -20,6 +21,12 @@ func targetAddEvent(aggID, resourceOwner string) *target.AddedEvent {
 		"https://example.com",
 		time.Second,
 		false,
+		&crypto.CryptoValue{
+			CryptoType: crypto.TypeEncryption,
+			Algorithm:  "enc",
+			KeyID:      "id",
+			Crypted:    []byte("12345678"),
+		},
 	)
 }

--- a/internal/command/action_v2_target_test.go
+++ b/internal/command/action_v2_target_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
@@ -19,8 +20,10 @@ import (

 func TestCommands_AddTarget(t *testing.T) {
 	type fields struct {
-		eventstore  func(t *testing.T) *eventstore.Eventstore
-		idGenerator id.Generator
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		idGenerator                 id.Generator
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx           context.Context
@@ -132,10 +135,18 @@ func TestCommands_AddTarget(t *testing.T) {
 							"https://example.com",
 							time.Second,
 							false,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("12345678"),
+							},
 						),
 					),
 				),
-				idGenerator: mock.ExpectID(t, "id1"),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     &SecretGenerators{},
 			},
 			args{
 				ctx: context.Background(),
@@ -186,7 +197,9 @@ func TestCommands_AddTarget(t *testing.T) {
 						targetAddEvent("id1", "instance"),
 					),
 				),
-				idGenerator: mock.ExpectID(t, "id1"),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     &SecretGenerators{},
 			},
 			args{
 				ctx: context.Background(),
@@ -219,7 +232,9 @@ func TestCommands_AddTarget(t *testing.T) {
 						}(),
 					),
 				),
-				idGenerator: mock.ExpectID(t, "id1"),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     &SecretGenerators{},
 			},
 			args{
 				ctx: context.Background(),
@@ -244,8 +259,10 @@ func TestCommands_AddTarget(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:  tt.fields.eventstore(t),
-				idGenerator: tt.fields.idGenerator,
+				eventstore:                  tt.fields.eventstore(t),
+				idGenerator:                 tt.fields.idGenerator,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
 			}
 			details, err := c.AddTarget(tt.args.ctx, tt.args.add, tt.args.resourceOwner)
 			if tt.res.err == nil {
@@ -264,7 +281,9 @@ func TestCommands_AddTarget(t *testing.T) {

 func TestCommands_ChangeTarget(t *testing.T) {
 	type fields struct {
-		eventstore func(t *testing.T) *eventstore.Eventstore
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx           context.Context
@@ -510,10 +529,18 @@ func TestCommands_ChangeTarget(t *testing.T) {
 								target.ChangeTargetType(domain.TargetTypeCall),
 								target.ChangeTimeout(10 * time.Second),
 								target.ChangeInterruptOnError(true),
+								target.ChangeSigningKey(&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("12345678"),
+								}),
 							},
 						),
 					),
 				),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     &SecretGenerators{},
 			},
 			args{
 				ctx: context.Background(),
@@ -521,11 +548,12 @@ func TestCommands_ChangeTarget(t *testing.T) {
 					ObjectRoot: models.ObjectRoot{
 						AggregateID: "id1",
 					},
-					Name:             gu.Ptr("name2"),
-					Endpoint:         gu.Ptr("https://example2.com"),
-					TargetType:       gu.Ptr(domain.TargetTypeCall),
-					Timeout:          gu.Ptr(10 * time.Second),
-					InterruptOnError: gu.Ptr(true),
+					Name:                 gu.Ptr("name2"),
+					Endpoint:             gu.Ptr("https://example2.com"),
+					TargetType:           gu.Ptr(domain.TargetTypeCall),
+					Timeout:              gu.Ptr(10 * time.Second),
+					InterruptOnError:     gu.Ptr(true),
+					ExpirationSigningKey: true,
 				},
 				resourceOwner: "instance",
 			},
@@ -540,7 +568,9 @@ func TestCommands_ChangeTarget(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore(t),
+				eventstore:                  tt.fields.eventstore(t),
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
 			}
 			details, err := c.ChangeTarget(tt.args.ctx, tt.args.change, tt.args.resourceOwner)
 			if tt.res.err == nil {
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -54,6 +54,7 @@ type Commands struct {
 	smtpEncryption                  crypto.EncryptionAlgorithm
 	smsEncryption                   crypto.EncryptionAlgorithm
 	userEncryption                  crypto.EncryptionAlgorithm
+	targetEncryption                crypto.EncryptionAlgorithm
 	userPasswordHasher              *crypto.Hasher
 	secretHasher                    *crypto.Hasher
 	machineKeySize                  int
@@ -108,7 +109,7 @@ func StartCommands(
 	externalDomain string,
 	externalSecure bool,
 	externalPort uint16,
-	idpConfigEncryption, otpEncryption, smtpEncryption, smsEncryption, userEncryption, domainVerificationEncryption, oidcEncryption, samlEncryption crypto.EncryptionAlgorithm,
+	idpConfigEncryption, otpEncryption, smtpEncryption, smsEncryption, userEncryption, domainVerificationEncryption, oidcEncryption, samlEncryption, targetEncryption crypto.EncryptionAlgorithm,
 	httpClient *http.Client,
 	permissionCheck domain.PermissionCheck,
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
@@ -153,6 +154,7 @@ func StartCommands(
 		smtpEncryption:                  smtpEncryption,
 		smsEncryption:                   smsEncryption,
 		userEncryption:                  userEncryption,
+		targetEncryption:                targetEncryption,
 		userPasswordHasher:              userPasswordHasher,
 		secretHasher:                    secretHasher,
 		machineKeySize:                  int(defaults.SecretGenerators.MachineKeySize),
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -157,6 +157,7 @@ type SecretGenerators struct {
 	OTPSMS                   *crypto.GeneratorConfig
 	OTPEmail                 *crypto.GeneratorConfig
 	InviteCode               *crypto.GeneratorConfig
+	SigningKey               *crypto.GeneratorConfig
 }

 type ZitadelConfig struct {