feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 19:07:30 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/internal/command/action_v2_target_model.go
+++ b/internal/command/action_v2_target_model.go
@@ -5,6 +5,7 @@ import (
 	"slices"
 	"time"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/target"
@@ -18,6 +19,7 @@ type TargetWriteModel struct {
 	Endpoint         string
 	Timeout          time.Duration
 	InterruptOnError bool
+	SigningKey       *crypto.CryptoValue

 	State domain.TargetState
 }
@@ -41,6 +43,7 @@ func (wm *TargetWriteModel) Reduce() error {
 			wm.Endpoint = e.Endpoint
 			wm.Timeout = e.Timeout
 			wm.State = domain.TargetActive
+			wm.SigningKey = e.SigningKey
 		case *target.ChangedEvent:
 			if e.Name != nil {
 				wm.Name = *e.Name
@@ -57,6 +60,9 @@ func (wm *TargetWriteModel) Reduce() error {
 			if e.InterruptOnError != nil {
 				wm.InterruptOnError = *e.InterruptOnError
 			}
+			if e.SigningKey != nil {
+				wm.SigningKey = e.SigningKey
+			}
 		case *target.RemovedEvent:
 			wm.State = domain.TargetRemoved
 		}
@@ -84,6 +90,7 @@ func (wm *TargetWriteModel) NewChangedEvent(
 	endpoint *string,
 	timeout *time.Duration,
 	interruptOnError *bool,
+	signingKey *crypto.CryptoValue,
 ) *target.ChangedEvent {
 	changes := make([]target.Changes, 0)
 	if name != nil && wm.Name != *name {
@@ -101,6 +108,10 @@ func (wm *TargetWriteModel) NewChangedEvent(
 	if interruptOnError != nil && wm.InterruptOnError != *interruptOnError {
 		changes = append(changes, target.ChangeInterruptOnError(*interruptOnError))
 	}
+	// if signingkey is set, update it as it is encrypted
+	if signingKey != nil {
+		changes = append(changes, target.ChangeSigningKey(signingKey))
+	}
 	if len(changes) == 0 {
 		return nil
 	}