feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:17:32 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -29,10 +29,11 @@ type Queries struct {
 	client       *database.DB
 	caches       *Caches

-	keyEncryptionAlgorithm crypto.EncryptionAlgorithm
-	idpConfigEncryption    crypto.EncryptionAlgorithm
-	sessionTokenVerifier   func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error)
-	checkPermission        domain.PermissionCheck
+	keyEncryptionAlgorithm    crypto.EncryptionAlgorithm
+	idpConfigEncryption       crypto.EncryptionAlgorithm
+	targetEncryptionAlgorithm crypto.EncryptionAlgorithm
+	sessionTokenVerifier      func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error)
+	checkPermission           domain.PermissionCheck

 	DefaultLanguage                     language.Tag
 	mutex                               sync.Mutex
@@ -52,7 +53,7 @@ func StartQueries(
 	cacheConnectors connector.Connectors,
 	projections projection.Config,
 	defaults sd.SystemDefaults,
-	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm crypto.EncryptionAlgorithm,
+	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm, targetEncryptionAlgorithm crypto.EncryptionAlgorithm,
 	zitadelRoles []authz.RoleMapping,
 	sessionTokenVerifier func(ctx context.Context, sessionToken string, sessionID string, tokenID string) (err error),
 	permissionCheck func(q *Queries) domain.PermissionCheck,
@@ -70,6 +71,7 @@ func StartQueries(
 		zitadelRoles:                        zitadelRoles,
 		keyEncryptionAlgorithm:              keyEncryptionAlgorithm,
 		idpConfigEncryption:                 idpConfigEncryption,
+		targetEncryptionAlgorithm:           targetEncryptionAlgorithm,
 		sessionTokenVerifier:                sessionTokenVerifier,
 		multifactors: domain.MultifactorConfigs{
 			OTP: domain.OTPConfig{