feat: action v2 signing (#8779)

# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 19:17:32 +00:00 · 2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions
--- a/internal/repository/target/target.go
+++ b/internal/repository/target/target.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 )
@@ -18,11 +19,12 @@ const (
 type AddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	Name             string            `json:"name"`
-	TargetType       domain.TargetType `json:"targetType"`
-	Endpoint         string            `json:"endpoint"`
-	Timeout          time.Duration     `json:"timeout"`
-	InterruptOnError bool              `json:"interruptOnError"`
+	Name             string              `json:"name"`
+	TargetType       domain.TargetType   `json:"targetType"`
+	Endpoint         string              `json:"endpoint"`
+	Timeout          time.Duration       `json:"timeout"`
+	InterruptOnError bool                `json:"interruptOnError"`
+	SigningKey       *crypto.CryptoValue `json:"signingKey"`
 }

 func (e *AddedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
@@ -45,22 +47,24 @@ func NewAddedEvent(
 	endpoint string,
 	timeout time.Duration,
 	interruptOnError bool,
+	signingKey *crypto.CryptoValue,
 ) *AddedEvent {
 	return &AddedEvent{
 		*eventstore.NewBaseEventForPush(
 			ctx, aggregate, AddedEventType,
 		),
-		name, targetType, endpoint, timeout, interruptOnError}
+		name, targetType, endpoint, timeout, interruptOnError, signingKey}
 }

 type ChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	Name             *string            `json:"name,omitempty"`
-	TargetType       *domain.TargetType `json:"targetType,omitempty"`
-	Endpoint         *string            `json:"endpoint,omitempty"`
-	Timeout          *time.Duration     `json:"timeout,omitempty"`
-	InterruptOnError *bool              `json:"interruptOnError,omitempty"`
+	Name             *string             `json:"name,omitempty"`
+	TargetType       *domain.TargetType  `json:"targetType,omitempty"`
+	Endpoint         *string             `json:"endpoint,omitempty"`
+	Timeout          *time.Duration      `json:"timeout,omitempty"`
+	InterruptOnError *bool               `json:"interruptOnError,omitempty"`
+	SigningKey       *crypto.CryptoValue `json:"signingKey,omitempty"`

 	oldName string
 }
@@ -134,6 +138,12 @@ func ChangeInterruptOnError(interruptOnError bool) func(event *ChangedEvent) {
 	}
 }

+func ChangeSigningKey(signingKey *crypto.CryptoValue) func(event *ChangedEvent) {
+	return func(e *ChangedEvent) {
+		e.SigningKey = signingKey
+	}
+}
+
 type RemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`