feat: action v2 signing (#8779)

# Which Problems Are Solved

The action v2 messages didn't contain anything providing security
for the sent content.

# How the Problems Are Solved

Each Target now has a SigningKey, which can also be newly generated
through the API and returned at creation and through the Get-Endpoints.
There is now a HTTP header "Zitadel-Signature", which is generated with
the SigningKey and Payload, and also contains a timestamp to check with
a tolerance if the message took to long to sent.

# Additional Changes

The functionality to create and check the signature is provided in the
pkg/actions package, and can be reused in the SDK.

# Additional Context

Closes #7924

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Stefan Benz
2024-11-28 11:06:52 +01:00
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions


@@ -408,6 +408,12 @@ message CreateTargetRequest {
message CreateTargetResponse {
zitadel.resources.object.v3alpha.Details details = 1;
// Key used to sign and check payload sent to the target.
string signing_key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message PatchTargetRequest {
@@ -433,6 +439,12 @@ message PatchTargetRequest {
message PatchTargetResponse {
zitadel.resources.object.v3alpha.Details details = 1;
// Key used to sign and check payload sent to the target.
optional string signing_key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message DeleteTargetRequest {
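Review bot: `signing_key` in CreateTargetResponse and PatchTargetResponse is a shared secret returned in plaintext, but its leading comment only says it is used to sign and check the payload; it should state that the value is credential material the caller must store securely and not log, and that the same key is also readable later through `GetTarget.signing_key` in the other file section, so anyone with read access to the target obtains it — if that wider exposure is not intended, consider returning the key only here and on rotation. Suggested comment for both fields: `// Secret key used to sign and verify the payload sent to the target. Treat it as a credential: store it securely and do not log it.`. The OpenAPI example `98KmsU67` is eight characters; if that is representative of the generated length, the docs should also state the key's format and length so integrators can judge its strength — the schema alone does not show how the key is generated. Both hunks in this section share the point.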


@@ -9,6 +9,7 @@ import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/resources/object/v3alpha/object.proto";
@@ -51,6 +52,11 @@ message Target {
message GetTarget {
zitadel.resources.object.v3alpha.Details details = 1;
Target config = 2;
string signing_key = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message PatchTarget {
@@ -84,6 +90,21 @@ message PatchTarget {
max_length: 1000
}
];
// Regenerate the key used for signing and checking the payload sent to the target.
// Set the graceful period for the existing key. During that time, the previous
// signing key and the new one will be used to sign the request to allow you a smooth
// transition onf your API.
//
// Note that we currently only allow an immediate rotation ("0s") and will support
// longer expirations in the future.
optional google.protobuf.Duration expiration_signing_key = 7 [
(validate.rules).duration = {const: {seconds: 0, nanos: 0}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"0s\""
minimum: 0
maximum: 0
}
];
}
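Review bot: The field comment at the end of the PatchTarget hunk has a typo (`transition onf your API` → `transition of your API`), and the new `signing_key = 3` in the GetTarget hunk has no leading comment at all, unlike the same field in the response messages — suggest `// Secret key used to sign and verify the payload sent to the target; treat it as a credential and store it securely.`. The Duration field name `expiration_signing_key` does not follow the `*_duration`/unitful naming convention and reads awkwardly as a generated accessor; since v3alpha is not yet published, `signing_key_expiration` (or `signing_key_grace_duration`) would be clearer, though renaming is source-breaking once clients exist. The import hunk adds only `google/protobuf/timestamp.proto`, while the hunks in this file use `google.protobuf.Duration` and nothing visible uses Timestamp — presumably `google/protobuf/duration.proto` is already imported above line 9, but that is worth confirming since the type will otherwise fail to resolve.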