TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-13 03:24:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: handle first key rotation on newly created instance (#3118)

Browse Source
This commit is contained in:
Livio Amstutz 2022-01-28 09:24:34 +01:00 committed by GitHub
parent e99b7f4972
commit 990be687c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
internal/api/oidc/key.go
View File

@ -70,7 +70,11 @@ func (o *OPStorage) getSigningKey(ctx context.Context, renewTimer *time.Timer, k
return return
} }
if len(keys.Keys) == 0 { if len(keys.Keys) == 0 {
o.refreshSigningKey(ctx, keyCh, o.signingKeyAlgorithm, keys.LatestSequence) var sequence uint64
if keys.LatestSequence != nil {
sequence = keys.LatestSequence.Sequence
}
o.refreshSigningKey(ctx, keyCh, o.signingKeyAlgorithm, sequence)
checkAfter := o.resetTimer(renewTimer, true) checkAfter := o.resetTimer(renewTimer, true)
logging.Log("OIDC-ASDf3").Infof("next signing key check in %s", checkAfter) logging.Log("OIDC-ASDf3").Infof("next signing key check in %s", checkAfter)
return return
@ -94,12 +98,12 @@ func (o *OPStorage) resetTimer(timer *time.Timer, shortRefresh bool) (nextCheck
return maxLifetime - o.signingKeyGracefulPeriod - o.signingKeyRotationCheck return maxLifetime - o.signingKeyGracefulPeriod - o.signingKeyRotationCheck
} }
func (o *OPStorage) refreshSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, algorithm string, sequence *query.LatestSequence) { func (o *OPStorage) refreshSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, algorithm string, sequence uint64) {
if o.currentKey != nil && o.currentKey.Expiry().Before(time.Now().UTC()) { if o.currentKey != nil && o.currentKey.Expiry().Before(time.Now().UTC()) {
logging.Log("OIDC-ADg26").Info("unset current signing key") logging.Log("OIDC-ADg26").Info("unset current signing key")
keyCh <- jose.SigningKey{} keyCh <- jose.SigningKey{}
} }
ok, err := o.ensureIsLatestKey(ctx, sequence.Sequence) ok, err := o.ensureIsLatestKey(ctx, sequence)
if err != nil { if err != nil {
logging.Log("OIDC-sdz53").WithError(err).Error("could not ensure latest key") logging.Log("OIDC-sdz53").WithError(err).Error("could not ensure latest key")
return return

5
internal/query/key.go
View File

@ -219,7 +219,10 @@ func (q *Queries) ActivePrivateSigningKey(ctx context.Context, t time.Time) (*Pr
return nil, err return nil, err
} }
keys.LatestSequence, err = q.latestSequence(ctx, keyTable) keys.LatestSequence, err = q.latestSequence(ctx, keyTable)
return keys, err if !errors.IsNotFound(err) {
return keys, err
}
return keys, nil
} }
func preparePublicKeysQuery() (sq.SelectBuilder, func(*sql.Rows) (*PublicKeys, error)) { func preparePublicKeysQuery() (sq.SelectBuilder, func(*sql.Rows) (*PublicKeys, error)) {