fix(queries): authn keys (#2820)

* begin authn keys

* single table for state change

* add key type

* begin authn keys query

* query

* tests

* fix merge

* remove wrong migration version

* improve filter

* Update projection.go

* cleanup

internal/management/repository/eventsourcing/eventstore/project.go

@@ -18,8 +18,6 @@ import (
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	iam_view "github.com/caos/zitadel/internal/iam/repository/view"
-	key_model "github.com/caos/zitadel/internal/key/model"
-	key_view_model "github.com/caos/zitadel/internal/key/repository/view/model"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	proj_view "github.com/caos/zitadel/internal/project/repository/view"
@@ -116,59 +114,6 @@ func (repo *ProjectRepo) ApplicationChanges(ctx context.Context, projectID strin
 	return changes, nil
 }
 
-func (repo *ProjectRepo) SearchClientKeys(ctx context.Context, request *key_model.AuthNKeySearchRequest) (*key_model.AuthNKeySearchResponse, error) {
-	err := request.EnsureLimit(repo.SearchLimit)
-	if err != nil {
-		return nil, err
-	}
-	sequence, sequenceErr := repo.View.GetLatestAuthNKeySequence()
-	logging.Log("EVENT-ADwgw").OnError(sequenceErr).Warn("could not read latest authn key sequence")
-	keys, count, err := repo.View.SearchAuthNKeys(request)
-	if err != nil {
-		return nil, err
-	}
-	result := &key_model.AuthNKeySearchResponse{
-		Offset:      request.Offset,
-		Limit:       request.Limit,
-		TotalResult: count,
-		Result:      key_view_model.AuthNKeysToModel(keys),
-	}
-	if sequenceErr == nil {
-		result.Sequence = sequence.CurrentSequence
-		result.Timestamp = sequence.LastSuccessfulSpoolerRun
-	}
-	return result, nil
-}
-
-func (repo *ProjectRepo) GetClientKey(ctx context.Context, projectID, applicationID, keyID string) (*key_model.AuthNKeyView, error) {
-	key, viewErr := repo.View.AuthNKeyByIDs(applicationID, keyID)
-	if viewErr != nil {
-		return nil, viewErr
-	}
-
-	events, esErr := repo.getProjectEvents(ctx, projectID, key.Sequence)
-	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
-		return nil, caos_errs.ThrowNotFound(nil, "EVENT-SFf2g", "Errors.User.KeyNotFound")
-	}
-
-	if esErr != nil {
-		logging.Log("EVENT-ADbf2").WithError(viewErr).Debug("error retrieving new events")
-		return key_view_model.AuthNKeyToModel(key), nil
-	}
-
-	viewKey := *key
-	for _, event := range events {
-		err := key.AppendEventIfMyClientKey(event)
-		if err != nil {
-			return key_view_model.AuthNKeyToModel(&viewKey), nil
-		}
-		if key.State != int32(proj_model.AppStateActive) {
-			return nil, caos_errs.ThrowNotFound(nil, "EVENT-Adfg3", "Errors.User.KeyNotFound")
-		}
-	}
-	return key_view_model.AuthNKeyToModel(key), nil
-}
-
 func (repo *ProjectRepo) ProjectGrantMemberByID(ctx context.Context, projectID, userID string) (*proj_model.ProjectGrantMemberView, error) {
 	member, err := repo.View.ProjectGrantMemberByIDs(projectID, userID)
 	if err != nil {

internal/management/repository/eventsourcing/eventstore/user.go

@@ -14,8 +14,6 @@ import (
 	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
 	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
-	key_model "github.com/caos/zitadel/internal/key/model"
-	key_view_model "github.com/caos/zitadel/internal/key/repository/view/model"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	usr_view "github.com/caos/zitadel/internal/user/repository/view"
@@ -269,38 +267,6 @@ func (repo *UserRepo) ExternalIDPsByIDPConfigIDAndResourceOwner(ctx context.Cont
 	return model.ExternalIDPViewsToModel(externalIDPs), nil
 }
 
-func (repo *UserRepo) GetMachineKey(ctx context.Context, userID, keyID string) (*key_model.AuthNKeyView, error) {
-	key, err := repo.View.AuthNKeyByIDs(userID, keyID)
-	if err != nil {
-		return nil, err
-	}
-	return key_view_model.AuthNKeyToModel(key), nil
-}
-
-func (repo *UserRepo) SearchMachineKeys(ctx context.Context, request *key_model.AuthNKeySearchRequest) (*key_model.AuthNKeySearchResponse, error) {
-	err := request.EnsureLimit(repo.SearchLimit)
-	if err != nil {
-		return nil, err
-	}
-	sequence, seqErr := repo.View.GetLatestAuthNKeySequence()
-	logging.Log("EVENT-Sk8fs").OnError(seqErr).Warn("could not read latest authn key sequence")
-	keys, count, err := repo.View.SearchAuthNKeys(request)
-	if err != nil {
-		return nil, err
-	}
-	result := &key_model.AuthNKeySearchResponse{
-		Offset:      request.Offset,
-		Limit:       request.Limit,
-		TotalResult: count,
-		Result:      key_view_model.AuthNKeysToModel(keys),
-	}
-	if seqErr == nil {
-		result.Sequence = sequence.CurrentSequence
-		result.Timestamp = sequence.LastSuccessfulSpoolerRun
-	}
-	return result, nil
-}
-
 func (repo *UserRepo) EmailByID(ctx context.Context, userID string) (*usr_model.Email, error) {
 	user, err := repo.UserByID(ctx, userID)
 	if err != nil {

internal/management/repository/eventsourcing/handler/authn_keys.go

@@ -1,124 +0,0 @@
-package handler
-
-import (
-	"github.com/caos/zitadel/internal/eventstore/v1"
-	"time"
-
-	"github.com/caos/logging"
-
-	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
-	"github.com/caos/zitadel/internal/eventstore/v1/query"
-	"github.com/caos/zitadel/internal/eventstore/v1/spooler"
-	key_model "github.com/caos/zitadel/internal/key/repository/view/model"
-	proj_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
-	user_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
-)
-
-const (
-	authnKeysTable = "management.authn_keys"
-)
-
-type AuthNKeys struct {
-	handler
-	subscription *v1.Subscription
-}
-
-func newAuthNKeys(handler handler) *AuthNKeys {
-	h := &AuthNKeys{
-		handler: handler,
-	}
-
-	h.subscribe()
-
-	return h
-}
-
-func (k *AuthNKeys) subscribe() {
-	k.subscription = k.es.Subscribe(k.AggregateTypes()...)
-	go func() {
-		for event := range k.subscription.Events {
-			query.ReduceEvent(k, event)
-		}
-	}()
-}
-
-func (k *AuthNKeys) ViewModel() string {
-	return authnKeysTable
-}
-
-func (k *AuthNKeys) Subscription() *v1.Subscription {
-	return k.subscription
-}
-
-func (_ *AuthNKeys) AggregateTypes() []es_models.AggregateType {
-	return []es_models.AggregateType{user_model.UserAggregate, proj_model.ProjectAggregate}
-}
-
-func (k *AuthNKeys) CurrentSequence() (uint64, error) {
-	sequence, err := k.view.GetLatestAuthNKeySequence()
-	if err != nil {
-		return 0, err
-	}
-	return sequence.CurrentSequence, nil
-}
-
-func (k *AuthNKeys) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := k.view.GetLatestAuthNKeySequence()
-	if err != nil {
-		return nil, err
-	}
-	return es_models.NewSearchQuery().
-		AggregateTypeFilter(k.AggregateTypes()...).
-		LatestSequenceFilter(sequence.CurrentSequence), nil
-}
-
-func (k *AuthNKeys) Reduce(event *es_models.Event) (err error) {
-	switch event.AggregateType {
-	case user_model.UserAggregate,
-		proj_model.ProjectAggregate:
-		err = k.processAuthNKeys(event)
-	}
-	return err
-}
-
-func (k *AuthNKeys) processAuthNKeys(event *es_models.Event) (err error) {
-	key := new(key_model.AuthNKeyView)
-	switch event.Type {
-	case user_model.MachineKeyAdded,
-		proj_model.ClientKeyAdded:
-		err = key.AppendEvent(event)
-		if key.ExpirationDate.Before(time.Now()) {
-			return k.view.ProcessedAuthNKeySequence(event)
-		}
-	case user_model.MachineKeyRemoved:
-		err = key.SetUserData(event)
-		if err != nil {
-			return err
-		}
-		return k.view.DeleteAuthNKey(key.ID, event)
-	case proj_model.ClientKeyRemoved:
-		err = key.SetClientData(event)
-		if err != nil {
-			return err
-		}
-		return k.view.DeleteAuthNKey(key.ID, event)
-	case user_model.UserRemoved,
-		proj_model.ApplicationRemoved:
-		return k.view.DeleteAuthNKeysByObjectID(event.AggregateID, event)
-	default:
-		return k.view.ProcessedAuthNKeySequence(event)
-	}
-	if err != nil {
-		return err
-	}
-	return k.view.PutAuthNKey(key, event)
-}
-
-func (d *AuthNKeys) OnError(event *es_models.Event, err error) error {
-	logging.LogWithFields("SPOOL-S9fe", "id", event.AggregateID).WithError(err).Warn("something went wrong in machine key handler")
-	return spooler.HandleError(event, err, d.view.GetLatestAuthNKeyFailedEvent, d.view.ProcessedAuthNKeyFailedEvent, d.view.ProcessedAuthNKeySequence, d.errorCountUntilSkip)
-}
-
-func (d *AuthNKeys) OnSuccess() error {
-	return spooler.HandleSuccess(d.view.UpdateAuthNKeySpoolerRunTimestamp)
-}

internal/management/repository/eventsourcing/handler/handler.go

@@ -42,8 +42,6 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			handler{view, bulkLimit, configs.cycleDuration("OrgMember"), errorCount, es}),
 		newUserMembership(
 			handler{view, bulkLimit, configs.cycleDuration("UserMembership"), errorCount, es}),
-		newAuthNKeys(
-			handler{view, bulkLimit, configs.cycleDuration("MachineKeys"), errorCount, es}),
 		newIDPConfig(
 			handler{view, bulkLimit, configs.cycleDuration("IDPConfig"), errorCount, es}),
 		newIDPProvider(

internal/management/repository/eventsourcing/view/authn_keys.go

@@ -1,74 +0,0 @@
-package view
-
-import (
-	"github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v1/models"
-	key_model "github.com/caos/zitadel/internal/key/model"
-	"github.com/caos/zitadel/internal/key/repository/view"
-	"github.com/caos/zitadel/internal/key/repository/view/model"
-	"github.com/caos/zitadel/internal/view/repository"
-)
-
-const (
-	authNKeyTable = "management.authn_keys"
-)
-
-func (v *View) AuthNKeyByIDs(objectID, keyID string) (*model.AuthNKeyView, error) {
-	return view.AuthNKeyByIDs(v.Db, authNKeyTable, objectID, keyID)
-}
-
-func (v *View) AuthNKeysByObjectID(objectID string) ([]*model.AuthNKeyView, error) {
-	return view.AuthNKeysByObjectID(v.Db, authNKeyTable, objectID)
-}
-
-func (v *View) AuthNKeyByID(keyID string) (*model.AuthNKeyView, error) {
-	return view.AuthNKeyByID(v.Db, authNKeyTable, keyID)
-}
-
-func (v *View) SearchAuthNKeys(request *key_model.AuthNKeySearchRequest) ([]*model.AuthNKeyView, uint64, error) {
-	return view.SearchAuthNKeys(v.Db, authNKeyTable, request)
-}
-
-func (v *View) PutAuthNKey(key *model.AuthNKeyView, event *models.Event) error {
-	err := view.PutAuthNKey(v.Db, authNKeyTable, key)
-	if err != nil {
-		return err
-	}
-	return v.ProcessedAuthNKeySequence(event)
-}
-
-func (v *View) DeleteAuthNKey(keyID string, event *models.Event) error {
-	err := view.DeleteAuthNKey(v.Db, authNKeyTable, keyID)
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	return v.ProcessedAuthNKeySequence(event)
-}
-
-func (v *View) DeleteAuthNKeysByObjectID(objectID string, event *models.Event) error {
-	err := view.DeleteAuthNKey(v.Db, authNKeyTable, objectID)
-	if err != nil && !errors.IsNotFound(err) {
-		return err
-	}
-	return v.ProcessedAuthNKeySequence(event)
-}
-
-func (v *View) GetLatestAuthNKeySequence() (*repository.CurrentSequence, error) {
-	return v.latestSequence(authNKeyTable)
-}
-
-func (v *View) ProcessedAuthNKeySequence(event *models.Event) error {
-	return v.saveCurrentSequence(authNKeyTable, event)
-}
-
-func (v *View) UpdateAuthNKeySpoolerRunTimestamp() error {
-	return v.updateSpoolerRunSequence(authNKeyTable)
-}
-
-func (v *View) GetLatestAuthNKeyFailedEvent(sequence uint64) (*repository.FailedEvent, error) {
-	return v.latestFailedEvent(authNKeyTable, sequence)
-}
-
-func (v *View) ProcessedAuthNKeyFailedEvent(failedEvent *repository.FailedEvent) error {
-	return v.saveFailedEvent(failedEvent)
-}

internal/management/repository/project.go

@@ -6,7 +6,6 @@ import (
 
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 
-	key_model "github.com/caos/zitadel/internal/key/model"
 	"github.com/caos/zitadel/internal/project/model"
 )
 
@@ -18,8 +17,6 @@ type ProjectRepository interface {
 	ProjectChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool, retention time.Duration) (*model.ProjectChanges, error)
 
 	ApplicationChanges(ctx context.Context, projectID string, appID string, lastSequence uint64, limit uint64, sortAscending bool, retention time.Duration) (*model.ApplicationChanges, error)
-	SearchClientKeys(ctx context.Context, request *key_model.AuthNKeySearchRequest) (*key_model.AuthNKeySearchResponse, error)
-	GetClientKey(ctx context.Context, projectID, applicationID, keyID string) (*key_model.AuthNKeyView, error)
 
 	SearchProjectGrantMembers(ctx context.Context, request *model.ProjectGrantMemberSearchRequest) (*model.ProjectGrantMemberSearchResponse, error)
 

internal/management/repository/user.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/caos/zitadel/internal/domain"
-	key_model "github.com/caos/zitadel/internal/key/model"
 	"github.com/caos/zitadel/internal/user/model"
 )
 
@@ -33,9 +32,6 @@ type UserRepository interface {
 	ExternalIDPsByIDPConfigID(ctx context.Context, idpConfigID string) ([]*model.ExternalIDPView, error)
 	ExternalIDPsByIDPConfigIDAndResourceOwner(ctx context.Context, idpConfigID, resourceOwner string) ([]*model.ExternalIDPView, error)
 
-	SearchMachineKeys(ctx context.Context, request *key_model.AuthNKeySearchRequest) (*key_model.AuthNKeySearchResponse, error)
-	GetMachineKey(ctx context.Context, userID, keyID string) (*key_model.AuthNKeyView, error)
-
 	EmailByID(ctx context.Context, userID string) (*model.Email, error)
 
 	PhoneByID(ctx context.Context, userID string) (*model.Phone, error)