feat: allow using a local RSA key for machine keys (#7671)

* Allow using a local RSA key for machine keys * Add check for key validity * Fix naming error * docs: provide translations of invalid key --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 19:07:30 +00:00 · 2024-04-23 11:38:07 +02:00
parent df50c3835b
commit e46dd121cd
19 changed files with 80 additions and 13 deletions
--- a/internal/command/user_machine_key_test.go
+++ b/internal/command/user_machine_key_test.go
@@ -18,6 +18,16 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

+const fakePubkey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp4qNBuUu/HekF2E5bOtA
+oEL76zS0NQdZL3ByEJ3hZplJhE30ITPIOLW3+uaMMM+obl/LLapwG2vdhvutQtx/
+FOLJmXysbG3RL9zjXDBT5IE+nGFC7ctsi5FGbHQbAm45E3HHCSk7gfmTy9hxyk1K
+GsyU8BDeOWasJO6aeXqpOnRM8vw/fY+6mHVC9CxcIroSfrIabFGe/mP6qpBGeFSn
+APymBc/8lca4JaPv2/u/rBhnaAHZiUuCS1+MonWelOb+MSfq48VgtpiaYIVY9szI
+esorA6EJ9pO17ROEUpX5wP5Oir+yGJU27jSvLCjvK6fOFX+OwUM9L8047JKoo+Nf
+PwIDAQAB
+-----END PUBLIC KEY-----`
+
 func TestCommands_AddMachineKey(t *testing.T) {
 	type fields struct {
 		eventstore   *eventstore.Eventstore
@@ -145,7 +155,7 @@ func TestCommands_AddMachineKey(t *testing.T) {
 							"key1",
 							domain.AuthNKeyTypeJSON,
 							time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
-							[]byte("public"),
+							[]byte(fakePubkey),
 						),
 					),
 				),
@@ -161,14 +171,14 @@ func TestCommands_AddMachineKey(t *testing.T) {
 					},
 					Type:           domain.AuthNKeyTypeJSON,
 					ExpirationDate: time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
-					PublicKey:      []byte("public"),
+					PublicKey:      []byte(fakePubkey),
 				},
 			},
 			res{
 				want: &domain.ObjectDetails{
 					ResourceOwner: "org1",
 				},
-				key: true,
+				key: false,
 			},
 		},
 		{
@@ -194,7 +204,7 @@ func TestCommands_AddMachineKey(t *testing.T) {
 							"key1",
 							domain.AuthNKeyTypeJSON,
 							time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
-							[]byte("public"),
+							[]byte(fakePubkey),
 						),
 					),
 				),
@@ -210,14 +220,35 @@ func TestCommands_AddMachineKey(t *testing.T) {
 					KeyID:          "key1",
 					Type:           domain.AuthNKeyTypeJSON,
 					ExpirationDate: time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
-					PublicKey:      []byte("public"),
+					PublicKey:      []byte(fakePubkey),
 				},
 			},
 			res{
 				want: &domain.ObjectDetails{
 					ResourceOwner: "org1",
 				},
-				key: true,
+				key: false,
+			},
+		},
+		{
+			"key added with invalid public key",
+			fields{
+				eventstore: eventstoreExpect(t),
+			},
+			args{
+				ctx: context.Background(),
+				key: &MachineKey{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID:   "user1",
+						ResourceOwner: "org1",
+					},
+					KeyID:     "key1",
+					Type:      domain.AuthNKeyTypeJSON,
+					PublicKey: []byte("incorrect"),
+				},
+			},
+			res{
+				err: zerrors.IsErrorInvalidArgument,
 			},
 		},
 	}
@@ -237,9 +268,8 @@ func TestCommands_AddMachineKey(t *testing.T) {
 			}
 			if tt.res.err == nil {
 				assert.Equal(t, tt.res.want, got)
-				if tt.res.key {
-					assert.NotEqual(t, "", tt.args.key.PrivateKey)
-				}
+				receivedKey := len(tt.args.key.PrivateKey) > 0
+				assert.Equal(t, tt.res.key, receivedKey)
 			}
 		})
 	}