fix: improve key rotation (#1107)

* key rotation * fix: rotate signing key * cleanup * introspect * testingapplication key * date * client keys * fix client keys * fix client keys * access tokens only for users * AuthMethodPrivateKeyJWT * client keys * set introspection info correctly * managae apis * update oidc pkg * cleanup * merge msater * set current sequence in migration * set current sequence in migration * set current sequence in migration * ensure authn keys uptodate * improve key rotation * fix: return api config in ApplicationView * fix mocks for tests * fix(mock): corrected unit tests for updated mock package Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-10-21 15:19:14 +00:00 · 2021-02-23 15:07:42 +01:00
parent 16a47c6542
commit f60d200d5a
34 changed files with 590 additions and 433 deletions
--- a/internal/key/model/key_view.go
+++ b/internal/key/model/key_view.go
@@ -22,6 +22,7 @@ type SigningKey struct {
 	ID        string
 	Algorithm string
 	Key       interface{}
+	Sequence  uint64
 }

 type PublicKey struct {
@@ -84,6 +85,7 @@ func SigningKeyFromKeyView(key *KeyView, alg crypto.EncryptionAlgorithm) (*Signi
 		ID:        key.ID,
 		Algorithm: key.Algorithm,
 		Key:       privateKey,
+		Sequence:  key.Sequence,
 	}, nil
 }

--- a/internal/key/repository/eventsourcing/eventstore.go
+++ b/internal/key/repository/eventsourcing/eventstore.go
@@ -25,11 +25,12 @@ type KeyEventstore struct {
 }

 type KeyConfig struct {
-	Size               int
-	PrivateKeyLifetime types.Duration
-	PublicKeyLifetime  types.Duration
-	EncryptionConfig   *crypto.KeyConfig
-	SigningKeyRotation types.Duration
+	Size                     int
+	PrivateKeyLifetime       types.Duration
+	PublicKeyLifetime        types.Duration
+	EncryptionConfig         *crypto.KeyConfig
+	SigningKeyRotationCheck  types.Duration
+	SigningKeyGracefulPeriod types.Duration
 }

 func StartKey(eventstore es_int.Eventstore, config KeyConfig, keyAlgorithm crypto.EncryptionAlgorithm, generator id.Generator) (*KeyEventstore, error) {
@@ -83,3 +84,7 @@ func (es *KeyEventstore) CreateKeyPair(ctx context.Context, pair *key_model.KeyP
 	}
 	return model.KeyPairToModel(repoKey), nil
 }
+
+func (es *KeyEventstore) LatestKeyEvents(ctx context.Context, sequence uint64) ([]*models.Event, error) {
+	return es.FilterEvents(ctx, KeyPairQuery(sequence))
+}
--- a/internal/key/repository/view/key.go
+++ b/internal/key/repository/view/key.go
@@ -3,6 +3,7 @@ package view
 import (
 	"time"

+	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/view/repository"

 	"github.com/jinzhu/gorm"
@@ -22,15 +23,30 @@ func KeyByIDAndType(db *gorm.DB, table, keyID string, private bool) (*model.KeyV
 	return key, err
 }

-func GetSigningKey(db *gorm.DB, table string) (*model.KeyView, error) {
-	key := new(model.KeyView)
-	query := repository.PrepareGetByQuery(table,
-		model.KeySearchQuery{Key: key_model.KeySearchKeyPrivate, Method: global_model.SearchMethodEquals, Value: true},
-		model.KeySearchQuery{Key: key_model.KeySearchKeyUsage, Method: global_model.SearchMethodEquals, Value: key_model.KeyUsageSigning},
-		model.KeySearchQuery{Key: key_model.KeySearchKeyExpiry, Method: global_model.SearchMethodGreaterThan, Value: time.Now().UTC()},
+func GetSigningKey(db *gorm.DB, table string, expiry time.Time) (*model.KeyView, error) {
+	if expiry.IsZero() {
+		expiry = time.Now().UTC()
+	}
+	keys := make([]*model.KeyView, 0)
+	query := repository.PrepareSearchQuery(table,
+		model.KeySearchRequest{
+			Queries: []*key_model.KeySearchQuery{
+				{Key: key_model.KeySearchKeyPrivate, Method: global_model.SearchMethodEquals, Value: true},
+				{Key: key_model.KeySearchKeyUsage, Method: global_model.SearchMethodEquals, Value: key_model.KeyUsageSigning},
+				{Key: key_model.KeySearchKeyExpiry, Method: global_model.SearchMethodGreaterThan, Value: expiry},
+			},
+			SortingColumn: key_model.KeySearchKeyExpiry,
+			Limit:         1,
+		},
 	)
-	err := query(db, key)
-	return key, err
+	_, err := query(db, &keys)
+	if err != nil {
+		return nil, err
+	}
+	if len(keys) != 1 {
+		return nil, caos_errs.ThrowNotFound(err, "VIEW-BGD41", "key not found")
+	}
+	return keys[0], nil
 }

 func GetActivePublicKeys(db *gorm.DB, table string) ([]*model.KeyView, error) {
--- a/internal/key/repository/view/model/key.go
+++ b/internal/key/repository/view/model/key.go
@@ -45,7 +45,7 @@ func KeysFromPairEvent(event *models.Event) (*KeyView, *KeyView, error) {
 		Algorithm: pair.Algorithm,
 		Usage:     pair.Usage,
 		Key:       pair.PrivateKey.Key,
-		Sequence:  pair.Sequence,
+		Sequence:  event.Sequence,
 	}
 	publicKey := &KeyView{
 		ID:        event.AggregateID,
@@ -54,7 +54,7 @@ func KeysFromPairEvent(event *models.Event) (*KeyView, *KeyView, error) {
 		Algorithm: pair.Algorithm,
 		Usage:     pair.Usage,
 		Key:       pair.PublicKey.Key,
-		Sequence:  pair.Sequence,
+		Sequence:  event.Sequence,
 	}
 	return privateKey, publicKey, nil
 }