mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 13:23:40 +00:00
f60d200d5a
* key rotation * fix: rotate signing key * cleanup * introspect * testingapplication key * date * client keys * fix client keys * fix client keys * access tokens only for users * AuthMethodPrivateKeyJWT * client keys * set introspection info correctly * managae apis * update oidc pkg * cleanup * merge msater * set current sequence in migration * set current sequence in migration * set current sequence in migration * ensure authn keys uptodate * improve key rotation * fix: return api config in ApplicationView * fix mocks for tests * fix(mock): corrected unit tests for updated mock package Co-authored-by: Stefan Benz <stefan@caos.ch>
123 lines
2.5 KiB
Go
123 lines
2.5 KiB
Go
package model
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/caos/zitadel/internal/crypto"
|
|
"github.com/caos/zitadel/internal/errors"
|
|
"github.com/caos/zitadel/internal/model"
|
|
)
|
|
|
|
type KeyView struct {
|
|
ID string
|
|
Private bool
|
|
Expiry time.Time
|
|
Algorithm string
|
|
Usage KeyUsage
|
|
Key *crypto.CryptoValue
|
|
Sequence uint64
|
|
}
|
|
|
|
type SigningKey struct {
|
|
ID string
|
|
Algorithm string
|
|
Key interface{}
|
|
Sequence uint64
|
|
}
|
|
|
|
type PublicKey struct {
|
|
ID string
|
|
Algorithm string
|
|
Usage KeyUsage
|
|
Key interface{}
|
|
}
|
|
|
|
type KeySearchRequest struct {
|
|
Offset uint64
|
|
Limit uint64
|
|
SortingColumn KeySearchKey
|
|
Asc bool
|
|
Queries []*KeySearchQuery
|
|
}
|
|
|
|
type KeySearchKey int32
|
|
|
|
const (
|
|
KeySearchKeyUnspecified KeySearchKey = iota
|
|
KeySearchKeyID
|
|
KeySearchKeyPrivate
|
|
KeySearchKeyExpiry
|
|
KeySearchKeyUsage
|
|
)
|
|
|
|
type KeySearchQuery struct {
|
|
Key KeySearchKey
|
|
Method model.SearchMethod
|
|
Value interface{}
|
|
}
|
|
|
|
type KeySearchResponse struct {
|
|
Offset uint64
|
|
Limit uint64
|
|
TotalResult uint64
|
|
Result []*KeyView
|
|
}
|
|
|
|
func (r *KeySearchRequest) EnsureLimit(limit uint64) {
|
|
if r.Limit == 0 || r.Limit > limit {
|
|
r.Limit = limit
|
|
}
|
|
}
|
|
|
|
func SigningKeyFromKeyView(key *KeyView, alg crypto.EncryptionAlgorithm) (*SigningKey, error) {
|
|
if key.Usage != KeyUsageSigning || !key.Private {
|
|
return nil, errors.ThrowInvalidArgument(nil, "MODEL-5HBdh", "key must be private signing key")
|
|
}
|
|
keyData, err := crypto.Decrypt(key.Key, alg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
privateKey, err := crypto.BytesToPrivateKey(keyData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &SigningKey{
|
|
ID: key.ID,
|
|
Algorithm: key.Algorithm,
|
|
Key: privateKey,
|
|
Sequence: key.Sequence,
|
|
}, nil
|
|
}
|
|
|
|
func PublicKeysFromKeyView(keys []*KeyView, alg crypto.EncryptionAlgorithm) ([]*PublicKey, error) {
|
|
converted := make([]*PublicKey, len(keys))
|
|
var err error
|
|
for i, key := range keys {
|
|
converted[i], err = PublicKeyFromKeyView(key, alg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
return converted, nil
|
|
|
|
}
|
|
func PublicKeyFromKeyView(key *KeyView, alg crypto.EncryptionAlgorithm) (*PublicKey, error) {
|
|
if key.Private {
|
|
return nil, errors.ThrowInvalidArgument(nil, "MODEL-dTZa2", "key must be public")
|
|
}
|
|
keyData, err := crypto.Decrypt(key.Key, alg)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
publicKey, err := crypto.BytesToPublicKey(keyData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &PublicKey{
|
|
ID: key.ID,
|
|
Algorithm: key.Algorithm,
|
|
Usage: key.Usage,
|
|
Key: publicKey,
|
|
}, nil
|
|
}
|