mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 11:32:17 +00:00
2727fa719d
# Which Problems Are Solved
The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.
# How the Problems Are Solved
Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.
- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15
# Additional Changes
- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.
# Additional Context
- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)
185 lines
6.0 KiB
Go
185 lines
6.0 KiB
Go
package execution
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
zhttp "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
target_domain "github.com/zitadel/zitadel/internal/execution/target"
|
|
"github.com/zitadel/zitadel/internal/repository/execution"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
"github.com/zitadel/zitadel/pkg/actions"
|
|
)
|
|
|
|
type ContextInfo interface {
|
|
GetHTTPRequestBody() []byte
|
|
GetContent() interface{}
|
|
SetHTTPResponseBody([]byte) error
|
|
}
|
|
|
|
// CallTargets call a list of targets in order with handling of error and responses
|
|
func CallTargets(
|
|
ctx context.Context,
|
|
targets []target_domain.Target,
|
|
info ContextInfo,
|
|
alg crypto.EncryptionAlgorithm,
|
|
) (_ interface{}, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
for _, target := range targets {
|
|
// call the type of target
|
|
resp, err := CallTarget(ctx, target, info, alg)
|
|
// handle error if interrupt is set
|
|
if err != nil && target.IsInterruptOnError() {
|
|
return nil, err
|
|
}
|
|
if len(resp) > 0 {
|
|
// error in unmarshalling
|
|
if err := info.SetHTTPResponseBody(resp); err != nil && target.IsInterruptOnError() {
|
|
return nil, err
|
|
}
|
|
}
|
|
}
|
|
return info.GetContent(), nil
|
|
}
|
|
|
|
type ContextInfoRequest interface {
|
|
GetHTTPRequestBody() []byte
|
|
}
|
|
|
|
// CallTarget call the desired type of target with handling of responses
|
|
func CallTarget(
|
|
ctx context.Context,
|
|
target target_domain.Target,
|
|
info ContextInfoRequest,
|
|
alg crypto.EncryptionAlgorithm,
|
|
) (res []byte, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
signingKey, err := target.GetSigningKey(alg)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "EXEC-thiiCh5b", "Errors.Internal")
|
|
}
|
|
|
|
switch target.GetTargetType() {
|
|
// get request, ignore response and return request and error for handling in list of targets
|
|
case target_domain.TargetTypeWebhook:
|
|
return nil, webhook(ctx, target.GetEndpoint(), target.GetTimeout(), info.GetHTTPRequestBody(), signingKey)
|
|
// get request, return response and error
|
|
case target_domain.TargetTypeCall:
|
|
return Call(ctx, target.GetEndpoint(), target.GetTimeout(), info.GetHTTPRequestBody(), signingKey)
|
|
case target_domain.TargetTypeAsync:
|
|
go func(ctx context.Context, target target_domain.Target, info []byte) {
|
|
if _, err := Call(ctx, target.GetEndpoint(), target.GetTimeout(), info, signingKey); err != nil {
|
|
logging.WithFields("target", target.GetTargetID()).OnError(err).Info(err)
|
|
}
|
|
}(context.WithoutCancel(ctx), target, info.GetHTTPRequestBody())
|
|
return nil, nil
|
|
default:
|
|
return nil, zerrors.ThrowInternal(nil, "EXEC-auqnansr2m", "Errors.Execution.Unknown")
|
|
}
|
|
}
|
|
|
|
// webhook call a webhook, ignore the response but return the errror
|
|
func webhook(ctx context.Context, url string, timeout time.Duration, body []byte, signingKey string) error {
|
|
_, err := Call(ctx, url, timeout, body, signingKey)
|
|
return err
|
|
}
|
|
|
|
// Call function to do a post HTTP request to a desired url with timeout
|
|
func Call(ctx context.Context, url string, timeout time.Duration, body []byte, signingKey string) (_ []byte, err error) {
|
|
ctx, cancel := context.WithTimeout(ctx, timeout)
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() {
|
|
cancel()
|
|
span.EndWithError(err)
|
|
}()
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(body))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
if signingKey != "" {
|
|
req.Header.Set(actions.SigningHeader, actions.ComputeSignatureHeader(time.Now(), body, signingKey))
|
|
}
|
|
|
|
client := http.DefaultClient
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
return HandleResponse(resp)
|
|
}
|
|
|
|
func HandleResponse(resp *http.Response) ([]byte, error) {
|
|
data, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// Check for success between 200 and 299, redirect 300 to 399 is handled by the client, return error with statusCode >= 400
|
|
if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
|
|
var errorBody ErrorBody
|
|
if err := json.Unmarshal(data, &errorBody); err != nil {
|
|
// if json unmarshal fails, body has no ErrorBody information, so will be taken as successful response
|
|
return data, nil
|
|
}
|
|
if errorBody.ForwardedStatusCode != 0 || errorBody.ForwardedErrorMessage != "" {
|
|
if errorBody.ForwardedStatusCode >= 400 && errorBody.ForwardedStatusCode < 500 {
|
|
return nil, zhttp.HTTPStatusCodeToZitadelError(nil, errorBody.ForwardedStatusCode, "EXEC-reUaUZCzCp", errorBody.ForwardedErrorMessage)
|
|
}
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "EXEC-bmhNhpcqpF", errorBody.ForwardedErrorMessage)
|
|
}
|
|
// no ErrorBody filled in response, so will be taken as successful response
|
|
return data, nil
|
|
}
|
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "EXEC-dra6yamk98", "Errors.Execution.Failed")
|
|
}
|
|
|
|
type ErrorBody struct {
|
|
ForwardedStatusCode int `json:"forwardedStatusCode,omitempty"`
|
|
ForwardedErrorMessage string `json:"forwardedErrorMessage,omitempty"`
|
|
}
|
|
|
|
func QueryExecutionTargetsForRequest(
|
|
ctx context.Context,
|
|
fullMethod string,
|
|
) []target_domain.Target {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer span.End()
|
|
|
|
requestTargets, _ := authz.GetInstance(ctx).ExecutionRouter().GetEventBestMatch(execution.ID(domain.ExecutionTypeRequest, fullMethod))
|
|
return requestTargets
|
|
}
|
|
|
|
func QueryExecutionTargetsForResponse(
|
|
ctx context.Context,
|
|
fullMethod string,
|
|
) []target_domain.Target {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer span.End()
|
|
|
|
responseTargets, _ := authz.GetInstance(ctx).ExecutionRouter().GetEventBestMatch(execution.ID(domain.ExecutionTypeResponse, fullMethod))
|
|
return responseTargets
|
|
}
|
|
|
|
func QueryExecutionTargetsForFunction(ctx context.Context, function string) []target_domain.Target {
|
|
executionTargets, _ := authz.GetInstance(ctx).ExecutionRouter().GetEventBestMatch(function)
|
|
return executionTargets
|
|
}
|