mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-14 20:08:02 +00:00
e46dd121cd
* Allow using a local RSA key for machine keys * Add check for key validity * Fix naming error * docs: provide translations of invalid key --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
213 lines
6.5 KiB
Go
213 lines
6.5 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/command/preparation"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type AddMachineKey struct {
|
|
Type domain.AuthNKeyType
|
|
ExpirationDate time.Time
|
|
}
|
|
|
|
type MachineKey struct {
|
|
models.ObjectRoot
|
|
|
|
KeyID string
|
|
Type domain.AuthNKeyType
|
|
ExpirationDate time.Time
|
|
PrivateKey []byte
|
|
PublicKey []byte
|
|
}
|
|
|
|
func NewMachineKey(resourceOwner string, userID string, expirationDate time.Time, keyType domain.AuthNKeyType) *MachineKey {
|
|
return &MachineKey{
|
|
ObjectRoot: models.ObjectRoot{
|
|
AggregateID: userID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
ExpirationDate: expirationDate,
|
|
Type: keyType,
|
|
}
|
|
}
|
|
|
|
func (key *MachineKey) SetPublicKey(publicKey []byte) {
|
|
key.PublicKey = publicKey
|
|
}
|
|
func (key *MachineKey) SetPrivateKey(privateKey []byte) {
|
|
key.PrivateKey = privateKey
|
|
}
|
|
func (key *MachineKey) GetExpirationDate() time.Time {
|
|
return key.ExpirationDate
|
|
}
|
|
func (key *MachineKey) SetExpirationDate(t time.Time) {
|
|
key.ExpirationDate = t
|
|
}
|
|
|
|
func (key *MachineKey) Detail() ([]byte, error) {
|
|
if len(key.PrivateKey) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "KEY-sp2l2m", "Errors.Internal")
|
|
}
|
|
if key.Type == domain.AuthNKeyTypeJSON {
|
|
return domain.MachineKeyMarshalJSON(key.KeyID, key.PrivateKey, key.ExpirationDate, key.AggregateID)
|
|
}
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "KEY-dsg52", "Errors.Internal")
|
|
}
|
|
|
|
func (key *MachineKey) content() error {
|
|
if key.ResourceOwner == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-kqpoix", "Errors.ResourceOwnerMissing")
|
|
}
|
|
if key.AggregateID == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-xuiwk2", "Errors.User.UserIDMissing")
|
|
}
|
|
if key.KeyID == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-0p2m1h", "Errors.IDMissing")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (key *MachineKey) valid() (err error) {
|
|
if err := key.content(); err != nil {
|
|
return err
|
|
}
|
|
// If a key is supplied, it should be a valid public key
|
|
if len(key.PublicKey) > 0 {
|
|
if _, err := crypto.BytesToPublicKey(key.PublicKey); err != nil {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-5F3h1", "Errors.User.Machine.Key.Invalid")
|
|
}
|
|
}
|
|
key.ExpirationDate, err = domain.ValidateExpirationDate(key.ExpirationDate)
|
|
return err
|
|
}
|
|
|
|
func (key *MachineKey) checkAggregate(ctx context.Context, filter preparation.FilterToQueryReducer) error {
|
|
if exists, err := ExistsUser(ctx, filter, key.AggregateID, key.ResourceOwner); err != nil || !exists {
|
|
return zerrors.ThrowPreconditionFailed(err, "COMMAND-bnipwm1", "Errors.User.NotFound")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Commands) AddUserMachineKey(ctx context.Context, machineKey *MachineKey) (*domain.ObjectDetails, error) {
|
|
if machineKey.KeyID == "" {
|
|
keyID, err := c.idGenerator.Next()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
machineKey.KeyID = keyID
|
|
}
|
|
|
|
validation := prepareAddUserMachineKey(machineKey, c.machineKeySize)
|
|
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &domain.ObjectDetails{
|
|
Sequence: events[len(events)-1].Sequence(),
|
|
EventDate: events[len(events)-1].CreatedAt(),
|
|
ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
|
|
}, nil
|
|
}
|
|
|
|
func prepareAddUserMachineKey(machineKey *MachineKey, keySize int) preparation.Validation {
|
|
return func() (_ preparation.CreateCommands, err error) {
|
|
if err := machineKey.valid(); err != nil {
|
|
return nil, err
|
|
}
|
|
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
|
|
if err := machineKey.checkAggregate(ctx, filter); err != nil {
|
|
return nil, err
|
|
}
|
|
if len(machineKey.PublicKey) == 0 {
|
|
if err = domain.SetNewAuthNKeyPair(machineKey, keySize); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
writeModel, err := getMachineKeyWriteModelByID(ctx, filter, machineKey.AggregateID, machineKey.KeyID, machineKey.ResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if writeModel.Exists() {
|
|
return nil, zerrors.ThrowAlreadyExists(nil, "COMMAND-091mops", "Errors.User.Machine.Key.AlreadyExists")
|
|
}
|
|
return []eventstore.Command{
|
|
user.NewMachineKeyAddedEvent(
|
|
ctx,
|
|
UserAggregateFromWriteModel(&writeModel.WriteModel),
|
|
machineKey.KeyID,
|
|
machineKey.Type,
|
|
machineKey.ExpirationDate,
|
|
machineKey.PublicKey,
|
|
),
|
|
}, nil
|
|
}, nil
|
|
}
|
|
}
|
|
|
|
func (c *Commands) RemoveUserMachineKey(ctx context.Context, machineKey *MachineKey) (*domain.ObjectDetails, error) {
|
|
validation := prepareRemoveUserMachineKey(machineKey)
|
|
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
events, err := c.eventstore.Push(ctx, cmds...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &domain.ObjectDetails{
|
|
Sequence: events[len(events)-1].Sequence(),
|
|
EventDate: events[len(events)-1].CreatedAt(),
|
|
ResourceOwner: events[len(events)-1].Aggregate().ResourceOwner,
|
|
}, nil
|
|
}
|
|
|
|
func prepareRemoveUserMachineKey(machineKey *MachineKey) preparation.Validation {
|
|
return func() (_ preparation.CreateCommands, err error) {
|
|
if err := machineKey.content(); err != nil {
|
|
return nil, err
|
|
}
|
|
return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
|
|
writeModel, err := getMachineKeyWriteModelByID(ctx, filter, machineKey.AggregateID, machineKey.KeyID, machineKey.ResourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !writeModel.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.User.Machine.Key.NotFound")
|
|
}
|
|
return []eventstore.Command{
|
|
user.NewMachineKeyRemovedEvent(
|
|
ctx,
|
|
UserAggregateFromWriteModel(&writeModel.WriteModel),
|
|
machineKey.KeyID,
|
|
),
|
|
}, nil
|
|
}, nil
|
|
}
|
|
}
|
|
|
|
func getMachineKeyWriteModelByID(ctx context.Context, filter preparation.FilterToQueryReducer, userID, keyID, resourceOwner string) (_ *MachineKeyWriteModel, err error) {
|
|
writeModel := NewMachineKeyWriteModel(userID, keyID, resourceOwner)
|
|
events, err := filter(ctx, writeModel.Query())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(events) == 0 {
|
|
return writeModel, nil
|
|
}
|
|
writeModel.AppendEvents(events...)
|
|
err = writeModel.Reduce()
|
|
return writeModel, err
|
|
}
|