mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 19:36:41 +00:00
2727fa719d
# Which Problems Are Solved
The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.
# How the Problems Are Solved
Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.
- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15
# Additional Changes
- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.
# Additional Context
- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)
159 lines
4.5 KiB
Go
159 lines
4.5 KiB
Go
package saml
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/zitadel/saml/pkg/provider"
|
|
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/internal/api/http/middleware"
|
|
"github.com/zitadel/zitadel/internal/api/ui/login"
|
|
"github.com/zitadel/zitadel/internal/auth/repository"
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/database"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/telemetry/metrics"
|
|
)
|
|
|
|
const (
|
|
HandlerPrefix = "/saml/v2"
|
|
)
|
|
|
|
type Config struct {
|
|
ProviderConfig *provider.Config
|
|
DefaultLoginURLV2 string
|
|
}
|
|
|
|
type Provider struct {
|
|
*provider.Provider
|
|
command *command.Commands
|
|
}
|
|
|
|
func NewProvider(
|
|
conf Config,
|
|
externalSecure bool,
|
|
command *command.Commands,
|
|
query *query.Queries,
|
|
repo repository.Repository,
|
|
encAlg crypto.EncryptionAlgorithm,
|
|
certEncAlg crypto.EncryptionAlgorithm,
|
|
targetEncAlg crypto.EncryptionAlgorithm,
|
|
es *eventstore.Eventstore,
|
|
projections *database.DB,
|
|
instanceHandler,
|
|
userAgentCookie func(http.Handler) http.Handler,
|
|
accessHandler *middleware.AccessInterceptor,
|
|
) (*Provider, error) {
|
|
metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
|
|
|
|
provStorage, err := newStorage(
|
|
command,
|
|
query,
|
|
repo,
|
|
encAlg,
|
|
certEncAlg,
|
|
targetEncAlg,
|
|
es,
|
|
projections,
|
|
fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
|
|
conf.DefaultLoginURLV2,
|
|
ContextToIssuer,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
options := []provider.Option{
|
|
provider.WithHttpInterceptors(
|
|
middleware.MetricsHandler(metricTypes),
|
|
middleware.TelemetryHandler(),
|
|
middleware.NoCacheInterceptor().Handler,
|
|
instanceHandler,
|
|
userAgentCookie,
|
|
accessHandler.HandleWithPublicAuthPathPrefixes(publicAuthPathPrefixes(conf.ProviderConfig)),
|
|
http_utils.CopyHeadersToContext,
|
|
middleware.ActivityHandler,
|
|
),
|
|
provider.WithCustomTimeFormat("2006-01-02T15:04:05.999Z"),
|
|
}
|
|
if !externalSecure {
|
|
options = append(options, provider.WithAllowInsecure())
|
|
}
|
|
|
|
p, err := provider.NewProvider(
|
|
provStorage,
|
|
IssuerFromContext,
|
|
conf.ProviderConfig,
|
|
options...,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Provider{
|
|
p,
|
|
command,
|
|
}, nil
|
|
}
|
|
|
|
func ContextToIssuer(ctx context.Context) string {
|
|
return http_utils.DomainContext(ctx).Origin() + HandlerPrefix
|
|
}
|
|
|
|
func IssuerFromContext(_ bool) (provider.IssuerFromRequest, error) {
|
|
return func(r *http.Request) string {
|
|
return ContextToIssuer(r.Context())
|
|
}, nil
|
|
}
|
|
|
|
func newStorage(
|
|
command *command.Commands,
|
|
query *query.Queries,
|
|
repo repository.Repository,
|
|
encAlg crypto.EncryptionAlgorithm,
|
|
certEncAlg crypto.EncryptionAlgorithm,
|
|
targetEncAlg crypto.EncryptionAlgorithm,
|
|
es *eventstore.Eventstore,
|
|
db *database.DB,
|
|
defaultLoginURL string,
|
|
defaultLoginURLV2 string,
|
|
contextToIssuer func(context.Context) string,
|
|
) (*Storage, error) {
|
|
return &Storage{
|
|
encAlg: encAlg,
|
|
certEncAlg: certEncAlg,
|
|
targetEncAlg: targetEncAlg,
|
|
locker: crdb.NewLocker(db.DB, locksTable, signingKey),
|
|
eventstore: es,
|
|
repo: repo,
|
|
command: command,
|
|
query: query,
|
|
defaultLoginURL: defaultLoginURL,
|
|
defaultLoginURLv2: defaultLoginURLV2,
|
|
contextToIssuer: contextToIssuer,
|
|
}, nil
|
|
}
|
|
|
|
func publicAuthPathPrefixes(config *provider.Config) []string {
|
|
metadataEndpoint := HandlerPrefix + provider.DefaultMetadataEndpoint
|
|
certificateEndpoint := HandlerPrefix + provider.DefaultCertificateEndpoint
|
|
ssoEndpoint := HandlerPrefix + provider.DefaultSingleSignOnEndpoint
|
|
if config.MetadataConfig != nil && config.MetadataConfig.Path != "" {
|
|
metadataEndpoint = HandlerPrefix + config.MetadataConfig.Path
|
|
}
|
|
if config.IDPConfig == nil || config.IDPConfig.Endpoints == nil {
|
|
return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}
|
|
}
|
|
if config.IDPConfig.Endpoints.Certificate != nil && config.IDPConfig.Endpoints.Certificate.Relative() != "" {
|
|
certificateEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.Certificate.Relative()
|
|
}
|
|
if config.IDPConfig.Endpoints.SingleSignOn != nil && config.IDPConfig.Endpoints.SingleSignOn.Relative() != "" {
|
|
ssoEndpoint = HandlerPrefix + config.IDPConfig.Endpoints.SingleSignOn.Relative()
|
|
}
|
|
return []string{metadataEndpoint, certificateEndpoint, ssoEndpoint}
|
|
}
|