mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-16 12:58:00 +00:00
7caa43ab23
# Which Problems Are Solved The action v2 messages were didn't contain anything providing security for the sent content. # How the Problems Are Solved Each Target now has a SigningKey, which can also be newly generated through the API and returned at creation and through the Get-Endpoints. There is now a HTTP header "Zitadel-Signature", which is generated with the SigningKey and Payload, and also contains a timestamp to check with a tolerance if the message took to long to sent. # Additional Changes The functionality to create and check the signature is provided in the pkg/actions package, and can be reused in the SDK. # Additional Context Closes #7924 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
216 lines
6.0 KiB
Go
216 lines
6.0 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/command/preparation"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
|
"github.com/zitadel/zitadel/internal/repository/target"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type AddTarget struct {
|
|
models.ObjectRoot
|
|
|
|
Name string
|
|
TargetType domain.TargetType
|
|
Endpoint string
|
|
Timeout time.Duration
|
|
InterruptOnError bool
|
|
|
|
SigningKey string
|
|
}
|
|
|
|
func (a *AddTarget) IsValid() error {
|
|
if a.Name == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-ddqbm9us5p", "Errors.Target.Invalid")
|
|
}
|
|
if a.Timeout == 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-39f35d8uri", "Errors.Target.NoTimeout")
|
|
}
|
|
_, err := url.Parse(a.Endpoint)
|
|
if err != nil || a.Endpoint == "" {
|
|
return zerrors.ThrowInvalidArgument(err, "COMMAND-1r2k6qo6wg", "Errors.Target.InvalidURL")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (c *Commands) AddTarget(ctx context.Context, add *AddTarget, resourceOwner string) (_ *domain.ObjectDetails, err error) {
|
|
if resourceOwner == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-brml926e2d", "Errors.IDMissing")
|
|
}
|
|
|
|
if err := add.IsValid(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if add.AggregateID == "" {
|
|
add.AggregateID, err = c.idGenerator.Next()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
wm, err := c.getTargetWriteModelByID(ctx, add.AggregateID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if wm.State.Exists() {
|
|
return nil, zerrors.ThrowAlreadyExists(nil, "INSTANCE-9axkz0jvzm", "Errors.Target.AlreadyExists")
|
|
}
|
|
code, err := c.newSigningKey(ctx, c.eventstore.Filter, c.targetEncryption) //nolint
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
add.SigningKey = code.PlainCode()
|
|
pushedEvents, err := c.eventstore.Push(ctx, target.NewAddedEvent(
|
|
ctx,
|
|
TargetAggregateFromWriteModel(&wm.WriteModel),
|
|
add.Name,
|
|
add.TargetType,
|
|
add.Endpoint,
|
|
add.Timeout,
|
|
add.InterruptOnError,
|
|
code.Crypted,
|
|
))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := AppendAndReduce(wm, pushedEvents...); err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&wm.WriteModel), nil
|
|
}
|
|
|
|
type ChangeTarget struct {
|
|
models.ObjectRoot
|
|
|
|
Name *string
|
|
TargetType *domain.TargetType
|
|
Endpoint *string
|
|
Timeout *time.Duration
|
|
InterruptOnError *bool
|
|
|
|
ExpirationSigningKey bool
|
|
SigningKey *string
|
|
}
|
|
|
|
func (a *ChangeTarget) IsValid() error {
|
|
if a.AggregateID == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-1l6ympeagp", "Errors.IDMissing")
|
|
}
|
|
if a.Name != nil && *a.Name == "" {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-d1wx4lm0zr", "Errors.Target.Invalid")
|
|
}
|
|
if a.Timeout != nil && *a.Timeout == 0 {
|
|
return zerrors.ThrowInvalidArgument(nil, "COMMAND-08b39vdi57", "Errors.Target.NoTimeout")
|
|
}
|
|
if a.Endpoint != nil {
|
|
_, err := url.Parse(*a.Endpoint)
|
|
if err != nil || *a.Endpoint == "" {
|
|
return zerrors.ThrowInvalidArgument(err, "COMMAND-jsbaera7b6", "Errors.Target.InvalidURL")
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Commands) ChangeTarget(ctx context.Context, change *ChangeTarget, resourceOwner string) (*domain.ObjectDetails, error) {
|
|
if resourceOwner == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-zqibgg0wwh", "Errors.IDMissing")
|
|
}
|
|
if err := change.IsValid(); err != nil {
|
|
return nil, err
|
|
}
|
|
existing, err := c.getTargetWriteModelByID(ctx, change.AggregateID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !existing.State.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "COMMAND-xj14f2cccn", "Errors.Target.NotFound")
|
|
}
|
|
|
|
var changedSigningKey *crypto.CryptoValue
|
|
if change.ExpirationSigningKey {
|
|
code, err := c.newSigningKey(ctx, c.eventstore.Filter, c.targetEncryption) //nolint
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
changedSigningKey = code.Crypted
|
|
change.SigningKey = &code.Plain
|
|
}
|
|
|
|
changedEvent := existing.NewChangedEvent(
|
|
ctx,
|
|
TargetAggregateFromWriteModel(&existing.WriteModel),
|
|
change.Name,
|
|
change.TargetType,
|
|
change.Endpoint,
|
|
change.Timeout,
|
|
change.InterruptOnError,
|
|
changedSigningKey,
|
|
)
|
|
if changedEvent == nil {
|
|
return writeModelToObjectDetails(&existing.WriteModel), nil
|
|
}
|
|
pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = AppendAndReduce(existing, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&existing.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) DeleteTarget(ctx context.Context, id, resourceOwner string) (*domain.ObjectDetails, error) {
|
|
if id == "" || resourceOwner == "" {
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-obqos2l3no", "Errors.IDMissing")
|
|
}
|
|
|
|
existing, err := c.getTargetWriteModelByID(ctx, id, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !existing.State.Exists() {
|
|
return nil, zerrors.ThrowNotFound(nil, "COMMAND-k4s7ucu0ax", "Errors.Target.NotFound")
|
|
}
|
|
|
|
if err := c.pushAppendAndReduce(ctx,
|
|
existing,
|
|
target.NewRemovedEvent(ctx,
|
|
TargetAggregateFromWriteModel(&existing.WriteModel),
|
|
existing.Name,
|
|
),
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModelToObjectDetails(&existing.WriteModel), nil
|
|
}
|
|
|
|
func (c *Commands) existsTargetsByIDs(ctx context.Context, ids []string, resourceOwner string) bool {
|
|
wm := NewTargetsExistsWriteModel(ids, resourceOwner)
|
|
err := c.eventstore.FilterToQueryReducer(ctx, wm)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return wm.AllExists()
|
|
}
|
|
|
|
func (c *Commands) getTargetWriteModelByID(ctx context.Context, id string, resourceOwner string) (*TargetWriteModel, error) {
|
|
wm := NewTargetWriteModel(id, resourceOwner)
|
|
err := c.eventstore.FilterToQueryReducer(ctx, wm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return wm, nil
|
|
}
|
|
|
|
func (c *Commands) newSigningKey(ctx context.Context, filter preparation.FilterToQueryReducer, alg crypto.EncryptionAlgorithm) (*EncryptedCode, error) {
|
|
return c.newEncryptedCodeWithDefault(ctx, filter, domain.SecretGeneratorTypeSigningKey, alg, c.defaultSecretGenerators.SigningKey)
|
|
}
|