Auth: Signing Key persistence (#75487)

* signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service
2025-02-25 18:55:37 -06:00 · 2023-10-04 10:37:27 +02:00
parent 0eac9aff7f
commit 44fa0697ce
16 changed files with 663 additions and 335 deletions
--- a/pkg/services/sqlstore/migrations/migrations.go
+++ b/pkg/services/sqlstore/migrations/migrations.go
@@ -5,6 +5,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations/anonservice"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations/oauthserver"
+	"github.com/grafana/grafana/pkg/services/sqlstore/migrations/signingkeys"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations/ualert"
 	. "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
 )
@@ -99,6 +100,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
 	}

 	anonservice.AddMigration(mg)
+	signingkeys.AddMigration(mg)
 }

 func addStarMigrations(mg *Migrator) {
--- a/pkg/services/sqlstore/migrations/signingkeys/migrations.go
+++ b/pkg/services/sqlstore/migrations/signingkeys/migrations.go
@@ -0,0 +1,23 @@
+package signingkeys
+
+import "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
+
+func AddMigration(mg *migrator.Migrator) {
+	var signingKeysV1 = migrator.Table{
+		Name: "signing_key",
+		Columns: []*migrator.Column{
+			{Name: "id", Type: migrator.DB_BigInt, IsPrimaryKey: true, IsAutoIncrement: true},
+			{Name: "key_id", Type: migrator.DB_NVarchar, Length: 255, Nullable: false},
+			{Name: "private_key", Type: migrator.DB_Text, Nullable: false},
+			{Name: "added_at", Type: migrator.DB_DateTime, Nullable: false},
+			{Name: "expires_at", Type: migrator.DB_DateTime, Nullable: true},
+			{Name: "alg", Type: migrator.DB_NVarchar, Length: 255, Nullable: false},
+		},
+		Indices: []*migrator.Index{
+			{Cols: []string{"key_id"}, Type: migrator.UniqueIndex},
+		},
+	}
+
+	mg.AddMigration("create signing_key table", migrator.NewAddTableMigration(signingKeysV1))
+	mg.AddMigration("add unique index signing_key.key_id", migrator.NewAddIndexMigration(signingKeysV1, signingKeysV1.Indices[0]))
+}