feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/oidc/client.go

@@ -1050,8 +1050,13 @@ func (s *Server) verifyClientSecret(ctx context.Context, client *query.OIDCClien
 	if secret == "" {
 		return oidc.ErrInvalidClient().WithDescription("empty client secret")
 	}
-	if err = crypto.CompareHash(client.ClientSecret, []byte(secret), s.hashAlg); err != nil {
+	ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
+	updated, err := s.hasher.Verify(client.HashedSecret, secret)
+	spanPasswordComparison.EndWithError(err)
+	if err != nil {
+		s.command.OIDCSecretCheckFailed(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner)
 		return oidc.ErrInvalidClient().WithParent(err).WithDescription("invalid secret")
 	}
+	s.command.OIDCSecretCheckSucceeded(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner, updated)
 	return nil
 }

internal/api/oidc/client_credentials.go

@@ -7,8 +7,8 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/oidc/v3/pkg/op"
 
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -41,15 +41,18 @@ func (s *Server) clientCredentialsAuth(ctx context.Context, clientID, clientSecr
 	if err != nil {
 		return nil, err // defaults to server error
 	}
-	if user.Machine == nil || user.Machine.Secret == nil {
+	if user.Machine == nil || user.Machine.EncodedSecret == "" {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-pieP8", "Errors.User.Machine.Secret.NotExisting")
 	}
-	if err = crypto.CompareHash(user.Machine.Secret, []byte(clientSecret), s.hashAlg); err != nil {
+	ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
+	updated, err := s.hasher.Verify(user.Machine.EncodedSecret, clientSecret)
+	spanPasswordComparison.EndWithError(err)
+	if err != nil {
 		s.command.MachineSecretCheckFailed(ctx, user.ID, user.ResourceOwner)
 		return nil, zerrors.ThrowInvalidArgument(err, "OIDC-VoXo6", "Errors.User.Machine.Secret.Invalid")
 	}
 
-	s.command.MachineSecretCheckSucceeded(ctx, user.ID, user.ResourceOwner)
+	s.command.MachineSecretCheckSucceeded(ctx, user.ID, user.ResourceOwner, updated)
 	return &clientCredentialsClient{
 		id:   clientID,
 		user: user,

internal/api/oidc/introspect.go

@@ -11,7 +11,6 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/op"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -149,8 +148,8 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 			return client.ClientID, client.ProjectID, nil
 
 		}
-		if client.ClientSecret != nil {
-			if err := crypto.CompareHash(client.ClientSecret, []byte(cc.ClientSecret), s.hashAlg); err != nil {
+		if client.HashedSecret != "" {
+			if err := s.introspectionClientSecretAuth(ctx, client, cc.ClientSecret); err != nil {
 				return "", "", oidc.ErrUnauthorizedClient().WithParent(err)
 			}
 			return client.ClientID, client.ProjectID, nil
@@ -167,6 +166,35 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 	}
 }
 
+var errNoAppType = errors.New("introspection client without app type")
+
+func (s *Server) introspectionClientSecretAuth(ctx context.Context, client *query.IntrospectionClient, secret string) error {
+	var (
+		successCommand func(ctx context.Context, appID, projectID, resourceOwner, updated string)
+		failedCommand  func(ctx context.Context, appID, projectID, resourceOwner string)
+	)
+	switch client.AppType {
+	case query.AppTypeAPI:
+		successCommand = s.command.APISecretCheckSucceeded
+		failedCommand = s.command.APISecretCheckFailed
+	case query.AppTypeOIDC:
+		successCommand = s.command.OIDCSecretCheckSucceeded
+		failedCommand = s.command.OIDCSecretCheckFailed
+	default:
+		return zerrors.ThrowInternal(errNoAppType, "OIDC-ooD5Ot", "Errors.Internal")
+	}
+
+	ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
+	updated, err := s.hasher.Verify(client.HashedSecret, secret)
+	spanPasswordComparison.EndWithError(err)
+	if err != nil {
+		failedCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner)
+		return err
+	}
+	successCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner, updated)
+	return nil
+}
+
 // clientFromCredentials parses the client ID early,
 // and makes a single query for the client for either auth methods.
 func (s *Server) clientFromCredentials(ctx context.Context, cc *op.ClientCredentials) (client *query.IntrospectionClient, err error) {

internal/api/oidc/op.go

@@ -80,6 +80,7 @@ type OPStorage struct {
 }
 
 func NewServer(
+	ctx context.Context,
 	config Config,
 	defaultLogoutRedirectURI string,
 	externalSecure bool,
@@ -93,13 +94,14 @@ func NewServer(
 	userAgentCookie, instanceHandler func(http.Handler) http.Handler,
 	accessHandler *middleware.AccessInterceptor,
 	fallbackLogger *slog.Logger,
+	hashConfig crypto.HashConfig,
 ) (*Server, error) {
 	opConfig, err := createOPConfig(config, defaultLogoutRedirectURI, cryptoKey)
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "OIDC-EGrqd", "cannot create op config: %w")
 	}
 	storage := newStorage(config, command, query, repo, encryptionAlg, es, projections, externalSecure)
-	keyCache := newPublicKeyCache(context.TODO(), config.PublicKeyCacheMaxAge, query.GetPublicKeyByID)
+	keyCache := newPublicKeyCache(ctx, config.PublicKeyCacheMaxAge, query.GetPublicKeyByID)
 	accessTokenKeySet := newOidcKeySet(keyCache, withKeyExpiryCheck(true))
 	idTokenHintKeySet := newOidcKeySet(keyCache)
 
@@ -119,7 +121,10 @@ func NewServer(
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "OIDC-DAtg3", "cannot create provider")
 	}
-
+	hasher, err := hashConfig.NewHasher()
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "OIDC-Aij4e", "cannot create secret hasher")
+	}
 	server := &Server{
 		LegacyServer:               op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
 		repo:                       repo,
@@ -133,7 +138,7 @@ func NewServer(
 		defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime,
 		defaultIdTokenLifetime:     config.DefaultIdTokenLifetime,
 		fallbackLogger:             fallbackLogger,
-		hashAlg:                    crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
+		hasher:                     hasher,
 		signingKeyAlgorithm:        config.SigningKeyAlgorithm,
 		assetAPIPrefix:             assets.AssetAPI(externalSecure),
 	}

internal/api/oidc/server.go

@@ -35,7 +35,7 @@ type Server struct {
 	defaultIdTokenLifetime     time.Duration
 
 	fallbackLogger      *slog.Logger
-	hashAlg             crypto.HashAlgorithm
+	hasher              *crypto.Hasher
 	signingKeyAlgorithm string
 	assetAPIPrefix      func(ctx context.Context) string
 }