feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:37:34 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -11,7 +11,6 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -149,8 +148,8 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 			return client.ClientID, client.ProjectID, nil

 		}
-		if client.ClientSecret != nil {
-			if err := crypto.CompareHash(client.ClientSecret, []byte(cc.ClientSecret), s.hashAlg); err != nil {
+		if client.HashedSecret != "" {
+			if err := s.introspectionClientSecretAuth(ctx, client, cc.ClientSecret); err != nil {
 				return "", "", oidc.ErrUnauthorizedClient().WithParent(err)
 			}
 			return client.ClientID, client.ProjectID, nil
@@ -167,6 +166,35 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 	}
 }

+var errNoAppType = errors.New("introspection client without app type")
+
+func (s *Server) introspectionClientSecretAuth(ctx context.Context, client *query.IntrospectionClient, secret string) error {
+	var (
+		successCommand func(ctx context.Context, appID, projectID, resourceOwner, updated string)
+		failedCommand  func(ctx context.Context, appID, projectID, resourceOwner string)
+	)
+	switch client.AppType {
+	case query.AppTypeAPI:
+		successCommand = s.command.APISecretCheckSucceeded
+		failedCommand = s.command.APISecretCheckFailed
+	case query.AppTypeOIDC:
+		successCommand = s.command.OIDCSecretCheckSucceeded
+		failedCommand = s.command.OIDCSecretCheckFailed
+	default:
+		return zerrors.ThrowInternal(errNoAppType, "OIDC-ooD5Ot", "Errors.Internal")
+	}
+
+	ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
+	updated, err := s.hasher.Verify(client.HashedSecret, secret)
+	spanPasswordComparison.EndWithError(err)
+	if err != nil {
+		failedCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner)
+		return err
+	}
+	successCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner, updated)
+	return nil
+}
+
 // clientFromCredentials parses the client ID early,
 // and makes a single query for the client for either auth methods.
 func (s *Server) clientFromCredentials(ctx context.Context, cc *op.ClientCredentials) (client *query.IntrospectionClient, err error) {