feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:47:33 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -80,6 +80,7 @@ type OPStorage struct {
 }

 func NewServer(
+	ctx context.Context,
 	config Config,
 	defaultLogoutRedirectURI string,
 	externalSecure bool,
@@ -93,13 +94,14 @@ func NewServer(
 	userAgentCookie, instanceHandler func(http.Handler) http.Handler,
 	accessHandler *middleware.AccessInterceptor,
 	fallbackLogger *slog.Logger,
+	hashConfig crypto.HashConfig,
 ) (*Server, error) {
 	opConfig, err := createOPConfig(config, defaultLogoutRedirectURI, cryptoKey)
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "OIDC-EGrqd", "cannot create op config: %w")
 	}
 	storage := newStorage(config, command, query, repo, encryptionAlg, es, projections, externalSecure)
-	keyCache := newPublicKeyCache(context.TODO(), config.PublicKeyCacheMaxAge, query.GetPublicKeyByID)
+	keyCache := newPublicKeyCache(ctx, config.PublicKeyCacheMaxAge, query.GetPublicKeyByID)
 	accessTokenKeySet := newOidcKeySet(keyCache, withKeyExpiryCheck(true))
 	idTokenHintKeySet := newOidcKeySet(keyCache)

@@ -119,7 +121,10 @@ func NewServer(
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "OIDC-DAtg3", "cannot create provider")
 	}
-
+	hasher, err := hashConfig.NewHasher()
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "OIDC-Aij4e", "cannot create secret hasher")
+	}
 	server := &Server{
 		LegacyServer:               op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
 		repo:                       repo,
@@ -133,7 +138,7 @@ func NewServer(
 		defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime,
 		defaultIdTokenLifetime:     config.DefaultIdTokenLifetime,
 		fallbackLogger:             fallbackLogger,
-		hashAlg:                    crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
+		hasher:                     hasher,
 		signingKeyAlgorithm:        config.SigningKeyAlgorithm,
 		assetAPIPrefix:             assets.AssetAPI(externalSecure),
 	}