feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 18:57:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"net/http"
 	"strconv"
@@ -33,9 +34,10 @@ type Commands struct {

 	jobs sync.WaitGroup

-	checkPermission    domain.PermissionCheck
-	newCode            cryptoCodeFunc
-	newCodeWithDefault cryptoCodeWithDefaultFunc
+	checkPermission             domain.PermissionCheck
+	newEncryptedCode            encrypedCodeFunc
+	newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+	newHashedSecret             hashedSecretFunc

 	eventstore     *eventstore.Eventstore
 	static         static.Storage
@@ -49,8 +51,8 @@ type Commands struct {
 	smtpEncryption                  crypto.EncryptionAlgorithm
 	smsEncryption                   crypto.EncryptionAlgorithm
 	userEncryption                  crypto.EncryptionAlgorithm
-	userPasswordHasher              *crypto.PasswordHasher
-	codeAlg                         crypto.HashAlgorithm
+	userPasswordHasher              *crypto.Hasher
+	secretHasher                    *crypto.Hasher
 	machineKeySize                  int
 	applicationKeySize              int
 	domainVerificationAlg           crypto.EncryptionAlgorithm
@@ -106,6 +108,15 @@ func StartCommands(
 	idGenerator := id.SonyFlakeGenerator()
 	// reuse the oidcEncryption to be able to handle both tokens in the interceptor later on
 	sessionAlg := oidcEncryption
+
+	secretHasher, err := defaults.SecretHasher.NewHasher()
+	if err != nil {
+		return nil, fmt.Errorf("secret hasher: %w", err)
+	}
+	userPasswordHasher, err := defaults.PasswordHasher.NewHasher()
+	if err != nil {
+		return nil, fmt.Errorf("password hasher: %w", err)
+	}
 	repo = &Commands{
 		eventstore:                      es,
 		static:                          staticStore,
@@ -123,14 +134,20 @@ func StartCommands(
 		smtpEncryption:                  smtpEncryption,
 		smsEncryption:                   smsEncryption,
 		userEncryption:                  userEncryption,
+		userPasswordHasher:              userPasswordHasher,
+		secretHasher:                    secretHasher,
+		machineKeySize:                  int(defaults.SecretGenerators.MachineKeySize),
+		applicationKeySize:              int(defaults.SecretGenerators.ApplicationKeySize),
 		domainVerificationAlg:           domainVerificationEncryption,
+		domainVerificationGenerator:     crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, domainVerificationEncryption),
+		domainVerificationValidator:     api_http.ValidateDomain,
 		keyAlgorithm:                    oidcEncryption,
 		certificateAlgorithm:            samlEncryption,
 		webauthnConfig:                  webAuthN,
 		httpClient:                      httpClient,
 		checkPermission:                 permissionCheck,
-		newCode:                         newCryptoCode,
-		newCodeWithDefault:              newCryptoCodeWithDefaultConfig,
+		newEncryptedCode:                newEncryptedCode,
+		newEncryptedCodeWithDefault:     newEncryptedCodeWithDefaultConfig,
 		sessionTokenCreator:             sessionTokenCreator(idGenerator, sessionAlg),
 		sessionTokenVerifier:            sessionTokenVerifier,
 		defaultAccessTokenLifetime:      defaultAccessTokenLifetime,
@@ -145,25 +162,17 @@ func StartCommands(
 		GrpcServiceExisting:    func(service string) bool { return false },
 		GrpcMethodExisting:     func(method string) bool { return false },
 		ActionFunctionExisting: domain.FunctionExists(),
-	}
-
-	repo.codeAlg = crypto.NewBCrypt(defaults.SecretGenerators.PasswordSaltCost)
-	repo.userPasswordHasher, err = defaults.PasswordHasher.PasswordHasher()
-	if err != nil {
-		return nil, err
-	}
-	repo.machineKeySize = int(defaults.SecretGenerators.MachineKeySize)
-	repo.applicationKeySize = int(defaults.SecretGenerators.ApplicationKeySize)
-
-	repo.multifactors = domain.MultifactorConfigs{
-		OTP: domain.OTPConfig{
-			CryptoMFA: otpEncryption,
-			Issuer:    defaults.Multifactors.OTP.Issuer,
+		multifactors: domain.MultifactorConfigs{
+			OTP: domain.OTPConfig{
+				CryptoMFA: otpEncryption,
+				Issuer:    defaults.Multifactors.OTP.Issuer,
+			},
 		},
 	}

-	repo.domainVerificationGenerator = crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, repo.domainVerificationAlg)
-	repo.domainVerificationValidator = api_http.ValidateDomain
+	if defaultSecretGenerators != nil && defaultSecretGenerators.ClientSecret != nil {
+		repo.newHashedSecret = newHashedSecretWithDefault(secretHasher, defaultSecretGenerators.ClientSecret)
+	}
 	return repo, nil
 }