feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 18:57:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/command/project_application_api_model.go
+++ b/internal/command/project_application_api_model.go
@@ -15,7 +15,7 @@ type APIApplicationWriteModel struct {
 	AppID              string
 	AppName            string
 	ClientID           string
-	ClientSecret       *crypto.CryptoValue
+	HashedSecret       string
 	ClientSecretString string
 	AuthMethodType     domain.APIAuthMethodType
 	State              domain.AppState
@@ -83,6 +83,11 @@ func (wm *APIApplicationWriteModel) AppendEvents(events ...eventstore.Event) {
 				continue
 			}
 			wm.WriteModel.AppendEvents(e)
+		case *project.APIConfigSecretHashUpdatedEvent:
+			if e.AppID != wm.AppID {
+				continue
+			}
+			wm.WriteModel.AppendEvents(e)
 		case *project.ProjectRemovedEvent:
 			wm.WriteModel.AppendEvents(e)
 		}
@@ -114,7 +119,9 @@ func (wm *APIApplicationWriteModel) Reduce() error {
 		case *project.APIConfigChangedEvent:
 			wm.appendChangeAPIEvent(e)
 		case *project.APIConfigSecretChangedEvent:
-			wm.ClientSecret = e.ClientSecret
+			wm.HashedSecret = crypto.SecretOrEncodedHash(e.ClientSecret, e.HashedSecret)
+		case *project.APIConfigSecretHashUpdatedEvent:
+			wm.HashedSecret = e.HashedSecret
 		case *project.ProjectRemovedEvent:
 			wm.State = domain.AppStateRemoved
 		}
@@ -125,7 +132,7 @@ func (wm *APIApplicationWriteModel) Reduce() error {
 func (wm *APIApplicationWriteModel) appendAddAPIEvent(e *project.APIConfigAddedEvent) {
 	wm.api = true
 	wm.ClientID = e.ClientID
-	wm.ClientSecret = e.ClientSecret
+	wm.HashedSecret = crypto.SecretOrEncodedHash(e.ClientSecret, e.HashedSecret)
 	wm.AuthMethodType = e.AuthMethodType
 }

@@ -150,8 +157,9 @@ func (wm *APIApplicationWriteModel) Query() *eventstore.SearchQueryBuilder {
 			project.APIConfigAddedType,
 			project.APIConfigChangedType,
 			project.APIConfigSecretChangedType,
-			project.ProjectRemovedType).
-		Builder()
+			project.APIConfigSecretHashUpdatedType,
+			project.ProjectRemovedType,
+		).Builder()
 }

 func (wm *APIApplicationWriteModel) NewChangedEvent(