feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix integration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann
2024-04-05 12:35:49 +03:00
committed by GitHub
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions


@@ -25,8 +25,8 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
idGenerator id.Generator
userPasswordHasher *crypto.PasswordHasher
newCode cryptoCodeFunc
userPasswordHasher *crypto.Hasher
newCode encrypedCodeFunc
checkPermission domain.PermissionCheck
}
type args struct {
@@ -247,7 +247,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -283,7 +283,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
),
checkPermission: newMockPermissionCheckNotAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -349,7 +349,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -420,7 +420,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
userPasswordHasher: mockPasswordHasher("x"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -492,7 +492,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
userPasswordHasher: mockPasswordHasher("x"),
newCode: mockCode("emailCode", time.Hour),
newCode: mockEncryptedCode("emailCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -565,7 +565,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
userPasswordHasher: mockPasswordHasher("x"),
newCode: mockCode("emailCode", time.Hour),
newCode: mockEncryptedCode("emailCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -974,7 +974,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
userPasswordHasher: mockPasswordHasher("x"),
newCode: mockCode("phonecode", time.Hour),
newCode: mockEncryptedCode("phonecode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1040,7 +1040,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1116,7 +1116,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
userPasswordHasher: mockPasswordHasher("x"),
newCode: mockCode("phoneCode", time.Hour),
newCode: mockEncryptedCode("phoneCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1185,7 +1185,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
),
checkPermission: newMockPermissionCheckAllowed(),
idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "user1"),
newCode: mockCode("userinit", time.Hour),
newCode: mockEncryptedCode("userinit", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1223,7 +1223,7 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
eventstore: tt.fields.eventstore(t),
userPasswordHasher: tt.fields.userPasswordHasher,
idGenerator: tt.fields.idGenerator,
newCode: tt.fields.newCode,
newEncryptedCode: tt.fields.newCode,
checkPermission: tt.fields.checkPermission,
}
err := r.AddUserHuman(tt.args.ctx, tt.args.orgID, tt.args.human, tt.args.allowInitMail, tt.args.codeAlg)
@@ -1247,8 +1247,8 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
func TestCommandSide_ChangeUserHuman(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
userPasswordHasher *crypto.PasswordHasher
newCode cryptoCodeFunc
userPasswordHasher *crypto.Hasher
newCode encrypedCodeFunc
checkPermission domain.PermissionCheck
}
type args struct {
@@ -1562,7 +1562,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
),
),
checkPermission: newMockPermissionCheckAllowed(),
newCode: mockCode("emailCode", time.Hour),
newCode: mockEncryptedCode("emailCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1741,7 +1741,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
),
),
checkPermission: newMockPermissionCheckAllowed(),
newCode: mockCode("emailCode", time.Hour),
newCode: mockEncryptedCode("emailCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1791,7 +1791,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
),
),
checkPermission: newMockPermissionCheckAllowed(),
newCode: mockCode("phoneCode", time.Hour),
newCode: mockEncryptedCode("phoneCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -1939,7 +1939,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
),
),
checkPermission: newMockPermissionCheckAllowed(),
newCode: mockCode("phoneCode", time.Hour),
newCode: mockEncryptedCode("phoneCode", time.Hour),
},
args: args{
ctx: context.Background(),
@@ -2546,7 +2546,7 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
r := &Commands{
eventstore: tt.fields.eventstore(t),
userPasswordHasher: tt.fields.userPasswordHasher,
newCode: tt.fields.newCode,
newEncryptedCode: tt.fields.newCode,
checkPermission: tt.fields.checkPermission,
}
err := r.ChangeUserHuman(tt.args.ctx, tt.args.human, tt.args.codeAlg)
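Review bot: The new field type is spelled `encrypedCodeFunc` (missing a "t") in the `fields` struct of both TestCommandSide_AddUserHuman and TestCommandSide_ChangeUserHuman, while the matching helper is `mockEncryptedCode` and the Commands field is `newEncryptedCode`. The type is declared outside this section, so the rename to `encryptedCodeFunc` belongs at its declaration, with these two usages following it. The table field is also still named `newCode` although it now feeds `newEncryptedCode: tt.fields.newCode`; renaming it to `newEncryptedCode` would keep the reversible, encrypted code generator clearly distinct from the `*crypto.Hasher` used for passwords in the same struct. Both test functions start and end outside the visible hunks.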