feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/crypto/code.go

@@ -26,7 +26,7 @@ type GeneratorConfig struct {
 type Generator interface {
 	Length() uint
 	Expiry() time.Duration
-	Alg() Crypto
+	Alg() EncryptionAlgorithm
 	Runes() []rune
 }
 
@@ -53,7 +53,7 @@ type encryptionGenerator struct {
 	alg EncryptionAlgorithm
 }
 
-func (g *encryptionGenerator) Alg() Crypto {
+func (g *encryptionGenerator) Alg() EncryptionAlgorithm {
 	return g.alg
 }
 
@@ -64,22 +64,30 @@ func NewEncryptionGenerator(config GeneratorConfig, algorithm EncryptionAlgorith
 	}
 }
 
-type hashGenerator struct {
+type HashGenerator struct {
 	generator
-	alg HashAlgorithm
+	hasher *Hasher
 }
 
-func (g *hashGenerator) Alg() Crypto {
-	return g.alg
-}
-
-func NewHashGenerator(config GeneratorConfig, algorithm HashAlgorithm) Generator {
-	return &hashGenerator{
+func NewHashGenerator(config GeneratorConfig, hasher *Hasher) *HashGenerator {
+	return &HashGenerator{
 		newGenerator(config),
-		algorithm,
+		hasher,
 	}
 }
 
+func (g *HashGenerator) NewCode() (encoded, plain string, err error) {
+	plain, err = GenerateRandomString(g.Length(), g.Runes())
+	if err != nil {
+		return "", "", err
+	}
+	encoded, err = g.hasher.Hash(plain)
+	if err != nil {
+		return "", "", err
+	}
+	return encoded, plain, nil
+}
+
 func newGenerator(config GeneratorConfig) generator {
 	var runes []rune
 	if config.IncludeLowerLetters {
@@ -120,21 +128,11 @@ func IsCodeExpired(creationDate time.Time, expiry time.Duration) bool {
 	return creationDate.Add(expiry).Before(time.Now().UTC())
 }
 
-func VerifyCode(creationDate time.Time, expiry time.Duration, cryptoCode *CryptoValue, verificationCode string, g Generator) error {
-	return VerifyCodeWithAlgorithm(creationDate, expiry, cryptoCode, verificationCode, g.Alg())
-}
-
-func VerifyCodeWithAlgorithm(creationDate time.Time, expiry time.Duration, cryptoCode *CryptoValue, verificationCode string, algorithm Crypto) error {
+func VerifyCode(creationDate time.Time, expiry time.Duration, cryptoCode *CryptoValue, verificationCode string, algorithm EncryptionAlgorithm) error {
 	if IsCodeExpired(creationDate, expiry) {
 		return zerrors.ThrowPreconditionFailed(nil, "CODE-QvUQ4P", "Errors.User.Code.Expired")
 	}
-	switch alg := algorithm.(type) {
-	case EncryptionAlgorithm:
-		return verifyEncryptedCode(cryptoCode, verificationCode, alg)
-	case HashAlgorithm:
-		return verifyHashedCode(cryptoCode, verificationCode, alg)
-	}
-	return zerrors.ThrowInvalidArgument(nil, "CODE-fW2gNa", "Errors.User.Code.GeneratorAlgNotSupported")
+	return verifyEncryptedCode(cryptoCode, verificationCode, algorithm)
 }
 
 func GenerateRandomString(length uint, chars []rune) (string, error) {
@@ -173,10 +171,3 @@ func verifyEncryptedCode(cryptoCode *CryptoValue, verificationCode string, alg E
 	}
 	return nil
 }
-
-func verifyHashedCode(cryptoCode *CryptoValue, verificationCode string, alg HashAlgorithm) error {
-	if cryptoCode == nil {
-		return zerrors.ThrowInvalidArgument(nil, "CRYPT-2q3r", "cryptoCode must not be nil")
-	}
-	return CompareHash(cryptoCode, []byte(verificationCode), alg)
-}