feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/crypto/crypto.go

@@ -13,12 +13,8 @@ const (
 	TypeHash                  // Depcrecated: use [passwap.Swapper] instead
 )
 
-type Crypto interface {
-	Algorithm() string
-}
-
 type EncryptionAlgorithm interface {
-	Crypto
+	Algorithm() string
 	EncryptionKeyID() string
 	DecryptionKeyIDs() []string
 	Encrypt(value []byte) ([]byte, error)
@@ -26,13 +22,6 @@ type EncryptionAlgorithm interface {
 	DecryptString(hashed []byte, keyID string) (string, error)
 }
 
-// Depcrecated: use [passwap.Swapper] instead
-type HashAlgorithm interface {
-	Crypto
-	Hash(value []byte) ([]byte, error)
-	CompareHash(hashed, comparer []byte) error
-}
-
 type CryptoValue struct {
 	CryptoType CryptoType
 	Algorithm  string
@@ -59,14 +48,8 @@ func (c *CryptoValue) Scan(src interface{}) error {
 
 type CryptoType int
 
-func Crypt(value []byte, c Crypto) (*CryptoValue, error) {
-	switch alg := c.(type) {
-	case EncryptionAlgorithm:
-		return Encrypt(value, alg)
-	case HashAlgorithm:
-		return Hash(value, alg)
-	}
-	return nil, zerrors.ThrowInternal(nil, "CRYPT-r4IaHZ", "algorithm not supported")
+func Crypt(value []byte, alg EncryptionAlgorithm) (*CryptoValue, error) {
+	return Encrypt(value, alg)
 }
 
 func Encrypt(value []byte, alg EncryptionAlgorithm) (*CryptoValue, error) {
@@ -108,33 +91,6 @@ func checkEncryptionAlgorithm(value *CryptoValue, alg EncryptionAlgorithm) error
 	return zerrors.ThrowInvalidArgument(nil, "CRYPT-Kq12vn", "value was encrypted with a different key")
 }
 
-func Hash(value []byte, alg HashAlgorithm) (*CryptoValue, error) {
-	hashed, err := alg.Hash(value)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "CRYPT-rBVaJU", "error hashing value")
-	}
-	return &CryptoValue{
-		CryptoType: TypeHash,
-		Algorithm:  alg.Algorithm(),
-		Crypted:    hashed,
-	}, nil
-}
-
-func CompareHash(value *CryptoValue, comparer []byte, alg HashAlgorithm) error {
-	if value.Algorithm != alg.Algorithm() {
-		return zerrors.ThrowInvalidArgument(nil, "CRYPT-HF32f", "value was hashed with a different algorithm")
-	}
-	return alg.CompareHash(value.Crypted, comparer)
-}
-
-func FillHash(value []byte, alg HashAlgorithm) *CryptoValue {
-	return &CryptoValue{
-		CryptoType: TypeHash,
-		Algorithm:  alg.Algorithm(),
-		Crypted:    value,
-	}
-}
-
 func CheckToken(alg EncryptionAlgorithm, token string, content string) error {
 	if token == "" {
 		return zerrors.ThrowPermissionDenied(nil, "CRYPTO-Sfefs", "Errors.Intent.InvalidToken")
@@ -152,3 +108,12 @@ func CheckToken(alg EncryptionAlgorithm, token string, content string) error {
 	}
 	return nil
 }
+
+// SecretOrEncodedHash returns the Crypted value from legacy [CryptoValue] if it is not nil.
+// otherwise it will returns the encoded hash string.
+func SecretOrEncodedHash(secret *CryptoValue, encoded string) string {
+	if secret != nil {
+		return string(secret.Crypted)
+	}
+	return encoded
+}