feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:37:31 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/crypto/passwap.go
+++ b/internal/crypto/passwap.go
@@ -16,12 +16,12 @@ import (
 	"github.com/zitadel/zitadel/internal/zerrors"
 )

-type PasswordHasher struct {
+type Hasher struct {
 	*passwap.Swapper
 	Prefixes []string
 }

-func (h *PasswordHasher) EncodingSupported(encodedHash string) bool {
+func (h *Hasher) EncodingSupported(encodedHash string) bool {
 	for _, prefix := range h.Prefixes {
 		if strings.HasPrefix(encodedHash, prefix) {
 			return true
@@ -54,12 +54,12 @@ const (
 	HashModeSHA512 HashMode = "sha512"
 )

-type PasswordHashConfig struct {
+type HashConfig struct {
 	Verifiers []HashName
 	Hasher    HasherConfig
 }

-func (c *PasswordHashConfig) PasswordHasher() (*PasswordHasher, error) {
+func (c *HashConfig) NewHasher() (*Hasher, error) {
 	verifiers, vPrefixes, err := c.buildVerifiers()
 	if err != nil {
 		return nil, zerrors.ThrowInvalidArgument(err, "CRYPT-sahW9", "password hash config invalid")
@@ -68,7 +68,7 @@ func (c *PasswordHashConfig) PasswordHasher() (*PasswordHasher, error) {
 	if err != nil {
 		return nil, zerrors.ThrowInvalidArgument(err, "CRYPT-Que4r", "password hash config invalid")
 	}
-	return &PasswordHasher{
+	return &Hasher{
 		Swapper:  passwap.NewSwapper(hasher, verifiers...),
 		Prefixes: append(hPrefixes, vPrefixes...),
 	}, nil
@@ -105,7 +105,7 @@ var knowVerifiers = map[HashName]prefixVerifier{
 	},
 }

-func (c *PasswordHashConfig) buildVerifiers() (verifiers []verifier.Verifier, prefixes []string, err error) {
+func (c *HashConfig) buildVerifiers() (verifiers []verifier.Verifier, prefixes []string, err error) {
 	verifiers = make([]verifier.Verifier, len(c.Verifiers))
 	prefixes = make([]string, 0, len(c.Verifiers)+1)
 	for i, name := range c.Verifiers {