mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:27:42 +00:00
feat(crypto): use passwap for machine and app secrets (#7657)
* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Tim Möhlmann
@@ -11,7 +11,7 @@ type APIApp struct {
|
||||
AppID string
|
||||
AppName string
|
||||
ClientID string
|
||||
ClientSecret *crypto.CryptoValue
|
||||
EncodedHash string
|
||||
ClientSecretString string
|
||||
AuthMethodType APIAuthMethodType
|
||||
|
||||
@@ -41,21 +41,21 @@ func (a *APIApp) setClientID(clientID string) {
|
||||
a.ClientID = clientID
|
||||
}
|
||||
|
||||
func (a *APIApp) setClientSecret(clientSecret *crypto.CryptoValue) {
|
||||
a.ClientSecret = clientSecret
|
||||
func (a *APIApp) setClientSecret(encodedHash string) {
|
||||
a.EncodedHash = encodedHash
|
||||
}
|
||||
|
||||
func (a *APIApp) requiresClientSecret() bool {
|
||||
return a.AuthMethodType == APIAuthMethodTypeBasic
|
||||
}
|
||||
|
||||
func (a *APIApp) GenerateClientSecretIfNeeded(generator crypto.Generator) (secret string, err error) {
|
||||
func (a *APIApp) GenerateClientSecretIfNeeded(generator *crypto.HashGenerator) (plain string, err error) {
|
||||
if a.AuthMethodType == APIAuthMethodTypePrivateKeyJWT {
|
||||
return "", nil
|
||||
}
|
||||
a.ClientSecret, secret, err = NewClientSecret(generator)
|
||||
a.EncodedHash, plain, err = generator.NewCode()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return secret, nil
|
||||
return plain, nil
|
||||
}
|
||||
|
||||
@@ -4,16 +4,12 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/zitadel/logging"
|
||||
|
||||
"github.com/zitadel/zitadel/internal/crypto"
|
||||
"github.com/zitadel/zitadel/internal/id"
|
||||
"github.com/zitadel/zitadel/internal/zerrors"
|
||||
)
|
||||
|
||||
type oAuthApplication interface {
|
||||
setClientID(clientID string)
|
||||
setClientSecret(secret *crypto.CryptoValue)
|
||||
setClientSecret(encodedHash string)
|
||||
requiresClientSecret() bool
|
||||
}
|
||||
|
||||
@@ -37,23 +33,14 @@ func NewClientID(idGenerator id.Generator, projectName string) (string, error) {
|
||||
return fmt.Sprintf("%s@%s", rndID, strings.ReplaceAll(strings.ToLower(projectName), " ", "_")), nil
|
||||
}
|
||||
|
||||
func SetNewClientSecretIfNeeded(a oAuthApplication, generator crypto.Generator) (string, error) {
|
||||
func SetNewClientSecretIfNeeded(a oAuthApplication, generate func() (encodedHash, plain string, err error)) (string, error) {
|
||||
if !a.requiresClientSecret() {
|
||||
return "", nil
|
||||
}
|
||||
clientSecret, secretString, err := NewClientSecret(generator)
|
||||
encodedHash, plain, err := generate()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
a.setClientSecret(clientSecret)
|
||||
return secretString, nil
|
||||
}
|
||||
|
||||
func NewClientSecret(generator crypto.Generator) (*crypto.CryptoValue, string, error) {
|
||||
cryptoValue, stringSecret, err := crypto.NewCode(generator)
|
||||
if err != nil {
|
||||
logging.Log("MODEL-UpnTI").OnError(err).Error("unable to create client secret")
|
||||
return nil, "", zerrors.ThrowInternal(err, "MODEL-gH2Wl", "Errors.Project.CouldNotGenerateClientSecret")
|
||||
}
|
||||
return cryptoValue, stringSecret, nil
|
||||
a.setClientSecret(encodedHash)
|
||||
return plain, nil
|
||||
}
|
||||
|
||||
@@ -5,7 +5,6 @@ import (
|
||||
"time"
|
||||
|
||||
http_util "github.com/zitadel/zitadel/internal/api/http"
|
||||
"github.com/zitadel/zitadel/internal/crypto"
|
||||
"github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
)
|
||||
|
||||
@@ -28,7 +27,7 @@ type OIDCApp struct {
|
||||
AppID string
|
||||
AppName string
|
||||
ClientID string
|
||||
ClientSecret *crypto.CryptoValue
|
||||
EncodedHash string
|
||||
ClientSecretString string
|
||||
RedirectUris []string
|
||||
ResponseTypes []OIDCResponseType
|
||||
@@ -62,8 +61,8 @@ func (a *OIDCApp) setClientID(clientID string) {
|
||||
a.ClientID = clientID
|
||||
}
|
||||
|
||||
func (a *OIDCApp) setClientSecret(clientSecret *crypto.CryptoValue) {
|
||||
a.ClientSecret = clientSecret
|
||||
func (a *OIDCApp) setClientSecret(encodedHash string) {
|
||||
a.EncodedHash = encodedHash
|
||||
}
|
||||
|
||||
func (a *OIDCApp) requiresClientSecret() bool {
|
||||
|
||||
@@ -4,6 +4,8 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"github.com/zitadel/zitadel/internal/crypto"
|
||||
es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/zitadel/zitadel/internal/zerrors"
|
||||
@@ -102,10 +104,10 @@ func (u *Human) EnsureDisplayName() {
|
||||
u.DisplayName = u.Username
|
||||
}
|
||||
|
||||
func (u *Human) HashPasswordIfExisting(policy *PasswordComplexityPolicy, hasher *crypto.PasswordHasher, onetime bool) error {
|
||||
func (u *Human) HashPasswordIfExisting(ctx context.Context, policy *PasswordComplexityPolicy, hasher *crypto.Hasher, onetime bool) error {
|
||||
if u.Password != nil {
|
||||
u.Password.ChangeRequired = onetime
|
||||
return u.Password.HashPasswordIfExisting(policy, hasher)
|
||||
return u.Password.HashPasswordIfExisting(ctx, policy, hasher)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
package domain
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
"github.com/zitadel/zitadel/internal/crypto"
|
||||
es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
|
||||
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
||||
"github.com/zitadel/zitadel/internal/zerrors"
|
||||
)
|
||||
|
||||
@@ -30,7 +32,7 @@ type PasswordCode struct {
|
||||
NotificationType NotificationType
|
||||
}
|
||||
|
||||
func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, hasher *crypto.PasswordHasher) error {
|
||||
func (p *Password) HashPasswordIfExisting(ctx context.Context, policy *PasswordComplexityPolicy, hasher *crypto.Hasher) error {
|
||||
if p.SecretString == "" {
|
||||
return nil
|
||||
}
|
||||
@@ -40,7 +42,9 @@ func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, hash
|
||||
if err := policy.Check(p.SecretString); err != nil {
|
||||
return err
|
||||
}
|
||||
_, spanHash := tracing.NewNamedSpan(ctx, "passwap.Hash")
|
||||
encoded, err := hasher.Hash(p.SecretString)
|
||||
spanHash.EndWithError(err)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
package domain
|
||||
|
||||
import (
|
||||
"github.com/zitadel/zitadel/internal/crypto"
|
||||
"github.com/zitadel/zitadel/internal/zerrors"
|
||||
)
|
||||
|
||||
func NewMachineClientSecret(generator crypto.Generator) (*crypto.CryptoValue, string, error) {
|
||||
cryptoValue, stringSecret, err := crypto.NewCode(generator)
|
||||
if err != nil {
|
||||
return nil, "", zerrors.ThrowInternal(err, "MODEL-57cjsiw", "Errors.User.Machine.Secret.CouldNotGenerate")
|
||||
}
|
||||
return cryptoValue, stringSecret, nil
|
||||
}
|
||||
Reference in New Issue
Block a user