feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:27:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/query/introspection.go
+++ b/internal/query/introspection.go
@@ -7,7 +7,6 @@ import (
 	"sync"

 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/query/projection"
@@ -30,11 +29,21 @@ func TriggerIntrospectionProjections(ctx context.Context) {
 	triggerBatch(ctx, introspectionTriggerHandlers()...)
 }

+type AppType string
+
+const (
+	AppTypeAPI  = "api"
+	AppTypeOIDC = "oidc"
+)
+
 type IntrospectionClient struct {
-	ClientID     string
-	ClientSecret *crypto.CryptoValue
-	ProjectID    string
-	PublicKeys   database.Map[[]byte]
+	AppID         string
+	ClientID      string
+	HashedSecret  string
+	AppType       AppType
+	ProjectID     string
+	ResourceOwner string
+	PublicKeys    database.Map[[]byte]
 }

 //go:embed embed/introspection_client_by_id.sql
@@ -50,7 +59,15 @@ func (q *Queries) GetIntrospectionClientByID(ctx context.Context, clientID strin
 	)

 	err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
-		return row.Scan(&client.ClientID, &client.ClientSecret, &client.ProjectID, &client.PublicKeys)
+		return row.Scan(
+			&client.AppID,
+			&client.ClientID,
+			&client.HashedSecret,
+			&client.AppType,
+			&client.ProjectID,
+			&client.ResourceOwner,
+			&client.PublicKeys,
+		)
 	},
 		introspectionClientByIDQuery,
 		instanceID, clientID, getKeys,