feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 07:07:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -13,7 +13,6 @@ import (

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/call"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query/projection"
@@ -94,7 +93,7 @@ type Phone struct {
 type Machine struct {
 	Name            string               `json:"name,omitempty"`
 	Description     string               `json:"description,omitempty"`
-	Secret          *crypto.CryptoValue  `json:"secret,omitempty"`
+	EncodedSecret   string               `json:"encoded_hash,omitempty"`
 	AccessTokenType domain.OIDCTokenType `json:"access_token_type,omitempty"`
 }

@@ -827,7 +826,7 @@ func scanUser(row *sql.Row) (*User, error) {
 	machineID := sql.NullString{}
 	name := sql.NullString{}
 	description := sql.NullString{}
-	var secret *crypto.CryptoValue
+	encodedHash := sql.NullString{}
 	accessTokenType := sql.NullInt32{}

 	err := row.Scan(
@@ -857,7 +856,7 @@ func scanUser(row *sql.Row) (*User, error) {
 		&machineID,
 		&name,
 		&description,
-		&secret,
+		&encodedHash,
 		&accessTokenType,
 		&count,
 	)
@@ -890,7 +889,7 @@ func scanUser(row *sql.Row) (*User, error) {
 		u.Machine = &Machine{
 			Name:            name.String,
 			Description:     description.String,
-			Secret:          secret,
+			EncodedSecret:   encodedHash.String,
 			AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 		}
 	}
@@ -1360,7 +1359,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 				machineID := sql.NullString{}
 				name := sql.NullString{}
 				description := sql.NullString{}
-				secret := new(crypto.CryptoValue)
+				encodedHash := sql.NullString{}
 				accessTokenType := sql.NullInt32{}

 				err := rows.Scan(
@@ -1390,7 +1389,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 					&machineID,
 					&name,
 					&description,
-					secret,
+					&encodedHash,
 					&accessTokenType,
 					&count,
 				)
@@ -1422,7 +1421,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 					u.Machine = &Machine{
 						Name:            name.String,
 						Description:     description.String,
-						Secret:          secret,
+						EncodedSecret:   encodedHash.String,
 						AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 					}
 				}