feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/repository/project/api_config.go

@@ -15,14 +15,20 @@ const (
 	APIConfigSecretChangedType        = applicationEventTypePrefix + "config.api.secret.changed"
 	APIClientSecretCheckSucceededType = applicationEventTypePrefix + "api.secret.check.succeeded"
 	APIClientSecretCheckFailedType    = applicationEventTypePrefix + "api.secret.check.failed"
+	APIConfigSecretHashUpdatedType    = applicationEventTypePrefix + "config.api.secret.updated"
 )
 
 type APIConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	AppID          string                   `json:"appId"`
-	ClientID       string                   `json:"clientId,omitempty"`
-	ClientSecret   *crypto.CryptoValue      `json:"clientSecret,omitempty"`
+	AppID    string `json:"appId"`
+	ClientID string `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
 	AuthMethodType domain.APIAuthMethodType `json:"authMethodType,omitempty"`
 }
 
@@ -39,7 +45,7 @@ func NewAPIConfigAddedEvent(
 	aggregate *eventstore.Aggregate,
 	appID,
 	clientID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 	authMethodType domain.APIAuthMethodType,
 ) *APIConfigAddedEvent {
 	return &APIConfigAddedEvent{
@@ -50,7 +56,7 @@ func NewAPIConfigAddedEvent(
 		),
 		AppID:          appID,
 		ClientID:       clientID,
-		ClientSecret:   clientSecret,
+		HashedSecret:   hashedSecret,
 		AuthMethodType: authMethodType,
 	}
 }
@@ -91,7 +97,6 @@ type APIConfigChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
 	AppID          string                    `json:"appId"`
-	ClientSecret   *crypto.CryptoValue       `json:"clientSecret,omitempty"`
 	AuthMethodType *domain.APIAuthMethodType `json:"authMethodType,omitempty"`
 }
 
@@ -151,8 +156,12 @@ func APIConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, erro
 type APIConfigSecretChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	AppID        string              `json:"appId"`
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }
 
 func (e *APIConfigSecretChangedEvent) Payload() interface{} {
@@ -167,7 +176,7 @@ func NewAPIConfigSecretChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	appID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *APIConfigSecretChangedEvent {
 	return &APIConfigSecretChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -176,7 +185,7 @@ func NewAPIConfigSecretChangedEvent(
 			APIConfigSecretChangedType,
 		),
 		AppID:        appID,
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }
 
@@ -276,3 +285,39 @@ func APIConfigSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.E
 
 	return e, nil
 }
+
+type APIConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewAPIConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *APIConfigSecretHashUpdatedEvent {
+	return &APIConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}

internal/repository/project/eventstore.go

@@ -37,9 +37,11 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretChangedType, OIDCConfigSecretChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCClientSecretCheckSucceededType, OIDCConfigSecretCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCClientSecretCheckFailedType, OIDCConfigSecretCheckFailedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretHashUpdatedType, eventstore.GenericEventMapper[OIDCConfigSecretHashUpdatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigAddedType, APIConfigAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigChangedType, APIConfigChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretChangedType, APIConfigSecretChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretHashUpdatedType, eventstore.GenericEventMapper[APIConfigSecretHashUpdatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, SAMLConfigAddedType, SAMLConfigAddedEventMapper)

internal/repository/project/oidc_config.go

@@ -16,15 +16,21 @@ const (
 	OIDCConfigSecretChangedType        = applicationEventTypePrefix + "config.oidc.secret.changed"
 	OIDCClientSecretCheckSucceededType = applicationEventTypePrefix + "oidc.secret.check.succeeded"
 	OIDCClientSecretCheckFailedType    = applicationEventTypePrefix + "oidc.secret.check.failed"
+	OIDCConfigSecretHashUpdatedType    = applicationEventTypePrefix + "config.oidc.secret.updated"
 )
 
 type OIDCConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	Version                  domain.OIDCVersion         `json:"oidcVersion,omitempty"`
-	AppID                    string                     `json:"appId"`
-	ClientID                 string                     `json:"clientId,omitempty"`
-	ClientSecret             *crypto.CryptoValue        `json:"clientSecret,omitempty"`
+	Version  domain.OIDCVersion `json:"oidcVersion,omitempty"`
+	AppID    string             `json:"appId"`
+	ClientID string             `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
 	RedirectUris             []string                   `json:"redirectUris,omitempty"`
 	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
 	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
@@ -55,7 +61,7 @@ func NewOIDCConfigAddedEvent(
 	version domain.OIDCVersion,
 	appID string,
 	clientID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 	redirectUris []string,
 	responseTypes []domain.OIDCResponseType,
 	grantTypes []domain.OIDCGrantType,
@@ -80,7 +86,7 @@ func NewOIDCConfigAddedEvent(
 		Version:                  version,
 		AppID:                    appID,
 		ClientID:                 clientID,
-		ClientSecret:             clientSecret,
+		HashedSecret:             hashedSecret,
 		RedirectUris:             redirectUris,
 		ResponseTypes:            responseTypes,
 		GrantTypes:               grantTypes,
@@ -357,8 +363,12 @@ func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, err
 type OIDCConfigSecretChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	AppID        string              `json:"appId"`
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }
 
 func (e *OIDCConfigSecretChangedEvent) Payload() interface{} {
@@ -373,7 +383,7 @@ func NewOIDCConfigSecretChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	appID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *OIDCConfigSecretChangedEvent {
 	return &OIDCConfigSecretChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -382,7 +392,7 @@ func NewOIDCConfigSecretChangedEvent(
 			OIDCConfigSecretChangedType,
 		),
 		AppID:        appID,
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }
 
@@ -482,3 +492,39 @@ func OIDCConfigSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.
 
 	return e, nil
 }
+
+type OIDCConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewOIDCConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *OIDCConfigSecretHashUpdatedEvent {
+	return &OIDCConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}

internal/repository/user/eventstore.go

@@ -135,4 +135,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretRemovedType, MachineSecretRemovedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretCheckSucceededType, MachineSecretCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretCheckFailedType, MachineSecretCheckFailedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretHashUpdatedType, eventstore.GenericEventMapper[MachineSecretHashUpdatedEvent])
 }

internal/repository/user/human_password.go

@@ -314,12 +314,3 @@ func NewHumanPasswordHashUpdatedEvent(
 		EncodedHash: encoded,
 	}
 }
-
-// SecretOrEncodedHash returns the legacy *crypto.CryptoValue if it is not nil.
-// orherwise it will returns the encoded hash string.
-func SecretOrEncodedHash(secret *crypto.CryptoValue, encoded string) string {
-	if secret != nil {
-		return string(secret.Crypted)
-	}
-	return encoded
-}

internal/repository/user/machine_secret.go

@@ -11,6 +11,7 @@ import (
 const (
 	machineSecretPrefix             = machineEventPrefix + "secret."
 	MachineSecretSetType            = machineSecretPrefix + "set"
+	MachineSecretHashUpdatedType    = machineSecretPrefix + "updated"
 	MachineSecretRemovedType        = machineSecretPrefix + "removed"
 	MachineSecretCheckSucceededType = machineSecretPrefix + "check.succeeded"
 	MachineSecretCheckFailedType    = machineSecretPrefix + "check.failed"
@@ -19,7 +20,10 @@ const (
 type MachineSecretSetEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }
 
 func (e *MachineSecretSetEvent) Payload() interface{} {
@@ -33,7 +37,7 @@ func (e *MachineSecretSetEvent) UniqueConstraints() []*eventstore.UniqueConstrai
 func NewMachineSecretSetEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *MachineSecretSetEvent {
 	return &MachineSecretSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -41,7 +45,7 @@ func NewMachineSecretSetEvent(
 			aggregate,
 			MachineSecretSetType,
 		),
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }
 
@@ -167,3 +171,35 @@ func MachineSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.Eve
 
 	return check, nil
 }
+
+type MachineSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+	HashedSecret          string `json:"hashedSecret,omitempty"`
+}
+
+func NewMachineSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	encoded string,
+) *MachineSecretHashUpdatedEvent {
+	return &MachineSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretHashUpdatedType,
+		),
+		HashedSecret: encoded,
+	}
+}
+
+func (e *MachineSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *MachineSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *MachineSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}