feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:17:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/repository/project/api_config.go
+++ b/internal/repository/project/api_config.go
@@ -15,14 +15,20 @@ const (
 	APIConfigSecretChangedType        = applicationEventTypePrefix + "config.api.secret.changed"
 	APIClientSecretCheckSucceededType = applicationEventTypePrefix + "api.secret.check.succeeded"
 	APIClientSecretCheckFailedType    = applicationEventTypePrefix + "api.secret.check.failed"
+	APIConfigSecretHashUpdatedType    = applicationEventTypePrefix + "config.api.secret.updated"
 )

 type APIConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AppID          string                   `json:"appId"`
-	ClientID       string                   `json:"clientId,omitempty"`
-	ClientSecret   *crypto.CryptoValue      `json:"clientSecret,omitempty"`
+	AppID    string `json:"appId"`
+	ClientID string `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
 	AuthMethodType domain.APIAuthMethodType `json:"authMethodType,omitempty"`
 }

@@ -39,7 +45,7 @@ func NewAPIConfigAddedEvent(
 	aggregate *eventstore.Aggregate,
 	appID,
 	clientID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 	authMethodType domain.APIAuthMethodType,
 ) *APIConfigAddedEvent {
 	return &APIConfigAddedEvent{
@@ -50,7 +56,7 @@ func NewAPIConfigAddedEvent(
 		),
 		AppID:          appID,
 		ClientID:       clientID,
-		ClientSecret:   clientSecret,
+		HashedSecret:   hashedSecret,
 		AuthMethodType: authMethodType,
 	}
 }
@@ -91,7 +97,6 @@ type APIConfigChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	AppID          string                    `json:"appId"`
-	ClientSecret   *crypto.CryptoValue       `json:"clientSecret,omitempty"`
 	AuthMethodType *domain.APIAuthMethodType `json:"authMethodType,omitempty"`
 }

@@ -151,8 +156,12 @@ func APIConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, erro
 type APIConfigSecretChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AppID        string              `json:"appId"`
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }

 func (e *APIConfigSecretChangedEvent) Payload() interface{} {
@@ -167,7 +176,7 @@ func NewAPIConfigSecretChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	appID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *APIConfigSecretChangedEvent {
 	return &APIConfigSecretChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -176,7 +185,7 @@ func NewAPIConfigSecretChangedEvent(
 			APIConfigSecretChangedType,
 		),
 		AppID:        appID,
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }

@@ -276,3 +285,39 @@ func APIConfigSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.E

 	return e, nil
 }
+
+type APIConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewAPIConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *APIConfigSecretHashUpdatedEvent {
+	return &APIConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
--- a/internal/repository/project/eventstore.go
+++ b/internal/repository/project/eventstore.go
@@ -37,9 +37,11 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretChangedType, OIDCConfigSecretChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCClientSecretCheckSucceededType, OIDCConfigSecretCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, OIDCClientSecretCheckFailedType, OIDCConfigSecretCheckFailedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, OIDCConfigSecretHashUpdatedType, eventstore.GenericEventMapper[OIDCConfigSecretHashUpdatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigAddedType, APIConfigAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigChangedType, APIConfigChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretChangedType, APIConfigSecretChangedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, APIConfigSecretHashUpdatedType, eventstore.GenericEventMapper[APIConfigSecretHashUpdatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, SAMLConfigAddedType, SAMLConfigAddedEventMapper)
--- a/internal/repository/project/oidc_config.go
+++ b/internal/repository/project/oidc_config.go
@@ -16,15 +16,21 @@ const (
 	OIDCConfigSecretChangedType        = applicationEventTypePrefix + "config.oidc.secret.changed"
 	OIDCClientSecretCheckSucceededType = applicationEventTypePrefix + "oidc.secret.check.succeeded"
 	OIDCClientSecretCheckFailedType    = applicationEventTypePrefix + "oidc.secret.check.failed"
+	OIDCConfigSecretHashUpdatedType    = applicationEventTypePrefix + "config.oidc.secret.updated"
 )

 type OIDCConfigAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	Version                  domain.OIDCVersion         `json:"oidcVersion,omitempty"`
-	AppID                    string                     `json:"appId"`
-	ClientID                 string                     `json:"clientId,omitempty"`
-	ClientSecret             *crypto.CryptoValue        `json:"clientSecret,omitempty"`
+	Version  domain.OIDCVersion `json:"oidcVersion,omitempty"`
+	AppID    string             `json:"appId"`
+	ClientID string             `json:"clientId,omitempty"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
+
 	RedirectUris             []string                   `json:"redirectUris,omitempty"`
 	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
 	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
@@ -55,7 +61,7 @@ func NewOIDCConfigAddedEvent(
 	version domain.OIDCVersion,
 	appID string,
 	clientID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 	redirectUris []string,
 	responseTypes []domain.OIDCResponseType,
 	grantTypes []domain.OIDCGrantType,
@@ -80,7 +86,7 @@ func NewOIDCConfigAddedEvent(
 		Version:                  version,
 		AppID:                    appID,
 		ClientID:                 clientID,
-		ClientSecret:             clientSecret,
+		HashedSecret:             hashedSecret,
 		RedirectUris:             redirectUris,
 		ResponseTypes:            responseTypes,
 		GrantTypes:               grantTypes,
@@ -357,8 +363,12 @@ func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, err
 type OIDCConfigSecretChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	AppID        string              `json:"appId"`
+	AppID string `json:"appId"`
+
+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }

 func (e *OIDCConfigSecretChangedEvent) Payload() interface{} {
@@ -373,7 +383,7 @@ func NewOIDCConfigSecretChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	appID string,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *OIDCConfigSecretChangedEvent {
 	return &OIDCConfigSecretChangedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -382,7 +392,7 @@ func NewOIDCConfigSecretChangedEvent(
 			OIDCConfigSecretChangedType,
 		),
 		AppID:        appID,
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }

@@ -482,3 +492,39 @@ func OIDCConfigSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.

 	return e, nil
 }
+
+type OIDCConfigSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	AppID        string `json:"appId"`
+	HashedSecret string `json:"hashedSecret,omitempty"`
+}
+
+func NewOIDCConfigSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	hashedSecret string,
+) *OIDCConfigSecretHashUpdatedEvent {
+	return &OIDCConfigSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretHashUpdatedType,
+		),
+		AppID:        appID,
+		HashedSecret: hashedSecret,
+	}
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}