mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 19:17:32 +00:00
feat(crypto): use passwap for machine and app secrets (#7657)
* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Tim Möhlmann
@@ -135,4 +135,5 @@ func init() {
|
||||
eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretRemovedType, MachineSecretRemovedEventMapper)
|
||||
eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretCheckSucceededType, MachineSecretCheckSucceededEventMapper)
|
||||
eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretCheckFailedType, MachineSecretCheckFailedEventMapper)
|
||||
eventstore.RegisterFilterEventMapper(AggregateType, MachineSecretHashUpdatedType, eventstore.GenericEventMapper[MachineSecretHashUpdatedEvent])
|
||||
}
|
||||
|
||||
@@ -314,12 +314,3 @@ func NewHumanPasswordHashUpdatedEvent(
|
||||
EncodedHash: encoded,
|
||||
}
|
||||
}
|
||||
|
||||
// SecretOrEncodedHash returns the legacy *crypto.CryptoValue if it is not nil.
|
||||
// orherwise it will returns the encoded hash string.
|
||||
func SecretOrEncodedHash(secret *crypto.CryptoValue, encoded string) string {
|
||||
if secret != nil {
|
||||
return string(secret.Crypted)
|
||||
}
|
||||
return encoded
|
||||
}
|
||||
|
||||
@@ -11,6 +11,7 @@ import (
|
||||
const (
|
||||
machineSecretPrefix = machineEventPrefix + "secret."
|
||||
MachineSecretSetType = machineSecretPrefix + "set"
|
||||
MachineSecretHashUpdatedType = machineSecretPrefix + "updated"
|
||||
MachineSecretRemovedType = machineSecretPrefix + "removed"
|
||||
MachineSecretCheckSucceededType = machineSecretPrefix + "check.succeeded"
|
||||
MachineSecretCheckFailedType = machineSecretPrefix + "check.failed"
|
||||
@@ -19,7 +20,10 @@ const (
|
||||
type MachineSecretSetEvent struct {
|
||||
eventstore.BaseEvent `json:"-"`
|
||||
|
||||
// New events only use EncodedHash. However, the ClientSecret field
|
||||
// is preserved to handle events older than the switch to Passwap.
|
||||
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
||||
HashedSecret string `json:"hashedSecret,omitempty"`
|
||||
}
|
||||
|
||||
func (e *MachineSecretSetEvent) Payload() interface{} {
|
||||
@@ -33,7 +37,7 @@ func (e *MachineSecretSetEvent) UniqueConstraints() []*eventstore.UniqueConstrai
|
||||
func NewMachineSecretSetEvent(
|
||||
ctx context.Context,
|
||||
aggregate *eventstore.Aggregate,
|
||||
clientSecret *crypto.CryptoValue,
|
||||
hashedSecret string,
|
||||
) *MachineSecretSetEvent {
|
||||
return &MachineSecretSetEvent{
|
||||
BaseEvent: *eventstore.NewBaseEventForPush(
|
||||
@@ -41,7 +45,7 @@ func NewMachineSecretSetEvent(
|
||||
aggregate,
|
||||
MachineSecretSetType,
|
||||
),
|
||||
ClientSecret: clientSecret,
|
||||
HashedSecret: hashedSecret,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -167,3 +171,35 @@ func MachineSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.Eve
|
||||
|
||||
return check, nil
|
||||
}
|
||||
|
||||
type MachineSecretHashUpdatedEvent struct {
|
||||
*eventstore.BaseEvent `json:"-"`
|
||||
HashedSecret string `json:"hashedSecret,omitempty"`
|
||||
}
|
||||
|
||||
func NewMachineSecretHashUpdatedEvent(
|
||||
ctx context.Context,
|
||||
aggregate *eventstore.Aggregate,
|
||||
encoded string,
|
||||
) *MachineSecretHashUpdatedEvent {
|
||||
return &MachineSecretHashUpdatedEvent{
|
||||
BaseEvent: eventstore.NewBaseEventForPush(
|
||||
ctx,
|
||||
aggregate,
|
||||
MachineSecretHashUpdatedType,
|
||||
),
|
||||
HashedSecret: encoded,
|
||||
}
|
||||
}
|
||||
|
||||
func (e *MachineSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
|
||||
e.BaseEvent = b
|
||||
}
|
||||
|
||||
func (e *MachineSecretHashUpdatedEvent) Payload() interface{} {
|
||||
return e
|
||||
}
|
||||
|
||||
func (e *MachineSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user