feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:17:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/repository/user/machine_secret.go
+++ b/internal/repository/user/machine_secret.go
@@ -11,6 +11,7 @@ import (
 const (
 	machineSecretPrefix             = machineEventPrefix + "secret."
 	MachineSecretSetType            = machineSecretPrefix + "set"
+	MachineSecretHashUpdatedType    = machineSecretPrefix + "updated"
 	MachineSecretRemovedType        = machineSecretPrefix + "removed"
 	MachineSecretCheckSucceededType = machineSecretPrefix + "check.succeeded"
 	MachineSecretCheckFailedType    = machineSecretPrefix + "check.failed"
@@ -19,7 +20,10 @@ const (
 type MachineSecretSetEvent struct {
 	eventstore.BaseEvent `json:"-"`

+	// New events only use EncodedHash. However, the ClientSecret field
+	// is preserved to handle events older than the switch to Passwap.
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	HashedSecret string              `json:"hashedSecret,omitempty"`
 }

 func (e *MachineSecretSetEvent) Payload() interface{} {
@@ -33,7 +37,7 @@ func (e *MachineSecretSetEvent) UniqueConstraints() []*eventstore.UniqueConstrai
 func NewMachineSecretSetEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	clientSecret *crypto.CryptoValue,
+	hashedSecret string,
 ) *MachineSecretSetEvent {
 	return &MachineSecretSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -41,7 +45,7 @@ func NewMachineSecretSetEvent(
 			aggregate,
 			MachineSecretSetType,
 		),
-		ClientSecret: clientSecret,
+		HashedSecret: hashedSecret,
 	}
 }

@@ -167,3 +171,35 @@ func MachineSecretCheckFailedEventMapper(event eventstore.Event) (eventstore.Eve

 	return check, nil
 }
+
+type MachineSecretHashUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+	HashedSecret          string `json:"hashedSecret,omitempty"`
+}
+
+func NewMachineSecretHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	encoded string,
+) *MachineSecretHashUpdatedEvent {
+	return &MachineSecretHashUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineSecretHashUpdatedType,
+		),
+		HashedSecret: encoded,
+	}
+}
+
+func (e *MachineSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *MachineSecretHashUpdatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *MachineSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}