feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 20:57:31 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/internal/command/main_test.go
+++ b/internal/command/main_test.go
@@ -3,10 +3,13 @@ package command
 import (
 	"context"
 	"database/sql"
+	"strings"
 	"testing"
 	"time"

 	"github.com/golang/mock/gomock"
+	"github.com/zitadel/passwap"
+	"github.com/zitadel/passwap/verifier"
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/crypto"
@@ -293,3 +296,38 @@ func newMockPermissionCheckNotAllowed() domain.PermissionCheck {
 		return errors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied")
 	}
 }
+
+type plainHasher struct {
+	x string // arbitrary info that triggers update when different from encoding
+}
+
+func (h plainHasher) Hash(password string) (string, error) {
+	return strings.Join([]string{"", "plain", h.x, password}, "$"), nil
+}
+
+func (h plainHasher) Verify(encoded, password string) (verifier.Result, error) {
+	nodes := strings.Split(encoded, "$")
+	if len(nodes) != 4 || nodes[1] != "plain" {
+		return verifier.Skip, nil
+	}
+	if nodes[3] != password {
+		return verifier.Fail, nil
+	}
+	if nodes[2] != h.x {
+		return verifier.NeedUpdate, nil
+	}
+	return verifier.OK, nil
+}
+
+// mockPasswordHasher creates a swapper for plain (cleartext) password used in tests.
+// x can be set to arbitrary info which triggers updates when different from the
+// setting in the encoded hashes. (normally cost parameters)
+//
+// With `x` set to "foo", the following encoded string would be produced by Hash:
+// $plain$foo$password
+func mockPasswordHasher(x string) *crypto.PasswordHasher {
+	return &crypto.PasswordHasher{
+		Swapper:  passwap.NewSwapper(plainHasher{x: x}),
+		Prefixes: []string{"$plain$"},
+	}
+}