mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-12 11:04:25 +00:00
bc9a85daf3
* feat(import): add functionality to import data into an instance * feat(import): move import to admin api and additional checks for nil pointer * fix(export): export implementation with filtered members and grants * fix: export and import implementation * fix: add possibility to export hashed passwords with the user * fix(import): import with structure of v1 and v2 * docs: add v1 proto * fix(import): check im imported user is already existing * fix(import): add otp import function * fix(import): add external idps, domains, custom text and messages * fix(import): correct usage of default values from login policy * fix(export): fix renaming of add project function * fix(import): move checks for unit tests * expect filter * fix(import): move checks for unit tests * fix(import): move checks for unit tests * fix(import): produce prerelease from branch * fix(import): correctly use provided user id for machine user imports * fix(import): corrected otp import and added guide for export and import * fix: import verified and primary domains * fix(import): add reading from gcs, s3 and localfile with tracing * fix(import): gcs and s3, file size correction and error logging * Delete docker-compose.yml * fix(import): progress logging and count of resources * fix(import): progress logging and count of resources * log subscription * fix(import): incorporate review * fix(import): incorporate review * docs: add suggestion for import Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * fix(import): add verification otp event and handling of deleted but existing users Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
135 lines
3.2 KiB
Go
135 lines
3.2 KiB
Go
package crypto
|
|
|
|
import (
|
|
"database/sql/driver"
|
|
"encoding/json"
|
|
|
|
"github.com/zitadel/zitadel/internal/errors"
|
|
)
|
|
|
|
const (
|
|
TypeEncryption CryptoType = iota
|
|
TypeHash
|
|
)
|
|
|
|
type Crypto interface {
|
|
Algorithm() string
|
|
}
|
|
|
|
type EncryptionAlgorithm interface {
|
|
Crypto
|
|
EncryptionKeyID() string
|
|
DecryptionKeyIDs() []string
|
|
Encrypt(value []byte) ([]byte, error)
|
|
Decrypt(hashed []byte, keyID string) ([]byte, error)
|
|
DecryptString(hashed []byte, keyID string) (string, error)
|
|
}
|
|
|
|
type HashAlgorithm interface {
|
|
Crypto
|
|
Hash(value []byte) ([]byte, error)
|
|
CompareHash(hashed, comparer []byte) error
|
|
}
|
|
|
|
type CryptoValue struct {
|
|
CryptoType CryptoType
|
|
Algorithm string
|
|
KeyID string
|
|
Crypted []byte
|
|
}
|
|
|
|
func (c *CryptoValue) Value() (driver.Value, error) {
|
|
if c == nil {
|
|
return nil, nil
|
|
}
|
|
return json.Marshal(c)
|
|
}
|
|
|
|
func (c *CryptoValue) Scan(src interface{}) error {
|
|
if b, ok := src.([]byte); ok {
|
|
return json.Unmarshal(b, c)
|
|
}
|
|
if s, ok := src.(string); ok {
|
|
return json.Unmarshal([]byte(s), c)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
type CryptoType int
|
|
|
|
func Crypt(value []byte, c Crypto) (*CryptoValue, error) {
|
|
switch alg := c.(type) {
|
|
case EncryptionAlgorithm:
|
|
return Encrypt(value, alg)
|
|
case HashAlgorithm:
|
|
return Hash(value, alg)
|
|
}
|
|
return nil, errors.ThrowInternal(nil, "CRYPT-r4IaHZ", "algorithm not supported")
|
|
}
|
|
|
|
func Encrypt(value []byte, alg EncryptionAlgorithm) (*CryptoValue, error) {
|
|
encrypted, err := alg.Encrypt(value)
|
|
if err != nil {
|
|
return nil, errors.ThrowInternal(err, "CRYPT-qCD0JB", "error encrypting value")
|
|
}
|
|
return &CryptoValue{
|
|
CryptoType: TypeEncryption,
|
|
Algorithm: alg.Algorithm(),
|
|
KeyID: alg.EncryptionKeyID(),
|
|
Crypted: encrypted,
|
|
}, nil
|
|
}
|
|
|
|
func Decrypt(value *CryptoValue, alg EncryptionAlgorithm) ([]byte, error) {
|
|
if err := checkEncryptionAlgorithm(value, alg); err != nil {
|
|
return nil, err
|
|
}
|
|
return alg.Decrypt(value.Crypted, value.KeyID)
|
|
}
|
|
|
|
func DecryptString(value *CryptoValue, alg EncryptionAlgorithm) (string, error) {
|
|
if err := checkEncryptionAlgorithm(value, alg); err != nil {
|
|
return "", err
|
|
}
|
|
return alg.DecryptString(value.Crypted, value.KeyID)
|
|
}
|
|
|
|
func checkEncryptionAlgorithm(value *CryptoValue, alg EncryptionAlgorithm) error {
|
|
if value.Algorithm != alg.Algorithm() {
|
|
return errors.ThrowInvalidArgument(nil, "CRYPT-Nx7XlT", "value was encrypted with a different key")
|
|
}
|
|
for _, id := range alg.DecryptionKeyIDs() {
|
|
if id == value.KeyID {
|
|
return nil
|
|
}
|
|
}
|
|
return errors.ThrowInvalidArgument(nil, "CRYPT-Kq12vn", "value was encrypted with a different key")
|
|
}
|
|
|
|
func Hash(value []byte, alg HashAlgorithm) (*CryptoValue, error) {
|
|
hashed, err := alg.Hash(value)
|
|
if err != nil {
|
|
return nil, errors.ThrowInternal(err, "CRYPT-rBVaJU", "error hashing value")
|
|
}
|
|
return &CryptoValue{
|
|
CryptoType: TypeHash,
|
|
Algorithm: alg.Algorithm(),
|
|
Crypted: hashed,
|
|
}, nil
|
|
}
|
|
|
|
func CompareHash(value *CryptoValue, comparer []byte, alg HashAlgorithm) error {
|
|
if value.Algorithm != alg.Algorithm() {
|
|
return errors.ThrowInvalidArgument(nil, "CRYPT-HF32f", "value was hashed with a different algorithm")
|
|
}
|
|
return alg.CompareHash(value.Crypted, comparer)
|
|
}
|
|
|
|
func FillHash(value []byte, alg HashAlgorithm) *CryptoValue {
|
|
return &CryptoValue{
|
|
CryptoType: TypeHash,
|
|
Algorithm: alg.Algorithm(),
|
|
Crypted: value,
|
|
}
|
|
}
|