feat(crypto): use passwap for machine and app secrets #7657
Merged
livio-a requested changes Apr 4, 2024
livio-a approved these changes Apr 5, 2024
🎉 This PR is included in version 2.50.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This change introduces the use of passwap for secrets of machine users (client credentials), OIDC and API applications.
Similar to user passwords, hash configuration can now be updated in zitadel's yaml config and secrets get re-hashed when the next verification succeeds.
Config changes
The `SecretGenerators.PasswordSaltCost` options are removed. These were previously set to 14 as a default. If users had custom values for this setting, it will now be ignored.

There is a new config option `SystemDefaults.SecretHasher` which carries passwap related config in the same way we do for human user passwords. If users wish to retain their custom bcrypt cost, `SystemDefaults.SecretHasher.Hasher.Cost` must be set accordingly. The new default cost is 4, which is the minimum required by the bcrypt package.

4 is actually a more than sufficient value. With the defaults of digits, lower and upper case letters, there are 64^62 possible values.
Benchmarking bcrypt on my laptop at cost 4 does around 1275 ops/second. It would take 7.5e108 seconds to go through all possibilities.
Add to that the fact that these are not user passwords, and the ability to brute-force the hashed secrets from the database has no value for an attacker, should they get leaked.
As this feature rehashes on config change, expect all machine user and application secrets to get a `hash.updated` event if no action is taken. This is fine. As the default cost is significantly lowered, there shouldn't be much overhead.

Refactorings
Crypto interface
The CryptoCode interfaces have changed into EncryptedCode interfaces. There is no longer a combined interface for encrypted and hashed codes. The "old style" for generating and verifying codes has been preserved for encrypted codes, such as email, sms codes and many more. The Hashed Code generator is completely separated from this interface now.
Generators
The generators for hashed codes are now moved completely into the `command` package. Previously the generator was obtained from the `query` package and passed into `command`.

Closes #6540
Definition of Ready
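
To estimate how many stored secrets will emit a `hash.updated` event after the cost change described above, an operator can read the cost out of each stored bcrypt string without needing the plaintext. The following is an added example, not code from this PR or from passwap; the function names are hypothetical, and it assumes any difference between stored and configured cost triggers a re-hash, as the description implies for the move from 14 to 4.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// bcryptCost extracts the cost from a bcrypt hash in modular crypt format:
// $2a$<2-digit cost>$<22-char salt><31-char digest>, 60 characters in total.
func bcryptCost(encoded string) (int, error) {
	parts := strings.Split(encoded, "$")
	if len(parts) != 4 || parts[0] != "" || len(encoded) != 60 {
		return 0, errors.New("not a bcrypt hash")
	}
	switch parts[1] {
	case "2a", "2b", "2y":
	default:
		return 0, fmt.Errorf("unknown bcrypt version %q", parts[1])
	}
	if len(parts[2]) != 2 {
		return 0, errors.New("malformed cost field")
	}
	// ParseUint rejects signs, so "+4" is not accepted as a cost.
	cost, err := strconv.ParseUint(parts[2], 10, 8)
	if err != nil || cost < 4 || cost > 31 {
		return 0, fmt.Errorf("invalid bcrypt cost %q", parts[2])
	}
	return int(cost), nil
}

// needsRehash reports whether a stored hash differs from the configured cost
// (assumption: any difference leads to a re-hash on the next successful verify).
func needsRehash(encoded string, configuredCost int) (bool, error) {
	cost, err := bcryptCost(encoded)
	if err != nil {
		return false, err
	}
	return cost != configuredCost, nil
}

func main() {
	// Constructed samples: the cost field is meaningful, salt and digest are filler.
	filler := strings.Repeat("A", 53)
	for _, h := range []string{"$2a$14$" + filler, "$2a$04$" + filler} {
		stale, err := needsRehash(h, 4)
		fmt.Println(h[:7], stale, err)
	}
}
```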