zitadel/zitadel

[cli/mirror] Allow to reencrypt event payload


As an administrator of ZITADEL, I want to mirror my data to an already existing database, which includes already generated encryption keys, so that I can mirror the data to an already existing database.

The idea is that you can share an instance with other people without sharing your secrets.

Open questions

  • How should the event payload be decrypted and re-encrypted during the mirror?

Acceptance criteria

Additional info

The following events include encrypted data in the payload:

  • idpintent.saml.succeeded: {assertion}

  • idpintent.succeeded: idp{idpAccessToken}

  • instance.idp.oauth.added: {clientSecret}

  • instance.idp.oidc.added: {clientSecret}

  • instance.idp.oidc.migrated.azure: {client_secret}

  • instance.idp.oidc.migrated.google: {clientSecret}

  • instance.idp.azure.added: {client_secret}

  • instance.idp.github.added: {clientSecret}

  • instance.idp.github_enterprise.added: {clientSecret}

  • instance.idp.gitlab.added: {client_secret}

  • instance.idp.gitlab_self_hosted.added: {client_secret}

  • instance.idp.google.added: {clientSecret}

  • instance.idp.ldap.v2.added: {bindPassword}

  • instance.idp.apple.added: {privateKey}

  • instance.idp.saml.added: {key} //TODO: do we need to decrypt the key?

  • iam.idp.oidc.config.added: {clientSecret}

  • org.idp.oauth.added: {clientSecret}

  • org.idp.oidc.added: {clientSecret}

  • org.idp.oidc.migrated.azure: {client_secret}

  • org.idp.oidc.migrated.google: {clientSecret}

  • org.idp.azure.added: {client_secret}

  • org.idp.github.added: {clientSecret}

  • org.idp.github_enterprise.added: {clientSecret}

  • org.idp.gitlab.added: {client_secret}

  • org.idp.gitlab_self_hosted.added: {client_secret}

  • org.idp.google.added: {clientSecret}

  • org.idp.ldap.v2.added: {bindPassword}

  • org.idp.apple.added: {privateKey}

  • org.idp.saml.added: {key} //TODO: do we need to decrypt the key?

  • instance.sms.configtwilio.added: {token}

  • instance.sms.configtwilio.token.changed: {token}

  • instance.smtp.config.password.changed: {password}

  • instance.smtp.config.added: {password}

  • user.human.mfa.otp.added: {otpSecret}

  • key_pair.added: {publicKey}

  • key_pair.certificate.added: {certificate}