Catalog: add migration for mock_authentication_nonce setting

The
[SASL/SCRAM](#33468)
PR introduces the need for some stable, cluster wide, cryptographically
random key material. We use this material to be able to present
deterministic challenges for even users that don't exist to guard
against enumeration attacks. 

However that PR made a bad assumption that the initialize step of
catalog opening would always add this new key. But old versions that
have already been initialized wouldn't have it! This PR add code to
generate it for old versions

Author: DAlperin

Cargo.lock

@@ -72,6 +72,7 @@ mz-storage-types = { path = "../storage-types" }
 mz-tracing = { path = "../tracing" }
 mz-transform = { path = "../transform" }
 mz-timestamp-oracle = { path = "../timestamp-oracle" }
+openssl = { version = "0.10.73", features = ["vendored"] }
 opentelemetry = { version = "0.24.0", features = ["trace"] }
 prometheus = { version = "0.13.4", default-features = false }
 prost = { version = "0.13.5", features = ["no-recursion-limit"] }

src/adapter/Cargo.toml

@@ -9,9 +9,10 @@
 
 use std::collections::BTreeMap;
 
+use base64::prelude::*;
 use maplit::btreeset;
 use mz_catalog::builtin::BuiltinTable;
-use mz_catalog::durable::Transaction;
+use mz_catalog::durable::{MOCK_AUTHENTICATION_NONCE_KEY, Transaction};
 use mz_catalog::memory::objects::{BootstrapStateUpdateKind, StateUpdate};
 use mz_ore::collections::CollectionExt;
 use mz_ore::now::NowFn;
@@ -830,6 +831,17 @@ pub(crate) fn durable_migrate(
             Some(BUILTIN_MIGRATION_SHARD_MIGRATION_DONE),
         )?;
     }
+
+    if tx
+        .get_setting(MOCK_AUTHENTICATION_NONCE_KEY.to_string())
+        .is_none()
+    {
+        let mut nonce = [0u8; 24];
+        let _ = openssl::rand::rand_bytes(&mut nonce).expect("failed to generate nonce");
+        let nonce = BASE64_STANDARD.encode(nonce);
+        tx.set_setting(MOCK_AUTHENTICATION_NONCE_KEY.to_string(), Some(nonce))?;
+    }
+
     Ok(())
 }