dbcrypt
sreya committed Sep 13, 2024
commit 8980d32be53fc67a3fae667d11d87ea2293ac10c
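--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -907,8 +907,9 @@ func CryptoKey(t testing.TB, db database.Store, seed database.CryptoKey) databas
 String: hex.EncodeToString(b),
 Valid: true,
 }),
-Feature: takeFirst(seed.Feature, database.CryptoKeyFeatureWorkspaceApps),
-StartsAt: takeFirst(seed.StartsAt, time.Now()),
+SecretKeyID: takeFirst(seed.SecretKeyID, sql.NullString{}),
+Feature: takeFirst(seed.Feature, database.CryptoKeyFeatureWorkspaceApps),
+StartsAt: takeFirst(seed.StartsAt, time.Now()),
 })
 require.NoError(t, err, "insert crypto key")
 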
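Review bot: `takeFirst(seed.SecretKeyID, sql.NullString{})` passes the zero value as its fallback, so if takeFirst returns its first non-zero argument (its definition is not in this hunk) the call is equivalent to `SecretKeyID: seed.SecretKeyID,`. Either write it that way or keep the call and add a comment such as `// NULL by default: generated keys are not tied to a dbcrypt key unless the test seeds one`. The migration in this commit makes the column a foreign key into dbcrypt_keys, so a seeded value needs a matching row there. CryptoKey's body starts and ends outside the hunk.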
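--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -153,6 +153,7 @@ type data struct {
 // New tables
 workspaceAgentStats []database.WorkspaceAgentStat
 auditLogs []database.AuditLog
+cryptoKeys []database.CryptoKey
 dbcryptKeys []database.DBCryptKey
 files []database.File
 externalAuthLinks []database.ExternalAuthLink
@@ -2318,13 +2319,26 @@ func (q *FakeQuerier) GetCoordinatorResumeTokenSigningKey(_ context.Context) (st
 return q.coordinatorResumeTokenSigningKey, nil
 }
 
-func (q *FakeQuerier) GetCryptoKeyByFeatureAndSequence(ctx context.Context, arg database.GetCryptoKeyByFeatureAndSequenceParams) (database.CryptoKey, error) {
+func (q *FakeQuerier) GetCryptoKeyByFeatureAndSequence(_ context.Context, arg database.GetCryptoKeyByFeatureAndSequenceParams) (database.CryptoKey, error) {
 err := validateDatabaseType(arg)
 if err != nil {
 return database.CryptoKey{}, err
 }
 
-panic("not implemented")
+q.mutex.RLock()
+defer q.mutex.RUnlock()
+
+for _, key := range q.cryptoKeys {
+if key.Feature == arg.Feature && key.Sequence == arg.Sequence {
+// Keys with NULL secrets are considered deleted.
+if key.Secret.Valid {
+return key, nil
+}
+return database.CryptoKey{}, sql.ErrNoRows
+}
+}
+
+return database.CryptoKey{}, sql.ErrNoRows
 }
 
 func (q *FakeQuerier) GetCryptoKeys(ctx context.Context) ([]database.CryptoKey, error) {
@@ -6331,13 +6345,26 @@ func (q *FakeQuerier) InsertAuditLog(_ context.Context, arg database.InsertAudit
 return alog, nil
 }
 
-func (q *FakeQuerier) InsertCryptoKey(ctx context.Context, arg database.InsertCryptoKeyParams) (database.CryptoKey, error) {
+func (q *FakeQuerier) InsertCryptoKey(_ context.Context, arg database.InsertCryptoKeyParams) (database.CryptoKey, error) {
 err := validateDatabaseType(arg)
 if err != nil {
 return database.CryptoKey{}, err
 }
 
-panic("not implemented")
+q.mutex.Lock()
+defer q.mutex.Unlock()
+
+key := database.CryptoKey{
+Feature: arg.Feature,
+Sequence: arg.Sequence,
+Secret: arg.Secret,
+SecretKeyID: arg.SecretKeyID,
+StartsAt: arg.StartsAt,
+}
+
+q.cryptoKeys = append(q.cryptoKeys, key)
+
+return key, nil
 }
 
 func (q *FakeQuerier) InsertCustomRole(_ context.Context, arg database.InsertCustomRoleParams) (database.CustomRole, error) {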
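Review bot: InsertCryptoKey appends to q.cryptoKeys without checking for an existing (feature, sequence) pair, while the crypto_keys migration in this commit declares `PRIMARY KEY (feature, sequence)`. A duplicate insert therefore succeeds against the fake but would be rejected by Postgres. GetCryptoKeyByFeatureAndSequence then returns whichever row was appended first, so key-rotation tests can pass on dbmem and fail on the real store. The fake also accepts any SecretKeyID, whereas the table requires it to reference dbcrypt_keys(active_key_digest); a lookup in q.dbcryptKeys would mirror that. A uniqueness check before the append is sketched below, with a placeholder where the package's own unique-violation error belongs.

```go
// … unchanged: validateDatabaseType check, q.mutex.Lock() / defer q.mutex.Unlock() …

// Mirror PRIMARY KEY (feature, sequence) from the crypto_keys migration.
for _, existing := range q.cryptoKeys {
	if existing.Feature == arg.Feature && existing.Sequence == arg.Sequence {
		// placeholder name: return the unique-violation error dbmem uses for other tables
		return database.CryptoKey{}, errUniqueViolationPlaceholder
	}
}

// … unchanged: build key, append to q.cryptoKeys, return key …
```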
4 changes: 4 additions & 0 deletions coderd/database/dump.sql


1 change: 1 addition & 0 deletions coderd/database/foreign_key_constraint.go


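--- a/coderd/database/migrations/000250_crypto_keys.up.sql
+++ b/coderd/database/migrations/000250_crypto_keys.up.sql
@@ -1,15 +1,16 @@
-CREATE TYPE "crypto_key_feature" AS ENUM (
+CREATE TYPE crypto_key_feature AS ENUM (
 'workspace_apps',
 'oidc_convert',
 'peer_reconnect'
 );
 
-CREATE TABLE "crypto_keys" (
-"feature" "crypto_key_feature" NOT NULL,
-"sequence" integer NOT NULL,
-"secret" text NULL,
-"starts_at" timestamptz NOT NULL,
-"deletes_at" timestamptz NULL,
-PRIMARY KEY ("feature", "sequence")
+CREATE TABLE crypto_keys (
+feature crypto_key_feature NOT NULL,
+sequence integer NOT NULL,
+secret text NULL,
+secret_key_id text NULL REFERENCES dbcrypt_keys(active_key_digest),
+starts_at timestamptz NOT NULL,
+deletes_at timestamptz NULL,
+PRIMARY KEY (feature, sequence)
 );
 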
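Review bot: The new secret_key_id column is nullable, and nothing in the migration says what NULL means for the adjacent `secret` column, which holds key secrets. The foreign key to dbcrypt_keys(active_key_digest) suggests that a non-NULL value means secret is stored encrypted under that dbcrypt key and NULL means it is stored as inserted. If so, state it in the schema, e.g. `COMMENT ON COLUMN crypto_keys.secret_key_id IS 'dbcrypt key that encrypted secret; NULL if secret is not encrypted';`. The reference also has no explicit ON DELETE clause, so the default behaviour applies; it is worth confirming that is what dbcrypt key revocation expects.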
11 changes: 6 additions & 5 deletions coderd/database/models.go
