pr comments

sreya · sreya · commit 1d35967bae56 · 2023-05-17T00:49:48.000Z
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -374,7 +374,7 @@ func (api *API) validateAPIKeyLifetime(lifetime time.Duration) error {
 }
 
 func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*http.Cookie, *database.APIKey, error) {
-	secret, key, err := apikey.Generate(params)
+	key, sessionToken, err := apikey.Generate(params)
 	if err != nil {
 		return nil, nil, xerrors.Errorf("generate API key: %w", err)
 	}
@@ -390,7 +390,7 @@ func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*
 
 	return &http.Cookie{
 		Name:     codersdk.SessionTokenCookie,
-		Value:    secret,
+		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
diff --git a/coderd/apikey/apikey.go b/coderd/apikey/apikey.go
@@ -31,10 +31,10 @@ type CreateParams struct {
 // Generate generates an API key, returning the key as a string as well as the
 // database representation. It is the responsibility of the caller to insert it
 // into the database.
-func Generate(params CreateParams) (string, database.InsertAPIKeyParams, error) {
+func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error) {
 	keyID, keySecret, err := generateKey()
 	if err != nil {
-		return "", database.InsertAPIKeyParams{}, xerrors.Errorf("generate API key: %w", err)
+		return database.InsertAPIKeyParams{}, "", xerrors.Errorf("generate API key: %w", err)
 	}
 
 	hashed := sha256.Sum256([]byte(keySecret))
@@ -67,12 +67,12 @@ func Generate(params CreateParams) (string, database.InsertAPIKeyParams, error)
 	switch scope {
 	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
 	default:
-		return "", database.InsertAPIKeyParams{}, xerrors.Errorf("invalid API key scope: %q", scope)
+		return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
 	}
 
-	keyStr := fmt.Sprintf("%s-%s", keyID, keySecret)
+	token := fmt.Sprintf("%s-%s", keyID, keySecret)
 
-	return keyStr, database.InsertAPIKeyParams{
+	return database.InsertAPIKeyParams{
 		ID:              keyID,
 		UserID:          params.UserID,
 		LifetimeSeconds: params.LifetimeSeconds,
@@ -91,7 +91,7 @@ func Generate(params CreateParams) (string, database.InsertAPIKeyParams, error)
 		LoginType:    params.LoginType,
 		Scope:        scope,
 		TokenName:    params.TokenName,
-	}, nil
+	}, token, nil
 }
 
 // generateKey a new ID and secret for an API key.
diff --git a/coderd/apikey/apikey_test.go b/coderd/apikey/apikey_test.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/cli/clibase"
@@ -100,7 +101,7 @@ func TestGenerate(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			keystr, key, err := apikey.Generate(tc.params)
+			key, keystr, err := apikey.Generate(tc.params)
 			if tc.fail {
 				require.Error(t, err)
 				return
@@ -117,46 +118,46 @@ func TestGenerate(t *testing.T) {
 
 			// Assert that the hashed secret is correct.
 			hashed := sha256.Sum256([]byte(keytokens[1]))
-			require.ElementsMatch(t, hashed, key.HashedSecret[:])
+			assert.ElementsMatch(t, hashed, key.HashedSecret[:])
 
-			require.Equal(t, tc.params.UserID, key.UserID)
-			require.WithinDuration(t, database.Now(), key.CreatedAt, time.Second*5)
-			require.WithinDuration(t, database.Now(), key.UpdatedAt, time.Second*5)
+			assert.Equal(t, tc.params.UserID, key.UserID)
+			assert.WithinDuration(t, database.Now(), key.CreatedAt, time.Second*5)
+			assert.WithinDuration(t, database.Now(), key.UpdatedAt, time.Second*5)
 
 			if tc.params.LifetimeSeconds > 0 {
-				require.Equal(t, tc.params.LifetimeSeconds, key.LifetimeSeconds)
+				assert.Equal(t, tc.params.LifetimeSeconds, key.LifetimeSeconds)
 			} else if !tc.params.ExpiresAt.IsZero() {
 				// Should not be a delta greater than 5 seconds.
-				require.InDelta(t, time.Until(tc.params.ExpiresAt).Seconds(), key.LifetimeSeconds, 5)
+				assert.InDelta(t, time.Until(tc.params.ExpiresAt).Seconds(), key.LifetimeSeconds, 5)
 			} else {
-				require.Equal(t, int64(tc.params.DeploymentValues.SessionDuration.Value().Seconds()), key.LifetimeSeconds)
+				assert.Equal(t, int64(tc.params.DeploymentValues.SessionDuration.Value().Seconds()), key.LifetimeSeconds)
 			}
 
 			if !tc.params.ExpiresAt.IsZero() {
-				require.Equal(t, tc.params.ExpiresAt.UTC(), key.ExpiresAt)
+				assert.Equal(t, tc.params.ExpiresAt.UTC(), key.ExpiresAt)
 			} else if tc.params.LifetimeSeconds > 0 {
-				require.WithinDuration(t, database.Now().Add(time.Duration(tc.params.LifetimeSeconds)), key.ExpiresAt, time.Second*5)
+				assert.WithinDuration(t, database.Now().Add(time.Duration(tc.params.LifetimeSeconds)), key.ExpiresAt, time.Second*5)
 			} else {
-				require.WithinDuration(t, database.Now().Add(tc.params.DeploymentValues.SessionDuration.Value()), key.ExpiresAt, time.Second*5)
+				assert.WithinDuration(t, database.Now().Add(tc.params.DeploymentValues.SessionDuration.Value()), key.ExpiresAt, time.Second*5)
 			}
 
 			if tc.params.RemoteAddr != "" {
-				require.Equal(t, tc.params.RemoteAddr, key.IPAddress.IPNet.IP.String())
+				assert.Equal(t, tc.params.RemoteAddr, key.IPAddress.IPNet.IP.String())
 			} else {
-				require.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
+				assert.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
 			}
 
 			if tc.params.Scope != "" {
-				require.Equal(t, tc.params.Scope, key.Scope)
+				assert.Equal(t, tc.params.Scope, key.Scope)
 			} else {
-				require.Equal(t, database.APIKeyScopeAll, key.Scope)
+				assert.Equal(t, database.APIKeyScopeAll, key.Scope)
 			}
 
 			if tc.params.TokenName != "" {
-				require.Equal(t, tc.params.TokenName, key.TokenName)
+				assert.Equal(t, tc.params.TokenName, key.TokenName)
 			}
 			if tc.params.LoginType != "" {
-				require.Equal(t, tc.params.LoginType, key.LoginType)
+				assert.Equal(t, tc.params.LoginType, key.LoginType)
 			}
 		})
 	}
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -203,7 +203,7 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 				return nil, failJob(fmt.Sprintf("regenerate session token: %s", err))
 			}
 		case database.WorkspaceTransitionStop, database.WorkspaceTransitionDelete:
-			err = server.deleteSessionToken(ctx, workspace)
+			err = deleteSessionToken(ctx, server.Database, workspace)
 			if err != nil {
 				return nil, failJob(fmt.Sprintf("delete session token: %s", err))
 			}
@@ -1432,7 +1432,7 @@ func workspaceSessionTokenName(workspace database.Workspace) string {
 }
 
 func (server *Server) regenerateSessionToken(ctx context.Context, user database.User, workspace database.Workspace) (string, error) {
-	secret, newkey, err := apikey.Generate(apikey.CreateParams{
+	newkey, sessionToken, err := apikey.Generate(apikey.CreateParams{
 		UserID:           user.ID,
 		LoginType:        user.LoginType,
 		DeploymentValues: server.DeploymentValues,
@@ -1443,30 +1443,43 @@ func (server *Server) regenerateSessionToken(ctx context.Context, user database.
 		return "", xerrors.Errorf("generate API key: %w", err)
 	}
 
-	err = server.deleteSessionToken(ctx, workspace)
-	if err != nil {
-		return "", xerrors.Errorf("delete session token: %w", err)
-	}
+	err = server.Database.InTx(func(tx database.Store) error {
+		err := deleteSessionToken(ctx, tx, workspace)
+		if err != nil {
+			return xerrors.Errorf("delete session token: %w", err)
+		}
 
-	_, err = server.Database.InsertAPIKey(ctx, newkey)
+		_, err = tx.InsertAPIKey(ctx, newkey)
+		if err != nil {
+			return xerrors.Errorf("insert API key: %w", err)
+		}
+		return nil
+	}, nil)
 	if err != nil {
-		return "", xerrors.Errorf("insert API key: %w", err)
+		return "", xerrors.Errorf("create API key: %w", err)
 	}
 
-	return secret, nil
+	return sessionToken, nil
 }
 
-func (server *Server) deleteSessionToken(ctx context.Context, workspace database.Workspace) error {
-	key, err := server.Database.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
-		UserID:    workspace.OwnerID,
-		TokenName: workspaceSessionTokenName(workspace),
-	})
-	if err == nil {
-		err = server.Database.DeleteAPIKeyByID(ctx, key.ID)
-	}
+func deleteSessionToken(ctx context.Context, db database.Store, workspace database.Workspace) error {
+	err := db.InTx(func(tx database.Store) error {
+		key, err := tx.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
+			UserID:    workspace.OwnerID,
+			TokenName: workspaceSessionTokenName(workspace),
+		})
+		if err == nil {
+			err = tx.DeleteAPIKeyByID(ctx, key.ID)
+		}
 
-	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-		return xerrors.Errorf("get api key by name: %w", err)
+		if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+			return xerrors.Errorf("get api key by name: %w", err)
+		}
+
+		return nil
+	}, nil)
+	if err != nil {
+		return xerrors.Errorf("in tx: %w", err)
 	}
 
 	return nil
