fixup! refactor dbcrypt: add Ciphers to wrap multiple AES256

johnstcn · johnstcn · commit 600391fbf2f1 · 2023-08-29T11:18:01.000Z
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -72,27 +72,20 @@ func (r *RootCmd) server() *clibase.Cmd {
 		}
 
 		if encKeys := options.DeploymentValues.ExternalTokenEncryptionKeys.Value(); len(encKeys) != 0 {
-			if len(encKeys) > 2 {
-				return nil, nil, xerrors.Errorf("at most 2 external-token-encryption-keys may be specified")
-			}
-			k1, err := base64.StdEncoding.DecodeString(encKeys[0])
-			if err != nil {
-				return nil, nil, xerrors.Errorf("decode external-token-encryption-key: %w", err)
-			}
-			o.PrimaryExternalTokenEncryption, err = dbcrypt.CipherAES256(k1)
-			if err != nil {
-				return nil, nil, xerrors.Errorf("create external-token-encryption-key cipher: %w", err)
-			}
-			if len(encKeys) > 1 {
-				k2, err := base64.StdEncoding.DecodeString(encKeys[0])
+			cs := make([]dbcrypt.Cipher, 0, len(encKeys))
+			for idx, ek := range encKeys {
+				dk, err := base64.StdEncoding.DecodeString(ek)
 				if err != nil {
-					return nil, nil, xerrors.Errorf("decode external-token-encryption-key: %w", err)
+					return nil, nil, xerrors.Errorf("decode external-token-encryption-key %d: %w", idx, err)
 				}
-				o.SecondaryExternalTokenEncryption, err = dbcrypt.CipherAES256(k2)
+				c, err := dbcrypt.CipherAES256(dk)
 				if err != nil {
-					return nil, nil, xerrors.Errorf("create external-token-encryption-key cipher: %w", err)
+					return nil, nil, xerrors.Errorf("create external-token-encryption-key cipher %d: %w", idx, err)
+
 				}
+				cs = append(cs, c)
 			}
+			o.ExternalTokenEncryption = dbcrypt.NewCiphers(cs...)
 		}
 
 		api, err := coderd.New(ctx, o)
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -63,13 +63,8 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 
 	ctx, cancelFunc := context.WithCancel(ctx)
 
-	if options.PrimaryExternalTokenEncryption != nil {
-		cs := make([]dbcrypt.Cipher, 0)
-		cs = append(cs, options.PrimaryExternalTokenEncryption)
-		if options.SecondaryExternalTokenEncryption != nil {
-			cs = append(cs, options.SecondaryExternalTokenEncryption)
-		}
-		cryptDB, err := dbcrypt.New(ctx, options.Database, dbcrypt.NewCiphers(cs...))
+	if options.ExternalTokenEncryption != nil {
+		cryptDB, err := dbcrypt.New(ctx, options.Database, options.ExternalTokenEncryption)
 		if err != nil {
 			cancelFunc()
 			return nil, xerrors.Errorf("init dbcrypt: %w", err)
@@ -379,9 +374,7 @@ type Options struct {
 	BrowserOnly bool
 	SCIMAPIKey  []byte
 
-	// TODO: wire these up properly
-	PrimaryExternalTokenEncryption   dbcrypt.Cipher
-	SecondaryExternalTokenEncryption dbcrypt.Cipher
+	ExternalTokenEncryption *dbcrypt.Ciphers
 
 	// Used for high availability.
 	ReplicaSyncUpdateInterval time.Duration
@@ -449,7 +442,7 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			codersdk.FeatureHighAvailability:           api.DERPServerRelayAddress != "",
 			codersdk.FeatureMultipleGitAuth:            len(api.GitAuthConfigs) > 1,
 			codersdk.FeatureTemplateRBAC:               api.RBAC,
-			codersdk.FeatureExternalTokenEncryption:    api.PrimaryExternalTokenEncryption != nil,
+			codersdk.FeatureExternalTokenEncryption:    api.ExternalTokenEncryption != nil,
 			codersdk.FeatureExternalProvisionerDaemons: true,
 			codersdk.FeatureAdvancedTemplateScheduling: true,
 			// FeatureTemplateRestartRequirement depends on
