enforce 32-byte key length

johnstcn · johnstcn · commit 60d52f54580b · 2023-08-22T14:13:52.000Z
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -453,7 +453,8 @@ These options are only available in the Enterprise Edition.
 
       --external-token-encryption-key string, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY
           Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
-          database. The value must be a base64-encoded key.
+          database. The value must be a base64-encoded key exactly 32 bytes in
+          length.
 
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
diff --git a/coderd/database/dbcrypt/cipher.go b/coderd/database/dbcrypt/cipher.go
@@ -34,6 +34,9 @@ func IsDecryptFailedError(err error) bool {
 
 // CipherAES256 returns a new AES-256 cipher.
 func CipherAES256(key []byte) (Cipher, error) {
+	if len(key) != 32 {
+		return nil, xerrors.Errorf("key must be 32 bytes")
+	}
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
diff --git a/coderd/database/dbcrypt/cipher_test.go b/coderd/database/dbcrypt/cipher_test.go
@@ -40,6 +40,6 @@ func TestCipherAES256(t *testing.T) {
 		t.Parallel()
 
 		_, err := dbcrypt.CipherAES256(bytes.Repeat([]byte{'a'}, 31))
-		require.ErrorContains(t, err, "invalid key size")
+		require.ErrorContains(t, err, "key must be 32 bytes")
 	})
 }
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -1580,7 +1580,7 @@ when required by your organization's security policy.`,
 		},
 		{
 			Name:        "External Token Encryption Key",
-			Description: "Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a base64-encoded key.",
+			Description: "Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a base64-encoded key exactly 32 bytes in length.",
 			Flag:        "external-token-encryption-key",
 			Env:         "CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY",
 			Annotations: clibase.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),
diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden
@@ -453,7 +453,8 @@ These options are only available in the Enterprise Edition.
 
       --external-token-encryption-key string, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY
           Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
-          database. The value must be a base64-encoded key.
+          database. The value must be a base64-encoded key exactly 32 bytes in
+          length.
 
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,6 @@ func TestCipherAES256(t *testing.T) {`
`40`	`40`	`t.Parallel()`
`41`	`41`
`42`	`42`	`_, err := dbcrypt.CipherAES256(bytes.Repeat([]byte{'a'}, 31))`
`43`		`- require.ErrorContains(t, err, "invalid key size")`
	`43`	`+ require.ErrorContains(t, err, "key must be 32 bytes")`
`44`	`44`	`})`
`45`	`45`	`}`
Original file line number	Diff line number	Diff line change
@@ -1580,7 +1580,7 @@ when required by your organization's security policy.`,
`1580`	`1580`	`},`
`1581`	`1581`	`{`
`1582`	`1582`	`Name: "External Token Encryption Key",`
`1583`		`- Description: "Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a base64-encoded key.",`
	`1583`	`+ Description: "Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a base64-encoded key exactly 32 bytes in length.",`
`1584`	`1584`	`Flag: "external-token-encryption-key",`
`1585`	`1585`	`Env: "CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY",`
`1586`	`1586`	`Annotations: clibase.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),`