coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 13 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 23 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 23 additions & 0 deletions
diff --git a/‎coderd/database/queries/provisionerkeys.sql
Lines changed: 8 additions & 0 deletions b/‎coderd/database/queries/provisionerkeys.sql
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/httpmw/provisionerdaemon.go
Lines changed: 8 additions & 6 deletions b/‎coderd/httpmw/provisionerdaemon.go
Lines changed: 8 additions & 6 deletions
diff --git a/‎coderd/provisionerkey/provisionerkey.go
Lines changed: 9 additions & 20 deletions b/‎coderd/provisionerkey/provisionerkey.go
Lines changed: 9 additions & 20 deletions
diff --git a/‎enterprise/cli/provisionerdaemonstart.go
Lines changed: 2 additions & 2 deletions b/‎enterprise/cli/provisionerdaemonstart.go
Lines changed: 2 additions & 2 deletions
@@ -1680,6 +1680,10 @@ func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt
 	return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
+func (q *querier) GetProvisionerKeyByHashedSecret(ctx context.Context, hashedSecret []byte) (database.ProvisionerKey, error) {
+	return fetch(q.log, q.auth, q.db.GetProvisionerKeyByHashedSecret)(ctx, hashedSecret)
+}
+
 func (q *querier) GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (database.ProvisionerKey, error) {
 	return fetch(q.log, q.auth, q.db.GetProvisionerKeyByID)(ctx, id)
 }
 
@@ -3240,6 +3240,19 @@ func (q *FakeQuerier) GetProvisionerJobsCreatedAfter(_ context.Context, after ti
 	return jobs, nil
 }
 
+func (q *FakeQuerier) GetProvisionerKeyByHashedSecret(ctx context.Context, hashedSecret []byte) (database.ProvisionerKey, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	for _, key := range q.provisionerKeys {
+		if bytes.Equal(key.HashedSecret, hashedSecret) {
+			return key, nil
+		}
+	}
+
+	return database.ProvisionerKey{}, sql.ErrNoRows
+}
+
 func (q *FakeQuerier) GetProvisionerKeyByID(_ context.Context, id uuid.UUID) (database.ProvisionerKey, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -19,6 +19,14 @@ FROM
 WHERE
     id = $1;
 
+-- name: GetProvisionerKeyByHashedSecret :one
+SELECT
+    *
+FROM
+    provisioner_keys
+WHERE
+    hashed_secret = $1;
+
 -- name: GetProvisionerKeyByName :one
 SELECT
     *
 
@@ -71,16 +71,17 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 				return
 			}
 
-			id, keyValue, err := provisionerkey.Parse(key)
+			err := provisionerkey.Validate(key)
 			if err != nil {
-				handleOptional(http.StatusUnauthorized, codersdk.Response{
+				handleOptional(http.StatusBadGateway, codersdk.Response{
 					Message: "provisioner daemon key invalid",
+					Detail:  err.Error(),
 				})
 				return
 			}
-
+			hashedKey := provisionerkey.HashSecret(key)
 			// nolint:gocritic // System must check if the provisioner key is valid.
-			pk, err := opts.DB.GetProvisionerKeyByID(dbauthz.AsSystemRestricted(ctx), id)
+			pk, err := opts.DB.GetProvisionerKeyByHashedSecret(dbauthz.AsSystemRestricted(ctx), hashedKey)
 			if err != nil {
 				if httpapi.Is404Error(err) {
 					handleOptional(http.StatusUnauthorized, codersdk.Response{
@@ -90,12 +91,13 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 				}
 
 				handleOptional(http.StatusInternalServerError, codersdk.Response{
-					Message: "get provisioner daemon key: " + err.Error(),
+					Message: "get provisioner daemon key",
+					Detail:  err.Error(),
 				})
 				return
 			}
 
-			if provisionerkey.Compare(pk.HashedSecret, provisionerkey.HashSecret(keyValue)) {
+			if provisionerkey.Compare(pk.HashedSecret, hashedKey) {
 				handleOptional(http.StatusUnauthorized, codersdk.Response{
 					Message: "provisioner daemon key invalid",
 				})
 
@@ -3,8 +3,6 @@ package provisionerkey
 import (
 	"crypto/sha256"
 	"crypto/subtle"
-	"fmt"
-	"strings"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
@@ -15,40 +13,31 @@ import (
 )
 
 func New(organizationID uuid.UUID, name string, tags map[string]string) (database.InsertProvisionerKeyParams, string, error) {
-	id := uuid.New()
-	secret, err := cryptorand.HexString(64)
+	secret, err := cryptorand.String(64)
 	if err != nil {
-		return database.InsertProvisionerKeyParams{}, "", xerrors.Errorf("generate token: %w", err)
+		return database.InsertProvisionerKeyParams{}, "", xerrors.Errorf("generate secret: %w", err)
 	}
-	hashedSecret := HashSecret(secret)
-	token := fmt.Sprintf("%s:%s", id, secret)
 
 	if tags == nil {
 		tags = map[string]string{}
 	}
 
 	return database.InsertProvisionerKeyParams{
-		ID:             id,
+		ID:             uuid.New(),
 		CreatedAt:      dbtime.Now(),
 		OrganizationID: organizationID,
 		Name:           name,
-		HashedSecret:   hashedSecret,
+		HashedSecret:   HashSecret(secret),
 		Tags:           tags,
-	}, token, nil
+	}, secret, nil
 }
 
-func Parse(token string) (uuid.UUID, string, error) {
-	parts := strings.Split(token, ":")
-	if len(parts) != 2 {
-		return uuid.UUID{}, "", xerrors.Errorf("invalid token format")
+func Validate(token string) error {
+	if len(token) != 64 {
+		return xerrors.Errorf("must be 64 characters")
 	}
 
-	id, err := uuid.Parse(parts[0])
-	if err != nil {
-		return uuid.UUID{}, "", xerrors.Errorf("parse id: %w", err)
-	}
-
-	return id, parts[1], nil
+	return nil
 }
 
 func HashSecret(secret string) []byte {
 
@@ -122,9 +122,9 @@ func (r *RootCmd) provisionerDaemonStart() *serpent.Command {
 				if len(rawTags) > 0 {
 					return xerrors.New("cannot provide tags when using provisioner key")
 				}
-				_, _, err := provisionerkey.Parse(provisionerKey)
+				err = provisionerkey.Validate(provisionerKey)
 				if err != nil {
-					return xerrors.Errorf("parse provisioner key: %w", err)
+					return xerrors.Errorf("validate provisioner key: %w", err)
 				}
 			}
Original file line number	Diff line number	Diff line change
`@@ -1680,6 +1680,10 @@ func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt`
`1680`	`1680`	`return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)`
`1681`	`1681`	`}`
`1682`	`1682`
	`1683`	`+func (q *querier) GetProvisionerKeyByHashedSecret(ctx context.Context, hashedSecret []byte) (database.ProvisionerKey, error) {`
	`1684`	`+ return fetch(q.log, q.auth, q.db.GetProvisionerKeyByHashedSecret)(ctx, hashedSecret)`
	`1685`	`+}`
	`1686`	`+`
`1683`	`1687`	`func (q *querier) GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (database.ProvisionerKey, error) {`
`1684`	`1688`	`return fetch(q.log, q.auth, q.db.GetProvisionerKeyByID)(ctx, id)`
`1685`	`1689`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,9 +122,9 @@ func (r RootCmd) provisionerDaemonStart() serpent.Command {`
`122`	`122`	`if len(rawTags) > 0 {`
`123`	`123`	`return xerrors.New("cannot provide tags when using provisioner key")`
`124`	`124`	`}`
`125`		`- _, _, err := provisionerkey.Parse(provisionerKey)`
	`125`	`+ err = provisionerkey.Validate(provisionerKey)`
`126`	`126`	`if err != nil {`
`127`		`- return xerrors.Errorf("parse provisioner key: %w", err)`
	`127`	`+ return xerrors.Errorf("validate provisioner key: %w", err)`
`128`	`128`	`}`
`129`	`129`	`}`
`130`	`130`