Merge branch 'cj/dbcrypt_redux_1' into cj/dbcrypt_redux_2

johnstcn · johnstcn · commit 6c28ce52e734 · 2023-09-05T15:40:26.000Z
diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go
@@ -672,26 +672,6 @@ func (q *FakeQuerier) isEveryoneGroup(id uuid.UUID) bool {
 	return false
 }
 
-func (q *FakeQuerier) insertDBCryptKeyNoLock(_ context.Context, arg database.InsertDBCryptKeyParams) error {
-	err := validateDatabaseType(arg)
-	if err != nil {
-		return err
-	}
-
-	for _, key := range q.dbcryptKeys {
-		if key.Number == arg.Number {
-			return errDuplicateKey
-		}
-	}
-
-	q.dbcryptKeys = append(q.dbcryptKeys, database.DBCryptKey{
-		Number:          arg.Number,
-		ActiveKeyDigest: sql.NullString{String: arg.ActiveKeyDigest, Valid: true},
-		Test:            arg.Test,
-	})
-	return nil
-}
-
 func (q *FakeQuerier) GetActiveDBCryptKeys(_ context.Context) ([]database.DBCryptKey, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -3918,9 +3898,24 @@ func (q *FakeQuerier) InsertAuditLog(_ context.Context, arg database.InsertAudit
 	return alog, nil
 }
 
-func (q *FakeQuerier) InsertDBCryptKey(ctx context.Context, arg database.InsertDBCryptKeyParams) error {
-	// This only ever gets called inside a transaction, so we need to not lock.
-	return q.insertDBCryptKeyNoLock(ctx, arg)
+func (q *FakeQuerier) InsertDBCryptKey(_ context.Context, arg database.InsertDBCryptKeyParams) error {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return err
+	}
+
+	for _, key := range q.dbcryptKeys {
+		if key.Number == arg.Number {
+			return errDuplicateKey
+		}
+	}
+
+	q.dbcryptKeys = append(q.dbcryptKeys, database.DBCryptKey{
+		Number:          arg.Number,
+		ActiveKeyDigest: sql.NullString{String: arg.ActiveKeyDigest, Valid: true},
+		Test:            arg.Test,
+	})
+	return nil
 }
 
 func (q *FakeQuerier) InsertDERPMeshKey(_ context.Context, id string) error {
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/gitauth.sql b/coderd/database/queries/gitauth.sql
@@ -11,9 +11,9 @@ INSERT INTO git_auth_links (
     created_at,
     updated_at,
     oauth_access_token,
-	oauth_access_token_key_id,
+    oauth_access_token_key_id,
     oauth_refresh_token,
-	oauth_refresh_token_key_id,
+    oauth_refresh_token_key_id,
     oauth_expiry
 ) VALUES (
     $1,
@@ -23,16 +23,16 @@ INSERT INTO git_auth_links (
     $5,
     $6,
     $7,
-	$8,
-	$9
+    $8,
+    $9
 ) RETURNING *;
 
 -- name: UpdateGitAuthLink :one
 UPDATE git_auth_links SET
     updated_at = $3,
     oauth_access_token = $4,
-	oauth_access_token_key_id = $5,
+    oauth_access_token_key_id = $5,
     oauth_refresh_token = $6,
-	oauth_refresh_token_key_id = $7,
+    oauth_refresh_token_key_id = $7,
     oauth_expiry = $8
 WHERE provider_id = $1 AND user_id = $2 RETURNING *;
diff --git a/enterprise/dbcrypt/dbcrypt.go b/enterprise/dbcrypt/dbcrypt.go
@@ -5,8 +5,6 @@ import (
 	"database/sql"
 	"encoding/base64"
 
-	"github.com/lib/pq"
-
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 
@@ -49,7 +47,8 @@ func New(ctx context.Context, db database.Store, ciphers ...Cipher) (database.St
 		Store:               db,
 	}
 	// nolint: gocritic // This is allowed.
-	if err := dbc.ensureEncrypted(dbauthz.AsSystemRestricted(ctx)); err != nil {
+	authCtx := dbauthz.AsSystemRestricted(ctx)
+	if err := dbc.ensureEncryptedWithRetry(authCtx); err != nil {
 		return nil, xerrors.Errorf("ensure encrypted database fields: %w", err)
 	}
 	return dbc, nil
@@ -271,7 +270,10 @@ func (db *dbCrypt) encryptField(field *string, digest *sql.NullString) error {
 	}
 
 	if field == nil {
-		return nil
+		return xerrors.Errorf("developer error: encryptField called with nil field")
+	}
+	if digest == nil {
+		return xerrors.Errorf("developer error: encryptField called with nil digest")
 	}
 
 	encrypted, err := db.ciphers[db.primaryCipherDigest].Encrypt([]byte(*field))
@@ -334,6 +336,23 @@ func (db *dbCrypt) decryptField(field *string, digest sql.NullString) error {
 	return nil
 }
 
+func (db *dbCrypt) ensureEncryptedWithRetry(ctx context.Context) error {
+	var err error
+	for i := 0; i < 3; i++ {
+		err = db.ensureEncrypted(ctx)
+		if err == nil {
+			return nil
+		}
+		// If we get a serialization error, then we need to retry.
+		if !database.IsSerializedError(err) {
+			return err
+		}
+		// otherwise, retry
+	}
+	// If we get here, then we ran out of retries
+	return err
+}
+
 func (db *dbCrypt) ensureEncrypted(ctx context.Context) error {
 	return db.InTx(func(s database.Store) error {
 		// Attempt to read the encrypted test fields of the currently active keys.
@@ -343,32 +362,31 @@ func (db *dbCrypt) ensureEncrypted(ctx context.Context) error {
 		}
 
 		var highestNumber int32
+		var activeCipherFound bool
 		for _, k := range ks {
+			// If our primary key has been revoked, then we can't do anything.
+			if k.RevokedKeyDigest.Valid && k.RevokedKeyDigest.String == db.primaryCipherDigest {
+				return xerrors.Errorf("primary encryption key %q has been revoked", db.primaryCipherDigest)
+			}
+
 			if k.ActiveKeyDigest.Valid && k.ActiveKeyDigest.String == db.primaryCipherDigest {
-				// This is our currently active key. We don't need to do anything further.
-				return nil
+				activeCipherFound = true
 			}
+
 			if k.Number > highestNumber {
 				highestNumber = k.Number
 			}
 		}
 
+		if activeCipherFound {
+			return nil
+		}
+
 		// If we get here, then we have a new key that we need to insert.
-		// If this conflicts with another transaction, we do not need to retry as
-		// the other transaction will have inserted the key for us.
-		if err := db.InsertDBCryptKey(ctx, database.InsertDBCryptKeyParams{
+		return db.InsertDBCryptKey(ctx, database.InsertDBCryptKeyParams{
 			Number:          highestNumber + 1,
 			ActiveKeyDigest: db.primaryCipherDigest,
 			Test:            testValue,
-		}); err != nil {
-			var pqErr *pq.Error
-			if xerrors.As(err, &pqErr) && pqErr.Code == "23505" {
-				// Unique constraint violation -> another transaction has inserted the key for us.
-				return nil
-			}
-			return err
-		}
-
-		return nil
+		})
 	}, &sql.TxOptions{Isolation: sql.LevelRepeatableRead})
 }
diff --git a/enterprise/dbcrypt/dbcrypt_internal_test.go b/enterprise/dbcrypt/dbcrypt_internal_test.go
@@ -8,10 +8,13 @@ import (
 	"io"
 	"testing"
 
+	"github.com/golang/mock/gomock"
+	"github.com/lib/pq"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbmock"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 )
 
@@ -446,6 +449,70 @@ func TestNew(t *testing.T) {
 		require.NoError(t, err, "no error should be returned")
 		require.Empty(t, keys, "no keys should be present")
 	})
+
+	t.Run("PrimaryRevoked", func(t *testing.T) {
+		t.Parallel()
+		// Given: a cipher is loaded
+		cipher := initCipher(t)
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		rawDB, _ := dbtestutil.NewDB(t)
+
+		// And: the cipher is revoked before we init the crypt db
+		err := rawDB.InsertDBCryptKey(ctx, database.InsertDBCryptKeyParams{
+			Number:          1,
+			ActiveKeyDigest: cipher.HexDigest(),
+			Test:            fakeBase64RandomData(t, 32),
+		})
+		require.NoError(t, err, "no error should be returned")
+		err = rawDB.RevokeDBCryptKey(ctx, cipher.HexDigest())
+		require.NoError(t, err, "no error should be returned")
+
+		// Then: when we init the crypt db, we error because the key is revoked
+		_, err = New(ctx, rawDB, cipher)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "has been revoked")
+	})
+
+	t.Run("Retry", func(t *testing.T) {
+		t.Parallel()
+		// Given: a cipher is loaded
+		cipher := initCipher(t)
+		ctx, cancel := context.WithCancel(context.Background())
+		testVal, err := cipher.Encrypt([]byte("coder"))
+		key := database.DBCryptKey{
+			Number:          1,
+			ActiveKeyDigest: sql.NullString{String: cipher.HexDigest(), Valid: true},
+			Test:            b64encode(testVal),
+		}
+		require.NoError(t, err)
+		t.Cleanup(cancel)
+
+		// And: a database that returns an error once when we try to serialize a key
+		ctrl := gomock.NewController(t)
+		mockDB := dbmock.NewMockStore(ctrl)
+
+		gomock.InOrder(
+			// First try: we get a serialization error.
+			expectInTx(mockDB),
+			mockDB.EXPECT().GetDBCryptKeys(gomock.Any()).Times(1).Return([]database.DBCryptKey{}, nil),
+			mockDB.EXPECT().InsertDBCryptKey(gomock.Any(), gomock.Any()).Times(1).Return(&pq.Error{Code: "40001"}),
+			// Second try: we get the key we wanted to insert initially.
+			expectInTx(mockDB),
+			mockDB.EXPECT().GetDBCryptKeys(gomock.Any()).Times(1).Return([]database.DBCryptKey{key}, nil),
+		)
+
+		_, err = New(ctx, mockDB, cipher)
+		require.NoError(t, err)
+	})
+}
+
+func expectInTx(mdb *dbmock.MockStore) *gomock.Call {
+	return mdb.EXPECT().InTx(gomock.Any(), gomock.Any()).Times(1).DoAndReturn(
+		func(f func(store database.Store) error, _ *sql.TxOptions) error {
+			return f(mdb)
+		},
+	)
 }
 
 func requireEncryptedEquals(t *testing.T, c Cipher, value, expected string) {
