Refactor key management and enhance logging

sreya · sreya · commit 7557ed289b08 · 2024-10-16T23:25:48.000Z
- Improve clarity by naming loggers used in key cache creation.
- Adjust key cache context to utilize KeyReader for consistent
  context handling.
- Refactor API to use central key cache management approach.
- Enhance error messages for crypto key fetching.
- Update test to add safety against unexpected panics.
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -461,7 +461,7 @@ func New(options *Options) *API {
 
 	if options.OIDCConvertKeyCache == nil {
 		options.OIDCConvertKeyCache, err = cryptokeys.NewSigningCache(ctx,
-			options.Logger,
+			options.Logger.Named("oidc_convert_keycache"),
 			fetcher,
 			codersdk.CryptoKeyFeatureOIDCConvert,
 		)
@@ -470,7 +470,7 @@ func New(options *Options) *API {
 
 	if options.AppSigningKeyCache == nil {
 		options.AppSigningKeyCache, err = cryptokeys.NewSigningCache(ctx,
-			options.Logger,
+			options.Logger.Named("app_signing_keycache"),
 			fetcher,
 			codersdk.CryptoKeyFeatureWorkspaceAppsToken,
 		)
@@ -683,10 +683,9 @@ func New(options *Options) *API {
 		AgentProvider:       api.agentProvider,
 		StatsCollector:      workspaceapps.NewStatsCollector(options.WorkspaceAppsStatsCollectorOptions),
 
-		DisablePathApps:      options.DeploymentValues.DisablePathApps.Value(),
-		SecureAuthCookie:     options.DeploymentValues.SecureAuthCookie.Value(),
-		Signer:               options.AppSigningKeyCache,
-		EncryptingKeyManager: options.AppEncryptionKeyCache,
+		DisablePathApps:     options.DeploymentValues.DisablePathApps.Value(),
+		SecureAuthCookie:    options.DeploymentValues.SecureAuthCookie.Value(),
+		APIKeyEncryptionKey: options.AppEncryptionKeyCache,
 	}
 
 	apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
diff --git a/coderd/cryptokeys/cache.go b/coderd/cryptokeys/cache.go
@@ -14,6 +14,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/quartz"
 )
@@ -77,12 +78,12 @@ func (d *DBFetcher) Fetch(ctx context.Context, feature codersdk.CryptoKeyFeature
 
 // cache implements the caching functionality for both signing and encryption keys.
 type cache struct {
-	clock         quartz.Clock
-	refreshCtx    context.Context
-	refreshCancel context.CancelFunc
-	fetcher       Fetcher
-	logger        slog.Logger
-	feature       codersdk.CryptoKeyFeature
+	ctx     context.Context
+	cancel  context.CancelFunc
+	clock   quartz.Clock
+	fetcher Fetcher
+	logger  slog.Logger
+	feature codersdk.CryptoKeyFeature
 
 	mu        sync.Mutex
 	keys      map[int32]codersdk.CryptoKey
@@ -136,12 +137,13 @@ func newCache(ctx context.Context, logger slog.Logger, fetcher Fetcher, feature
 	}
 
 	cache.cond = sync.NewCond(&cache.mu)
-	cache.refreshCtx, cache.refreshCancel = context.WithCancel(ctx)
+	//nolint:gocritic // We need to be able to read the keys in order to cache them.
+	cache.ctx, cache.cancel = context.WithCancel(dbauthz.AsKeyReader(ctx))
 	cache.refresher = cache.clock.AfterFunc(refreshInterval, cache.refresh)
 
-	keys, err := cache.cryptoKeys(ctx)
+	keys, err := cache.cryptoKeys(cache.ctx)
 	if err != nil {
-		cache.refreshCancel()
+		cache.cancel()
 		return nil, xerrors.Errorf("initial fetch: %w", err)
 	}
 	cache.keys = keys
@@ -205,7 +207,7 @@ func isEncryptionKeyFeature(feature codersdk.CryptoKeyFeature) bool {
 
 func isSigningKeyFeature(feature codersdk.CryptoKeyFeature) bool {
 	switch feature {
-	case codersdk.CryptoKeyFeatureTailnetResume, codersdk.CryptoKeyFeatureOIDCConvert:
+	case codersdk.CryptoKeyFeatureTailnetResume, codersdk.CryptoKeyFeatureOIDCConvert, codersdk.CryptoKeyFeatureWorkspaceAppsToken:
 		return true
 	default:
 		return false
@@ -315,9 +317,9 @@ func (c *cache) refresh() {
 	c.fetching = true
 
 	c.mu.Unlock()
-	keys, err := c.cryptoKeys(c.refreshCtx)
+	keys, err := c.cryptoKeys(c.ctx)
 	if err != nil {
-		c.logger.Error(c.refreshCtx, "fetch crypto keys", slog.Error(err))
+		c.logger.Error(c.ctx, "fetch crypto keys", slog.Error(err))
 		return
 	}
 
@@ -336,7 +338,7 @@ func (c *cache) refresh() {
 func (c *cache) cryptoKeys(ctx context.Context) (map[int32]codersdk.CryptoKey, error) {
 	keys, err := c.fetcher.Fetch(ctx, c.feature)
 	if err != nil {
-		return nil, xerrors.Errorf("crypto keys: %w", err)
+		return nil, xerrors.Errorf("fetch: %w", err)
 	}
 	cache := toKeyMap(keys, c.clock.Now())
 	return cache, nil
@@ -363,7 +365,7 @@ func (c *cache) Close() error {
 	}
 
 	c.closed = true
-	c.refreshCancel()
+	c.cancel()
 	c.refresher.Stop()
 	c.cond.Broadcast()
 
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -167,7 +167,9 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 		ToLoginType:   req.ToType,
 	}
 
-	token, err := jwtutils.Sign(dbauthz.AsKeyRotator(ctx), api.OIDCConvertKeyCache, claims)
+	//nolint:gocritic // We need to read the system signing key
+	// in order to sign the token.
+	token, err := jwtutils.Sign(dbauthz.AsKeyReader(ctx), api.OIDCConvertKeyCache, claims)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error signing state jwt.",
@@ -1676,7 +1678,10 @@ func (api *API) convertUserToOauth(ctx context.Context, r *http.Request, db data
 		}
 	}
 	var claims OAuthConvertStateClaims
-	err = jwtutils.Verify(dbauthz.AsKeyRotator(ctx), api.OIDCConvertKeyCache, jwtCookie.Value, &claims)
+
+	//nolint:gocritic // We need to read the system signing key
+	// in order to verify the token.
+	err = jwtutils.Verify(dbauthz.AsKeyReader(ctx), api.OIDCConvertKeyCache, jwtCookie.Value, &claims)
 	if xerrors.Is(err, cryptokeys.ErrKeyNotFound) || xerrors.Is(err, cryptokeys.ErrKeyInvalid) || xerrors.Is(err, jose.ErrCryptoFailure) {
 		// These errors are probably because the user is mixing 2 coder deployments.
 		return database.User{}, idpsync.HTTPError{
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -100,9 +100,8 @@ type Server struct {
 	HostnameRegex *regexp.Regexp
 	RealIPConfig  *httpmw.RealIPConfig
 
-	SignedTokenProvider  SignedTokenProvider
-	Signer               jwtutils.SigningKeyManager
-	EncryptingKeyManager jwtutils.EncryptingKeyManager
+	SignedTokenProvider SignedTokenProvider
+	APIKeyEncryptionKey jwtutils.EncryptingKeyManager
 
 	// DisablePathApps disables path-based apps. This is a security feature as path
 	// based apps share the same cookie as the dashboard, and are susceptible to XSS
@@ -181,7 +180,7 @@ func (s *Server) handleAPIKeySmuggling(rw http.ResponseWriter, r *http.Request,
 
 	// Exchange the encoded API key for a real one.
 	var payload EncryptedAPIKeyPayload
-	err := jwtutils.Decrypt(ctx, s.EncryptingKeyManager, encryptedAPIKey, &payload, jwtutils.WithDecryptExpected(jwt.Expected{
+	err := jwtutils.Decrypt(ctx, s.APIKeyEncryptionKey, encryptedAPIKey, &payload, jwtutils.WithDecryptExpected(jwt.Expected{
 		Time: time.Now(),
 	}))
 	if err != nil {
diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -5,19 +5,13 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-jose/go-jose/v4"
 	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/google/uuid"
 
 	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 )
 
-const (
-	tokenSigningAlgorithm     = jose.HS512
-	apiKeyEncryptionAlgorithm = jose.A256GCMKW
-)
-
 // SignedToken is the struct data contained inside a workspace app JWE. It
 // contains the details of the workspace app that the token is valid for to
 // avoid database queries.
diff --git a/enterprise/wsproxy/tokenprovider.go b/enterprise/wsproxy/tokenprovider.go
@@ -19,14 +19,14 @@ type TokenProvider struct {
 	AccessURL    *url.URL
 	AppHostname  string
 
-	Client        *wsproxysdk.Client
-	SigningKey    jwtutils.SigningKeyManager
-	EncryptingKey jwtutils.EncryptingKeyManager
-	Logger        slog.Logger
+	Client              *wsproxysdk.Client
+	TokenSigningKey     jwtutils.SigningKeyManager
+	APIKeyEncryptionKey jwtutils.EncryptingKeyManager
+	Logger              slog.Logger
 }
 
 func (p *TokenProvider) FromRequest(r *http.Request) (*workspaceapps.SignedToken, bool) {
-	return workspaceapps.FromRequest(r, p.SigningKey)
+	return workspaceapps.FromRequest(r, p.TokenSigningKey)
 }
 
 func (p *TokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {
@@ -45,7 +45,7 @@ func (p *TokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *ht
 
 	// Check that it verifies properly and matches the string.
 	var token workspaceapps.SignedToken
-	err = jwtutils.Verify(ctx, p.SigningKey, resp.SignedTokenStr, &token)
+	err = jwtutils.Verify(ctx, p.TokenSigningKey, resp.SignedTokenStr, &token)
 	if err != nil {
 		workspaceapps.WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "failed to verify newly generated signed token")
 		return nil, "", false
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -131,8 +131,12 @@ type Server struct {
 	// the moon's token.
 	SDKClient *wsproxysdk.Client
 
-	WorkspaceAppsEncryptionKeycache cryptokeys.EncryptionKeycache
-	WorkspaceAppsSigningKeycache    cryptokeys.SigningKeycache
+	// apiKeyEncryptionKeycache manages the encryption keys for smuggling API
+	// tokens to the alternate domain when using workspace apps.
+	apiKeyEncryptionKeycache cryptokeys.EncryptionKeycache
+	// appTokenSigningKeycache manages the signing keys for signing the app
+	// tokens we use for workspace apps.
+	appTokenSigningKeycache cryptokeys.SigningKeycache
 
 	// DERP
 	derpMesh                *derpmesh.Mesh
@@ -206,6 +210,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		codersdk.CryptoKeyFeatureWorkspaceAppsAPIKey,
 	)
 	if err != nil {
+		cancel()
 		return nil, xerrors.Errorf("create api key encryption cache: %w", err)
 	}
 	signingCache, err := cryptokeys.NewSigningCache(ctx,
@@ -214,6 +219,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		codersdk.CryptoKeyFeatureWorkspaceAppsToken,
 	)
 	if err != nil {
+		cancel()
 		return nil, xerrors.Errorf("create api token signing cache: %w", err)
 	}
 
@@ -222,15 +228,17 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		ctx:    ctx,
 		cancel: cancel,
 
-		Options:            opts,
-		Handler:            r,
-		DashboardURL:       opts.DashboardURL,
-		Logger:             opts.Logger.Named("net.workspace-proxy"),
-		TracerProvider:     opts.Tracing,
-		PrometheusRegistry: opts.PrometheusRegistry,
-		SDKClient:          client,
-		derpMesh:           derpmesh.New(opts.Logger.Named("net.derpmesh"), derpServer, meshTLSConfig),
-		derpMeshTLSConfig:  meshTLSConfig,
+		Options:                  opts,
+		Handler:                  r,
+		DashboardURL:             opts.DashboardURL,
+		Logger:                   opts.Logger.Named("net.workspace-proxy"),
+		TracerProvider:           opts.Tracing,
+		PrometheusRegistry:       opts.PrometheusRegistry,
+		SDKClient:                client,
+		derpMesh:                 derpmesh.New(opts.Logger.Named("net.derpmesh"), derpServer, meshTLSConfig),
+		derpMeshTLSConfig:        meshTLSConfig,
+		apiKeyEncryptionKeycache: encryptionCache,
+		appTokenSigningKeycache:  signingCache,
 	}
 
 	// Register the workspace proxy with the primary coderd instance and start a
@@ -295,20 +303,21 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		HostnameRegex: opts.AppHostnameRegex,
 		RealIPConfig:  opts.RealIPConfig,
 		SignedTokenProvider: &TokenProvider{
-			DashboardURL:  opts.DashboardURL,
-			AccessURL:     opts.AccessURL,
-			AppHostname:   opts.AppHostname,
-			Client:        client,
-			SigningKey:    signingCache,
-			EncryptingKey: encryptionCache,
-			Logger:        s.Logger.Named("proxy_token_provider"),
+			DashboardURL:        opts.DashboardURL,
+			AccessURL:           opts.AccessURL,
+			AppHostname:         opts.AppHostname,
+			Client:              client,
+			TokenSigningKey:     signingCache,
+			APIKeyEncryptionKey: encryptionCache,
+			Logger:              s.Logger.Named("proxy_token_provider"),
 		},
 
 		DisablePathApps:  opts.DisablePathApps,
 		SecureAuthCookie: opts.SecureAuthCookie,
 
-		AgentProvider:  agentProvider,
-		StatsCollector: workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),
+		AgentProvider:       agentProvider,
+		StatsCollector:      workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),
+		APIKeyEncryptionKey: encryptionCache,
 	}
 
 	derpHandler := derphttp.Handler(derpServer)
@@ -451,8 +460,8 @@ func (s *Server) Close() error {
 		err = multierror.Append(err, agentProviderErr)
 	}
 	s.SDKClient.SDKClient.HTTPClient.CloseIdleConnections()
-	_ = s.WorkspaceAppsSigningKeycache.Close()
-	_ = s.WorkspaceAppsEncryptionKeycache.Close()
+	_ = s.appTokenSigningKeycache.Close()
+	_ = s.apiKeyEncryptionKeycache.Close()
 	return err
 }
 
diff --git a/enterprise/wsproxy/wsproxy_test.go b/enterprise/wsproxy/wsproxy_test.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"runtime/debug"
 	"testing"
 	"time"
 
@@ -321,6 +322,11 @@ resourceLoop:
 
 func TestDERPEndToEnd(t *testing.T) {
 	t.Parallel()
+	defer func() {
+		if r := recover(); r != nil {
+			debug.PrintStack()
+		}
+	}()
 
 	deploymentValues := coderdtest.DeploymentValues(t)
 	deploymentValues.Experiments = []string{
diff --git a/enterprise/wsproxy/wsproxysdk/wsproxysdk.go b/enterprise/wsproxy/wsproxysdk/wsproxysdk.go
@@ -581,7 +581,7 @@ type CryptoKeysResponse struct {
 
 func (c *Client) CryptoKeys(ctx context.Context, feature codersdk.CryptoKeyFeature) (CryptoKeysResponse, error) {
 	res, err := c.Request(ctx, http.MethodGet,
-		"/api/v2/workspaceproxies/me/crypto-keys",
+		"/api/v2/workspaceproxies/me/crypto-keys", nil,
 		codersdk.WithQueryParam("feature", string(feature)),
 	)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -581,7 +581,7 @@ type CryptoKeysResponse struct {`
`581`	`581`
`582`	`582`	`func (c *Client) CryptoKeys(ctx context.Context, feature codersdk.CryptoKeyFeature) (CryptoKeysResponse, error) {`
`583`	`583`	`res, err := c.Request(ctx, http.MethodGet,`
`584`		`- "/api/v2/workspaceproxies/me/crypto-keys",`
	`584`	`+ "/api/v2/workspaceproxies/me/crypto-keys", nil,`
`585`	`585`	`codersdk.WithQueryParam("feature", string(feature)),`
`586`	`586`	`)`
`587`	`587`	`if err != nil {`