Refactor cryptokeys cache to include key reader context

sreya · sreya · commit 76561ac268aa · 2024-10-17T00:52:47.000Z
Enhances the cache functionality by wrapping the context with a key
reader, ensuring proper authorization checks during cryptographic
operations. This change aligns cache behavior with security practices.
diff --git a/coderd/cryptokeys/cache.go b/coderd/cryptokeys/cache.go
@@ -155,6 +155,8 @@ func (c *cache) EncryptingKey(ctx context.Context) (string, interface{}, error)
 		return "", nil, ErrInvalidFeature
 	}
 
+	//nolint:gocritic // cache can only rotate crypto keys.
+	ctx = dbauthz.AsKeyReader(ctx)
 	return c.cryptoKey(ctx, latestSequence)
 }
 
@@ -168,6 +170,8 @@ func (c *cache) DecryptingKey(ctx context.Context, id string) (interface{}, erro
 		return nil, xerrors.Errorf("parse id: %w", err)
 	}
 
+	//nolint:gocritic // cache can only rotate crypto keys.
+	ctx = dbauthz.AsKeyReader(ctx)
 	_, secret, err := c.cryptoKey(ctx, int32(seq))
 	if err != nil {
 		return nil, xerrors.Errorf("crypto key: %w", err)
@@ -180,6 +184,8 @@ func (c *cache) SigningKey(ctx context.Context) (string, interface{}, error) {
 		return "", nil, ErrInvalidFeature
 	}
 
+	//nolint:gocritic // cache can only rotate crypto keys.
+	ctx = dbauthz.AsKeyReader(ctx)
 	return c.cryptoKey(ctx, latestSequence)
 }
 
@@ -198,6 +204,8 @@ func (c *cache) VerifyingKey(ctx context.Context, id string) (interface{}, error
 		return nil, xerrors.Errorf("crypto key: %w", err)
 	}
 
+	//nolint:gocritic // cache can only rotate crypto keys.
+	ctx = dbauthz.AsKeyReader(ctx)
 	return secret, nil
 }
 
diff --git a/coderd/workspaceapps/token_test.go b/coderd/workspaceapps/token_test.go
@@ -283,142 +283,6 @@ func Test_TokenMatchesRequest(t *testing.T) {
 	}
 }
 
-func Test_GenerateToken(t *testing.T) {
-	t.Parallel()
-
-	t.Run("SetExpiry", func(t *testing.T) {
-		t.Parallel()
-
-		ctx := testutil.Context(t, testutil.WaitShort)
-		signer := newSigner(t)
-
-		tokenStr, err := jwtutils.Sign(ctx, signer, workspaceapps.SignedToken{
-			Request: workspaceapps.Request{
-				AccessMethod:      workspaceapps.AccessMethodPath,
-				BasePath:          "/app",
-				UsernameOrID:      "foo",
-				WorkspaceNameOrID: "bar",
-				AgentNameOrID:     "baz",
-				AppSlugOrPort:     "qux",
-			},
-
-			UserID:      uuid.MustParse("b1530ba9-76f3-415e-b597-4ddd7cd466a4"),
-			WorkspaceID: uuid.MustParse("1e6802d3-963e-45ac-9d8c-bf997016ffed"),
-			AgentID:     uuid.MustParse("9ec18681-d2c9-4c9e-9186-f136efb4edbe"),
-			AppURL:      "http://127.0.0.1:8080",
-		})
-		require.NoError(t, err)
-
-		var token workspaceapps.SignedToken
-		err = jwtutils.Verify(ctx, signer, tokenStr, &token)
-		require.NoError(t, err)
-
-		require.WithinDuration(t, time.Now().Add(time.Minute), token.Expiry.Time(), 15*time.Second)
-	})
-
-	future := time.Now().Add(time.Hour)
-	cases := []struct {
-		name             string
-		token            workspaceapps.SignedToken
-		parseErrContains string
-	}{
-		{
-			name: "OK1",
-			token: workspaceapps.SignedToken{
-				Claims: jwt.Claims{
-					Expiry: jwt.NewNumericDate(future),
-				},
-				Request: workspaceapps.Request{
-					AccessMethod:      workspaceapps.AccessMethodPath,
-					BasePath:          "/app",
-					UsernameOrID:      "foo",
-					WorkspaceNameOrID: "bar",
-					AgentNameOrID:     "baz",
-					AppSlugOrPort:     "qux",
-				},
-
-				UserID:      uuid.MustParse("b1530ba9-76f3-415e-b597-4ddd7cd466a4"),
-				WorkspaceID: uuid.MustParse("1e6802d3-963e-45ac-9d8c-bf997016ffed"),
-				AgentID:     uuid.MustParse("9ec18681-d2c9-4c9e-9186-f136efb4edbe"),
-				AppURL:      "http://127.0.0.1:8080",
-			},
-		},
-		{
-			name: "OK2",
-			token: workspaceapps.SignedToken{
-				Claims: jwt.Claims{
-					Expiry: jwt.NewNumericDate(future),
-				},
-				Request: workspaceapps.Request{
-					AccessMethod:      workspaceapps.AccessMethodSubdomain,
-					BasePath:          "/",
-					UsernameOrID:      "oof",
-					WorkspaceNameOrID: "rab",
-					AgentNameOrID:     "zab",
-					AppSlugOrPort:     "xuq",
-				},
-
-				UserID:      uuid.MustParse("6fa684a3-11aa-49fd-8512-ab527bd9b900"),
-				WorkspaceID: uuid.MustParse("b2d816cc-505c-441d-afdf-dae01781bc0b"),
-				AgentID:     uuid.MustParse("6c4396e1-af88-4a8a-91a3-13ea54fc29fb"),
-				AppURL:      "http://localhost:9090",
-			},
-		},
-		{
-			name: "Expired",
-			token: workspaceapps.SignedToken{
-				Claims: jwt.Claims{
-					Expiry: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
-				},
-
-				Request: workspaceapps.Request{
-					AccessMethod:      workspaceapps.AccessMethodSubdomain,
-					BasePath:          "/",
-					UsernameOrID:      "foo",
-					WorkspaceNameOrID: "bar",
-					AgentNameOrID:     "baz",
-					AppSlugOrPort:     "qux",
-				},
-
-				UserID:      uuid.MustParse("b1530ba9-76f3-415e-b597-4ddd7cd466a4"),
-				WorkspaceID: uuid.MustParse("1e6802d3-963e-45ac-9d8c-bf997016ffed"),
-				AgentID:     uuid.MustParse("9ec18681-d2c9-4c9e-9186-f136efb4edbe"),
-				AppURL:      "http://127.0.0.1:8080",
-			},
-			parseErrContains: "token expired",
-		},
-	}
-
-	signer := newSigner(t)
-	for _, c := range cases {
-		c := c
-
-		t.Run(c.name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := testutil.Context(t, testutil.WaitShort)
-			str, err := jwtutils.Sign(ctx, signer, c.token)
-			require.NoError(t, err)
-
-			// Tokens aren't deterministic as they have a random nonce, so we
-			// can't compare them directly.
-
-			var token workspaceapps.SignedToken
-			err = jwtutils.Verify(ctx, signer, str, &token)
-			if c.parseErrContains != "" {
-				require.Error(t, err)
-				require.ErrorContains(t, err, c.parseErrContains)
-			} else {
-				require.NoError(t, err)
-				// normalize the expiry
-				require.WithinDuration(t, c.token.Expiry.Time(), token.Expiry.Time(), 10*time.Second)
-				c.token.Expiry = token.Expiry
-				require.Equal(t, c.token, token)
-			}
-		})
-	}
-}
-
 func Test_FromRequest(t *testing.T) {
 	t.Parallel()
 

Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,8 @@ func (c *cache) EncryptingKey(ctx context.Context) (string, interface{}, error)`
`155`	`155`	`return "", nil, ErrInvalidFeature`
`156`	`156`	`}`
`157`	`157`
	`158`	`+ //nolint:gocritic // cache can only rotate crypto keys.`
	`159`	`+ ctx = dbauthz.AsKeyReader(ctx)`
`158`	`160`	`return c.cryptoKey(ctx, latestSequence)`
`159`	`161`	`}`
`160`	`162`
`@@ -168,6 +170,8 @@ func (c *cache) DecryptingKey(ctx context.Context, id string) (interface{}, erro`
`168`	`170`	`return nil, xerrors.Errorf("parse id: %w", err)`
`169`	`171`	`}`
`170`	`172`
	`173`	`+ //nolint:gocritic // cache can only rotate crypto keys.`
	`174`	`+ ctx = dbauthz.AsKeyReader(ctx)`
`171`	`175`	`_, secret, err := c.cryptoKey(ctx, int32(seq))`
`172`	`176`	`if err != nil {`
`173`	`177`	`return nil, xerrors.Errorf("crypto key: %w", err)`
`@@ -180,6 +184,8 @@ func (c *cache) SigningKey(ctx context.Context) (string, interface{}, error) {`
`180`	`184`	`return "", nil, ErrInvalidFeature`
`181`	`185`	`}`
`182`	`186`
	`187`	`+ //nolint:gocritic // cache can only rotate crypto keys.`
	`188`	`+ ctx = dbauthz.AsKeyReader(ctx)`
`183`	`189`	`return c.cryptoKey(ctx, latestSequence)`
`184`	`190`	`}`
`185`	`191`
`@@ -198,6 +204,8 @@ func (c *cache) VerifyingKey(ctx context.Context, id string) (interface{}, error`
`198`	`204`	`return nil, xerrors.Errorf("crypto key: %w", err)`
`199`	`205`	`}`
`200`	`206`
	`207`	`+ //nolint:gocritic // cache can only rotate crypto keys.`
	`208`	`+ ctx = dbauthz.AsKeyReader(ctx)`
`201`	`209`	`return secret, nil`
`202`	`210`	`}`
`203`	`211`