time to fix it

sreya · sreya · commit 92843b204036 · 2024-10-16T19:11:28.000Z
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -3109,9 +3109,11 @@ func (c *Client) SSHConfiguration(ctx context.Context) (SSHConfigResponse, error
 type CryptoKeyFeature string
 
 const (
-	CryptoKeyFeatureWorkspaceApp  CryptoKeyFeature = "workspace_apps"
-	CryptoKeyFeatureOIDCConvert   CryptoKeyFeature = "oidc_convert"
-	CryptoKeyFeatureTailnetResume CryptoKeyFeature = "tailnet_resume"
+	CryptoKeyFeatureWorkspaceAppAPIKey CryptoKeyFeature = "workspace_apps_api_key"
+	//nolint:gosec // This denotes a type of key, not a literal.
+	CryptoKeyFeatureWorkspaceAppsToken CryptoKeyFeature = "workspace_apps_token"
+	CryptoKeyFeatureOIDCConvert        CryptoKeyFeature = "oidc_convert"
+	CryptoKeyFeatureTailnetResume      CryptoKeyFeature = "tailnet_resume"
 )
 
 type CryptoKey struct {
diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 	"time"
 
@@ -720,13 +721,29 @@ func (api *API) workspaceProxyRegister(rw http.ResponseWriter, r *http.Request)
 // @Security CoderSessionToken
 // @Produce json
 // @Tags Enterprise
+// @Param feature query string true "Feature key"
 // @Success 200 {object} wsproxysdk.CryptoKeysResponse
 // @Router /workspaceproxies/me/crypto-keys [get]
 // @x-apidocgen {"skip": true}
 func (api *API) workspaceProxyCryptoKeys(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	keys, err := api.Database.GetCryptoKeysByFeature(ctx, database.CryptoKeyFeatureWorkspaceAppsAPIKey)
+	feature := database.CryptoKeyFeature(r.URL.Query().Get("feature"))
+	if feature == "" {
+		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Missing feature query parameter.",
+		})
+		return
+	}
+
+	if !slices.Contains(database.AllCryptoKeyFeatureValues(), feature) {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Invalid feature: %q", feature),
+		})
+		return
+	}
+
+	keys, err := api.Database.GetCryptoKeysByFeature(ctx, feature)
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
diff --git a/enterprise/coderd/workspaceproxy_test.go b/enterprise/coderd/workspaceproxy_test.go
@@ -320,7 +320,6 @@ func TestProxyRegisterDeregister(t *testing.T) {
 		}
 		registerRes1, err := proxyClient.RegisterWorkspaceProxy(ctx, req)
 		require.NoError(t, err)
-		require.NotEmpty(t, registerRes1.AppSecurityKey)
 		require.NotEmpty(t, registerRes1.DERPMeshKey)
 		require.EqualValues(t, 10001, registerRes1.DERPRegionID)
 		require.Empty(t, registerRes1.SiblingReplicas)
@@ -955,7 +954,7 @@ func TestGetCryptoKeys(t *testing.T) {
 			Name: testutil.GetRandomName(t),
 		})
 
-		keys, err := proxy.SDKClient.CryptoKeys(ctx)
+		keys, err := proxy.SDKClient.CryptoKeys(ctx, codersdk.CryptoKeyFeatureWorkspaceAppAPIKey)
 		require.NoError(t, err)
 		require.NotEmpty(t, keys)
 		require.Equal(t, 2, len(keys.CryptoKeys))
@@ -987,7 +986,7 @@ func TestGetCryptoKeys(t *testing.T) {
 		client := wsproxysdk.New(cclient.URL)
 		client.SetSessionToken(cclient.SessionToken())
 
-		_, err := client.CryptoKeys(ctx)
+		_, err := client.CryptoKeys(ctx, codersdk.CryptoKeyFeatureWorkspaceAppAPIKey)
 		require.Error(t, err)
 		var sdkErr *codersdk.Error
 		require.ErrorAs(t, err, &sdkErr)
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -198,6 +198,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 	derpServer := derp.NewServer(key.NewNode(), tailnet.Logger(opts.Logger.Named("net.derp")))
 
 	ctx, cancel := context.WithCancel(context.Background())
+
 	r := chi.NewRouter()
 	s := &Server{
 		Options:            opts,
diff --git a/enterprise/wsproxy/wsproxysdk/wsproxysdk.go b/enterprise/wsproxy/wsproxysdk/wsproxysdk.go
@@ -205,7 +205,6 @@ type RegisterWorkspaceProxyRequest struct {
 }
 
 type RegisterWorkspaceProxyResponse struct {
-	AppSecurityKey      string           `json:"app_security_key"`
 	DERPMeshKey         string           `json:"derp_mesh_key"`
 	DERPRegionID        int32            `json:"derp_region_id"`
 	DERPMap             *tailcfg.DERPMap `json:"derp_map"`
@@ -372,12 +371,6 @@ func (l *RegisterWorkspaceProxyLoop) Start(ctx context.Context) (RegisterWorkspa
 			}
 			failedAttempts = 0
 
-			// Check for consistency.
-			if originalRes.AppSecurityKey != resp.AppSecurityKey {
-				l.failureFn(xerrors.New("app security key has changed, proxy must be restarted"))
-				return
-			}
-
 			if originalRes.DERPMeshKey != resp.DERPMeshKey {
 				l.failureFn(xerrors.New("DERP mesh key has changed, proxy must be restarted"))
 				return
@@ -586,10 +579,10 @@ type CryptoKeysResponse struct {
 	CryptoKeys []codersdk.CryptoKey `json:"crypto_keys"`
 }
 
-func (c *Client) CryptoKeys(ctx context.Context) (CryptoKeysResponse, error) {
+func (c *Client) CryptoKeys(ctx context.Context, feature codersdk.CryptoKeyFeature) (CryptoKeysResponse, error) {
 	res, err := c.Request(ctx, http.MethodGet,
 		"/api/v2/workspaceproxies/me/crypto-keys",
-		nil,
+		codersdk.WithQueryParam("feature", string(feature)),
 	)
 	if err != nil {
 		return CryptoKeysResponse{}, xerrors.Errorf("make request: %w", err)
diff --git a/tailnet/resume.go b/tailnet/resume.go
@@ -63,7 +63,7 @@ func NewResumeTokenKeyProvider(key jwtutils.SigningKeyManager, clock quartz.Cloc
 	return ResumeTokenKeyProvider{
 		key:    key,
 		clock:  clock,
-		expiry: DefaultResumeTokenExpiry,
+		expiry: expiry,
 	}
 }
 
diff --git a/tailnet/resume_test.go b/tailnet/resume_test.go
@@ -54,10 +54,11 @@ func TestResumeTokenKeyProvider(t *testing.T) {
 		require.Equal(t, tailnet.DefaultResumeTokenExpiry/2, token.RefreshIn.AsDuration())
 		require.WithinDuration(t, clock.Now().Add(tailnet.DefaultResumeTokenExpiry), token.ExpiresAt.AsTime(), time.Second)
 
-		// Advance time past expiry
-		_ = clock.Advance(tailnet.DefaultResumeTokenExpiry + time.Second)
+		// Advance time past expiry. Account for leeway.
+		_ = clock.Advance(tailnet.DefaultResumeTokenExpiry + time.Second*61)
 
 		_, err = provider.VerifyResumeToken(ctx, token.Token)
+		require.Error(t, err)
 		require.ErrorIs(t, err, jwt.ErrExpired)
 	})
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func NewResumeTokenKeyProvider(key jwtutils.SigningKeyManager, clock quartz.Cloc`
`63`	`63`	`return ResumeTokenKeyProvider{`
`64`	`64`	`key: key,`
`65`	`65`	`clock: clock,`
`66`		`- expiry: DefaultResumeTokenExpiry,`
	`66`	`+ expiry: expiry,`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`