Add feature validation to dbCache key methods

sreya · sreya · commit 938bdda0594f · 2024-10-03T23:08:05.000Z
Ensure that the dbCache methods for encrypting, decrypting, signing,
and verifying keys validate the feature flag before proceeding with
operations. This validation step prevents using keys for unintended
purposes, maintaining proper alignment with their intended
cryptographic feature.
diff --git a/coderd/cryptokeys/dbkeycache.go b/coderd/cryptokeys/dbkeycache.go
@@ -77,18 +77,34 @@ func newDBCache(logger slog.Logger, db database.Store, feature database.CryptoKe
 }
 
 func (d *dbCache) EncryptingKey(ctx context.Context) (id string, key interface{}, err error) {
+	if !isEncryptionKeyFeature(d.feature) {
+		return "", nil, ErrInvalidFeature
+	}
+
 	return d.latest(ctx)
 }
 
 func (d *dbCache) DecryptingKey(ctx context.Context, id string) (key interface{}, err error) {
+	if !isEncryptionKeyFeature(d.feature) {
+		return nil, ErrInvalidFeature
+	}
+
 	return d.sequence(ctx, id)
 }
 
 func (d *dbCache) SigningKey(ctx context.Context) (id string, key interface{}, err error) {
+	if !isSigningKeyFeature(d.feature) {
+		return "", nil, ErrInvalidFeature
+	}
+
 	return d.latest(ctx)
 }
 
 func (d *dbCache) VerifyingKey(ctx context.Context, id string) (key interface{}, err error) {
+	if !isSigningKeyFeature(d.feature) {
+		return nil, ErrInvalidFeature
+	}
+
 	return d.sequence(ctx, id)
 }
 
diff --git a/coderd/cryptokeys/dbkeycache_test.go b/coderd/cryptokeys/dbkeycache_test.go
@@ -154,10 +154,24 @@ func TestDBKeyCache(t *testing.T) {
 			db, _  = dbtestutil.NewDB(t)
 			clock  = quartz.NewMock(t)
 			logger = slogtest.Make(t, nil)
+			ctx    = testutil.Context(t, testutil.WaitShort)
 		)
 
 		_, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
 		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		// Instantiate a signing cache and try to use it as an encryption cache.
+		sc, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
+		defer sc.Close()
+
+		ec, ok := sc.(cryptokeys.EncryptionKeycache)
+		require.True(t, ok)
+		_, _, err = ec.EncryptingKey(ctx)
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		_, err = ec.DecryptingKey(ctx, "123")
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
 	})
 
 	t.Run("InvalidEncryptionFeature", func(t *testing.T) {
@@ -167,10 +181,24 @@ func TestDBKeyCache(t *testing.T) {
 			db, _  = dbtestutil.NewDB(t)
 			clock  = quartz.NewMock(t)
 			logger = slogtest.Make(t, nil)
+			ctx    = testutil.Context(t, testutil.WaitShort)
 		)
 
 		_, err := cryptokeys.NewEncryptionCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
 		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		// Instantiate an encryption cache and try to use it as a signing cache.
+		ec, err := cryptokeys.NewEncryptionCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
+		defer ec.Close()
+
+		sc, ok := ec.(cryptokeys.SigningKeycache)
+		require.True(t, ok)
+		_, _, err = sc.SigningKey(ctx)
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		_, err = sc.VerifyingKey(ctx, "123")
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
 	})
 }
 
