chore: change app signing key to be 96 bytes

deansheather · deansheather · commit b38c1c8b50de · 2023-04-05T02:20:43.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -778,23 +778,31 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					}
 				}
 
-				// Read the app signing key from the DB. We store it hex
-				// encoded since the config table uses strings for the value and
-				// we don't want to deal with automatic encoding issues.
+				// Read the app signing key from the DB. We store it hex encoded
+				// since the config table uses strings for the value and we
+				// don't want to deal with automatic encoding issues.
 				appSigningKeyStr, err := tx.GetAppSigningKey(ctx)
 				if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 					return xerrors.Errorf("get app signing key: %w", err)
 				}
-				if appSigningKeyStr == "" {
-					// Generate 64 byte secure random string.
-					b := make([]byte, 64)
+				// If the string in the DB is an invalid hex string or the
+				// length is not equal to the current key length, generate a new
+				// one.
+				//
+				// If the key is regenerated, old signed tokens and encrypted
+				// strings will become invalid. New signed app tokens will be
+				// generated automatically on failure. Any workspace app token
+				// smuggling operations in progress may fail, although with a
+				// helpful error.
+				if decoded, err := hex.DecodeString(appSigningKeyStr); err != nil || len(decoded) != len(workspaceapps.SigningKey{}) {
+					b := make([]byte, len(workspaceapps.SigningKey{}))
 					_, err := rand.Read(b)
 					if err != nil {
 						return xerrors.Errorf("generate fresh app signing key: %w", err)
 					}
 
 					appSigningKeyStr = hex.EncodeToString(b)
-					err = tx.InsertAppSigningKey(ctx, appSigningKeyStr)
+					err = tx.UpsertAppSigningKey(ctx, appSigningKeyStr)
 					if err != nil {
 						return xerrors.Errorf("insert freshly generated app signing key to database: %w", err)
 					}
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -328,7 +328,7 @@ func New(options *Options) *API {
 	api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgentTailnet, 0)
 	api.TailnetCoordinator.Store(&options.TailnetCoordinator)
 
-	workspaceAppServer := workspaceapps.Server{
+	api.workspaceAppServer = &workspaceapps.Server{
 		Logger: options.Logger.Named("workspaceapps"),
 
 		DashboardURL:     api.AccessURL,
@@ -380,7 +380,7 @@ func New(options *Options) *API {
 		//
 		// Workspace apps do their own auth and must be BEFORE the auth
 		// middleware.
-		workspaceAppServer.SubdomainAppMW(apiRateLimiter),
+		api.workspaceAppServer.SubdomainAppMW(apiRateLimiter),
 		// Build-Version is helpful for debugging.
 		func(next http.Handler) http.Handler {
 			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -406,7 +406,7 @@ func New(options *Options) *API {
 	// Attach workspace apps routes.
 	r.Group(func(r chi.Router) {
 		r.Use(apiRateLimiter)
-		workspaceAppServer.Attach(r)
+		api.workspaceAppServer.Attach(r)
 	})
 
 	r.Route("/derp", func(r chi.Router) {
@@ -796,6 +796,7 @@ type API struct {
 	workspaceAgentCache   *wsconncache.Cache
 	updateChecker         *updatecheck.Checker
 	WorkspaceAppsProvider workspaceapps.SignedTokenProvider
+	workspaceAppServer    *workspaceapps.Server
 
 	// Experiments contains the list of experiments currently enabled.
 	// This is used to gate features that are not yet ready for production.
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -80,9 +80,9 @@ import (
 	"github.com/coder/coder/testutil"
 )
 
-// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tokens in
-// tests.
-var AppSigningKey = must(workspaceapps.KeyFromString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))
+// AppSigningKey is a 64-byte key used to sign JWTs and encrypt JWEs for
+// workspace app tokens in tests.
+var AppSigningKey = must(workspaceapps.KeyFromString("6465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e2077617320686572"))
 
 type Options struct {
 	// AccessURL denotes a custom access URL. By default we use the httptest
diff --git a/coderd/database/dbauthz/querier.go b/coderd/database/dbauthz/querier.go
@@ -384,9 +384,9 @@ func (q *querier) GetAppSigningKey(ctx context.Context) (string, error) {
 	return q.db.GetAppSigningKey(ctx)
 }
 
-func (q *querier) InsertAppSigningKey(ctx context.Context, data string) error {
+func (q *querier) UpsertAppSigningKey(ctx context.Context, data string) error {
 	// No authz checks as this is done during startup
-	return q.db.InsertAppSigningKey(ctx, data)
+	return q.db.UpsertAppSigningKey(ctx, data)
 }
 
 func (q *querier) GetServiceBanner(ctx context.Context) (string, error) {
diff --git a/coderd/database/dbfake/databasefake.go b/coderd/database/dbfake/databasefake.go
@@ -4451,7 +4451,7 @@ func (q *fakeQuerier) GetAppSigningKey(_ context.Context) (string, error) {
 	return q.appSigningKey, nil
 }
 
-func (q *fakeQuerier) InsertAppSigningKey(_ context.Context, data string) error {
+func (q *fakeQuerier) UpsertAppSigningKey(_ context.Context, data string) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
diff --git a/coderd/database/dbgen/generator.go b/coderd/database/dbgen/generator.go
@@ -77,12 +77,23 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database
 	secret, _ := cryptorand.String(22)
 	hashed := sha256.Sum256([]byte(secret))
 
+	ip := seed.IPAddress
+	if !ip.Valid {
+		ip = pqtype.Inet{
+			IPNet: net.IPNet{
+				IP:   net.IPv4(127, 0, 0, 1),
+				Mask: net.IPv4Mask(255, 255, 255, 255),
+			},
+			Valid: true,
+		}
+	}
+
 	key, err := db.InsertAPIKey(context.Background(), database.InsertAPIKeyParams{
 		ID: takeFirst(seed.ID, id),
 		// 0 defaults to 86400 at the db layer
 		LifetimeSeconds: takeFirst(seed.LifetimeSeconds, 0),
 		HashedSecret:    takeFirstSlice(seed.HashedSecret, hashed[:]),
-		IPAddress:       pqtype.Inet{},
+		IPAddress:       ip,
 		UserID:          takeFirst(seed.UserID, uuid.New()),
 		LastUsed:        takeFirst(seed.LastUsed, database.Now()),
 		ExpiresAt:       takeFirst(seed.ExpiresAt, database.Now().Add(time.Hour)),
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/siteconfig.sql b/coderd/database/queries/siteconfig.sql
@@ -34,5 +34,6 @@ SELECT value FROM site_configs WHERE key = 'logo_url';
 -- name: GetAppSigningKey :one
 SELECT value FROM site_configs WHERE key = 'app_signing_key';
 
--- name: InsertAppSigningKey :exec
-INSERT INTO site_configs (key, value) VALUES ('app_signing_key', $1);
+-- name: UpsertAppSigningKey :exec
+INSERT INTO site_configs (key, value) VALUES ('app_signing_key', $1)
+ON CONFLICT (key) DO UPDATE set value = $1 WHERE site_configs.key = 'app_signing_key';
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -32,16 +32,12 @@ type DBTokenProvider struct {
 	DeploymentValues              *codersdk.DeploymentValues
 	OAuth2Configs                 *httpmw.OAuth2Configs
 	WorkspaceAgentInactiveTimeout time.Duration
-	TokenSigningKey               SigningKey
+	SigningKey                    SigningKey
 }
 
 var _ SignedTokenProvider = &DBTokenProvider{}
 
-func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, workspaceAgentInactiveTimeout time.Duration, tokenSigningKey SigningKey) SignedTokenProvider {
-	if len(tokenSigningKey) != 64 {
-		panic("token signing key must be 64 bytes")
-	}
-
+func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, workspaceAgentInactiveTimeout time.Duration, signingKey SigningKey) SignedTokenProvider {
 	if workspaceAgentInactiveTimeout == 0 {
 		workspaceAgentInactiveTimeout = 1 * time.Minute
 	}
@@ -54,15 +50,15 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz
 		DeploymentValues:              cfg,
 		OAuth2Configs:                 oauth2Cfgs,
 		WorkspaceAgentInactiveTimeout: workspaceAgentInactiveTimeout,
-		TokenSigningKey:               tokenSigningKey,
+		SigningKey:                    signingKey,
 	}
 }
 
 func (p *DBTokenProvider) TokenFromRequest(r *http.Request) (*SignedToken, bool) {
 	// Get the existing token from the request.
 	tokenCookie, err := r.Cookie(codersdk.DevURLSignedAppTokenCookie)
 	if err == nil {
-		token, err := p.TokenSigningKey.VerifySignedToken(tokenCookie.Value)
+		token, err := p.SigningKey.VerifySignedToken(tokenCookie.Value)
 		if err == nil {
 			req := token.Request.Normalize()
 			err := req.Validate()
@@ -130,9 +126,6 @@ func (p *DBTokenProvider) CreateToken(ctx context.Context, rw http.ResponseWrite
 	token.AgentID = dbReq.Agent.ID
 	token.AppURL = dbReq.AppURL
 
-	// TODO(@deansheather): return an error if the agent is offline or the app
-	// is not running.
-
 	// Verify the user has access to the app.
 	authed, err := p.authorizeRequest(r.Context(), authz, dbReq)
 	if err != nil {
@@ -196,7 +189,7 @@ func (p *DBTokenProvider) CreateToken(ctx context.Context, rw http.ResponseWrite
 
 	// Sign the token.
 	token.Expiry = time.Now().Add(DefaultTokenExpiry)
-	tokenStr, err := p.TokenSigningKey.SignToken(token)
+	tokenStr, err := p.SigningKey.SignToken(token)
 	if err != nil {
 		WriteWorkspaceApp500(p.Logger, p.AccessURL, rw, r, &appReq, err, "generate token")
 		return nil, "", false
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -10,6 +10,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
@@ -84,6 +85,22 @@ type Server struct {
 	SignedTokenProvider SignedTokenProvider
 	WorkspaceConnCache  *wsconncache.Cache
 	AppSigningKey       SigningKey
+
+	websocketWaitMutex sync.Mutex
+	websocketWaitGroup sync.WaitGroup
+}
+
+// Close waits for all reconnecting-pty WebSocket connections to drain before
+// returning.
+func (s *Server) Close() error {
+	s.websocketWaitMutex.Lock()
+	s.websocketWaitGroup.Wait()
+	s.websocketWaitMutex.Unlock()
+
+	// The caller must close the SignedTokenProvider (if necessary) and the
+	// wsconncache.
+
+	return nil
 }
 
 func (s *Server) Attach(r chi.Router) {
@@ -503,11 +520,10 @@ func (s *Server) proxyWorkspaceApp(rw http.ResponseWriter, r *http.Request, appT
 func (s *Server) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	// TODO: Fix this later
-	// s.WebsocketWaitMutex.Lock()
-	// s.WebsocketWaitGroup.Add(1)
-	// s.WebsocketWaitMutex.Unlock()
-	// defer s.WebsocketWaitGroup.Done()
+	s.websocketWaitMutex.Lock()
+	s.websocketWaitGroup.Add(1)
+	s.websocketWaitMutex.Unlock()
+	defer s.websocketWaitGroup.Done()
 
 	appToken, ok := ResolveRequest(s.Logger, s.AccessURL, s.SignedTokenProvider, rw, r, Request{
 		AccessMethod:  AccessMethodTerminal,
diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -13,7 +13,10 @@ import (
 	"github.com/coder/coder/coderd/database"
 )
 
-const tokenSigningAlgorithm = jose.HS512
+const (
+	tokenSigningAlgorithm     = jose.HS512
+	apiKeyEncryptionAlgorithm = jose.A256GCMKW
+)
 
 // SignedToken is the struct data contained inside a workspace app JWE. It
 // contains the details of the workspace app that the token is valid for to
@@ -41,14 +44,11 @@ func (t SignedToken) MatchesRequest(req Request) bool {
 		t.AppSlugOrPort == req.AppSlugOrPort
 }
 
-// SigningKey is used for signing and encrypting app tokens and API keys.
-// TODO: we cannot use the same key for signing and encrypting with two
-// different algorithms, that's a security issue. We should use a different key
-// for each.
-// OR
-// We get rid of signing and use encryption for both api keys and tickets.
-// Do this by switching to JWE.
-type SigningKey [64]byte
+// AppSigningKey is used for signing and encrypting app tokens and API keys.
+//
+// The first 64 bytes of the key are used for signing tokens with HMAC-SHA256,
+// and the last 32 bytes are used for encrypting API keys with AES-256-GCM.
+type SigningKey [96]byte
 
 func KeyFromString(str string) (SigningKey, error) {
 	var key SigningKey
@@ -78,7 +78,7 @@ func (k SigningKey) SignToken(payload SignedToken) (string, error) {
 
 	signer, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: tokenSigningAlgorithm,
-		Key:       k[:],
+		Key:       k[:64],
 	}, nil)
 	if err != nil {
 		return "", xerrors.Errorf("create signer: %w", err)
@@ -112,7 +112,7 @@ func (k SigningKey) VerifySignedToken(str string) (SignedToken, error) {
 		return SignedToken{}, xerrors.Errorf("expected token signing algorithm to be %q, got %q", tokenSigningAlgorithm, object.Signatures[0].Header.Algorithm)
 	}
 
-	output, err := object.Verify(k[:])
+	output, err := object.Verify(k[:64])
 	if err != nil {
 		return SignedToken{}, xerrors.Errorf("verify JWS: %w", err)
 	}
@@ -154,8 +154,8 @@ func (k SigningKey) EncryptAPIKey(payload EncryptedAPIKeyPayload) (string, error
 	encrypter, err := jose.NewEncrypter(
 		jose.A256GCM,
 		jose.Recipient{
-			Algorithm: jose.A256GCMKW,
-			Key:       k[:32],
+			Algorithm: apiKeyEncryptionAlgorithm,
+			Key:       k[64:],
 		},
 		&jose.EncrypterOptions{
 			Compression: jose.DEFLATE,
@@ -184,9 +184,12 @@ func (k SigningKey) DecryptAPIKey(encryptedAPIKey string) (string, error) {
 	if err != nil {
 		return "", xerrors.Errorf("parse encrypted API key: %w", err)
 	}
+	if object.Header.Algorithm != string(apiKeyEncryptionAlgorithm) {
+		return "", xerrors.Errorf("expected API key encryption algorithm to be %q, got %q", apiKeyEncryptionAlgorithm, object.Header.Algorithm)
+	}
 
 	// Decrypt using the hashed secret.
-	decrypted, err := object.Decrypt(k[:32])
+	decrypted, err := object.Decrypt(k[64:])
 	if err != nil {
 		return "", xerrors.Errorf("decrypt API key: %w", err)
 	}
diff --git a/coderd/workspaceapps/token_test.go b/coderd/workspaceapps/token_test.go
@@ -301,8 +301,11 @@ func Test_ParseToken(t *testing.T) {
 		t.Parallel()
 
 		// Create a valid token using a different key.
-		otherKey, err := workspaceapps.KeyFromString("62656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164")
-		require.NoError(t, err)
+		var otherKey workspaceapps.SigningKey
+		copy(otherKey[:], coderdtest.AppSigningKey[:])
+		for i := range otherKey {
+			otherKey[i] ^= 0xff
+		}
 		require.NotEqual(t, coderdtest.AppSigningKey, otherKey)
 
 		tokenStr, err := otherKey.SignToken(workspaceapps.SignedToken{
@@ -334,7 +337,7 @@ func Test_ParseToken(t *testing.T) {
 		t.Parallel()
 
 		// Create a signature for an invalid body.
-		signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS512, Key: coderdtest.AppSigningKey[:]}, nil)
+		signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS512, Key: coderdtest.AppSigningKey[:64]}, nil)
 		require.NoError(t, err)
 		signedObject, err := signer.Sign([]byte("hi"))
 		require.NoError(t, err)
@@ -395,8 +398,11 @@ func TestAPIKeyEncryption(t *testing.T) {
 			t.Parallel()
 
 			// Create a valid token using a different key.
-			otherKey, err := workspaceapps.KeyFromString("62656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164")
-			require.NoError(t, err)
+			var otherKey workspaceapps.SigningKey
+			copy(otherKey[:], coderdtest.AppSigningKey[:])
+			for i := range otherKey {
+				otherKey[i] ^= 0xff
+			}
 			require.NotEqual(t, coderdtest.AppSigningKey, otherKey)
 
 			// Encrypt with the other key.

Original file line number	Diff line number	Diff line change
`@@ -384,9 +384,9 @@ func (q *querier) GetAppSigningKey(ctx context.Context) (string, error) {`
`384`	`384`	`return q.db.GetAppSigningKey(ctx)`
`385`	`385`	`}`
`386`	`386`
`387`		`-func (q *querier) InsertAppSigningKey(ctx context.Context, data string) error {`
	`387`	`+func (q *querier) UpsertAppSigningKey(ctx context.Context, data string) error {`
`388`	`388`	`// No authz checks as this is done during startup`
`389`		`- return q.db.InsertAppSigningKey(ctx, data)`
	`389`	`+ return q.db.UpsertAppSigningKey(ctx, data)`
`390`	`390`	`}`
`391`	`391`
`392`	`392`	`func (q *querier) GetServiceBanner(ctx context.Context) (string, error) {`
Original file line number	Diff line number	Diff line change
`@@ -4451,7 +4451,7 @@ func (q *fakeQuerier) GetAppSigningKey(_ context.Context) (string, error) {`
`4451`	`4451`	`return q.appSigningKey, nil`
`4452`	`4452`	`}`
`4453`	`4453`
`4454`		`-func (q *fakeQuerier) InsertAppSigningKey(_ context.Context, data string) error {`
	`4454`	`+func (q *fakeQuerier) UpsertAppSigningKey(_ context.Context, data string) error {`
`4455`	`4455`	`q.mutex.Lock()`
`4456`	`4456`	`defer q.mutex.Unlock()`
`4457`	`4457`