
Commit b4eb230

committed
hm
1 parent ecc125d commit b4eb230


5 files changed

+35
-27
lines changed


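--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -448,14 +448,6 @@ func New(options *Options) *API {
 if err != nil {
 panic(xerrors.Errorf("get deployment ID: %w", err))
 }
-appSigningKeyCache, err := cryptokeys.NewSigningCache(options.Logger.Named("app_signing_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsToken)
-if err != nil {
-options.Logger.Fatal(ctx, "failed to initialize app signing key cache", slog.Error(err))
-}
-appEncryptingKeyCache, err := cryptokeys.NewEncryptionCache(options.Logger.Named("app_encrypting_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsAPIKey)
-if err != nil {
-options.Logger.Fatal(ctx, "failed to initialize app encrypting key cache", slog.Error(err))
-}
 api := &API{
 ctx: ctx,
 cancel: cancel,
@@ -476,7 +468,7 @@ func New(options *Options) *API {
 options.DeploymentValues,
 oauthConfigs,
 options.AgentInactiveDisconnectTimeout,
-appSigningKeyCache,
+options.AppSigningKeyCache,
 ),
 metricsCache: metricsCache,
 Auditor: atomic.Pointer[audit.Auditor]{},
@@ -661,8 +653,8 @@ func New(options *Options) *API {
 
 DisablePathApps: options.DeploymentValues.DisablePathApps.Value(),
 SecureAuthCookie: options.DeploymentValues.SecureAuthCookie.Value(),
-Signer: appSigningKeyCache,
-EncryptingKeyManager: appEncryptingKeyCache,
+Signer: options.AppSigningKeyCache,
+EncryptingKeyManager: options.AppEncryptionKeyCache,
 }
 
 apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{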
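Review bot: The three replaced lines now read `options.AppSigningKeyCache` and `options.AppEncryptionKeyCache` straight from Options, but the fail-fast the removed `cryptokeys.New*Cache` block gave at startup has no visible replacement, so a caller that leaves either field nil gets a nil dereference on the first workspace-app token signed or API key encrypted instead of at boot. Unless Options is validated before this point (New begins above the first hunk, so I cannot see it), add a guard next to the deployment-ID check: `if options.AppSigningKeyCache == nil || options.AppEncryptionKeyCache == nil {` / `options.Logger.Fatal(ctx, "app signing and encryption key caches must be provided")` / `}`. The two new field names also disagree in form (Signing vs Encryption, where the removed locals were Signing vs Encrypting); pick one pairing so the key material is easy to find by grep.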

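--- a/coderd/cryptokeys/rotate.go
+++ b/coderd/cryptokeys/rotate.go
@@ -56,7 +56,7 @@ func WithKeyDuration(keyDuration time.Duration) RotatorOption {
 // Canceling the provided context will stop the background process.
 func StartRotator(ctx context.Context, logger slog.Logger, db database.Store, opts ...RotatorOption) error {
 //nolint:gocritic // KeyRotator can only rotate crypto keys.
-ctx = dbauthz.AsSystemRestricted(ctx)
+ctx = dbauthz.AsKeyRotator(ctx)
 kr := &rotator{
 db: db,
 logger: logger,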
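Review bot: The `//nolint:gocritic` comment directly above the changed line still only says the rotator can only rotate keys; now that the actor is swapped for the dedicated key-rotator subject it should also record that whatever actor the caller put in `ctx` is deliberately discarded, since that is the least-privilege property this commit is buying. Something like `//nolint:gocritic // Runs as the key-rotator subject, which is limited to CryptoKey resources; the caller's actor is intentionally dropped.` StartRotator's body continues below the hunk.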

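--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -229,15 +229,33 @@ var (
 }.WithCachedASTValue()
 
 // See cryptokeys package.
-subjectCryptoKey = rbac.Subject{
+subjectCryptoKeyRotator = rbac.Subject{
 FriendlyName: "Crypto Key Rotator",
 ID: uuid.Nil.String(),
 Roles: rbac.Roles([]rbac.Role{
 {
 Identifier: rbac.RoleIdentifier{Name: "keyrotator"},
 DisplayName: "Key Rotator",
 Site: rbac.Permissions(map[string][]policy.Action{
-rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol, policy.ActionRead},
+rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
+}),
+Org: map[string][]rbac.Permission{},
+User: []rbac.Permission{},
+},
+}),
+Scope: rbac.ScopeAll,
+}.WithCachedASTValue()
+
+// See cryptokeys package.
+subjectCryptoKeyReader = rbac.Subject{
+FriendlyName: "Crypto Key Reader",
+ID: uuid.Nil.String(),
+Roles: rbac.Roles([]rbac.Role{
+{
+Identifier: rbac.RoleIdentifier{Name: "keyrotator"},
+DisplayName: "Key Rotator",
+Site: rbac.Permissions(map[string][]policy.Action{
+rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
 }),
 Org: map[string][]rbac.Permission{},
 User: []rbac.Permission{},
@@ -301,7 +319,12 @@ func AsHangDetector(ctx context.Context) context.Context {
 
 // AsKeyRotator returns a context with an actor that has permissions required for rotating crypto keys.
 func AsKeyRotator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKey)
+return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyRotator)
+}
+
+// AsKeyReader returns a context with an actor that has permissions required for reading crypto keys.
+func AsKeyReader(ctx context.Context) context.Context {
+return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyReader)
 }
 
 // AsSystemRestricted returns a context with an actor that has permissions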
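Review bot: `subjectCryptoKeyReader` is granted `{policy.WildcardSymbol}` on `rbac.ResourceCryptoKey.Type`, exactly what the rotator gets, so a context from AsKeyReader can create, update and delete keys and the split into two subjects gives no privilege reduction; the doc comment on AsKeyReader promises "permissions required for reading". The reader's role also copies `Name: "keyrotator"` and `DisplayName: "Key Rotator"`, so anything keyed on role identity (audit, logs) cannot tell the two actors apart. Change the reader's role to `Identifier: rbac.RoleIdentifier{Name: "keyreader"},`, `DisplayName: "Key Reader",` and `rbac.ResourceCryptoKey.Type: {policy.ActionRead},`. The reader subject's Scope and closing lines fall after the hunk, so I am assuming it mirrors the rotator's `rbac.ScopeAll`.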

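--- a/coderd/workspaceapps/db.go
+++ b/coderd/workspaceapps/db.go
@@ -38,7 +38,7 @@ type DBTokenProvider struct {
 DeploymentValues *codersdk.DeploymentValues
 OAuth2Configs *httpmw.OAuth2Configs
 WorkspaceAgentInactiveTimeout time.Duration
-Signer jwtutils.SigningKeyManager
+TokenSigner jwtutils.SigningKeyManager
 }
 
 var _ SignedTokenProvider = &DBTokenProvider{}
@@ -56,12 +56,12 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz
 DeploymentValues: cfg,
 OAuth2Configs: oauth2Cfgs,
 WorkspaceAgentInactiveTimeout: workspaceAgentInactiveTimeout,
-Signer: signer,
+TokenSigner: signer,
 }
 }
 
 func (p *DBTokenProvider) FromRequest(r *http.Request) (*SignedToken, bool) {
-return FromRequest(r, p.Signer)
+return FromRequest(r, p.TokenSigner)
 }
 
 func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {
@@ -217,7 +217,7 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
 token.Claims = jwt.Claims{
 Expiry: jwt.NewNumericDate(time.Now().Add(DefaultTokenExpiry)),
 }
-tokenStr, err := jwtutils.Sign(ctx, p.Signer, token)
+tokenStr, err := jwtutils.Sign(ctx, p.TokenSigner, token)
 if err != nil {
 WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "generate token")
 return nil, "", false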

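--- a/tailnet/resume.go
+++ b/tailnet/resume.go
@@ -21,15 +21,8 @@ import (
 
 const (
 DefaultResumeTokenExpiry = 24 * time.Hour
-
-resumeTokenSigningAlgorithm = jose.HS512
 )
 
-// resumeTokenSigningKeyID is a fixed key ID for the resume token signing key.
-// If/when we add support for multiple keys (e.g. key rotation), this will move
-// to the database instead.
-var resumeTokenSigningKeyID = uuid.MustParse("97166747-9309-4d7f-9071-a230e257c2a4")
-
 // NewInsecureTestResumeTokenProvider returns a ResumeTokenProvider that uses a
 // random key with short expiry for testing purposes. If any errors occur while
 // generating the key, the function panics.
@@ -40,7 +33,7 @@ func NewInsecureTestResumeTokenProvider() ResumeTokenProvider {
 }
 return NewResumeTokenKeyProvider(jwtutils.StaticKeyManager{
 ID: uuid.New().String(),
-Key: key,
+Key: key[:],
 }, quartz.NewReal(), time.Hour)
 }
 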
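Review bot: With `resumeTokenSigningAlgorithm = jose.HS512` and the fixed `resumeTokenSigningKeyID` removed, nothing left in this file pins which algorithm or key a resume token is signed and verified with; that now lives in `jwtutils` and the key manager handed to `NewResumeTokenKeyProvider`, neither of which is visible here. Worth a comment on the remaining `const` block such as `// Signing algorithm and key ID are supplied by the jwtutils key manager; the verifier must reject tokens whose header alg differs from the signing alg.`, and a check that the verification path really does enforce that, since accepting whatever `alg` the token header carries is the classic JWT confusion bug. If `jose` is no longer referenced elsewhere in the file, the import block just above the first hunk also needs trimming. The `key[:]` on the last changed line suggests `key` became a fixed-size array; the resulting slice aliases the local array, which is harmless for this one-shot test helper.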
