Skip to content

Commit c52693f

Browse files
code-ashercode-asher
committed
Use userpassword.Hash
1 parent 3217f15 commit c52693f

File tree

4 files changed

+38
-23
lines changed

4 files changed

+38
-23
lines changed

enterprise/coderd/identityprovider/authorize.go

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ import (
1414
"github.com/coder/coder/v2/coderd/database/dbtime"
1515
"github.com/coder/coder/v2/coderd/httpapi"
1616
"github.com/coder/coder/v2/coderd/httpmw"
17+
"github.com/coder/coder/v2/coderd/userpassword"
1718
"github.com/coder/coder/v2/codersdk"
1819
"github.com/coder/coder/v2/cryptorand"
1920
)
@@ -88,7 +89,13 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
8889
})
8990
return
9091
}
91-
hashedCode := Hash(rawCode, app.ID)
92+
hashedCode, err := userpassword.Hash(rawCode)
93+
if err != nil {
94+
httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
95+
Message: "Failed to hash OAuth2 app authorization code.",
96+
})
97+
return
98+
}
9299
err = db.InTx(func(tx database.Store) error {
93100
// Delete any previous codes.
94101
err = tx.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams{
@@ -105,7 +112,7 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
105112
CreatedAt: dbtime.Now(),
106113
// TODO: Configurable expiration? Ten minutes matches GitHub.
107114
ExpiresAt: dbtime.Now().Add(time.Duration(10) * time.Minute),
108-
HashedSecret: hashedCode[:],
115+
HashedSecret: []byte(hashedCode),
109116
AppID: app.ID,
110117
UserID: apiKey.UserID,
111118
})

enterprise/coderd/identityprovider/tokens.go

Lines changed: 13 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,6 @@ import (
1010
"time"
1111

1212
"github.com/google/uuid"
13-
"golang.org/x/crypto/argon2"
1413
"golang.org/x/oauth2"
1514
"golang.org/x/xerrors"
1615

@@ -21,6 +20,7 @@ import (
2120
"github.com/coder/coder/v2/coderd/httpapi"
2221
"github.com/coder/coder/v2/coderd/httpmw"
2322
"github.com/coder/coder/v2/coderd/rbac"
23+
"github.com/coder/coder/v2/coderd/userpassword"
2424
"github.com/coder/coder/v2/codersdk"
2525
"github.com/coder/coder/v2/cryptorand"
2626
)
@@ -111,20 +111,23 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
111111

112112
func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, clientSecret, code string) (oauth2.Token, error) {
113113
// Validate the client secret.
114-
secretHash := Hash(clientSecret, app.ID)
114+
secretHash, err := userpassword.Hash(clientSecret)
115+
if err != nil {
116+
return oauth2.Token{}, err
117+
}
115118
secret, err := db.GetOAuth2ProviderAppSecretByAppIDAndSecret(
116119
//nolint:gocritic // Users cannot read secrets so we must use the system.
117120
dbauthz.AsSystemRestricted(ctx),
118121
database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
119122
AppID: app.ID,
120-
HashedSecret: secretHash[:],
123+
HashedSecret: []byte(secretHash),
121124
})
122125
if err != nil {
123126
return oauth2.Token{}, err
124127
}
125128

126129
// Validate the authorization code.
127-
codeHash := Hash(code, app.ID)
130+
codeHash, err := userpassword.Hash(code)
128131
if err != nil {
129132
return oauth2.Token{}, err
130133
}
@@ -133,7 +136,7 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
133136
dbauthz.AsSystemRestricted(ctx),
134137
database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
135138
AppID: app.ID,
136-
HashedSecret: codeHash[:],
139+
HashedSecret: []byte(codeHash),
137140
})
138141
if err != nil {
139142
return oauth2.Token{}, err
@@ -208,12 +211,15 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
208211
return xerrors.Errorf("insert oauth2 access token: %w", err)
209212
}
210213

211-
hashed := Hash(rawRefreshToken, app.ID)
214+
refreshHash, err := userpassword.Hash(rawRefreshToken)
215+
if err != nil {
216+
return xerrors.Errorf("hash oauth2 refresh token: %w", err)
217+
}
212218
_, err = tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{
213219
ID: uuid.New(),
214220
CreatedAt: dbtime.Now(),
215221
ExpiresAt: key.ExpiresAt,
216-
RefreshHash: hashed[:],
222+
RefreshHash: []byte(refreshHash),
217223
AppSecretID: secret.ID,
218224
APIKeyID: newKey.ID,
219225
})
@@ -234,12 +240,3 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
234240
// Expiry: key.ExpiresAt,
235241
}, nil
236242
}
237-
238-
/**
239-
* Hash uses argon2 to hash the secret using the ID as the salt.
240-
*/
241-
func Hash(secret string, id uuid.UUID) []byte {
242-
b := []byte(secret)
243-
// TODO: Expose iterations, memory, and threads as configuration values?
244-
return argon2.IDKey(b, []byte(id.String()), 1, 64*1024, 2, uint32(len(b)))
245-
}

enterprise/coderd/oauth2.go

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ import (
1212
"github.com/coder/coder/v2/coderd/database/dbtime"
1313
"github.com/coder/coder/v2/coderd/httpapi"
1414
"github.com/coder/coder/v2/coderd/httpmw"
15+
"github.com/coder/coder/v2/coderd/userpassword"
1516
"github.com/coder/coder/v2/codersdk"
1617
"github.com/coder/coder/v2/cryptorand"
1718
"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
@@ -241,11 +242,18 @@ func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Requ
241242
})
242243
return
243244
}
244-
hashed := identityprovider.Hash(rawSecret, app.ID)
245+
hashed, err := userpassword.Hash(rawSecret)
246+
if err != nil {
247+
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
248+
Message: "Failed to hash OAuth2 client secret.",
249+
Detail: err.Error(),
250+
})
251+
return
252+
}
245253
secret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
246254
ID: uuid.New(),
247255
CreatedAt: dbtime.Now(),
248-
HashedSecret: hashed[:],
256+
HashedSecret: []byte(hashed),
249257
// DisplaySecret is the last six characters of the original unhashed secret.
250258
// This is done so they can be differentiated and it matches how GitHub
251259
// displays their client secrets.

enterprise/coderd/oauth2_test.go

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,10 @@ import (
1919
"github.com/coder/coder/v2/coderd/database/dbtestutil"
2020
"github.com/coder/coder/v2/coderd/database/dbtime"
2121
"github.com/coder/coder/v2/coderd/httpmw"
22+
"github.com/coder/coder/v2/coderd/userpassword"
2223
"github.com/coder/coder/v2/coderd/util/ptr"
2324
"github.com/coder/coder/v2/codersdk"
2425
"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
25-
"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
2626
"github.com/coder/coder/v2/enterprise/coderd/license"
2727
"github.com/coder/coder/v2/testutil"
2828
)
@@ -602,12 +602,15 @@ func TestOAuth2ProviderTokenExchange(t *testing.T) {
602602
tokenError: "Invalid client secret or code",
603603
setup: func(ctx context.Context, client *codersdk.Client, user codersdk.User) error {
604604
// Insert an expired code.
605-
hashedCode := identityprovider.Hash("some-code", apps.Default.ID)
605+
hashedCode, err := userpassword.Hash("some-code")
606+
if err != nil {
607+
return err
608+
}
606609
_, err = db.InsertOAuth2ProviderAppCode(ctx, database.InsertOAuth2ProviderAppCodeParams{
607610
ID: uuid.New(),
608611
CreatedAt: dbtime.Now().Add(-time.Minute * 11),
609612
ExpiresAt: dbtime.Now().Add(-time.Minute),
610-
HashedSecret: hashedCode[:],
613+
HashedSecret: []byte(hashedCode),
611614
AppID: apps.Default.ID,
612615
UserID: user.ID,
613616
})

0 commit comments

Comments
 (0)