dbcrypt.New now marks database as encrypted

johnstcn · johnstcn · commit cbd776fb4c3c · 2023-08-24T10:36:58.000Z
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -65,9 +65,14 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	ctx, cancelFunc := context.WithCancel(ctx)
 
 	externalTokenCipher := &atomic.Pointer[dbcrypt.Cipher]{}
-	options.Database = dbcrypt.New(options.Database, &dbcrypt.Options{
+	cryptDB, err := dbcrypt.New(ctx, options.Database, &dbcrypt.Options{
 		ExternalTokenCipher: externalTokenCipher,
 	})
+	if err != nil {
+		cancelFunc()
+		return nil, xerrors.Errorf("init dbcrypt: %w", err)
+	}
+	options.Database = cryptDB
 
 	api := &API{
 		ctx:                 ctx,
diff --git a/enterprise/dbcrypt/dbcrypt.go b/enterprise/dbcrypt/dbcrypt.go
@@ -13,6 +13,7 @@ import (
 	"cdr.dev/slog"
 
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 )
 
 // MagicPrefix is prepended to all encrypted values in the database.
@@ -25,7 +26,7 @@ const MagicPrefix = "dbcrypt-"
 // Otherwise, the value is encrypted.
 const sentinelValue = "coder"
 
-var ErrNotEncrypted = xerrors.New("database is not encrypted")
+var ErrNotEnabled = xerrors.New("encryption is not enabled")
 
 type Options struct {
 	// ExternalTokenCipher is an optional cipher that is used
@@ -37,11 +38,15 @@ type Options struct {
 
 // New creates a database.Store wrapper that encrypts/decrypts values
 // stored at rest in the database.
-func New(db database.Store, options *Options) database.Store {
-	return &dbCrypt{
+func New(ctx context.Context, db database.Store, options *Options) (database.Store, error) {
+	dbc := &dbCrypt{
 		Options: options,
 		Store:   db,
 	}
+	if err := ensureEncrypted(dbauthz.AsSystemRestricted(ctx), dbc); err != nil {
+		return nil, xerrors.Errorf("ensure encrypted database fields: %w", err)
+	}
+	return dbc, nil
 }
 
 type dbCrypt struct {
@@ -61,14 +66,8 @@ func (db *dbCrypt) InTx(function func(database.Store) error, txOpts *sql.TxOptio
 func (db *dbCrypt) GetDBCryptSentinelValue(ctx context.Context) (string, error) {
 	rawValue, err := db.Store.GetDBCryptSentinelValue(ctx)
 	if err != nil {
-		if errors.Is(err, sql.ErrNoRows) {
-			return "", ErrNotEncrypted
-		}
 		return "", err
 	}
-	if rawValue == sentinelValue {
-		return "", ErrNotEncrypted
-	}
 	return rawValue, db.decryptFields(&rawValue)
 }
 
@@ -171,7 +170,7 @@ func (db *dbCrypt) decryptFields(fields ...*string) error {
 			if strings.HasPrefix(*field, MagicPrefix) {
 				// If we have a magic prefix but encryption is disabled,
 				// complain loudly.
-				return xerrors.Errorf("failed to decrypt field %q: encryption is disabled", *field)
+				return xerrors.Errorf("failed to decrypt field %q: %w", *field, ErrNotEnabled)
 			}
 		}
 		return nil
@@ -183,7 +182,7 @@ func (db *dbCrypt) decryptFields(fields ...*string) error {
 			continue
 		}
 		if len(*field) < len(MagicPrefix) || !strings.HasPrefix(*field, MagicPrefix) {
-			// We do not force encryption of unencrypted rows. This could be damaging
+			// We do not force decryption of unencrypted rows. This could be damaging
 			// to the deployment, and admins can always manually purge data.
 			continue
 		}
@@ -201,3 +200,29 @@ func (db *dbCrypt) decryptFields(fields ...*string) error {
 	}
 	return nil
 }
+
+func ensureEncrypted(ctx context.Context, dbc *dbCrypt) error {
+	return dbc.InTx(func(s database.Store) error {
+		val, err := s.GetDBCryptSentinelValue(ctx)
+		if err != nil {
+			if !errors.Is(err, sql.ErrNoRows) {
+				return err
+			}
+		}
+
+		if val != "" && val != sentinelValue {
+			// TODO: Handle key rotation.
+			return xerrors.Errorf("database is already encrypted with a different key and key rotation is not implemented yet")
+		}
+
+		if val == sentinelValue {
+			return nil // nothing to do!
+		}
+
+		if err := s.SetDBCryptSentinelValue(ctx, sentinelValue); err != nil {
+			return xerrors.Errorf("mark database as encrypted: %w", err)
+		}
+
+		return nil
+	}, nil)
+}
diff --git a/enterprise/dbcrypt/dbcrypt_test.go b/enterprise/dbcrypt/dbcrypt_test.go
@@ -27,7 +27,6 @@ func TestUserLinks(t *testing.T) {
 	t.Run("InsertUserLink", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		user := dbgen.User(t, crypt, database.User{})
 		link := dbgen.UserLink(t, crypt, database.UserLink{
 			UserID:            user.ID,
@@ -43,7 +42,6 @@ func TestUserLinks(t *testing.T) {
 	t.Run("UpdateUserLink", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		user := dbgen.User(t, crypt, database.User{})
 		link := dbgen.UserLink(t, crypt, database.UserLink{
 			UserID: user.ID,
@@ -64,7 +62,6 @@ func TestUserLinks(t *testing.T) {
 	t.Run("GetUserLinkByLinkedID", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		user := dbgen.User(t, crypt, database.User{})
 		link := dbgen.UserLink(t, crypt, database.UserLink{
 			UserID:            user.ID,
@@ -86,7 +83,6 @@ func TestUserLinks(t *testing.T) {
 	t.Run("GetUserLinkByUserIDLoginType", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		user := dbgen.User(t, crypt, database.User{})
 		link := dbgen.UserLink(t, crypt, database.UserLink{
 			UserID:            user.ID,
@@ -119,7 +115,6 @@ func TestGitAuthLinks(t *testing.T) {
 	t.Run("InsertGitAuthLink", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		link := dbgen.GitAuthLink(t, crypt, database.GitAuthLink{
 			OAuthAccessToken:  "access",
 			OAuthRefreshToken: "refresh",
@@ -136,7 +131,6 @@ func TestGitAuthLinks(t *testing.T) {
 	t.Run("UpdateGitAuthLink", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		link := dbgen.GitAuthLink(t, crypt, database.GitAuthLink{})
 		_, err := crypt.UpdateGitAuthLink(ctx, database.UpdateGitAuthLinkParams{
 			ProviderID:        link.ProviderID,
@@ -157,7 +151,6 @@ func TestGitAuthLinks(t *testing.T) {
 	t.Run("GetGitAuthLink", func(t *testing.T) {
 		t.Parallel()
 		db, crypt, cipher := setup(t)
-		initCipher(t, cipher)
 		link := dbgen.GitAuthLink(t, crypt, database.GitAuthLink{
 			OAuthAccessToken:  "access",
 			OAuthRefreshToken: "refresh",
@@ -181,37 +174,90 @@ func TestGitAuthLinks(t *testing.T) {
 	})
 }
 
-func TestDBCryptSentinelValue(t *testing.T) {
+func TestNew(t *testing.T) {
 	t.Parallel()
-	ctx := context.Background()
-	db, crypt, cipher := setup(t)
-	// Initially, the database will not be encrypted.
-	_, err := db.GetDBCryptSentinelValue(ctx)
-	require.ErrorIs(t, err, sql.ErrNoRows)
-	_, err = crypt.GetDBCryptSentinelValue(ctx)
-	require.EqualError(t, err, dbcrypt.ErrNotEncrypted.Error())
 
-	// Now, we'll encrypt the value.
-	initCipher(t, cipher)
-	err = crypt.SetDBCryptSentinelValue(ctx, "coder")
-	require.NoError(t, err)
+	t.Run("OK", func(t *testing.T) {
+		// Given: a cipher is loaded
+		cipher := &atomic.Pointer[dbcrypt.Cipher]{}
+		initCipher(t, cipher)
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		rawDB, _ := dbtestutil.NewDB(t)
 
-	// The value should be encrypted in the database.
-	crypted, err := db.GetDBCryptSentinelValue(ctx)
-	require.NoError(t, err)
-	require.NotEqual(t, "coder", crypted)
-	decrypted, err := crypt.GetDBCryptSentinelValue(ctx)
-	require.NoError(t, err)
-	require.Equal(t, "coder", decrypted)
-	requireEncryptedEquals(t, cipher, crypted, "coder")
+		// When: we init the crypt db
+		cryptDB, err := dbcrypt.New(ctx, rawDB, &dbcrypt.Options{
+			ExternalTokenCipher: cipher,
+			Logger:              slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		})
+		require.NoError(t, err)
 
-	// Reset the key and empty values should be returned!
-	initCipher(t, cipher)
+		// Then: the sentinel value is encrypted
+		cryptVal, err := cryptDB.GetDBCryptSentinelValue(ctx)
+		require.NoError(t, err)
+		require.Equal(t, "coder", cryptVal)
 
-	_, err = db.GetDBCryptSentinelValue(ctx) // We can still read the raw value
-	require.NoError(t, err)
-	_, err = crypt.GetDBCryptSentinelValue(ctx) // Decryption should fail
-	require.ErrorIs(t, err, sql.ErrNoRows)
+		rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)
+		require.NoError(t, err)
+		require.Contains(t, rawVal, dbcrypt.MagicPrefix)
+	})
+
+	t.Run("NoCipher", func(t *testing.T) {
+		// Given: no cipher is loaded
+		cipher := &atomic.Pointer[dbcrypt.Cipher]{}
+		// initCipher(t, cipher)
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		rawDB, _ := dbtestutil.NewDB(t)
+
+		// When: we init the crypt db
+		cryptDB, err := dbcrypt.New(ctx, rawDB, &dbcrypt.Options{
+			ExternalTokenCipher: cipher,
+			Logger:              slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		})
+		require.NoError(t, err)
+
+		// Then: the sentinel value is not encrypted
+		cryptVal, err := cryptDB.GetDBCryptSentinelValue(ctx)
+		require.NoError(t, err)
+		require.Equal(t, "coder", cryptVal)
+
+		rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)
+		require.NoError(t, err)
+		require.Equal(t, "coder", rawVal)
+	})
+
+	t.Run("CipherChanged", func(t *testing.T) {
+		// Given: no cipher is loaded
+		cipher := &atomic.Pointer[dbcrypt.Cipher]{}
+		initCipher(t, cipher)
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+		rawDB, _ := dbtestutil.NewDB(t)
+
+		// And: the sentinel value is encrypted with a different cipher
+		cipher2 := &atomic.Pointer[dbcrypt.Cipher]{}
+		initCipher(t, cipher2)
+		field := "coder"
+		encrypted, err := (*cipher2.Load()).Encrypt([]byte(field))
+		require.NoError(t, err)
+		b64encrypted := base64.StdEncoding.EncodeToString(encrypted)
+		require.NoError(t, rawDB.SetDBCryptSentinelValue(ctx, b64encrypted))
+
+		// When: we init the crypt db
+		_, err = dbcrypt.New(ctx, rawDB, &dbcrypt.Options{
+			ExternalTokenCipher: cipher,
+			Logger:              slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		})
+		// Then: an error is returned
+		// TODO: when we implement key rotation, this should not fail.
+		require.ErrorContains(t, err, "database is already encrypted with a different key")
+
+		// And the sentinel value should remain unchanged. For now.
+		rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)
+		require.NoError(t, err)
+		require.Equal(t, b64encrypted, rawVal)
+	})
 }
 
 func requireEncryptedEquals(t *testing.T, cipher *atomic.Pointer[dbcrypt.Cipher], value, expected string) {
@@ -238,10 +284,28 @@ func initCipher(t *testing.T, cipher *atomic.Pointer[dbcrypt.Cipher]) {
 
 func setup(t *testing.T) (db, cryptodb database.Store, cipher *atomic.Pointer[dbcrypt.Cipher]) {
 	t.Helper()
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
 	rawDB, _ := dbtestutil.NewDB(t)
+
+	_, err := rawDB.GetDBCryptSentinelValue(ctx)
+	require.ErrorIs(t, err, sql.ErrNoRows)
+
 	cipher = &atomic.Pointer[dbcrypt.Cipher]{}
-	return rawDB, dbcrypt.New(rawDB, &dbcrypt.Options{
+	initCipher(t, cipher)
+	cryptDB, err := dbcrypt.New(ctx, rawDB, &dbcrypt.Options{
 		ExternalTokenCipher: cipher,
 		Logger:              slogtest.Make(t, nil).Leveled(slog.LevelDebug),
-	}), cipher
+	})
+	require.NoError(t, err)
+
+	rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)
+	require.NoError(t, err)
+	require.Contains(t, rawVal, dbcrypt.MagicPrefix)
+
+	cryptVal, err := cryptDB.GetDBCryptSentinelValue(ctx)
+	require.NoError(t, err)
+	require.Equal(t, "coder", cryptVal)
+
+	return rawDB, cryptDB, cipher
 }
