remove composite jwtutil interfaces

sreya · sreya · commit d16e98f8f752 · 2024-10-17T02:29:12.000Z
diff --git a/coderd/cryptokeys/cache.go b/coderd/cryptokeys/cache.go
@@ -13,7 +13,6 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/quartz"
@@ -73,7 +72,7 @@ func (d *DBFetcher) Fetch(ctx context.Context, feature codersdk.CryptoKeyFeature
 		return nil, xerrors.Errorf("get crypto keys by feature: %w", err)
 	}
 
-	return db2sdk.CryptoKeys(keys), nil
+	return toSDKKeys(keys), nil
 }
 
 // cache implements the caching functionality for both signing and encryption keys.
@@ -378,3 +377,54 @@ func (c *cache) Close() error {
 
 	return nil
 }
+
+// StaticKey fulfills the SigningKeycache and EncryptionKeycache interfaces. Useful for testing.
+type StaticKey struct {
+	ID  string
+	Key interface{}
+}
+
+func (s StaticKey) SigningKey(_ context.Context) (string, interface{}, error) {
+	return s.ID, s.Key, nil
+}
+
+func (s StaticKey) VerifyingKey(_ context.Context, id string) (interface{}, error) {
+	if id != s.ID {
+		return nil, xerrors.Errorf("invalid id %q", id)
+	}
+	return s.Key, nil
+}
+
+func (s StaticKey) EncryptingKey(_ context.Context) (string, interface{}, error) {
+	return s.ID, s.Key, nil
+}
+
+func (s StaticKey) DecryptingKey(_ context.Context, id string) (interface{}, error) {
+	if id != s.ID {
+		return nil, xerrors.Errorf("invalid id %q", id)
+	}
+	return s.Key, nil
+}
+
+func (s StaticKey) Close() error {
+	return nil
+}
+
+// We have to do this to avoid a circular dependency on db2sdk (cryptokeys -> db2sdk -> tailnet -> cryptokeys)
+func toSDKKeys(keys []database.CryptoKey) []codersdk.CryptoKey {
+	into := make([]codersdk.CryptoKey, 0, len(keys))
+	for _, key := range keys {
+		into = append(into, toSDK(key))
+	}
+	return into
+}
+
+func toSDK(key database.CryptoKey) codersdk.CryptoKey {
+	return codersdk.CryptoKey{
+		Feature:   codersdk.CryptoKeyFeature(key.Feature),
+		Sequence:  key.Sequence,
+		StartsAt:  key.StartsAt,
+		DeletesAt: key.DeletesAt.Time,
+		Secret:    key.Secret.String,
+	}
+}
diff --git a/coderd/jwtutils/jwe.go b/coderd/jwtutils/jwe.go
@@ -15,11 +15,6 @@ const (
 	encryptContentAlgo = jose.A256GCM
 )
 
-type EncryptingKeyManager interface {
-	EncryptKeyProvider
-	DecryptKeyProvider
-}
-
 type EncryptKeyProvider interface {
 	EncryptingKey(ctx context.Context) (id string, key interface{}, err error)
 }
diff --git a/coderd/jwtutils/jws.go b/coderd/jwtutils/jws.go
@@ -24,27 +24,6 @@ const (
 	signingAlgo = jose.HS512
 )
 
-type StaticKeyManager struct {
-	ID  string
-	Key interface{}
-}
-
-func (s StaticKeyManager) SigningKey(_ context.Context) (string, interface{}, error) {
-	return s.ID, s.Key, nil
-}
-
-func (s StaticKeyManager) VerifyingKey(_ context.Context, id string) (interface{}, error) {
-	if id != s.ID {
-		return nil, xerrors.Errorf("invalid id %q", id)
-	}
-	return s.Key, nil
-}
-
-type SigningKeyManager interface {
-	SigningKeyProvider
-	VerifyKeyProvider
-}
-
 type SigningKeyProvider interface {
 	SigningKey(ctx context.Context) (id string, key interface{}, err error)
 }
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -28,6 +28,7 @@ import (
 	agentproto "github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
@@ -36,7 +37,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/externalauth"
-	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
@@ -558,7 +558,7 @@ func TestWorkspaceAgentClientCoordinate_ResumeToken(t *testing.T) {
 	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
-	mgr := jwtutils.StaticKeyManager{
+	mgr := cryptokeys.StaticKey{
 		ID:  uuid.New().String(),
 		Key: resumeTokenSigningKey[:],
 	}
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -16,6 +16,7 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
@@ -38,12 +39,12 @@ type DBTokenProvider struct {
 	DeploymentValues              *codersdk.DeploymentValues
 	OAuth2Configs                 *httpmw.OAuth2Configs
 	WorkspaceAgentInactiveTimeout time.Duration
-	TokenSigner                   jwtutils.SigningKeyManager
+	TokenSigner                   cryptokeys.SigningKeycache
 }
 
 var _ SignedTokenProvider = &DBTokenProvider{}
 
-func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, workspaceAgentInactiveTimeout time.Duration, signer jwtutils.SigningKeyManager) SignedTokenProvider {
+func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, workspaceAgentInactiveTimeout time.Duration, signer cryptokeys.SigningKeycache) SignedTokenProvider {
 	if workspaceAgentInactiveTimeout == 0 {
 		workspaceAgentInactiveTimeout = 1 * time.Minute
 	}
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -21,6 +21,7 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/agent/agentssh"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
@@ -100,8 +101,8 @@ type Server struct {
 	HostnameRegex *regexp.Regexp
 	RealIPConfig  *httpmw.RealIPConfig
 
-	SignedTokenProvider SignedTokenProvider
-	APIKeyEncryptionKey jwtutils.EncryptingKeyManager
+	SignedTokenProvider      SignedTokenProvider
+	APIKeyEncryptionKeycache cryptokeys.EncryptionKeycache
 
 	// DisablePathApps disables path-based apps. This is a security feature as path
 	// based apps share the same cookie as the dashboard, and are susceptible to XSS
@@ -180,7 +181,7 @@ func (s *Server) handleAPIKeySmuggling(rw http.ResponseWriter, r *http.Request,
 
 	// Exchange the encoded API key for a real one.
 	var payload EncryptedAPIKeyPayload
-	err := jwtutils.Decrypt(ctx, s.APIKeyEncryptionKey, encryptedAPIKey, &payload, jwtutils.WithDecryptExpected(jwt.Expected{
+	err := jwtutils.Decrypt(ctx, s.APIKeyEncryptionKeycache, encryptedAPIKey, &payload, jwtutils.WithDecryptExpected(jwt.Expected{
 		Time: time.Now(),
 	}))
 	if err != nil {
diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -8,6 +8,7 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/google/uuid"
 
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -54,7 +55,7 @@ type EncryptedAPIKeyPayload struct {
 
 // FromRequest returns the signed token from the request, if it exists and is
 // valid. The caller must check that the token matches the request.
-func FromRequest(r *http.Request, mgr jwtutils.SigningKeyManager) (*SignedToken, bool) {
+func FromRequest(r *http.Request, mgr cryptokeys.SigningKeycache) (*SignedToken, bool) {
 	// Get all signed app tokens from the request. This includes the query
 	// parameter and all matching cookies sent with the request. If there are
 	// somehow multiple signed app token cookies, we want to try all of them
diff --git a/coderd/workspaceapps/token_test.go b/coderd/workspaceapps/token_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
 )
@@ -343,10 +344,10 @@ func Test_FromRequest(t *testing.T) {
 	})
 }
 
-func newSigner(t *testing.T) jwtutils.SigningKeyManager {
+func newSigner(t *testing.T) cryptokeys.StaticKey {
 	t.Helper()
 
-	return jwtutils.StaticKeyManager{
+	return cryptokeys.StaticKey{
 		ID:  "test",
 		Key: generateSecret(t, 64),
 	}
diff --git a/codersdk/workspacesdk/connector_internal_test.go b/codersdk/workspacesdk/connector_internal_test.go
@@ -24,8 +24,8 @@ import (
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/v2/apiversion"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/httpapi"
-	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/tailnet/proto"
@@ -166,7 +166,7 @@ func TestTailnetAPIConnector_ResumeToken(t *testing.T) {
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
 	require.NoError(t, err)
-	mgr := jwtutils.StaticKeyManager{
+	mgr := cryptokeys.StaticKey{
 		ID:  uuid.New().String(),
 		Key: resumeTokenSigningKey[:],
 	}
@@ -285,7 +285,7 @@ func TestTailnetAPIConnector_ResumeTokenFailure(t *testing.T) {
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
 	require.NoError(t, err)
-	mgr := jwtutils.StaticKeyManager{
+	mgr := cryptokeys.StaticKey{
 		ID:  uuid.New().String(),
 		Key: resumeTokenSigningKey[:],
 	}
diff --git a/enterprise/wsproxy/tokenprovider.go b/enterprise/wsproxy/tokenprovider.go
@@ -7,6 +7,7 @@ import (
 
 	"cdr.dev/slog"
 
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
 	"github.com/coder/coder/v2/enterprise/wsproxy/wsproxysdk"
@@ -19,14 +20,14 @@ type TokenProvider struct {
 	AccessURL    *url.URL
 	AppHostname  string
 
-	Client              *wsproxysdk.Client
-	TokenSigningKey     jwtutils.SigningKeyManager
-	APIKeyEncryptionKey jwtutils.EncryptingKeyManager
-	Logger              slog.Logger
+	Client                   *wsproxysdk.Client
+	TokenSigningKeycache     cryptokeys.SigningKeycache
+	APIKeyEncryptionKeycache cryptokeys.EncryptionKeycache
+	Logger                   slog.Logger
 }
 
 func (p *TokenProvider) FromRequest(r *http.Request) (*workspaceapps.SignedToken, bool) {
-	return workspaceapps.FromRequest(r, p.TokenSigningKey)
+	return workspaceapps.FromRequest(r, p.TokenSigningKeycache)
 }
 
 func (p *TokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {
@@ -45,7 +46,7 @@ func (p *TokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *ht
 
 	// Check that it verifies properly and matches the string.
 	var token workspaceapps.SignedToken
-	err = jwtutils.Verify(ctx, p.TokenSigningKey, resp.SignedTokenStr, &token)
+	err = jwtutils.Verify(ctx, p.TokenSigningKeycache, resp.SignedTokenStr, &token)
 	if err != nil {
 		workspaceapps.WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "failed to verify newly generated signed token")
 		return nil, "", false
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -303,21 +303,21 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		HostnameRegex: opts.AppHostnameRegex,
 		RealIPConfig:  opts.RealIPConfig,
 		SignedTokenProvider: &TokenProvider{
-			DashboardURL:        opts.DashboardURL,
-			AccessURL:           opts.AccessURL,
-			AppHostname:         opts.AppHostname,
-			Client:              client,
-			TokenSigningKey:     signingCache,
-			APIKeyEncryptionKey: encryptionCache,
-			Logger:              s.Logger.Named("proxy_token_provider"),
+			DashboardURL:             opts.DashboardURL,
+			AccessURL:                opts.AccessURL,
+			AppHostname:              opts.AppHostname,
+			Client:                   client,
+			TokenSigningKeycache:     signingCache,
+			APIKeyEncryptionKeycache: encryptionCache,
+			Logger:                   s.Logger.Named("proxy_token_provider"),
 		},
 
 		DisablePathApps:  opts.DisablePathApps,
 		SecureAuthCookie: opts.SecureAuthCookie,
 
-		AgentProvider:       agentProvider,
-		StatsCollector:      workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),
-		APIKeyEncryptionKey: encryptionCache,
+		AgentProvider:            agentProvider,
+		StatsCollector:           workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),
+		APIKeyEncryptionKeycache: encryptionCache,
 	}
 
 	derpHandler := derphttp.Handler(derpServer)
diff --git a/tailnet/resume.go b/tailnet/resume.go
@@ -11,6 +11,7 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/tailnet/proto"
 	"github.com/coder/quartz"
@@ -28,7 +29,7 @@ func NewInsecureTestResumeTokenProvider() ResumeTokenProvider {
 	if err != nil {
 		panic(err)
 	}
-	return NewResumeTokenKeyProvider(jwtutils.StaticKeyManager{
+	return NewResumeTokenKeyProvider(cryptokeys.StaticKey{
 		ID:  uuid.New().String(),
 		Key: key[:],
 	}, quartz.NewReal(), time.Hour)
@@ -51,12 +52,12 @@ func GenerateResumeTokenSigningKey() (ResumeTokenSigningKey, error) {
 }
 
 type ResumeTokenKeyProvider struct {
-	key    jwtutils.SigningKeyManager
+	key    cryptokeys.SigningKeycache
 	clock  quartz.Clock
 	expiry time.Duration
 }
 
-func NewResumeTokenKeyProvider(key jwtutils.SigningKeyManager, clock quartz.Clock, expiry time.Duration) ResumeTokenProvider {
+func NewResumeTokenKeyProvider(key cryptokeys.SigningKeycache, clock quartz.Clock, expiry time.Duration) ResumeTokenProvider {
 	if expiry <= 0 {
 		expiry = DefaultResumeTokenExpiry
 	}
diff --git a/tailnet/resume_test.go b/tailnet/resume_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
-	"github.com/coder/coder/v2/coderd/jwtutils"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/testutil"
 	"github.com/coder/quartz"
@@ -91,8 +91,8 @@ func TestResumeTokenKeyProvider(t *testing.T) {
 	})
 }
 
-func newKeySigner(key tailnet.ResumeTokenSigningKey) jwtutils.StaticKeyManager {
-	return jwtutils.StaticKeyManager{
+func newKeySigner(key tailnet.ResumeTokenSigningKey) cryptokeys.StaticKey {
+	return cryptokeys.StaticKey{
 		ID:  uuid.New().String(),
 		Key: key[:],
 	}

Original file line number	Diff line number	Diff line change
`@@ -15,11 +15,6 @@ const (`
`15`	`15`	`encryptContentAlgo = jose.A256GCM`
`16`	`16`	`)`
`17`	`17`
`18`		`-type EncryptingKeyManager interface {`
`19`		`- EncryptKeyProvider`
`20`		`- DecryptKeyProvider`
`21`		`-}`
`22`		`-`
`23`	`18`	`type EncryptKeyProvider interface {`
`24`	`19`	`EncryptingKey(ctx context.Context) (id string, key interface{}, err error)`
`25`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ import (`
`15`	`15`	`"github.com/google/uuid"`
`16`	`16`	`"github.com/stretchr/testify/require"`
`17`	`17`
	`18`	`+ "github.com/coder/coder/v2/coderd/cryptokeys"`
`18`	`19`	`"github.com/coder/coder/v2/coderd/jwtutils"`
`19`	`20`	`"github.com/coder/coder/v2/coderd/workspaceapps"`
`20`	`21`	`)`
`@@ -343,10 +344,10 @@ func Test_FromRequest(t *testing.T) {`
`343`	`344`	`})`
`344`	`345`	`}`
`345`	`346`
`346`		`-func newSigner(t *testing.T) jwtutils.SigningKeyManager {`
	`347`	`+func newSigner(t *testing.T) cryptokeys.StaticKey {`
`347`	`348`	`t.Helper()`
`348`	`349`
`349`		`- return jwtutils.StaticKeyManager{`
	`350`	`+ return cryptokeys.StaticKey{`
`350`	`351`	`ID: "test",`
`351`	`352`	`Key: generateSecret(t, 64),`
`352`	`353`	`}`