feat: end-to-end workspace application authentication

deansheather · deansheather · commit d9b404d1d0f9 · 2022-09-21T02:04:49.000Z
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -154,7 +154,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				return
 			}
 
-			keyID, keySecret, err := splitAPIToken(token)
+			keyID, keySecret, err := SplitAPIToken(token)
 			if err != nil {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
 					Message: signedOutErrorMessage,
@@ -377,11 +377,11 @@ func apiTokenFromRequest(r *http.Request) string {
 	return ""
 }
 
-// splitAPIToken verifies the format of an API key and returns the split ID and
+// SplitAPIToken verifies the format of an API key and returns the split ID and
 // secret.
 //
 // APIKeys are formatted: ${ID}-${SECRET}
-func splitAPIToken(token string) (id string, secret string, err error) {
+func SplitAPIToken(token string) (id string, secret string, err error) {
 	parts := strings.Split(token, "-")
 	if len(parts) != 2 {
 		return "", "", xerrors.Errorf("incorrect amount of API key parts, expected 2 got %d", len(parts))
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -162,7 +162,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.setAuthCookie(rw, cookie)
+	http.SetCookie(rw, cookie)
 
 	redirect := state.Redirect
 	if redirect == "" {
@@ -296,7 +296,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.setAuthCookie(rw, cookie)
+	http.SetCookie(rw, cookie)
 
 	redirect := state.Redirect
 	if redirect == "" {
diff --git a/coderd/users.go b/coderd/users.go
@@ -921,7 +921,7 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.setAuthCookie(rw, cookie)
+	http.SetCookie(rw, cookie)
 
 	httpapi.Write(rw, http.StatusCreated, codersdk.LoginWithPasswordResponse{
 		SessionToken: cookie.Value,
@@ -998,7 +998,7 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 		Name:   codersdk.SessionTokenKey,
 		Path:   "/",
 	}
-	api.setAuthCookie(rw, cookie)
+	http.SetCookie(rw, cookie)
 
 	// Delete the session token from database.
 	apiKey := httpmw.APIKey(r)
@@ -1186,15 +1186,6 @@ func (api *API) createUser(ctx context.Context, store database.Store, req create
 	})
 }
 
-func (api *API) setAuthCookie(rw http.ResponseWriter, cookie *http.Cookie) {
-	http.SetCookie(rw, cookie)
-
-	appCookie := api.applicationCookie(cookie)
-	if appCookie != nil {
-		http.SetCookie(rw, appCookie)
-	}
-}
-
 func convertUser(user database.User, organizationIDs []uuid.UUID) codersdk.User {
 	convertedUser := codersdk.User{
 		ID:              user.ID,
diff --git a/coderd/workspace_apps_internal_test.go b/coderd/workspace_apps_internal_test.go
@@ -0,0 +1,100 @@
+package coderd
+
+import (
+	"context"
+	"crypto/sha256"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/databasefake"
+	"github.com/coder/coder/testutil"
+)
+
+func TestAPIKeyEncryption(t *testing.T) {
+	t.Parallel()
+
+	generateAPIKey := func(t *testing.T, db database.Store) (keyID, keySecret string, hashedSecret []byte, data encryptedAPIKeyPayload) {
+		keyID, keySecret, err := generateAPIKeyIDSecret()
+		require.NoError(t, err)
+
+		hashedSecretArray := sha256.Sum256([]byte(keySecret))
+		data = encryptedAPIKeyPayload{
+			APIKey:    keyID + "-" + keySecret,
+			ExpiresAt: database.Now().Add(24 * time.Hour),
+		}
+
+		return keyID, keySecret, hashedSecretArray[:], data
+	}
+	insertAPIKey := func(t *testing.T, db database.Store, keyID string, hashedSecret []byte) {
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		_, err := db.InsertAPIKey(ctx, database.InsertAPIKeyParams{
+			ID:           keyID,
+			HashedSecret: hashedSecret,
+		})
+		require.NoError(t, err)
+	}
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		db := databasefake.New()
+		keyID, _, hashedSecret, data := generateAPIKey(t, db)
+		insertAPIKey(t, db, keyID, hashedSecret)
+
+		encrypted, err := encryptAPIKey(data)
+		require.NoError(t, err)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		key, token, err := decryptAPIKey(ctx, db, encrypted)
+		require.NoError(t, err)
+		require.Equal(t, keyID, key.ID)
+		require.Equal(t, hashedSecret[:], key.HashedSecret)
+		require.Equal(t, data.APIKey, token)
+	})
+
+	t.Run("Verifies", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("Expiry", func(t *testing.T) {
+			t.Parallel()
+			db := databasefake.New()
+			keyID, _, hashedSecret, data := generateAPIKey(t, db)
+			insertAPIKey(t, db, keyID, hashedSecret)
+
+			data.ExpiresAt = database.Now().Add(-1 * time.Hour)
+			encrypted, err := encryptAPIKey(data)
+			require.NoError(t, err)
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			_, _, err = decryptAPIKey(ctx, db, encrypted)
+			require.Error(t, err)
+			require.ErrorContains(t, err, "expired")
+		})
+
+		t.Run("KeyMatches", func(t *testing.T) {
+			t.Parallel()
+			db := databasefake.New()
+			keyID, _, _, data := generateAPIKey(t, db)
+			hashedSecret := sha256.Sum256([]byte("wrong"))
+			insertAPIKey(t, db, keyID, hashedSecret[:])
+
+			encrypted, err := encryptAPIKey(data)
+			require.NoError(t, err)
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			_, _, err = decryptAPIKey(ctx, db, encrypted)
+			require.Error(t, err)
+			require.ErrorContains(t, err, "error in crypto")
+		})
+	})
+}
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
diff --git a/coderd/workspaceapps_test.go b/coderd/workspaceapps_test.go

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`162`	`162`	`return`
`163`	`163`	`}`
`164`	`164`
`165`		`- api.setAuthCookie(rw, cookie)`
	`165`	`+ http.SetCookie(rw, cookie)`
`166`	`166`
`167`	`167`	`redirect := state.Redirect`
`168`	`168`	`if redirect == "" {`
`@@ -296,7 +296,7 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`296`	`296`	`return`
`297`	`297`	`}`
`298`	`298`
`299`		`- api.setAuthCookie(rw, cookie)`
	`299`	`+ http.SetCookie(rw, cookie)`
`300`	`300`
`301`	`301`	`redirect := state.Redirect`
`302`	`302`	`if redirect == "" {`