add previous external token encryption key deployment value

johnstcn · johnstcn · commit dbe6915e8de2 · 2023-08-25T10:51:48.000Z
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -463,6 +463,11 @@ These options are only available in the Enterprise Edition.
           database. The value must be a base64-encoded key exactly 32 bytes in
           length.
 
+      --previous-external-token-encryption-key string, $CODER_PREVIOUS_EXTERNAL_TOKEN_ENCRYPTION_KEY
+          When rotating external token encryption key, provide the previous
+          encryption key. The value must be a base64-encoded key exactly 32
+          bytes in length.
+
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
           server. New users are automatically created with OIDC authentication.
diff --git a/coderd/deployment_test.go b/coderd/deployment_test.go
@@ -26,7 +26,8 @@ func TestDeploymentValues(t *testing.T) {
 	cfg.OIDC.EmailField.Set("some_random_field_you_never_expected")
 	cfg.PostgresURL.Set(hi)
 	cfg.SCIMAPIKey.Set(hi)
-	cfg.ExternalTokenEncryptionKey.Set("the_random_key_we_never_expected") // len:32
+	cfg.ExternalTokenEncryptionKey.Set("the_random_key_we_never_expected")         // len:32
+	cfg.PreviousExternalTokenEncryptionKey.Set("another_random_key_we_unexpected") // len:32
 
 	client := coderdtest.New(t, &coderdtest.Options{
 		DeploymentValues: cfg,
@@ -46,6 +47,7 @@ func TestDeploymentValues(t *testing.T) {
 	require.Empty(t, scrubbed.Values.PostgresURL.Value())
 	require.Empty(t, scrubbed.Values.SCIMAPIKey.Value())
 	require.Empty(t, scrubbed.Values.ExternalTokenEncryptionKey.Value())
+	require.Empty(t, scrubbed.Values.PreviousExternalTokenEncryptionKey.Value())
 }
 
 func TestDeploymentStats(t *testing.T) {
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -129,52 +129,53 @@ type DeploymentValues struct {
 	DocsURL             clibase.URL  `json:"docs_url,omitempty"`
 	RedirectToAccessURL clibase.Bool `json:"redirect_to_access_url,omitempty"`
 	// HTTPAddress is a string because it may be set to zero to disable.
-	HTTPAddress                     clibase.String                  `json:"http_address,omitempty" typescript:",notnull"`
-	AutobuildPollInterval           clibase.Duration                `json:"autobuild_poll_interval,omitempty"`
-	JobHangDetectorInterval         clibase.Duration                `json:"job_hang_detector_interval,omitempty"`
-	DERP                            DERP                            `json:"derp,omitempty" typescript:",notnull"`
-	Prometheus                      PrometheusConfig                `json:"prometheus,omitempty" typescript:",notnull"`
-	Pprof                           PprofConfig                     `json:"pprof,omitempty" typescript:",notnull"`
-	ProxyTrustedHeaders             clibase.StringArray             `json:"proxy_trusted_headers,omitempty" typescript:",notnull"`
-	ProxyTrustedOrigins             clibase.StringArray             `json:"proxy_trusted_origins,omitempty" typescript:",notnull"`
-	CacheDir                        clibase.String                  `json:"cache_directory,omitempty" typescript:",notnull"`
-	InMemoryDatabase                clibase.Bool                    `json:"in_memory_database,omitempty" typescript:",notnull"`
-	PostgresURL                     clibase.String                  `json:"pg_connection_url,omitempty" typescript:",notnull"`
-	OAuth2                          OAuth2Config                    `json:"oauth2,omitempty" typescript:",notnull"`
-	OIDC                            OIDCConfig                      `json:"oidc,omitempty" typescript:",notnull"`
-	Telemetry                       TelemetryConfig                 `json:"telemetry,omitempty" typescript:",notnull"`
-	TLS                             TLSConfig                       `json:"tls,omitempty" typescript:",notnull"`
-	Trace                           TraceConfig                     `json:"trace,omitempty" typescript:",notnull"`
-	SecureAuthCookie                clibase.Bool                    `json:"secure_auth_cookie,omitempty" typescript:",notnull"`
-	StrictTransportSecurity         clibase.Int64                   `json:"strict_transport_security,omitempty" typescript:",notnull"`
-	StrictTransportSecurityOptions  clibase.StringArray             `json:"strict_transport_security_options,omitempty" typescript:",notnull"`
-	SSHKeygenAlgorithm              clibase.String                  `json:"ssh_keygen_algorithm,omitempty" typescript:",notnull"`
-	MetricsCacheRefreshInterval     clibase.Duration                `json:"metrics_cache_refresh_interval,omitempty" typescript:",notnull"`
-	AgentStatRefreshInterval        clibase.Duration                `json:"agent_stat_refresh_interval,omitempty" typescript:",notnull"`
-	AgentFallbackTroubleshootingURL clibase.URL                     `json:"agent_fallback_troubleshooting_url,omitempty" typescript:",notnull"`
-	BrowserOnly                     clibase.Bool                    `json:"browser_only,omitempty" typescript:",notnull"`
-	SCIMAPIKey                      clibase.String                  `json:"scim_api_key,omitempty" typescript:",notnull"`
-	ExternalTokenEncryptionKey      clibase.String                  `json:"external_token_encryption_key"`
-	Provisioner                     ProvisionerConfig               `json:"provisioner,omitempty" typescript:",notnull"`
-	RateLimit                       RateLimitConfig                 `json:"rate_limit,omitempty" typescript:",notnull"`
-	Experiments                     clibase.StringArray             `json:"experiments,omitempty" typescript:",notnull"`
-	UpdateCheck                     clibase.Bool                    `json:"update_check,omitempty" typescript:",notnull"`
-	MaxTokenLifetime                clibase.Duration                `json:"max_token_lifetime,omitempty" typescript:",notnull"`
-	Swagger                         SwaggerConfig                   `json:"swagger,omitempty" typescript:",notnull"`
-	Logging                         LoggingConfig                   `json:"logging,omitempty" typescript:",notnull"`
-	Dangerous                       DangerousConfig                 `json:"dangerous,omitempty" typescript:",notnull"`
-	DisablePathApps                 clibase.Bool                    `json:"disable_path_apps,omitempty" typescript:",notnull"`
-	SessionDuration                 clibase.Duration                `json:"max_session_expiry,omitempty" typescript:",notnull"`
-	DisableSessionExpiryRefresh     clibase.Bool                    `json:"disable_session_expiry_refresh,omitempty" typescript:",notnull"`
-	DisablePasswordAuth             clibase.Bool                    `json:"disable_password_auth,omitempty" typescript:",notnull"`
-	Support                         SupportConfig                   `json:"support,omitempty" typescript:",notnull"`
-	GitAuthProviders                clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
-	SSHConfig                       SSHConfig                       `json:"config_ssh,omitempty" typescript:",notnull"`
-	WgtunnelHost                    clibase.String                  `json:"wgtunnel_host,omitempty" typescript:",notnull"`
-	DisableOwnerWorkspaceExec       clibase.Bool                    `json:"disable_owner_workspace_exec,omitempty" typescript:",notnull"`
-	ProxyHealthStatusInterval       clibase.Duration                `json:"proxy_health_status_interval,omitempty" typescript:",notnull"`
-	EnableTerraformDebugMode        clibase.Bool                    `json:"enable_terraform_debug_mode,omitempty" typescript:",notnull"`
-	UserQuietHoursSchedule          UserQuietHoursScheduleConfig    `json:"user_quiet_hours_schedule,omitempty" typescript:",notnull"`
+	HTTPAddress                        clibase.String                  `json:"http_address,omitempty" typescript:",notnull"`
+	AutobuildPollInterval              clibase.Duration                `json:"autobuild_poll_interval,omitempty"`
+	JobHangDetectorInterval            clibase.Duration                `json:"job_hang_detector_interval,omitempty"`
+	DERP                               DERP                            `json:"derp,omitempty" typescript:",notnull"`
+	Prometheus                         PrometheusConfig                `json:"prometheus,omitempty" typescript:",notnull"`
+	Pprof                              PprofConfig                     `json:"pprof,omitempty" typescript:",notnull"`
+	ProxyTrustedHeaders                clibase.StringArray             `json:"proxy_trusted_headers,omitempty" typescript:",notnull"`
+	ProxyTrustedOrigins                clibase.StringArray             `json:"proxy_trusted_origins,omitempty" typescript:",notnull"`
+	CacheDir                           clibase.String                  `json:"cache_directory,omitempty" typescript:",notnull"`
+	InMemoryDatabase                   clibase.Bool                    `json:"in_memory_database,omitempty" typescript:",notnull"`
+	PostgresURL                        clibase.String                  `json:"pg_connection_url,omitempty" typescript:",notnull"`
+	OAuth2                             OAuth2Config                    `json:"oauth2,omitempty" typescript:",notnull"`
+	OIDC                               OIDCConfig                      `json:"oidc,omitempty" typescript:",notnull"`
+	Telemetry                          TelemetryConfig                 `json:"telemetry,omitempty" typescript:",notnull"`
+	TLS                                TLSConfig                       `json:"tls,omitempty" typescript:",notnull"`
+	Trace                              TraceConfig                     `json:"trace,omitempty" typescript:",notnull"`
+	SecureAuthCookie                   clibase.Bool                    `json:"secure_auth_cookie,omitempty" typescript:",notnull"`
+	StrictTransportSecurity            clibase.Int64                   `json:"strict_transport_security,omitempty" typescript:",notnull"`
+	StrictTransportSecurityOptions     clibase.StringArray             `json:"strict_transport_security_options,omitempty" typescript:",notnull"`
+	SSHKeygenAlgorithm                 clibase.String                  `json:"ssh_keygen_algorithm,omitempty" typescript:",notnull"`
+	MetricsCacheRefreshInterval        clibase.Duration                `json:"metrics_cache_refresh_interval,omitempty" typescript:",notnull"`
+	AgentStatRefreshInterval           clibase.Duration                `json:"agent_stat_refresh_interval,omitempty" typescript:",notnull"`
+	AgentFallbackTroubleshootingURL    clibase.URL                     `json:"agent_fallback_troubleshooting_url,omitempty" typescript:",notnull"`
+	BrowserOnly                        clibase.Bool                    `json:"browser_only,omitempty" typescript:",notnull"`
+	SCIMAPIKey                         clibase.String                  `json:"scim_api_key,omitempty" typescript:",notnull"`
+	ExternalTokenEncryptionKey         clibase.String                  `json:"external_token_encryption_key"`
+	PreviousExternalTokenEncryptionKey clibase.String                  `json:"previous_external_token_encryption_key"`
+	Provisioner                        ProvisionerConfig               `json:"provisioner,omitempty" typescript:",notnull"`
+	RateLimit                          RateLimitConfig                 `json:"rate_limit,omitempty" typescript:",notnull"`
+	Experiments                        clibase.StringArray             `json:"experiments,omitempty" typescript:",notnull"`
+	UpdateCheck                        clibase.Bool                    `json:"update_check,omitempty" typescript:",notnull"`
+	MaxTokenLifetime                   clibase.Duration                `json:"max_token_lifetime,omitempty" typescript:",notnull"`
+	Swagger                            SwaggerConfig                   `json:"swagger,omitempty" typescript:",notnull"`
+	Logging                            LoggingConfig                   `json:"logging,omitempty" typescript:",notnull"`
+	Dangerous                          DangerousConfig                 `json:"dangerous,omitempty" typescript:",notnull"`
+	DisablePathApps                    clibase.Bool                    `json:"disable_path_apps,omitempty" typescript:",notnull"`
+	SessionDuration                    clibase.Duration                `json:"max_session_expiry,omitempty" typescript:",notnull"`
+	DisableSessionExpiryRefresh        clibase.Bool                    `json:"disable_session_expiry_refresh,omitempty" typescript:",notnull"`
+	DisablePasswordAuth                clibase.Bool                    `json:"disable_password_auth,omitempty" typescript:",notnull"`
+	Support                            SupportConfig                   `json:"support,omitempty" typescript:",notnull"`
+	GitAuthProviders                   clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
+	SSHConfig                          SSHConfig                       `json:"config_ssh,omitempty" typescript:",notnull"`
+	WgtunnelHost                       clibase.String                  `json:"wgtunnel_host,omitempty" typescript:",notnull"`
+	DisableOwnerWorkspaceExec          clibase.Bool                    `json:"disable_owner_workspace_exec,omitempty" typescript:",notnull"`
+	ProxyHealthStatusInterval          clibase.Duration                `json:"proxy_health_status_interval,omitempty" typescript:",notnull"`
+	EnableTerraformDebugMode           clibase.Bool                    `json:"enable_terraform_debug_mode,omitempty" typescript:",notnull"`
+	UserQuietHoursSchedule             UserQuietHoursScheduleConfig    `json:"user_quiet_hours_schedule,omitempty" typescript:",notnull"`
 
 	Config      clibase.YAMLConfigPath `json:"config,omitempty" typescript:",notnull"`
 	WriteConfig clibase.Bool           `json:"write_config,omitempty" typescript:",notnull"`
@@ -1597,6 +1598,14 @@ when required by your organization's security policy.`,
 			Annotations: clibase.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),
 			Value:       &c.ExternalTokenEncryptionKey,
 		},
+		{
+			Name:        "Previous External Token Encryption Key",
+			Description: "When rotating external token encryption key, provide the previous encryption key. The value must be a base64-encoded key exactly 32 bytes in length.",
+			Flag:        "previous-external-token-encryption-key",
+			Env:         "CODER_PREVIOUS_EXTERNAL_TOKEN_ENCRYPTION_KEY",
+			Annotations: clibase.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),
+			Value:       &c.PreviousExternalTokenEncryptionKey,
+		},
 		{
 			Name:        "Disable Path Apps",
 			Description: "Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.",
diff --git a/codersdk/deployment_test.go b/codersdk/deployment_test.go
@@ -60,6 +60,9 @@ func TestDeploymentValues_HighlyConfigurable(t *testing.T) {
 		"External Token Encryption Key": {
 			yaml: true,
 		},
+		"Previous External Token Encryption Key": {
+			yaml: true,
+		},
 		// These complex objects should be configured through YAML.
 		"Support Links": {
 			flag: true,
diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden
@@ -463,6 +463,11 @@ These options are only available in the Enterprise Edition.
           database. The value must be a base64-encoded key exactly 32 bytes in
           length.
 
+      --previous-external-token-encryption-key string, $CODER_PREVIOUS_EXTERNAL_TOKEN_ENCRYPTION_KEY
+          When rotating external token encryption key, provide the previous
+          encryption key. The value must be a base64-encoded key exactly 32
+          bytes in length.
+
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
           server. New users are automatically created with OIDC authentication.
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
