fixup! support secondary cipher in dbcrypt

johnstcn · johnstcn · commit e14272c995b8 · 2023-08-25T13:56:29.000Z
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -458,15 +458,13 @@ These options are only available in the Enterprise Edition.
           An HTTP URL that is accessible by other replicas to relay DERP
           traffic. Required for high availability.
 
-      --external-token-encryption-key string, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY
+      --external-token-encryption-keys string-array, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS
           Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
-          database. The value must be a base64-encoded key exactly 32 bytes in
-          length.
-
-      --previous-external-token-encryption-key string, $CODER_PREVIOUS_EXTERNAL_TOKEN_ENCRYPTION_KEY
-          When rotating external token encryption key, provide the previous
-          encryption key. The value must be a base64-encoded key exactly 32
-          bytes in length.
+          database. The value must be a comma-separated list of base64-encoded
+          keys. A maximum of two keys may be provided. Each key, when
+          base64-decoded, must be exactly 32 bytes in length. The first key will
+          be used to encrypt new values. Subsequent keys will be used as a
+          fallback when decrypting.
 
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden
@@ -458,15 +458,13 @@ These options are only available in the Enterprise Edition.
           An HTTP URL that is accessible by other replicas to relay DERP
           traffic. Required for high availability.
 
-      --external-token-encryption-key string, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEY
+      --external-token-encryption-keys string-array, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS
           Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
-          database. The value must be a base64-encoded key exactly 32 bytes in
-          length.
-
-      --previous-external-token-encryption-key string, $CODER_PREVIOUS_EXTERNAL_TOKEN_ENCRYPTION_KEY
-          When rotating external token encryption key, provide the previous
-          encryption key. The value must be a base64-encoded key exactly 32
-          bytes in length.
+          database. The value must be a comma-separated list of base64-encoded
+          keys. A maximum of two keys may be provided. Each key, when
+          base64-decoded, must be exactly 32 bytes in length. The first key will
+          be used to encrypt new values. Subsequent keys will be used as a
+          fallback when decrypting.
 
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -64,21 +64,28 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 
 	ctx, cancelFunc := context.WithCancel(ctx)
 
-	externalTokenCipher := &atomic.Pointer[dbcrypt.Cipher]{}
-	cryptDB, err := dbcrypt.New(ctx, options.Database, &dbcrypt.Options{
-		PrimaryCipher: externalTokenCipher,
-	})
-	if err != nil {
-		cancelFunc()
-		return nil, xerrors.Errorf("init dbcrypt: %w", err)
+	if options.PrimaryExternalTokenEncryption != nil {
+		primaryExternalTokenCipher := atomic.Pointer[dbcrypt.Cipher]{}
+		primaryExternalTokenCipher.Store(&options.PrimaryExternalTokenEncryption)
+		secondaryExternalTokenCipher := atomic.Pointer[dbcrypt.Cipher]{}
+		if options.SecondaryExternalTokenEncryption != nil {
+			secondaryExternalTokenCipher.Store(&options.SecondaryExternalTokenEncryption)
+		}
+		cryptDB, err := dbcrypt.New(ctx, options.Database, &dbcrypt.Options{
+			PrimaryCipher:   &primaryExternalTokenCipher,
+			SecondaryCipher: &secondaryExternalTokenCipher,
+		})
+
+		if err != nil {
+			cancelFunc()
+			return nil, xerrors.Errorf("init dbcrypt: %w", err)
+		}
+		options.Database = cryptDB
 	}
-	options.Database = cryptDB
 
 	api := &API{
-		ctx:                 ctx,
-		cancel:              cancelFunc,
-		externalTokenCipher: externalTokenCipher,
-
+		ctx:     ctx,
+		cancel:  cancelFunc,
 		AGPL:    coderd.New(options.Options),
 		Options: options,
 		provisionerDaemonAuth: &provisionerDaemonAuth{
@@ -407,8 +414,6 @@ type API struct {
 	ctx    context.Context
 	cancel context.CancelFunc
 
-	externalTokenCipher *atomic.Pointer[dbcrypt.Cipher]
-
 	// Detects multiple Coder replicas running at the same time.
 	replicaManager *replicasync.Manager
 	// Meshes DERP connections from multiple replicas.
diff --git a/enterprise/dbcrypt/dbcrypt_test.go b/enterprise/dbcrypt/dbcrypt_test.go
@@ -217,12 +217,11 @@ func TestNew(t *testing.T) {
 		})
 
 		// Then: an error is returned
-		require.ErrorContains(t, err, "at least one cipher must be provided")
+		require.ErrorContains(t, err, "at least one cipher is required")
 
-		// And: the sentinel value is not encrypted
-		rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)
-		require.NoError(t, err)
-		require.Equal(t, "coder", rawVal)
+		// And: the sentinel value is not present
+		_, err = rawDB.GetDBCryptSentinelValue(ctx)
+		require.ErrorIs(t, err, sql.ErrNoRows)
 	})
 
 	t.Run("CipherChanged", func(t *testing.T) {
