pr comments
sreya committed Sep 13, 2024
commit 86782ed823441c1ec5319cb33e814a4b4ed541b8
44 changes: 35 additions & 9 deletions coderd/database/dbgen/dbgen.go
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/google/uuid"
"github.com/sqlc-dev/pqtype"
"github.com/stretchr/testify/require"
"golang.org/x/xerrors"

"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
Expand Down Expand Up @@ -897,18 +898,22 @@ func CustomRole(t testing.TB, db database.Store, seed database.CustomRole) datab
func CryptoKey(t testing.TB, db database.Store, seed database.CryptoKey) database.CryptoKey {
t.Helper()

b := make([]byte, 96)
_, err := rand.Read(b)
require.NoError(t, err, "generate secret")
seed.Feature = takeFirst(seed.Feature, database.CryptoKeyFeatureWorkspaceApps)

key, err := db.InsertCryptoKey(genCtx, database.InsertCryptoKeyParams{
Sequence: takeFirst(seed.Sequence, 123),
Secret: takeFirst(seed.Secret, sql.NullString{
String: hex.EncodeToString(b),
if !seed.Secret.Valid {
secret, err := newCryptoKeySecret(seed.Feature)
require.NoError(t, err, "generate secret")
seed.Secret = sql.NullString{
String: secret,
Valid: true,
}),
}
}

key, err := db.InsertCryptoKey(genCtx, database.InsertCryptoKeyParams{
Sequence: takeFirst(seed.Sequence, 123),
Secret: seed.Secret,
SecretKeyID: takeFirst(seed.SecretKeyID, sql.NullString{}),
Feature: takeFirst(seed.Feature, database.CryptoKeyFeatureWorkspaceApps),
Feature: seed.Feature,
StartsAt: takeFirst(seed.StartsAt, time.Now()),
})
require.NoError(t, err, "insert crypto key")
Expand Down Expand Up @@ -967,3 +972,24 @@ func takeFirst[Value comparable](values ...Value) Value {
return v != empty
})
}

func newCryptoKeySecret(feature database.CryptoKeyFeature) (string, error) {
switch feature {
case database.CryptoKeyFeatureWorkspaceApps:
return generateCryptoKey(96)
case database.CryptoKeyFeatureOidcConvert:
return generateCryptoKey(32)
case database.CryptoKeyFeatureTailnetResume:
return generateCryptoKey(64)
}
return "", xerrors.Errorf("unknown feature: %s", feature)
}

func generateCryptoKey(length int) (string, error) {
b := make([]byte, length)
_, err := rand.Read(b)
if err != nil {
return "", xerrors.Errorf("rand read: %w", err)
}
return hex.EncodeToString(b), nil
}
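Review bot: `newCryptoKeySecret` and `generateCryptoKey` are added without doc comments, and the sizes 96, 32 and 64 in the switch are unexplained. `generateCryptoKey(length)` takes a count of random bytes but returns their hex encoding, so the stored secret is `2*length` characters long, which a reader comparing this fixture with the real key generators needs stated. I would add `// newCryptoKeySecret returns a hex-encoded random secret for feature; sizes are raw byte counts (TODO confirm they mirror the production key lengths).` and `// generateCryptoKey returns length random bytes, hex-encoded (2*length characters).` The import that provides `rand` is outside the visible hunk, so whether this is `crypto/rand` cannot be confirmed here; the comment should name the source so the helper is not copied elsewhere as a key generator on the wrong assumption.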
9 changes: 5 additions & 4 deletions coderd/database/dbmem/dbmem.go
Expand Up @@ -1448,6 +1448,8 @@ func (q *FakeQuerier) DeleteCryptoKey(_ context.Context, arg database.DeleteCryp
if key.Feature == arg.Feature && key.Sequence == arg.Sequence {
q.cryptoKeys[i].Secret.String = ""
q.cryptoKeys[i].Secret.Valid = false
q.cryptoKeys[i].SecretKeyID.String = ""
q.cryptoKeys[i].SecretKeyID.Valid = false
return q.cryptoKeys[i], nil
}
}
Expand Down Expand Up @@ -2871,11 +2873,10 @@ func (q *FakeQuerier) GetLatestCryptoKeyByFeature(_ context.Context, feature dat
latestKey = key
}
}

if latestKey.Secret.Valid {
return latestKey, nil
if latestKey.StartsAt.IsZero() {
return database.CryptoKey{}, sql.ErrNoRows
}
return database.CryptoKey{}, sql.ErrNoRows
return latestKey, nil
}

func (q *FakeQuerier) GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, workspaceID uuid.UUID) (database.WorkspaceBuild, error) {
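Review bot: In `GetLatestCryptoKeyByFeature`, `latestKey.StartsAt.IsZero()` is used as the "nothing matched" signal, which would also report `sql.ErrNoRows` for a stored key whose `StartsAt` is the zero time. A `found` flag set next to `latestKey = key` and tested with `if !found { return database.CryptoKey{}, sql.ErrNoRows }` states the intent directly. The function now also returns a key whose `Secret.Valid` is false, i.e. one already cleared by `DeleteCryptoKey`, so the validity check moves to callers; a comment such as `// The returned key may have a NULL secret if it was deleted; callers must check Secret.Valid before using it.` would make that contract visible. The loop and the declaration of `latestKey` start outside the hunk, so how the latest key is selected cannot be confirmed from here.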
2 changes: 1 addition & 1 deletion coderd/database/dump.sql


2 changes: 1 addition & 1 deletion coderd/database/migrations/000250_crypto_keys.up.sql
@@ -1,7 +1,7 @@
CREATE TYPE crypto_key_feature AS ENUM (
'workspace_apps',
'oidc_convert',
'peer_reconnect'
'tailnet_resume'
);

CREATE TABLE crypto_keys (
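Review bot: The enum value in `crypto_key_feature` is renamed by editing migration 000250 in place rather than by adding a new migration. Any database that already ran the earlier version of this file keeps `'peer_reconnect'`, and rows written with `'tailnet_resume'` would then be rejected by the enum; whether 000250 has shipped anywhere is not visible on this page. If it has, a follow-up migration with `ALTER TYPE crypto_key_feature RENAME VALUE 'peer_reconnect' TO 'tailnet_resume';` is the safe route; if it has not, a sentence in the commit description saying the migration is unreleased would settle the question for reviewers.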
6 changes: 3 additions & 3 deletions coderd/database/models.go


4 changes: 2 additions & 2 deletions coderd/database/queries.sql.go


5 changes: 2 additions & 3 deletions coderd/database/queries/crypto_keys.sql
Expand Up @@ -10,7 +10,6 @@ WHERE feature = $1
ORDER BY sequence DESC
LIMIT 1;


-- name: GetCryptoKeyByFeatureAndSequence :one
SELECT *
FROM crypto_keys
Expand All @@ -29,13 +28,13 @@ INSERT INTO crypto_keys (
sequence,
secret,
starts_at,
secret_key_id
secret_key_id
) VALUES (
$1,
$2,
$3,
$4,
$5
$5
) RETURNING *;

-- name: UpdateCryptoKeyDeletesAt :one
22 changes: 20 additions & 2 deletions enterprise/dbcrypt/dbcrypt_internal_test.go
Expand Up @@ -8,6 +8,7 @@ import (
"encoding/json"
"io"
"testing"
"time"

"github.com/lib/pq"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -353,8 +354,6 @@ func TestCryptoKeys(t *testing.T) {
t.Parallel()
ctx := context.Background()

// We don't write a GetCryptoKeyByFeatureAndSequence test
// because it's basically the same as InsertCryptoKey.
t.Run("InsertCryptoKey", func(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -432,6 +431,25 @@ func TestCryptoKeys(t *testing.T) {
require.Equal(t, ciphers[0].HexDigest(), key.SecretKeyID.String)
})

t.Run("UpdateCryptoKeyDeletesAt", func(t *testing.T) {
t.Parallel()
_, crypt, ciphers := setup(t)
key := dbgen.CryptoKey(t, crypt, database.CryptoKey{
Secret: sql.NullString{String: "test", Valid: true},
})
key, err := crypt.UpdateCryptoKeyDeletesAt(ctx, database.UpdateCryptoKeyDeletesAtParams{
Feature: key.Feature,
Sequence: key.Sequence,
DeletesAt: sql.NullTime{
Time: time.Now().Add(time.Hour),
Valid: true,
},
})
require.NoError(t, err)
require.Equal(t, "test", key.Secret.String)
require.Equal(t, ciphers[0].HexDigest(), key.SecretKeyID.String)
})

t.Run("DecryptErr", func(t *testing.T) {
t.Parallel()
db, crypt, ciphers := setup(t)
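Review bot: The new `UpdateCryptoKeyDeletesAt` subtest checks only the value returned through `crypt`, so it would still pass if the secret were left in plaintext in the underlying store. It discards the raw store with `_, crypt, ciphers := setup(t)`; keeping it as `db, crypt, ciphers := setup(t)` and reading the row back through `db` to assert that its `Secret.String` is not `"test"` would cover the at-rest property as well as the decrypt-on-return path. The subtest also never asserts that `DeletesAt` on the returned key is valid and set, which is the one field this query is meant to change.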