chore: change app ticket algo to symmetric
deansheather committed Mar 7, 2023
commit f236a14b4a9bc6755e93988fda07cb0c275a364d
12 changes: 0 additions & 12 deletions cli/clitest/clitest.go
Expand Up @@ -16,7 +16,6 @@ import (

"github.com/coder/coder/cli"
"github.com/coder/coder/cli/config"
"github.com/coder/coder/coderd/coderdtest"
"github.com/coder/coder/codersdk"
"github.com/coder/coder/provisioner/echo"
)
Expand Down Expand Up @@ -51,17 +50,6 @@ func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
require.NoError(t, err)
}

// TestAppSigningKey returns the path to a temporary file containing the test
// app signing key. For use with the --insecure-app-signing-key-file flag.
func AppSigningKeyPath(t *testing.T) string {
tmpDir := t.TempDir()
file := filepath.Join(tmpDir, "app-signing-key.pem")
err := os.WriteFile(file, []byte(coderdtest.TestAppSigningKey), 0o600)
require.NoError(t, err)

return file
}

// CreateTemplateVersionSource writes the echo provisioner responses into a
// new temporary testing directory.
func CreateTemplateVersionSource(t *testing.T, responses *echo.Responses) string {
7 changes: 0 additions & 7 deletions cli/deployment/config.go
Expand Up @@ -570,13 +570,6 @@ func newConfig() *codersdk.DeploymentConfig {
Flag: "disable-password-auth",
Default: false,
},
InsecureAppSigningKeyFile: &codersdk.DeploymentConfigField[string]{
Name: "Insecure App Signing Key File",
Usage: "Path to a file containing a signing key for app signing. This should only be used during tests.",
Flag: "insecure-app-signing-key-file",
Default: "",
Hidden: true,
},
Support: &codersdk.SupportConfig{
Links: &codersdk.DeploymentConfigField[[]codersdk.LinkConfig]{
Name: "Support links",
1 change: 0 additions & 1 deletion cli/resetpassword_test.go
Expand Up @@ -44,7 +44,6 @@ func TestResetPassword(t *testing.T) {
"--access-url", "http://example.com",
"--postgres-url", connectionURL,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
go func() {
defer close(serverDone)
56 changes: 18 additions & 38 deletions cli/server.go
Expand Up @@ -7,11 +7,10 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"database/sql"
"encoding/pem"
"encoding/hex"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -610,53 +609,34 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
}
}

// Read the app signing key from the DB. We store it hex
// encoded since the config table uses strings for the value and
// we don't want to deal with automatic encoding issues.
appSigningKeyStr, err := tx.GetAppSigningKey(ctx)
if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
return xerrors.Errorf("get app signing key: %w", err)
}
if appSigningKeyStr == "" {
if cfg.InsecureAppSigningKeyFile.Value != "" {
bytes, err := os.ReadFile(cfg.InsecureAppSigningKeyFile.Value)
if err != nil {
return xerrors.Errorf("read insecure app signing key file %q: %w", cfg.InsecureAppSigningKeyFile.Value, err)
}
appSigningKeyStr = string(bytes)
} else {
appSigningKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return xerrors.Errorf("generate new app signing key: %w", err)
}

keyBytes, err := x509.MarshalPKCS8PrivateKey(appSigningKey)
if err != nil {
return xerrors.Errorf("marshal app signing key: %w", err)
}

pemBytes := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: keyBytes,
})

err = tx.InsertAppSigningKey(ctx, string(pemBytes))
if err != nil {
return xerrors.Errorf("insert app signing key: %w", err)
}
// Generate 64 byte secure random string.
b := make([]byte, 64)
_, err := rand.Read(b)
if err != nil {
return xerrors.Errorf("generate fresh app signing key: %w", err)
}

appSigningKeyStr = string(pemBytes)
appSigningKeyStr = hex.EncodeToString(b)
err = tx.InsertAppSigningKey(ctx, appSigningKeyStr)
if err != nil {
return xerrors.Errorf("insert freshly generated app signing key to database: %w", err)
}
}

pemBlock, _ := pem.Decode([]byte(appSigningKeyStr))
if pemBlock == nil {
return xerrors.New("failed to decode app signing key: no PEM block found")
}
appSigningKeyInterface, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
appSigningKey, err := hex.DecodeString(appSigningKeyStr)
if err != nil {
return xerrors.Errorf("failed to parse app signing key as RSA key: %w", err)
return xerrors.Errorf("decode app signing key from database as hex: %w", err)
}
appSigningKey, ok := appSigningKeyInterface.(*rsa.PrivateKey)
if !ok {
return xerrors.Errorf("app signing key is not an *rsa.PrivateKey, got %T", appSigningKeyInterface)
if len(appSigningKey) != 64 {
return xerrors.Errorf("app signing key must be 64 bytes, key in database is %d bytes", len(appSigningKey))
}

options.AppSigningKey = appSigningKey
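Review bot: The key length is a bare `64` in two unrelated places in the second hunk of cli/server.go, `b := make([]byte, 64)` at generation and `if len(appSigningKey) != 64` on the value read back from the database, with nothing tying the two together; hoisting it into one named constant (for example `const appSigningKeyLength = 64`, a name proposed here, not one the file has) and using it in both lines and in the "must be 64 bytes" error text keeps generation and validation from drifting apart on a later change. Both new error messages report only the decode failure and the decoded length without echoing the key material itself, which is the right property for a symmetric secret and worth preserving if the messages are ever extended. The `InsertAppSigningKey` call happens inside the transaction only when the read returned an empty string, so two replicas starting against an empty table could presumably each generate and insert a different key unless the table enforces a single row; the schema is not visible in this diff, so confirm that constraint exists. The enclosing `Server` function starts and ends outside this hunk.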
31 changes: 0 additions & 31 deletions cli/server_test.go
Expand Up @@ -60,7 +60,6 @@ func TestServer(t *testing.T) {
"--access-url", "http://example.com",
"--postgres-url", connectionURL,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetOutput(pty.Output())
Expand Down Expand Up @@ -90,7 +89,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetOutput(pty.Output())
Expand Down Expand Up @@ -146,7 +144,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://localhost:3000/",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetIn(pty.Input())
Expand Down Expand Up @@ -179,7 +176,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "https://foobarbaz.mydomain",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetIn(pty.Input())
Expand Down Expand Up @@ -210,7 +206,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "https://google.com",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetIn(pty.Input())
Expand Down Expand Up @@ -240,7 +235,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "google.com",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
err := root.ExecuteContext(ctx)
require.Error(t, err)
Expand All @@ -260,7 +254,6 @@ func TestServer(t *testing.T) {
"--tls-address", ":0",
"--tls-min-version", "tls9",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
err := root.ExecuteContext(ctx)
require.Error(t, err)
Expand All @@ -279,7 +272,6 @@ func TestServer(t *testing.T) {
"--tls-address", ":0",
"--tls-client-auth", "something",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
err := root.ExecuteContext(ctx)
require.Error(t, err)
Expand Down Expand Up @@ -355,7 +347,6 @@ func TestServer(t *testing.T) {
"--tls-cert-file", certPath,
"--tls-key-file", keyPath,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
errC := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -400,7 +391,6 @@ func TestServer(t *testing.T) {
"--tls-cert-file", cert2Path,
"--tls-key-file", key2Path,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
errC := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -483,7 +473,6 @@ func TestServer(t *testing.T) {
"--tls-cert-file", certPath,
"--tls-key-file", keyPath,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetOutput(pty.Output())
Expand Down Expand Up @@ -615,7 +604,6 @@ func TestServer(t *testing.T) {
"--in-memory",
"--cache-dir", t.TempDir(),
"--http-address", httpListenAddr,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
}
if c.tlsListener {
flags = append(flags,
Expand Down Expand Up @@ -722,7 +710,6 @@ func TestServer(t *testing.T) {
"--in-memory",
"--http-address", "0.0.0.0:0",
"--access-url", "http://example.com",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)

pty := ptytest.New(t)
Expand All @@ -749,7 +736,6 @@ func TestServer(t *testing.T) {
"--in-memory",
"--http-address", "[::]:0",
"--access-url", "http://example.com",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)

pty := ptytest.New(t)
Expand Down Expand Up @@ -777,7 +763,6 @@ func TestServer(t *testing.T) {
"--http-address", "",
"--tls-enable=false",
"--tls-address", "",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
err := root.ExecuteContext(ctx)
require.Error(t, err)
Expand All @@ -794,7 +779,6 @@ func TestServer(t *testing.T) {
"--in-memory",
"--tls-enable=true",
"--tls-address", "",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
err := root.ExecuteContext(ctx)
require.Error(t, err)
Expand All @@ -819,7 +803,6 @@ func TestServer(t *testing.T) {
"--address", ":0",
"--access-url", "http://example.com",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetOutput(pty.Output())
Expand Down Expand Up @@ -856,7 +839,6 @@ func TestServer(t *testing.T) {
"--tls-cert-file", certPath,
"--tls-key-file", keyPath,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
pty := ptytest.New(t)
root.SetOutput(pty.Output())
Expand Down Expand Up @@ -905,7 +887,6 @@ func TestServer(t *testing.T) {
"--access-url", "http://example.com",
"--provisioner-daemons", "1",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -933,7 +914,6 @@ func TestServer(t *testing.T) {
"--access-url", "http://example.com",
"--trace=true",
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
errC := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -973,7 +953,6 @@ func TestServer(t *testing.T) {
"--telemetry",
"--telemetry-url", server.URL,
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
errC := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1006,7 +985,6 @@ func TestServer(t *testing.T) {
"--prometheus-enable",
"--prometheus-address", ":"+strconv.Itoa(randomPort),
"--cache-dir", t.TempDir(),
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1060,7 +1038,6 @@ func TestServer(t *testing.T) {
"--oauth2-github-client-id", "fake",
"--oauth2-github-client-secret", "fake",
"--oauth2-github-enterprise-base-url", fakeRedirect,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1098,7 +1075,6 @@ func TestServer(t *testing.T) {
"--in-memory",
"--http-address", ":0",
"--access-url", "http://example.com",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1128,7 +1104,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--api-rate-limit", val,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1157,7 +1132,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--api-rate-limit", "-1",
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1193,7 +1167,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--log-human", fiName,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1222,7 +1195,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--log-human", fi,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1251,7 +1223,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--log-json", fi,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
serverErr := make(chan error, 1)
go func() {
Expand Down Expand Up @@ -1280,7 +1251,6 @@ func TestServer(t *testing.T) {
"--http-address", ":0",
"--access-url", "http://example.com",
"--log-stackdriver", fi,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
// Attach pty so we get debug output from the command if this test
// fails.
Expand Down Expand Up @@ -1329,7 +1299,6 @@ func TestServer(t *testing.T) {
"--log-human", fi1,
"--log-json", fi2,
"--log-stackdriver", fi3,
"--insecure-app-signing-key-file", clitest.AppSigningKeyPath(t),
)
// Attach pty so we get debug output from the command if this test
// fails.