Skip to content

[WIP] feat(enterprise): encrypt external access tokens (oidc, git auth) in the database #9339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 67 commits into from
Closed

[WIP] feat(enterprise): encrypt external access tokens (oidc, git auth) in the database #9339

wants to merge 67 commits into from

Conversation

johnstcn
Copy link
Member

@johnstcn johnstcn commented Aug 25, 2023
edited
Loading

Encrypt exernal access tokens

Note: this PR has gotten rather big, so I am breaking it up into smaller chunks. Keeping this around for reference.
#9421
#9433

This PR adds enterprise-only functionality to encrypt external database access tokens. This builds upon @kylecarbs' previous work in #7959.

  • Adds a new table dbcrypt_sentinel which is used as a litmus test for database encryption status.
  • Adds package enterprise/dbcrypt which handles encryption/decryption for the following fields:
    • dbcrypt_sentinel.value
    • user_links.oauth_access_token
    • user_links.oauth_refresh_token
    • git_auth_links.oauth_access_token
    • git_auth_links.oauth_refresh_token
  • Adds support for specifying EXTERNAL_TOKEN_ENCRYPTION_KEYS to enterprise server cmd.
    • When specified, the database.Store will be wrapped by dbcrypt.Store.
    • At present, we only allow max. 2 keys; this is to force people to complete key rotation in a timely manner instead of continuously appending old keys.
  • Adds a dbcrypt-rotate enterprise subcommand (and associated test) to perform key rotation and re-encryption of affected rows.

Suggested attention:

  • enterprise/dbcrypt - this is the most important piece
  • enterprise/cli - specifically the rotation command
  • enterprise/coderd - specifically the misc. plumbing

Checklist

  • No experimental flags needed
  • Testing:
    • Unit tests have been added
    • Manual testing has been performed using ./scripts/dev-oidc.sh
  • User-facing changes:
    • Add documentation under ./docs (in progress)

kylecarbs and others added 30 commits May 30, 2023 16:26
@kylecarbs
feat: encrypt oidc and git auth tokens in the database
6651fe1
@kylecarbs
Fix dbcrypt
b9251fd
@kylecarbs
Automatically delete rows when not encrypted
deb577b
@kylecarbs
gen
faa20ad
@kylecarbs
Merge branch 'main' into dbcrypt
2e19360
@kylecarbs
Merge branch 'main' into dbcrypt
614065b
@johnstcn
Merge remote-tracking branch 'origin/dbcrypt' into cj/dbcrypt
be996ba
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
2b99db9
@johnstcn
move cipher to dbcrypt package
7837f71
@johnstcn
fixup! move cipher to dbcrypt package
82e7b35
@johnstcn
fixup! move cipher to dbcrypt package
2b404d1
@johnstcn
fixup! move cipher to dbcrypt package
02277a8
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
3a21c5d
@johnstcn
fixup! move cipher to dbcrypt package
a4612c2
@johnstcn
update golden files
8b1f835
@johnstcn
enforce 32-byte key length
60d52f5
@johnstcn
fix some failing tests
dc69c4a 
- add external token encryption key to YAML excludes
- ensure that secret external token encryption key is
  scrubbed from deployment values
@johnstcn
make DecryptionFailedError unwrap to sql.ErrNoRows
d9d050f
@johnstcn
modify dbCrypt to not delete rows silently
1cd4847
@johnstcn
add dbcrypt_sentinel table to determine encryption status
832766c
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
935f79f
@johnstcn
fix unused-receiver
05c0cf9
@johnstcn
move dbcrypt to enterprise
6556269
@johnstcn
dbcrypt.New now marks database as encrypted
cbd776f
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
5929c96
@johnstcn
add hex digest of cipher to encrypted fields
22e7aeb
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
3842fdd
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
9f71836
@johnstcn
fixup! Merge remote-tracking branch 'origin/main' into cj/dbcrypt
17e694c
@johnstcn
add previous external token encryption key deployment value
dbe6915
johnstcn added 19 commits August 29, 2023 08:58
@johnstcn
refactor: add Ciphers to abstract over multiple ciphers
5a0161c
@johnstcn
refactor dbcrypt: add Ciphers to wrap multiple AES256
4142fb2
@johnstcn
fixup! refactor dbcrypt: add Ciphers to wrap multiple AES256
7a64a4e
@johnstcn
fixup! refactor dbcrypt: add Ciphers to wrap multiple AES256
600391f
@johnstcn
fixup! refactor dbcrypt: add Ciphers to wrap multiple AES256
ae6f623
@johnstcn
make gen
8b07604
@johnstcn
make fmt
a2b7935
@johnstcn
make lint
e3dd4c0
@johnstcn
update-golden-files
db30bdd
@johnstcn
fix logging
4c6a93f
@johnstcn
appease the linter
da8c984
@johnstcn
address some comments from original PR
e1a77a6
@johnstcn
fixup! address some comments from original PR
552e425
@johnstcn
lint
2e5b5c0
@johnstcn
fixup! lint
ad44e1e
@johnstcn
handle sentinel mismatch with a specific message
128ad09
@johnstcn
fix build issue
1851fff
@johnstcn
add external token encryption keys to ./scripts/develop.sh by default
6ad0904
@johnstcn
Merge remote-tracking branch 'origin/main' into cj/dbcrypt
1b6e92e
@johnstcn johnstcn changed the title [WIP] encrypt external access tokens feat(enterprise): encrypt external access tokens (oidc, git auth) in the database Aug 29, 2023
@johnstcn johnstcn changed the title feat(enterprise): encrypt external access tokens (oidc, git auth) in the database [WIP] feat(enterprise): encrypt external access tokens (oidc, git auth) in the database Aug 30, 2023
@johnstcn johnstcn mentioned this pull request Aug 30, 2023
Closed
@johnstcn johnstcn closed this Aug 30, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Aug 30, 2023
@johnstcn johnstcn deleted the cj/dbcrypt branch October 13, 2023 12:19
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@johnstcn johnstcn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@johnstcn @kylecarbs