dbcrypt-rotate -> server dbcrypt rotate

coder · johnstcn · Sep 7, 2023 · Sep 4, 2023 · Sep 4, 2023 · Sep 5, 2023
commit d51ec66d17f632cb1f5af8e323c43084f01e57bf
diff --git a/docs/cli.md b/docs/cli.md
@@ -27,7 +27,6 @@ Coder — A tool for provisioning self-hosted development environments with Terr
 | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
 | [<code>config-ssh</code>](./cli/config-ssh.md)         | Add an SSH Host entry for your workspaces "ssh coder.workspace"                                       |
 | [<code>create</code>](./cli/create.md)                 | Create a workspace                                                                                    |
-| [<code>dbcrypt-rotate</code>](./cli/dbcrypt-rotate.md) | Rotate database encryption keys                                                                       |
 | [<code>delete</code>](./cli/delete.md)                 | Delete a workspace                                                                                    |
 | [<code>dotfiles</code>](./cli/dotfiles.md)             | Personalize your workspace by applying a canonical dotfiles repository                                |
 | [<code>features</code>](./cli/features.md)             | List Enterprise features                                                                              |

diff --git a/docs/cli/server.md b/docs/cli/server.md
diff --git a/docs/cli/server_dbcrypt.md b/docs/cli/server_dbcrypt.md
diff --git a/docs/cli/dbcrypt-rotate.md → docs/cli/server_dbcrypt_rotate.md b/docs/cli/dbcrypt-rotate.md → docs/cli/server_dbcrypt_rotate.md
diff --git a/docs/manifest.json b/docs/manifest.json
@@ -547,11 +547,6 @@
           "description": "Create a workspace",
           "path": "cli/create.md"
         },
-        {
-          "title": "dbcrypt-rotate",
-          "description": "Rotate database encryption keys",
-          "path": "cli/dbcrypt-rotate.md"
-        },
         {
           "title": "delete",
           "description": "Delete a workspace",
@@ -711,6 +706,16 @@
           "description": "Create a new admin user with the given username, email and password and adds it to every organization.",
           "path": "cli/server_create-admin-user.md"
         },
+        {
+          "title": "server dbcrypt",
+          "description": "Manage database encryption",
+          "path": "cli/server_dbcrypt.md"
+        },
+        {
+          "title": "server dbcrypt rotate",
+          "description": "Rotate database encryption keys",
+          "path": "cli/server_dbcrypt_rotate.md"
+        },
         {
           "title": "server postgres-builtin-serve",
           "description": "Run the built-in PostgreSQL deployment.",

diff --git a/enterprise/cli/dbcrypt_rotate_slim.go b/enterprise/cli/dbcrypt_rotate_slim.go
diff --git a/enterprise/cli/root.go b/enterprise/cli/root.go
@@ -17,7 +17,6 @@ func (r *RootCmd) enterpriseOnly() []*clibase.Cmd {
 		r.licenses(),
 		r.groups(),
 		r.provisionerDaemons(),
-		r.dbcryptRotate(),
 	}
 }
 

diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -98,5 +98,9 @@ func (r *RootCmd) Server(_ func()) *clibase.Cmd {
 		}
 		return api.AGPL, api, nil
 	})
+
+	cmd.AddSubcommands(
+		r.dbcryptCmd(),
+	)
 	return cmd
 }
diff --git a/enterprise/cli/dbcrypt_rotate.go → enterprise/cli/server_dbcrypt_rotate.go b/enterprise/cli/dbcrypt_rotate.go → enterprise/cli/server_dbcrypt_rotate.go
@@ -19,14 +19,28 @@ import (
 	"golang.org/x/xerrors"
 )
 
-func (*RootCmd) dbcryptRotate() *clibase.Cmd {
+func (r *RootCmd) dbcryptCmd() *clibase.Cmd {
+	dbcryptCmd := &clibase.Cmd{
+		Use:   "dbcrypt",
+		Short: "Manage database encryption.",
+		Handler: func(inv *clibase.Invocation) error {
+			return inv.Command.HelpHandler(inv)
+		},
+	}
+	dbcryptCmd.AddSubcommands(
+		r.dbcryptRotateCmd(),
+	)
+	return dbcryptCmd
+}
+
+func (*RootCmd) dbcryptRotateCmd() *clibase.Cmd {
 	var (
 		vals = new(codersdk.DeploymentValues)
 		opts = vals.Options()
 	)
 	cmd := &clibase.Cmd{
-		Use:   "dbcrypt-rotate --postgres-url <postgres_url> --external-token-encryption-keys <new-key>,<old-keys>",
-		Short: "Rotate database encryption keys",
+		Use:   "rotate",
+		Short: "Rotate database encryption keys.",
 		Options: clibase.OptionSet{
 			*opts.ByName("Postgres Connection URL"),
 			*opts.ByName("External Token Encryption Keys"),

diff --git a/enterprise/cli/dbcrypt_rotate_test.go → enterprise/cli/server_dbcrypt_rotate_test.go b/enterprise/cli/dbcrypt_rotate_test.go → enterprise/cli/server_dbcrypt_rotate_test.go
@@ -50,7 +50,7 @@ func TestDBCryptRotate(t *testing.T) {
 	require.NoError(t, err)
 
 	// Encrypt all the data with the initial cipher.
-	inv, _ := newCLI(t, "dbcrypt-rotate",
+	inv, _ := newCLI(t, "server", "dbcrypt", "rotate",
 		"--postgres-url", connectionURL,
 		"--external-token-encryption-keys", base64.StdEncoding.EncodeToString([]byte(keyA)),
 	)
@@ -79,7 +79,7 @@ func TestDBCryptRotate(t *testing.T) {
 		base64.StdEncoding.EncodeToString([]byte(keyA)),
 	)
 
-	inv, _ = newCLI(t, "dbcrypt-rotate",
+	inv, _ = newCLI(t, "server", "dbcrypt", "rotate",
 		"--postgres-url", connectionURL,
 		"--external-token-encryption-keys", externalTokensArg,
 	)

diff --git a/enterprise/cli/testdata/coder_--help.golden b/enterprise/cli/testdata/coder_--help.golden
@@ -10,7 +10,6 @@ Coder v0.0.0-devel — A tool for provisioning self-hosted development environme
      [40m [0m[91;40m$ coder templates init[0m[40m [0m
 
 [1mSubcommands[0m
-    dbcrypt-rotate     Rotate database encryption keys
     features           List Enterprise features
     groups             Manage groups
     licenses           Add, delete, and list licenses

diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden
@@ -6,6 +6,7 @@ Start a Coder server
     create-admin-user         Create a new admin user with the given username,
                               email and password and adds it to every
                               organization.
+    dbcrypt                   Manage database encryption.
     postgres-builtin-serve    Run the built-in PostgreSQL deployment.
     postgres-builtin-url      Output the connection URL for the built-in
                               PostgreSQL deployment.

diff --git a/enterprise/cli/testdata/coder_server_dbcrypt_--help.golden b/enterprise/cli/testdata/coder_server_dbcrypt_--help.golden
@@ -0,0 +1,9 @@
+Usage: coder server dbcrypt
+
+Manage database encryption.
+
+[1mSubcommands[0m
+    rotate    Rotate database encryption keys.
+
+---
+Run `coder --help` for a list of global options.
diff --git a/enterprise/cli/testdata/coder_server_dbcrypt_rotate_--help.golden b/enterprise/cli/testdata/coder_server_dbcrypt_rotate_--help.golden
@@ -0,0 +1,24 @@
+Usage: coder server dbcrypt rotate [flags]
+
+Rotate database encryption keys.
+
+[1mOptions[0m
+      --postgres-url string, $CODER_PG_CONNECTION_URL
+          URL of a PostgreSQL database. If empty, PostgreSQL binaries will be
+          downloaded from Maven (https://repo1.maven.org/maven2) and store all
+          data in the config root. Access the built-in database with "coder
+          server postgres-builtin-url".
+
+[1mEnterprise Options[0m 
+These options are only available in the Enterprise Edition.
+
+      --external-token-encryption-keys string-array, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS
+          Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
+          database. The value must be a comma-separated list of base64-encoded
+          keys. Each key, when base64-decoded, must be exactly 32 bytes in
+          length. The first key will be used to encrypt new values. Subsequent
+          keys will be used as a fallback when decrypting. During normal
+          operation it is recommended to only set one key.
+
+---
+Run `coder --help` for a list of global options.