Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit03262de

Browse files
committed
feat: add schema for key rotation
1 parentbfdc29f commit03262de

File tree

17 files changed

+733
-0
lines changed

17 files changed

+733
-0
lines changed

‎coderd/database/dbauthz/dbauthz.go‎

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1041,6 +1041,13 @@ func (q *querier) DeleteCoordinator(ctx context.Context, id uuid.UUID) error {
10411041
returnq.db.DeleteCoordinator(ctx,id)
10421042
}
10431043

1044+
func (q*querier)DeleteCryptoKey(ctx context.Context,arg database.DeleteCryptoKeyParams) (database.CryptoKey,error) {
1045+
iferr:=q.authorizeContext(ctx,policy.ActionDelete,rbac.ResourceSystem);err!=nil {
1046+
return database.CryptoKey{},err
1047+
}
1048+
returnq.db.DeleteCryptoKey(ctx,arg)
1049+
}
1050+
10441051
func (q*querier)DeleteCustomRole(ctx context.Context,arg database.DeleteCustomRoleParams)error {
10451052
ifarg.OrganizationID.UUID!=uuid.Nil {
10461053
iferr:=q.authorizeContext(ctx,policy.ActionDelete,rbac.ResourceAssignOrgRole.InOrg(arg.OrganizationID.UUID));err!=nil {
@@ -1383,6 +1390,20 @@ func (q *querier) GetCoordinatorResumeTokenSigningKey(ctx context.Context) (stri
13831390
returnq.db.GetCoordinatorResumeTokenSigningKey(ctx)
13841391
}
13851392

1393+
func (q*querier)GetCryptoKeyByFeatureAndSequence(ctx context.Context,arg database.GetCryptoKeyByFeatureAndSequenceParams) (database.CryptoKey,error) {
1394+
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceSystem);err!=nil {
1395+
return database.CryptoKey{},err
1396+
}
1397+
returnq.db.GetCryptoKeyByFeatureAndSequence(ctx,arg)
1398+
}
1399+
1400+
func (q*querier)GetCryptoKeys(ctx context.Context) ([]database.CryptoKey,error) {
1401+
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceSystem);err!=nil {
1402+
returnnil,err
1403+
}
1404+
returnq.db.GetCryptoKeys(ctx)
1405+
}
1406+
13861407
func (q*querier)GetDBCryptKeys(ctx context.Context) ([]database.DBCryptKey,error) {
13871408
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceSystem);err!=nil {
13881409
returnnil,err
@@ -1549,6 +1570,13 @@ func (q *querier) GetLastUpdateCheck(ctx context.Context) (string, error) {
15491570
returnq.db.GetLastUpdateCheck(ctx)
15501571
}
15511572

1573+
func (q*querier)GetLatestCryptoKeyByFeature(ctx context.Context,feature database.CryptoKeyFeature) (database.CryptoKey,error) {
1574+
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceSystem);err!=nil {
1575+
return database.CryptoKey{},err
1576+
}
1577+
returnq.db.GetLatestCryptoKeyByFeature(ctx,feature)
1578+
}
1579+
15521580
func (q*querier)GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context,workspaceID uuid.UUID) (database.WorkspaceBuild,error) {
15531581
if_,err:=q.GetWorkspaceByID(ctx,workspaceID);err!=nil {
15541582
return database.WorkspaceBuild{},err
@@ -2654,6 +2682,13 @@ func (q *querier) InsertAuditLog(ctx context.Context, arg database.InsertAuditLo
26542682
returninsert(q.log,q.auth,rbac.ResourceAuditLog,q.db.InsertAuditLog)(ctx,arg)
26552683
}
26562684

2685+
func (q*querier)InsertCryptoKey(ctx context.Context,arg database.InsertCryptoKeyParams) (database.CryptoKey,error) {
2686+
iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceSystem);err!=nil {
2687+
return database.CryptoKey{},err
2688+
}
2689+
returnq.db.InsertCryptoKey(ctx,arg)
2690+
}
2691+
26572692
func (q*querier)InsertCustomRole(ctx context.Context,arg database.InsertCustomRoleParams) (database.CustomRole,error) {
26582693
// Org and site role upsert share the same query. So switch the assertion based on the org uuid.
26592694
ifarg.OrganizationID.UUID!=uuid.Nil {
@@ -3157,6 +3192,13 @@ func (q *querier) UpdateAPIKeyByID(ctx context.Context, arg database.UpdateAPIKe
31573192
returnupdate(q.log,q.auth,fetch,q.db.UpdateAPIKeyByID)(ctx,arg)
31583193
}
31593194

3195+
func (q*querier)UpdateCryptoKeyDeletesAt(ctx context.Context,arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey,error) {
3196+
iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceSystem);err!=nil {
3197+
return database.CryptoKey{},err
3198+
}
3199+
returnq.db.UpdateCryptoKeyDeletesAt(ctx,arg)
3200+
}
3201+
31603202
func (q*querier)UpdateCustomRole(ctx context.Context,arg database.UpdateCustomRoleParams) (database.CustomRole,error) {
31613203
ifarg.OrganizationID.UUID!=uuid.Nil {
31623204
iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceAssignOrgRole.InOrg(arg.OrganizationID.UUID));err!=nil {

‎coderd/database/dbgen/dbgen.go‎

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ package dbgen
22

33
import (
44
"context"
5+
"crypto/rand"
56
"crypto/sha256"
67
"database/sql"
78
"encoding/hex"
@@ -893,6 +894,36 @@ func CustomRole(t testing.TB, db database.Store, seed database.CustomRole) datab
893894
returnrole
894895
}
895896

897+
funcCryptoKey(t testing.TB,db database.Store,seed database.CryptoKey) database.CryptoKey {
898+
t.Helper()
899+
900+
b:=make([]byte,96)
901+
_,err:=rand.Read(b)
902+
require.NoError(t,err,"generate secret")
903+
904+
key,err:=db.InsertCryptoKey(genCtx, database.InsertCryptoKeyParams{
905+
Sequence:takeFirst(seed.Sequence,123),
906+
Secret:takeFirst(seed.Secret, sql.NullString{
907+
String:hex.EncodeToString(b),
908+
Valid:true,
909+
}),
910+
SecretKeyID:takeFirst(seed.SecretKeyID, sql.NullString{}),
911+
Feature:takeFirst(seed.Feature,database.CryptoKeyFeatureWorkspaceApps),
912+
StartsAt:takeFirst(seed.StartsAt,time.Now()),
913+
})
914+
require.NoError(t,err,"insert crypto key")
915+
916+
ifseed.DeletesAt.Valid {
917+
key,err=db.UpdateCryptoKeyDeletesAt(genCtx, database.UpdateCryptoKeyDeletesAtParams{
918+
Feature:key.Feature,
919+
Sequence:key.Sequence,
920+
DeletesAt: sql.NullTime{Time:seed.DeletesAt.Time,Valid:true},
921+
})
922+
require.NoError(t,err,"update crypto key deletes_at")
923+
}
924+
returnkey
925+
}
926+
896927
funcmust[Vany](vV,errerror)V {
897928
iferr!=nil {
898929
panic(err)

‎coderd/database/dbmem/dbmem.go‎

Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -153,6 +153,7 @@ type data struct {
153153
// New tables
154154
workspaceAgentStats []database.WorkspaceAgentStat
155155
auditLogs []database.AuditLog
156+
cryptoKeys []database.CryptoKey
156157
dbcryptKeys []database.DBCryptKey
157158
files []database.File
158159
externalAuthLinks []database.ExternalAuthLink
@@ -1434,6 +1435,25 @@ func (*FakeQuerier) DeleteCoordinator(context.Context, uuid.UUID) error {
14341435
returnErrUnimplemented
14351436
}
14361437

1438+
func (q*FakeQuerier)DeleteCryptoKey(_ context.Context,arg database.DeleteCryptoKeyParams) (database.CryptoKey,error) {
1439+
err:=validateDatabaseType(arg)
1440+
iferr!=nil {
1441+
return database.CryptoKey{},err
1442+
}
1443+
1444+
q.mutex.Lock()
1445+
deferq.mutex.Unlock()
1446+
1447+
fori,key:=rangeq.cryptoKeys {
1448+
ifkey.Feature==arg.Feature&&key.Sequence==arg.Sequence {
1449+
q.cryptoKeys[i].Secret.String=""
1450+
q.cryptoKeys[i].Secret.Valid=false
1451+
returnq.cryptoKeys[i],nil
1452+
}
1453+
}
1454+
return database.CryptoKey{},sql.ErrNoRows
1455+
}
1456+
14371457
func (q*FakeQuerier)DeleteCustomRole(_ context.Context,arg database.DeleteCustomRoleParams)error {
14381458
err:=validateDatabaseType(arg)
14391459
iferr!=nil {
@@ -2309,6 +2329,41 @@ func (q *FakeQuerier) GetCoordinatorResumeTokenSigningKey(_ context.Context) (st
23092329
returnq.coordinatorResumeTokenSigningKey,nil
23102330
}
23112331

2332+
func (q*FakeQuerier)GetCryptoKeyByFeatureAndSequence(_ context.Context,arg database.GetCryptoKeyByFeatureAndSequenceParams) (database.CryptoKey,error) {
2333+
err:=validateDatabaseType(arg)
2334+
iferr!=nil {
2335+
return database.CryptoKey{},err
2336+
}
2337+
2338+
q.mutex.RLock()
2339+
deferq.mutex.RUnlock()
2340+
2341+
for_,key:=rangeq.cryptoKeys {
2342+
ifkey.Feature==arg.Feature&&key.Sequence==arg.Sequence {
2343+
// Keys with NULL secrets are considered deleted.
2344+
ifkey.Secret.Valid {
2345+
returnkey,nil
2346+
}
2347+
return database.CryptoKey{},sql.ErrNoRows
2348+
}
2349+
}
2350+
2351+
return database.CryptoKey{},sql.ErrNoRows
2352+
}
2353+
2354+
func (q*FakeQuerier)GetCryptoKeys(_ context.Context) ([]database.CryptoKey,error) {
2355+
q.mutex.RLock()
2356+
deferq.mutex.RUnlock()
2357+
2358+
keys:=make([]database.CryptoKey,0)
2359+
for_,key:=rangeq.cryptoKeys {
2360+
ifkey.Secret.Valid {
2361+
keys=append(keys,key)
2362+
}
2363+
}
2364+
returnkeys,nil
2365+
}
2366+
23122367
func (q*FakeQuerier)GetDBCryptKeys(_ context.Context) ([]database.DBCryptKey,error) {
23132368
q.mutex.RLock()
23142369
deferq.mutex.RUnlock()
@@ -2806,6 +2861,23 @@ func (q *FakeQuerier) GetLastUpdateCheck(_ context.Context) (string, error) {
28062861
returnstring(q.lastUpdateCheck),nil
28072862
}
28082863

2864+
func (q*FakeQuerier)GetLatestCryptoKeyByFeature(_ context.Context,feature database.CryptoKeyFeature) (database.CryptoKey,error) {
2865+
q.mutex.RLock()
2866+
deferq.mutex.RUnlock()
2867+
2868+
varlatestKey database.CryptoKey
2869+
for_,key:=rangeq.cryptoKeys {
2870+
ifkey.Feature==feature&&latestKey.Sequence<key.Sequence {
2871+
latestKey=key
2872+
}
2873+
}
2874+
2875+
iflatestKey.Secret.Valid {
2876+
returnlatestKey,nil
2877+
}
2878+
return database.CryptoKey{},sql.ErrNoRows
2879+
}
2880+
28092881
func (q*FakeQuerier)GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context,workspaceID uuid.UUID) (database.WorkspaceBuild,error) {
28102882
q.mutex.RLock()
28112883
deferq.mutex.RUnlock()
@@ -6305,6 +6377,28 @@ func (q *FakeQuerier) InsertAuditLog(_ context.Context, arg database.InsertAudit
63056377
returnalog,nil
63066378
}
63076379

6380+
func (q*FakeQuerier)InsertCryptoKey(_ context.Context,arg database.InsertCryptoKeyParams) (database.CryptoKey,error) {
6381+
err:=validateDatabaseType(arg)
6382+
iferr!=nil {
6383+
return database.CryptoKey{},err
6384+
}
6385+
6386+
q.mutex.Lock()
6387+
deferq.mutex.Unlock()
6388+
6389+
key:= database.CryptoKey{
6390+
Feature:arg.Feature,
6391+
Sequence:arg.Sequence,
6392+
Secret:arg.Secret,
6393+
SecretKeyID:arg.SecretKeyID,
6394+
StartsAt:arg.StartsAt,
6395+
}
6396+
6397+
q.cryptoKeys=append(q.cryptoKeys,key)
6398+
6399+
returnkey,nil
6400+
}
6401+
63086402
func (q*FakeQuerier)InsertCustomRole(_ context.Context,arg database.InsertCustomRoleParams) (database.CustomRole,error) {
63096403
err:=validateDatabaseType(arg)
63106404
iferr!=nil {
@@ -7774,6 +7868,25 @@ func (q *FakeQuerier) UpdateAPIKeyByID(_ context.Context, arg database.UpdateAPI
77747868
returnsql.ErrNoRows
77757869
}
77767870

7871+
func (q*FakeQuerier)UpdateCryptoKeyDeletesAt(_ context.Context,arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey,error) {
7872+
err:=validateDatabaseType(arg)
7873+
iferr!=nil {
7874+
return database.CryptoKey{},err
7875+
}
7876+
q.mutex.Lock()
7877+
deferq.mutex.Unlock()
7878+
7879+
fori,key:=rangeq.cryptoKeys {
7880+
ifkey.Feature==arg.Feature&&key.Sequence==arg.Sequence {
7881+
key.DeletesAt=arg.DeletesAt
7882+
q.cryptoKeys[i]=key
7883+
returnkey,nil
7884+
}
7885+
}
7886+
7887+
return database.CryptoKey{},sql.ErrNoRows
7888+
}
7889+
77777890
func (q*FakeQuerier)UpdateCustomRole(_ context.Context,arg database.UpdateCustomRoleParams) (database.CustomRole,error) {
77787891
err:=validateDatabaseType(arg)
77797892
iferr!=nil {

‎coderd/database/dbmetrics/dbmetrics.go‎

Lines changed: 42 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp