NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commit13ca9ea

authored

chore!: ensure consistent secret token generation and hashing (#20388)

This PR uses the same sha256 hashing technique as we use for APIKeys. Sonow all randomly generated secrets will be hashed with sha256 forconsistency.This is a breaking change for the oauth tokens. Since oauth is onlyallowed for dev builds and experimental, this is ok.

1 parent9061493 commit13ca9eaCopy full SHA for 13ca9ea

File tree

35 files changed

+169

-179

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- apikey
  - apikey.go
  - apikey_test.go
- database
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - dbmetrics
    - querymetrics.go
  - dbmock
    - dbmock.go
  - dump.sql
  - migrations
    - 000388_oauth_app_byte_reg_access_token.down.sql
    - 000388_oauth_app_byte_reg_access_token.up.sql
  - models.go
  - querier.go
  - queries.sql.go
- httpmw
- oauth2_test.go
- oauth2provider
- provisionerkey
  - provisionerkey.go
codersdk
- oauth2.go
docs/reference/api
- enterprise.md
- schemas.md
enterprise
- coderd
  - workspaceproxy.go
- x/aibridgedserver
  - aibridgedserver.go
  - aibridgedserver_test.go

35 files changed

+169

-179

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 4 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 4 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey/apikey.go‎`

Lines changed: 28 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package apikey`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"crypto/sha256"`
	`5`	`+"crypto/subtle"`
`5`	`6`	`"fmt"`
`6`	`7`	`"net"`
`7`	`8`	`"time"`
`@@ -44,12 +45,17 @@ type CreateParams struct {`
`44`	`45`	`// database representation. It is the responsibility of the caller to insert it`
`45`	`46`	`// into the database.`
`46`	`47`	`funcGenerate(paramsCreateParams) (database.InsertAPIKeyParams,string,error) {`
`47`		`-keyID,keySecret,err:=generateKey()`
	`48`	`+// Length of an API Key ID.`
	`49`	`+keyID,err:=cryptorand.String(10)`
`48`	`50`	`iferr!=nil {`
`49`		`-return database.InsertAPIKeyParams{},"",xerrors.Errorf("generate API key: %w",err)`
	`51`	`+return database.InsertAPIKeyParams{},"",xerrors.Errorf("generate API key ID: %w",err)`
`50`	`52`	`}`
`51`	`53`
`52`		`-hashed:=sha256.Sum256([]byte(keySecret))`
	`54`	`+// Length of an API Key secret.`
	`55`	`+keySecret,hashedSecret,err:=GenerateSecret(22)`
	`56`	`+iferr!=nil {`
	`57`	`+return database.InsertAPIKeyParams{},"",xerrors.Errorf("generate API key secret: %w",err)`
	`58`	`+}`
`53`	`59`
`54`	`60`	`// Default expires at to now+lifetime, or use the configured value if not`
`55`	`61`	`// set.`
`@@ -120,25 +126,32 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`120`	`126`	`ExpiresAt:params.ExpiresAt.UTC(),`
`121`	`127`	`CreatedAt:dbtime.Now(),`
`122`	`128`	`UpdatedAt:dbtime.Now(),`
`123`		`-HashedSecret:hashed[:],`
	`129`	`+HashedSecret:hashedSecret,`
`124`	`130`	`LoginType:params.LoginType,`
`125`	`131`	`Scopes:scopes,`
`126`	`132`	`AllowList:params.AllowList,`
`127`	`133`	`TokenName:params.TokenName,`
`128`	`134`	`},token,nil`
`129`	`135`	`}`
`130`	`136`
`131`		`-// generateKey a new ID and secret for an API key.`
`132`		`-funcgenerateKey() (idstring,secretstring,errerror) {`
`133`		`-// Length of an API Key ID.`
`134`		`-id,err=cryptorand.String(10)`
`135`		`-iferr!=nil {`
`136`		`-return"","",err`
`137`		`-}`
`138`		`-// Length of an API Key secret.`
`139`		`-secret,err=cryptorand.String(22)`
	`137`	`+funcGenerateSecret(lengthint) (secretstring,hashed []byte,errerror) {`
	`138`	`+secret,err=cryptorand.String(length)`
`140`	`139`	`iferr!=nil {`
`141`		`-return"","",err`
	`140`	`+return"",nil,err`
`142`	`141`	`}`
`143`		`-returnid,secret,nil`
	`142`	`+hash:=HashSecret(secret)`
	`143`	`+returnsecret,hash,nil`
	`144`	`+}`
	`145`	`+`
	`146`	`+// ValidateHash compares a secret against an expected hashed secret.`
	`147`	`+funcValidateHash(hashedSecret []byte,secretstring)bool {`
	`148`	`+hash:=HashSecret(secret)`
	`149`	`+returnsubtle.ConstantTimeCompare(hashedSecret,hash)==1`
	`150`	`+}`
	`151`	`+`
	`152`	`+// HashSecret is the single function used to hash API key secrets.`
	`153`	`+// Use this to ensure a consistent hashing algorithm.`
	`154`	`+funcHashSecret(secretstring) []byte {`
	`155`	`+hash:=sha256.Sum256([]byte(secret))`
	`156`	`+returnhash[:]`
`144`	`157`	`}`

`‎coderd/apikey/apikey_test.go‎`

Lines changed: 16 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package apikey_test`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"crypto/sha256"`
`5`	`4`	`"strings"`
`6`	`5`	`"testing"`
`7`	`6`	`"time"`
`@@ -126,8 +125,8 @@ func TestGenerate(t *testing.T) {`
`126`	`125`	`require.Equal(t,key.ID,keytokens[0])`
`127`	`126`
`128`	`127`	`// Assert that the hashed secret is correct.`
`129`		`-hashed:=sha256.Sum256([]byte(keytokens[1]))`
`130`		`-assert.ElementsMatch(t,hashed,key.HashedSecret)`
	`128`	`+equal:=apikey.ValidateHash(key.HashedSecret,keytokens[1])`
	`129`	`+require.True(t,equal,"valid secret")`
`131`	`130`
`132`	`131`	`assert.Equal(t,tc.params.UserID,key.UserID)`
`133`	`132`	`assert.WithinDuration(t,dbtime.Now(),key.CreatedAt,time.Second*5)`
`@@ -173,3 +172,17 @@ func TestGenerate(t *testing.T) {`
`173`	`172`	`})`
`174`	`173`	`}`
`175`	`174`	`}`
	`175`	`+`
	`176`	`+// TestInvalid just ensures the false case is asserted by some tests.`
	`177`	+// Otherwise, a function that just `returns true` might pass all tests incorrectly.
	`178`	`+funcTestInvalid(t*testing.T) {`
	`179`	`+t.Parallel()`
	`180`	`+`
	`181`	`+require.Falsef(t,apikey.ValidateHash([]byte{},"secret"),"empty hash")`
	`182`	`+`
	`183`	`+secret,hash,err:=apikey.GenerateSecret(10)`
	`184`	`+require.NoError(t,err)`
	`185`	`+`
	`186`	`+require.Falsef(t,apikey.ValidateHash(hash,secret+"_"),"different secret")`
	`187`	`+require.Falsef(t,apikey.ValidateHash(hash[:len(hash)-1],secret),"different hash length")`
	`188`	`+}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2475,7 +2475,7 @@ func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (d`
`2475`	`2475`	`returnq.db.GetOAuth2ProviderAppByID(ctx,id)`
`2476`	`2476`	`}`
`2477`	`2477`
`2478`		`-func (q*querier)GetOAuth2ProviderAppByRegistrationToken(ctx context.Context,registrationAccessTokensql.NullString) (database.OAuth2ProviderApp,error) {`
	`2478`	`+func (q*querier)GetOAuth2ProviderAppByRegistrationToken(ctx context.Context,registrationAccessToken[]byte) (database.OAuth2ProviderApp,error) {`
`2479`	`2479`	`iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2App);err!=nil {`
`2480`	`2480`	`return database.OAuth2ProviderApp{},err`
`2481`	`2481`	`}`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -3925,9 +3925,9 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {`
`3925`	`3925`	`}))`
`3926`	`3926`	`s.Run("GetOAuth2ProviderAppByRegistrationToken",s.Subtest(func(db database.Store,check*expects) {`
`3927`	`3927`	`app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{`
`3928`		`-RegistrationAccessToken:sql.NullString{String:"test-token",Valid:true},`
	`3928`	`+RegistrationAccessToken:[]byte("test-token"),`
`3929`	`3929`	`})`
`3930`		`-check.Args(sql.NullString{String:"test-token",Valid:true}).Asserts(rbac.ResourceOauth2App,policy.ActionRead).Returns(app)`
	`3930`	`+check.Args([]byte("test-token")).Asserts(rbac.ResourceOauth2App,policy.ActionRead).Returns(app)`
`3931`	`3931`	`}))`
`3932`	`3932`	`}`
`3933`	`3933`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 8 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@ package dbgen`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"crypto/rand"`
`6`		`-"crypto/sha256"`
`7`	`6`	`"database/sql"`
`8`	`7`	`"encoding/hex"`
`9`	`8`	`"encoding/json"`
`@@ -20,6 +19,7 @@ import (`
`20`	`19`	`"github.com/stretchr/testify/require"`
`21`	`20`	`"golang.org/x/xerrors"`
`22`	`21`
	`22`	`+"github.com/coder/coder/v2/coderd/apikey"`
`23`	`23`	`"github.com/coder/coder/v2/coderd/database"`
`24`	`24`	`"github.com/coder/coder/v2/coderd/database/db2sdk"`
`25`	`25`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`@@ -161,8 +161,8 @@ func Template(t testing.TB, db database.Store, seed database.Template) database.`
`161`	`161`
`162`	`162`	`funcAPIKey(t testing.TB,db database.Store,seed database.APIKey,munge...func(*database.InsertAPIKeyParams)) (key database.APIKey,tokenstring) {`
`163`	`163`	`id,_:=cryptorand.String(10)`
`164`		`-secret,_:=cryptorand.String(22)`
`165`		`-hashed:=sha256.Sum256([]byte(secret))`
	`164`	`+secret,hashed,err:=apikey.GenerateSecret(22)`
	`165`	`+require.NoError(t,err)`
`166`	`166`
`167`	`167`	`ip:=seed.IPAddress`
`168`	`168`	`if!ip.Valid {`
`@@ -179,7 +179,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`179`	`179`	`ID:takeFirst(seed.ID,id),`
`180`	`180`	`// 0 defaults to 86400 at the db layer`
`181`	`181`	`LifetimeSeconds:takeFirst(seed.LifetimeSeconds,0),`
`182`		`-HashedSecret:takeFirstSlice(seed.HashedSecret,hashed[:]),`
	`182`	`+HashedSecret:takeFirstSlice(seed.HashedSecret,hashed),`
`183`	`183`	`IPAddress:ip,`
`184`	`184`	`UserID:takeFirst(seed.UserID,uuid.New()),`
`185`	`185`	`LastUsed:takeFirst(seed.LastUsed,dbtime.Now()),`
`@@ -194,7 +194,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`194`	`194`	`for_,fn:=rangemunge {`
`195`	`195`	`fn(&params)`
`196`	`196`	`}`
`197`		`-key,err:=db.InsertAPIKey(genCtx,params)`
	`197`	`+key,err=db.InsertAPIKey(genCtx,params)`
`198`	`198`	`require.NoError(t,err,"insert api key")`
`199`	`199`	`returnkey,fmt.Sprintf("%s-%s",key.ID,secret)`
`200`	`200`	`}`
`@@ -980,16 +980,15 @@ func WorkspaceResourceMetadatums(t testing.TB, db database.Store, seed database.`
`980`	`980`	`}`
`981`	`981`
`982`	`982`	`funcWorkspaceProxy(t testing.TB,db database.Store,orig database.WorkspaceProxy) (database.WorkspaceProxy,string) {`
`983`		`-secret,err:=cryptorand.HexString(64)`
	`983`	`+secret,hashedSecret,err:=apikey.GenerateSecret(64)`
`984`	`984`	`require.NoError(t,err,"generate secret")`
`985`		`-hashedSecret:=sha256.Sum256([]byte(secret))`
`986`	`985`
`987`	`986`	`proxy,err:=db.InsertWorkspaceProxy(genCtx, database.InsertWorkspaceProxyParams{`
`988`	`987`	`ID:takeFirst(orig.ID,uuid.New()),`
`989`	`988`	`Name:takeFirst(orig.Name,testutil.GetRandomName(t)),`
`990`	`989`	`DisplayName:takeFirst(orig.DisplayName,testutil.GetRandomName(t)),`
`991`	`990`	`Icon:takeFirst(orig.Icon,testutil.GetRandomName(t)),`
`992`		`-TokenHashedSecret:hashedSecret[:],`
	`991`	`+TokenHashedSecret:hashedSecret,`
`993`	`992`	`CreatedAt:takeFirst(orig.CreatedAt,dbtime.Now()),`
`994`	`993`	`UpdatedAt:takeFirst(orig.UpdatedAt,dbtime.Now()),`
`995`	`994`	`DerpEnabled:takeFirst(orig.DerpEnabled,false),`
`@@ -1259,7 +1258,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov`
`1259`	`1258`	`Jwks:seed.Jwks,// pqtype.NullRawMessage{} is not comparable, use existing value`
`1260`	`1259`	`SoftwareID:takeFirst(seed.SoftwareID, sql.NullString{}),`
`1261`	`1260`	`SoftwareVersion:takeFirst(seed.SoftwareVersion, sql.NullString{}),`
`1262`		`-RegistrationAccessToken:takeFirst(seed.RegistrationAccessToken, sql.NullString{}),`
	`1261`	`+RegistrationAccessToken:seed.RegistrationAccessToken,`
`1263`	`1262`	`RegistrationClientUri:takeFirst(seed.RegistrationClientUri, sql.NullString{}),`
`1264`	`1263`	`})`
`1265`	`1264`	`require.NoError(t,err,"insert oauth2 app")`

`‎coderd/database/dbmetrics/querymetrics.go‎`

Lines changed: 1 addition & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbmock/dbmock.go‎`

Lines changed: 1 addition & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dump.sql‎`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit13ca9ea

File tree

35 files changed

35 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/apikey/apikey_test.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

`‎coderd/database/dbmetrics/querymetrics.go‎`

`‎coderd/database/dbmock/dbmock.go‎`

`‎coderd/database/dump.sql‎`

0 commit comments