coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit383c718

johnstcn

and

kylecarbs

committed

feat(coderd): add dbcrypt package

This commit builds upon the previous work in#7959:- Moved dbcrypt package to enterprise/dbcrypt- Modified original dbcrypt behaviour to not delete un-decryptable rows.- Added a table dbcrypt_sentinel used to determine database encryption statusNOTE: This is part 1 of a 2-part PR. This PR focusesmainly on the dbcrypt and database packages. A separatePR will add the required plumbing to integrate this intoenterprise/coderd properly.Co-authored-by: Kyle Carberry <kyle@coder.com>

1 parent16ef97a commit383c718Copy full SHA for 383c718

File tree

20 files changed

+1152

-2

lines changed

coderd/database
- dbauthz
  - dbauthz.go
- dbfake
  - dbfake.go
- dbgen
  - dbgen.go
- dbmetrics
  - dbmetrics.go
- dbmock
  - dbmock.go
- dump.sql
- migrations
- models.go
- querier.go
- queries
- queries.sql.go
- unique_constraint.go
enterprise/dbcrypt

20 files changed

+1152

-2

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 28 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -828,6 +828,13 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI`
`828`	`828`	`returnq.db.GetAuthorizationUserRoles(ctx,userID)`
`829`	`829`	`}`
`830`	`830`
	`831`	`+func (q*querier)GetDBCryptSentinelValue(ctx context.Context) (string,error) {`
	`832`	`+iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceSystem);err!=nil {`
	`833`	`+return"",err`
	`834`	`+}`
	`835`	`+returnq.db.GetDBCryptSentinelValue(ctx)`
	`836`	`+}`
	`837`	`+`
`831`	`838`	`func (q*querier)GetDERPMeshKey(ctx context.Context) (string,error) {`
`832`	`839`	`iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceSystem);err!=nil {`
`833`	`840`	`return"",err`
`@@ -904,6 +911,13 @@ func (q *querier) GetGitAuthLink(ctx context.Context, arg database.GetGitAuthLin`
`904`	`911`	`returnfetch(q.log,q.auth,q.db.GetGitAuthLink)(ctx,arg)`
`905`	`912`	`}`
`906`	`913`
	`914`	`+func (q*querier)GetGitAuthLinksByUserID(ctx context.Context,userID uuid.UUID) ([]database.GitAuthLink,error) {`
	`915`	`+iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceSystem);err!=nil {`
	`916`	`+returnnil,err`
	`917`	`+}`
	`918`	`+returnq.db.GetGitAuthLinksByUserID(ctx,userID)`
	`919`	`+}`
	`920`	`+`
`907`	`921`	`func (q*querier)GetGitSSHKey(ctx context.Context,userID uuid.UUID) (database.GitSSHKey,error) {`
`908`	`922`	`returnfetch(q.log,q.auth,q.db.GetGitSSHKey)(ctx,userID)`
`909`	`923`	`}`
`@@ -1472,6 +1486,13 @@ func (q *querier) GetUserLinkByUserIDLoginType(ctx context.Context, arg database`
`1472`	`1486`	`returnq.db.GetUserLinkByUserIDLoginType(ctx,arg)`
`1473`	`1487`	`}`
`1474`	`1488`
	`1489`	`+func (q*querier)GetUserLinksByUserID(ctx context.Context,userID uuid.UUID) ([]database.UserLink,error) {`
	`1490`	`+iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceSystem);err!=nil {`
	`1491`	`+returnnil,err`
	`1492`	`+}`
	`1493`	`+returnq.db.GetUserLinksByUserID(ctx,userID)`
	`1494`	`+}`
	`1495`	`+`
`1475`	`1496`	`func (q*querier)GetUsers(ctx context.Context,arg database.GetUsersParams) ([]database.GetUsersRow,error) {`
`1476`	`1497`	`// This does the filtering in SQL.`
`1477`	`1498`	`prep,err:=prepareSQLFilter(ctx,q.auth,rbac.ActionRead,rbac.ResourceUser.Type)`
`@@ -2134,6 +2155,13 @@ func (q *querier) RegisterWorkspaceProxy(ctx context.Context, arg database.Regis`
`2134`	`2155`	`returnupdateWithReturn(q.log,q.auth,fetch,q.db.RegisterWorkspaceProxy)(ctx,arg)`
`2135`	`2156`	`}`
`2136`	`2157`
	`2158`	`+func (q*querier)SetDBCryptSentinelValue(ctx context.Context,valuestring)error {`
	`2159`	`+iferr:=q.authorizeContext(ctx,rbac.ActionUpdate,rbac.ResourceSystem);err!=nil {`
	`2160`	`+returnerr`
	`2161`	`+}`
	`2162`	`+returnq.db.SetDBCryptSentinelValue(ctx,value)`
	`2163`	`+}`
	`2164`	`+`
`2137`	`2165`	`func (q*querier)TryAcquireLock(ctx context.Context,idint64) (bool,error) {`
`2138`	`2166`	`returnq.db.TryAcquireLock(ctx,id)`
`2139`	`2167`	`}`

`‎coderd/database/dbfake/dbfake.go`

Lines changed: 42 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ func New() database.Store {`
`44`	`44`	`organizationMembers:make([]database.OrganizationMember,0),`
`45`	`45`	`organizations:make([]database.Organization,0),`
`46`	`46`	`users:make([]database.User,0),`
	`47`	`+dbcryptSentinelValue:nil,`
`47`	`48`	`gitAuthLinks:make([]database.GitAuthLink,0),`
`48`	`49`	`groups:make([]database.Group,0),`
`49`	`50`	`groupMembers:make([]database.GroupMember,0),`
`@@ -116,6 +117,7 @@ type data struct {`
`116`	`117`	`// New tables`
`117`	`118`	`workspaceAgentStats []database.WorkspaceAgentStat`
`118`	`119`	`auditLogs []database.AuditLog`
	`120`	`+dbcryptSentinelValue*string`
`119`	`121`	`files []database.File`
`120`	`122`	`gitAuthLinks []database.GitAuthLink`
`121`	`123`	`gitSSHKey []database.GitSSHKey`
`@@ -1150,6 +1152,15 @@ func (q *FakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.U`
`1150`	`1152`	`},nil`
`1151`	`1153`	`}`
`1152`	`1154`
	`1155`	`+func (q*FakeQuerier)GetDBCryptSentinelValue(_ context.Context) (string,error) {`
	`1156`	`+q.mutex.RLock()`
	`1157`	`+deferq.mutex.RUnlock()`
	`1158`	`+ifq.dbcryptSentinelValue==nil {`
	`1159`	`+return"",sql.ErrNoRows`
	`1160`	`+}`
	`1161`	`+return*q.dbcryptSentinelValue,nil`
	`1162`	`+}`
	`1163`	`+`
`1153`	`1164`	`func (q*FakeQuerier)GetDERPMeshKey(_ context.Context) (string,error) {`
`1154`	`1165`	`q.mutex.RLock()`
`1155`	`1166`	`deferq.mutex.RUnlock()`
`@@ -1392,6 +1403,18 @@ func (q *FakeQuerier) GetGitAuthLink(_ context.Context, arg database.GetGitAuthL`
`1392`	`1403`	`return database.GitAuthLink{},sql.ErrNoRows`
`1393`	`1404`	`}`
`1394`	`1405`
	`1406`	`+func (q*FakeQuerier)GetGitAuthLinksByUserID(_ context.Context,userID uuid.UUID) ([]database.GitAuthLink,error) {`
	`1407`	`+q.mutex.RLock()`
	`1408`	`+deferq.mutex.RUnlock()`
	`1409`	`+gals:=make([]database.GitAuthLink,0)`
	`1410`	`+for_,gal:=rangeq.gitAuthLinks {`
	`1411`	`+ifgal.UserID==userID {`
	`1412`	`+gals=append(gals,gal)`
	`1413`	`+}`
	`1414`	`+}`
	`1415`	`+returngals,nil`
	`1416`	`+}`
	`1417`	`+`
`1395`	`1418`	`func (q*FakeQuerier)GetGitSSHKey(_ context.Context,userID uuid.UUID) (database.GitSSHKey,error) {`
`1396`	`1419`	`q.mutex.RLock()`
`1397`	`1420`	`deferq.mutex.RUnlock()`
`@@ -2832,6 +2855,18 @@ func (q *FakeQuerier) GetUserLinkByUserIDLoginType(_ context.Context, params dat`
`2832`	`2855`	`return database.UserLink{},sql.ErrNoRows`
`2833`	`2856`	`}`
`2834`	`2857`
	`2858`	`+func (q*FakeQuerier)GetUserLinksByUserID(_ context.Context,userID uuid.UUID) ([]database.UserLink,error) {`
	`2859`	`+q.mutex.RLock()`
	`2860`	`+deferq.mutex.RUnlock()`
	`2861`	`+uls:=make([]database.UserLink,0)`
	`2862`	`+for_,ul:=rangeq.userLinks {`
	`2863`	`+iful.UserID==userID {`
	`2864`	`+uls=append(uls,ul)`
	`2865`	`+}`
	`2866`	`+}`
	`2867`	`+returnuls,nil`
	`2868`	`+}`
	`2869`	`+`
`2835`	`2870`	`func (q*FakeQuerier)GetUsers(_ context.Context,params database.GetUsersParams) ([]database.GetUsersRow,error) {`
`2836`	`2871`	`iferr:=validateDatabaseType(params);err!=nil {`
`2837`	`2872`	`returnnil,err`
`@@ -4791,6 +4826,13 @@ func (q *FakeQuerier) RegisterWorkspaceProxy(_ context.Context, arg database.Reg`
`4791`	`4826`	`return database.WorkspaceProxy{},sql.ErrNoRows`
`4792`	`4827`	`}`
`4793`	`4828`
	`4829`	`+func (q*FakeQuerier)SetDBCryptSentinelValue(_ context.Context,valuestring)error {`
	`4830`	`+q.mutex.Lock()`
	`4831`	`+deferq.mutex.Unlock()`
	`4832`	`+q.dbcryptSentinelValue=&value`
	`4833`	`+returnnil`
	`4834`	`+}`
	`4835`	`+`
`4794`	`4836`	`func (*FakeQuerier)TryAcquireLock(_ context.Context,_int64) (bool,error) {`
`4795`	`4837`	`returnfalse,xerrors.New("TryAcquireLock must only be called within a transaction")`
`4796`	`4838`	`}`

`‎coderd/database/dbgen/dbgen.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -473,7 +473,7 @@ func UserLink(t testing.TB, db database.Store, orig database.UserLink) database.`
`473`	`473`	`LoginType:takeFirst(orig.LoginType,database.LoginTypeGithub),`
`474`	`474`	`LinkedID:takeFirst(orig.LinkedID),`
`475`	`475`	`OAuthAccessToken:takeFirst(orig.OAuthAccessToken,uuid.NewString()),`
`476`		`-OAuthRefreshToken:takeFirst(orig.OAuthAccessToken,uuid.NewString()),`
	`476`	`+OAuthRefreshToken:takeFirst(orig.OAuthRefreshToken,uuid.NewString()),`
`477`	`477`	`OAuthExpiry:takeFirst(orig.OAuthExpiry,database.Now().Add(time.Hour*24)),`
`478`	`478`	`})`
`479`	`479`
`@@ -486,7 +486,7 @@ func GitAuthLink(t testing.TB, db database.Store, orig database.GitAuthLink) dat`
`486`	`486`	`ProviderID:takeFirst(orig.ProviderID,uuid.New().String()),`
`487`	`487`	`UserID:takeFirst(orig.UserID,uuid.New()),`
`488`	`488`	`OAuthAccessToken:takeFirst(orig.OAuthAccessToken,uuid.NewString()),`
`489`		`-OAuthRefreshToken:takeFirst(orig.OAuthAccessToken,uuid.NewString()),`
	`489`	`+OAuthRefreshToken:takeFirst(orig.OAuthRefreshToken,uuid.NewString()),`
`490`	`490`	`OAuthExpiry:takeFirst(orig.OAuthExpiry,database.Now().Add(time.Hour*24)),`
`491`	`491`	`CreatedAt:takeFirst(orig.CreatedAt,database.Now()),`
`492`	`492`	`UpdatedAt:takeFirst(orig.UpdatedAt,database.Now()),`

`‎coderd/database/dbmetrics/dbmetrics.go`

Lines changed: 28 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbmock/dbmock.go`

Lines changed: 59 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dump.sql`

Lines changed: 14 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000153_dbcrypt_sentinel_value.down.sql`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+DROPTABLE IF EXISTS dbcrypt_sentinel;`

`‎coderd/database/migrations/000153_dbcrypt_sentinel_value.up.sql`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,8 @@`
	`1`	`+CREATETABLEIF NOT EXISTS dbcrypt_sentinel (`
	`2`	`+only_oneinteger GENERATED ALWAYSAS (1) STORED UNIQUE,`
	`3`	`+valtextNOT NULL DEFAULT''::text`
	`4`	`+);`
	`5`	`+`
	`6`	`+COMMENT ON TABLE dbcrypt_sentinel IS'A table used to determine if the database is encrypted';`
	`7`	`+COMMENT ON COLUMN dbcrypt_sentinel.only_one IS'Ensures that only one row exists in the table.';`
	`8`	`+COMMENT ON COLUMN dbcrypt_sentinel.val IS'Used to determine if the database is encrypted.';`

`‎coderd/database/migrations/migrate_test.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -266,6 +266,7 @@ func TestMigrateUpWithFixtures(t *testing.T) {`
`266`	`266`	`"template_version_parameters",`
`267`	`267`	`"workspace_build_parameters",`
`268`	`268`	`"template_version_variables",`
	`269`	`+"dbcrypt_sentinel",// having zero rows is a valid state for this table`
`269`	`270`	`}`
`270`	`271`	`s:=&tableStats{s:make(map[string]int)}`
`271`	`272`

`‎coderd/database/models.go`

Lines changed: 8 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/querier.go`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit383c718

File tree

20 files changed

20 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbfake/dbfake.go`

`‎coderd/database/dbgen/dbgen.go`

`‎coderd/database/dbmetrics/dbmetrics.go`

`‎coderd/database/dbmock/dbmock.go`

`‎coderd/database/dump.sql`

`‎coderd/database/migrations/000153_dbcrypt_sentinel_value.down.sql`

`‎coderd/database/migrations/000153_dbcrypt_sentinel_value.up.sql`

`‎coderd/database/migrations/migrate_test.go`

`‎coderd/database/models.go`

`‎coderd/database/querier.go`

0 commit comments