NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.8k

Commit6c2336b

authored

chore: shorten provisioner key (#14017)

1 parent7ea1a4c commit6c2336bCopy full SHA for 6c2336b

File tree

13 files changed

+103

-60

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbmem
    - dbmem.go
  - dbmetrics
    - dbmetrics.go
  - dbmock
    - dbmock.go
  - querier.go
  - queries.sql.go
  - queries
    - provisionerkeys.sql
- httpmw
  - provisionerdaemon.go
- provisionerkey
  - provisionerkey.go
enterprise
- cli
  - provisionerdaemonstart.go
  - provisionerkeys_test.go
- coderd
  - provisionerdaemons_test.go

13 files changed

+103

-60

lines changed

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1680,6 +1680,10 @@ func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt`
`1680`	`1680`	`returnq.db.GetProvisionerJobsCreatedAfter(ctx,createdAt)`
`1681`	`1681`	`}`
`1682`	`1682`
	`1683`	`+func (q*querier)GetProvisionerKeyByHashedSecret(ctx context.Context,hashedSecret []byte) (database.ProvisionerKey,error) {`
	`1684`	`+returnfetch(q.log,q.auth,q.db.GetProvisionerKeyByHashedSecret)(ctx,hashedSecret)`
	`1685`	`+}`
	`1686`	`+`
`1683`	`1687`	`func (q*querier)GetProvisionerKeyByID(ctx context.Context,id uuid.UUID) (database.ProvisionerKey,error) {`
`1684`	`1688`	`returnfetch(q.log,q.auth,q.db.GetProvisionerKeyByID)(ctx,id)`
`1685`	`1689`	`}`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1825,6 +1825,11 @@ func (s *MethodTestSuite) TestProvisionerKeys() {`
`1825`	`1825`	`pk:=dbgen.ProvisionerKey(s.T(),db, database.ProvisionerKey{OrganizationID:org.ID})`
`1826`	`1826`	`check.Args(pk.ID).Asserts(pk,policy.ActionRead).Returns(pk)`
`1827`	`1827`	`}))`
	`1828`	`+s.Run("GetProvisionerKeyByHashedSecret",s.Subtest(func(db database.Store,check*expects) {`
	`1829`	`+org:=dbgen.Organization(s.T(),db, database.Organization{})`
	`1830`	`+pk:=dbgen.ProvisionerKey(s.T(),db, database.ProvisionerKey{OrganizationID:org.ID,HashedSecret: []byte("foo")})`
	`1831`	`+check.Args([]byte("foo")).Asserts(pk,policy.ActionRead).Returns(pk)`
	`1832`	`+}))`
`1828`	`1833`	`s.Run("GetProvisionerKeyByName",s.Subtest(func(db database.Store,check*expects) {`
`1829`	`1834`	`org:=dbgen.Organization(s.T(),db, database.Organization{})`
`1830`	`1835`	`pk:=dbgen.ProvisionerKey(s.T(),db, database.ProvisionerKey{OrganizationID:org.ID})`

`‎coderd/database/dbmem/dbmem.go‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3240,6 +3240,19 @@ func (q *FakeQuerier) GetProvisionerJobsCreatedAfter(_ context.Context, after ti`
`3240`	`3240`	`returnjobs,nil`
`3241`	`3241`	`}`
`3242`	`3242`
	`3243`	`+func (q*FakeQuerier)GetProvisionerKeyByHashedSecret(_ context.Context,hashedSecret []byte) (database.ProvisionerKey,error) {`
	`3244`	`+q.mutex.RLock()`
	`3245`	`+deferq.mutex.RUnlock()`
	`3246`	`+`
	`3247`	`+for_,key:=rangeq.provisionerKeys {`
	`3248`	`+ifbytes.Equal(key.HashedSecret,hashedSecret) {`
	`3249`	`+returnkey,nil`
	`3250`	`+}`
	`3251`	`+}`
	`3252`	`+`
	`3253`	`+return database.ProvisionerKey{},sql.ErrNoRows`
	`3254`	`+}`
	`3255`	`+`
`3243`	`3256`	`func (q*FakeQuerier)GetProvisionerKeyByID(_ context.Context,id uuid.UUID) (database.ProvisionerKey,error) {`
`3244`	`3257`	`q.mutex.RLock()`
`3245`	`3258`	`deferq.mutex.RUnlock()`

`‎coderd/database/dbmetrics/dbmetrics.go‎`

Lines changed: 7 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbmock/dbmock.go‎`

Lines changed: 15 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/querier.go‎`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries.sql.go‎`

Lines changed: 23 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/provisionerkeys.sql‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,14 @@ FROM`
`19`	`19`	`WHERE`
`20`	`20`	`id= $1;`
`21`	`21`
	`22`	`+-- name: GetProvisionerKeyByHashedSecret :one`
	`23`	`+SELECT`
	`24`	`+*`
	`25`	`+FROM`
	`26`	`+ provisioner_keys`
	`27`	`+WHERE`
	`28`	`+ hashed_secret= $1;`
	`29`	`+`
`22`	`30`	`-- name: GetProvisionerKeyByName :one`
`23`	`31`	`SELECT`
`24`	`32`	`*`

`‎coderd/httpmw/provisionerdaemon.go‎`

Lines changed: 8 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -71,16 +71,17 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu`
`71`	`71`	`return`
`72`	`72`	`}`
`73`	`73`
`74`		`-id,keyValue,err:=provisionerkey.Parse(key)`
	`74`	`+err:=provisionerkey.Validate(key)`
`75`	`75`	`iferr!=nil {`
`76`		`-handleOptional(http.StatusUnauthorized, codersdk.Response{`
	`76`	`+handleOptional(http.StatusBadRequest, codersdk.Response{`
`77`	`77`	`Message:"provisioner daemon key invalid",`
	`78`	`+Detail:err.Error(),`
`78`	`79`	`})`
`79`	`80`	`return`
`80`	`81`	`}`
`81`		`-`
	`82`	`+hashedKey:=provisionerkey.HashSecret(key)`
`82`	`83`	`// nolint:gocritic // System must check if the provisioner key is valid.`
`83`		`-pk,err:=opts.DB.GetProvisionerKeyByID(dbauthz.AsSystemRestricted(ctx),id)`
	`84`	`+pk,err:=opts.DB.GetProvisionerKeyByHashedSecret(dbauthz.AsSystemRestricted(ctx),hashedKey)`
`84`	`85`	`iferr!=nil {`
`85`	`86`	`ifhttpapi.Is404Error(err) {`
`86`	`87`	`handleOptional(http.StatusUnauthorized, codersdk.Response{`
`@@ -90,12 +91,13 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu`
`90`	`91`	`}`
`91`	`92`
`92`	`93`	`handleOptional(http.StatusInternalServerError, codersdk.Response{`
`93`		`-Message:"get provisioner daemon key: "+err.Error(),`
	`94`	`+Message:"get provisioner daemon key",`
	`95`	`+Detail:err.Error(),`
`94`	`96`	`})`
`95`	`97`	`return`
`96`	`98`	`}`
`97`	`99`
`98`		`-ifprovisionerkey.Compare(pk.HashedSecret,provisionerkey.HashSecret(keyValue)) {`
	`100`	`+ifprovisionerkey.Compare(pk.HashedSecret,hashedKey) {`
`99`	`101`	`handleOptional(http.StatusUnauthorized, codersdk.Response{`
`100`	`102`	`Message:"provisioner daemon key invalid",`
`101`	`103`	`})`

`‎coderd/provisionerkey/provisionerkey.go‎`

Lines changed: 13 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,6 @@ package provisionerkey`
`3`	`3`	`import (`
`4`	`4`	`"crypto/sha256"`
`5`	`5`	`"crypto/subtle"`
`6`		`-"fmt"`
`7`		`-"strings"`
`8`	`6`
`9`	`7`	`"github.com/google/uuid"`
`10`	`8`	`"golang.org/x/xerrors"`
`@@ -14,41 +12,36 @@ import (`
`14`	`12`	`"github.com/coder/coder/v2/cryptorand"`
`15`	`13`	`)`
`16`	`14`
	`15`	`+const (`
	`16`	`+secretLength=43`
	`17`	`+)`
	`18`	`+`
`17`	`19`	`funcNew(organizationID uuid.UUID,namestring,tagsmap[string]string) (database.InsertProvisionerKeyParams,string,error) {`
`18`		`-id:=uuid.New()`
`19`		`-secret,err:=cryptorand.HexString(64)`
	`20`	`+secret,err:=cryptorand.String(secretLength)`
`20`	`21`	`iferr!=nil {`
`21`		`-return database.InsertProvisionerKeyParams{},"",xerrors.Errorf("generatetoken: %w",err)`
	`22`	`+return database.InsertProvisionerKeyParams{},"",xerrors.Errorf("generatesecret: %w",err)`
`22`	`23`	`}`
`23`		`-hashedSecret:=HashSecret(secret)`
`24`		`-token:=fmt.Sprintf("%s:%s",id,secret)`
`25`	`24`
`26`	`25`	`iftags==nil {`
`27`	`26`	`tags=map[string]string{}`
`28`	`27`	`}`
`29`	`28`
`30`	`29`	`return database.InsertProvisionerKeyParams{`
`31`		`-ID:id,`
	`30`	`+ID:uuid.New(),`
`32`	`31`	`CreatedAt:dbtime.Now(),`
`33`	`32`	`OrganizationID:organizationID,`
`34`	`33`	`Name:name,`
`35`		`-HashedSecret:hashedSecret,`
	`34`	`+HashedSecret:HashSecret(secret),`
`36`	`35`	`Tags:tags,`
`37`		`-},token,nil`
	`36`	`+},secret,nil`
`38`	`37`	`}`
`39`	`38`
`40`		`-funcParse(tokenstring) (uuid.UUID,string,error) {`
`41`		`-parts:=strings.Split(token,":")`
`42`		`-iflen(parts)!=2 {`
`43`		`-return uuid.UUID{},"",xerrors.Errorf("invalid token format")`
`44`		`-}`
`45`		`-`
`46`		`-id,err:=uuid.Parse(parts[0])`
`47`		`-iferr!=nil {`
`48`		`-return uuid.UUID{},"",xerrors.Errorf("parse id: %w",err)`
	`39`	`+funcValidate(tokenstring)error {`
	`40`	`+iflen(token)!=secretLength {`
	`41`	`+returnxerrors.Errorf("must be %d characters",secretLength)`
`49`	`42`	`}`
`50`	`43`
`51`		`-returnid,parts[1],nil`
	`44`	`+returnnil`
`52`	`45`	`}`
`53`	`46`
`54`	`47`	`funcHashSecret(secretstring) []byte {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6c2336b

File tree

13 files changed

13 files changed

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbmem/dbmem.go‎`

`‎coderd/database/dbmetrics/dbmetrics.go‎`

`‎coderd/database/dbmock/dbmock.go‎`

`‎coderd/database/querier.go‎`

`‎coderd/database/queries.sql.go‎`

`‎coderd/database/queries/provisionerkeys.sql‎`

`‎coderd/httpmw/provisionerdaemon.go‎`

`‎coderd/provisionerkey/provisionerkey.go‎`

0 commit comments