NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commit7557ed2

committed

Refactor key management and enhance logging

- Improve clarity by naming loggers used in key cache creation.- Adjust key cache context to utilize KeyReader for consistent context handling.- Refactor API to use central key cache management approach.- Enhance error messages for crypto key fetching.- Update test to add safety against unexpected panics.

1 parentb770762 commit7557ed2Copy full SHA for 7557ed2

File tree

9 files changed

+75

-61

lines changed

coderd
- coderd.go
- cryptokeys
  - cache.go
- userauth.go
- workspaceapps
  - proxy.go
  - token.go
enterprise/wsproxy
- tokenprovider.go
- wsproxy.go
- wsproxy_test.go
- wsproxysdk
  - wsproxysdk.go

9 files changed

+75

-61

lines changed

`‎coderd/coderd.go‎`

Lines changed: 5 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -461,7 +461,7 @@ func New(options Options) API {`
`461`	`461`
`462`	`462`	`ifoptions.OIDCConvertKeyCache==nil {`
`463`	`463`	`options.OIDCConvertKeyCache,err=cryptokeys.NewSigningCache(ctx,`
`464`		`-options.Logger,`
	`464`	`+options.Logger.Named("oidc_convert_keycache"),`
`465`	`465`	`fetcher,`
`466`	`466`	`codersdk.CryptoKeyFeatureOIDCConvert,`
`467`	`467`	`)`
`@@ -470,7 +470,7 @@ func New(options Options) API {`
`470`	`470`
`471`	`471`	`ifoptions.AppSigningKeyCache==nil {`
`472`	`472`	`options.AppSigningKeyCache,err=cryptokeys.NewSigningCache(ctx,`
`473`		`-options.Logger,`
	`473`	`+options.Logger.Named("app_signing_keycache"),`
`474`	`474`	`fetcher,`
`475`	`475`	`codersdk.CryptoKeyFeatureWorkspaceAppsToken,`
`476`	`476`	`)`
`@@ -683,10 +683,9 @@ func New(options Options) API {`
`683`	`683`	`AgentProvider:api.agentProvider,`
`684`	`684`	`StatsCollector:workspaceapps.NewStatsCollector(options.WorkspaceAppsStatsCollectorOptions),`
`685`	`685`
`686`		`-DisablePathApps:options.DeploymentValues.DisablePathApps.Value(),`
`687`		`-SecureAuthCookie:options.DeploymentValues.SecureAuthCookie.Value(),`
`688`		`-Signer:options.AppSigningKeyCache,`
`689`		`-EncryptingKeyManager:options.AppEncryptionKeyCache,`
	`686`	`+DisablePathApps:options.DeploymentValues.DisablePathApps.Value(),`
	`687`	`+SecureAuthCookie:options.DeploymentValues.SecureAuthCookie.Value(),`
	`688`	`+APIKeyEncryptionKey:options.AppEncryptionKeyCache,`
`690`	`689`	`}`
`691`	`690`
`692`	`691`	`apiKeyMiddleware:=httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{`

`‎coderd/cryptokeys/cache.go‎`

Lines changed: 16 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`	`"cdr.dev/slog"`
`15`	`15`	`"github.com/coder/coder/v2/coderd/database"`
`16`	`16`	`"github.com/coder/coder/v2/coderd/database/db2sdk"`
	`17`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
`17`	`18`	`"github.com/coder/coder/v2/codersdk"`
`18`	`19`	`"github.com/coder/quartz"`
`19`	`20`	`)`
`@@ -77,12 +78,12 @@ func (d *DBFetcher) Fetch(ctx context.Context, feature codersdk.CryptoKeyFeature`
`77`	`78`
`78`	`79`	`// cache implements the caching functionality for both signing and encryption keys.`
`79`	`80`	`typecachestruct {`
`80`		`-clock quartz.Clock`
`81`		`-refreshCtxcontext.Context`
`82`		`-refreshCancel context.CancelFunc`
`83`		`-fetcherFetcher`
`84`		`-loggerslog.Logger`
`85`		`-featurecodersdk.CryptoKeyFeature`
	`81`	`+ctxcontext.Context`
	`82`	`+cancelcontext.CancelFunc`
	`83`	`+clock quartz.Clock`
	`84`	`+fetcherFetcher`
	`85`	`+logger slog.Logger`
	`86`	`+feature codersdk.CryptoKeyFeature`
`86`	`87`
`87`	`88`	`mu sync.Mutex`
`88`	`89`	`keysmap[int32]codersdk.CryptoKey`
`@@ -136,12 +137,13 @@ func newCache(ctx context.Context, logger slog.Logger, fetcher Fetcher, feature`
`136`	`137`	`}`
`137`	`138`
`138`	`139`	`cache.cond=sync.NewCond(&cache.mu)`
`139`		`-cache.refreshCtx,cache.refreshCancel=context.WithCancel(ctx)`
	`140`	`+//nolint:gocritic // We need to be able to read the keys in order to cache them.`
	`141`	`+cache.ctx,cache.cancel=context.WithCancel(dbauthz.AsKeyReader(ctx))`
`140`	`142`	`cache.refresher=cache.clock.AfterFunc(refreshInterval,cache.refresh)`
`141`	`143`
`142`		`-keys,err:=cache.cryptoKeys(ctx)`
	`144`	`+keys,err:=cache.cryptoKeys(cache.ctx)`
`143`	`145`	`iferr!=nil {`
`144`		`-cache.refreshCancel()`
	`146`	`+cache.cancel()`
`145`	`147`	`returnnil,xerrors.Errorf("initial fetch: %w",err)`
`146`	`148`	`}`
`147`	`149`	`cache.keys=keys`
`@@ -205,7 +207,7 @@ func isEncryptionKeyFeature(feature codersdk.CryptoKeyFeature) bool {`
`205`	`207`
`206`	`208`	`funcisSigningKeyFeature(feature codersdk.CryptoKeyFeature)bool {`
`207`	`209`	`switchfeature {`
`208`		`-casecodersdk.CryptoKeyFeatureTailnetResume,codersdk.CryptoKeyFeatureOIDCConvert:`
	`210`	`+casecodersdk.CryptoKeyFeatureTailnetResume,codersdk.CryptoKeyFeatureOIDCConvert,codersdk.CryptoKeyFeatureWorkspaceAppsToken:`
`209`	`211`	`returntrue`
`210`	`212`	`default:`
`211`	`213`	`returnfalse`
`@@ -315,9 +317,9 @@ func (c *cache) refresh() {`
`315`	`317`	`c.fetching=true`
`316`	`318`
`317`	`319`	`c.mu.Unlock()`
`318`		`-keys,err:=c.cryptoKeys(c.refreshCtx)`
	`320`	`+keys,err:=c.cryptoKeys(c.ctx)`
`319`	`321`	`iferr!=nil {`
`320`		`-c.logger.Error(c.refreshCtx,"fetch crypto keys",slog.Error(err))`
	`322`	`+c.logger.Error(c.ctx,"fetch crypto keys",slog.Error(err))`
`321`	`323`	`return`
`322`	`324`	`}`
`323`	`325`
`@@ -336,7 +338,7 @@ func (c *cache) refresh() {`
`336`	`338`	`func (c*cache)cryptoKeys(ctx context.Context) (map[int32]codersdk.CryptoKey,error) {`
`337`	`339`	`keys,err:=c.fetcher.Fetch(ctx,c.feature)`
`338`	`340`	`iferr!=nil {`
`339`		`-returnnil,xerrors.Errorf("crypto keys: %w",err)`
	`341`	`+returnnil,xerrors.Errorf("fetch: %w",err)`
`340`	`342`	`}`
`341`	`343`	`cache:=toKeyMap(keys,c.clock.Now())`
`342`	`344`	`returncache,nil`
`@@ -363,7 +365,7 @@ func (c *cache) Close() error {`
`363`	`365`	`}`
`364`	`366`
`365`	`367`	`c.closed=true`
`366`		`-c.refreshCancel()`
	`368`	`+c.cancel()`
`367`	`369`	`c.refresher.Stop()`
`368`	`370`	`c.cond.Broadcast()`
`369`	`371`

`‎coderd/userauth.go‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,9 @@ func (api API) postConvertLoginType(rw http.ResponseWriter, r http.Request) {`
`167`	`167`	`ToLoginType:req.ToType,`
`168`	`168`	`}`
`169`	`169`
`170`		`-token,err:=jwtutils.Sign(dbauthz.AsKeyRotator(ctx),api.OIDCConvertKeyCache,claims)`
	`170`	`+//nolint:gocritic // We need to read the system signing key`
	`171`	`+// in order to sign the token.`
	`172`	`+token,err:=jwtutils.Sign(dbauthz.AsKeyReader(ctx),api.OIDCConvertKeyCache,claims)`
`171`	`173`	`iferr!=nil {`
`172`	`174`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`173`	`175`	`Message:"Internal error signing state jwt.",`
`@@ -1676,7 +1678,10 @@ func (api API) convertUserToOauth(ctx context.Context, r http.Request, db data`
`1676`	`1678`	`}`
`1677`	`1679`	`}`
`1678`	`1680`	`varclaimsOAuthConvertStateClaims`
`1679`		`-err=jwtutils.Verify(dbauthz.AsKeyRotator(ctx),api.OIDCConvertKeyCache,jwtCookie.Value,&claims)`
	`1681`	`+`
	`1682`	`+//nolint:gocritic // We need to read the system signing key`
	`1683`	`+// in order to verify the token.`
	`1684`	`+err=jwtutils.Verify(dbauthz.AsKeyReader(ctx),api.OIDCConvertKeyCache,jwtCookie.Value,&claims)`
`1680`	`1685`	`ifxerrors.Is(err,cryptokeys.ErrKeyNotFound)\|\|xerrors.Is(err,cryptokeys.ErrKeyInvalid)\|\|xerrors.Is(err,jose.ErrCryptoFailure) {`
`1681`	`1686`	`// These errors are probably because the user is mixing 2 coder deployments.`
`1682`	`1687`	`return database.User{}, idpsync.HTTPError{`

`‎coderd/workspaceapps/proxy.go‎`

Lines changed: 3 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -100,9 +100,8 @@ type Server struct {`
`100`	`100`	`HostnameRegex*regexp.Regexp`
`101`	`101`	`RealIPConfig*httpmw.RealIPConfig`
`102`	`102`
`103`		`-SignedTokenProviderSignedTokenProvider`
`104`		`-Signer jwtutils.SigningKeyManager`
`105`		`-EncryptingKeyManager jwtutils.EncryptingKeyManager`
	`103`	`+SignedTokenProviderSignedTokenProvider`
	`104`	`+APIKeyEncryptionKey jwtutils.EncryptingKeyManager`
`106`	`105`
`107`	`106`	`// DisablePathApps disables path-based apps. This is a security feature as path`
`108`	`107`	`// based apps share the same cookie as the dashboard, and are susceptible to XSS`
`@@ -181,7 +180,7 @@ func (s Server) handleAPIKeySmuggling(rw http.ResponseWriter, r http.Request,`
`181`	`180`
`182`	`181`	`// Exchange the encoded API key for a real one.`
`183`	`182`	`varpayloadEncryptedAPIKeyPayload`
`184`		`-err:=jwtutils.Decrypt(ctx,s.EncryptingKeyManager,encryptedAPIKey,&payload,jwtutils.WithDecryptExpected(jwt.Expected{`
	`183`	`+err:=jwtutils.Decrypt(ctx,s.APIKeyEncryptionKey,encryptedAPIKey,&payload,jwtutils.WithDecryptExpected(jwt.Expected{`
`185`	`184`	`Time:time.Now(),`
`186`	`185`	`}))`
`187`	`186`	`iferr!=nil {`

`‎coderd/workspaceapps/token.go‎`

Lines changed: 0 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,19 +5,13 @@ import (`
`5`	`5`	`"strings"`
`6`	`6`	`"time"`
`7`	`7`
`8`		`-"github.com/go-jose/go-jose/v4"`
`9`	`8`	`"github.com/go-jose/go-jose/v4/jwt"`
`10`	`9`	`"github.com/google/uuid"`
`11`	`10`
`12`	`11`	`"github.com/coder/coder/v2/coderd/jwtutils"`
`13`	`12`	`"github.com/coder/coder/v2/codersdk"`
`14`	`13`	`)`
`15`	`14`
`16`		`-const (`
`17`		`-tokenSigningAlgorithm=jose.HS512`
`18`		`-apiKeyEncryptionAlgorithm=jose.A256GCMKW`
`19`		`-)`
`20`		`-`
`21`	`15`	`// SignedToken is the struct data contained inside a workspace app JWE. It`
`22`	`16`	`// contains the details of the workspace app that the token is valid for to`
`23`	`17`	`// avoid database queries.`

`‎enterprise/wsproxy/tokenprovider.go‎`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,14 +19,14 @@ type TokenProvider struct {`
`19`	`19`	`AccessURL*url.URL`
`20`	`20`	`AppHostnamestring`
`21`	`21`
`22`		`-Client*wsproxysdk.Client`
`23`		`-SigningKey jwtutils.SigningKeyManager`
`24`		`-EncryptingKey jwtutils.EncryptingKeyManager`
`25`		`-Logger slog.Logger`
	`22`	`+Client*wsproxysdk.Client`
	`23`	`+TokenSigningKey jwtutils.SigningKeyManager`
	`24`	`+APIKeyEncryptionKey jwtutils.EncryptingKeyManager`
	`25`	`+Loggerslog.Logger`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`func (pTokenProvider)FromRequest(rhttp.Request) (*workspaceapps.SignedToken,bool) {`
`29`		`-returnworkspaceapps.FromRequest(r,p.SigningKey)`
	`29`	`+returnworkspaceapps.FromRequest(r,p.TokenSigningKey)`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`func (pTokenProvider)Issue(ctx context.Context,rw http.ResponseWriter,rhttp.Request,issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken,string,bool) {`
`@@ -45,7 +45,7 @@ func (p TokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r ht`
`45`	`45`
`46`	`46`	`// Check that it verifies properly and matches the string.`
`47`	`47`	`vartoken workspaceapps.SignedToken`
`48`		`-err=jwtutils.Verify(ctx,p.SigningKey,resp.SignedTokenStr,&token)`
	`48`	`+err=jwtutils.Verify(ctx,p.TokenSigningKey,resp.SignedTokenStr,&token)`
`49`	`49`	`iferr!=nil {`
`50`	`50`	`workspaceapps.WriteWorkspaceApp500(p.Logger,p.DashboardURL,rw,r,&appReq,err,"failed to verify newly generated signed token")`
`51`	`51`	`returnnil,"",false`

`‎enterprise/wsproxy/wsproxy.go‎`

Lines changed: 31 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -131,8 +131,12 @@ type Server struct {`
`131`	`131`	`// the moon's token.`
`132`	`132`	`SDKClient*wsproxysdk.Client`
`133`	`133`
`134`		`-WorkspaceAppsEncryptionKeycache cryptokeys.EncryptionKeycache`
`135`		`-WorkspaceAppsSigningKeycache cryptokeys.SigningKeycache`
	`134`	`+// apiKeyEncryptionKeycache manages the encryption keys for smuggling API`
	`135`	`+// tokens to the alternate domain when using workspace apps.`
	`136`	`+apiKeyEncryptionKeycache cryptokeys.EncryptionKeycache`
	`137`	`+// appTokenSigningKeycache manages the signing keys for signing the app`
	`138`	`+// tokens we use for workspace apps.`
	`139`	`+appTokenSigningKeycache cryptokeys.SigningKeycache`
`136`	`140`
`137`	`141`	`// DERP`
`138`	`142`	`derpMesh*derpmesh.Mesh`
`@@ -206,6 +210,7 @@ func New(ctx context.Context, opts Options) (Server, error) {`
`206`	`210`	`codersdk.CryptoKeyFeatureWorkspaceAppsAPIKey,`
`207`	`211`	`)`
`208`	`212`	`iferr!=nil {`
	`213`	`+cancel()`
`209`	`214`	`returnnil,xerrors.Errorf("create api key encryption cache: %w",err)`
`210`	`215`	`}`
`211`	`216`	`signingCache,err:=cryptokeys.NewSigningCache(ctx,`
`@@ -214,6 +219,7 @@ func New(ctx context.Context, opts Options) (Server, error) {`
`214`	`219`	`codersdk.CryptoKeyFeatureWorkspaceAppsToken,`
`215`	`220`	`)`
`216`	`221`	`iferr!=nil {`
	`222`	`+cancel()`
`217`	`223`	`returnnil,xerrors.Errorf("create api token signing cache: %w",err)`
`218`	`224`	`}`
`219`	`225`
`@@ -222,15 +228,17 @@ func New(ctx context.Context, opts Options) (Server, error) {`
`222`	`228`	`ctx:ctx,`
`223`	`229`	`cancel:cancel,`
`224`	`230`
`225`		`-Options:opts,`
`226`		`-Handler:r,`
`227`		`-DashboardURL:opts.DashboardURL,`
`228`		`-Logger:opts.Logger.Named("net.workspace-proxy"),`
`229`		`-TracerProvider:opts.Tracing,`
`230`		`-PrometheusRegistry:opts.PrometheusRegistry,`
`231`		`-SDKClient:client,`
`232`		`-derpMesh:derpmesh.New(opts.Logger.Named("net.derpmesh"),derpServer,meshTLSConfig),`
`233`		`-derpMeshTLSConfig:meshTLSConfig,`
	`231`	`+Options:opts,`
	`232`	`+Handler:r,`
	`233`	`+DashboardURL:opts.DashboardURL,`
	`234`	`+Logger:opts.Logger.Named("net.workspace-proxy"),`
	`235`	`+TracerProvider:opts.Tracing,`
	`236`	`+PrometheusRegistry:opts.PrometheusRegistry,`
	`237`	`+SDKClient:client,`
	`238`	`+derpMesh:derpmesh.New(opts.Logger.Named("net.derpmesh"),derpServer,meshTLSConfig),`
	`239`	`+derpMeshTLSConfig:meshTLSConfig,`
	`240`	`+apiKeyEncryptionKeycache:encryptionCache,`
	`241`	`+appTokenSigningKeycache:signingCache,`
`234`	`242`	`}`
`235`	`243`
`236`	`244`	`// Register the workspace proxy with the primary coderd instance and start a`
`@@ -295,20 +303,21 @@ func New(ctx context.Context, opts Options) (Server, error) {`
`295`	`303`	`HostnameRegex:opts.AppHostnameRegex,`
`296`	`304`	`RealIPConfig:opts.RealIPConfig,`
`297`	`305`	`SignedTokenProvider:&TokenProvider{`
`298`		`-DashboardURL:opts.DashboardURL,`
`299`		`-AccessURL:opts.AccessURL,`
`300`		`-AppHostname:opts.AppHostname,`
`301`		`-Client:client,`
`302`		`-SigningKey:signingCache,`
`303`		`-EncryptingKey:encryptionCache,`
`304`		`-Logger:s.Logger.Named("proxy_token_provider"),`
	`306`	`+DashboardURL:opts.DashboardURL,`
	`307`	`+AccessURL:opts.AccessURL,`
	`308`	`+AppHostname:opts.AppHostname,`
	`309`	`+Client:client,`
	`310`	`+TokenSigningKey:signingCache,`
	`311`	`+APIKeyEncryptionKey:encryptionCache,`
	`312`	`+Logger:s.Logger.Named("proxy_token_provider"),`
`305`	`313`	`},`
`306`	`314`
`307`	`315`	`DisablePathApps:opts.DisablePathApps,`
`308`	`316`	`SecureAuthCookie:opts.SecureAuthCookie,`
`309`	`317`
`310`		`-AgentProvider:agentProvider,`
`311`		`-StatsCollector:workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),`
	`318`	`+AgentProvider:agentProvider,`
	`319`	`+StatsCollector:workspaceapps.NewStatsCollector(opts.StatsCollectorOptions),`
	`320`	`+APIKeyEncryptionKey:encryptionCache,`
`312`	`321`	`}`
`313`	`322`
`314`	`323`	`derpHandler:=derphttp.Handler(derpServer)`
`@@ -451,8 +460,8 @@ func (s *Server) Close() error {`
`451`	`460`	`err=multierror.Append(err,agentProviderErr)`
`452`	`461`	`}`
`453`	`462`	`s.SDKClient.SDKClient.HTTPClient.CloseIdleConnections()`
`454`		`-_=s.WorkspaceAppsSigningKeycache.Close()`
`455`		`-_=s.WorkspaceAppsEncryptionKeycache.Close()`
	`463`	`+_=s.appTokenSigningKeycache.Close()`
	`464`	`+_=s.apiKeyEncryptionKeycache.Close()`
`456`	`465`	`returnerr`
`457`	`466`	`}`
`458`	`467`

`‎enterprise/wsproxy/wsproxy_test.go‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"net/http"`
`9`	`9`	`"net/http/httptest"`
`10`	`10`	`"net/url"`
	`11`	`+"runtime/debug"`
`11`	`12`	`"testing"`
`12`	`13`	`"time"`
`13`	`14`
`@@ -321,6 +322,11 @@ resourceLoop:`
`321`	`322`
`322`	`323`	`funcTestDERPEndToEnd(t*testing.T) {`
`323`	`324`	`t.Parallel()`
	`325`	`+deferfunc() {`
	`326`	`+ifr:=recover();r!=nil {`
	`327`	`+debug.PrintStack()`
	`328`	`+}`
	`329`	`+}()`
`324`	`330`
`325`	`331`	`deploymentValues:=coderdtest.DeploymentValues(t)`
`326`	`332`	`deploymentValues.Experiments= []string{`

`‎enterprise/wsproxy/wsproxysdk/wsproxysdk.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -581,7 +581,7 @@ type CryptoKeysResponse struct {`
`581`	`581`
`582`	`582`	`func (c*Client)CryptoKeys(ctx context.Context,feature codersdk.CryptoKeyFeature) (CryptoKeysResponse,error) {`
`583`	`583`	`res,err:=c.Request(ctx,http.MethodGet,`
`584`		`-"/api/v2/workspaceproxies/me/crypto-keys",`
	`584`	`+"/api/v2/workspaceproxies/me/crypto-keys",nil,`
`585`	`585`	`codersdk.WithQueryParam("feature",string(feature)),`
`586`	`586`	`)`
`587`	`587`	`iferr!=nil {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7557ed2

File tree

9 files changed

9 files changed

`‎coderd/coderd.go‎`

`‎coderd/cryptokeys/cache.go‎`

`‎coderd/userauth.go‎`

`‎coderd/workspaceapps/proxy.go‎`

`‎coderd/workspaceapps/token.go‎`

`‎enterprise/wsproxy/tokenprovider.go‎`

`‎enterprise/wsproxy/wsproxy.go‎`

`‎enterprise/wsproxy/wsproxy_test.go‎`

`‎enterprise/wsproxy/wsproxysdk/wsproxysdk.go‎`

0 commit comments