NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit9e8200b

committed

Add secret prefix column and query to get token

This will be used as an ID that we can prefix into the secretsthemselves. This is so we can salt the hashed secrets.The token query is for implementing the refresh flow.

1 parentd1a2111 commit9e8200bCopy full SHA for 9e8200b

File tree

15 files changed

+320

-196

lines changed

coderd/database
- dbauthz
  - dbauthz.go
  - dbauthz_test.go
- dbgen
  - dbgen.go
- dbmem
  - dbmem.go
- dbmetrics
  - dbmetrics.go
- dbmock
  - dbmock.go
- dump.sql
- migrations
  - 000189_oauth2_provider_codes.down.sql
  - 000189_oauth2_provider_codes.up.sql
- models.go
- querier.go
- queries
  - oauth2.sql
- queries.sql.go
- unique_constraint.go
enterprise/coderd
- oauth2.go

15 files changed

+320

-196

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 22 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1202,16 +1202,12 @@ func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (d`
`1202`	`1202`	`returnq.db.GetOAuth2ProviderAppByID(ctx,id)`
`1203`	`1203`	`}`
`1204`	`1204`
`1205`		`-func (q*querier)GetOAuth2ProviderAppCodeByAppIDAndSecret(ctx context.Context,arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode,error) {`
`1206`		`-returnfetch(q.log,q.auth,q.db.GetOAuth2ProviderAppCodeByAppIDAndSecret)(ctx,arg)`
`1207`		`-}`
`1208`		`-`
`1209`	`1205`	`func (q*querier)GetOAuth2ProviderAppCodeByID(ctx context.Context,id uuid.UUID) (database.OAuth2ProviderAppCode,error) {`
`1210`	`1206`	`returnfetch(q.log,q.auth,q.db.GetOAuth2ProviderAppCodeByID)(ctx,id)`
`1211`	`1207`	`}`
`1212`	`1208`
`1213`		`-func (q*querier)GetOAuth2ProviderAppSecretByAppIDAndSecret(ctx context.Context,arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret,error) {`
`1214`		`-returnfetch(q.log,q.auth,q.db.GetOAuth2ProviderAppSecretByAppIDAndSecret)(ctx,arg)`
	`1209`	`+func (q*querier)GetOAuth2ProviderAppCodeByPrefix(ctx context.Context,secretPrefix []byte) (database.OAuth2ProviderAppCode,error) {`
	`1210`	`+returnfetch(q.log,q.auth,q.db.GetOAuth2ProviderAppCodeByPrefix)(ctx,secretPrefix)`
`1215`	`1211`	`}`
`1216`	`1212`
`1217`	`1213`	`func (q*querier)GetOAuth2ProviderAppSecretByID(ctx context.Context,id uuid.UUID) (database.OAuth2ProviderAppSecret,error) {`
`@@ -1221,13 +1217,33 @@ func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UU`
`1221`	`1217`	`returnq.db.GetOAuth2ProviderAppSecretByID(ctx,id)`
`1222`	`1218`	`}`
`1223`	`1219`
	`1220`	`+func (q*querier)GetOAuth2ProviderAppSecretByPrefix(ctx context.Context,secretPrefix []byte) (database.OAuth2ProviderAppSecret,error) {`
	`1221`	`+returnfetch(q.log,q.auth,q.db.GetOAuth2ProviderAppSecretByPrefix)(ctx,secretPrefix)`
	`1222`	`+}`
	`1223`	`+`
`1224`	`1224`	`func (q*querier)GetOAuth2ProviderAppSecretsByAppID(ctx context.Context,appID uuid.UUID) ([]database.OAuth2ProviderAppSecret,error) {`
`1225`	`1225`	`iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {`
`1226`	`1226`	`return []database.OAuth2ProviderAppSecret{},err`
`1227`	`1227`	`}`
`1228`	`1228`	`returnq.db.GetOAuth2ProviderAppSecretsByAppID(ctx,appID)`
`1229`	`1229`	`}`
`1230`	`1230`
	`1231`	`+func (q*querier)GetOAuth2ProviderAppTokenByPrefix(ctx context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {`
	`1232`	`+token,err:=q.db.GetOAuth2ProviderAppTokenByPrefix(ctx,hashPrefix)`
	`1233`	`+iferr!=nil {`
	`1234`	`+return database.OAuth2ProviderAppToken{},err`
	`1235`	`+}`
	`1236`	`+// The user ID is on the API key so that has to be fetched.`
	`1237`	`+key,err:=q.db.GetAPIKeyByID(ctx,token.APIKeyID)`
	`1238`	`+iferr!=nil {`
	`1239`	`+return database.OAuth2ProviderAppToken{},err`
	`1240`	`+}`
	`1241`	`+iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String()));err!=nil {`
	`1242`	`+return database.OAuth2ProviderAppToken{},err`
	`1243`	`+}`
	`1244`	`+returntoken,nil`
	`1245`	`+}`
	`1246`	`+`
`1231`	`1247`	`func (q*querier)GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp,error) {`
`1232`	`1248`	`iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceOAuth2ProviderApp);err!=nil {`
`1233`	`1249`	`return []database.OAuth2ProviderApp{},err`

`‎coderd/database/dbauthz/dbauthz_test.go`

Lines changed: 19 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -2352,15 +2352,12 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppSecrets() {`
`2352`	`2352`	`})`
`2353`	`2353`	`check.Args(secret.ID).Asserts(rbac.ResourceOAuth2ProviderAppSecret,rbac.ActionRead).Returns(secret)`
`2354`	`2354`	`}))`
`2355`		`-s.Run("GetOAuth2ProviderAppSecretByAppIDAndSecret",s.Subtest(func(db database.Store,check*expects) {`
	`2355`	`+s.Run("GetOAuth2ProviderAppSecretByPrefix",s.Subtest(func(db database.Store,check*expects) {`
`2356`	`2356`	`app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})`
`2357`	`2357`	`secret:=dbgen.OAuth2ProviderAppSecret(s.T(),db, database.OAuth2ProviderAppSecret{`
`2358`	`2358`	`AppID:app.ID,`
`2359`	`2359`	`})`
`2360`		`-check.Args(database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{`
`2361`		`-AppID:app.ID,`
`2362`		`-HashedSecret:secret.HashedSecret,`
`2363`		`-}).Asserts(rbac.ResourceOAuth2ProviderAppSecret,rbac.ActionRead).Returns(secret)`
	`2360`	`+check.Args(secret.SecretPrefix).Asserts(rbac.ResourceOAuth2ProviderAppSecret,rbac.ActionRead).Returns(secret)`
`2364`	`2361`	`}))`
`2365`	`2362`	`s.Run("InsertOAuth2ProviderAppSecret",s.Subtest(func(db database.Store,check*expects) {`
`2366`	`2363`	`app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})`
`@@ -2398,17 +2395,14 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {`
`2398`	`2395`	`})`
`2399`	`2396`	`check.Args(code.ID).Asserts(code,rbac.ActionRead).Returns(code)`
`2400`	`2397`	`}))`
`2401`		`-s.Run("GetOAuth2ProviderAppCodeByAppIDAndSecret",s.Subtest(func(db database.Store,check*expects) {`
	`2398`	`+s.Run("GetOAuth2ProviderAppCodeByPrefix",s.Subtest(func(db database.Store,check*expects) {`
`2402`	`2399`	`user:=dbgen.User(s.T(),db, database.User{})`
`2403`	`2400`	`app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})`
`2404`	`2401`	`code:=dbgen.OAuth2ProviderAppCode(s.T(),db, database.OAuth2ProviderAppCode{`
`2405`	`2402`	`AppID:app.ID,`
`2406`	`2403`	`UserID:user.ID,`
`2407`	`2404`	`})`
`2408`		`-check.Args(database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{`
`2409`		`-AppID:app.ID,`
`2410`		`-HashedSecret:code.HashedSecret,`
`2411`		`-}).Asserts(code,rbac.ActionRead).Returns(code)`
	`2405`	`+check.Args(code.SecretPrefix).Asserts(code,rbac.ActionRead).Returns(code)`
`2412`	`2406`	`}))`
`2413`	`2407`	`s.Run("InsertOAuth2ProviderAppCode",s.Subtest(func(db database.Store,check*expects) {`
`2414`	`2408`	`user:=dbgen.User(s.T(),db, database.User{})`
`@@ -2458,6 +2452,21 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {`
`2458`	`2452`	`APIKeyID:key.ID,`
`2459`	`2453`	`}).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()),rbac.ActionCreate)`
`2460`	`2454`	`}))`
	`2455`	`+s.Run("GetOAuth2ProviderAppTokenByPrefix",s.Subtest(func(db database.Store,check*expects) {`
	`2456`	`+user:=dbgen.User(s.T(),db, database.User{})`
	`2457`	`+key,_:=dbgen.APIKey(s.T(),db, database.APIKey{`
	`2458`	`+UserID:user.ID,`
	`2459`	`+})`
	`2460`	`+app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})`
	`2461`	`+secret:=dbgen.OAuth2ProviderAppSecret(s.T(),db, database.OAuth2ProviderAppSecret{`
	`2462`	`+AppID:app.ID,`
	`2463`	`+})`
	`2464`	`+token:=dbgen.OAuth2ProviderAppToken(s.T(),db, database.OAuth2ProviderAppToken{`
	`2465`	`+AppSecretID:secret.ID,`
	`2466`	`+APIKeyID:key.ID,`
	`2467`	`+})`
	`2468`	`+check.Args(token.HashPrefix).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()),rbac.ActionRead)`
	`2469`	`+}))`
`2461`	`2470`	`s.Run("DeleteOAuth2ProviderAppTokensByAppAndUserID",s.Subtest(func(db database.Store,check*expects) {`
`2462`	`2471`	`user:=dbgen.User(s.T(),db, database.User{})`
`2463`	`2472`	`key,_:=dbgen.APIKey(s.T(),db, database.APIKey{`

`‎coderd/database/dbgen/dbgen.go`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -696,6 +696,7 @@ func OAuth2ProviderAppSecret(t testing.TB, db database.Store, seed database.OAut`
`696`	`696`	`app,err:=db.InsertOAuth2ProviderAppSecret(genCtx, database.InsertOAuth2ProviderAppSecretParams{`
`697`	`697`	`ID:takeFirst(seed.ID,uuid.New()),`
`698`	`698`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
	`699`	`+SecretPrefix:takeFirstSlice(seed.SecretPrefix, []byte("prefix")),`
`699`	`700`	`HashedSecret:takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),`
`700`	`701`	`DisplaySecret:takeFirst(seed.DisplaySecret,"secret"),`
`701`	`702`	`AppID:takeFirst(seed.AppID,uuid.New()),`
`@@ -709,6 +710,7 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2`
`709`	`710`	`ID:takeFirst(seed.ID,uuid.New()),`
`710`	`711`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
`711`	`712`	`ExpiresAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
	`713`	`+SecretPrefix:takeFirstSlice(seed.SecretPrefix, []byte("prefix")),`
`712`	`714`	`HashedSecret:takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),`
`713`	`715`	`AppID:takeFirst(seed.AppID,uuid.New()),`
`714`	`716`	`UserID:takeFirst(seed.UserID,uuid.New()),`
`@@ -722,6 +724,7 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth`
`722`	`724`	`ID:takeFirst(seed.ID,uuid.New()),`
`723`	`725`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
`724`	`726`	`ExpiresAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
	`727`	`+HashPrefix:takeFirstSlice(seed.HashPrefix, []byte("prefix")),`
`725`	`728`	`RefreshHash:takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),`
`726`	`729`	`AppSecretID:takeFirst(seed.AppSecretID,uuid.New()),`
`727`	`730`	`APIKeyID:takeFirst(seed.APIKeyID,uuid.New().String()),`

`‎coderd/database/dbmem/dbmem.go`

Lines changed: 24 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -2242,58 +2242,48 @@ func (q *FakeQuerier) GetOAuth2ProviderAppByID(_ context.Context, id uuid.UUID)`
`2242`	`2242`	`return database.OAuth2ProviderApp{},sql.ErrNoRows`
`2243`	`2243`	`}`
`2244`	`2244`
`2245`		`-func (q*FakeQuerier)GetOAuth2ProviderAppCodeByAppIDAndSecret(_ context.Context,arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode,error) {`
`2246`		`-err:=validateDatabaseType(arg)`
`2247`		`-iferr!=nil {`
`2248`		`-return database.OAuth2ProviderAppCode{},err`
`2249`		`-}`
`2250`		`-`
	`2245`	`+func (q*FakeQuerier)GetOAuth2ProviderAppCodeByID(_ context.Context,id uuid.UUID) (database.OAuth2ProviderAppCode,error) {`
`2251`	`2246`	`q.mutex.Lock()`
`2252`	`2247`	`deferq.mutex.Unlock()`
`2253`	`2248`
`2254`	`2249`	`for_,code:=rangeq.oauth2ProviderAppCodes {`
`2255`		`-ifbytes.Equal(code.HashedSecret,arg.HashedSecret)&&code.AppID==arg.AppID {`
	`2250`	`+ifcode.ID==id {`
`2256`	`2251`	`returncode,nil`
`2257`	`2252`	`}`
`2258`	`2253`	`}`
`2259`	`2254`	`return database.OAuth2ProviderAppCode{},sql.ErrNoRows`
`2260`	`2255`	`}`
`2261`	`2256`
`2262`		`-func (q*FakeQuerier)GetOAuth2ProviderAppCodeByID(_ context.Context,id uuid.UUID) (database.OAuth2ProviderAppCode,error) {`
	`2257`	`+func (q*FakeQuerier)GetOAuth2ProviderAppCodeByPrefix(_ context.Context,secretPrefix []byte) (database.OAuth2ProviderAppCode,error) {`
`2263`	`2258`	`q.mutex.Lock()`
`2264`	`2259`	`deferq.mutex.Unlock()`
`2265`	`2260`
`2266`	`2261`	`for_,code:=rangeq.oauth2ProviderAppCodes {`
`2267`		`-ifcode.ID==id {`
	`2262`	`+ifbytes.Equal(code.SecretPrefix,secretPrefix) {`
`2268`	`2263`	`returncode,nil`
`2269`	`2264`	`}`
`2270`	`2265`	`}`
`2271`	`2266`	`return database.OAuth2ProviderAppCode{},sql.ErrNoRows`
`2272`	`2267`	`}`
`2273`	`2268`
`2274`		`-func (q*FakeQuerier)GetOAuth2ProviderAppSecretByAppIDAndSecret(_ context.Context,arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret,error) {`
`2275`		`-err:=validateDatabaseType(arg)`
`2276`		`-iferr!=nil {`
`2277`		`-return database.OAuth2ProviderAppSecret{},err`
`2278`		`-}`
`2279`		`-`
	`2269`	`+func (q*FakeQuerier)GetOAuth2ProviderAppSecretByID(_ context.Context,id uuid.UUID) (database.OAuth2ProviderAppSecret,error) {`
`2280`	`2270`	`q.mutex.Lock()`
`2281`	`2271`	`deferq.mutex.Unlock()`
`2282`	`2272`
`2283`	`2273`	`for_,secret:=rangeq.oauth2ProviderAppSecrets {`
`2284`		`-ifsecret.AppID==arg.AppID&&bytes.Equal(secret.HashedSecret,arg.HashedSecret) {`
	`2274`	`+ifsecret.ID==id {`
`2285`	`2275`	`returnsecret,nil`
`2286`	`2276`	`}`
`2287`	`2277`	`}`
`2288`	`2278`	`return database.OAuth2ProviderAppSecret{},sql.ErrNoRows`
`2289`	`2279`	`}`
`2290`	`2280`
`2291`		`-func (q*FakeQuerier)GetOAuth2ProviderAppSecretByID(_ context.Context,id uuid.UUID) (database.OAuth2ProviderAppSecret,error) {`
	`2281`	`+func (q*FakeQuerier)GetOAuth2ProviderAppSecretByPrefix(_ context.Context,secretPrefix []byte) (database.OAuth2ProviderAppSecret,error) {`
`2292`	`2282`	`q.mutex.Lock()`
`2293`	`2283`	`deferq.mutex.Unlock()`
`2294`	`2284`
`2295`	`2285`	`for_,secret:=rangeq.oauth2ProviderAppSecrets {`
`2296`		`-ifsecret.ID==id {`
	`2286`	`+ifbytes.Equal(secret.SecretPrefix,secretPrefix) {`
`2297`	`2287`	`returnsecret,nil`
`2298`	`2288`	`}`
`2299`	`2289`	`}`
`@@ -2328,6 +2318,18 @@ func (q *FakeQuerier) GetOAuth2ProviderAppSecretsByAppID(_ context.Context, appI`
`2328`	`2318`	`return []database.OAuth2ProviderAppSecret{},sql.ErrNoRows`
`2329`	`2319`	`}`
`2330`	`2320`
	`2321`	`+func (q*FakeQuerier)GetOAuth2ProviderAppTokenByPrefix(_ context.Context,hashPrefix []byte) (database.OAuth2ProviderAppToken,error) {`
	`2322`	`+q.mutex.Lock()`
	`2323`	`+deferq.mutex.Unlock()`
	`2324`	`+`
	`2325`	`+for_,token:=rangeq.oauth2ProviderAppTokens {`
	`2326`	`+ifbytes.Equal(token.HashPrefix,hashPrefix) {`
	`2327`	`+returntoken,nil`
	`2328`	`+}`
	`2329`	`+}`
	`2330`	`+return database.OAuth2ProviderAppToken{},sql.ErrNoRows`
	`2331`	`+}`
	`2332`	`+`
`2331`	`2333`	`func (q*FakeQuerier)GetOAuth2ProviderApps(_ context.Context) ([]database.OAuth2ProviderApp,error) {`
`2332`	`2334`	`q.mutex.Lock()`
`2333`	`2335`	`deferq.mutex.Unlock()`
`@@ -5419,6 +5421,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppCode(_ context.Context, arg databas`
`5419`	`5421`	`ID:arg.ID,`
`5420`	`5422`	`CreatedAt:arg.CreatedAt,`
`5421`	`5423`	`ExpiresAt:arg.ExpiresAt,`
	`5424`	`+SecretPrefix:arg.SecretPrefix,`
`5422`	`5425`	`HashedSecret:arg.HashedSecret,`
`5423`	`5426`	`UserID:arg.UserID,`
`5424`	`5427`	`AppID:arg.AppID,`
`@@ -5445,6 +5448,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppSecret(_ context.Context, arg datab`
`5445`	`5448`	`secret:= database.OAuth2ProviderAppSecret{`
`5446`	`5449`	`ID:arg.ID,`
`5447`	`5450`	`CreatedAt:arg.CreatedAt,`
	`5451`	`+SecretPrefix:arg.SecretPrefix,`
`5448`	`5452`	`HashedSecret:arg.HashedSecret,`
`5449`	`5453`	`DisplaySecret:arg.DisplaySecret,`
`5450`	`5454`	`AppID:arg.AppID,`
`@@ -5473,6 +5477,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppToken(_ context.Context, arg databa`
`5473`	`5477`	`ID:arg.ID,`
`5474`	`5478`	`CreatedAt:arg.CreatedAt,`
`5475`	`5479`	`ExpiresAt:arg.ExpiresAt,`
	`5480`	`+HashPrefix:arg.HashPrefix,`
`5476`	`5481`	`RefreshHash:arg.RefreshHash,`
`5477`	`5482`	`APIKeyID:arg.APIKeyID,`
`5478`	`5483`	`AppSecretID:arg.AppSecretID,`
`@@ -6553,6 +6558,7 @@ func (q *FakeQuerier) UpdateOAuth2ProviderAppSecretByID(_ context.Context, arg d`
`6553`	`6558`	`newSecret:= database.OAuth2ProviderAppSecret{`
`6554`	`6559`	`ID:arg.ID,`
`6555`	`6560`	`CreatedAt:secret.CreatedAt,`
	`6561`	`+SecretPrefix:secret.SecretPrefix,`
`6556`	`6562`	`HashedSecret:secret.HashedSecret,`
`6557`	`6563`	`DisplaySecret:secret.DisplaySecret,`
`6558`	`6564`	`AppID:secret.AppID,`

`‎coderd/database/dbmetrics/dbmetrics.go`

Lines changed: 17 additions & 10 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9e8200b

File tree

15 files changed

15 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/dbauthz_test.go`

`‎coderd/database/dbgen/dbgen.go`

`‎coderd/database/dbmem/dbmem.go`

`‎coderd/database/dbmetrics/dbmetrics.go`

0 commit comments