NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commita50b1f0

committed

Refactor key cache management for better clarity

- Consolidates key cache handling by replacing legacy key cache references with central key caches.- Enhances modularity and maintainability by using consistent key management methods.- Removes redundant `StaticKeyManager` implementation for streamlined code.- Adjusts cryptographic key generation and cache utilization across critical components.

1 parent5567bc7 commita50b1f0Copy full SHA for a50b1f0

File tree

14 files changed

+51

-67

lines changed

coderd
- coderd.go
- coderdtest
  - coderdtest.go
- cryptokeys
  - dbkeycache.go
  - rotate.go
- jwtutils
  - jwe.go
- userauth.go
- workspaceagents_test.go
- workspaceapps.go
- workspaceapps
codersdk/workspacesdk
- connector_internal_test.go
enterprise/wsproxy
- wsproxy.go
tailnet
- resume_test.go

14 files changed

+51

-67

lines changed

`‎coderd/coderd.go‎`

Lines changed: 5 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,11 @@ type Options struct {`
`250`	`250`
`251`	`251`	`// OneTimePasscodeValidityPeriod specifies how long a one time passcode should be valid for.`
`252`	`252`	`OneTimePasscodeValidityPeriod time.Duration`
	`253`	`+`
	`254`	`+// Keycaches`
	`255`	`+AppSigningKeyCache cryptokeys.SigningKeycache`
	`256`	`+AppEncryptionKeyCache cryptokeys.EncryptionKeycache`
	`257`	`+OIDCConvertKeyCache cryptokeys.SigningKeycache`
`253`	`258`	`}`
`254`	`259`
`255`	`260`	`// @title Coder API`
`@@ -622,12 +627,6 @@ func New(options Options) API {`
`622`	`627`	`api.Logger.Fatal(api.ctx,"start key rotator",slog.Error(err))`
`623`	`628`	`}`
`624`	`629`
`625`		`-api.oauthConvertKeycache,err=cryptokeys.NewSigningCache(api.Logger.Named("oauth_convert_keycache"),api.Database,database.CryptoKeyFeatureOIDCConvert)`
`626`		`-iferr!=nil {`
`627`		`-api.Logger.Fatal(api.ctx,"failed to initialize oauth convert key cache",slog.Error(err))`
`628`		`-}`
`629`		`-api.workspaceAppsKeyCache=appEncryptingKeyCache`
`630`		`-`
`631`	`630`	`api.statsReporter=workspacestats.NewReporter(workspacestats.ReporterOptions{`
`632`	`631`	`Database:options.Database,`
`633`	`632`	`Logger:options.Logger.Named("workspacestats"),`
`@@ -1406,12 +1405,6 @@ type API struct {`
`1406`	`1405`	`// dbRolluper rolls up template usage stats from raw agent and app`
`1407`	`1406`	`// stats. This is used to provide insights in the WebUI.`
`1408`	`1407`	`dbRolluper*dbrollup.Rolluper`
`1409`		`-`
`1410`		`-// resumeTokenKeycache is used to fetch and cache keys used for signing JWTs`
`1411`		`-// oauthConvertKeycache is used to fetch and cache keys used for signing JWTs`
`1412`		`-// during OAuth conversions. See userauth.go.convertUserToOauth.`
`1413`		`-oauthConvertKeycache cryptokeys.SigningKeycache`
`1414`		`-workspaceAppsKeyCache cryptokeys.EncryptionKeycache`
`1415`	`1408`	`}`
`1416`	`1409`
`1417`	`1410`	`// Close waits for all WebSocket connections to drain before returning.`

`‎coderd/coderdtest/coderdtest.go‎`

Lines changed: 12 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ import (`
`55`	`55`	`"github.com/coder/coder/v2/coderd/audit"`
`56`	`56`	`"github.com/coder/coder/v2/coderd/autobuild"`
`57`	`57`	`"github.com/coder/coder/v2/coderd/awsidentity"`
	`58`	`+"github.com/coder/coder/v2/coderd/cryptokeys"`
`58`	`59`	`"github.com/coder/coder/v2/coderd/database"`
`59`	`60`	`"github.com/coder/coder/v2/coderd/database/db2sdk"`
`60`	`61`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`@@ -157,8 +158,7 @@ type Options struct {`
`157`	`158`	`DatabaseRolluper*dbrollup.Rolluper`
`158`	`159`	`WorkspaceUsageTrackerFlushchanint`
`159`	`160`	`WorkspaceUsageTrackerTickchan time.Time`
`160`		`-`
`161`		`-NotificationsEnqueuer notifications.Enqueuer`
	`161`	`+NotificationsEnqueuer notifications.Enqueuer`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`// New constructs a codersdk client connected to an in-memory API instance.`
`@@ -326,6 +326,13 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`326`	`326`	`}`
`327`	`327`	`auditor.Store(&options.Auditor)`
`328`	`328`
	`329`	`+oidcConvertKeyCache,err:=cryptokeys.NewSigningCache(options.Logger.Named("oidc_convert_keycache"),options.Database,database.CryptoKeyFeatureOIDCConvert)`
	`330`	`+require.NoError(t,err)`
	`331`	`+appSigningKeyCache,err:=cryptokeys.NewSigningCache(options.Logger.Named("app_signing_keycache"),options.Database,database.CryptoKeyFeatureWorkspaceAppsToken)`
	`332`	`+require.NoError(t,err)`
	`333`	`+appEncryptionKeyCache,err:=cryptokeys.NewEncryptionCache(options.Logger.Named("app_encryption_keycache"),options.Database,database.CryptoKeyFeatureWorkspaceAppsAPIKey)`
	`334`	`+require.NoError(t,err)`
	`335`	`+`
`329`	`336`	`ctx,cancelFunc:=context.WithCancel(context.Background())`
`330`	`337`	`lifecycleExecutor:=autobuild.NewExecutor(`
`331`	`338`	`ctx,`
`@@ -533,6 +540,9 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`533`	`540`	`WorkspaceUsageTracker:wuTracker,`
`534`	`541`	`NotificationsEnqueuer:options.NotificationsEnqueuer,`
`535`	`542`	`OneTimePasscodeValidityPeriod:options.OneTimePasscodeValidityPeriod,`
	`543`	`+AppSigningKeyCache:appSigningKeyCache,`
	`544`	`+AppEncryptionKeyCache:appEncryptionKeyCache,`
	`545`	`+OIDCConvertKeyCache:oidcConvertKeyCache,`
`536`	`546`	`}`
`537`	`547`	`}`
`538`	`548`

`‎coderd/cryptokeys/dbkeycache.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ func isEncryptionKeyFeature(feature database.CryptoKeyFeature) bool {`
`269`	`269`
`270`	`270`	`funcisSigningKeyFeature(feature database.CryptoKeyFeature)bool {`
`271`	`271`	`switchfeature {`
`272`		`-casedatabase.CryptoKeyFeatureTailnetResume,database.CryptoKeyFeatureOIDCConvert:`
	`272`	`+casedatabase.CryptoKeyFeatureTailnetResume,database.CryptoKeyFeatureOIDCConvert,database.CryptoKeyFeatureWorkspaceAppsToken:`
`273`	`273`	`returntrue`
`274`	`274`	`default:`
`275`	`275`	`returnfalse`

`‎coderd/cryptokeys/rotate.go‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,8 @@ func generateNewSecret(feature database.CryptoKeyFeature) (string, error) {`
`231`	`231`	`switchfeature {`
`232`	`232`	`casedatabase.CryptoKeyFeatureWorkspaceAppsAPIKey:`
`233`	`233`	`returngenerateKey(32)`
	`234`	`+casedatabase.CryptoKeyFeatureWorkspaceAppsToken:`
	`235`	`+returngenerateKey(64)`
`234`	`236`	`casedatabase.CryptoKeyFeatureOIDCConvert:`
`235`	`237`	`returngenerateKey(64)`
`236`	`238`	`casedatabase.CryptoKeyFeatureTailnetResume:`
`@@ -252,6 +254,8 @@ func tokenDuration(feature database.CryptoKeyFeature) time.Duration {`
`252`	`254`	`switchfeature {`
`253`	`255`	`casedatabase.CryptoKeyFeatureWorkspaceAppsAPIKey:`
`254`	`256`	`returnWorkspaceAppsTokenDuration`
	`257`	`+casedatabase.CryptoKeyFeatureWorkspaceAppsToken:`
	`258`	`+returnWorkspaceAppsTokenDuration`
`255`	`259`	`casedatabase.CryptoKeyFeatureOIDCConvert:`
`256`	`260`	`returnOIDCConvertTokenDuration`
`257`	`261`	`casedatabase.CryptoKeyFeatureTailnetResume:`

`‎coderd/jwtutils/jwe.go‎`

Lines changed: 0 additions & 27 deletions

Original file line number	Diff line number	Diff line change
`@@ -130,30 +130,3 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla`
`130`	`130`
`131`	`131`	`returnclaims.Validate(options.RegisteredClaims)`
`132`	`132`	`}`
`133`		`-`
`134`		`-typeStaticKeyManagerstruct {`
`135`		`-IDstring`
`136`		`-Keyinterface{}`
`137`		`-}`
`138`		`-`
`139`		`-func (sStaticKeyManager)SigningKey(_ context.Context) (string,interface{},error) {`
`140`		`-returns.ID,s.Key,nil`
`141`		`-}`
`142`		`-`
`143`		`-func (sStaticKeyManager)VerifyingKey(_ context.Context,idstring) (interface{},error) {`
`144`		`-ifid!=s.ID {`
`145`		`-returnnil,xerrors.Errorf("invalid id %q",id)`
`146`		`-}`
`147`		`-returns.Key,nil`
`148`		`-}`
`149`		`-`
`150`		`-func (sStaticKeyManager)EncryptingKey(_ context.Context) (string,interface{},error) {`
`151`		`-returns.ID,s.Key,nil`
`152`		`-}`
`153`		`-`
`154`		`-func (sStaticKeyManager)DecryptingKey(_ context.Context,idstring) (interface{},error) {`
`155`		`-ifid!=s.ID {`
`156`		`-returnnil,xerrors.Errorf("invalid id %q",id)`
`157`		`-}`
`158`		`-returns.Key,nil`
`159`		`-}`

`‎coderd/userauth.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ func (api API) postConvertLoginType(rw http.ResponseWriter, r http.Request) {`
`167`	`167`	`ToLoginType:req.ToType,`
`168`	`168`	`}`
`169`	`169`
`170`		`-token,err:=jwtutils.Sign(dbauthz.AsKeyRotator(ctx),api.oauthConvertKeycache,claims)`
	`170`	`+token,err:=jwtutils.Sign(dbauthz.AsKeyRotator(ctx),api.OIDCConvertKeyCache,claims)`
`171`	`171`	`iferr!=nil {`
`172`	`172`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`173`	`173`	`Message:"Internal error signing state jwt.",`
`@@ -1676,7 +1676,7 @@ func (api API) convertUserToOauth(ctx context.Context, r http.Request, db data`
`1676`	`1676`	`}`
`1677`	`1677`	`}`
`1678`	`1678`	`varclaimsOAuthConvertStateClaims`
`1679`		`-err=jwtutils.Verify(dbauthz.AsKeyRotator(ctx),api.oauthConvertKeycache,jwtCookie.Value,&claims)`
	`1679`	`+err=jwtutils.Verify(dbauthz.AsKeyRotator(ctx),api.OIDCConvertKeyCache,jwtCookie.Value,&claims)`
`1680`	`1680`	`ifxerrors.Is(err,cryptokeys.ErrKeyNotFound)\|\|xerrors.Is(err,cryptokeys.ErrKeyInvalid)\|\|xerrors.Is(err,jose.ErrCryptoFailure) {`
`1681`	`1681`	`// These errors are probably because the user is mixing 2 coder deployments.`
`1682`	`1682`	`return database.User{}, idpsync.HTTPError{`

`‎coderd/workspaceagents_test.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -560,7 +560,7 @@ func TestWorkspaceAgentClientCoordinate_ResumeToken(t *testing.T) {`
`560`	`560`	`resumeTokenSigningKey,err:=tailnet.GenerateResumeTokenSigningKey()`
`561`	`561`	`mgr:= jwtutils.StaticKeyManager{`
`562`	`562`	`ID:uuid.New().String(),`
`563`		`-Key:resumeTokenSigningKey,`
	`563`	`+Key:resumeTokenSigningKey[:],`
`564`	`564`	`}`
`565`	`565`	`require.NoError(t,err)`
`566`	`566`	`resumeTokenProvider:=newResumeTokenRecordingProvider(`

`‎coderd/workspaceapps.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ func (api API) workspaceApplicationAuth(rw http.ResponseWriter, r http.Request`
`123`	`123`	`return`
`124`	`124`	`}`
`125`	`125`
`126`		`-encryptedAPIKey,err:=jwtutils.Encrypt(ctx,api.workspaceAppsKeyCache, workspaceapps.EncryptedAPIKeyPayload{`
	`126`	`+encryptedAPIKey,err:=jwtutils.Encrypt(ctx,api.AppEncryptionKeyCache, workspaceapps.EncryptedAPIKeyPayload{`
`127`	`127`	`APIKey:cookie.Value,`
`128`	`128`	`})`
`129`	`129`	`iferr!=nil {`

`‎coderd/workspaceapps/db.go‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ import (`
`13`	`13`	`"golang.org/x/exp/slices"`
`14`	`14`	`"golang.org/x/xerrors"`
`15`	`15`
	`16`	`+"github.com/go-jose/go-jose/v4/jwt"`
	`17`	`+`
`16`	`18`	`"cdr.dev/slog"`
`17`	`19`	`"github.com/coder/coder/v2/coderd/database"`
`18`	`20`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`@@ -22,7 +24,6 @@ import (`
`22`	`24`	`"github.com/coder/coder/v2/coderd/rbac"`
`23`	`25`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
`24`	`26`	`"github.com/coder/coder/v2/codersdk"`
`25`		`-"github.com/go-jose/go-jose/v4/jwt"`
`26`	`27`	`)`
`27`	`28`
`28`	`29`	`// DBTokenProvider provides authentication and authorization for workspace apps`

`‎coderd/workspaceapps/db_test.go‎`

Lines changed: 7 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ import (`
`21`	`21`	`"github.com/coder/coder/v2/agent/agenttest"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`23`	`23`	`"github.com/coder/coder/v2/coderd/httpmw"`
	`24`	`+"github.com/coder/coder/v2/coderd/jwtutils"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/workspaceapps"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/workspaceapps/appurl"`
`26`	`27`	`"github.com/coder/coder/v2/codersdk"`
`@@ -295,7 +296,8 @@ func Test_ResolveRequest(t *testing.T) {`
`295`	`296`	`require.Equal(t,codersdk.SignedAppTokenCookie,cookie.Name)`
`296`	`297`	`require.Equal(t,req.BasePath,cookie.Path)`
`297`	`298`
`298`		`-parsedToken,err:=api.workspaceAppsKeyCache.VerifySignedToken(cookie.Value)`
	`299`	`+varparsedToken workspaceapps.SignedToken`
	`300`	`+err:=jwtutils.Verify(ctx,api.AppSigningKeyCache,cookie.Value,&parsedToken)`
`299`	`301`	`require.NoError(t,err)`
`300`	`302`	`// normalize expiry`
`301`	`303`	`require.WithinDuration(t,token.Expiry.Time(),parsedToken.Expiry.Time(),2*time.Second)`
`@@ -551,7 +553,8 @@ func Test_ResolveRequest(t *testing.T) {`
`551`	`553`	`AgentID:agentID,`
`552`	`554`	`AppURL:appURL,`
`553`	`555`	`}`
`554`		`-badTokenStr,err:=api.AppSecurityKey.SignToken(badToken)`
	`556`	`+`
	`557`	`+badTokenStr,err:=jwtutils.Sign(ctx,api.AppSigningKeyCache,badToken)`
`555`	`558`	`require.NoError(t,err)`
`556`	`559`
`557`	`560`	`req:= (workspaceapps.Request{`
`@@ -594,7 +597,8 @@ func Test_ResolveRequest(t *testing.T) {`
`594`	`597`	`require.Len(t,cookies,1)`
`595`	`598`	`require.Equal(t,cookies[0].Name,codersdk.SignedAppTokenCookie)`
`596`	`599`	`require.NotEqual(t,cookies[0].Value,badTokenStr)`
`597`		`-parsedToken,err:=api.AppSecurityKey.VerifySignedToken(cookies[0].Value)`
	`600`	`+varparsedToken workspaceapps.SignedToken`
	`601`	`+err=jwtutils.Verify(ctx,api.AppSigningKeyCache,cookies[0].Value,&parsedToken)`
`598`	`602`	`require.NoError(t,err)`
`599`	`603`	`require.Equal(t,appNameOwner,parsedToken.AppSlugOrPort)`
`600`	`604`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita50b1f0

File tree

14 files changed

14 files changed

`‎coderd/coderd.go‎`

`‎coderd/coderdtest/coderdtest.go‎`

`‎coderd/cryptokeys/dbkeycache.go‎`

`‎coderd/cryptokeys/rotate.go‎`

`‎coderd/jwtutils/jwe.go‎`

`‎coderd/userauth.go‎`

`‎coderd/workspaceagents_test.go‎`

`‎coderd/workspaceapps.go‎`

`‎coderd/workspaceapps/db.go‎`

`‎coderd/workspaceapps/db_test.go‎`

0 commit comments