May 29, 2024 · May 24, 2024 · May 29, 2024 · May 29, 2024 · May 29, 2024 · May 27, 2024
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
 if err != nil {
 return nil, failJob(fmt.Sprintf("get owner: %s", err))
 }
 var ownerSSHPublicKey, ownerSSHPrivateKey string
 if ownerSSHKey, err := s.Database.GetGitSSHKey(ctx, owner.ID); err != nil {
 if !xerrors.Is(err, sql.ErrNoRows) {
 return nil, failJob(fmt.Sprintf("get owner ssh key: %s", err))
 }
 } else {
 ownerSSHPublicKey = ownerSSHKey.PublicKey
 ownerSSHPrivateKey = ownerSSHKey.PrivateKey
 }
 ownerGroups, err := s.Database.GetGroupsByOrganizationAndUserID(ctx, database.GetGroupsByOrganizationAndUserIDParams{
 UserID:         owner.ID,
 OrganizationID: s.OrganizationID,
 TemplateName:                  template.Name,
 TemplateVersion:               templateVersion.Name,
 WorkspaceOwnerSessionToken:    sessionToken,
 WorkspaceOwnerSshPublicKey:    ownerSSHPublicKey,
 WorkspaceOwnerSshPrivateKey:   ownerSSHPrivateKey,
 },
 LogLevel: input.LogLevel,
 },
diff --git a/coderd/provisionerdserver/provisionerdserver_test.go b/coderd/provisionerdserver/provisionerdserver_test.go
 Name:           "group1",
 OrganizationID: pd.OrganizationID,
 })
 sshKey := dbgen.GitSSHKey(t, db, database.GitSSHKey{
 UserID: user.ID,
 })
 err := db.InsertGroupMember(ctx, database.InsertGroupMemberParams{
 UserID:  user.ID,
 GroupID: group1.ID,
 TemplateName:                  template.Name,
 TemplateVersion:               version.Name,
 WorkspaceOwnerSessionToken:    sessionToken,
 WorkspaceOwnerSshPublicKey:    sshKey.PublicKey,
 WorkspaceOwnerSshPrivateKey:   sshKey.PrivateKey,
 },
 },
 })
diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go
 "CODER_WORKSPACE_OWNER_NAME="+metadata.GetWorkspaceOwnerName(),
 "CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+metadata.GetWorkspaceOwnerOidcAccessToken(),
 "CODER_WORKSPACE_OWNER_GROUPS="+string(ownerGroups),
 "CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY="+metadata.GetWorkspaceOwnerSshPublicKey(),
 "CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY="+metadata.GetWorkspaceOwnerSshPrivateKey(),
 "CODER_WORKSPACE_ID="+metadata.GetWorkspaceId(),
 "CODER_WORKSPACE_OWNER_ID="+metadata.GetWorkspaceOwnerId(),
 "CODER_WORKSPACE_OWNER_SESSION_TOKEN="+metadata.GetWorkspaceOwnerSessionToken(),
diff --git a/provisioner/terraform/provision_test.go b/provisioner/terraform/provision_test.go
 }},
 },
 },
 {
 Name: "ssh-key",
 Files: map[string]string{
 "main.tf": `terraform {
 required_providers {
  coder = {
 source  = "coder/coder"
  }
 }
 }

 resource "null_resource" "example" {}
 data "coder_workspace_owner" "me" {}
 resource "coder_metadata" "example" {
 resource_id = null_resource.example.id
 item {
 key = "pubkey"
 value = data.coder_workspace_owner.me.ssh_public_key
 }
 item {
 key = "privkey"
 value = data.coder_workspace_owner.me.ssh_private_key
 }
 }
 `,
 },
 Request: &proto.PlanRequest{
 Metadata: &proto.Metadata{
 WorkspaceOwnerSshPublicKey:  "fake public key",
 WorkspaceOwnerSshPrivateKey: "fake private key",
 },
 },
 Response: &proto.PlanComplete{
 Resources: []*proto.Resource{{
 Name: "example",
 Type: "null_resource",
 Metadata: []*proto.Resource_Metadata{{
 Key:   "pubkey",
 Value: "fake public key",
 }, {
 Key:   "privkey",
 Value: "fake private key",
 }},
 }},
 },
 },
 }

 for _, testCase := range testCases {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -467,6 +467,15 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
		if err != nil {
		return nil, failJob(fmt.Sprintf("get owner: %s", err))
		}
		var ownerSSHPublicKey, ownerSSHPrivateKey string
		if ownerSSHKey, err := s.Database.GetGitSSHKey(ctx, owner.ID); err != nil {
		if !xerrors.Is(err, sql.ErrNoRows) {
		return nil, failJob(fmt.Sprintf("get owner ssh key: %s", err))
		}
		} else {
		ownerSSHPublicKey = ownerSSHKey.PublicKey
		ownerSSHPrivateKey = ownerSSHKey.PrivateKey
		}
		ownerGroups, err := s.Database.GetGroupsByOrganizationAndUserID(ctx, database.GetGroupsByOrganizationAndUserIDParams{
		UserID: owner.ID,
		OrganizationID: s.OrganizationID,
Expand DownExpand Up		@@ -586,6 +595,8 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
		TemplateName: template.Name,
		TemplateVersion: templateVersion.Name,
		WorkspaceOwnerSessionToken: sessionToken,
		WorkspaceOwnerSshPublicKey: ownerSSHPublicKey,
		WorkspaceOwnerSshPrivateKey: ownerSSHPrivateKey,
		},
		LogLevel: input.LogLevel,
		},
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -190,6 +190,9 @@ func TestAcquireJob(t *testing.T) {
		Name: "group1",
		OrganizationID: pd.OrganizationID,
		})
		sshKey := dbgen.GitSSHKey(t, db, database.GitSSHKey{
		UserID: user.ID,
		})
		err := db.InsertGroupMember(ctx, database.InsertGroupMemberParams{
		UserID: user.ID,
		GroupID: group1.ID,
Expand DownExpand Up		@@ -360,6 +363,8 @@ func TestAcquireJob(t *testing.T) {
		TemplateName: template.Name,
		TemplateVersion: version.Name,
		WorkspaceOwnerSessionToken: sessionToken,
		WorkspaceOwnerSshPublicKey: sshKey.PublicKey,
		WorkspaceOwnerSshPrivateKey: sshKey.PrivateKey,
		},
		},
		})
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -202,6 +202,8 @@ func provisionEnv(
		"CODER_WORKSPACE_OWNER_NAME="+metadata.GetWorkspaceOwnerName(),
		"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+metadata.GetWorkspaceOwnerOidcAccessToken(),
		"CODER_WORKSPACE_OWNER_GROUPS="+string(ownerGroups),
		"CODER_WORKSPACE_OWNER_SSH_PUBLIC_KEY="+metadata.GetWorkspaceOwnerSshPublicKey(),
		"CODER_WORKSPACE_OWNER_SSH_PRIVATE_KEY="+metadata.GetWorkspaceOwnerSshPrivateKey(),
Copy link Contributor dannykoppingMay 27, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Is this safe to do? I suppose if the provisioner is compromised all bets are off, but just curious if there is anything we should be sensitive to here in relation to passing the privkey around. Copy link MemberAuthor johnstcnMay 27, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. The safety of these values is predicated on a) trusting the provisioner that's executing the job, b) trusting the communication channel between the provisioner and coder. So if someone can either access the environment variables of the`terraform-provider-coder` process, or intercept the communication path between provisionerd and coderd, then all bets are off. Apart from that, this is a sensitive variable just like the OIDC access token or Coder session token that get passed in the same way. dannykopping and matifali reacted with thumbs up emoji
		"CODER_WORKSPACE_ID="+metadata.GetWorkspaceId(),
		"CODER_WORKSPACE_OWNER_ID="+metadata.GetWorkspaceOwnerId(),
		"CODER_WORKSPACE_OWNER_SESSION_TOKEN="+metadata.GetWorkspaceOwnerSessionToken(),
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -572,6 +572,52 @@ func TestProvision(t *testing.T) {
		}},
		},
		},
		{
		Name: "ssh-key",
		Files: map[string]string{
		"main.tf": `terraform {
		required_providers {
		coder = {
		source = "coder/coder"
		}
		}
		}

		resource "null_resource" "example" {}
		data "coder_workspace_owner" "me" {}
		resource "coder_metadata" "example" {
		resource_id = null_resource.example.id
		item {
		key = "pubkey"
		value = data.coder_workspace_owner.me.ssh_public_key
		}
		item {
		key = "privkey"
		value = data.coder_workspace_owner.me.ssh_private_key
		}
		}
		`,
		},
		Request: &proto.PlanRequest{
		Metadata: &proto.Metadata{
		WorkspaceOwnerSshPublicKey: "fake public key",
		WorkspaceOwnerSshPrivateKey: "fake private key",
		},
		},
		Response: &proto.PlanComplete{
		Resources: []*proto.Resource{{
		Name: "example",
		Type: "null_resource",
		Metadata: []*proto.Resource_Metadata{{
		Key: "pubkey",
		Value: "fake public key",
		}, {
		Key: "privkey",
		Value: "fake private key",
		}},
		}},
		},
		},
		}

		for _, testCase := range testCases {
Expand Down