Oct 4, 2024 · Oct 1, 2024 · Oct 2, 2024 · Oct 2, 2024 · Oct 2, 2024 · Oct 2, 2024
diff --git a/Makefile b/Makefile
 examples/examples.gen.json \
 tailnet/tailnettest/coordinatormock.go \
 tailnet/tailnettest/coordinateemock.go \
 tailnet/tailnettest/multiagentmock.go
 tailnet/tailnettest/multiagentmock.go \
 coderd/cryptokeys/keycachemock.go
 .PHONY: gen

 # Mark all generated files as fresh so make thinks they're up-to-date. This is
 tailnet/tailnettest/coordinatormock.go \
 tailnet/tailnettest/coordinateemock.go \
 tailnet/tailnettest/multiagentmock.go \
 coderd/cryptokeys/keycachemock.go
 "
 for file in $$files; do
 echo "$$file"
 coderd/rbac/object_gen.go: scripts/rbacgen/rbacobject.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 go run scripts/rbacgen/main.go rbac > coderd/rbac/object_gen.go

 coderd/cryptokeys/keycachemock.go: coderd/cryptokeys/keycache.go
 go generate ./coderd/cryptokeys

 codersdk/rbacresources_gen.go: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 go run scripts/rbacgen/main.go codersdk > codersdk/rbacresources_gen.go

diff --git a/coderd/cryptokeys/dbkeycache.go b/coderd/cryptokeys/dbkeycache.go

 import (
 "context"
 "strconv"
 "sync"
 "time"

 "golang.org/x/xerrors"

 "cdr.dev/slog"
 "github.com/coder/coder/v2/coderd/database"
 "github.com/coder/coder/v2/coderd/database/db2sdk"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/quartz"
 )

 // never represents the maximum value for a time.Duration.
 const never = 1<<63 - 1

 //DBCache implements Keycache for callers with access to the database.
 typeDBCache struct {
 //dbCache implements Keycache for callers with access to the database.
 typedbCache struct {
 db      database.Store
 feature database.CryptoKeyFeature
 logger  slog.Logger
 closed       bool
 }

 type DBCacheOption func(*DBCache)
 type DBCacheOption func(*dbCache)

 func WithDBCacheClock(clock quartz.Clock) DBCacheOption {
 return func(d *DBCache) {
 return func(d *dbCache) {
 d.clock = clock
 }
 }

 //NewDBCache creates a new DBCache. Close should be called to
 //NewSigningCache creates a new DBCache. Close should be called to
 // release resources associated with its internal timer.
 func NewDBCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*DBCache)) *DBCache {
 d := &DBCache{
 func NewSigningCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*dbCache)) (SigningKeycache, error) {
 if !isSigningKeyFeature(feature) {
 return nil, ErrInvalidFeature
 }

 return newDBCache(logger, db, feature, opts...), nil
 }

 func NewEncryptionCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*dbCache)) (EncryptionKeycache, error) {
 if !isEncryptionKeyFeature(feature) {
 return nil, ErrInvalidFeature
 }

 return newDBCache(logger, db, feature, opts...), nil
 }

 func newDBCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*dbCache)) *dbCache {
 d := &dbCache{
 db:      db,
 feature: feature,
 clock:   quartz.NewReal(),
 return d
 }

 // Verifying returns the CryptoKey with the given sequence number, provided that
 func (d *dbCache) EncryptingKey(ctx context.Context) (id string, key interface{}, err error) {
 return d.latest(ctx)
 }

 func (d *dbCache) DecryptingKey(ctx context.Context, id string) (key interface{}, err error) {
 return d.sequence(ctx, id)
 }

 func (d *dbCache) SigningKey(ctx context.Context) (id string, key interface{}, err error) {
 return d.latest(ctx)
 }

 func (d *dbCache) VerifyingKey(ctx context.Context, id string) (key interface{}, err error) {
 return d.sequence(ctx, id)
 }

 // sequence returns the CryptoKey with the given sequence number, provided that
 // it is neither deleted nor has breached its deletion date. It should only be
 // used for verifying or decrypting payloads. To sign/encrypt call Signing.
 func (d *DBCache) Verifying(ctx context.Context, sequence int32) (codersdk.CryptoKey, error) {
 func (d *dbCache) sequence(ctx context.Context, id string) (interface{}, error) {
 sequence, err := strconv.ParseInt(id, 10, 32)
 if err != nil {
 return nil, xerrors.Errorf("expecting sequence number got %q: %w", id, err)
 }

 d.keysMu.RLock()
 if d.closed {
 d.keysMu.RUnlock()
 returncodersdk.CryptoKey{}, ErrClosed
 returnnil, ErrClosed
 }

 now := d.clock.Now()
 key, ok := d.keys[sequence]
 key, ok := d.keys[int32(sequence)]
 d.keysMu.RUnlock()
 if ok {
 return checkKey(key, now)
 defer d.keysMu.Unlock()

 if d.closed {
 returncodersdk.CryptoKey{}, ErrClosed
 returnnil, ErrClosed
 }

 key, ok = d.keys[sequence]
 key, ok = d.keys[int32(sequence)]
 if ok {
 return checkKey(key, now)
 }

 err:= d.fetch(ctx)
 err = d.fetch(ctx)
 if err != nil {
 returncodersdk.CryptoKey{}, xerrors.Errorf("fetch: %w", err)
 returnnil, xerrors.Errorf("fetch: %w", err)
 }

 key, ok = d.keys[sequence]
 key, ok = d.keys[int32(sequence)]
 if !ok {
 returncodersdk.CryptoKey{}, ErrKeyNotFound
 returnnil, ErrKeyNotFound
 }

 return checkKey(key, now)
 }

 //Signing returns the latest valid key for signing. A valid key is one that is
 //latest returns the latest valid key for signing. A valid key is one that is
 // both past its start time and before its deletion time.
 func (d *DBCache) Signing(ctx context.Context) (codersdk.CryptoKey, error) {
 func (d *dbCache) latest(ctx context.Context) (string, interface{}, error) {
 d.keysMu.RLock()

 if d.closed {
 d.keysMu.RUnlock()
 returncodersdk.CryptoKey{}, ErrClosed
 return"", nil, ErrClosed
 }

 latest := d.latestKey
 d.keysMu.RUnlock()

 now := d.clock.Now()
 if latest.CanSign(now) {
 returndb2sdk.CryptoKey(latest), nil
 returnidSecret(latest)
 }

 d.keysMu.Lock()
 defer d.keysMu.Unlock()

 if d.closed {
 returncodersdk.CryptoKey{}, ErrClosed
 return"", nil, ErrClosed
 }

 if d.latestKey.CanSign(now) {
 returndb2sdk.CryptoKey(d.latestKey), nil
 returnidSecret(d.latestKey)
 }

 // Refetch all keys for this feature so we can find the latest valid key.
 err := d.fetch(ctx)
 if err != nil {
 returncodersdk.CryptoKey{}, xerrors.Errorf("fetch: %w", err)
 return"", nil, xerrors.Errorf("fetch: %w", err)
 }

 returndb2sdk.CryptoKey(d.latestKey), nil
 returnidSecret(d.latestKey)
 }

 // clear invalidates the cache. This forces the subsequent call to fetch fresh keys.
 func (d *DBCache) clear() {
 func (d *dbCache) clear() {
 now := d.clock.Now("DBCache", "clear")
 d.keysMu.Lock()
 defer d.keysMu.Unlock()

 // fetch fetches all keys for the given feature and determines the latest key.
 // It must be called while holding the keysMu lock.
 func (d *DBCache) fetch(ctx context.Context) error {
 func (d *dbCache) fetch(ctx context.Context) error {
 keys, err := d.db.GetCryptoKeysByFeature(ctx, d.feature)
 if err != nil {
 return xerrors.Errorf("get crypto keys by feature: %w", err)
 return nil
 }

 func checkKey(key database.CryptoKey, now time.Time) (codersdk.CryptoKey, error) {
 func checkKey(key database.CryptoKey, now time.Time) (interface{}, error) {
 if !key.CanVerify(now) {
 returncodersdk.CryptoKey{}, ErrKeyInvalid
 returnnil, ErrKeyInvalid
 }

 returndb2sdk.CryptoKey(key), nil
 returnkey.DecodeString()
 }

 func (d *DBCache) Close() {
 func (d *dbCache) Close() error {
 d.keysMu.Lock()
 defer d.keysMu.Unlock()

 if d.closed {
 return
 return nil
 }

 d.timer.Stop()
 d.closed = true
 return nil
 }

 func isEncryptionKeyFeature(feature database.CryptoKeyFeature) bool {
 return feature == database.CryptoKeyFeatureWorkspaceApps
 }

 func isSigningKeyFeature(feature database.CryptoKeyFeature) bool {
 switch feature {
 case database.CryptoKeyFeatureTailnetResume, database.CryptoKeyFeatureOidcConvert:
 return true
 default:
 return false
 }
 }

 func idSecret(k database.CryptoKey) (string, interface{}, error) {
 key, err := k.DecodeString()
 if err != nil {
 return "", nil, xerrors.Errorf("decode key: %w", err)
 }

 return strconv.FormatInt(int64(k.Sequence), 10), key, nil
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -507,7 +507,8 @@ gen: \
		examples/examples.gen.json \
		tailnet/tailnettest/coordinatormock.go \
		tailnet/tailnettest/coordinateemock.go \
		tailnet/tailnettest/multiagentmock.go
		tailnet/tailnettest/multiagentmock.go \
		coderd/cryptokeys/keycachemock.go
		.PHONY: gen

		# Mark all generated files as fresh so make thinks they're up-to-date. This is
Expand DownExpand Up		@@ -537,6 +538,7 @@ gen/mark-fresh:
		tailnet/tailnettest/coordinatormock.go \
		tailnet/tailnettest/coordinateemock.go \
		tailnet/tailnettest/multiagentmock.go \
		coderd/cryptokeys/keycachemock.go
		"
		for file in $$files; do
		echo "$$file"
Expand DownExpand Up		@@ -628,6 +630,9 @@ examples/examples.gen.json: scripts/examplegen/main.go examples/examples.go $(sh
		coderd/rbac/object_gen.go: scripts/rbacgen/rbacobject.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
		go run scripts/rbacgen/main.go rbac > coderd/rbac/object_gen.go

		coderd/cryptokeys/keycachemock.go: coderd/cryptokeys/keycache.go
		go generate ./coderd/cryptokeys

		codersdk/rbacresources_gen.go: scripts/rbacgen/codersdk.gotmpl scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
		go run scripts/rbacgen/main.go codersdk > codersdk/rbacresources_gen.go

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,23 +2,22 @@ package cryptokeys

		import (
		"context"
		"strconv"
		"sync"
		"time"

		"golang.org/x/xerrors"

		"cdr.dev/slog"
		"github.com/coder/coder/v2/coderd/database"
		"github.com/coder/coder/v2/coderd/database/db2sdk"
		"github.com/coder/coder/v2/codersdk"
		"github.com/coder/quartz"
		)

		// never represents the maximum value for a time.Duration.
		const never = 1<<63 - 1

		//DBCache implements Keycache for callers with access to the database.
		typeDBCache struct {
		//dbCache implements Keycache for callers with access to the database.
		typedbCache struct {
		db database.Store
		feature database.CryptoKeyFeature
		logger slog.Logger
Expand All		@@ -34,18 +33,34 @@ type DBCache struct {
		closed bool
		}

		type DBCacheOption func(*DBCache)
		type DBCacheOption func(*dbCache)

		func WithDBCacheClock(clock quartz.Clock) DBCacheOption {
		return func(d *DBCache) {
		return func(d *dbCache) {
		d.clock = clock
		}
		}

		//NewDBCache creates a new DBCache. Close should be called to
		//NewSigningCache creates a new DBCache. Close should be called to
		// release resources associated with its internal timer.
		func NewDBCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(DBCache)) DBCache {
		d := &DBCache{
		func NewSigningCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*dbCache)) (SigningKeycache, error) {
		if !isSigningKeyFeature(feature) {
		return nil, ErrInvalidFeature
		}

		return newDBCache(logger, db, feature, opts...), nil
		}

		func NewEncryptionCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(*dbCache)) (EncryptionKeycache, error) {
		if !isEncryptionKeyFeature(feature) {
		return nil, ErrInvalidFeature
		}

		return newDBCache(logger, db, feature, opts...), nil
		}
sreya marked this conversation as resolved. Show resolvedHide resolved

		func newDBCache(logger slog.Logger, db database.Store, feature database.CryptoKeyFeature, opts ...func(dbCache)) dbCache {
		d := &dbCache{
sreya marked this conversation as resolved. Show resolvedHide resolved
		db: db,
		feature: feature,
		clock: quartz.NewReal(),
Expand All		@@ -61,18 +76,39 @@ func NewDBCache(logger slog.Logger, db database.Store, feature database.CryptoKe
		return d
		}

		// Verifying returns the CryptoKey with the given sequence number, provided that
		func (d *dbCache) EncryptingKey(ctx context.Context) (id string, key interface{}, err error) {
		return d.latest(ctx)
		}

		func (d *dbCache) DecryptingKey(ctx context.Context, id string) (key interface{}, err error) {
		return d.sequence(ctx, id)
		}
sreya marked this conversation as resolved. Show resolvedHide resolved

		func (d *dbCache) SigningKey(ctx context.Context) (id string, key interface{}, err error) {
		return d.latest(ctx)
		}

		func (d *dbCache) VerifyingKey(ctx context.Context, id string) (key interface{}, err error) {
		return d.sequence(ctx, id)
		}
sreya marked this conversation as resolved. Show resolvedHide resolved

		// sequence returns the CryptoKey with the given sequence number, provided that
		// it is neither deleted nor has breached its deletion date. It should only be
		// used for verifying or decrypting payloads. To sign/encrypt call Signing.
		func (d *DBCache) Verifying(ctx context.Context, sequence int32) (codersdk.CryptoKey, error) {
		func (d *dbCache) sequence(ctx context.Context, id string) (interface{}, error) {
		sequence, err := strconv.ParseInt(id, 10, 32)
		if err != nil {
		return nil, xerrors.Errorf("expecting sequence number got %q: %w", id, err)
		}

		d.keysMu.RLock()
		if d.closed {
		d.keysMu.RUnlock()
		returncodersdk.CryptoKey{}, ErrClosed
		returnnil, ErrClosed
		}

		now := d.clock.Now()
		key, ok := d.keys[sequence]
		key, ok := d.keys[int32(sequence)]
		d.keysMu.RUnlock()
		if ok {
		return checkKey(key, now)
Expand All		@@ -82,67 +118,67 @@ func (d *DBCache) Verifying(ctx context.Context, sequence int32) (codersdk.Crypt
		defer d.keysMu.Unlock()

		if d.closed {
		returncodersdk.CryptoKey{}, ErrClosed
		returnnil, ErrClosed
		}

		key, ok = d.keys[sequence]
		key, ok = d.keys[int32(sequence)]
		if ok {
		return checkKey(key, now)
		}

		err:= d.fetch(ctx)
		err = d.fetch(ctx)
		if err != nil {
		returncodersdk.CryptoKey{}, xerrors.Errorf("fetch: %w", err)
		returnnil, xerrors.Errorf("fetch: %w", err)
		}

		key, ok = d.keys[sequence]
		key, ok = d.keys[int32(sequence)]
		if !ok {
		returncodersdk.CryptoKey{}, ErrKeyNotFound
		returnnil, ErrKeyNotFound
		}

		return checkKey(key, now)
		}

		//Signing returns the latest valid key for signing. A valid key is one that is
		//latest returns the latest valid key for signing. A valid key is one that is
		// both past its start time and before its deletion time.
		func (d *DBCache) Signing(ctx context.Context) (codersdk.CryptoKey, error) {
		func (d *dbCache) latest(ctx context.Context) (string, interface{}, error) {
		d.keysMu.RLock()

		if d.closed {
		d.keysMu.RUnlock()
		returncodersdk.CryptoKey{}, ErrClosed
		return"", nil, ErrClosed
		}

		latest := d.latestKey
		d.keysMu.RUnlock()

		now := d.clock.Now()
		if latest.CanSign(now) {
		returndb2sdk.CryptoKey(latest), nil
		returnidSecret(latest)
		}

		d.keysMu.Lock()
		defer d.keysMu.Unlock()

		if d.closed {
		returncodersdk.CryptoKey{}, ErrClosed
		return"", nil, ErrClosed
		}

		if d.latestKey.CanSign(now) {
		returndb2sdk.CryptoKey(d.latestKey), nil
		returnidSecret(d.latestKey)
		}

		// Refetch all keys for this feature so we can find the latest valid key.
		err := d.fetch(ctx)
		if err != nil {
		returncodersdk.CryptoKey{}, xerrors.Errorf("fetch: %w", err)
		return"", nil, xerrors.Errorf("fetch: %w", err)
		}

		returndb2sdk.CryptoKey(d.latestKey), nil
		returnidSecret(d.latestKey)
		}

		// clear invalidates the cache. This forces the subsequent call to fetch fresh keys.
		func (d *DBCache) clear() {
		func (d *dbCache) clear() {
		now := d.clock.Now("DBCache", "clear")
		d.keysMu.Lock()
		defer d.keysMu.Unlock()
Expand All		@@ -158,7 +194,7 @@ func (d *DBCache) clear() {

		// fetch fetches all keys for the given feature and determines the latest key.
		// It must be called while holding the keysMu lock.
		func (d *DBCache) fetch(ctx context.Context) error {
		func (d *dbCache) fetch(ctx context.Context) error {
		keys, err := d.db.GetCryptoKeysByFeature(ctx, d.feature)
		if err != nil {
		return xerrors.Errorf("get crypto keys by feature: %w", err)
Expand DownExpand Up		@@ -189,22 +225,45 @@ func (d *DBCache) fetch(ctx context.Context) error {
		return nil
		}

		func checkKey(key database.CryptoKey, now time.Time) (codersdk.CryptoKey, error) {
		func checkKey(key database.CryptoKey, now time.Time) (interface{}, error) {
		if !key.CanVerify(now) {
		returncodersdk.CryptoKey{}, ErrKeyInvalid
		returnnil, ErrKeyInvalid
		}

		returndb2sdk.CryptoKey(key), nil
		returnkey.DecodeString()
		}

		func (d *DBCache) Close() {
		func (d *dbCache) Close() error {
		d.keysMu.Lock()
		defer d.keysMu.Unlock()

		if d.closed {
		return
		return nil
		}

		d.timer.Stop()
		d.closed = true
		return nil
		}

		func isEncryptionKeyFeature(feature database.CryptoKeyFeature) bool {
		return feature == database.CryptoKeyFeatureWorkspaceApps
		}

		func isSigningKeyFeature(feature database.CryptoKeyFeature) bool {
		switch feature {
		case database.CryptoKeyFeatureTailnetResume, database.CryptoKeyFeatureOidcConvert:
		return true
		default:
		return false
		}
		}

		func idSecret(k database.CryptoKey) (string, interface{}, error) {
		key, err := k.DecodeString()
		if err != nil {
		return "", nil, xerrors.Errorf("decode key: %w", err)
		}

		return strconv.FormatInt(int64(k.Sequence), 10), key, nil
		}