- Notifications
You must be signed in to change notification settings - Fork1k
feat: enable key rotation#15066
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
42 commits Select commitHold shift + click to select a range
b745c8e feat: enable key rotation
sreyab98bff0 add migration
sreya0646b30 Refactor cryptographic key handling for OIDC and API keys
sreyab73b210 the end is nigh
sreya7fe88ea fix migrations
sreya0323f79 Refactor key cache management for better clarity
sreya7413907 hm
sreya2ea31ab fixing tests
sreyad0d168b time to fix it
sreya33cdb96 Refactor cryptokeys Fetcher to include feature param
sreya08570b7 Refactor key caching and logging behavior
sreyab770762 Refactor crypto_key_feature migration logic
sreya7557ed2 Refactor key management and enhance logging
sreyafa9a75d Update cryptokey feature test and migration logic
sreya94987b6 gen
sreya76561ac Refactor cryptokeys cache to include key reader context
sreya53dcf36 Refactor jwtutils to remove redundant key reader
sreyac656d00 Remove unused cryptokey feature fixtures
sreyae7cfb46 Refactor cryptokeys comments and variable typo
sreya6432b0d fix comments
sreya9ad187d move rotator out of coderd
sreyad16e98f remove composite jwtutil interfaces
sreya3809cd5 fix tests caused by moving rotator initiation out of coderd
sreya6d3c103 pr comments
sreyaa3020fc Merge branch 'main' into jon/glue
sreyabfa88b7 Refactor tests to remove direct database setup
sreya495c28f Rename cryptokey migration files to update sequence
sreya692bb36 Fix conditional logging in key cache initialization
sreya4028995 Refactor crypto key management in tests
sreya6b9a3e4 add test for oidc jwt
sreya5ee6ad5 add test for tailnet_resume jwt
sreya886d87c add test for workspaceapps
sreya5261442 add test for signedtoken
sreya4a1d974 fix migrations
sreya092a241 fmt
sreya87828a2 pr comments
sreya6aa90bc Merge branch 'main' into jon/glue
sreya358aaa8 Rename cryptokey migration files to update sequence
sreyaad237ad Merge branch 'main' into jon/glue
sreya5798a33 migrations
sreya200cd68 Refactor StaticKey to jwtutils package
sreya2194b4d fix tests
sreyaFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
102 changes: 21 additions & 81 deletionscli/server.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
18 changes: 13 additions & 5 deletionscoderd/apidoc/docs.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
22 changes: 17 additions & 5 deletionscoderd/apidoc/swagger.json
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
72 changes: 61 additions & 11 deletionscoderd/coderd.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -40,6 +40,7 @@ import ( | ||
| "github.com/coder/quartz" | ||
| "github.com/coder/serpent" | ||
| "github.com/coder/coder/v2/coderd/cryptokeys" | ||
| "github.com/coder/coder/v2/coderd/entitlements" | ||
| "github.com/coder/coder/v2/coderd/idpsync" | ||
| "github.com/coder/coder/v2/coderd/runtimeconfig" | ||
| @@ -185,9 +186,6 @@ type Options struct { | ||
| TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore] | ||
| UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore] | ||
| AccessControlStore *atomic.Pointer[dbauthz.AccessControlStore] | ||
| // CoordinatorResumeTokenProvider is used to provide and validate resume | ||
| // tokens issued by and passed to the coordinator DRPC API. | ||
| CoordinatorResumeTokenProvider tailnet.ResumeTokenProvider | ||
| @@ -251,6 +249,12 @@ type Options struct { | ||
| // OneTimePasscodeValidityPeriod specifies how long a one time passcode should be valid for. | ||
| OneTimePasscodeValidityPeriod time.Duration | ||
| // Keycaches | ||
| AppSigningKeyCache cryptokeys.SigningKeycache | ||
| AppEncryptionKeyCache cryptokeys.EncryptionKeycache | ||
| OIDCConvertKeyCache cryptokeys.SigningKeycache | ||
| Clock quartz.Clock | ||
| } | ||
| // @title Coder API | ||
| @@ -352,6 +356,9 @@ func New(options *Options) *API { | ||
| if options.PrometheusRegistry == nil { | ||
| options.PrometheusRegistry = prometheus.NewRegistry() | ||
| } | ||
| if options.Clock == nil { | ||
| options.Clock = quartz.NewReal() | ||
| } | ||
| if options.DERPServer == nil && options.DeploymentValues.DERP.Server.Enable { | ||
| options.DERPServer = derp.NewServer(key.NewNode(), tailnet.Logger(options.Logger.Named("derp"))) | ||
| } | ||
| @@ -444,6 +451,49 @@ func New(options *Options) *API { | ||
| if err != nil { | ||
| panic(xerrors.Errorf("get deployment ID: %w", err)) | ||
| } | ||
| fetcher := &cryptokeys.DBFetcher{ | ||
| DB: options.Database, | ||
| } | ||
| if options.OIDCConvertKeyCache == nil { | ||
| options.OIDCConvertKeyCache, err = cryptokeys.NewSigningCache(ctx, | ||
| options.Logger.Named("oidc_convert_keycache"), | ||
| fetcher, | ||
| codersdk.CryptoKeyFeatureOIDCConvert, | ||
| ) | ||
| if err != nil { | ||
| options.Logger.Critical(ctx, "failed to properly instantiate oidc convert signing cache", slog.Error(err)) | ||
| } | ||
| } | ||
| if options.AppSigningKeyCache == nil { | ||
| options.AppSigningKeyCache, err = cryptokeys.NewSigningCache(ctx, | ||
| options.Logger.Named("app_signing_keycache"), | ||
| fetcher, | ||
| codersdk.CryptoKeyFeatureWorkspaceAppsToken, | ||
| ) | ||
| if err != nil { | ||
| options.Logger.Critical(ctx, "failed to properly instantiate app signing key cache", slog.Error(err)) | ||
| } | ||
| } | ||
| if options.AppEncryptionKeyCache == nil { | ||
| options.AppEncryptionKeyCache, err = cryptokeys.NewEncryptionCache(ctx, | ||
| options.Logger, | ||
| fetcher, | ||
| codersdk.CryptoKeyFeatureWorkspaceAppsAPIKey, | ||
| ) | ||
| if err != nil { | ||
| options.Logger.Critical(ctx, "failed to properly instantiate app encryption key cache", slog.Error(err)) | ||
| } | ||
| } | ||
| // Start a background process that rotates keys. We intentionally start this after the caches | ||
| // are created to force initial requests for a key to populate the caches. This helps catch | ||
| // bugs that may only occur when a key isn't precached in tests and the latency cost is minimal. | ||
sreya marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| cryptokeys.StartRotator(ctx, options.Logger, options.Database) | ||
| api := &API{ | ||
| ctx: ctx, | ||
| cancel: cancel, | ||
| @@ -464,7 +514,7 @@ func New(options *Options) *API { | ||
| options.DeploymentValues, | ||
| oauthConfigs, | ||
| options.AgentInactiveDisconnectTimeout, | ||
| options.AppSigningKeyCache, | ||
| ), | ||
| metricsCache: metricsCache, | ||
| Auditor: atomic.Pointer[audit.Auditor]{}, | ||
| @@ -606,7 +656,7 @@ func New(options *Options) *API { | ||
| ResumeTokenProvider: api.Options.CoordinatorResumeTokenProvider, | ||
| }) | ||
| if err != nil { | ||
| api.Logger.Fatal(context.Background(), "failed to initialize tailnet client service", slog.Error(err)) | ||
| } | ||
| api.statsReporter = workspacestats.NewReporter(workspacestats.ReporterOptions{ | ||
| @@ -628,9 +678,6 @@ func New(options *Options) *API { | ||
| options.WorkspaceAppsStatsCollectorOptions.Reporter = api.statsReporter | ||
| } | ||
| api.workspaceAppServer = &workspaceapps.Server{ | ||
| Logger: workspaceAppsLogger, | ||
| @@ -642,11 +689,11 @@ func New(options *Options) *API { | ||
| SignedTokenProvider: api.WorkspaceAppsProvider, | ||
| AgentProvider: api.agentProvider, | ||
| StatsCollector: workspaceapps.NewStatsCollector(options.WorkspaceAppsStatsCollectorOptions), | ||
| DisablePathApps: options.DeploymentValues.DisablePathApps.Value(), | ||
| SecureAuthCookie: options.DeploymentValues.SecureAuthCookie.Value(), | ||
| APIKeyEncryptionKeycache: options.AppEncryptionKeyCache, | ||
| } | ||
| apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{ | ||
| @@ -1434,6 +1481,9 @@ func (api *API) Close() error { | ||
| _ = api.agentProvider.Close() | ||
| _ = api.statsReporter.Close() | ||
| _ = api.NetworkTelemetryBatcher.Close() | ||
| _ = api.OIDCConvertKeyCache.Close() | ||
| _ = api.AppSigningKeyCache.Close() | ||
| _ = api.AppEncryptionKeyCache.Close() | ||
| return nil | ||
| } | ||
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.