feat: add session token injection to provisioner#7461

Merged
sreya merged 12 commits intomainfromjon/tfsessiontoken
May 18, 2023
Merged
pr comments
@sreya
sreya committedMay 17, 2023
commit1d35967bae5630c89905606ec71e89ca78a5f7d6
4 changes: 2 additions & 2 deletionscoderd/apikey.go
Expand Up@@ -374,7 +374,7 @@ func (api *API) validateAPIKeyLifetime(lifetime time.Duration) error {
}

func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*http.Cookie, *database.APIKey, error) {
secret, key, err := apikey.Generate(params)
key, sessionToken, err := apikey.Generate(params)
if err != nil {
return nil, nil, xerrors.Errorf("generate API key: %w", err)
}
Expand All@@ -390,7 +390,7 @@ func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*

return &http.Cookie{
Name: codersdk.SessionTokenCookie,
Value:secret,
Value:sessionToken,
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
12 changes: 6 additions & 6 deletionscoderd/apikey/apikey.go
Expand Up@@ -31,10 +31,10 @@ type CreateParams struct {
// Generate generates an API key, returning the key as a string as well as the
// database representation. It is the responsibility of the caller to insert it
// into the database.
func Generate(params CreateParams) (string,database.InsertAPIKeyParams, error) {
func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error) {
keyID, keySecret, err := generateKey()
if err != nil {
return"",database.InsertAPIKeyParams{}, xerrors.Errorf("generate API key: %w", err)
return database.InsertAPIKeyParams{}, "", xerrors.Errorf("generate API key: %w", err)
}

hashed := sha256.Sum256([]byte(keySecret))
Expand DownExpand Up@@ -67,12 +67,12 @@ func Generate(params CreateParams) (string, database.InsertAPIKeyParams, error)
switch scope {
case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
default:
return"",database.InsertAPIKeyParams{}, xerrors.Errorf("invalid API key scope: %q", scope)
return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
}

keyStr := fmt.Sprintf("%s-%s", keyID, keySecret)
token := fmt.Sprintf("%s-%s", keyID, keySecret)

returnkeyStr,database.InsertAPIKeyParams{
return database.InsertAPIKeyParams{
ID: keyID,
UserID: params.UserID,
LifetimeSeconds: params.LifetimeSeconds,
Expand All@@ -91,7 +91,7 @@ func Generate(params CreateParams) (string, database.InsertAPIKeyParams, error)
LoginType: params.LoginType,
Scope: scope,
TokenName: params.TokenName,
}, nil
},token,nil
}

// generateKey a new ID and secret for an API key.
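Review bot: The doc comment on Generate still describes the old return order, `returning the key as a string as well as the database representation`, while the signature now returns the InsertAPIKeyParams first and the token second. Suggest `// Generate generates an API key, returning the database representation (which stores only the SHA-256 hash of the secret) and the plaintext session token. It is the responsibility of the caller to insert the row into the database and to hand the token to the client, since the secret cannot be recovered from the row.` The body of Generate continues outside the hunk.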
35 changes: 18 additions & 17 deletionscoderd/apikey/apikey_test.go
Expand Up@@ -7,6 +7,7 @@ import (
"time"

"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/coder/coder/cli/clibase"
Expand DownExpand Up@@ -100,7 +101,7 @@ func TestGenerate(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()

keystr, key, err := apikey.Generate(tc.params)
key, keystr, err := apikey.Generate(tc.params)
if tc.fail {
require.Error(t, err)
return
Expand All@@ -117,46 +118,46 @@ func TestGenerate(t *testing.T) {

// Assert that the hashed secret is correct.
hashed := sha256.Sum256([]byte(keytokens[1]))
require.ElementsMatch(t, hashed, key.HashedSecret[:])
assert.ElementsMatch(t, hashed, key.HashedSecret[:])

require.Equal(t, tc.params.UserID, key.UserID)
require.WithinDuration(t, database.Now(), key.CreatedAt, time.Second*5)
require.WithinDuration(t, database.Now(), key.UpdatedAt, time.Second*5)
assert.Equal(t, tc.params.UserID, key.UserID)
assert.WithinDuration(t, database.Now(), key.CreatedAt, time.Second*5)
assert.WithinDuration(t, database.Now(), key.UpdatedAt, time.Second*5)

if tc.params.LifetimeSeconds > 0 {
require.Equal(t, tc.params.LifetimeSeconds, key.LifetimeSeconds)
assert.Equal(t, tc.params.LifetimeSeconds, key.LifetimeSeconds)
} else if !tc.params.ExpiresAt.IsZero() {
// Should not be a delta greater than 5 seconds.
require.InDelta(t, time.Until(tc.params.ExpiresAt).Seconds(), key.LifetimeSeconds, 5)
assert.InDelta(t, time.Until(tc.params.ExpiresAt).Seconds(), key.LifetimeSeconds, 5)
} else {
require.Equal(t, int64(tc.params.DeploymentValues.SessionDuration.Value().Seconds()), key.LifetimeSeconds)
assert.Equal(t, int64(tc.params.DeploymentValues.SessionDuration.Value().Seconds()), key.LifetimeSeconds)
}

if !tc.params.ExpiresAt.IsZero() {
require.Equal(t, tc.params.ExpiresAt.UTC(), key.ExpiresAt)
assert.Equal(t, tc.params.ExpiresAt.UTC(), key.ExpiresAt)
} else if tc.params.LifetimeSeconds > 0 {
require.WithinDuration(t, database.Now().Add(time.Duration(tc.params.LifetimeSeconds)), key.ExpiresAt, time.Second*5)
assert.WithinDuration(t, database.Now().Add(time.Duration(tc.params.LifetimeSeconds)), key.ExpiresAt, time.Second*5)
} else {
require.WithinDuration(t, database.Now().Add(tc.params.DeploymentValues.SessionDuration.Value()), key.ExpiresAt, time.Second*5)
assert.WithinDuration(t, database.Now().Add(tc.params.DeploymentValues.SessionDuration.Value()), key.ExpiresAt, time.Second*5)
}

if tc.params.RemoteAddr != "" {
require.Equal(t, tc.params.RemoteAddr, key.IPAddress.IPNet.IP.String())
assert.Equal(t, tc.params.RemoteAddr, key.IPAddress.IPNet.IP.String())
} else {
require.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
assert.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
}

if tc.params.Scope != "" {
require.Equal(t, tc.params.Scope, key.Scope)
assert.Equal(t, tc.params.Scope, key.Scope)
} else {
require.Equal(t, database.APIKeyScopeAll, key.Scope)
assert.Equal(t, database.APIKeyScopeAll, key.Scope)
}

if tc.params.TokenName != "" {
require.Equal(t, tc.params.TokenName, key.TokenName)
assert.Equal(t, tc.params.TokenName, key.TokenName)
}
if tc.params.LoginType != "" {
require.Equal(t, tc.params.LoginType, key.LoginType)
assert.Equal(t, tc.params.LoginType, key.LoginType)
}
})
}
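Review bot: The hashed-secret check uses `assert.ElementsMatch(t, hashed, key.HashedSecret[:])`, which compares the two byte sequences as unordered multisets, so it would still pass if the stored hash were a permutation of the expected digest; `assert.Equal(t, hashed[:], key.HashedSecret)` pins the exact bytes in order (assuming HashedSecret is a []byte, which the `[:]` slicing does not settle — it may be an array). The rest of the switch from require to assert is reasonable for these independent field checks, and the `require.Error` branch for failing cases is unchanged. The subtest closure begins outside the hunk.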
51 changes: 32 additions & 19 deletionscoderd/provisionerdserver/provisionerdserver.go
Expand Up@@ -203,7 +203,7 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
return nil, failJob(fmt.Sprintf("regenerate session token: %s", err))
}
case database.WorkspaceTransitionStop, database.WorkspaceTransitionDelete:
err =server.deleteSessionToken(ctx, workspace)
err = deleteSessionToken(ctx, server.Database, workspace)
if err != nil {
return nil, failJob(fmt.Sprintf("delete session token: %s", err))
}
Expand DownExpand Up@@ -1432,7 +1432,7 @@ func workspaceSessionTokenName(workspace database.Workspace) string {
}

func (server *Server) regenerateSessionToken(ctx context.Context, user database.User, workspace database.Workspace) (string, error) {
secret, newkey, err := apikey.Generate(apikey.CreateParams{
newkey, sessionToken, err := apikey.Generate(apikey.CreateParams{
UserID: user.ID,
LoginType: user.LoginType,
DeploymentValues: server.DeploymentValues,
Expand All@@ -1443,30 +1443,43 @@ func (server *Server) regenerateSessionToken(ctx context.Context, user database.
return "", xerrors.Errorf("generate API key: %w", err)
}

err = server.deleteSessionToken(ctx, workspace)
if err != nil {
return "", xerrors.Errorf("delete session token: %w", err)
}
err = server.Database.InTx(func(tx database.Store) error {
err := deleteSessionToken(ctx, tx, workspace)
if err != nil {
return xerrors.Errorf("delete session token: %w", err)
}

_, err = server.Database.InsertAPIKey(ctx, newkey)
_, err = tx.InsertAPIKey(ctx, newkey)
if err != nil {
return xerrors.Errorf("insert API key: %w", err)
}
return nil
}, nil)
if err != nil {
return "", xerrors.Errorf("insert API key: %w", err)
return "", xerrors.Errorf("create API key: %w", err)
}

returnsecret, nil
returnsessionToken, nil
}

func (server *Server) deleteSessionToken(ctx context.Context, workspace database.Workspace) error {
key, err := server.Database.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
UserID: workspace.OwnerID,
TokenName: workspaceSessionTokenName(workspace),
})
if err == nil {
err = server.Database.DeleteAPIKeyByID(ctx, key.ID)
}
func deleteSessionToken(ctx context.Context, db database.Store, workspace database.Workspace) error {
err := db.InTx(func(tx database.Store) error {
key, err := tx.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
UserID: workspace.OwnerID,
TokenName: workspaceSessionTokenName(workspace),
})
if err == nil {
err = tx.DeleteAPIKeyByID(ctx, key.ID)
}

if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
return xerrors.Errorf("get api key by name: %w", err)
if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
return xerrors.Errorf("get api key by name: %w", err)
}

return nil
}, nil)
if err != nil {
return xerrors.Errorf("in tx: %w", err)
}

return nil
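Review bot: In deleteSessionToken the error from tx.DeleteAPIKeyByID is reported under the label `get api key by name` and is also discarded if it happens to be sql.ErrNoRows, because the same err variable carries both the lookup and the delete result through the single check at the end of the closure. Splitting the two steps gives each failure its own message and keeps the ErrNoRows short-circuit on the lookup only, where it is the expected "nothing to revoke" case. Separately, regenerateSessionToken now calls deleteSessionToken with the tx it already holds, so InTx is entered a second time on a transaction; if the Store's InTx does not flatten nested calls this would try to open a transaction inside a transaction, which is worth confirming against the database package. The closing brace of deleteSessionToken is outside the hunk.
```go
func deleteSessionToken(ctx context.Context, db database.Store, workspace database.Workspace) error {
	err := db.InTx(func(tx database.Store) error {
		key, err := tx.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
			UserID:    workspace.OwnerID,
			TokenName: workspaceSessionTokenName(workspace),
		})
		if xerrors.Is(err, sql.ErrNoRows) {
			// No session token exists for this workspace; nothing to revoke.
			return nil
		}
		if err != nil {
			return xerrors.Errorf("get api key by name: %w", err)
		}
		if err := tx.DeleteAPIKeyByID(ctx, key.ID); err != nil {
			return xerrors.Errorf("delete api key: %w", err)
		}
		return nil
	}, nil)
	// … unchanged: "in tx" wrap of err and final return …
```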