coder
diff --git a/‎cli/server.go
Lines changed: 9 additions & 81 deletions b/‎cli/server.go
Lines changed: 9 additions & 81 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 16 additions & 10 deletions b/‎coderd/coderd.go
Lines changed: 16 additions & 10 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 0 additions & 5 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 0 additions & 5 deletions
diff --git a/‎coderd/jwtutils/jwe.go
Lines changed: 38 additions & 0 deletions b/‎coderd/jwtutils/jwe.go
Lines changed: 38 additions & 0 deletions
diff --git a/‎coderd/jwtutils/jws.go
Lines changed: 27 additions & 0 deletions b/‎coderd/jwtutils/jws.go
Lines changed: 27 additions & 0 deletions
diff --git a/‎coderd/workspaceagents.go
Lines changed: 1 addition & 1 deletion b/‎coderd/workspaceagents.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/workspaceagents_test.go
Lines changed: 10 additions & 5 deletions b/‎coderd/workspaceagents_test.go
Lines changed: 10 additions & 5 deletions
diff --git a/‎coderd/workspaceapps.go
Lines changed: 2 additions & 2 deletions b/‎coderd/workspaceapps.go
Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"database/sql"
-	"encoding/hex"
 	"errors"
 	"flag"
 	"fmt"
@@ -62,6 +61,7 @@ import (
 	"github.com/coder/serpent"
 	"github.com/coder/wgtunnel/tunnelsdk"
 
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/coder/v2/coderd/notifications/reports"
 	"github.com/coder/coder/v2/coderd/runtimeconfig"
@@ -97,7 +97,6 @@ import (
 	"github.com/coder/coder/v2/coderd/updatecheck"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	stringutil "github.com/coder/coder/v2/coderd/util/strings"
-	"github.com/coder/coder/v2/coderd/workspaceapps"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/coderd/workspacestats"
 	"github.com/coder/coder/v2/codersdk"
@@ -741,90 +740,19 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 						return xerrors.Errorf("set deployment id: %w", err)
 					}
 				}
-
-				// Read the app signing key from the DB. We store it hex encoded
-				// since the config table uses strings for the value and we
-				// don't want to deal with automatic encoding issues.
-				appSecurityKeyStr, err := tx.GetAppSecurityKey(ctx)
-				if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-					return xerrors.Errorf("get app signing key: %w", err)
-				}
-				// If the string in the DB is an invalid hex string or the
-				// length is not equal to the current key length, generate a new
-				// one.
-				//
-				// If the key is regenerated, old signed tokens and encrypted
-				// strings will become invalid. New signed app tokens will be
-				// generated automatically on failure. Any workspace app token
-				// smuggling operations in progress may fail, although with a
-				// helpful error.
-				if decoded, err := hex.DecodeString(appSecurityKeyStr); err != nil || len(decoded) != len(workspaceapps.SecurityKey{}) {
-					b := make([]byte, len(workspaceapps.SecurityKey{}))
-					_, err := rand.Read(b)
-					if err != nil {
-						return xerrors.Errorf("generate fresh app signing key: %w", err)
-					}
-
-					appSecurityKeyStr = hex.EncodeToString(b)
-					err = tx.UpsertAppSecurityKey(ctx, appSecurityKeyStr)
-					if err != nil {
-						return xerrors.Errorf("insert freshly generated app signing key to database: %w", err)
-					}
-				}
-
-				appSecurityKey, err := workspaceapps.KeyFromString(appSecurityKeyStr)
-				if err != nil {
-					return xerrors.Errorf("decode app signing key from database: %w", err)
-				}
-
-				options.AppSecurityKey = appSecurityKey
-
-				// Read the oauth signing key from the database. Like the app security, generate a new one
-				// if it is invalid for any reason.
-				oauthSigningKeyStr, err := tx.GetOAuthSigningKey(ctx)
-				if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
-					return xerrors.Errorf("get app oauth signing key: %w", err)
-				}
-				if decoded, err := hex.DecodeString(oauthSigningKeyStr); err != nil || len(decoded) != len(options.OAuthSigningKey) {
-					b := make([]byte, len(options.OAuthSigningKey))
-					_, err := rand.Read(b)
-					if err != nil {
-						return xerrors.Errorf("generate fresh oauth signing key: %w", err)
-					}
-
-					oauthSigningKeyStr = hex.EncodeToString(b)
-					err = tx.UpsertOAuthSigningKey(ctx, oauthSigningKeyStr)
-					if err != nil {
-						return xerrors.Errorf("insert freshly generated oauth signing key to database: %w", err)
-					}
-				}
-
-				oauthKeyBytes, err := hex.DecodeString(oauthSigningKeyStr)
-				if err != nil {
-					return xerrors.Errorf("decode oauth signing key from database: %w", err)
-				}
-				if len(oauthKeyBytes) != len(options.OAuthSigningKey) {
-					return xerrors.Errorf("oauth signing key in database is not the correct length, expect %d got %d", len(options.OAuthSigningKey), len(oauthKeyBytes))
-				}
-				copy(options.OAuthSigningKey[:], oauthKeyBytes)
-				if options.OAuthSigningKey == [32]byte{} {
-					return xerrors.Errorf("oauth signing key in database is empty")
-				}
-
-				// Read the coordinator resume token signing key from the
-				// database.
-				resumeTokenKey, err := tailnet.ResumeTokenSigningKeyFromDatabase(ctx, tx)
-				if err != nil {
-					return xerrors.Errorf("get coordinator resume token key from database: %w", err)
-				}
-				options.CoordinatorResumeTokenProvider = tailnet.NewResumeTokenKeyProvider(resumeTokenKey, quartz.NewReal(), tailnet.DefaultResumeTokenExpiry)
-
 				return nil
 			}, nil)
 			if err != nil {
-				return err
+				return xerrors.Errorf("set deployment id: %w", err)
 			}
 
+			resumeKeycache, err := cryptokeys.NewSigningCache(logger, options.Database, database.CryptoKeyFeatureTailnetResume)
+			if err != nil {
+				return xerrors.Errorf("create resume token key cache: %w", err)
+			}
+
+			options.CoordinatorResumeTokenProvider = tailnet.NewResumeTokenKeyProvider(resumeKeycache, quartz.NewReal(), tailnet.DefaultResumeTokenExpiry)
+
 			options.RuntimeConfig = runtimeconfig.NewManager()
 
 			// This should be output before the logs start streaming.
 
@@ -186,9 +186,7 @@ type Options struct {
 	TemplateScheduleStore          *atomic.Pointer[schedule.TemplateScheduleStore]
 	UserQuietHoursScheduleStore    *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
 	AccessControlStore             *atomic.Pointer[dbauthz.AccessControlStore]
-	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
 	// workspace applications. It consists of both a signing and encryption key.
-	AppSecurityKey workspaceapps.SecurityKey
 	// CoordinatorResumeTokenProvider is used to provide and validate resume
 	// tokens issued by and passed to the coordinator DRPC API.
 	CoordinatorResumeTokenProvider tailnet.ResumeTokenProvider
@@ -445,6 +443,14 @@ func New(options *Options) *API {
 	if err != nil {
 		panic(xerrors.Errorf("get deployment ID: %w", err))
 	}
+	appSigningKeyCache, err := cryptokeys.NewSigningCache(options.Logger.Named("app_signing_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsToken)
+	if err != nil {
+		options.Logger.Fatal(ctx, "failed to initialize app signing key cache", slog.Error(err))
+	}
+	appEncryptingKeyCache, err := cryptokeys.NewEncryptionCache(options.Logger.Named("app_encrypting_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsAPIKey)
+	if err != nil {
+		options.Logger.Fatal(ctx, "failed to initialize app encrypting key cache", slog.Error(err))
+	}
 	api := &API{
 		ctx:          ctx,
 		cancel:       cancel,
@@ -465,7 +471,7 @@ func New(options *Options) *API {
 			options.DeploymentValues,
 			oauthConfigs,
 			options.AgentInactiveDisconnectTimeout,
-			options.AppSecurityKey,
+			appSigningKeyCache,
 		),
 		metricsCache:                metricsCache,
 		Auditor:                     atomic.Pointer[audit.Auditor]{},
@@ -620,6 +626,7 @@ func New(options *Options) *API {
 	if err != nil {
 		api.Logger.Fatal(api.ctx, "failed to initialize oauth convert key cache", slog.Error(err))
 	}
+	api.workspaceAppsKeyCache = appEncryptingKeyCache
 
 	api.statsReporter = workspacestats.NewReporter(workspacestats.ReporterOptions{
 		Database:              options.Database,
@@ -640,9 +647,6 @@ func New(options *Options) *API {
 		options.WorkspaceAppsStatsCollectorOptions.Reporter = api.statsReporter
 	}
 
-	if options.AppSecurityKey.IsZero() {
-		api.Logger.Fatal(api.ctx, "app security key cannot be zero")
-	}
 	api.workspaceAppServer = &workspaceapps.Server{
 		Logger: workspaceAppsLogger,
 
@@ -654,11 +658,12 @@ func New(options *Options) *API {
 
 		SignedTokenProvider: api.WorkspaceAppsProvider,
 		AgentProvider:       api.agentProvider,
-		AppSecurityKey:      options.AppSecurityKey,
 		StatsCollector:      workspaceapps.NewStatsCollector(options.WorkspaceAppsStatsCollectorOptions),
 
-		DisablePathApps:  options.DeploymentValues.DisablePathApps.Value(),
-		SecureAuthCookie: options.DeploymentValues.SecureAuthCookie.Value(),
+		DisablePathApps:      options.DeploymentValues.DisablePathApps.Value(),
+		SecureAuthCookie:     options.DeploymentValues.SecureAuthCookie.Value(),
+		Signer:               appSigningKeyCache,
+		EncryptingKeyManager: appEncryptingKeyCache,
 	}
 
 	apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
@@ -1405,7 +1410,8 @@ type API struct {
 	// resumeTokenKeycache is used to fetch and cache keys used for signing JWTs
 	// oauthConvertKeycache is used to fetch and cache keys used for signing JWTs
 	// during OAuth conversions. See userauth.go.convertUserToOauth.
-	oauthConvertKeycache cryptokeys.SigningKeycache
+	oauthConvertKeycache  cryptokeys.SigningKeycache
+	workspaceAppsKeyCache cryptokeys.EncryptionKeycache
 }
 
 // Close waits for all WebSocket connections to drain before returning.
 
@@ -90,10 +90,6 @@ import (
 	"github.com/coder/coder/v2/testutil"
 )
 
-// AppSecurityKey is a 96-byte key used to sign JWTs and encrypt JWEs for
-// workspace app tokens in tests.
-var AppSecurityKey = must(workspaceapps.KeyFromString("6465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e207761732068657265206465616e2077617320686572"))
-
 type Options struct {
 	// AccessURL denotes a custom access URL. By default we use the httptest
 	// server's URL. Setting this may result in unexpected behavior (especially
@@ -525,7 +521,6 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			DeploymentOptions:                  codersdk.DeploymentOptionsWithoutSecrets(options.DeploymentValues.Options()),
 			UpdateCheckOptions:                 options.UpdateCheckOptions,
 			SwaggerEndpoint:                    options.SwaggerEndpoint,
-			AppSecurityKey:                     AppSecurityKey,
 			SSHConfig:                          options.ConfigSSH,
 			HealthcheckFunc:                    options.HealthcheckFunc,
 			HealthcheckTimeout:                 options.HealthcheckTimeout,
 
@@ -15,6 +15,11 @@ const (
 	encryptContentAlgo = jose.A256GCM
 )
 
+type EncryptingKeyManager interface {
+	EncryptKeyProvider
+	DecryptKeyProvider
+}
+
 type EncryptKeyProvider interface {
 	EncryptingKey(ctx context.Context) (id string, key interface{}, err error)
 }
@@ -65,6 +70,12 @@ func Encrypt(ctx context.Context, e EncryptKeyProvider, claims Claims) (string,
 	return compact, nil
 }
 
+func WithDecryptExpected(expected jwt.Expected) func(*DecryptOptions) {
+	return func(opts *DecryptOptions) {
+		opts.RegisteredClaims = expected
+	}
+}
+
 // DecryptOptions are options for decrypting a JWE.
 type DecryptOptions struct {
 	RegisteredClaims           jwt.Expected
@@ -119,3 +130,30 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla
 
 	return claims.Validate(options.RegisteredClaims)
 }
+
+type StaticKeyManager struct {
+	ID  string
+	Key interface{}
+}
+
+func (s StaticKeyManager) SigningKey(_ context.Context) (string, interface{}, error) {
+	return s.ID, s.Key, nil
+}
+
+func (s StaticKeyManager) VerifyingKey(_ context.Context, id string) (interface{}, error) {
+	if id != s.ID {
+		return nil, xerrors.Errorf("invalid id %q", id)
+	}
+	return s.Key, nil
+}
+
+func (s StaticKeyManager) EncryptingKey(_ context.Context) (string, interface{}, error) {
+	return s.ID, s.Key, nil
+}
+
+func (s StaticKeyManager) DecryptingKey(_ context.Context, id string) (interface{}, error) {
+	if id != s.ID {
+		return nil, xerrors.Errorf("invalid id %q", id)
+	}
+	return s.Key, nil
+}
@@ -24,6 +24,27 @@ const (
 	signingAlgo = jose.HS512
 )
 
+type StaticKeyManager struct {
+	ID  string
+	Key interface{}
+}
+
+func (s StaticKeyManager) SigningKey(_ context.Context) (string, interface{}, error) {
+	return s.ID, s.Key, nil
+}
+
+func (s StaticKeyManager) VerifyingKey(_ context.Context, id string) (interface{}, error) {
+	if id != s.ID {
+		return nil, xerrors.Errorf("invalid id %q", id)
+	}
+	return s.Key, nil
+}
+
+type SigningKeyManager interface {
+	SigningKeyProvider
+	VerifyKeyProvider
+}
+
 type SigningKeyProvider interface {
 	SigningKey(ctx context.Context) (id string, key interface{}, err error)
 }
@@ -75,6 +96,12 @@ type VerifyOptions struct {
 	SignatureAlgorithm jose.SignatureAlgorithm
 }
 
+func WithVerifyExpected(expected jwt.Expected) func(*VerifyOptions) {
+	return func(opts *VerifyOptions) {
+		opts.RegisteredClaims = expected
+	}
+}
+
 // Verify verifies that a token was signed by the provided key. It unmarshals into the provided claims.
 func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claims, opts ...func(*VerifyOptions)) error {
 	options := VerifyOptions{
 
@@ -853,7 +853,7 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	)
 	if resumeToken != "" {
 		var err error
-		peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(resumeToken)
+		peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(ctx, resumeToken)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 				Message: workspacesdk.CoordinateAPIInvalidResumeToken,
 
@@ -36,6 +36,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/externalauth"
+	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
@@ -531,20 +532,20 @@ func newResumeTokenRecordingProvider(t testing.TB, underlying tailnet.ResumeToke
 	}
 }
 
-func (r *resumeTokenRecordingProvider) GenerateResumeToken(peerID uuid.UUID) (*tailnetproto.RefreshResumeTokenResponse, error) {
+func (r *resumeTokenRecordingProvider) GenerateResumeToken(ctx context.Context, peerID uuid.UUID) (*tailnetproto.RefreshResumeTokenResponse, error) {
 	select {
 	case r.generateCalls <- peerID:
-		return r.ResumeTokenProvider.GenerateResumeToken(peerID)
+		return r.ResumeTokenProvider.GenerateResumeToken(ctx, peerID)
 	default:
 		r.t.Error("generateCalls full")
 		return nil, xerrors.New("generateCalls full")
 	}
 }
 
-func (r *resumeTokenRecordingProvider) VerifyResumeToken(token string) (uuid.UUID, error) {
+func (r *resumeTokenRecordingProvider) VerifyResumeToken(ctx context.Context, token string) (uuid.UUID, error) {
 	select {
 	case r.verifyCalls <- token:
-		return r.ResumeTokenProvider.VerifyResumeToken(token)
+		return r.ResumeTokenProvider.VerifyResumeToken(ctx, token)
 	default:
 		r.t.Error("verifyCalls full")
 		return uuid.Nil, xerrors.New("verifyCalls full")
@@ -557,10 +558,14 @@ func TestWorkspaceAgentClientCoordinate_ResumeToken(t *testing.T) {
 	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
+	mgr := jwtutils.StaticKeyManager{
+		ID:  uuid.New().String(),
+		Key: resumeTokenSigningKey,
+	}
 	require.NoError(t, err)
 	resumeTokenProvider := newResumeTokenRecordingProvider(
 		t,
-		tailnet.NewResumeTokenKeyProvider(resumeTokenSigningKey, clock, time.Hour),
+		tailnet.NewResumeTokenKeyProvider(mgr, clock, time.Hour),
 	)
 	client, closer, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
 		Coordinator:                    tailnet.NewCoordinator(logger),
 
@@ -16,6 +16,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
@@ -122,8 +123,7 @@ func (api *API) workspaceApplicationAuth(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
-	// Encrypt the API key.
-	encryptedAPIKey, err := api.AppSecurityKey.EncryptAPIKey(workspaceapps.EncryptedAPIKeyPayload{
+	encryptedAPIKey, err := jwtutils.Encrypt(ctx, api.workspaceAppsKeyCache, workspaceapps.EncryptedAPIKeyPayload{
 		APIKey: cookie.Value,
 	})
 	if err != nil {
Original file line number	Diff line number	Diff line change
`@@ -853,7 +853,7 @@ func (api API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r http.R`
`853`	`853`	`)`
`854`	`854`	`if resumeToken != "" {`
`855`	`855`	`var err error`
`856`		`- peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(resumeToken)`
	`856`	`+ peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(ctx, resumeToken)`
`857`	`857`	`if err != nil {`
`858`	`858`	`httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{`
`859`	`859`	`Message: workspacesdk.CoordinateAPIInvalidResumeToken,`