
Commit 7413907

committed
hm
1 parent 0323f79 commit 7413907


5 files changed

+35
-27
lines changed


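--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -448,14 +448,6 @@ func New(options *Options) *API {
 if err != nil {
 panic(xerrors.Errorf("get deployment ID: %w", err))
 }
-appSigningKeyCache, err := cryptokeys.NewSigningCache(options.Logger.Named("app_signing_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsToken)
-if err != nil {
-options.Logger.Fatal(ctx, "failed to initialize app signing key cache", slog.Error(err))
-}
-appEncryptingKeyCache, err := cryptokeys.NewEncryptionCache(options.Logger.Named("app_encrypting_key_cache"), options.Database, database.CryptoKeyFeatureWorkspaceAppsAPIKey)
-if err != nil {
-options.Logger.Fatal(ctx, "failed to initialize app encrypting key cache", slog.Error(err))
-}
 api := &API{
 ctx: ctx,
 cancel: cancel,
@@ -476,7 +468,7 @@ func New(options *Options) *API {
 options.DeploymentValues,
 oauthConfigs,
 options.AgentInactiveDisconnectTimeout,
-appSigningKeyCache,
+options.AppSigningKeyCache,
 ),
 metricsCache: metricsCache,
 Auditor: atomic.Pointer[audit.Auditor]{},
@@ -661,8 +653,8 @@ func New(options *Options) *API {
 
 DisablePathApps: options.DeploymentValues.DisablePathApps.Value(),
 SecureAuthCookie: options.DeploymentValues.SecureAuthCookie.Value(),
-Signer: appSigningKeyCache,
-EncryptingKeyManager: appEncryptingKeyCache,
+Signer: options.AppSigningKeyCache,
+EncryptingKeyManager: options.AppEncryptionKeyCache,
 }
 
 apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{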
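Review bot: `New` now hands `options.AppSigningKeyCache` (new line 471) and `options.AppEncryptionKeyCache` (new lines 656-657) straight to the token provider and the app config without checking that the caller set them, whereas the removed code failed fast with `Logger.Fatal` when a cache could not be built; a nil cache would now surface only when the first app token is signed or decrypted. The `Options` struct and the config type receiving `Signer`/`EncryptingKeyManager` are outside the hunk, so I cannot see whether a default is applied elsewhere, but `New` already panics on setup problems a few lines up, and the same treatment fits here: `if options.AppSigningKeyCache == nil || options.AppEncryptionKeyCache == nil { panic("coderd: AppSigningKeyCache and AppEncryptionKeyCache must be set") }`. The two field names are also asymmetric (`Signing` vs `Encryption`) while the removed locals were `appSigningKeyCache`/`appEncryptingKeyCache`; worth aligning before this lands. The body of `New` continues outside the hunks.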

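--- a/coderd/cryptokeys/rotate.go
+++ b/coderd/cryptokeys/rotate.go
@@ -56,7 +56,7 @@ func WithKeyDuration(keyDuration time.Duration) RotatorOption {
 // Canceling the provided context will stop the background process.
 func StartRotator(ctx context.Context, logger slog.Logger, db database.Store, opts ...RotatorOption) error {
 //nolint:gocritic // KeyRotator can only rotate crypto keys.
-ctx = dbauthz.AsSystemRestricted(ctx)
+ctx = dbauthz.AsKeyRotator(ctx)
 kr := &rotator{
 db: db,
 logger: logger,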

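--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -229,15 +229,33 @@ var (
 }.WithCachedASTValue()
 
 // See cryptokeys package.
-subjectCryptoKey = rbac.Subject{
+subjectCryptoKeyRotator = rbac.Subject{
 FriendlyName: "Crypto Key Rotator",
 ID: uuid.Nil.String(),
 Roles: rbac.Roles([]rbac.Role{
 {
 Identifier: rbac.RoleIdentifier{Name: "keyrotator"},
 DisplayName: "Key Rotator",
 Site: rbac.Permissions(map[string][]policy.Action{
-rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol, policy.ActionRead},
+rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
+}),
+Org: map[string][]rbac.Permission{},
+User: []rbac.Permission{},
+},
+}),
+Scope: rbac.ScopeAll,
+}.WithCachedASTValue()
+
+// See cryptokeys package.
+subjectCryptoKeyReader = rbac.Subject{
+FriendlyName: "Crypto Key Reader",
+ID: uuid.Nil.String(),
+Roles: rbac.Roles([]rbac.Role{
+{
+Identifier: rbac.RoleIdentifier{Name: "keyrotator"},
+DisplayName: "Key Rotator",
+Site: rbac.Permissions(map[string][]policy.Action{
+rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
 }),
 Org: map[string][]rbac.Permission{},
 User: []rbac.Permission{},
@@ -301,7 +319,12 @@ func AsHangDetector(ctx context.Context) context.Context {
 
 // AsKeyRotator returns a context with an actor that has permissions required for rotating crypto keys.
 func AsKeyRotator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKey)
+return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyRotator)
+}
+
+// AsKeyReader returns a context with an actor that has permissions required for reading crypto keys.
+func AsKeyReader(ctx context.Context) context.Context {
+return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyReader)
 }
 
 // AsSystemRestricted returns a context with an actor that has permissions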
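Review bot: The new `subjectCryptoKeyReader` (new lines 250-261) grants `policy.WildcardSymbol` on `rbac.ResourceCryptoKey.Type`, the same site permission as the rotator, so the actor returned by `AsKeyReader` is not read-only and can do everything the rotator can; the `var (` block this sits in starts and ends outside the hunk. If the point of the split is least privilege, the reader should get `rbac.ResourceCryptoKey.Type: {policy.ActionRead},` and should not reuse the rotator's identity either: `Identifier: rbac.RoleIdentifier{Name: "keyreader"},` and `DisplayName: "Key Reader",` (the role name is a suggestion), otherwise audit entries for the two actors are indistinguishable. The doc comment on `AsKeyReader` already promises "permissions required for reading crypto keys", so the current body contradicts it. The rotator's change from `{policy.WildcardSymbol, policy.ActionRead}` to `{policy.WildcardSymbol}` reads as a de-duplication if the wildcard already covers read, which I cannot confirm from here.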

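--- a/coderd/workspaceapps/db.go
+++ b/coderd/workspaceapps/db.go
@@ -38,7 +38,7 @@ type DBTokenProvider struct {
 DeploymentValues *codersdk.DeploymentValues
 OAuth2Configs *httpmw.OAuth2Configs
 WorkspaceAgentInactiveTimeout time.Duration
-Signer jwtutils.SigningKeyManager
+TokenSigner jwtutils.SigningKeyManager
 }
 
 var _ SignedTokenProvider = &DBTokenProvider{}
@@ -56,12 +56,12 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz
 DeploymentValues: cfg,
 OAuth2Configs: oauth2Cfgs,
 WorkspaceAgentInactiveTimeout: workspaceAgentInactiveTimeout,
-Signer: signer,
+TokenSigner: signer,
 }
 }
 
 func (p *DBTokenProvider) FromRequest(r *http.Request) (*SignedToken, bool) {
-return FromRequest(r, p.Signer)
+return FromRequest(r, p.TokenSigner)
 }
 
 func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {
@@ -217,7 +217,7 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
 token.Claims = jwt.Claims{
 Expiry: jwt.NewNumericDate(time.Now().Add(DefaultTokenExpiry)),
 }
-tokenStr, err := jwtutils.Sign(ctx, p.Signer, token)
+tokenStr, err := jwtutils.Sign(ctx, p.TokenSigner, token)
 if err != nil {
 WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "generate token")
 return nil, "", false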

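--- a/tailnet/resume.go
+++ b/tailnet/resume.go
@@ -21,15 +21,8 @@ import (
 
 const (
 DefaultResumeTokenExpiry = 24 * time.Hour
-
-resumeTokenSigningAlgorithm = jose.HS512
 )
 
-// resumeTokenSigningKeyID is a fixed key ID for the resume token signing key.
-// If/when we add support for multiple keys (e.g. key rotation), this will move
-// to the database instead.
-var resumeTokenSigningKeyID = uuid.MustParse("97166747-9309-4d7f-9071-a230e257c2a4")
-
 // NewInsecureTestResumeTokenProvider returns a ResumeTokenProvider that uses a
 // random key with short expiry for testing purposes. If any errors occur while
 // generating the key, the function panics.
@@ -40,7 +33,7 @@ func NewInsecureTestResumeTokenProvider() ResumeTokenProvider {
 }
 return NewResumeTokenKeyProvider(jwtutils.StaticKeyManager{
 ID: uuid.New().String(),
-Key: key,
+Key: key[:],
 }, quartz.NewReal(), time.Hour)
 }
 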
