
Commit 7b84d8c

committed
Add secret prefix column and query to get token
The prefix is embedded in the secret itself and serves as a lookup ID, which lets each hashed secret be salted with a per-secret value. The token query is needed to implement the refresh flow.
1 parent ce7bc3f commit 7b84d8c


16 files changed

+339
-200
lines changed


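--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1202,16 +1202,12 @@ func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (d
 	return q.db.GetOAuth2ProviderAppByID(ctx, id)
 }
 
-func (q *querier) GetOAuth2ProviderAppCodeByAppIDAndSecret(ctx context.Context, arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode, error) {
-	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByAppIDAndSecret)(ctx, arg)
-}
-
 func (q *querier) GetOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
 	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByID)(ctx, id)
 }
 
-func (q *querier) GetOAuth2ProviderAppSecretByAppIDAndSecret(ctx context.Context, arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret, error) {
-	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppSecretByAppIDAndSecret)(ctx, arg)
+func (q *querier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
+	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByPrefix)(ctx, secretPrefix)
 }
 
 func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
@@ -1221,13 +1217,33 @@ func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UU
 	return q.db.GetOAuth2ProviderAppSecretByID(ctx, id)
 }
 
+func (q *querier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppSecret, error) {
+	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppSecretByPrefix)(ctx, secretPrefix)
+}
+
 func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID uuid.UUID) ([]database.OAuth2ProviderAppSecret, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
 		return []database.OAuth2ProviderAppSecret{}, err
 	}
 	return q.db.GetOAuth2ProviderAppSecretsByAppID(ctx, appID)
 }
 
+func (q *querier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPrefix []byte) (database.OAuth2ProviderAppToken, error) {
+	token, err := q.db.GetOAuth2ProviderAppTokenByPrefix(ctx, hashPrefix)
+	if err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	// The user ID is on the API key so that has to be fetched.
+	key, err := q.db.GetAPIKeyByID(ctx, token.APIKeyID)
+	if err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	return token, nil
+}
+
 func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
 		return []database.OAuth2ProviderApp{}, err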
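Review bot: GetOAuth2ProviderAppTokenByPrefix in the second hunk resolves a token from a plaintext, attacker-choosable identifier and hands it back after only an RBAC read check, so nothing in this layer verifies the presented secret; that contract should be written on the function so the refresh-flow caller does not mistake a successful lookup for authentication. I'd add above the signature: `// GetOAuth2ProviderAppTokenByPrefix resolves a token by the plaintext prefix embedded in the presented secret. The prefix is not a secret: callers must still compare the full hash (RefreshHash) in constant time before honoring the token.` The same note applies to the two ByPrefix wrappers above it, which go through fetch() and so presumably get the usual not-found/authorization normalization, whereas this function calls q.db directly and returns a raw GetAPIKeyByID error before any authorization decision. The SQL query and migration behind these lookups are not on this page, so whether secret_prefix and hash_prefix carry a unique constraint cannot be confirmed here; without one a collision returns an arbitrary row and the caller's hash comparison would then reject a legitimate token.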

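--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -2389,15 +2389,12 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppSecrets() {
 		})
 		check.Args(secret.ID).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
 	}))
-	s.Run("GetOAuth2ProviderAppSecretByAppIDAndSecret", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("GetOAuth2ProviderAppSecretByPrefix", s.Subtest(func(db database.Store, check *expects) {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		secret := dbgen.OAuth2ProviderAppSecret(s.T(), db, database.OAuth2ProviderAppSecret{
 			AppID: app.ID,
 		})
-		check.Args(database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
-			AppID: app.ID,
-			HashedSecret: secret.HashedSecret,
-		}).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
+		check.Args(secret.SecretPrefix).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
 	}))
 	s.Run("InsertOAuth2ProviderAppSecret", s.Subtest(func(db database.Store, check *expects) {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
@@ -2435,17 +2432,14 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {
 		})
 		check.Args(code.ID).Asserts(code, rbac.ActionRead).Returns(code)
 	}))
-	s.Run("GetOAuth2ProviderAppCodeByAppIDAndSecret", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("GetOAuth2ProviderAppCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		code := dbgen.OAuth2ProviderAppCode(s.T(), db, database.OAuth2ProviderAppCode{
 			AppID: app.ID,
 			UserID: user.ID,
 		})
-		check.Args(database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
-			AppID: app.ID,
-			HashedSecret: code.HashedSecret,
-		}).Asserts(code, rbac.ActionRead).Returns(code)
+		check.Args(code.SecretPrefix).Asserts(code, rbac.ActionRead).Returns(code)
 	}))
 	s.Run("InsertOAuth2ProviderAppCode", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
@@ -2495,6 +2489,21 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
 			APIKeyID: key.ID,
 		}).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionCreate)
 	}))
+	s.Run("GetOAuth2ProviderAppTokenByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		user := dbgen.User(s.T(), db, database.User{})
+		key, _ := dbgen.APIKey(s.T(), db, database.APIKey{
+			UserID: user.ID,
+		})
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		secret := dbgen.OAuth2ProviderAppSecret(s.T(), db, database.OAuth2ProviderAppSecret{
+			AppID: app.ID,
+		})
+		token := dbgen.OAuth2ProviderAppToken(s.T(), db, database.OAuth2ProviderAppToken{
+			AppSecretID: secret.ID,
+			APIKeyID: key.ID,
+		})
+		check.Args(token.HashPrefix).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionRead)
+	}))
 	s.Run("DeleteOAuth2ProviderAppTokensByAppAndUserID", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
 		key, _ := dbgen.APIKey(s.T(), db, database.APIKey{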
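Review bot: The new GetOAuth2ProviderAppTokenByPrefix subtest in the last hunk asserts only the RBAC check and, unlike the code and secret ByPrefix subtests above it, never calls `.Returns(token)`, so an implementation that authorizes correctly but hands back a different row would still pass. I'd close the chain the same way as the siblings: `check.Args(token.HashPrefix).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionRead).Returns(token)`. The owner is resolved through the token's APIKeyID, so a token whose API key no longer exists is a distinct path (lookup error rather than a successful read) that nothing here exercises and is worth a second subtest. The enclosing TestOAuth2ProviderAppTokens method continues past the end of the hunk.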

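--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -707,6 +707,7 @@ func OAuth2ProviderAppSecret(t testing.TB, db database.Store, seed database.OAut
 	app, err := db.InsertOAuth2ProviderAppSecret(genCtx, database.InsertOAuth2ProviderAppSecretParams{
 		ID: takeFirst(seed.ID, uuid.New()),
 		CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
+		SecretPrefix: takeFirstSlice(seed.SecretPrefix, []byte("prefix")),
 		HashedSecret: takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
 		DisplaySecret: takeFirst(seed.DisplaySecret, "secret"),
 		AppID: takeFirst(seed.AppID, uuid.New()),
@@ -720,6 +721,7 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2
 		ID: takeFirst(seed.ID, uuid.New()),
 		CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
 		ExpiresAt: takeFirst(seed.CreatedAt, dbtime.Now()),
+		SecretPrefix: takeFirstSlice(seed.SecretPrefix, []byte("prefix")),
 		HashedSecret: takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
 		AppID: takeFirst(seed.AppID, uuid.New()),
 		UserID: takeFirst(seed.UserID, uuid.New()),
@@ -733,6 +735,7 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
 		ID: takeFirst(seed.ID, uuid.New()),
 		CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
 		ExpiresAt: takeFirst(seed.CreatedAt, dbtime.Now()),
+		HashPrefix: takeFirstSlice(seed.HashPrefix, []byte("prefix")),
 		RefreshHash: takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),
 		AppSecretID: takeFirst(seed.AppSecretID, uuid.New()),
 		APIKeyID: takeFirst(seed.APIKeyID, uuid.New().String()),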
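Review bot: Every generated secret, code and token now defaults to the identical literal `[]byte("prefix")`, which defeats the point of a lookup identifier: any test that creates two rows of one kind gets ambiguous ByPrefix lookups, and the in-memory store returns whichever row it iterates first. The generators already use uuid for unique defaults on ID, so the prefix should get the same treatment, e.g. `SecretPrefix: takeFirstSlice(seed.SecretPrefix, []byte(uuid.New().String())),` in the first two hunks and `HashPrefix: takeFirstSlice(seed.HashPrefix, []byte(uuid.New().String())),` in the third. All three generator functions begin before their hunks, so only the insert parameters are visible here.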

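--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -2261,58 +2261,48 @@ func (q *FakeQuerier) GetOAuth2ProviderAppByID(_ context.Context, id uuid.UUID)
 	return database.OAuth2ProviderApp{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppCodeByAppIDAndSecret(_ context.Context, arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode, error) {
-	err := validateDatabaseType(arg)
-	if err != nil {
-		return database.OAuth2ProviderAppCode{}, err
-	}
-
+func (q *FakeQuerier) GetOAuth2ProviderAppCodeByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, code := range q.oauth2ProviderAppCodes {
-		if bytes.Equal(code.HashedSecret, arg.HashedSecret) && code.AppID == arg.AppID {
+		if code.ID == id {
 			return code, nil
 		}
 	}
 	return database.OAuth2ProviderAppCode{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppCodeByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
+func (q *FakeQuerier) GetOAuth2ProviderAppCodeByPrefix(_ context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, code := range q.oauth2ProviderAppCodes {
-		if code.ID == id {
+		if bytes.Equal(code.SecretPrefix, secretPrefix) {
 			return code, nil
 		}
 	}
 	return database.OAuth2ProviderAppCode{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppSecretByAppIDAndSecret(_ context.Context, arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret, error) {
-	err := validateDatabaseType(arg)
-	if err != nil {
-		return database.OAuth2ProviderAppSecret{}, err
-	}
-
+func (q *FakeQuerier) GetOAuth2ProviderAppSecretByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, secret := range q.oauth2ProviderAppSecrets {
-		if secret.AppID == arg.AppID && bytes.Equal(secret.HashedSecret, arg.HashedSecret) {
+		if secret.ID == id {
 			return secret, nil
 		}
 	}
 	return database.OAuth2ProviderAppSecret{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppSecretByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
+func (q *FakeQuerier) GetOAuth2ProviderAppSecretByPrefix(_ context.Context, secretPrefix []byte) (database.OAuth2ProviderAppSecret, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, secret := range q.oauth2ProviderAppSecrets {
-		if secret.ID == id {
+		if bytes.Equal(secret.SecretPrefix, secretPrefix) {
 			return secret, nil
 		}
 	}
@@ -2347,6 +2337,18 @@ func (q *FakeQuerier) GetOAuth2ProviderAppSecretsByAppID(_ context.Context, appI
 	return []database.OAuth2ProviderAppSecret{}, sql.ErrNoRows
 }
 
+func (q *FakeQuerier) GetOAuth2ProviderAppTokenByPrefix(_ context.Context, hashPrefix []byte) (database.OAuth2ProviderAppToken, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for _, token := range q.oauth2ProviderAppTokens {
+		if bytes.Equal(token.HashPrefix, hashPrefix) {
+			return token, nil
+		}
+	}
+	return database.OAuth2ProviderAppToken{}, sql.ErrNoRows
+}
+
 func (q *FakeQuerier) GetOAuth2ProviderApps(_ context.Context) ([]database.OAuth2ProviderApp, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
@@ -5460,6 +5462,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppCode(_ context.Context, arg databas
 		ID: arg.ID,
 		CreatedAt: arg.CreatedAt,
 		ExpiresAt: arg.ExpiresAt,
+		SecretPrefix: arg.SecretPrefix,
 		HashedSecret: arg.HashedSecret,
 		UserID: arg.UserID,
 		AppID: arg.AppID,
@@ -5486,6 +5489,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppSecret(_ context.Context, arg datab
 	secret := database.OAuth2ProviderAppSecret{
 		ID: arg.ID,
 		CreatedAt: arg.CreatedAt,
+		SecretPrefix: arg.SecretPrefix,
 		HashedSecret: arg.HashedSecret,
 		DisplaySecret: arg.DisplaySecret,
 		AppID: arg.AppID,
@@ -5514,6 +5518,7 @@ func (q *FakeQuerier) InsertOAuth2ProviderAppToken(_ context.Context, arg databa
 		ID: arg.ID,
 		CreatedAt: arg.CreatedAt,
 		ExpiresAt: arg.ExpiresAt,
+		HashPrefix: arg.HashPrefix,
 		RefreshHash: arg.RefreshHash,
 		APIKeyID: arg.APIKeyID,
 		AppSecretID: arg.AppSecretID,
@@ -6632,6 +6637,7 @@ func (q *FakeQuerier) UpdateOAuth2ProviderAppSecretByID(_ context.Context, arg d
 	newSecret := database.OAuth2ProviderAppSecret{
 		ID: arg.ID,
 		CreatedAt: secret.CreatedAt,
+		SecretPrefix: secret.SecretPrefix,
 		HashedSecret: secret.HashedSecret,
 		DisplaySecret: secret.DisplaySecret,
 		AppID: secret.AppID,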
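Review bot: The three new ByPrefix lookups in the first two hunks return the first row whose prefix satisfies bytes.Equal, yet none of the Insert* fakes in the later hunks reject a duplicate prefix, so the in-memory store silently tolerates the collision that a unique index on the real column would presumably refuse (the migration and SQL are not on this page, so confirm that constraint exists). A second edge applies to both stores: `bytes.Equal(nil, []byte{})` is true, so a lookup with an empty prefix matches any row whose stored prefix is empty, and a refresh token that fails to split on its separator could resolve to such a row; a guard like `if len(hashPrefix) == 0 { return database.OAuth2ProviderAppToken{}, sql.ErrNoRows }` at the top of each lookup, with the equivalent check in the real query path, closes that. Dropping validateDatabaseType here is fine since the new arguments are plain []byte rather than generated param structs.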

coderd/database/dbmetrics/dbmetrics.go

Lines changed: 17 additions & 10 deletions
