Use new secret prefix

code-asher · code-asher · commit 8bbb308fa431 · 2024-02-08T17:34:46.000-09:00
diff --git a/enterprise/coderd/identityprovider/authorize.go b/enterprise/coderd/identityprovider/authorize.go
@@ -14,9 +14,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
 type authorizeParams struct {
@@ -81,21 +79,13 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 
 		// TODO: Ignoring scope for now, but should look into implementing.
-		// 40 characters matches the length of GitHub's client secrets.
-		rawCode, err := cryptorand.String(40)
+		code, err := GenerateSecret()
 		if err != nil {
 			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Failed to generate OAuth2 app authorization code.",
 			})
 			return
 		}
-		hashedCode, err := userpassword.Hash(rawCode)
-		if err != nil {
-			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
-				Message: "Failed to hash OAuth2 app authorization code.",
-			})
-			return
-		}
 		err = db.InTx(func(tx database.Store) error {
 			// Delete any previous codes.
 			err = tx.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams{
@@ -118,7 +108,8 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 				// token (for example suppose they ask the user to confirm and the user
 				// has left) then they can just retry immediately and get a new code.
 				ExpiresAt:    dbtime.Now().Add(time.Duration(10) * time.Minute),
-				HashedSecret: []byte(hashedCode),
+				SecretPrefix: []byte(code.Prefix),
+				HashedSecret: []byte(code.Hashed),
 				AppID:        app.ID,
 				UserID:       apiKey.UserID,
 			})
@@ -137,7 +128,7 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 
 		newQuery := params.redirectURL.Query()
-		newQuery.Add("code", rawCode)
+		newQuery.Add("code", code.Formatted)
 		newQuery.Add("state", params.state)
 		params.redirectURL.RawQuery = newQuery.Encode()
 
diff --git a/enterprise/coderd/identityprovider/secrets.go b/enterprise/coderd/identityprovider/secrets.go
@@ -0,0 +1,64 @@
+package identityprovider
+
+import (
+	"fmt"
+	"strings"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/userpassword"
+	"github.com/coder/coder/v2/cryptorand"
+)
+
+type OAuth2ProviderAppSecret struct {
+	Formatted string
+	Prefix    string
+	Hashed    string
+}
+
+// GenerateSecret generates a secret to be used as a client secret, refresh
+// token, or authorization code.
+func GenerateSecret() (OAuth2ProviderAppSecret, error) {
+	// 40 characters matches the length of GitHub's client secrets.
+	secret, err := cryptorand.String(40)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	// This ID is prefixed to the secret so it can be used to look up the secret
+	// when the user provides it, since we cannot just re-hash it to match as we
+	// will not have the salt.
+	prefix, err := cryptorand.String(10)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	hashed, err := userpassword.Hash(secret)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	return OAuth2ProviderAppSecret{
+		Formatted: fmt.Sprintf("coder_%s_%s", prefix, secret),
+		Prefix:    prefix,
+		Hashed:    hashed,
+	}, nil
+}
+
+// parseSecret extracts the ID and original secret from a secret.
+func parseSecret(secret string) (string, string, error) {
+	parts := strings.Split(secret, "_")
+	if len(parts) != 3 {
+		return "", "", xerrors.Errorf("incorrect number of parts: %d", len(parts))
+	}
+	if parts[0] != "coder" {
+		return "", "", xerrors.Errorf("incorrect scheme: %s", parts[0])
+	}
+	if len(parts[1]) == 0 {
+		return "", "", xerrors.Errorf("prefix is invalid")
+	}
+	if len(parts[2]) == 0 {
+		return "", "", xerrors.Errorf("invalid")
+	}
+	return parts[1], parts[2], nil
+}
diff --git a/enterprise/coderd/identityprovider/tokens.go b/enterprise/coderd/identityprovider/tokens.go
@@ -22,9 +22,14 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
+// errBadSecret means the user provided a bad secret.
+var errBadSecret = errors.New("Invalid client secret")
+
+// errBadCode means the user provided a bad code.
+var errBadCode = errors.New("Invalid code")
+
 type tokenParams struct {
 	clientID     string
 	clientSecret string
@@ -86,12 +91,12 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 		switch params.grantType {
 		// TODO: Client creds, device code, refresh.
 		default:
-			token, err = authorizationCodeGrant(ctx, db, app, defaultLifetime, params.clientSecret, params.code)
+			token, err = authorizationCodeGrant(ctx, db, app, defaultLifetime, params)
 		}
 
-		if err != nil && errors.Is(err, sql.ErrNoRows) {
+		if errors.Is(err, errBadCode) || errors.Is(err, errBadSecret) {
 			httpapi.Write(r.Context(), rw, http.StatusUnauthorized, codersdk.Response{
-				Message: "Invalid client secret or code",
+				Message: err.Error(),
 			})
 			return
 		}
@@ -109,59 +114,68 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 	}
 }
 
-func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, clientSecret, code string) (oauth2.Token, error) {
+func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, params tokenParams) (oauth2.Token, error) {
 	// Validate the client secret.
-	secretHash, err := userpassword.Hash(clientSecret)
+	secretPrefix, originalSecret, err := parseSecret(params.clientSecret)
 	if err != nil {
-		return oauth2.Token{}, err
+		return oauth2.Token{}, errBadSecret
+	}
+	//nolint:gocritic // Users cannot read secrets so we must use the system.
+	secret, err := db.GetOAuth2ProviderAppSecretByPrefix(dbauthz.AsSystemRestricted(ctx), []byte(secretPrefix))
+	if errors.Is(err, sql.ErrNoRows) {
+		return oauth2.Token{}, errBadSecret
 	}
-	secret, err := db.GetOAuth2ProviderAppSecretByAppIDAndSecret(
-		//nolint:gocritic // Users cannot read secrets so we must use the system.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: []byte(secretHash),
-		})
 	if err != nil {
 		return oauth2.Token{}, err
 	}
+	equal, err := userpassword.Compare(string(secret.HashedSecret), originalSecret)
+	if err != nil {
+		return oauth2.Token{}, xerrors.Errorf("unable to compare secret: %w", err)
+	}
+	if !equal {
+		return oauth2.Token{}, errBadSecret
+	}
 
 	// Validate the authorization code.
-	codeHash, err := userpassword.Hash(code)
+	codePrefix, originalCode, err := parseSecret(params.code)
 	if err != nil {
-		return oauth2.Token{}, err
+		return oauth2.Token{}, errBadCode
+	}
+	//nolint:gocritic // There is no user yet so we must use the system.
+	code, err := db.GetOAuth2ProviderAppCodeByPrefix(dbauthz.AsSystemRestricted(ctx), []byte(codePrefix))
+	if errors.Is(err, sql.ErrNoRows) {
+		return oauth2.Token{}, errBadCode
 	}
-	dbCode, err := db.GetOAuth2ProviderAppCodeByAppIDAndSecret(
-		//nolint:gocritic // There is no user yet so we must use the system.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: []byte(codeHash),
-		})
 	if err != nil {
 		return oauth2.Token{}, err
 	}
+	equal, err = userpassword.Compare(string(code.HashedSecret), originalCode)
+	if err != nil {
+		return oauth2.Token{}, xerrors.Errorf("unable to compare code: %w", err)
+	}
+	if !equal {
+		return oauth2.Token{}, errBadCode
+	}
 
-	// Ensure the code has not expired.  Make it look like no code.
-	if dbCode.ExpiresAt.Before(dbtime.Now()) {
-		return oauth2.Token{}, sql.ErrNoRows
+	// Ensure the code has not expired.
+	if code.ExpiresAt.Before(dbtime.Now()) {
+		return oauth2.Token{}, errBadCode
 	}
 
 	// Generate a refresh token.
 	// The refresh token is not currently used or exposed though as API keys can
 	// already be refreshed by just using them.
 	// TODO: However, should we implement the refresh grant anyway?
-	// 40 characters matches the length of GitHub's client secrets.
-	rawRefreshToken, err := cryptorand.String(40)
+	refreshToken, err := GenerateSecret()
 	if err != nil {
 		return oauth2.Token{}, err
 	}
 
 	// Generate the API key we will swap for the code.
 	// TODO: We are ignoring scopes for now.
-	tokenName := fmt.Sprintf("%s_%s_oauth_session_token", dbCode.UserID, app.ID)
+	tokenName := fmt.Sprintf("%s_%s_oauth_session_token", code.UserID, app.ID)
 	key, sessionToken, err := apikey.Generate(apikey.CreateParams{
-		UserID:    dbCode.UserID,
+		UserID:    code.UserID,
 		LoginType: database.LoginTypeOAuth2ProviderApp,
 		// TODO: This is just the lifetime for api keys, maybe have its own config
 		//       settings. #11693
@@ -175,12 +189,12 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 
 	// Grab the user roles so we can perform the exchange as the user.
 	//nolint:gocritic // In the token exchange, there is no user actor.
-	roles, err := db.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), dbCode.UserID)
+	roles, err := db.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), code.UserID)
 	if err != nil {
 		return oauth2.Token{}, err
 	}
 	userSubj := rbac.Subject{
-		ID:     dbCode.UserID.String(),
+		ID:     code.UserID.String(),
 		Roles:  rbac.RoleNames(roles.Roles),
 		Groups: roles.Groups,
 		Scope:  rbac.ScopeAll,
@@ -189,14 +203,14 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 	// Do the actual token exchange in the database.
 	err = db.InTx(func(tx database.Store) error {
 		ctx := dbauthz.As(ctx, userSubj)
-		err = tx.DeleteOAuth2ProviderAppCodeByID(ctx, dbCode.ID)
+		err = tx.DeleteOAuth2ProviderAppCodeByID(ctx, code.ID)
 		if err != nil {
 			return xerrors.Errorf("delete oauth2 app code: %w", err)
 		}
 
 		// Delete the previous key, if any.
 		prevKey, err := tx.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
-			UserID:    dbCode.UserID,
+			UserID:    code.UserID,
 			TokenName: tokenName,
 		})
 		if err == nil {
@@ -211,15 +225,12 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 			return xerrors.Errorf("insert oauth2 access token: %w", err)
 		}
 
-		refreshHash, err := userpassword.Hash(rawRefreshToken)
-		if err != nil {
-			return xerrors.Errorf("hash oauth2 refresh token: %w", err)
-		}
 		_, err = tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{
 			ID:          uuid.New(),
 			CreatedAt:   dbtime.Now(),
 			ExpiresAt:   key.ExpiresAt,
-			RefreshHash: []byte(refreshHash),
+			HashPrefix:  []byte(refreshToken.Prefix),
+			RefreshHash: []byte(refreshToken.Hashed),
 			AppSecretID: secret.ID,
 			APIKeyID:    newKey.ID,
 		})
@@ -236,7 +247,7 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 		AccessToken: sessionToken,
 		TokenType:   "Bearer",
 		// TODO: Exclude until refresh grant is implemented.
-		// RefreshToken: rawRefreshToken,
+		// RefreshToken: refreshToken.formatted,
 		// Expiry:       key.ExpiresAt,
 	}, nil
 }
diff --git a/enterprise/coderd/oauth2.go b/enterprise/coderd/oauth2.go
@@ -12,9 +12,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
 )
 
@@ -229,30 +227,23 @@ func (api *API) oAuth2ProviderAppSecrets(rw http.ResponseWriter, r *http.Request
 func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	app := httpmw.OAuth2ProviderApp(r)
-	// 40 characters matches the length of GitHub's client secrets.
-	rawSecret, err := cryptorand.String(40)
-	if err != nil {
-		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to generate OAuth2 client secret.",
-		})
-		return
-	}
-	hashed, err := userpassword.Hash(rawSecret)
+	secret, err := identityprovider.GenerateSecret()
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to hash OAuth2 client secret.",
+			Message: "Failed to generate OAuth2 client secret.",
 			Detail:  err.Error(),
 		})
 		return
 	}
-	secret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
+	dbSecret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
 		ID:           uuid.New(),
 		CreatedAt:    dbtime.Now(),
-		HashedSecret: []byte(hashed),
+		SecretPrefix: []byte(secret.Prefix),
+		HashedSecret: []byte(secret.Hashed),
 		// DisplaySecret is the last six characters of the original unhashed secret.
 		// This is done so they can be differentiated and it matches how GitHub
 		// displays their client secrets.
-		DisplaySecret: rawSecret[len(rawSecret)-6:],
+		DisplaySecret: secret.Formatted[len(secret.Formatted)-6:],
 		AppID:         app.ID,
 	})
 	if err != nil {
@@ -263,8 +254,8 @@ func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Requ
 		return
 	}
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.OAuth2ProviderAppSecretFull{
-		ID:               secret.ID,
-		ClientSecretFull: rawSecret,
+		ID:               dbSecret.ID,
+		ClientSecretFull: secret.Formatted,
 	})
 }
 
diff --git a/enterprise/coderd/oauth2_test.go b/enterprise/coderd/oauth2_test.go
