feat: add jwt pkg (#14928)

- Adds a `jwtutils` package to be shared amongst the various packages in the codebase that make use of JWTs. It's intended to help us standardize on one library instead of some implementations using `go-jose` and others using `golang-jwt`. The main reason we're converging on `go-jose` is due to its support for JWEs, `golang-jwt` also has a repo to handle it but it doesn't look maintained: https://github.com/golang-jwt/jwe
2025-07-12 00:14:10 +00:00 · 2024-10-03 21:09:52 -05:00
parent 50d9206950
commit 68ec532ca7
13 changed files with 1001 additions and 122 deletions
--- a/coderd/cryptokeys/dbkeycache_test.go
+++ b/coderd/cryptokeys/dbkeycache_test.go
@ -1,6 +1,7 @@
 package cryptokeys_test

 import (
+	"strconv"
 	"testing"

 	"github.com/stretchr/testify/require"
@ -10,7 +11,6 @@ import (

 	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/testutil"
@ -24,7 +24,7 @@ func TestMain(m *testing.M) {
 func TestDBKeyCache(t *testing.T) {
 	t.Parallel()

-	t.Run("Verifying", func(t *testing.T) {
+	t.Run("VerifyingKey", func(t *testing.T) {
 		t.Parallel()

 		t.Run("HitsCache", func(t *testing.T) {
@ -38,17 +38,18 @@ func TestDBKeyCache(t *testing.T) {
 			)

 			key := dbgen.CryptoKey(t, db, database.CryptoKey{
-				Feature:  database.CryptoKeyFeatureWorkspaceApps,
+				Feature:  database.CryptoKeyFeatureOidcConvert,
 				Sequence: 1,
 				StartsAt: clock.Now().UTC(),
 			})

-			k := cryptokeys.NewDBCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+			k, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+			require.NoError(t, err)
 			defer k.Close()

-			got, err := k.Verifying(ctx, key.Sequence)
+			got, err := k.VerifyingKey(ctx, keyID(key))
 			require.NoError(t, err)
-			require.Equal(t, db2sdk.CryptoKey(key), got)
+			require.Equal(t, decodedSecret(t, key), got)
 		})

 		t.Run("NotFound", func(t *testing.T) {
@ -61,10 +62,11 @@ func TestDBKeyCache(t *testing.T) {
 				logger = slogtest.Make(t, nil)
 			)

-			k := cryptokeys.NewDBCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+			k, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+			require.NoError(t, err)
 			defer k.Close()

-			_, err := k.Verifying(ctx, 123)
+			_, err = k.VerifyingKey(ctx, "123")
 			require.ErrorIs(t, err, cryptokeys.ErrKeyNotFound)
 		})
 	})
@ -80,29 +82,31 @@ func TestDBKeyCache(t *testing.T) {
 		)

 		_ = dbgen.CryptoKey(t, db, database.CryptoKey{
-			Feature:  database.CryptoKeyFeatureWorkspaceApps,
+			Feature:  database.CryptoKeyFeatureOidcConvert,
 			Sequence: 10,
 			StartsAt: clock.Now().UTC(),
 		})

 		expectedKey := dbgen.CryptoKey(t, db, database.CryptoKey{
-			Feature:  database.CryptoKeyFeatureWorkspaceApps,
+			Feature:  database.CryptoKeyFeatureOidcConvert,
 			Sequence: 12,
 			StartsAt: clock.Now().UTC(),
 		})

 		_ = dbgen.CryptoKey(t, db, database.CryptoKey{
-			Feature:  database.CryptoKeyFeatureWorkspaceApps,
+			Feature:  database.CryptoKeyFeatureOidcConvert,
 			Sequence: 2,
 			StartsAt: clock.Now().UTC(),
 		})

-		k := cryptokeys.NewDBCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+		k, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
 		defer k.Close()

-		got, err := k.Signing(ctx)
+		id, key, err := k.SigningKey(ctx)
 		require.NoError(t, err)
-		require.Equal(t, db2sdk.CryptoKey(expectedKey), got)
+		require.Equal(t, keyID(expectedKey), id)
+		require.Equal(t, decodedSecret(t, expectedKey), key)
 	})

 	t.Run("Closed", func(t *testing.T) {
@ -116,28 +120,97 @@ func TestDBKeyCache(t *testing.T) {
 		)

 		expectedKey := dbgen.CryptoKey(t, db, database.CryptoKey{
-			Feature:  database.CryptoKeyFeatureWorkspaceApps,
+			Feature:  database.CryptoKeyFeatureOidcConvert,
 			Sequence: 10,
 			StartsAt: clock.Now(),
 		})

-		k := cryptokeys.NewDBCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+		k, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
 		defer k.Close()

-		got, err := k.Signing(ctx)
+		id, key, err := k.SigningKey(ctx)
 		require.NoError(t, err)
-		require.Equal(t, db2sdk.CryptoKey(expectedKey), got)
+		require.Equal(t, keyID(expectedKey), id)
+		require.Equal(t, decodedSecret(t, expectedKey), key)

-		got, err = k.Verifying(ctx, expectedKey.Sequence)
+		key, err = k.VerifyingKey(ctx, keyID(expectedKey))
 		require.NoError(t, err)
-		require.Equal(t, db2sdk.CryptoKey(expectedKey), got)
+		require.Equal(t, decodedSecret(t, expectedKey), key)

 		k.Close()

-		_, err = k.Signing(ctx)
+		_, _, err = k.SigningKey(ctx)
 		require.ErrorIs(t, err, cryptokeys.ErrClosed)

-		_, err = k.Verifying(ctx, expectedKey.Sequence)
+		_, err = k.VerifyingKey(ctx, keyID(expectedKey))
 		require.ErrorIs(t, err, cryptokeys.ErrClosed)
 	})
+
+	t.Run("InvalidSigningFeature", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			db, _  = dbtestutil.NewDB(t)
+			clock  = quartz.NewMock(t)
+			logger = slogtest.Make(t, nil)
+			ctx    = testutil.Context(t, testutil.WaitShort)
+		)
+
+		_, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		// Instantiate a signing cache and try to use it as an encryption cache.
+		sc, err := cryptokeys.NewSigningCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
+		defer sc.Close()
+
+		ec, ok := sc.(cryptokeys.EncryptionKeycache)
+		require.True(t, ok)
+		_, _, err = ec.EncryptingKey(ctx)
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		_, err = ec.DecryptingKey(ctx, "123")
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+	})
+
+	t.Run("InvalidEncryptionFeature", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			db, _  = dbtestutil.NewDB(t)
+			clock  = quartz.NewMock(t)
+			logger = slogtest.Make(t, nil)
+			ctx    = testutil.Context(t, testutil.WaitShort)
+		)
+
+		_, err := cryptokeys.NewEncryptionCache(logger, db, database.CryptoKeyFeatureOidcConvert, cryptokeys.WithDBCacheClock(clock))
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		// Instantiate an encryption cache and try to use it as a signing cache.
+		ec, err := cryptokeys.NewEncryptionCache(logger, db, database.CryptoKeyFeatureWorkspaceApps, cryptokeys.WithDBCacheClock(clock))
+		require.NoError(t, err)
+		defer ec.Close()
+
+		sc, ok := ec.(cryptokeys.SigningKeycache)
+		require.True(t, ok)
+		_, _, err = sc.SigningKey(ctx)
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+
+		_, err = sc.VerifyingKey(ctx, "123")
+		require.ErrorIs(t, err, cryptokeys.ErrInvalidFeature)
+	})
+}
+
+func keyID(key database.CryptoKey) string {
+	return strconv.FormatInt(int64(key.Sequence), 10)
+}
+
+func decodedSecret(t *testing.T, key database.CryptoKey) []byte {
+	t.Helper()
+
+	secret, err := key.DecodeString()
+	require.NoError(t, err)
+
+	return secret
 }