mirror of
https://github.com/coder/coder.git
synced 2025-07-06 15:41:45 +00:00
feat(coderd): connect dbcrypt package implementation (#9523)
See also: https://github.com/coder/coder/pull/9522 - Adds commands `server dbcrypt {rotate,decrypt,delete}` to re-encrypt, decrypt, or delete encrypted data, respectively. - Plumbs through dbcrypt in enterprise/coderd (including unit tests). - Adds documentation in admin/encryption.md. This enables dbcrypt by default, but the feature is soft-enforced on supplying external token encryption keys. Without specifying any keys, encryption/decryption is a no-op.
This commit is contained in:
Cian Johnston
GitHub
@ -33,6 +33,7 @@ import (
|
||||
"github.com/coder/coder/v2/enterprise/coderd/license"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/proxyhealth"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/schedule"
|
||||
"github.com/coder/coder/v2/enterprise/dbcrypt"
|
||||
"github.com/coder/coder/v2/enterprise/derpmesh"
|
||||
"github.com/coder/coder/v2/enterprise/replicasync"
|
||||
"github.com/coder/coder/v2/enterprise/tailnet"
|
||||
@ -47,8 +48,8 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
|
||||
if options.EntitlementsUpdateInterval == 0 {
|
||||
options.EntitlementsUpdateInterval = 10 * time.Minute
|
||||
}
|
||||
if options.Keys == nil {
|
||||
options.Keys = Keys
|
||||
if options.LicenseKeys == nil {
|
||||
options.LicenseKeys = Keys
|
||||
}
|
||||
if options.Options == nil {
|
||||
options.Options = &coderd.Options{}
|
||||
@ -61,10 +62,38 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
|
||||
}
|
||||
|
||||
ctx, cancelFunc := context.WithCancel(ctx)
|
||||
api := &API{
|
||||
ctx: ctx,
|
||||
cancel: cancelFunc,
|
||||
|
||||
if options.ExternalTokenEncryption == nil {
|
||||
options.ExternalTokenEncryption = make([]dbcrypt.Cipher, 0)
|
||||
}
|
||||
// Database encryption is an enterprise feature, but as checking license entitlements
|
||||
// depends on the database, we end up in a chicken-and-egg situation. To avoid this,
|
||||
// we always enable it but only soft-enforce it.
|
||||
if len(options.ExternalTokenEncryption) > 0 {
|
||||
var keyDigests []string
|
||||
for _, cipher := range options.ExternalTokenEncryption {
|
||||
keyDigests = append(keyDigests, cipher.HexDigest())
|
||||
}
|
||||
options.Logger.Info(ctx, "database encryption enabled", slog.F("keys", keyDigests))
|
||||
}
|
||||
|
||||
cryptDB, err := dbcrypt.New(ctx, options.Database, options.ExternalTokenEncryption...)
|
||||
if err != nil {
|
||||
cancelFunc()
|
||||
// If we fail to initialize the database, it's likely that the
|
||||
// database is encrypted with an unknown external token encryption key.
|
||||
// This is a fatal error.
|
||||
var derr *dbcrypt.DecryptFailedError
|
||||
if xerrors.As(err, &derr) {
|
||||
return nil, xerrors.Errorf("database encrypted with unknown key, either add the key or see https://coder.com/docs/v2/latest/admin/encryption#disabling-encryption: %w", derr)
|
||||
}
|
||||
return nil, xerrors.Errorf("init database encryption: %w", err)
|
||||
}
|
||||
options.Database = cryptDB
|
||||
|
||||
api := &API{
|
||||
ctx: ctx,
|
||||
cancel: cancelFunc,
|
||||
AGPL: coderd.New(options.Options),
|
||||
Options: options,
|
||||
provisionerDaemonAuth: &provisionerDaemonAuth{
|
||||
@ -364,6 +393,8 @@ type Options struct {
|
||||
BrowserOnly bool
|
||||
SCIMAPIKey []byte
|
||||
|
||||
ExternalTokenEncryption []dbcrypt.Cipher
|
||||
|
||||
// Used for high availability.
|
||||
ReplicaSyncUpdateInterval time.Duration
|
||||
DERPServerRelayAddress string
|
||||
@ -374,7 +405,7 @@ type Options struct {
|
||||
|
||||
EntitlementsUpdateInterval time.Duration
|
||||
ProxyHealthInterval time.Duration
|
||||
Keys map[string]ed25519.PublicKey
|
||||
LicenseKeys map[string]ed25519.PublicKey
|
||||
|
||||
// optional pre-shared key for authentication of external provisioner daemons
|
||||
ProvisionerDaemonPSK string
|
||||
@ -429,13 +460,14 @@ func (api *API) updateEntitlements(ctx context.Context) error {
|
||||
|
||||
entitlements, err := license.Entitlements(
|
||||
ctx, api.Database,
|
||||
api.Logger, len(api.replicaManager.AllPrimary()), len(api.GitAuthConfigs), api.Keys, map[codersdk.FeatureName]bool{
|
||||
api.Logger, len(api.replicaManager.AllPrimary()), len(api.GitAuthConfigs), api.LicenseKeys, map[codersdk.FeatureName]bool{
|
||||
codersdk.FeatureAuditLog: api.AuditLogging,
|
||||
codersdk.FeatureBrowserOnly: api.BrowserOnly,
|
||||
codersdk.FeatureSCIM: len(api.SCIMAPIKey) != 0,
|
||||
codersdk.FeatureHighAvailability: api.DERPServerRelayAddress != "",
|
||||
codersdk.FeatureMultipleGitAuth: len(api.GitAuthConfigs) > 1,
|
||||
codersdk.FeatureTemplateRBAC: api.RBAC,
|
||||
codersdk.FeatureExternalTokenEncryption: len(api.ExternalTokenEncryption) > 0,
|
||||
codersdk.FeatureExternalProvisionerDaemons: true,
|
||||
codersdk.FeatureAdvancedTemplateScheduling: true,
|
||||
// FeatureTemplateAutostopRequirement depends on
|
||||
@ -615,6 +647,16 @@ func (api *API) updateEntitlements(ctx context.Context) error {
|
||||
}
|
||||
}
|
||||
|
||||
// External token encryption is soft-enforced
|
||||
featureExternalTokenEncryption := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
|
||||
featureExternalTokenEncryption.Enabled = len(api.ExternalTokenEncryption) > 0
|
||||
if featureExternalTokenEncryption.Enabled && featureExternalTokenEncryption.Entitlement != codersdk.EntitlementEntitled {
|
||||
msg := fmt.Sprintf("%s is enabled (due to setting external token encryption keys) but your license is not entitled to this feature.", codersdk.FeatureExternalTokenEncryption.Humanize())
|
||||
api.Logger.Warn(ctx, msg)
|
||||
entitlements.Warnings = append(entitlements.Warnings, msg)
|
||||
}
|
||||
entitlements.Features[codersdk.FeatureExternalTokenEncryption] = featureExternalTokenEncryption
|
||||
|
||||
api.entitlementsMu.Lock()
|
||||
defer api.entitlementsMu.Unlock()
|
||||
api.entitlements = entitlements
|
||||
|
||||
@ -1,8 +1,10 @@
|
||||
package coderd_test
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
@ -16,6 +18,7 @@ import (
|
||||
"github.com/coder/coder/v2/coderd/database"
|
||||
"github.com/coder/coder/v2/coderd/database/dbauthz"
|
||||
"github.com/coder/coder/v2/coderd/database/dbfake"
|
||||
"github.com/coder/coder/v2/coderd/database/dbtestutil"
|
||||
"github.com/coder/coder/v2/coderd/database/dbtime"
|
||||
"github.com/coder/coder/v2/coderd/rbac"
|
||||
"github.com/coder/coder/v2/codersdk"
|
||||
@ -23,6 +26,7 @@ import (
|
||||
"github.com/coder/coder/v2/enterprise/coderd"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/license"
|
||||
"github.com/coder/coder/v2/enterprise/dbcrypt"
|
||||
"github.com/coder/coder/v2/testutil"
|
||||
)
|
||||
|
||||
@ -48,25 +52,27 @@ func TestEntitlements(t *testing.T) {
|
||||
AuditLogging: true,
|
||||
DontAddLicense: true,
|
||||
})
|
||||
// Enable all features
|
||||
features := make(license.Features)
|
||||
for _, feature := range codersdk.FeatureNames {
|
||||
features[feature] = 1
|
||||
}
|
||||
features[codersdk.FeatureUserLimit] = 100
|
||||
coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
|
||||
Features: license.Features{
|
||||
codersdk.FeatureUserLimit: 100,
|
||||
codersdk.FeatureAuditLog: 1,
|
||||
codersdk.FeatureTemplateRBAC: 1,
|
||||
codersdk.FeatureExternalProvisionerDaemons: 1,
|
||||
codersdk.FeatureAdvancedTemplateScheduling: 1,
|
||||
codersdk.FeatureWorkspaceProxy: 1,
|
||||
codersdk.FeatureUserRoleManagement: 1,
|
||||
},
|
||||
GraceAt: time.Now().Add(59 * 24 * time.Hour),
|
||||
Features: features,
|
||||
GraceAt: time.Now().Add(59 * 24 * time.Hour),
|
||||
})
|
||||
res, err := client.Entitlements(context.Background())
|
||||
require.NoError(t, err)
|
||||
assert.True(t, res.HasLicense)
|
||||
ul := res.Features[codersdk.FeatureUserLimit]
|
||||
assert.Equal(t, codersdk.EntitlementEntitled, ul.Entitlement)
|
||||
assert.Equal(t, int64(100), *ul.Limit)
|
||||
assert.Equal(t, int64(1), *ul.Actual)
|
||||
if assert.NotNil(t, ul.Limit) {
|
||||
assert.Equal(t, int64(100), *ul.Limit)
|
||||
}
|
||||
if assert.NotNil(t, ul.Actual) {
|
||||
assert.Equal(t, int64(1), *ul.Actual)
|
||||
}
|
||||
assert.True(t, ul.Enabled)
|
||||
al := res.Features[codersdk.FeatureAuditLog]
|
||||
assert.Equal(t, codersdk.EntitlementEntitled, al.Entitlement)
|
||||
@ -228,6 +234,134 @@ func TestAuditLogging(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestExternalTokenEncryption(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("Enabled", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
db, ps := dbtestutil.NewDB(t)
|
||||
ciphers, err := dbcrypt.NewCiphers(bytes.Repeat([]byte("a"), 32))
|
||||
require.NoError(t, err)
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
EntitlementsUpdateInterval: 25 * time.Millisecond,
|
||||
ExternalTokenEncryption: ciphers,
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{
|
||||
codersdk.FeatureExternalTokenEncryption: 1,
|
||||
},
|
||||
},
|
||||
Options: &coderdtest.Options{
|
||||
Database: db,
|
||||
Pubsub: ps,
|
||||
},
|
||||
})
|
||||
keys, err := db.GetDBCryptKeys(ctx)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, keys, 1)
|
||||
require.Equal(t, ciphers[0].HexDigest(), keys[0].ActiveKeyDigest.String)
|
||||
|
||||
require.Eventually(t, func() bool {
|
||||
entitlements, err := client.Entitlements(context.Background())
|
||||
assert.NoError(t, err)
|
||||
feature := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
|
||||
entitled := feature.Entitlement == codersdk.EntitlementEntitled
|
||||
var warningExists bool
|
||||
for _, warning := range entitlements.Warnings {
|
||||
if strings.Contains(warning, codersdk.FeatureExternalTokenEncryption.Humanize()) {
|
||||
warningExists = true
|
||||
break
|
||||
}
|
||||
}
|
||||
t.Logf("feature: %+v, warnings: %+v, errors: %+v", feature, entitlements.Warnings, entitlements.Errors)
|
||||
return feature.Enabled && entitled && !warningExists
|
||||
}, testutil.WaitShort, testutil.IntervalFast)
|
||||
})
|
||||
|
||||
t.Run("Disabled", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
db, ps := dbtestutil.NewDB(t)
|
||||
ciphers, err := dbcrypt.NewCiphers()
|
||||
require.NoError(t, err)
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
DontAddLicense: true,
|
||||
EntitlementsUpdateInterval: 25 * time.Millisecond,
|
||||
ExternalTokenEncryption: ciphers,
|
||||
Options: &coderdtest.Options{
|
||||
Database: db,
|
||||
Pubsub: ps,
|
||||
},
|
||||
})
|
||||
keys, err := db.GetDBCryptKeys(ctx)
|
||||
require.NoError(t, err)
|
||||
require.Empty(t, keys)
|
||||
|
||||
require.Eventually(t, func() bool {
|
||||
entitlements, err := client.Entitlements(context.Background())
|
||||
assert.NoError(t, err)
|
||||
feature := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
|
||||
entitled := feature.Entitlement == codersdk.EntitlementEntitled
|
||||
var warningExists bool
|
||||
for _, warning := range entitlements.Warnings {
|
||||
if strings.Contains(warning, codersdk.FeatureExternalTokenEncryption.Humanize()) {
|
||||
warningExists = true
|
||||
break
|
||||
}
|
||||
}
|
||||
t.Logf("feature: %+v, warnings: %+v, errors: %+v", feature, entitlements.Warnings, entitlements.Errors)
|
||||
return !feature.Enabled && !entitled && !warningExists
|
||||
}, testutil.WaitShort, testutil.IntervalFast)
|
||||
})
|
||||
|
||||
t.Run("PreviouslyEnabledButMissingFromLicense", func(t *testing.T) {
|
||||
// If this test fails, it potentially means that a customer who has
|
||||
// actively been using this feature is now unable _start coderd_
|
||||
// because of a licensing issue. This should never happen.
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
db, ps := dbtestutil.NewDB(t)
|
||||
ciphers, err := dbcrypt.NewCiphers(bytes.Repeat([]byte("a"), 32))
|
||||
require.NoError(t, err)
|
||||
|
||||
dbc, err := dbcrypt.New(ctx, db, ciphers...) // should insert key
|
||||
require.NoError(t, err)
|
||||
|
||||
keys, err := dbc.GetDBCryptKeys(ctx)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, keys, 1)
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
DontAddLicense: true,
|
||||
EntitlementsUpdateInterval: 25 * time.Millisecond,
|
||||
ExternalTokenEncryption: ciphers,
|
||||
Options: &coderdtest.Options{
|
||||
Database: db,
|
||||
Pubsub: ps,
|
||||
},
|
||||
})
|
||||
|
||||
require.Eventually(t, func() bool {
|
||||
entitlements, err := client.Entitlements(context.Background())
|
||||
assert.NoError(t, err)
|
||||
feature := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
|
||||
entitled := feature.Entitlement == codersdk.EntitlementEntitled
|
||||
var warningExists bool
|
||||
for _, warning := range entitlements.Warnings {
|
||||
if strings.Contains(warning, codersdk.FeatureExternalTokenEncryption.Humanize()) {
|
||||
warningExists = true
|
||||
break
|
||||
}
|
||||
}
|
||||
t.Logf("feature: %+v, warnings: %+v, errors: %+v", feature, entitlements.Warnings, entitlements.Errors)
|
||||
return feature.Enabled && !entitled && warningExists
|
||||
}, testutil.WaitShort, testutil.IntervalFast)
|
||||
})
|
||||
}
|
||||
|
||||
// testDBAuthzRole returns a context with a subject that has a role
|
||||
// with permissions required for test setup.
|
||||
func testDBAuthzRole(ctx context.Context) context.Context {
|
||||
|
||||
@ -21,6 +21,7 @@ import (
|
||||
"github.com/coder/coder/v2/codersdk"
|
||||
"github.com/coder/coder/v2/enterprise/coderd"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/license"
|
||||
"github.com/coder/coder/v2/enterprise/dbcrypt"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -56,6 +57,7 @@ type Options struct {
|
||||
DontAddLicense bool
|
||||
DontAddFirstUser bool
|
||||
ReplicaSyncUpdateInterval time.Duration
|
||||
ExternalTokenEncryption []dbcrypt.Cipher
|
||||
ProvisionerDaemonPSK string
|
||||
}
|
||||
|
||||
@ -92,10 +94,11 @@ func NewWithAPI(t *testing.T, options *Options) (
|
||||
ReplicaSyncUpdateInterval: options.ReplicaSyncUpdateInterval,
|
||||
Options: oop,
|
||||
EntitlementsUpdateInterval: options.EntitlementsUpdateInterval,
|
||||
Keys: Keys,
|
||||
LicenseKeys: Keys,
|
||||
ProxyHealthInterval: options.ProxyHealthInterval,
|
||||
DefaultQuietHoursSchedule: oop.DeploymentValues.UserQuietHoursSchedule.DefaultSchedule.Value(),
|
||||
ProvisionerDaemonPSK: options.ProvisionerDaemonPSK,
|
||||
ExternalTokenEncryption: options.ExternalTokenEncryption,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
setHandler(coderAPI.AGPL.RootHandler)
|
||||
|
||||
@ -84,7 +84,7 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
rawClaims, err := license.ParseRaw(addLicense.License, api.Keys)
|
||||
rawClaims, err := license.ParseRaw(addLicense.License, api.LicenseKeys)
|
||||
if err != nil {
|
||||
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
||||
Message: "Invalid license",
|
||||
@ -102,7 +102,7 @@ func (api *API) postLicense(rw http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
expTime := time.Unix(int64(exp), 0)
|
||||
|
||||
claims, err := license.ParseClaims(addLicense.License, api.Keys)
|
||||
claims, err := license.ParseClaims(addLicense.License, api.LicenseKeys)
|
||||
if err != nil {
|
||||
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
||||
Message: "Invalid license",
|
||||
|
||||
Reference in New Issue
Block a user