feat: enable key rotation (#15066)

This PR contains the remaining logic necessary to hook up key rotation to the product.
2025-07-03 16:13:58 +00:00 · 2024-10-25 17:14:35 +01:00
parent ccfffc6911
commit cd890aa3a0
54 changed files with 1412 additions and 1129 deletions
--- a/coderd/jwtutils/jwe.go
+++ b/coderd/jwtutils/jwe.go
@ -65,6 +65,12 @@ func Encrypt(ctx context.Context, e EncryptKeyProvider, claims Claims) (string,
 	return compact, nil
 }

+func WithDecryptExpected(expected jwt.Expected) func(*DecryptOptions) {
+	return func(opts *DecryptOptions) {
+		opts.RegisteredClaims = expected
+	}
+}
+
 // DecryptOptions are options for decrypting a JWE.
 type DecryptOptions struct {
 	RegisteredClaims           jwt.Expected
@ -100,7 +106,7 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla

 	kid := object.Header.KeyID
 	if kid == "" {
-		return xerrors.Errorf("expected %q header to be a string", keyIDHeaderKey)
+		return ErrMissingKeyID
 	}

 	key, err := d.DecryptingKey(ctx, kid)