feat: enable key rotation (#15066)

This PR contains the remaining logic necessary to hook up key rotation to the product.
2025-07-12 00:14:10 +00:00 · 2024-10-25 17:14:35 +01:00
parent ccfffc6911
commit cd890aa3a0
54 changed files with 1412 additions and 1129 deletions
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@ -3113,9 +3113,11 @@ func (c *Client) SSHConfiguration(ctx context.Context) (SSHConfigResponse, error
 type CryptoKeyFeature string

 const (
-	CryptoKeyFeatureWorkspaceApp  CryptoKeyFeature = "workspace_apps"
-	CryptoKeyFeatureOIDCConvert   CryptoKeyFeature = "oidc_convert"
-	CryptoKeyFeatureTailnetResume CryptoKeyFeature = "tailnet_resume"
+	CryptoKeyFeatureWorkspaceAppsAPIKey CryptoKeyFeature = "workspace_apps_api_key"
+	//nolint:gosec // This denotes a type of key, not a literal.
+	CryptoKeyFeatureWorkspaceAppsToken CryptoKeyFeature = "workspace_apps_token"
+	CryptoKeyFeatureOIDCConvert        CryptoKeyFeature = "oidc_convert"
+	CryptoKeyFeatureTailnetResume      CryptoKeyFeature = "tailnet_resume"
 )

 type CryptoKey struct {
--- a/codersdk/workspacesdk/connector_internal_test.go
+++ b/codersdk/workspacesdk/connector_internal_test.go
@ -25,6 +25,7 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/v2/apiversion"
 	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/tailnet/proto"
@ -61,7 +62,7 @@ func TestTailnetAPIConnector_Disconnects(t *testing.T) {
 		CoordPtr:                &coordPtr,
 		DERPMapUpdateFrequency:  time.Millisecond,
 		DERPMapFn:               func() *tailcfg.DERPMap { return <-derpMapCh },
-		NetworkTelemetryHandler: func(batch []*proto.TelemetryEvent) {},
+		NetworkTelemetryHandler: func([]*proto.TelemetryEvent) {},
 		ResumeTokenProvider:     tailnet.NewInsecureTestResumeTokenProvider(),
 	})
 	require.NoError(t, err)
@ -165,13 +166,17 @@ func TestTailnetAPIConnector_ResumeToken(t *testing.T) {
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
 	require.NoError(t, err)
-	resumeTokenProvider := tailnet.NewResumeTokenKeyProvider(resumeTokenSigningKey, clock, time.Hour)
+	mgr := jwtutils.StaticKey{
+		ID:  "123",
+		Key: resumeTokenSigningKey[:],
+	}
+	resumeTokenProvider := tailnet.NewResumeTokenKeyProvider(mgr, clock, time.Hour)
 	svc, err := tailnet.NewClientService(tailnet.ClientServiceOptions{
 		Logger:                  logger,
 		CoordPtr:                &coordPtr,
 		DERPMapUpdateFrequency:  time.Millisecond,
 		DERPMapFn:               func() *tailcfg.DERPMap { return <-derpMapCh },
-		NetworkTelemetryHandler: func(batch []*proto.TelemetryEvent) {},
+		NetworkTelemetryHandler: func([]*proto.TelemetryEvent) {},
 		ResumeTokenProvider:     resumeTokenProvider,
 	})
 	require.NoError(t, err)
@ -190,7 +195,7 @@ func TestTailnetAPIConnector_ResumeToken(t *testing.T) {
 		t.Logf("received resume token: %s", resumeToken)
 		assert.Equal(t, expectResumeToken, resumeToken)
 		if resumeToken != "" {
-			peerID, err = resumeTokenProvider.VerifyResumeToken(resumeToken)
+			peerID, err = resumeTokenProvider.VerifyResumeToken(ctx, resumeToken)
 			assert.NoError(t, err, "failed to parse resume token")
 			if err != nil {
 				httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{
@ -280,13 +285,17 @@ func TestTailnetAPIConnector_ResumeTokenFailure(t *testing.T) {
 	clock := quartz.NewMock(t)
 	resumeTokenSigningKey, err := tailnet.GenerateResumeTokenSigningKey()
 	require.NoError(t, err)
-	resumeTokenProvider := tailnet.NewResumeTokenKeyProvider(resumeTokenSigningKey, clock, time.Hour)
+	mgr := jwtutils.StaticKey{
+		ID:  uuid.New().String(),
+		Key: resumeTokenSigningKey[:],
+	}
+	resumeTokenProvider := tailnet.NewResumeTokenKeyProvider(mgr, clock, time.Hour)
 	svc, err := tailnet.NewClientService(tailnet.ClientServiceOptions{
 		Logger:                  logger,
 		CoordPtr:                &coordPtr,
 		DERPMapUpdateFrequency:  time.Millisecond,
 		DERPMapFn:               func() *tailcfg.DERPMap { return <-derpMapCh },
-		NetworkTelemetryHandler: func(batch []*proto.TelemetryEvent) {},
+		NetworkTelemetryHandler: func(_ []*proto.TelemetryEvent) {},
 		ResumeTokenProvider:     resumeTokenProvider,
 	})
 	require.NoError(t, err)