Add secret prefix column and query to get token · coder/coder@4f1d9a0 · GitHub


Commit 4f1d9a0

committed
Add secret prefix column and query to get token
This prefix will be used as an identifier that is embedded in the secrets themselves, which lets us salt the hashed secrets. The token query is for implementing the refresh flow.
1 parent c15f851 commit 4f1d9a0


13 files changed

+308
-195
lines changed


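--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1188,16 +1188,12 @@ func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (d
 	return q.db.GetOAuth2ProviderAppByID(ctx, id)
 }
 
-func (q *querier) GetOAuth2ProviderAppCodeByAppIDAndSecret(ctx context.Context, arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode, error) {
-	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByAppIDAndSecret)(ctx, arg)
-}
-
 func (q *querier) GetOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
 	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByID)(ctx, id)
 }
 
-func (q *querier) GetOAuth2ProviderAppSecretByAppIDAndSecret(ctx context.Context, arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret, error) {
-	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppSecretByAppIDAndSecret)(ctx, arg)
+func (q *querier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
+	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByPrefix)(ctx, secretPrefix)
 }
 
 func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
@@ -1207,13 +1203,33 @@ func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UU
 	return q.db.GetOAuth2ProviderAppSecretByID(ctx, id)
 }
 
+func (q *querier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppSecret, error) {
+	return fetch(q.log, q.auth, q.db.GetOAuth2ProviderAppSecretByPrefix)(ctx, secretPrefix)
+}
+
 func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID uuid.UUID) ([]database.OAuth2ProviderAppSecret, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
 		return []database.OAuth2ProviderAppSecret{}, err
 	}
 	return q.db.GetOAuth2ProviderAppSecretsByAppID(ctx, appID)
 }
 
+func (q *querier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPrefix []byte) (database.OAuth2ProviderAppToken, error) {
+	token, err := q.db.GetOAuth2ProviderAppTokenByPrefix(ctx, hashPrefix)
+	if err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	// The user ID is on the API key so that has to be fetched.
+	key, err := q.db.GetAPIKeyByID(ctx, token.APIKeyID)
+	if err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
+		return database.OAuth2ProviderAppToken{}, err
+	}
+	return token, nil
+}
+
 func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
 		return []database.OAuth2ProviderApp{}, err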
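Review bot: `GetOAuth2ProviderAppCodeByPrefix`, `GetOAuth2ProviderAppSecretByPrefix` and `GetOAuth2ProviderAppTokenByPrefix` select a row by a plaintext prefix only, so unlike the removed `...ByAppIDAndSecret` queries they no longer compare the hashed secret at all; the handler that consumes them must still do a constant-time comparison of the full hash before treating the code, client secret or token as valid, and nothing in this file records that contract. I would put a doc comment on each new method, e.g. `// GetOAuth2ProviderAppTokenByPrefix fetches a token by its hash prefix only. The prefix is a lookup identifier, not an authenticator; callers must still verify the full hashed secret.` In `GetOAuth2ProviderAppTokenByPrefix` both the token and its API key are read before `authorizeContext` runs, which is necessary to resolve the owner but means the method's existing comment could also say that the key lookup exists only to feed the RBAC check. The callers are not part of this commit, so whether the hash comparison happens there is something to confirm at the handler.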

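--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -2293,15 +2293,12 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppSecrets() {
 		})
 		check.Args(secret.ID).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
 	}))
-	s.Run("GetOAuth2ProviderAppSecretByAppIDAndSecret", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("GetOAuth2ProviderAppSecretByPrefix", s.Subtest(func(db database.Store, check *expects) {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		secret := dbgen.OAuth2ProviderAppSecret(s.T(), db, database.OAuth2ProviderAppSecret{
 			AppID: app.ID,
 		})
-		check.Args(database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
-			AppID: app.ID,
-			HashedSecret: secret.HashedSecret,
-		}).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
+		check.Args(secret.SecretPrefix).Asserts(rbac.ResourceOAuth2ProviderAppSecret, rbac.ActionRead).Returns(secret)
 	}))
 	s.Run("InsertOAuth2ProviderAppSecret", s.Subtest(func(db database.Store, check *expects) {
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
@@ -2339,17 +2336,14 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {
 		})
 		check.Args(code.ID).Asserts(code, rbac.ActionRead).Returns(code)
 	}))
-	s.Run("GetOAuth2ProviderAppCodeByAppIDAndSecret", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("GetOAuth2ProviderAppCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
 		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
 		code := dbgen.OAuth2ProviderAppCode(s.T(), db, database.OAuth2ProviderAppCode{
 			AppID: app.ID,
 			UserID: user.ID,
 		})
-		check.Args(database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
-			AppID: app.ID,
-			HashedSecret: code.HashedSecret,
-		}).Asserts(code, rbac.ActionRead).Returns(code)
+		check.Args(code.SecretPrefix).Asserts(code, rbac.ActionRead).Returns(code)
 	}))
 	s.Run("InsertOAuth2ProviderAppCode", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
@@ -2399,6 +2393,21 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
 			APIKeyID: key.ID,
 		}).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionCreate)
 	}))
+	s.Run("GetOAuth2ProviderAppTokenByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		user := dbgen.User(s.T(), db, database.User{})
+		key, _ := dbgen.APIKey(s.T(), db, database.APIKey{
+			UserID: user.ID,
+		})
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		secret := dbgen.OAuth2ProviderAppSecret(s.T(), db, database.OAuth2ProviderAppSecret{
+			AppID: app.ID,
+		})
+		token := dbgen.OAuth2ProviderAppToken(s.T(), db, database.OAuth2ProviderAppToken{
+			AppSecretID: secret.ID,
+			APIKeyID: key.ID,
+		})
+		check.Args(token.HashPrefix).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionRead)
+	}))
 	s.Run("DeleteOAuth2ProviderAppTokensByAppAndUserID", s.Subtest(func(db database.Store, check *expects) {
 		user := dbgen.User(s.T(), db, database.User{})
 		key, _ := dbgen.APIKey(s.T(), db, database.APIKey{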
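Review bot: The new `GetOAuth2ProviderAppTokenByPrefix` subtest asserts only the RBAC check and never pins the result, whereas the sibling `GetOAuth2ProviderAppSecretByPrefix` and `GetOAuth2ProviderAppCodeByPrefix` subtests in this file end in `.Returns(secret)` / `.Returns(code)`; without a `Returns` the test still passes if the querier authorizes against the right owner but hands back the wrong row. I would change the last line to `check.Args(token.HashPrefix).Asserts(rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(user.ID.String()), rbac.ActionRead).Returns(token)`. Since these lookups are now keyed on a public prefix rather than the hashed secret, a case where the prefix belongs to another user's token and the read is denied would also be worth covering, though whether the suite's `expects` helper supports a negative case is not visible here. `TestOAuth2ProviderAppTokens` begins before this hunk.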

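--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -2203,58 +2203,48 @@ func (q *FakeQuerier) GetOAuth2ProviderAppByID(_ context.Context, id uuid.UUID)
 	return database.OAuth2ProviderApp{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppCodeByAppIDAndSecret(_ context.Context, arg database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams) (database.OAuth2ProviderAppCode, error) {
-	err := validateDatabaseType(arg)
-	if err != nil {
-		return database.OAuth2ProviderAppCode{}, err
-	}
-
+func (q *FakeQuerier) GetOAuth2ProviderAppCodeByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, code := range q.oauth2ProviderAppCodes {
-		if bytes.Equal(code.HashedSecret, arg.HashedSecret) && code.AppID == arg.AppID {
+		if code.ID == id {
 			return code, nil
 		}
 	}
 	return database.OAuth2ProviderAppCode{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppCodeByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppCode, error) {
+func (q *FakeQuerier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, code := range q.oauth2ProviderAppCodes {
-		if code.ID == id {
+		if bytes.Equal(code.SecretPrefix, secretPrefix) {
 			return code, nil
 		}
 	}
 	return database.OAuth2ProviderAppCode{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppSecretByAppIDAndSecret(_ context.Context, arg database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams) (database.OAuth2ProviderAppSecret, error) {
-	err := validateDatabaseType(arg)
-	if err != nil {
-		return database.OAuth2ProviderAppSecret{}, err
-	}
-
+func (q *FakeQuerier) GetOAuth2ProviderAppSecretByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, secret := range q.oauth2ProviderAppSecrets {
-		if secret.AppID == arg.AppID && bytes.Equal(secret.HashedSecret, arg.HashedSecret) {
+		if secret.ID == id {
 			return secret, nil
 		}
 	}
 	return database.OAuth2ProviderAppSecret{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetOAuth2ProviderAppSecretByID(_ context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
+func (q *FakeQuerier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppSecret, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	for _, secret := range q.oauth2ProviderAppSecrets {
-		if secret.ID == id {
+		if bytes.Equal(secret.SecretPrefix, secretPrefix) {
 			return secret, nil
 		}
 	}
@@ -2289,6 +2279,18 @@ func (q *FakeQuerier) GetOAuth2ProviderAppSecretsByAppID(_ context.Context, appI
 	return []database.OAuth2ProviderAppSecret{}, sql.ErrNoRows
 }
 
+func (q *FakeQuerier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPrefix []byte) (database.OAuth2ProviderAppToken, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for _, token := range q.oauth2ProviderAppTokens {
+		if bytes.Equal(token.HashPrefix, hashPrefix) {
+			return token, nil
+		}
+	}
+	return database.OAuth2ProviderAppToken{}, sql.ErrNoRows
+}
+
 func (q *FakeQuerier) GetOAuth2ProviderApps(_ context.Context) ([]database.OAuth2ProviderApp, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()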
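Review bot: The three new prefix lookups match rows with `bytes.Equal`, which treats a nil slice and an empty slice as equal, so a request carrying an empty prefix would match the first row whose `SecretPrefix` or `HashPrefix` was never populated; whether such rows can exist depends on the migration and the column's nullability, which are not in this page, but the fake is cheap to make strict with `if len(secretPrefix) == 0 { return database.OAuth2ProviderAppCode{}, sql.ErrNoRows }` at the top of each method (and the equivalent for `hashPrefix`), so that a test can never pass by accident on an empty key. Separately, `GetOAuth2ProviderAppCodeByPrefix`, `GetOAuth2ProviderAppSecretByPrefix` and `GetOAuth2ProviderAppTokenByPrefix` name their first parameter `ctx` but never use it, while every neighbouring method in this hunk writes `_ context.Context`; keeping that convention avoids an unused-parameter lint finding and signals that the fake ignores cancellation. `GetOAuth2ProviderAppSecretByPrefix` runs past the end of the first hunk.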

coderd/database/dbmetrics/dbmetrics.go

Lines changed: 17 additions & 10 deletions

coderd/database/dbmock/dbmock.go

Lines changed: 37 additions & 22 deletions
