mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
feat: encrypt gitsshkeys.private_key at rest via dbcrypt (#25872)
Adds an optional dbcrypt wrapper around gitsshkeys.private_key. The column is encrypted on insert and update through enterprise/dbcrypt when external token encryption is configured, and decrypted on read. A new private_key_key_id column references dbcrypt_keys(active_key_digest) so revocation safety is enforced by the existing foreign key. Rows with a NULL key_id stay plaintext and remain readable. Existing plaintext rows can be backfilled by running `coder server dbcrypt rotate`. Generated with assistance from Coder Agents.
This commit is contained in:
Zach
@@ -84,11 +84,12 @@ var auditableResourcesTypes = map[any]map[string]Action{
|
||||
"updated_at": ActionIgnore,
|
||||
},
|
||||
&database.GitSSHKey{}: {
|
||||
"user_id": ActionTrack,
|
||||
"created_at": ActionIgnore, // Never changes, but is implicit and not helpful in a diff.
|
||||
"updated_at": ActionIgnore, // Changes, but is implicit and not helpful in a diff.
|
||||
"private_key": ActionSecret, // We don't want to expose private keys in diffs.
|
||||
"public_key": ActionTrack, // Public keys are ok to expose in a diff.
|
||||
"user_id": ActionTrack,
|
||||
"created_at": ActionIgnore, // Never changes, but is implicit and not helpful in a diff.
|
||||
"updated_at": ActionIgnore, // Changes, but is implicit and not helpful in a diff.
|
||||
"private_key": ActionSecret, // We don't want to expose private keys in diffs.
|
||||
"private_key_key_id": ActionIgnore, // Internal dbcrypt metadata, not useful in audit diffs.
|
||||
"public_key": ActionTrack, // Public keys are ok to expose in a diff.
|
||||
},
|
||||
&database.Template{}: {
|
||||
"id": ActionTrack,
|
||||
|
||||
@@ -204,6 +204,12 @@ func TestServerDBCrypt(t *testing.T) {
|
||||
userSecrets, err := db.ListUserSecretsWithValues(ctx, usr.ID)
|
||||
require.NoError(t, err, "failed to get user secrets for user %s", usr.ID)
|
||||
require.Empty(t, userSecrets)
|
||||
|
||||
// gitsshkey rows are preserved so the user can regenerate; only the ciphertext is wiped.
|
||||
sshKey, err := db.GetGitSSHKey(ctx, usr.ID)
|
||||
require.NoError(t, err, "expected gitsshkey row to remain for user %s", usr.ID)
|
||||
require.Empty(t, sshKey.PrivateKey, "expected private_key to be cleared for user %s", usr.ID)
|
||||
require.False(t, sshKey.PrivateKeyKeyID.Valid, "expected private_key_key_id to be cleared for user %s", usr.ID)
|
||||
}
|
||||
|
||||
// Validate that the key has been revoked in the database.
|
||||
@@ -245,6 +251,13 @@ func genData(t *testing.T, db database.Store) []database.User {
|
||||
ProviderID: provider.ID,
|
||||
APIKey: "provider-key-" + usr.ID.String(),
|
||||
})
|
||||
// gitsshkeys are not removed by the user soft-delete trigger,
|
||||
// so seed one for every user including deleted ones.
|
||||
_ = dbgen.GitSSHKey(t, db, database.GitSSHKey{
|
||||
UserID: usr.ID,
|
||||
PrivateKey: "private-" + usr.ID.String(),
|
||||
PublicKey: "public-" + usr.ID.String(),
|
||||
})
|
||||
now := time.Now()
|
||||
_, err := db.UpsertUserAIProviderKey(context.Background(), database.UpsertUserAIProviderKeyParams{
|
||||
ID: uuid.New(),
|
||||
@@ -325,6 +338,13 @@ func requireEncryptedWithCipher(ctx context.Context, t *testing.T, db database.S
|
||||
require.Equal(t, c.HexDigest(), s.ValueKeyID.String)
|
||||
}
|
||||
|
||||
sshKey, err := db.GetGitSSHKey(ctx, userID)
|
||||
require.NoError(t, err, "failed to get gitsshkey for user %s", userID)
|
||||
requireEncryptedEquals(t, c, "private-"+userID.String(), sshKey.PrivateKey)
|
||||
require.Equal(t, c.HexDigest(), sshKey.PrivateKeyKeyID.String)
|
||||
// Public key is never encrypted.
|
||||
require.Equal(t, "public-"+userID.String(), sshKey.PublicKey)
|
||||
|
||||
providers, err := db.GetAIProviders(ctx, database.GetAIProvidersParams{
|
||||
IncludeDeleted: true,
|
||||
IncludeDisabled: true,
|
||||
|
||||
@@ -101,6 +101,31 @@ func Rotate(ctx context.Context, log slog.Logger, sqlDB *sql.DB, ciphers []Ciphe
|
||||
log.Debug(ctx, "rotated user secret", slog.F("user_id", uid), slog.F("secret_name", secret.Name), slog.F("current", idx+1), slog.F("cipher", ciphers[0].HexDigest()))
|
||||
}
|
||||
|
||||
sshKey, err := cryptTx.GetGitSSHKey(ctx, uid)
|
||||
if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
|
||||
return xerrors.Errorf("get gitsshkey for user %s: %w", uid, err)
|
||||
}
|
||||
if err == nil {
|
||||
switch {
|
||||
case sshKey.PrivateKey == "":
|
||||
// Post-Delete wipes the private_key and key_id; nothing to encrypt.
|
||||
log.Debug(ctx, "skipping empty gitsshkey", slog.F("user_id", uid), slog.F("current", idx+1))
|
||||
case sshKey.PrivateKeyKeyID.Valid && sshKey.PrivateKeyKeyID.String == ciphers[0].HexDigest():
|
||||
log.Debug(ctx, "skipping gitsshkey", slog.F("user_id", uid), slog.F("current", idx+1), slog.F("cipher", ciphers[0].HexDigest()))
|
||||
default:
|
||||
if _, err := cryptTx.UpdateGitSSHKey(ctx, database.UpdateGitSSHKeyParams{
|
||||
UserID: uid,
|
||||
UpdatedAt: sshKey.UpdatedAt,
|
||||
PrivateKey: sshKey.PrivateKey,
|
||||
PrivateKeyKeyID: sql.NullString{}, // dbcrypt will re-encrypt
|
||||
PublicKey: sshKey.PublicKey,
|
||||
}); err != nil {
|
||||
return xerrors.Errorf("rotate gitsshkey user_id=%s: %w", uid, err)
|
||||
}
|
||||
log.Debug(ctx, "rotated gitsshkey", slog.F("user_id", uid), slog.F("current", idx+1), slog.F("cipher", ciphers[0].HexDigest()))
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}, &database.TxOptions{
|
||||
Isolation: sql.LevelRepeatableRead,
|
||||
@@ -288,6 +313,23 @@ func Decrypt(ctx context.Context, log slog.Logger, sqlDB *sql.DB, ciphers []Ciph
|
||||
log.Debug(ctx, "decrypted user secret", slog.F("user_id", uid), slog.F("secret_name", secret.Name), slog.F("current", idx+1))
|
||||
}
|
||||
|
||||
sshKey, err := tx.GetGitSSHKey(ctx, uid)
|
||||
if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
|
||||
return xerrors.Errorf("get gitsshkey for user %s: %w", uid, err)
|
||||
}
|
||||
if err == nil && sshKey.PrivateKeyKeyID.Valid {
|
||||
if _, err := tx.UpdateGitSSHKey(ctx, database.UpdateGitSSHKeyParams{
|
||||
UserID: uid,
|
||||
UpdatedAt: sshKey.UpdatedAt,
|
||||
PrivateKey: sshKey.PrivateKey,
|
||||
PrivateKeyKeyID: sql.NullString{}, // clear the key ID
|
||||
PublicKey: sshKey.PublicKey,
|
||||
}); err != nil {
|
||||
return xerrors.Errorf("decrypt gitsshkey user_id=%s: %w", uid, err)
|
||||
}
|
||||
log.Debug(ctx, "decrypted gitsshkey", slog.F("user_id", uid), slog.F("current", idx+1))
|
||||
}
|
||||
|
||||
return nil
|
||||
}, &database.TxOptions{
|
||||
Isolation: sql.LevelRepeatableRead,
|
||||
@@ -382,6 +424,15 @@ DELETE FROM user_ai_provider_keys
|
||||
WHERE api_key_key_id IS NOT NULL;
|
||||
DELETE FROM user_secrets
|
||||
WHERE value_key_id IS NOT NULL;
|
||||
-- gitsshkeys has no delete path in product code: rows are inserted on
|
||||
-- user creation and only ever mutated by regenerate. dbcrypt's 'delete'
|
||||
-- command is the one operation that needs to wipe encrypted content,
|
||||
-- and it does so by clearing the value rather than deleting the row,
|
||||
-- so users can regenerate via the UI.
|
||||
UPDATE gitsshkeys
|
||||
SET private_key = '',
|
||||
private_key_key_id = NULL
|
||||
WHERE private_key_key_id IS NOT NULL;
|
||||
UPDATE ai_providers
|
||||
SET settings = NULL,
|
||||
settings_key_id = NULL
|
||||
|
||||
@@ -930,6 +930,45 @@ func (db *dbCrypt) UpdateUserSecretByUserIDAndName(ctx context.Context, arg data
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
func (db *dbCrypt) InsertGitSSHKey(ctx context.Context, params database.InsertGitSSHKeyParams) (database.GitSSHKey, error) {
|
||||
if err := db.encryptField(¶ms.PrivateKey, ¶ms.PrivateKeyKeyID); err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
key, err := db.Store.InsertGitSSHKey(ctx, params)
|
||||
if err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
if err := db.decryptField(&key.PrivateKey, key.PrivateKeyKeyID); err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func (db *dbCrypt) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (database.GitSSHKey, error) {
|
||||
key, err := db.Store.GetGitSSHKey(ctx, userID)
|
||||
if err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
if err := db.decryptField(&key.PrivateKey, key.PrivateKeyKeyID); err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func (db *dbCrypt) UpdateGitSSHKey(ctx context.Context, params database.UpdateGitSSHKeyParams) (database.GitSSHKey, error) {
|
||||
if err := db.encryptField(¶ms.PrivateKey, ¶ms.PrivateKeyKeyID); err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
key, err := db.Store.UpdateGitSSHKey(ctx, params)
|
||||
if err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
if err := db.decryptField(&key.PrivateKey, key.PrivateKeyKeyID); err != nil {
|
||||
return database.GitSSHKey{}, err
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func (db *dbCrypt) encryptField(field *string, digest *sql.NullString) error {
|
||||
// If no cipher is loaded, then we can't encrypt anything!
|
||||
if db.ciphers == nil || db.primaryCipherDigest == "" {
|
||||
|
||||
@@ -1764,3 +1764,176 @@ func TestUserSecrets(t *testing.T) {
|
||||
require.ErrorAs(t, err, &derr)
|
||||
})
|
||||
}
|
||||
|
||||
func TestGitSSHKey(t *testing.T) {
|
||||
t.Parallel()
|
||||
ctx := context.Background()
|
||||
|
||||
const (
|
||||
initialPrivate = "private-key-initial"
|
||||
updatedPrivate = "private-key-updated"
|
||||
publicKey = "public-key"
|
||||
)
|
||||
|
||||
insertGitSSHKey := func(t *testing.T, store database.Store, ciphers []Cipher) database.GitSSHKey {
|
||||
t.Helper()
|
||||
user := dbgen.User(t, store, database.User{})
|
||||
key, err := store.InsertGitSSHKey(ctx, database.InsertGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
CreatedAt: dbtime.Now(),
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: initialPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, initialPrivate, key.PrivateKey)
|
||||
require.Equal(t, publicKey, key.PublicKey)
|
||||
if len(ciphers) > 0 {
|
||||
require.True(t, key.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), key.PrivateKeyKeyID.String)
|
||||
}
|
||||
return key
|
||||
}
|
||||
|
||||
t.Run("InsertGitSSHKeyEncryptsPrivateKey", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
db, crypt, ciphers := setup(t)
|
||||
key := insertGitSSHKey(t, crypt, ciphers)
|
||||
|
||||
// Raw row should be ciphertext under the primary cipher.
|
||||
rawKey, err := db.GetGitSSHKey(ctx, key.UserID)
|
||||
require.NoError(t, err)
|
||||
require.NotEqual(t, initialPrivate, rawKey.PrivateKey)
|
||||
requireEncryptedEquals(t, ciphers[0], rawKey.PrivateKey, initialPrivate)
|
||||
require.True(t, rawKey.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), rawKey.PrivateKeyKeyID.String)
|
||||
// Public key is not encrypted.
|
||||
require.Equal(t, publicKey, rawKey.PublicKey)
|
||||
})
|
||||
|
||||
t.Run("GetGitSSHKeyDecryptsEncryptedRow", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
_, crypt, ciphers := setup(t)
|
||||
key := insertGitSSHKey(t, crypt, ciphers)
|
||||
|
||||
got, err := crypt.GetGitSSHKey(ctx, key.UserID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, initialPrivate, got.PrivateKey)
|
||||
require.True(t, got.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), got.PrivateKeyKeyID.String)
|
||||
})
|
||||
|
||||
t.Run("GetGitSSHKeyReadsPlaintextRow", func(t *testing.T) {
|
||||
// Pre-existing plaintext rows (private_key_key_id IS NULL) must remain readable.
|
||||
t.Parallel()
|
||||
db, crypt, _ := setup(t)
|
||||
user := dbgen.User(t, db, database.User{})
|
||||
inserted, err := db.InsertGitSSHKey(ctx, database.InsertGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
CreatedAt: dbtime.Now(),
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: initialPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.False(t, inserted.PrivateKeyKeyID.Valid)
|
||||
|
||||
got, err := crypt.GetGitSSHKey(ctx, user.ID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, initialPrivate, got.PrivateKey)
|
||||
require.False(t, got.PrivateKeyKeyID.Valid)
|
||||
})
|
||||
|
||||
t.Run("UpdateGitSSHKeyReEncrypts", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
db, crypt, ciphers := setup(t)
|
||||
key := insertGitSSHKey(t, crypt, ciphers)
|
||||
|
||||
updated, err := crypt.UpdateGitSSHKey(ctx, database.UpdateGitSSHKeyParams{
|
||||
UserID: key.UserID,
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: updatedPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, updatedPrivate, updated.PrivateKey)
|
||||
require.True(t, updated.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), updated.PrivateKeyKeyID.String)
|
||||
|
||||
rawKey, err := db.GetGitSSHKey(ctx, key.UserID)
|
||||
require.NoError(t, err)
|
||||
requireEncryptedEquals(t, ciphers[0], rawKey.PrivateKey, updatedPrivate)
|
||||
require.True(t, rawKey.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), rawKey.PrivateKeyKeyID.String)
|
||||
})
|
||||
|
||||
t.Run("UpdateGitSSHKeyEncryptsPlaintextRow", func(t *testing.T) {
|
||||
// A row that started life as plaintext must get encrypted on the next write.
|
||||
t.Parallel()
|
||||
db, crypt, ciphers := setup(t)
|
||||
user := dbgen.User(t, db, database.User{})
|
||||
_, err := db.InsertGitSSHKey(ctx, database.InsertGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
CreatedAt: dbtime.Now(),
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: initialPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = crypt.UpdateGitSSHKey(ctx, database.UpdateGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: updatedPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
rawKey, err := db.GetGitSSHKey(ctx, user.ID)
|
||||
require.NoError(t, err)
|
||||
requireEncryptedEquals(t, ciphers[0], rawKey.PrivateKey, updatedPrivate)
|
||||
require.True(t, rawKey.PrivateKeyKeyID.Valid)
|
||||
require.Equal(t, ciphers[0].HexDigest(), rawKey.PrivateKeyKeyID.String)
|
||||
})
|
||||
|
||||
t.Run("GetGitSSHKeyDecryptErr", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
db, crypt, ciphers := setup(t)
|
||||
user := dbgen.User(t, db, database.User{})
|
||||
_, err := db.InsertGitSSHKey(ctx, database.InsertGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
CreatedAt: dbtime.Now(),
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: fakeBase64RandomData(t, 32),
|
||||
PrivateKeyKeyID: sql.NullString{String: ciphers[0].HexDigest(), Valid: true},
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = crypt.GetGitSSHKey(ctx, user.ID)
|
||||
require.Error(t, err)
|
||||
var derr *DecryptFailedError
|
||||
require.ErrorAs(t, err, &derr)
|
||||
})
|
||||
|
||||
t.Run("NoCipherPassthrough", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
db, crypt := setupNoCiphers(t)
|
||||
user := dbgen.User(t, crypt, database.User{})
|
||||
key, err := crypt.InsertGitSSHKey(ctx, database.InsertGitSSHKeyParams{
|
||||
UserID: user.ID,
|
||||
CreatedAt: dbtime.Now(),
|
||||
UpdatedAt: dbtime.Now(),
|
||||
PrivateKey: initialPrivate,
|
||||
PublicKey: publicKey,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, initialPrivate, key.PrivateKey)
|
||||
require.False(t, key.PrivateKeyKeyID.Valid)
|
||||
|
||||
rawKey, err := db.GetGitSSHKey(ctx, user.ID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, initialPrivate, rawKey.PrivateKey)
|
||||
require.False(t, rawKey.PrivateKeyKeyID.Valid)
|
||||
})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user