Use userpassword.Hash

code-asher · code-asher · commit c52693fdd21b · 2024-02-06T15:51:42.000-09:00
diff --git a/enterprise/coderd/identityprovider/authorize.go b/enterprise/coderd/identityprovider/authorize.go
@@ -14,6 +14,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 )
@@ -88,7 +89,13 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 			})
 			return
 		}
-		hashedCode := Hash(rawCode, app.ID)
+		hashedCode, err := userpassword.Hash(rawCode)
+		if err != nil {
+			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to hash OAuth2 app authorization code.",
+			})
+			return
+		}
 		err = db.InTx(func(tx database.Store) error {
 			// Delete any previous codes.
 			err = tx.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams{
@@ -105,7 +112,7 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 				CreatedAt: dbtime.Now(),
 				// TODO: Configurable expiration?  Ten minutes matches GitHub.
 				ExpiresAt:    dbtime.Now().Add(time.Duration(10) * time.Minute),
-				HashedSecret: hashedCode[:],
+				HashedSecret: []byte(hashedCode),
 				AppID:        app.ID,
 				UserID:       apiKey.UserID,
 			})
diff --git a/enterprise/coderd/identityprovider/tokens.go b/enterprise/coderd/identityprovider/tokens.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"golang.org/x/crypto/argon2"
 	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
 
@@ -21,6 +20,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 )
@@ -111,20 +111,23 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 
 func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, clientSecret, code string) (oauth2.Token, error) {
 	// Validate the client secret.
-	secretHash := Hash(clientSecret, app.ID)
+	secretHash, err := userpassword.Hash(clientSecret)
+	if err != nil {
+		return oauth2.Token{}, err
+	}
 	secret, err := db.GetOAuth2ProviderAppSecretByAppIDAndSecret(
 		//nolint:gocritic // Users cannot read secrets so we must use the system.
 		dbauthz.AsSystemRestricted(ctx),
 		database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
 			AppID:        app.ID,
-			HashedSecret: secretHash[:],
+			HashedSecret: []byte(secretHash),
 		})
 	if err != nil {
 		return oauth2.Token{}, err
 	}
 
 	// Validate the authorization code.
-	codeHash := Hash(code, app.ID)
+	codeHash, err := userpassword.Hash(code)
 	if err != nil {
 		return oauth2.Token{}, err
 	}
@@ -133,7 +136,7 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 		dbauthz.AsSystemRestricted(ctx),
 		database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
 			AppID:        app.ID,
-			HashedSecret: codeHash[:],
+			HashedSecret: []byte(codeHash),
 		})
 	if err != nil {
 		return oauth2.Token{}, err
@@ -208,12 +211,15 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 			return xerrors.Errorf("insert oauth2 access token: %w", err)
 		}
 
-		hashed := Hash(rawRefreshToken, app.ID)
+		refreshHash, err := userpassword.Hash(rawRefreshToken)
+		if err != nil {
+			return xerrors.Errorf("hash oauth2 refresh token: %w", err)
+		}
 		_, err = tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{
 			ID:          uuid.New(),
 			CreatedAt:   dbtime.Now(),
 			ExpiresAt:   key.ExpiresAt,
-			RefreshHash: hashed[:],
+			RefreshHash: []byte(refreshHash),
 			AppSecretID: secret.ID,
 			APIKeyID:    newKey.ID,
 		})
@@ -234,12 +240,3 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 		// Expiry:       key.ExpiresAt,
 	}, nil
 }
-
-/**
- * Hash uses argon2 to hash the secret using the ID as the salt.
- */
-func Hash(secret string, id uuid.UUID) []byte {
-	b := []byte(secret)
-	// TODO: Expose iterations, memory, and threads as configuration values?
-	return argon2.IDKey(b, []byte(id.String()), 1, 64*1024, 2, uint32(len(b)))
-}
diff --git a/enterprise/coderd/oauth2.go b/enterprise/coderd/oauth2.go
@@ -12,6 +12,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
@@ -241,11 +242,18 @@ func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Requ
 		})
 		return
 	}
-	hashed := identityprovider.Hash(rawSecret, app.ID)
+	hashed, err := userpassword.Hash(rawSecret)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to hash OAuth2 client secret.",
+			Detail:  err.Error(),
+		})
+		return
+	}
 	secret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
 		ID:           uuid.New(),
 		CreatedAt:    dbtime.Now(),
-		HashedSecret: hashed[:],
+		HashedSecret: []byte(hashed),
 		// DisplaySecret is the last six characters of the original unhashed secret.
 		// This is done so they can be differentiated and it matches how GitHub
 		// displays their client secrets.
diff --git a/enterprise/coderd/oauth2_test.go b/enterprise/coderd/oauth2_test.go
@@ -19,10 +19,10 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
-	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
 	"github.com/coder/coder/v2/enterprise/coderd/license"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -602,12 +602,15 @@ func TestOAuth2ProviderTokenExchange(t *testing.T) {
 			tokenError:  "Invalid client secret or code",
 			setup: func(ctx context.Context, client *codersdk.Client, user codersdk.User) error {
 				// Insert an expired code.
-				hashedCode := identityprovider.Hash("some-code", apps.Default.ID)
+				hashedCode, err := userpassword.Hash("some-code")
+				if err != nil {
+					return err
+				}
 				_, err = db.InsertOAuth2ProviderAppCode(ctx, database.InsertOAuth2ProviderAppCodeParams{
 					ID:           uuid.New(),
 					CreatedAt:    dbtime.Now().Add(-time.Minute * 11),
 					ExpiresAt:    dbtime.Now().Add(-time.Minute),
-					HashedSecret: hashedCode[:],
+					HashedSecret: []byte(hashedCode),
 					AppID:        apps.Default.ID,
 					UserID:       user.ID,
 				})
