(ctx context.Context, tx database.Store, key database.CryptoKey, now time.Time)
| 200 | } |
| 201 | |
| 202 | func (k *rotator) rotateKey(ctx context.Context, tx database.Store, key database.CryptoKey, now time.Time) ([]database.CryptoKey, error) { |
| 203 | startsAt := minStartsAt(key, now, k.keyDuration) |
| 204 | newKey, err := k.insertNewKey(ctx, tx, key.Feature, startsAt) |
| 205 | if err != nil { |
| 206 | return nil, xerrors.Errorf("insert new key: %w", err) |
| 207 | } |
| 208 | |
| 209 | // Set old key's deletes_at to an hour + however long the token |
| 210 | // for this feature is expected to be valid for. This should |
| 211 | // allow for sufficient time for the new key to propagate to |
| 212 | // dependent services (i.e. Workspace Proxies). |
| 213 | deletesAt := startsAt.Add(time.Hour).Add(tokenDuration(key.Feature)) |
| 214 | |
| 215 | updatedKey, err := tx.UpdateCryptoKeyDeletesAt(ctx, database.UpdateCryptoKeyDeletesAtParams{ |
| 216 | Feature: key.Feature, |
| 217 | Sequence: key.Sequence, |
| 218 | DeletesAt: sql.NullTime{ |
| 219 | Time: deletesAt.UTC(), |
| 220 | Valid: true, |
| 221 | }, |
| 222 | }) |
| 223 | if err != nil { |
| 224 | return nil, xerrors.Errorf("update old key's deletes_at: %w", err) |
| 225 | } |
| 226 | |
| 227 | return []database.CryptoKey{updatedKey, newKey}, nil |
| 228 | } |
| 229 | |
| 230 | func generateNewSecret(feature database.CryptoKeyFeature) (string, error) { |
| 231 | switch feature { |
no test coverage detected