NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitc5117c4

committed

refactor: replace role token lifetimes JSON config with CEL expressions

Change-Id: I9693c219e2e6268662d2ced209bc75744c07cf67Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent63eaf5c commitc5117c4Copy full SHA for c5117c4

File tree

25 files changed

+1173

-987

lines changed

.swaggo
cli
- server.go
- testdata
  - coder_server_--help.golden
  - server-config.yaml.golden
coderd
- apidoc
  - docs.go
  - swagger.json
- apikey.go
- apikey_rolelifetime_test.go
- apikey_test.go
- cel
  - token_lifetime.go
  - token_lifetime_test.go
- config.go
- config_test.go
- identityprovider
  - tokens.go
- oauth2.go
codersdk
- deployment.go
- deployment_test.go
docs/reference
- api
  - general.md
  - schemas.md
- cli
  - server.md
enterprise/cli/testdata
- coder_server_--help.golden
go.mod
go.sum
scripts/apidocgen
- generate.sh
site/src/api
- typesGenerated.ts

25 files changed

+1173

-987

lines changed

`‎.swaggo`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,3 +6,5 @@ replace time.Duration int64`
`6`	`6`	`replace github.com/coder/coder/v2/codersdk.ProvisionerType string`
`7`	`7`	`// Do not render netip.Addr`
`8`	`8`	`replace netip.Addr string`
	`9`	`+// Do not render cel.Program`
	`10`	`+replace github.com/google/cel-go/cel.Program object`

`‎cli/server.go`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -813,9 +813,9 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`813`	`813`	`returnxerrors.Errorf("set deployment id: %w",err)`
`814`	`814`	`}`
`815`	`815`
`816`		`-//Process the role-based token lifetimeconfigurations`
`817`		`-iferr:=coderd.ProcessRoleTokenLifetimesConfig(ctx,&vals.Sessions,options.Database,options.Logger);err!=nil {`
`818`		`-returnxerrors.Errorf("failed toinitialize roletokenlifetimes configuration: %w",err)`
	`816`	`+//Compile the role token lifetimeCEL expression`
	`817`	`+if_,err:=vals.Sessions.CompiledMaximumTokenDurationProgram();err!=nil {`
	`818`	`+returnxerrors.Errorf("failed tocompiletokenlifetime expression: %w",err)`
`819`	`819`	`}`
`820`	`820`
`821`	`821`	`// Manage push notifications.`

`‎cli/testdata/coder_server_--help.golden`

Lines changed: 11 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,17 @@ OPTIONS:`
`50`	`50`	`Separate multiple experiments with commas, or enter '*' to opt-in to`
`51`	`51`	`all available experiments.`
`52`	`52`
	`53`	`+ --max-token-lifetime-expression string, $CODER_MAX_TOKEN_LIFETIME_EXPRESSION`
	`54`	`+ A CEL expression that determines the maximum token lifetime based on`
	`55`	`+ user attributes. The expression has access to 'subject'`
	`56`	`+ (rbac.Subject), 'requestedLifetime' (string), 'globalMaxDuration'`
	`57`	`+ (string), 'defaultDuration' (string), and 'tokenScope' (string). Must`
	`58`	`+ return a duration string (e.g., duration("168h")). Example:`
	`59`	`+ 'subject.roles.exists(r, r.name == "owner") ?`
	`60`	`+ duration(globalMaxDuration) : duration(defaultDuration)'. See`
	`61`	`+ https://github.com/google/cel-spec for CEL expression syntax and`
	`62`	`+ examples.`
	`63`	`+`
`53`	`64`	`--postgres-auth password\|awsiamrds, $CODER_PG_AUTH (default: password)`
`54`	`65`	`Type of auth to use when connecting to postgres. For AWS RDS, using`
`55`	`66`	`IAM authentication (awsiamrds) is recommended.`
`@@ -61,15 +72,6 @@ OPTIONS:`
`61`	`72`	`server postgres-builtin-url". Note that any special characters in the`
`62`	`73`	`URL must be URL-encoded.`
`63`	`74`
`64`		`- --role-token-lifetimes string, $CODER_ROLE_TOKEN_LIFETIMES (default: {})`
`65`		`- A JSON mapping of role names to maximum token lifetimes (e.g.,`
`66`		- `{"owner": "720h", "MyOrg/admin": "168h"}`). Overrides the global
`67`		`- max_token_lifetime for specified roles. Site-level roles are direct`
`68`		`- names (e.g., 'admin'). Organization-level roles use the format`
`69`		`- 'OrgName/rolename'. Durations use Go duration format: hours (h),`
`70`		`- minutes (m), seconds (s). Common conversions: 1 day = 24h, 7 days =`
`71`		`- 168h, 30 days = 720h.`
`72`		`-`
`73`	`75`	`--ssh-keygen-algorithm string, $CODER_SSH_KEYGEN_ALGORITHM (default: ed25519)`
`74`	`76`	`The algorithm to use for generating ssh keys. Accepted values are`
`75`	`77`	`"ed25519", "ecdsa", or "rsa4096".`

`‎cli/testdata/server-config.yaml.golden`

Lines changed: 9 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -445,14 +445,15 @@ experiments: []`
`445`	`445`	`# performed once per day.`
`446`	`446`	`# (default: false, type: bool)`
`447`	`447`	`updateCheck: false`
`448`		-# A JSON mapping of role names to maximum token lifetimes (e.g., `{"owner":
`449`		-# "720h", "MyOrg/admin": "168h"}`). Overrides the global max_token_lifetime for
`450`		`-# specified roles. Site-level roles are direct names (e.g., 'admin').`
`451`		`-# Organization-level roles use the format 'OrgName/rolename'. Durations use Go`
`452`		`-# duration format: hours (h), minutes (m), seconds (s). Common conversions: 1 day`
`453`		`-# = 24h, 7 days = 168h, 30 days = 720h.`
`454`		`-# (default: {}, type: string)`
`455`		`-roleTokenLifetimes: '{}'`
	`448`	`+# A CEL expression that determines the maximum token lifetime based on user`
	`449`	`+# attributes. The expression has access to 'subject' (rbac.Subject),`
	`450`	`+# 'requestedLifetime' (string), 'globalMaxDuration' (string), 'defaultDuration'`
	`451`	`+# (string), and 'tokenScope' (string). Must return a duration string (e.g.,`
	`452`	`+# duration("168h")). Example: 'subject.roles.exists(r, r.name == "owner") ?`
	`453`	`+# duration(globalMaxDuration) : duration(defaultDuration)'. See`
	`454`	`+# https://github.com/google/cel-spec for CEL expression syntax and examples.`
	`455`	`+# (default: <unset>, type: string)`
	`456`	`+maxTokenLifetimeExpression: ""`
`456`	`457`	`# The default lifetime duration for API tokens. This value is used when creating a`
`457`	`458`	`# token without specifying a duration, such as when authenticating the CLI or an`
`458`	`459`	`# IDE plugin.`

`‎coderd/apidoc/docs.go`

Lines changed: 7 additions & 4 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 4 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey.go`

Lines changed: 49 additions & 49 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,12 +9,15 @@ import (`
`9`	`9`	`"time"`
`10`	`10`
`11`	`11`	`"github.com/go-chi/chi/v5"`
	`12`	`+"github.com/google/cel-go/common/types"`
`12`	`13`	`"github.com/google/uuid"`
`13`	`14`	`"github.com/moby/moby/pkg/namesgenerator"`
`14`	`15`	`"golang.org/x/xerrors"`
`15`	`16`
	`17`	`+"cdr.dev/slog"`
`16`	`18`	`"github.com/coder/coder/v2/coderd/apikey"`
`17`	`19`	`"github.com/coder/coder/v2/coderd/audit"`
	`20`	`+celtoken"github.com/coder/coder/v2/coderd/cel"`
`18`	`21`	`"github.com/coder/coder/v2/coderd/database"`
`19`	`22`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`20`	`23`	`"github.com/coder/coder/v2/coderd/httpapi"`
`@@ -340,28 +343,14 @@ func (api API) deleteAPIKey(rw http.ResponseWriter, r http.Request) {`
`340`	`343`	`// @Router /users/{user}/keys/tokens/tokenconfig [get]`
`341`	`344`	`func (apiAPI)tokenConfig(rw http.ResponseWriter,rhttp.Request) {`
`342`	`345`	`ctx:=r.Context()`
`343`		`-user:=httpmw.UserParam(r)`
`344`	`346`
`345`		`-varroleIdentifiers []rbac.RoleIdentifier`
`346`		`-`
`347`		`-ifuser.ID!=uuid.Nil {`
`348`		`-subject,userStatus,err:=httpmw.UserRBACSubject(ctx,api.Database,user.ID,rbac.ScopeAll)`
`349`		`-switch {`
`350`		`-caseerr!=nil:`
`351`		`-api.Logger.Error(ctx,"failed to get user RBAC subject for token config","user_id",user.ID.String(),"error",err)`
`352`		`-roleIdentifiers= []rbac.RoleIdentifier{}`
`353`		`-caseuserStatus==database.UserStatusSuspended:`
`354`		`-roleIdentifiers= []rbac.RoleIdentifier{}`
`355`		`-default:`
`356`		`-// Extract role names from the RBAC subject and convert to internal format`
`357`		`-roleIdentifiers=subject.Roles.Names()`
`358`		`-}`
`359`		`-}else {`
`360`		`-api.Logger.Warn(ctx,"user ID is nil in token config request context")`
`361`		`-roleIdentifiers= []rbac.RoleIdentifier{}`
`362`		`-}`
	`347`	`+maxLifetime:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
`363`	`348`
`364`		`-maxLifetime:=api.getMaxTokenLifetimeForUserRoles(roleIdentifiers)`
	`349`	`+user:=httpmw.UserParam(r)`
	`350`	`+subject,_,err:=httpmw.UserRBACSubject(ctx,api.Database,user.ID,rbac.ScopeAll)`
	`351`	`+iferr==nil {`
	`352`	`+maxLifetime=api.getMaxTokenLifetimeForUser(ctx,subject)`
	`353`	`+}`
`365`	`354`
`366`	`355`	`httpapi.Write(`
`367`	`356`	`ctx,rw,http.StatusOK,`
`@@ -378,20 +367,19 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, lifetime time.Durati`
`378`	`367`
`379`	`368`	`subject,userStatus,err:=httpmw.UserRBACSubject(ctx,api.Database,userID,rbac.ScopeAll)`
`380`	`369`	`iferr!=nil {`
`381`		`-api.Logger.Error(ctx,"failed to get user RBAC subject during token validation","user_id",userID.String(),"error",err)`
	`370`	`+api.Logger.Error(ctx,"failed to get user RBAC subject during token validation",slog.F("user_id",userID.String()),slog.Error(err))`
`382`	`371`	`ifxerrors.Is(err,sql.ErrNoRows) {`
`383`	`372`	`returnxerrors.Errorf("user %s not found",userID)`
`384`	`373`	`}`
`385`	`374`	`returnxerrors.Errorf("internal server error validating token lifetime for user %s",userID)`
`386`	`375`	`}`
`387`	`376`
`388`		`-ifuserStatus==database.UserStatusSuspended {`
`389`		`-returnxerrors.Errorf("user %s is suspended and cannot create tokens",userID)`
	`377`	`+ifuserStatus!=database.UserStatusActive {`
	`378`	`+returnxerrors.Errorf("user %s is suspendedor inactive,and cannot create tokens",userID)`
`390`	`379`	`}`
`391`	`380`
`392`		`-// Extract role names from the RBAC subject and convert to internal format`
`393`		`-roleIdentifiers:=subject.Roles.Names()`
`394`		`-maxAllowedLifetime:=api.getMaxTokenLifetimeForUserRoles(roleIdentifiers)`
	`381`	`+// Get the maximum token lifetime for this user based on CEL expression`
	`382`	`+maxAllowedLifetime:=api.getMaxTokenLifetimeForUser(ctx,subject)`
`395`	`383`
`396`	`384`	`iflifetime>maxAllowedLifetime {`
`397`	`385`	`returnxerrors.Errorf(`
`@@ -403,35 +391,47 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, lifetime time.Durati`
`403`	`391`	`returnnil`
`404`	`392`	`}`
`405`	`393`
`406`		`-// getMaxTokenLifetimeForUserRoles determines the most generous token lifetime a user is entitled to`
`407`		`-// based on their roles and the CODER_ROLE_TOKEN_LIFETIMES configuration.`
`408`		`-// Roles are expected in the internal format ("rolename" or "rolename:org_id").`
`409`		`-func (api*API)getMaxTokenLifetimeForUserRoles(roles []rbac.RoleIdentifier) time.Duration {`
`410`		`-globalMaxDefault:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
`411`		`-`
`412`		`-// Early return for empty config`
`413`		`-ifapi.DeploymentValues.Sessions.RoleTokenLifetimes.Value()==""\|\|`
`414`		`-api.DeploymentValues.Sessions.RoleTokenLifetimes.Value()=="{}" {`
`415`		`-returnglobalMaxDefault`
	`394`	`+// getMaxTokenLifetimeForUser determines the maximum token lifetime a user is entitled to`
	`395`	`+// based on their attributes and the CEL expression configuration.`
	`396`	`+func (api*API)getMaxTokenLifetimeForUser(ctx context.Context,subject rbac.Subject) time.Duration {`
	`397`	`+// Compiled at startup no need to recheck here.`
	`398`	`+program,_:=api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()`
	`399`	`+ifprogram==nil {`
	`400`	`+// No expression configured, use global max`
	`401`	`+returnapi.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
`416`	`402`	`}`
`417`	`403`
`418`		`-// Early return for no roles`
`419`		`-iflen(roles)==0 {`
`420`		`-returnglobalMaxDefault`
`421`		`-}`
	`404`	`+globalMax:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
	`405`	`+defaultDuration:=api.DeploymentValues.Sessions.DefaultTokenDuration.Value()`
`422`	`406`
`423`		`-// Find the maximum lifetime among all roles`
`424`		`-// This includes both role-specific lifetimes and the global default`
`425`		`-maxLifetime:=globalMaxDefault`
	`407`	`+// Convert subject to CEL-friendly format`
	`408`	`+celSubject:=celtoken.ConvertSubjectToCEL(subject)`
`426`	`409`
`427`		`-for_,role:=rangeroles {`
`428`		`-roleDuration:=api.DeploymentValues.Sessions.MaxTokenLifetimeForRole(role)`
`429`		`-ifroleDuration>maxLifetime {`
`430`		`-maxLifetime=roleDuration`
`431`		`-}`
	`410`	`+// Evaluate CEL expression with typed struct`
	`411`	`+// TODO: Consider adding timeout protection in future iterations`
	`412`	`+out,_,err:=program.Eval(map[string]interface{}{`
	`413`	`+"subject":celSubject,`
	`414`	`+"globalMaxDuration":globalMax,`
	`415`	`+"defaultDuration":defaultDuration,`
	`416`	`+})`
	`417`	`+iferr!=nil {`
	`418`	`+api.Logger.Error(ctx,"the CEL evaluation failed, using default duration",slog.Error(err))`
	`419`	`+returndefaultDuration`
`432`	`420`	`}`
`433`	`421`
`434`		`-returnmaxLifetime`
	`422`	`+// Convert result to time.Duration`
	`423`	`+// CEL returns types.Duration, not time.Duration directly`
	`424`	`+switchv:=out.Value().(type) {`
	`425`	`+case types.Duration:`
	`426`	`+returnv.Duration`
	`427`	`+case time.Duration:`
	`428`	`+returnv`
	`429`	`+default:`
	`430`	`+api.Logger.Error(ctx,"the CEL expression did not return a duration, using default duration",`
	`431`	`+slog.F("result_type",fmt.Sprintf("%T",out.Value())),`
	`432`	`+slog.F("result_value",out.Value()))`
	`433`	`+returndefaultDuration`
	`434`	`+}`
`435`	`435`	`}`
`436`	`436`
`437`	`437`	`func (apiAPI)createAPIKey(ctx context.Context,params apikey.CreateParams) (http.Cookie,*database.APIKey,error) {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc5117c4

File tree

25 files changed

25 files changed

`‎.swaggo`

`‎cli/server.go`

`‎cli/testdata/coder_server_--help.golden`

`‎cli/testdata/server-config.yaml.golden`

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/apikey.go`

0 commit comments