This PR fixes an issue with API key scopes and workspace creation. Previously, the RBAC policy allowed creation of resources with an empty ID in the allow list, but this approach was inconsistent with how other permissions work.

The changes:

Update the Rego policy to properly handle "create" actions by checking if the resource type is in the allow list
Add tests to verify that workspace creation requires a matching type entry in the allow list
Add tests for scope filtering to ensure proper behavior
Add a test to verify that authorization requires a scope
Add a test to ensure workspace agent scope allow lists contain the correct elements

These changes ensure that API key scopes are properly enforced for creation operations while maintaining backward compatibility.

ThomasK33 mentioned this pull request

Sep 29, 2025

feat: add API key metadata to audit logs#19996

Closed

github-actionsbot assignedThomasK33

Sep 29, 2025

This was referencedSep 29, 2025

feat: implement API key scopes database migration#19861

Merged

feat: add lint check for API key scope enum completeness#19862

Merged

chore: upgrade Node.js from 20.19.4 to 22.19.0 and update dependencies#19870

Merged

feat: generate RBAC scope name constants#19896

Merged

feat: add public RBAC scope catalog for user-requestable permissions#19913

Merged

feat: add external API key scopes#19916

Merged

feat: add multi-scope support to API keys#19917

Merged

feat: publish RBAC scopes in OAuth2 metadata endpoints#19942

Merged

feat: implement composite API key scopes for workspaces and templates#19945

Merged

feat: add allow_list to resource-scoped API tokens#19964

Merged

feat: add allow list to API keys#19972

Open

feat: add API endpoint to update token API keys#19983

Open

feat: add scoped token support to CLI#19985

Open

Copy link

MemberAuthor

ThomasK33 commentedSep 29, 2025•
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
Learn more

fix: improve RBAC scope allow list handling for create actions #20008: 2 dependent PRs (#20021 ,#20035 ) 👈(View in Graphite)
feat: add scoped token support to CLI #19985: 1 other dependent PR (#19991 )
feat: add API endpoint to update token API keys #19983
feat: add allow list to API keys #19972
feat: add allow_list to resource-scoped API tokens #19964
refactor: add wildcard scope entries for API key scopes #20032
main

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

ThomasK33 mentioned this pull request

Sep 29, 2025

feat: add scope enforcement metrics to RBAC authorizer#19991

Closed

This was linked to issuesSep 29, 2025

Backward compatibility tests and fixtures#19860

Open

OPA/Policy: ensure scope and allow-list checks#19852

Open

This was unlinked from issuesSep 29, 2025

OPA/Policy: ensure scope and allow-list checks#19852

Open

Backward compatibility tests and fixtures#19860

Open

ThomasK33 linked an issue

Sep 29, 2025

that may beclosed by this pull request

OPA/Policy: ensure scope and allow-list checks#19852

Open

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch from5ac8d9c tobd1ff54Compare

September 29, 2025 13:25

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch fromf53f9aa to7a79289Compare

September 29, 2025 13:25

ThomasK33 marked this pull request as ready for review

September 29, 2025 16:12

ThomasK33 requested a review fromEmyrk as acode owner

September 29, 2025 16:12

ThomasK33 requested a review fromjohnstcn

September 29, 2025 16:12

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch from7a79289 tof38d137Compare

September 29, 2025 16:15

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch frombd1ff54 toeedeed8Compare

September 29, 2025 16:15

ThomasK33 mentioned this pull request

Sep 29, 2025

feat: add legacy API key scope compatibility#20021

Closed

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch 2 times, most recently from09d60e6 to4bb9040Compare

October 6, 2025 09:42

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch 2 times, most recently from4280771 to384a406Compare

October 6, 2025 10:11

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch 2 times, most recently fromcc44d1c to4c9762eCompare

October 6, 2025 10:48

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch 2 times, most recently from154d4a1 tocafac8dCompare

October 6, 2025 11:24

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch 2 times, most recently fromc9ad043 to610e5e7Compare

October 6, 2025 11:57

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch fromcafac8d to393492aCompare

October 6, 2025 11:57

Emyrk self-assigned this

Oct 6, 2025

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch from610e5e7 to14537dbCompare

October 6, 2025 21:16

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch from393492a to2c9a4c1Compare

October 6, 2025 21:16

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch from14537db tofd7df7cCompare

October 6, 2025 21:40

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch 2 times, most recently from7915a16 toe153689Compare

October 7, 2025 16:38

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch fromfd7df7c to80f543aCompare

October 7, 2025 16:38

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch frome153689 to48d0e45Compare

October 9, 2025 12:56

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch from80f543a toc18adc2Compare

October 9, 2025 12:56

ThomasK33 force-pushed thethomask33/09-28-add_api_key_audit_metadata branch from48d0e45 to0f2c153Compare

October 9, 2025 13:06

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch fromc18adc2 todda7c9aCompare

October 9, 2025 13:06

feat: introduce typed allow_list for RBAC scopes

31abb13

The allow_list for RBAC scopes has been updated to use typed elementsof the form `{type: string, id: string}` instead of raw string IDs.This change enables more granular authorization policies. Specifically, itmodifies the behavior for "create" actions. A create operation is nowpermitted if the scope's allow_list contains an entry matching theresource type, even without a specific ID. This is useful for scenarioslike workspace agent tokens which need to create resources but cannotknow the ID ahead of time.For all other actions (e.g., read, update, delete), the allow_listmust still contain an entry that matches both the type and the specificID of the resource.The Rego policy, relevant Go code, and tests have been updated toimplement and verify this new typed allow_list behavior.

ThomasK33 changed the base branch fromthomask33/09-28-add_api_key_audit_metadata tographite-base/20008

October 9, 2025 15:31

ThomasK33 requested review fromParkreiner andaslilac ascode owners

October 9, 2025 15:31

ThomasK33 changed the base branch fromgraphite-base/20008 tothomask33/09-26-add_token_scope_support_in_cli

October 9, 2025 15:32

ThomasK33 force-pushed thethomask33/09-29-feat_typed_rbac_allow_list branch fromdda7c9a to31abb13Compare

October 9, 2025 15:38

This was referencedOct 9, 2025

feat: replace ExternalAPIKeyScopes with detailed ScopeCatalog#20248

Draft

feat: add scopes and resource allow-list to API tokens#20249