Commit24afdea

feat: add public API key scope endpoint
Add a /auth/scopes endpoint returning the curated list of public low-level API key scopes (resource:action format). This read-only endpoint requires no authentication and provides SDK constants for all public scopes.
1 parentb7ba894 commit24afdea

13 files changed

+2550
-1864
lines changed


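--- a/Makefile
+++ b/Makefile
@@ -646,6 +646,7 @@ GEN_FILES := \
 coderd/rbac/object_gen.go\
 codersdk/rbacresources_gen.go\
 coderd/rbac/scopes_constants_gen.go\
+codersdk/apikey_scopes_gen.go\
 docs/admin/integrations/prometheus.md\
 docs/reference/cli/index.md\
 docs/admin/security/audit-logs.md\
@@ -846,6 +847,12 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m
 mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go
 touch "$@"
 
+codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go
+# Generate SDK constants for public low-level API key scopes.
+go run ./scripts/apikeyscopesgen> /tmp/apikey_scopes_gen.go
+mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go
+touch"$@"
+
 site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 go run scripts/typegen/main.go rbac typescript>"$@"
 (cd site/&& pnpmexec biome format --write src/api/rbacresourcesGenerated.ts)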
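Review bot: The new `codersdk/apikey_scopes_gen.go` rule writes the generator output to the fixed, predictable path `/tmp/apikey_scopes_gen.go` in the shared temp directory before moving it into the tree. That mirrors the existing `rbacresources_gen.go` rule above it, so it is consistent, but a per-target scratch file next to the output avoids the shared-`/tmp` dependency entirely: `go run ./scripts/apikeyscopesgen > "$@.tmp" && mv "$@.tmp" "$@"`. The rendered view has dropped the recipe indentation, so I cannot confirm from here that the recipe lines are tab-prefixed; worth a glance before merge.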

‎coderd/apidoc/docs.go‎

Lines changed: 85 additions & 2 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 87 additions & 2 deletions
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
package coderd_test
2+
3+
import (
4+
"context"
5+
"testing"
6+
"time"
7+
8+
"github.com/stretchr/testify/require"
9+
10+
"github.com/coder/coder/v2/coderd/coderdtest"
11+
"github.com/coder/coder/v2/codersdk"
12+
"github.com/coder/coder/v2/testutil"
13+
)
14+
15+
funcTestTokenCreation_AllowsPublicLowLevelScope(t*testing.T) {
16+
t.Parallel()
17+
client:=coderdtest.New(t,nil)
18+
_=coderdtest.CreateFirstUser(t,client)
19+
20+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
21+
defercancel()
22+
23+
// Request a token with a public low-level scope
24+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
25+
Scope:codersdk.APIKeyScope("workspace:read"),
26+
})
27+
require.NoError(t,err)
28+
require.NotEmpty(t,resp.Key)
29+
}
30+
31+
funcTestTokenCreation_RejectsInternalOnlyScope(t*testing.T) {
32+
t.Parallel()
33+
client:=coderdtest.New(t,nil)
34+
_=coderdtest.CreateFirstUser(t,client)
35+
36+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
37+
defercancel()
38+
39+
// debug_info:read is a valid RBAC pair but not public in the catalog
40+
_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
41+
Scope:codersdk.APIKeyScope("debug_info:read"),
42+
})
43+
require.Error(t,err)
44+
}
45+
46+
funcTestTokenCreation_AllowsLegacyScopes(t*testing.T) {
47+
t.Parallel()
48+
client:=coderdtest.New(t,nil)
49+
_=coderdtest.CreateFirstUser(t,client)
50+
51+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
52+
defercancel()
53+
54+
// Legacy: application_connect
55+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
56+
Scope:codersdk.APIKeyScopeApplicationConnect,
57+
})
58+
require.NoError(t,err)
59+
require.NotEmpty(t,resp.Key)
60+
}
61+
62+
funcTestTokenCreation_AllowsCanonicalSpecialScope(t*testing.T) {
63+
client:=coderdtest.New(t,nil)
64+
_=coderdtest.CreateFirstUser(t,client)
65+
66+
ctx,cancel:=context.WithTimeout(t.Context(),10*time.Second)
67+
defercancel()
68+
69+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
70+
Scope:codersdk.APIKeyScopeApplicationConnect,
71+
})
72+
require.NoError(t,err)
73+
require.NotEmpty(t,resp.Key)
74+
}
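Review bot: `TestTokenCreation_RejectsInternalOnlyScope` only asserts `require.Error(t, err)`, so a transport failure or an unrelated 5xx would also make it pass; the test should pin the rejection as a client-side validation response, e.g. `var sdkErr *codersdk.Error` / `require.ErrorAs(t, err, &sdkErr)` / `require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())` (needs `net/http`; adjust the status if the handler uses a different code for a non-public scope, which this diff does not show). `TestTokenCreation_AllowsCanonicalSpecialScope` exercises the same `codersdk.APIKeyScopeApplicationConnect` value as `TestTokenCreation_AllowsLegacyScopes`, so it adds no coverage while also omitting `t.Parallel()` and using a literal `10*time.Second` instead of `testutil.WaitShort` like its siblings; either drop it or give it the distinct canonical spelling its name implies. The file header for this section is not rendered on the page, so I could not confirm which test file these functions live in.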

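--- a/coderd/scopes_catalog.go
+++ b/coderd/scopes_catalog.go
@@ -0,0 +1,22 @@
+package coderd
+
+import (
+"net/http"
+
+"github.com/coder/coder/v2/coderd/httpapi"
+"github.com/coder/coder/v2/coderd/rbac"
+)
+
+// listPublicLowLevelScopes returns the curated list of public low-level
+// API key scopes (resource:action). This endpoint is read-only and does not
+// require authentication.
+//
+// @Summary List public API key scopes
+// @ID list-public-low-level-scopes
+// @Produce json
+// @Tags Authorization
+// @Success 200 {array} string
+// @Router /auth/scopes [get]
+func (*API)listPublicLowLevelScopes(rw http.ResponseWriter,r*http.Request) {
+httpapi.Write(r.Context(),rw,http.StatusOK,rbac.ExternalScopeNames())
+}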
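Review bot: The handler hands `rbac.ExternalScopeNames()` straight to `httpapi.Write`; if that helper ever returns a nil slice (an empty catalog, or a filtered result with no survivors) the body encodes as `null` rather than `[]`, which the `@Success 200 {array} string` contract and generated SDK clients will not expect. Normalising before writing keeps the documented shape: `names := rbac.ExternalScopeNames()` / `if names == nil { names = []string{} }` / `httpapi.Write(r.Context(), rw, http.StatusOK, names)` (assuming the helper returns `[]string`, which the decoding in `scopes_catalog_api_test.go` suggests). The doc comment states the route needs no authentication, but the route registration is not in this diff, so I cannot confirm it sits in the same unauthenticated router group, with the same rate limiting, as the other public routes; that is where the claim is actually enforced.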

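--- a/coderd/scopes_catalog_api_test.go
+++ b/coderd/scopes_catalog_api_test.go
@@ -0,0 +1,28 @@
+package coderd_test
+
+import (
+"encoding/json"
+"net/http"
+"testing"
+
+"github.com/stretchr/testify/require"
+
+"github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/rbac"
+)
+
+funcTestListPublicLowLevelScopes(t*testing.T) {
+t.Parallel()
+client:=coderdtest.New(t,nil)
+
+res,err:=client.Request(t.Context(),http.MethodGet,"/api/v2/auth/scopes",nil)
+require.NoError(t,err)
+deferres.Body.Close()
+require.Equal(t,http.StatusOK,res.StatusCode)
+
+vargot []string
+require.NoError(t,json.NewDecoder(res.Body).Decode(&got))
+
+want:=rbac.ExternalScopeNames()
+require.Equal(t,want,got)
+}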
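Review bot: `require.Equal(t, want, got)` with `want := rbac.ExternalScopeNames()` is circular: the same function produces both the response and the expectation, so the test still passes if the catalog ever leaks a non-public scope or shrinks to nothing. Give the contract a floor that is independent of the helper, e.g. `require.NotEmpty(t, got)` and `require.NotContains(t, got, "debug_info:read")` (the scope the token tests in this commit treat as internal-only), and keep the `Equal` as a consistency check. A one-line comment such as `// No CreateFirstUser: the client carries no session token, so this request must succeed unauthenticated.` would document that the test is exercising the endpoint's unauthenticated contract, which is presumably what `coderdtest.New(t, nil)` without a first user gives you; worth confirming against the helper.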

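--- a/codersdk/apikey.go
+++ b/codersdk/apikey.go
@@ -42,14 +42,6 @@ const (
 
 typeAPIKeyScopestring
 
-const (
-// APIKeyScopeAll is a scope that allows the user to do everything.
-APIKeyScopeAllAPIKeyScope="all"
-// APIKeyScopeApplicationConnect is a scope that allows the user
-// to connect to applications in a workspace.
-APIKeyScopeApplicationConnectAPIKeyScope="application_connect"
-)
-
 typeCreateTokenRequeststruct {
 Lifetime time.Duration`json:"lifetime"`
 ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`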
