NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit3e06647

committed

feat: rename special API key scopes to coder:* namespace

This change unifies scope handling by migrating special scopes to thecoder:* namespace while maintaining backward compatibility:- Database: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'- API accepts both legacy and canonical forms in requests- Responses maintain legacy format for existing client compatibility- Scope catalog returns all public scopes including canonical specials- Validation enforces public scope requirements using unified logicThe migration preserves existing API key functionality while establishingconsistent scope naming conventions for future extensibility.

1 parente25866a commit3e06647Copy full SHA for 3e06647

File tree

31 files changed

+341

-127

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- apikey.go
- apikey_scopes_validation_test.go
- apikey
  - apikey.go
  - apikey_test.go
- database
  - dbauthz
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - dump.sql
  - migrations
    - 000372_canonicalize_special_api_key_scopes.down.sql
    - 000372_canonicalize_special_api_key_scopes.up.sql
  - modelmethods.go
  - modelmethods_internal_test.go
  - models.go
  - queries.sql.go
  - queries
    - apikeys.sql
- httpmw
- rbac
  - scopes.go
  - scopes_catalog.go
- scopes_catalog.go
- scopes_catalog_api_test.go
- userauth_test.go
- users.go
- workspaceapps.go
codersdk
- apikey.go
docs/reference/api
site/src/api
- typesGenerated.ts

31 files changed

+341

-127

lines changed

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import (`
`5`	`5`	`"fmt"`
`6`	`6`	`"net/http"`
`7`	`7`	`"strconv"`
	`8`	`+"strings"`
`8`	`9`	`"time"`
`9`	`10`
`10`	`11`	`"github.com/go-chi/chi/v5"`
`@@ -66,9 +67,37 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`66`	`67`	`return`
`67`	`68`	`}`
`68`	`69`
`69`		`-scope:=database.APIKeyScopeAll`
`70`		`-ifscope!="" {`
`71`		`-scope=database.APIKeyScope(createToken.Scope)`
	`70`	`+// Compatibility shim: accept singular "scope" or plural "scopes".`
	`71`	`+// Convert to canonical coder:* specials where applicable.`
	`72`	`+varrequested []string`
	`73`	`+iflen(createToken.Scopes)>0 {`
	`74`	`+for_,s:=rangecreateToken.Scopes {`
	`75`	`+requested=append(requested,string(s))`
	`76`	`+}`
	`77`	`+}elseifs:=strings.TrimSpace(string(createToken.Scope));s!="" {`
	`78`	`+requested=append(requested,s)`
	`79`	`+}`
	`80`	`+`
	`81`	`+fori,s:=rangerequested {`
	`82`	`+switchs {`
	`83`	`+case"all":`
	`84`	`+requested[i]="coder:all"`
	`85`	`+case"application_connect":`
	`86`	`+requested[i]="coder:application_connect"`
	`87`	`+}`
	`88`	`+}`
	`89`	`+`
	`90`	`+vardbScopes database.APIKeyScopes`
	`91`	`+for_,s:=rangerequested {`
	`92`	`+ifrbac.IsPublicScope(rbac.ScopeName(s)) {`
	`93`	`+dbScopes=append(dbScopes,database.APIKeyScope(s))`
	`94`	`+continue`
	`95`	`+}`
	`96`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`97`	`+Message:"Invalid API key scope.",`
	`98`	`+Detail:fmt.Sprintf("scope %q is not public or not recognized",s),`
	`99`	`+})`
	`100`	`+return`
`72`	`101`	`}`
`73`	`102`
`74`	`103`	`tokenName:=namesgenerator.GetRandomName(1)`
`@@ -81,7 +110,7 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`81`	`110`	`UserID:user.ID,`
`82`	`111`	`LoginType:database.LoginTypeToken,`
`83`	`112`	`DefaultLifetime:api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),`
`84`		`-Scope:scope,`
	`113`	`+Scopes:dbScopes,`
`85`	`114`	`TokenName:tokenName,`
`86`	`115`	`}`
`87`	`116`

`‎coderd/apikey/apikey.go‎`

Lines changed: 19 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,9 +25,13 @@ type CreateParams struct {`
`25`	`25`	`// Optional.`
`26`	`26`	`ExpiresAt time.Time`
`27`	`27`	`LifetimeSecondsint64`
`28`		`-Scope database.APIKeyScope`
`29`		`-TokenNamestring`
`30`		`-RemoteAddrstring`
	`28`	`+// Deprecated: use Scopes. If set and Scopes is empty, Generate will create`
	`29`	`+// a single-element Scopes slice containing this value.`
	`30`	`+Scope database.APIKeyScope`
	`31`	+// If empty and Scope is also empty, Scopes default to the `coder:all`.
	`32`	`+Scopes database.APIKeyScopes`
	`33`	`+TokenNamestring`
	`34`	`+RemoteAddrstring`
`31`	`35`	`}`
`32`	`36`
`33`	`37`	`// Generate generates an API key, returning the key as a string as well as the`
`@@ -62,14 +66,17 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`62`	`66`
`63`	`67`	`bitlen:=len(ip)*8`
`64`	`68`
`65`		`-scope:=database.APIKeyScopeAll`
`66`		`-ifparams.Scope!="" {`
`67`		`-scope=params.Scope`
`68`		`-}`
`69`		`-switchscope {`
`70`		`-casedatabase.APIKeyScopeAll,database.APIKeyScopeApplicationConnect:`
`71`		`-default:`
`72`		`-return database.InsertAPIKeyParams{},"",xerrors.Errorf("invalid API key scope: %q",scope)`
	`69`	`+// Decide scopes using compatibility rules:`
	`70`	`+// 1) If Scopes provided, use as-is.`
	`71`	`+// 2) Else if Scope provided, wrap it.`
	`72`	`+// 3) Else default to canonical coder:all.`
	`73`	`+scopes:=params.Scopes`
	`74`	`+iflen(scopes)==0 {`
	`75`	`+ifparams.Scope!="" {`
	`76`	`+scopes= database.APIKeyScopes{params.Scope}`
	`77`	`+}else {`
	`78`	`+scopes= database.APIKeyScopes{database.APIKeyScope("coder:all")}`
	`79`	`+}`
`73`	`80`	`}`
`74`	`81`
`75`	`82`	`token:=fmt.Sprintf("%s-%s",keyID,keySecret)`
`@@ -92,7 +99,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`92`	`99`	`UpdatedAt:dbtime.Now(),`
`93`	`100`	`HashedSecret:hashed[:],`
`94`	`101`	`LoginType:params.LoginType,`
`95`		`-Scopes:database.APIKeyScopes{scope},`
	`102`	`+Scopes:scopes,`
`96`	`103`	`AllowList: database.AllowList{database.AllowListWildcard()},`
`97`	`104`	`TokenName:params.TokenName,`
`98`	`105`	`},token,nil`

`‎coderd/apikey/apikey_test.go‎`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {`
`35`	`35`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`36`	`36`	`TokenName:"hello",`
`37`	`37`	`RemoteAddr:"1.2.3.4",`
`38`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`38`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`39`	`39`	`},`
`40`	`40`	`},`
`41`	`41`	`{`
`@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {`
`62`	`62`	`ExpiresAt: time.Time{},`
`63`	`63`	`TokenName:"hello",`
`64`	`64`	`RemoteAddr:"1.2.3.4",`
`65`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`65`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`66`	`66`	`},`
`67`	`67`	`},`
`68`	`68`	`{`
`@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {`
`75`	`75`	`ExpiresAt: time.Time{},`
`76`	`76`	`TokenName:"hello",`
`77`	`77`	`RemoteAddr:"1.2.3.4",`
`78`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`78`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`79`	`79`	`},`
`80`	`80`	`},`
`81`	`81`	`{`
`@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {`
`88`	`88`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`89`	`89`	`TokenName:"hello",`
`90`	`90`	`RemoteAddr:"",`
`91`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`91`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`92`	`92`	`},`
`93`	`93`	`},`
`94`	`94`	`{`
`@@ -161,7 +161,7 @@ func TestGenerate(t *testing.T) {`
`161`	`161`	`iftc.params.Scope!="" {`
`162`	`162`	`assert.True(t,key.Scopes.Has(tc.params.Scope))`
`163`	`163`	`}else {`
`164`		`-assert.True(t,key.Scopes.Has(database.APIKeyScopeAll))`
	`164`	`+assert.True(t,key.Scopes.Has(database.ApiKeyScopeCoderAll))`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`iftc.params.TokenName!="" {`

`‎coderd/apikey_scopes_validation_test.go‎`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,3 +54,17 @@ func TestTokenCreation_AllowsLegacyScopes(t *testing.T) {`
`54`	`54`	`require.NoError(t,err)`
`55`	`55`	`require.NotEmpty(t,resp.Key)`
`56`	`56`	`}`
	`57`	`+`
	`58`	`+funcTestTokenCreation_AllowsCanonicalSpecialScope(t*testing.T) {`
	`59`	`+client:=coderdtest.New(t,nil)`
	`60`	`+_=coderdtest.CreateFirstUser(t,client)`
	`61`	`+`
	`62`	`+ctx,cancel:=context.WithTimeout(t.Context(),10*time.Second)`
	`63`	`+defercancel()`
	`64`	`+`
	`65`	`+resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`66`	`+Scope:codersdk.APIKeyScopeCoderApplicationConnect,`
	`67`	`+})`
	`68`	`+require.NoError(t,err)`
	`69`	`+require.NotEmpty(t,resp.Key)`
	`70`	`+}`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`251`	`251`	`}))`
`252`	`252`	`s.Run("InsertAPIKey",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`253`	`253`	`u:=testutil.Fake(s.T(),faker, database.User{})`
`254`		`-arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.APIKeyScopeAll},IPAddress:defaultIPAddress()}`
	`254`	`+arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderAll},IPAddress:defaultIPAddress()}`
`255`	`255`	`ret:=testutil.Fake(s.T(),faker, database.APIKey{UserID:u.ID,LoginType:database.LoginTypePassword})`
`256`	`256`	`dbm.EXPECT().InsertAPIKey(gomock.Any(),arg).Return(ret,nil).AnyTimes()`
`257`	`257`	`check.Args(arg).Asserts(rbac.ResourceApiKey.WithOwner(u.ID.String()),policy.ActionCreate)`
`@@ -265,7 +265,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`265`	`265`	`check.Args(arg).Asserts(a,policy.ActionUpdate).Returns()`
`266`	`266`	`}))`
`267`	`267`	`s.Run("DeleteApplicationConnectAPIKeysByUserID",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`268`		`-a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.APIKeyScopeApplicationConnect}})`
	`268`	`+a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderApplicationConnect}})`
`269`	`269`	`dbm.EXPECT().DeleteApplicationConnectAPIKeysByUserID(gomock.Any(),a.UserID).Return(nil).AnyTimes()`
`270`	`270`	`check.Args(a.UserID).Asserts(rbac.ResourceApiKey.WithOwner(a.UserID.String()),policy.ActionDelete).Returns()`
`271`	`271`	`}))`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`185`	`185`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
`186`	`186`	`UpdatedAt:takeFirst(seed.UpdatedAt,dbtime.Now()),`
`187`	`187`	`LoginType:takeFirst(seed.LoginType,database.LoginTypePassword),`
`188`		`-Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.APIKeyScopeAll}),`
	`188`	`+Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),`
`189`	`189`	`AllowList:takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),`
`190`	`190`	`TokenName:takeFirst(seed.TokenName),`
`191`	`191`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3e06647

File tree

31 files changed

31 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey.go‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/apikey/apikey_test.go‎`

`‎coderd/apikey_scopes_validation_test.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

0 commit comments