NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit4ec061d

committed

refactor: add allow_list field to API keys for resource scoping

- Add allow_list field to CreateTokenRequest API and database schema- Implement APIKeyEffectiveScope that merges scopes with token allow_list- Create x/wildcard package for type-safe wildcard values- Add rbac.ParseAllowList for validating and normalizing allow lists- Support resource targeting like "workspace:*" or "template:<uuid>"- Default to wildcard (*:*) for backward compatibility

1 parent71ff7de commit4ec061dCopy full SHA for 4ec061d

File tree

13 files changed

+579

-6

lines changed

.swaggo
coderd
- apidoc
  - swagger.json
- rbac
  - allowlist.go
  - allowlist_test.go
codersdk
- allowlist.go
- allowlist_test.go
docs/reference/api
- schemas.md
- users.md
scripts/apitypings/testdata/wildcarduse
- wildcarduse.go
- wildcarduse.ts
site/src/api
- typesGenerated.ts
x/wildcard
- wildcard.go
- wildcard_internal_test.go

13 files changed

+579

-6

lines changed

`‎.swaggo‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,3 +6,11 @@ replace time.Duration int64`
`6`	`6`	`replace github.com/coder/coder/v2/codersdk.ProvisionerType string`
`7`	`7`	`// Do not render netip.Addr`
`8`	`8`	`replace netip.Addr string`
	`9`	`+`
	`10`	`+// Map generics of wildcard.Value[T] to concrete, client-friendly types.`
	`11`	`+`
	`12`	`+// Type: wildcard.Value[codersdk.RBACResource] -> codersdk.RBACResource (already includes "*")`
	`13`	`+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-codersdk_RBACResource github.com/coder/coder/v2/codersdk.RBACResource`
	`14`	`+`
	`15`	`+// ID: wildcard.Value[uuid.UUID] -> string (we’ll add a doc note to allow "*")`
	`16`	`+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-uuid_UUID string`

`‎coderd/apidoc/swagger.json‎`

Lines changed: 17 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/allowlist.go‎`

Lines changed: 118 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,118 @@`
	`1`	`+package rbac`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"sort"`
	`5`	`+"strings"`
	`6`	`+`
	`7`	`+"github.com/google/uuid"`
	`8`	`+"golang.org/x/xerrors"`
	`9`	`+`
	`10`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
	`11`	`+)`
	`12`	`+`
	`13`	`+// ParseAllowListEntry parses a single allow-list entry string in the form`
	`14`	`+// ":", "<resource_type>:*", or "<resource_type>:<uuid>" into an`
	`15`	`+// AllowListElement with validation.`
	`16`	`+funcParseAllowListEntry(sstring) (AllowListElement,error) {`
	`17`	`+s=strings.TrimSpace(strings.ToLower(s))`
	`18`	`+res,id,ok:=ParseResourceAction(s)`
	`19`	`+if!ok {`
	`20`	`+returnAllowListElement{},xerrors.Errorf("invalid allow_list entry %q: want <type>:<id>",s)`
	`21`	`+}`
	`22`	`+`
	`23`	`+returnNewAllowListElement(res,id)`
	`24`	`+}`
	`25`	`+`
	`26`	`+funcNewAllowListElement(resourceTypestring,idstring) (AllowListElement,error) {`
	`27`	`+ifresourceType!=policy.WildcardSymbol {`
	`28`	`+if_,ok:=policy.RBACPermissions[resourceType];!ok {`
	`29`	`+returnAllowListElement{},xerrors.Errorf("unknown resource type %q",resourceType)`
	`30`	`+}`
	`31`	`+}`
	`32`	`+ifid!=policy.WildcardSymbol {`
	`33`	`+if_,err:=uuid.Parse(id);err!=nil {`
	`34`	`+returnAllowListElement{},xerrors.Errorf("invalid %s ID (must be UUID): %q",resourceType,id)`
	`35`	`+}`
	`36`	`+}`
	`37`	`+`
	`38`	`+returnAllowListElement{Type:resourceType,ID:id},nil`
	`39`	`+}`
	`40`	`+`
	`41`	`+// ParseAllowList parses, validates, normalizes, and deduplicates a list of`
	`42`	`+// allow-list entries. If max is <=0, a default cap of 128 is applied.`
	`43`	`+funcParseAllowList(inputs []string,maxint) ([]AllowListElement,error) {`
	`44`	`+iflen(inputs)==0 {`
	`45`	`+returnnil,nil`
	`46`	`+}`
	`47`	`+ifmax<=0 {`
	`48`	`+max=128`
	`49`	`+}`
	`50`	`+iflen(inputs)>max {`
	`51`	`+returnnil,xerrors.Errorf("allow_list has %d entries; max allowed is %d",len(inputs),max)`
	`52`	`+}`
	`53`	`+`
	`54`	`+elems:=make([]AllowListElement,0,len(inputs))`
	`55`	`+for_,s:=rangeinputs {`
	`56`	`+e,err:=ParseAllowListEntry(s)`
	`57`	`+iferr!=nil {`
	`58`	`+returnnil,err`
	`59`	`+}`
	`60`	`+// Global wildcard short-circuits`
	`61`	`+ife.Type==policy.WildcardSymbol&&e.ID==policy.WildcardSymbol {`
	`62`	`+return []AllowListElement{AllowListAll()},nil`
	`63`	`+}`
	`64`	`+elems=append(elems,e)`
	`65`	`+}`
	`66`	`+`
	`67`	`+returnNewAllowList(elems,max)`
	`68`	`+}`
	`69`	`+`
	`70`	`+funcNewAllowList(inputs []AllowListElement,maxint) ([]AllowListElement,error) {`
	`71`	`+iflen(inputs)==0 {`
	`72`	`+returnnil,nil`
	`73`	`+}`
	`74`	`+ifmax<=0 {`
	`75`	`+max=128`
	`76`	`+}`
	`77`	`+iflen(inputs)>max {`
	`78`	`+returnnil,xerrors.Errorf("allow_list has %d entries; max allowed is %d",len(inputs),max)`
	`79`	`+}`
	`80`	`+`
	`81`	`+// Collapse typed wildcards and drop shadowed IDs`
	`82`	`+typedWildcard:=map[string]struct{}{}`
	`83`	`+idsByType:=map[string]map[string]struct{}{}`
	`84`	`+for_,e:=rangeinputs {`
	`85`	`+// Global wildcard short-circuits`
	`86`	`+ife.Type==policy.WildcardSymbol&&e.ID==policy.WildcardSymbol {`
	`87`	`+return []AllowListElement{AllowListAll()},nil`
	`88`	`+}`
	`89`	`+`
	`90`	`+ife.ID==policy.WildcardSymbol {`
	`91`	`+typedWildcard[e.Type]=struct{}{}`
	`92`	`+continue`
	`93`	`+}`
	`94`	`+ifidsByType[e.Type]==nil {`
	`95`	`+idsByType[e.Type]=map[string]struct{}{}`
	`96`	`+}`
	`97`	`+idsByType[e.Type][e.ID]=struct{}{}`
	`98`	`+}`
	`99`	`+`
	`100`	`+out:=make([]AllowListElement,0)`
	`101`	`+fort,ids:=rangeidsByType {`
	`102`	`+if_,ok:=typedWildcard[t];ok {`
	`103`	`+out=append(out,AllowListElement{Type:t,ID:policy.WildcardSymbol})`
	`104`	`+continue`
	`105`	`+}`
	`106`	`+forid:=rangeids {`
	`107`	`+out=append(out,AllowListElement{Type:t,ID:id})`
	`108`	`+}`
	`109`	`+}`
	`110`	`+`
	`111`	`+sort.Slice(out,func(i,jint)bool {`
	`112`	`+ifout[i].Type==out[j].Type {`
	`113`	`+returnout[i].ID<out[j].ID`
	`114`	`+}`
	`115`	`+returnout[i].Type<out[j].Type`
	`116`	`+})`
	`117`	`+returnout,nil`
	`118`	`+}`

`‎coderd/rbac/allowlist_test.go‎`

Lines changed: 64 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,64 @@`
	`1`	`+package rbac`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"testing"`
	`5`	`+`
	`6`	`+"github.com/google/uuid"`
	`7`	`+"github.com/stretchr/testify/require"`
	`8`	`+)`
	`9`	`+`
	`10`	`+funcTestParseAllowListEntry(t*testing.T) {`
	`11`	`+t.Parallel()`
	`12`	`+e,err:=ParseAllowListEntry(":")`
	`13`	`+require.NoError(t,err)`
	`14`	`+require.Equal(t,AllowListElement{Type:"",ID:""},e)`
	`15`	`+`
	`16`	`+e,err=ParseAllowListEntry("workspace:*")`
	`17`	`+require.NoError(t,err)`
	`18`	`+require.Equal(t,AllowListElement{Type:"workspace",ID:"*"},e)`
	`19`	`+`
	`20`	`+id:=uuid.New().String()`
	`21`	`+e,err=ParseAllowListEntry("template:"+id)`
	`22`	`+require.NoError(t,err)`
	`23`	`+require.Equal(t,AllowListElement{Type:"template",ID:id},e)`
	`24`	`+`
	`25`	`+_,err=ParseAllowListEntry("unknown:*")`
	`26`	`+require.Error(t,err)`
	`27`	`+_,err=ParseAllowListEntry("workspace:bad-uuid")`
	`28`	`+require.Error(t,err)`
	`29`	`+_,err=ParseAllowListEntry(":")`
	`30`	`+require.Error(t,err)`
	`31`	`+}`
	`32`	`+`
	`33`	`+funcTestParseAllowListNormalize(t*testing.T) {`
	`34`	`+t.Parallel()`
	`35`	`+id1:=uuid.New().String()`
	`36`	`+id2:=uuid.New().String()`
	`37`	`+`
	`38`	`+// Global wildcard short-circuits`
	`39`	`+out,err:=ParseAllowList([]string{"workspace:"+id1,":","template:"+id2},128)`
	`40`	`+require.NoError(t,err)`
	`41`	`+require.Equal(t, []AllowListElement{{Type:"",ID:""}},out)`
	`42`	`+`
	`43`	`+// Typed wildcard collapses typed ids`
	`44`	`+out,err=ParseAllowList([]string{"workspace:*","workspace:"+id1,"workspace:"+id2},128)`
	`45`	`+require.NoError(t,err)`
	`46`	`+require.Equal(t, []AllowListElement{{Type:"workspace",ID:"*"}},out)`
	`47`	`+`
	`48`	`+// Dedup ids and sort deterministically`
	`49`	`+out,err=ParseAllowList([]string{"template:"+id2,"template:"+id2,"template:"+id1},128)`
	`50`	`+require.NoError(t,err)`
	`51`	`+require.Len(t,out,2)`
	`52`	`+require.Equal(t,"template",out[0].Type)`
	`53`	`+require.Equal(t,"template",out[1].Type)`
	`54`	`+}`
	`55`	`+`
	`56`	`+funcTestParseAllowListLimit(t*testing.T) {`
	`57`	`+t.Parallel()`
	`58`	`+inputs:=make([]string,0,130)`
	`59`	`+forrange130 {`
	`60`	`+inputs=append(inputs,"workspace:"+uuid.New().String())`
	`61`	`+}`
	`62`	`+_,err:=ParseAllowList(inputs,128)`
	`63`	`+require.Error(t,err)`
	`64`	`+}`

`‎codersdk/allowlist.go‎`

Lines changed: 75 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,75 @@`
	`1`	`+package codersdk`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"encoding/json"`
	`5`	`+"fmt"`
	`6`	`+"strings"`
	`7`	`+`
	`8`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
	`9`	`+"github.com/coder/coder/v2/x/wildcard"`
	`10`	`+"github.com/google/uuid"`
	`11`	`+)`
	`12`	`+`
	`13`	`+// APIAllowListTarget is a typed allow-list entry that marshals to a single string`
	`14`	`+// "<resource_type>:<id>" where "*" is used as a wildcard for either side.`
	`15`	`+typeAPIAllowListTargetstruct {`
	`16`	`+Type wildcard.Value[RBACResource]`
	`17`	`+ID wildcard.Value[uuid.UUID]`
	`18`	`+}`
	`19`	`+`
	`20`	`+funcAllowAllTarget()APIAllowListTarget {`
	`21`	`+returnAPIAllowListTarget{}`
	`22`	`+}`
	`23`	`+`
	`24`	`+funcAllowTypeTarget(rRBACResource)APIAllowListTarget {`
	`25`	`+returnAPIAllowListTarget{Type:wildcard.Of(r)}`
	`26`	`+}`
	`27`	`+`
	`28`	`+funcAllowResourceTarget(rRBACResource,id uuid.UUID)APIAllowListTarget {`
	`29`	`+returnAPIAllowListTarget{Type:wildcard.Of(r),ID:wildcard.Of(id)}`
	`30`	`+}`
	`31`	`+`
	`32`	`+// String returns the canonical string representation "<type>:<id>" with "*" wildcards.`
	`33`	`+func (tAPIAllowListTarget)String()string {`
	`34`	`+returnt.Type.String()+":"+t.ID.String()`
	`35`	`+}`
	`36`	`+`
	`37`	`+// MarshalJSON encodes as a JSON string: "<type>:<id>".`
	`38`	`+func (tAPIAllowListTarget)MarshalJSON() ([]byte,error) {`
	`39`	`+returnjson.Marshal(t.String())`
	`40`	`+}`
	`41`	`+`
	`42`	`+// UnmarshalJSON decodes from a JSON string: "<type>:<id>".`
	`43`	`+func (t*APIAllowListTarget)UnmarshalJSON(b []byte)error {`
	`44`	`+varsstring`
	`45`	`+iferr:=json.Unmarshal(b,&s);err!=nil {`
	`46`	`+returnerr`
	`47`	`+}`
	`48`	`+parts:=strings.SplitN(strings.TrimSpace(s),":",2)`
	`49`	`+iflen(parts)!=2\|\|parts[0]==""\|\|parts[1]=="" {`
	`50`	`+returnfmt.Errorf("invalid allow_list entry %q: want <type>:<id>",s)`
	`51`	`+}`
	`52`	`+`
	`53`	`+// Type`
	`54`	`+ifparts[0]!=policy.WildcardSymbol {`
	`55`	`+t.Type=wildcard.Of(RBACResource(parts[0]))`
	`56`	`+}`
	`57`	`+`
	`58`	`+// ID`
	`59`	`+ifparts[1]!=policy.WildcardSymbol {`
	`60`	`+u,err:=uuid.Parse(parts[1])`
	`61`	`+iferr!=nil {`
	`62`	`+returnfmt.Errorf("invalid %s ID (must be UUID): %q",parts[0],parts[1])`
	`63`	`+}`
	`64`	`+t.ID=wildcard.Of(u)`
	`65`	`+}`
	`66`	`+returnnil`
	`67`	`+}`
	`68`	`+`
	`69`	`+// Implement encoding.TextMarshaler/Unmarshaler for broader compatibility`
	`70`	`+`
	`71`	`+func (tAPIAllowListTarget)MarshalText() ([]byte,error) {return []byte(t.String()),nil }`
	`72`	`+`
	`73`	`+func (t*APIAllowListTarget)UnmarshalText(b []byte)error {`
	`74`	`+returnt.UnmarshalJSON([]byte("\""+string(b)+"\""))`
	`75`	`+}`

`‎codersdk/allowlist_test.go‎`

Lines changed: 39 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,39 @@`
	`1`	`+package codersdk`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"encoding/json"`
	`5`	`+"testing"`
	`6`	`+`
	`7`	`+"github.com/google/uuid"`
	`8`	`+"github.com/stretchr/testify/require"`
	`9`	`+)`
	`10`	`+`
	`11`	`+funcTestAPIAllowListTarget_JSONRoundTrip(t*testing.T) {`
	`12`	`+t.Parallel()`
	`13`	`+`
	`14`	`+all:=AllowAllTarget()`
	`15`	`+b,err:=json.Marshal(all)`
	`16`	`+require.NoError(t,err)`
	`17`	+require.JSONEq(t,`":"`,string(b))
	`18`	`+varrtAPIAllowListTarget`
	`19`	`+require.NoError(t,json.Unmarshal(b,&rt))`
	`20`	`+require.True(t,rt.Type.IsAny())`
	`21`	`+require.True(t,rt.ID.IsAny())`
	`22`	`+`
	`23`	`+ty:=AllowTypeTarget(ResourceWorkspace)`
	`24`	`+b,err=json.Marshal(ty)`
	`25`	`+require.NoError(t,err)`
	`26`	+require.JSONEq(t,`"workspace:*"`,string(b))
	`27`	`+require.NoError(t,json.Unmarshal(b,&rt))`
	`28`	`+r,ok:=rt.Type.Value()`
	`29`	`+require.True(t,ok)`
	`30`	`+require.Equal(t,ResourceWorkspace,r)`
	`31`	`+require.True(t,rt.ID.IsAny())`
	`32`	`+`
	`33`	`+id:=uuid.New()`
	`34`	`+res:=AllowResourceTarget(ResourceTemplate,id)`
	`35`	`+b,err=json.Marshal(res)`
	`36`	`+require.NoError(t,err)`
	`37`	+exp:=`"template:`+id.String()+`"`
	`38`	`+require.JSONEq(t,exp,string(b))`
	`39`	`+}`

`‎docs/reference/api/schemas.md‎`

Lines changed: 29 additions & 6 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4ec061d

File tree

13 files changed

13 files changed

`‎.swaggo‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/rbac/allowlist.go‎`

`‎coderd/rbac/allowlist_test.go‎`

`‎codersdk/allowlist.go‎`

`‎codersdk/allowlist_test.go‎`

`‎docs/reference/api/schemas.md‎`

0 commit comments