NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit5442fcd

committed

feat: add allow_list field to API key responses for resource scoping

Add allow_list field to API key data structures and ensure properJSON serialization across backend and frontend. Initialize with default wildcard entry (*:*) for backward compatibility withexisting API keys that don't have explicit resource restrictions.Fixes#19854

1 parent1fea0d8 commit5442fcdCopy full SHA for 5442fcd

File tree

10 files changed

+342

-233

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- apikey_test.go
- apikey
  - apikey.go
- users.go
codersdk
- apikey.go
docs/reference/api
- schemas.md
- users.md
site/src
- api
  - typesGenerated.ts
- testHelpers
  - entities.ts

10 files changed

+342

-233

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 6 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 6 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey/apikey.go‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,10 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`97`	`97`	`}`
`98`	`98`	`}`
`99`	`99`
	`100`	`+iflen(params.AllowList)==0 {`
	`101`	`+params.AllowList= database.AllowList{database.AllowListTarget{}}`
	`102`	`+}`
	`103`	`+`
`100`	`104`	`token:=fmt.Sprintf("%s-%s",keyID,keySecret)`
`101`	`105`
`102`	`106`	`return database.InsertAPIKeyParams{`

`‎coderd/apikey_test.go‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,8 @@ func TestTokenCRUD(t *testing.T) {`
`51`	`51`	`require.Greater(t,keys[0].ExpiresAt,time.Now().Add(time.Hour246))`
`52`	`52`	`require.Less(t,keys[0].ExpiresAt,time.Now().Add(time.Hour248))`
`53`	`53`	`require.Equal(t,codersdk.APIKeyScopeAll,keys[0].Scope)`
	`54`	`+require.Len(t,keys[0].AllowList,1)`
	`55`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`54`	`56`
`55`	`57`	`// no update`
`56`	`58`
`@@ -86,6 +88,8 @@ func TestTokenScoped(t *testing.T) {`
`86`	`88`	`require.EqualValues(t,len(keys),1)`
`87`	`89`	`require.Contains(t,res.Key,keys[0].ID)`
`88`	`90`	`require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)`
	`91`	`+require.Len(t,keys[0].AllowList,1)`
	`92`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`89`	`93`	`}`
`90`	`94`
`91`	`95`	`// Ensure backward-compat: when a token is created using the legacy singular`
`@@ -132,6 +136,8 @@ func TestTokenLegacySingularScopeCompat(t *testing.T) {`
`132`	`136`	`require.Len(t,keys,1)`
`133`	`137`	`require.Equal(t,tc.scope,keys[0].Scope)`
`134`	`138`	`require.ElementsMatch(t,keys[0].Scopes,tc.scopes)`
	`139`	`+require.Len(t,keys[0].AllowList,1)`
	`140`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`135`	`141`	`})`
`136`	`142`	`}`
`137`	`143`	`}`

`‎coderd/users.go‎`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ import (`
`31`	`31`	`"github.com/coder/coder/v2/coderd/util/ptr"`
`32`	`32`	`"github.com/coder/coder/v2/coderd/util/slice"`
`33`	`33`	`"github.com/coder/coder/v2/codersdk"`
	`34`	`+"github.com/coder/coder/v2/x/wildcard"`
`34`	`35`	`)`
`35`	`36`
`36`	`37`	`// userDebugOIDC returns the OIDC debug context for the user.`
`@@ -1587,6 +1588,18 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {`
`1587`	`1588`	`scopes=append(scopes,codersdk.APIKeyScope(s))`
`1588`	`1589`	`}`
`1589`	`1590`
	`1591`	`+allowList:=make([]codersdk.APIAllowListTarget,0,len(k.AllowList))`
	`1592`	`+for_,entry:=rangek.AllowList {`
	`1593`	`+vartarget codersdk.APIAllowListTarget`
	`1594`	`+ifresource,ok:=entry.Type.Value();ok {`
	`1595`	`+target.Type=wildcard.Of(codersdk.RBACResource(resource))`
	`1596`	`+}`
	`1597`	`+ifid,ok:=entry.ID.Value();ok {`
	`1598`	`+target.ID=wildcard.Of(id)`
	`1599`	`+}`
	`1600`	`+allowList=append(allowList,target)`
	`1601`	`+}`
	`1602`	`+`
`1590`	`1603`	`return codersdk.APIKey{`
`1591`	`1604`	`ID:k.ID,`
`1592`	`1605`	`UserID:k.UserID,`
`@@ -1599,5 +1612,6 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {`
`1599`	`1612`	`Scopes:scopes,`
`1600`	`1613`	`LifetimeSeconds:k.LifetimeSeconds,`
`1601`	`1614`	`TokenName:k.TokenName,`
	`1615`	`+AllowList:allowList,`
`1602`	`1616`	`}`
`1603`	`1617`	`}`

`‎codersdk/apikey.go‎`

Lines changed: 12 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,17 +12,18 @@ import (`
`12`	`12`
`13`	`13`	`// APIKey: do not ever return the HashedSecret`
`14`	`14`	`typeAPIKeystruct {`
`15`		-IDstring`json:"id" validate:"required"`
`16`		-UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
`17`		-LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
`18`		-ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
`19`		-CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
`20`		-UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
`21`		-LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
`22`		-ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
`23`		-Scopes []APIKeyScope`json:"scopes"`
`24`		-TokenNamestring`json:"token_name" validate:"required"`
`25`		-LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
	`15`	+IDstring`json:"id" validate:"required"`
	`16`	+UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
	`17`	+LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
	`18`	+ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
	`19`	+CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
	`20`	+UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
	`21`	+LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
	`22`	+ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
	`23`	+Scopes []APIKeyScope`json:"scopes"`
	`24`	+TokenNamestring`json:"token_name" validate:"required"`
	`25`	+LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
	`26`	+AllowList []APIAllowListTarget`json:"allow_list"`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`// LoginType is the type of login used to create the API key.`

`‎docs/reference/api/schemas.md‎`

Lines changed: 20 additions & 13 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎docs/reference/api/users.md‎`

Lines changed: 84 additions & 22 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎site/src/api/typesGenerated.ts‎`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5442fcd

File tree

10 files changed

10 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/apikey_test.go‎`

`‎coderd/users.go‎`

`‎codersdk/apikey.go‎`

`‎docs/reference/api/schemas.md‎`

`‎docs/reference/api/users.md‎`

`‎site/src/api/typesGenerated.ts‎`

0 commit comments