Commit75432b4

committed
refactor: replace CEL with expr for token lifetime expressions
Change-Id: I2dcfa21535a8c5d4b2276622617782f0b2c47603Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent2a1a6d1 commit75432b4

18 files changed

+800
-994
lines changed

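--- a/cli/testdata/coder_server_--help.golden
+++ b/cli/testdata/coder_server_--help.golden
@@ -51,14 +51,15 @@ OPTIONS:
 all available experiments.
 
 --max-token-lifetime-expression string, $CODER_MAX_TOKEN_LIFETIME_EXPRESSION
-A CEL expression that determines the maximum token lifetime based on
+An expr expression that determines the maximum token lifetime based on
 user attributes. The expression has access to 'subject'
-(rbac.Subject), 'globalMaxDuration' (time.Duration),
-and'defaultDuration' (time.Duration). Must return a duration string
-(e.g., duration("168h")). Example: 'subject.roles.exists(r, r.name ==
-"owner") ? duration(globalMaxDuration) : duration(defaultDuration)'.
-See https://github.com/google/cel-spec for CEL expression syntax and
-examples.
+(coderd/expr.Subject with fields: ID, Email, Groups, Roles),
+'globalMaxDuration' (time.Duration as int64 nanoseconds), and
+'defaultDuration' (time.Duration as int64 nanoseconds). Must return a
+duration as int64 nanoseconds (e.g., duration("168h")). Example:
+'any(subject.Roles, .Name == "owner") ? duration("720h") :
+duration("168h")'. See https://github.com/expr-lang/expr for expr
+expression syntax and examples.
 
 --postgres-auth password|awsiamrds, $CODER_PG_AUTH (default: password)
 Type of auth to use when connecting to postgres. For AWS RDS, using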

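--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -445,13 +445,13 @@ experiments: []
 # performed once per day.
 # (default: false, type: bool)
 updateCheck: false
-#A CEL expression that determines the maximum token lifetime based on user
-# attributes. The expression has access to 'subject' (rbac.Subject),
-#'globalMaxDuration' (time.Duration),and'defaultDuration' (time.Duration). Must
-#return a duration string (e.g., duration("168h")). Example:
-#'subject.roles.exists(r, r.name == "owner") ?duration(globalMaxDuration):
-#duration(defaultDuration)'. See https://github.com/google/cel-spec for CEL
-# expression syntax and examples.
+#An expr expression that determines the maximum token lifetime based on user
+# attributes. The expression has access to 'subject' (coderd/expr.Subject with
+#fields: ID, Email, Groups, Roles),'globalMaxDuration' (time.Duration as int64
+#nanoseconds), and 'defaultDuration' (time.Duration as int64 nanoseconds). Must
+#return a duration as int64 nanoseconds (e.g.,duration("168h")). Example:
+#'any(subject.Roles, .Name == "owner") ? duration("720h") : duration("168h")'.
+#See https://github.com/expr-lang/expr for exprexpression syntax and examples.
 # (default: <unset>, type: string)
 maxTokenLifetimeExpression: ""
 # The default lifetime duration for API tokens. This value is used when creating a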

‎coderd/apidoc/docs.go

Lines changed: 1 addition & 1 deletion

‎coderd/apidoc/swagger.json

Lines changed: 1 addition & 1 deletion

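--- a/coderd/apikey.go
+++ b/coderd/apikey.go
@@ -9,17 +9,18 @@ import (
 "time"
 
 "github.com/go-chi/chi/v5"
-"github.com/google/cel-go/common/types"
 "github.com/google/uuid"
 "github.com/moby/moby/pkg/namesgenerator"
 "golang.org/x/xerrors"
 
+"github.com/expr-lang/expr"
+
 "cdr.dev/slog"
 "github.com/coder/coder/v2/coderd/apikey"
 "github.com/coder/coder/v2/coderd/audit"
-celtoken"github.com/coder/coder/v2/coderd/cel"
 "github.com/coder/coder/v2/coderd/database"
 "github.com/coder/coder/v2/coderd/database/dbtime"
+exprtoken"github.com/coder/coder/v2/coderd/expr"
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/coderd/httpmw"
 "github.com/coder/coder/v2/coderd/rbac"
@@ -392,7 +393,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, lifetime time.Durati
 }
 
 // getMaxTokenLifetimeForUser determines the maximum token lifetime a user is entitled to
-// based on their attributes and theCEL expression configuration.
+// based on their attributes and theexpr expression configuration.
 func (api*API)getMaxTokenLifetimeForUser(ctx context.Context,subject rbac.Subject) time.Duration {
 // Compiled at startup no need to recheck here.
 program,_:=api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()
@@ -404,34 +405,30 @@ func (api *API) getMaxTokenLifetimeForUser(ctx context.Context, subject rbac.Sub
 globalMax:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()
 defaultDuration:=api.DeploymentValues.Sessions.DefaultTokenDuration.Value()
 
-// Convert subject toCEL-friendly format
-celSubject:=celtoken.ConvertSubjectToCEL(subject)
+// Convert subject toexpr-friendly format
+exprSubject:=exprtoken.ConvertSubjectToExpr(subject)
 
-// EvaluateCEL expression with typed struct
+// Evaluateexpr expression with typed struct
 // TODO: Consider adding timeout protection in future iterations
-out,_,err:=program.Eval(map[string]interface{}{
-"subject":celSubject,
-"globalMaxDuration":globalMax,
-"defaultDuration":defaultDuration,
+out,err:=expr.Run(program,map[string]interface{}{
+"subject":exprSubject,
+"globalMaxDuration":int64(globalMax),
+"defaultDuration":int64(defaultDuration),
 })
 iferr!=nil {
-api.Logger.Error(ctx,"theCEL evaluation failed, using default duration",slog.Error(err))
+api.Logger.Error(ctx,"theexpr evaluation failed, using default duration",slog.Error(err))
 returndefaultDuration
 }
 
-// Convert result to time.Duration
-// CEL returns types.Duration, not time.Duration directly
-switchv:=out.Value().(type) {
-case types.Duration:
-returnv.Duration
-case time.Duration:
-returnv
-default:
-api.Logger.Error(ctx,"the CEL expression did not return a duration, using default duration",
-slog.F("result_type",fmt.Sprintf("%T",out.Value())),
-slog.F("result_value",out.Value()))
+// Convert result to time.Duration (expr returns int64 due to AsInt64 constraint)
+intVal,ok:=out.(int64)
+if!ok {
+api.Logger.Error(ctx,"the expr expression did not return an int64, using default duration",
+slog.F("result_type",fmt.Sprintf("%T",out)),
+slog.F("result_value",out))
 returndefaultDuration
 }
+returntime.Duration(intVal)
 }
 
 func (api*API)createAPIKey(ctx context.Context,params apikey.CreateParams) (*http.Cookie,*database.APIKey,error) {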
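Review bot: The new `intVal, ok := out.(int64)` / `return time.Duration(intVal)` path at the end of the third hunk accepts any int64, so an expression that yields zero or a negative number becomes a zero or negative maximum lifetime with no log line, whereas every other unexpected result in this function falls back to the default. A sign check before the return, `if intVal <= 0 { api.Logger.Error(ctx, "the expr expression returned a non-positive duration, using default duration", slog.F("result_value", intVal)); return defaultDuration }`, keeps the existing fallback behaviour. Since `globalMax` is now only an input to the expression and the new help-text example returns a literal `duration("720h")`, it is also worth confirming here, or in `validateAPIKeyLifetime` whose body is outside the hunks, that the result cannot exceed `globalMax`; the lines between the second and third hunk are not shown, so a clamp may already exist there. getMaxTokenLifetimeForUser starts in the second hunk and part of its body lies between the hunks.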
