NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit7d68b72

committed

feat: add multiple API key scopes support with granular permissions

Change-Id: I5857fd833f8114d53f575b9fa48a8e5e7dbfdb2cSigned-off-by: Thomas Kosiewski <tk@coder.com>

1 parent99e7a7b commit7d68b72Copy full SHA for 7d68b72

File tree

65 files changed

+1612

-459

lines changed

.claude/notes
- token-scopes.md
cli
- exp_scaletest.go
coderd
- apidoc
  - docs.go
  - swagger.json
- apikey.go
- apikey_test.go
- apikey
  - apikey.go
  - apikey_test.go
- authorize.go
- coderdtest
  - authorize.go
  - coderdtest.go
- database
  - dbauthz
  - dbfake
    - dbfake.go
  - dbgen
    - dbgen.go
  - dump.sql
  - migrations
    - 000354_add_multiple_api_key_scopes.down.sql
    - 000354_add_multiple_api_key_scopes.up.sql
  - models.go
  - querier_test.go
  - queries.sql.go
  - queries
    - apikeys.sql
    - oauth2.sql
- files
  - cache_test.go
- httpmw
- insights_test.go
- oauth2_test.go
- oauth2provider
- presets_test.go
- rbac
- userauth.go
- userauth_test.go
- users.go
- workspaceapps/apptest
  - apptest.go
- workspaceupdates_test.go
codersdk
- apikey.go
docs
- admin/security
  - audit-logs.md
- reference/api
  - schemas.md
  - users.md
enterprise
- audit
  - table.go
- coderd
  - coderd_test.go
  - workspaces_test.go
- tailnet
  - pgcoord.go
scripts/rbac-authz
- gen_input.go
site/src
- api
  - typesGenerated.ts
- pages/CreateTokenPage
  - CreateTokenPage.tsx
- testHelpers
  - entities.ts

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

65 files changed

+1612

-459

lines changed

`‎.claude/notes/token-scopes.md‎`

Lines changed: 541 additions & 0 deletions

Large diffs are not rendered by default.

`‎cli/exp_scaletest.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1232,7 +1232,7 @@ func (r RootCmd) scaletestDashboard() serpent.Command {`
`1232`	`1232`	`name:=fmt.Sprintf("dashboard-%s",usr.Username)`
`1233`	`1233`	`userTokResp,err:=client.CreateToken(ctx,usr.ID.String(), codersdk.CreateTokenRequest{`
`1234`	`1234`	`Lifetime:3024time.Hour,`
`1235`		`-Scope:"",`
	`1235`	`+Scopes:[]codersdk.APIKeyScope{codersdk.APIKeyScopeAll},`
`1236`	`1236`	`TokenName:fmt.Sprintf("scaletest-%d",time.Now().Unix()),`
`1237`	`1237`	`})`
`1238`	`1238`	`iferr!=nil {`

`‎coderd/apidoc/docs.go‎`

Lines changed: 41 additions & 23 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 47 additions & 17 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey.go‎`

Lines changed: 15 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,15 @@ import (`
`24`	`24`	`"github.com/coder/coder/v2/codersdk"`
`25`	`25`	`)`
`26`	`26`
	`27`	`+// convertAPIKeyScopesToDatabase converts SDK API key scopes to database API key scopes`
	`28`	`+funcconvertAPIKeyScopesToDatabase(scopes []codersdk.APIKeyScope) []database.APIKeyScope {`
	`29`	`+dbScopes:=make([]database.APIKeyScope,0,len(scopes))`
	`30`	`+for_,scope:=rangescopes {`
	`31`	`+dbScopes=append(dbScopes,database.APIKeyScope(scope))`
	`32`	`+}`
	`33`	`+returndbScopes`
	`34`	`+}`
	`35`	`+`
`27`	`36`	`// Creates a new token API key with the given scope and lifetime.`
`28`	`37`	`//`
`29`	`38`	`// @Summary Create token API key`
`@@ -56,9 +65,10 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`56`	`65`	`return`
`57`	`66`	`}`
`58`	`67`
`59`		`-scope:=database.APIKeyScopeAll`
`60`		`-ifscope!="" {`
`61`		`-scope=database.APIKeyScope(createToken.Scope)`
	`68`	`+// Use the scopes from the request, or default to 'all' if empty`
	`69`	`+scopes:=createToken.Scopes`
	`70`	`+iflen(scopes)==0 {`
	`71`	`+scopes= []codersdk.APIKeyScope{codersdk.APIKeyScopeAll}`
`62`	`72`	`}`
`63`	`73`
`64`	`74`	`tokenName:=namesgenerator.GetRandomName(1)`
`@@ -71,7 +81,7 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`71`	`81`	`UserID:user.ID,`
`72`	`82`	`LoginType:database.LoginTypeToken,`
`73`	`83`	`DefaultLifetime:api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),`
`74`		`-Scope:scope,`
	`84`	`+Scopes:convertAPIKeyScopesToDatabase(scopes),// New scopes array`
`75`	`85`	`TokenName:tokenName,`
`76`	`86`	`}`
`77`	`87`
`@@ -380,7 +390,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, userID uuid.UUID, li`
`380`	`390`	`// getMaxTokenLifetime returns the maximum allowed token lifetime for a user.`
`381`	`391`	`// It distinguishes between regular users and owners.`
`382`	`392`	`func (api*API)getMaxTokenLifetime(ctx context.Context,userID uuid.UUID) (time.Duration,error) {`
`383`		`-subject,_,err:=httpmw.UserRBACSubject(ctx,api.Database,userID,rbac.ScopeAll)`
	`393`	`+subject,_,err:=httpmw.UserRBACSubject(ctx,api.Database,userID,[]rbac.ExpandableScope{rbac.ScopeAll})`
`384`	`394`	`iferr!=nil {`
`385`	`395`	`return0,xerrors.Errorf("failed to get user rbac subject: %w",err)`
`386`	`396`	`}`

`‎coderd/apikey/apikey.go‎`

Lines changed: 20 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,8 @@ type CreateParams struct {`
`25`	`25`	`// Optional.`
`26`	`26`	`ExpiresAt time.Time`
`27`	`27`	`LifetimeSecondsint64`
`28`		`-Scope database.APIKeyScope`
	`28`	`+Scope database.APIKeyScope// Legacy single scope (for backward compatibility)`
	`29`	`+Scopes []database.APIKeyScope// New scopes array`
`29`	`30`	`TokenNamestring`
`30`	`31`	`RemoteAddrstring`
`31`	`32`	`}`
`@@ -62,14 +63,24 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`62`	`63`
`63`	`64`	`bitlen:=len(ip)*8`
`64`	`65`
`65`		`-scope:=database.APIKeyScopeAll`
`66`		`-ifparams.Scope!="" {`
`67`		`-scope=params.Scope`
	`66`	`+// Determine scopes - prioritize Scopes array, fallback to legacy Scope`
	`67`	`+varscopes []database.APIKeyScope`
	`68`	`+iflen(params.Scopes)>0 {`
	`69`	`+scopes=params.Scopes`
	`70`	`+}else {`
	`71`	`+// Fallback to legacy single scope`
	`72`	`+scope:=database.APIKeyScopeAll`
	`73`	`+ifparams.Scope!="" {`
	`74`	`+scope=params.Scope`
	`75`	`+}`
	`76`	`+scopes= []database.APIKeyScope{scope}`
`68`	`77`	`}`
`69`		`-switchscope {`
`70`		`-casedatabase.APIKeyScopeAll,database.APIKeyScopeApplicationConnect:`
`71`		`-default:`
`72`		`-return database.InsertAPIKeyParams{},"",xerrors.Errorf("invalid API key scope: %q",scope)`
	`78`	`+`
	`79`	`+// Validate all scopes`
	`80`	`+for_,scope:=rangescopes {`
	`81`	`+if!scope.Valid() {`
	`82`	`+return database.InsertAPIKeyParams{},"",xerrors.Errorf("invalid API key scope: %q",scope)`
	`83`	`+}`
`73`	`84`	`}`
`74`	`85`
`75`	`86`	`token:=fmt.Sprintf("%s-%s",keyID,keySecret)`
`@@ -92,7 +103,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`92`	`103`	`UpdatedAt:dbtime.Now(),`
`93`	`104`	`HashedSecret:hashed[:],`
`94`	`105`	`LoginType:params.LoginType,`
`95`		`-Scope:scope,`
	`106`	`+Scopes:scopes,// New scopes array`
`96`	`107`	`TokenName:params.TokenName,`
`97`	`108`	`},token,nil`
`98`	`109`	`}`

`‎coderd/apikey/apikey_test.go‎`

Lines changed: 9 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {`
`35`	`35`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`36`	`36`	`TokenName:"hello",`
`37`	`37`	`RemoteAddr:"1.2.3.4",`
`38`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`38`	`+Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},`
`39`	`39`	`},`
`40`	`40`	`},`
`41`	`41`	`{`
`@@ -48,7 +48,7 @@ func TestGenerate(t *testing.T) {`
`48`	`48`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`49`	`49`	`TokenName:"hello",`
`50`	`50`	`RemoteAddr:"1.2.3.4",`
`51`		`-Scope:database.APIKeyScope("test"),`
	`51`	`+Scopes:[]database.APIKeyScope{database.APIKeyScope("test")},`
`52`	`52`	`},`
`53`	`53`	`fail:true,`
`54`	`54`	`},`
`@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {`
`62`	`62`	`ExpiresAt: time.Time{},`
`63`	`63`	`TokenName:"hello",`
`64`	`64`	`RemoteAddr:"1.2.3.4",`
`65`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`65`	`+Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},`
`66`	`66`	`},`
`67`	`67`	`},`
`68`	`68`	`{`
`@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {`
`75`	`75`	`ExpiresAt: time.Time{},`
`76`	`76`	`TokenName:"hello",`
`77`	`77`	`RemoteAddr:"1.2.3.4",`
`78`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`78`	`+Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},`
`79`	`79`	`},`
`80`	`80`	`},`
`81`	`81`	`{`
`@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {`
`88`	`88`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`89`	`89`	`TokenName:"hello",`
`90`	`90`	`RemoteAddr:"",`
`91`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`91`	`+Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},`
`92`	`92`	`},`
`93`	`93`	`},`
`94`	`94`	`{`
`@@ -101,7 +101,7 @@ func TestGenerate(t *testing.T) {`
`101`	`101`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`102`	`102`	`TokenName:"hello",`
`103`	`103`	`RemoteAddr:"1.2.3.4",`
`104`		`-Scope:"",`
	`104`	`+Scopes:[]database.APIKeyScope{},`
`105`	`105`	`},`
`106`	`106`	`},`
`107`	`107`	`}`
`@@ -158,10 +158,10 @@ func TestGenerate(t *testing.T) {`
`158`	`158`	`assert.Equal(t,"0.0.0.0",key.IPAddress.IPNet.IP.String())`
`159`	`159`	`}`
`160`	`160`
`161`		`-iftc.params.Scope!="" {`
`162`		`-assert.Equal(t,tc.params.Scope,key.Scope)`
	`161`	`+iflen(tc.params.Scopes)>0 {`
	`162`	`+assert.Equal(t,tc.params.Scopes,key.Scopes)`
`163`	`163`	`}else {`
`164`		`-assert.Equal(t,database.APIKeyScopeAll,key.Scope)`
	`164`	`+assert.Equal(t,[]database.APIKeyScope{database.APIKeyScopeAll},key.Scopes)`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`iftc.params.TokenName!="" {`

`‎coderd/apikey_test.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func TestTokenCRUD(t *testing.T) {`
`47`	`47`	`// expires_at should default to 30 days`
`48`	`48`	`require.Greater(t,keys[0].ExpiresAt,time.Now().Add(time.Hour246))`
`49`	`49`	`require.Less(t,keys[0].ExpiresAt,time.Now().Add(time.Hour248))`
`50`		`-require.Equal(t,codersdk.APIKeyScopeAll,keys[0].Scope)`
	`50`	`+require.Equal(t,[]codersdk.APIKeyScope{codersdk.APIKeyScopeAll},keys[0].Scopes)`
`51`	`51`
`52`	`52`	`// no update`
`53`	`53`
`@@ -73,7 +73,7 @@ func TestTokenScoped(t *testing.T) {`
`73`	`73`	`_=coderdtest.CreateFirstUser(t,client)`
`74`	`74`
`75`	`75`	`res,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`76`		`-Scope:codersdk.APIKeyScopeApplicationConnect,`
	`76`	`+Scopes: []codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect},`
`77`	`77`	`})`
`78`	`78`	`require.NoError(t,err)`
`79`	`79`	`require.Greater(t,len(res.Key),2)`
`@@ -82,7 +82,7 @@ func TestTokenScoped(t *testing.T) {`
`82`	`82`	`require.NoError(t,err)`
`83`	`83`	`require.EqualValues(t,len(keys),1)`
`84`	`84`	`require.Contains(t,res.Key,keys[0].ID)`
`85`		`-require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)`
	`85`	`+require.Equal(t,[]codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect},keys[0].Scopes)`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`funcTestUserSetTokenDuration(t*testing.T) {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7d68b72

File tree

65 files changed

Some content is hidden

65 files changed

`‎.claude/notes/token-scopes.md‎`

`‎cli/exp_scaletest.go‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey.go‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/apikey/apikey_test.go‎`

`‎coderd/apikey_test.go‎`

0 commit comments