NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit85aef6b

committed

feat: add public API key scope endpoint

Add /auth/scopes endpoint returning curated list of public low-level API key scopes (resource:action format).This read-only endpoint requires no authentication and provides SDK constants for all public scopes.

1 parent76ae5ab commit85aef6bCopy full SHA for 85aef6b

File tree

11 files changed

+520

-51

lines changed

11 files changed

+520

-51

lines changed

`‎Makefile‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -646,6 +646,7 @@ GEN_FILES := \`
`646`	`646`	`coderd/rbac/object_gen.go\`
`647`	`647`	`codersdk/rbacresources_gen.go\`
`648`	`648`	`coderd/rbac/scopes_constants_gen.go\`
	`649`	`+codersdk/apikey_scopes_gen.go\`
`649`	`650`	`docs/admin/integrations/prometheus.md\`
`650`	`651`	`docs/reference/cli/index.md\`
`651`	`652`	`docs/admin/security/audit-logs.md\`
`@@ -846,6 +847,12 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m`
`846`	`847`	`mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go`
`847`	`848`	`touch "$@"`
`848`	`849`
	`850`	`+codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go`
	`851`	`+# Generate SDK constants for public low-level API key scopes.`
	`852`	`+go run ./scripts/apikeyscopesgen> /tmp/apikey_scopes_gen.go`
	`853`	`+mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go`
	`854`	`+touch"$@"`
	`855`	`+`
`849`	`856`	`site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go`
`850`	`857`	`go run scripts/typegen/main.go rbac typescript>"$@"`
`851`	`858`	`(cd site/&& pnpmexec biome format --write src/api/rbacresourcesGenerated.ts)`

`‎coderd/apidoc/swagger.json‎`

Lines changed: 79 additions & 14 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey_scopes_validation_test.go‎`

Lines changed: 56 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,56 @@`
	`1`	`+package coderd_test`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"context"`
	`5`	`+"testing"`
	`6`	`+"time"`
	`7`	`+`
	`8`	`+"github.com/stretchr/testify/require"`
	`9`	`+`
	`10`	`+"github.com/coder/coder/v2/coderd/coderdtest"`
	`11`	`+"github.com/coder/coder/v2/codersdk"`
	`12`	`+)`
	`13`	`+`
	`14`	`+funcTestTokenCreation_AllowsPublicLowLevelScope(t*testing.T) {`
	`15`	`+client:=coderdtest.New(t,nil)`
	`16`	`+_=coderdtest.CreateFirstUser(t,client)`
	`17`	`+`
	`18`	`+ctx,cancel:=context.WithTimeout(context.Background(),10*time.Second)`
	`19`	`+defercancel()`
	`20`	`+`
	`21`	`+// Request a token with a public low-level scope`
	`22`	`+resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`23`	`+Scope:codersdk.APIKeyScope("workspace:read"),`
	`24`	`+})`
	`25`	`+require.NoError(t,err)`
	`26`	`+require.NotEmpty(t,resp.Key)`
	`27`	`+}`
	`28`	`+`
	`29`	`+funcTestTokenCreation_RejectsInternalOnlyScope(t*testing.T) {`
	`30`	`+client:=coderdtest.New(t,nil)`
	`31`	`+_=coderdtest.CreateFirstUser(t,client)`
	`32`	`+`
	`33`	`+ctx,cancel:=context.WithTimeout(context.Background(),10*time.Second)`
	`34`	`+defercancel()`
	`35`	`+`
	`36`	`+// debug_info:read is a valid RBAC pair but not public in the catalog`
	`37`	`+_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`38`	`+Scope:codersdk.APIKeyScope("debug_info:read"),`
	`39`	`+})`
	`40`	`+require.Error(t,err)`
	`41`	`+}`
	`42`	`+`
	`43`	`+funcTestTokenCreation_AllowsLegacyScopes(t*testing.T) {`
	`44`	`+client:=coderdtest.New(t,nil)`
	`45`	`+_=coderdtest.CreateFirstUser(t,client)`
	`46`	`+`
	`47`	`+ctx,cancel:=context.WithTimeout(context.Background(),10*time.Second)`
	`48`	`+defercancel()`
	`49`	`+`
	`50`	`+// Legacy: application_connect`
	`51`	`+resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`52`	`+Scope:codersdk.APIKeyScopeApplicationConnect,`
	`53`	`+})`
	`54`	`+require.NoError(t,err)`
	`55`	`+require.NotEmpty(t,resp.Key)`
	`56`	`+}`

`‎coderd/scopes_catalog.go‎`

Lines changed: 22 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,22 @@`
	`1`	`+package coderd`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"net/http"`
	`5`	`+`
	`6`	`+"github.com/coder/coder/v2/coderd/httpapi"`
	`7`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`8`	`+)`
	`9`	`+`
	`10`	`+// listPublicLowLevelScopes returns the curated list of public low-level`
	`11`	`+// API key scopes (resource:action). This endpoint is read-only and does not`
	`12`	`+// require authentication.`
	`13`	`+//`
	`14`	`+// @Summary List public low-level API key scopes`
	`15`	`+// @ID list-public-low-level-scopes`
	`16`	`+// @Produce json`
	`17`	`+// @Tags Authorization`
	`18`	`+// @Success 200 {array} string`
	`19`	`+// @Router /auth/scopes [get]`
	`20`	`+func (apiAPI)listPublicLowLevelScopes(rw http.ResponseWriter,rhttp.Request) {`
	`21`	`+httpapi.Write(r.Context(),rw,http.StatusOK,rbac.PublicLowLevelScopeNames())`
	`22`	`+}`

`‎coderd/scopes_catalog_api_test.go‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+package coderd_test`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"encoding/json"`
	`5`	`+"net/http"`
	`6`	`+"testing"`
	`7`	`+`
	`8`	`+"github.com/stretchr/testify/require"`
	`9`	`+`
	`10`	`+"github.com/coder/coder/v2/coderd/coderdtest"`
	`11`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`12`	`+)`
	`13`	`+`
	`14`	`+funcTestListPublicLowLevelScopes(t*testing.T) {`
	`15`	`+client:=coderdtest.New(t,nil)`
	`16`	`+`
	`17`	`+res,err:=client.Request(t.Context(),http.MethodGet,"/api/v2/auth/scopes",nil)`
	`18`	`+require.NoError(t,err)`
	`19`	`+deferres.Body.Close()`
	`20`	`+require.Equal(t,http.StatusOK,res.StatusCode)`
	`21`	`+`
	`22`	`+vargot []string`
	`23`	`+require.NoError(t,json.NewDecoder(res.Body).Decode(&got))`
	`24`	`+`
	`25`	`+want:=rbac.PublicLowLevelScopeNames()`
	`26`	`+require.Equal(t,want,got)`
	`27`	`+}`

`‎codersdk/apikey_scopes_gen.go‎`

Lines changed: 88 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎docs/reference/api/authorization.md‎`

Lines changed: 30 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit85aef6b

File tree

11 files changed

11 files changed

`‎Makefile‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey_scopes_validation_test.go‎`

`‎coderd/scopes_catalog.go‎`

`‎coderd/scopes_catalog_api_test.go‎`

`‎codersdk/apikey_scopes_gen.go‎`

`‎docs/reference/api/authorization.md‎`

0 commit comments