Commit9e0bf76

feat: rename special API key scopes to coder:* namespace
This change unifies scope handling by migrating special scopes to the coder:* namespace while maintaining backward compatibility:
- Database: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'
- API accepts both legacy and canonical forms in requests
- Responses maintain legacy format for existing client compatibility
- Scope catalog returns all public scopes including canonical specials
- Validation enforces public scope requirements using unified logic
The migration preserves existing API key functionality while establishing consistent scope naming conventions for future extensibility.
1 parent45d6550 commit9e0bf76


36 files changed

+614
-128
lines changed


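--- a/Makefile
+++ b/Makefile
@@ -872,7 +872,7 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m
 touch "$@"
 
 codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go
-# Generate SDK constants forpublic low-level API key scopes.
+# Generate SDK constants forexternal API key scopes.
 go run ./scripts/apikeyscopesgen> /tmp/apikey_scopes_gen.go
 mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go
 touch"$@"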

‎coderd/apidoc/docs.go‎

Lines changed: 56 additions & 4 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 25 additions & 4 deletions

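--- a/coderd/apikey.go
+++ b/coderd/apikey.go
@@ -67,18 +67,39 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Map and validate requested scope.
-// Accept special scopes (all, application_connect) and curated public low-level scopes.
-scopes:= database.APIKeyScopes{database.APIKeyScopeAll}
-ifcreateToken.Scope!="" {
+// Accept legacy special scopes (all, application_connect) and external scopes.
+// Default to coder:all scopes for backward compatibility.
+scopes:= database.APIKeyScopes{database.ApiKeyScopeCoderAll}
+iflen(createToken.Scopes)>0 {
+scopes=make(database.APIKeyScopes,0,len(createToken.Scopes))
+for_,s:=rangecreateToken.Scopes {
+name:=string(s)
+if!rbac.IsExternalScope(rbac.ScopeName(name)) {
+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{
+Message:"Failed to create API key.",
+Detail:fmt.Sprintf("invalid or unsupported API key scope: %q",name),
+})
+return
+}
+scopes=append(scopes,database.APIKeyScope(name))
+}
+}elseifstring(createToken.Scope)!="" {
 name:=string(createToken.Scope)
 if!rbac.IsExternalScope(rbac.ScopeName(name)) {
 httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{
 Message:"Failed to create API key.",
-Detail:fmt.Sprintf("invalid API key scope: %q",name),
+Detail:fmt.Sprintf("invalidor unsupportedAPI key scope: %q",name),
 })
 return
 }
-scopes= database.APIKeyScopes{database.APIKeyScope(name)}
+switchname {
+case"all":
+scopes= database.APIKeyScopes{database.ApiKeyScopeCoderAll}
+case"application_connect":
+scopes= database.APIKeyScopes{database.ApiKeyScopeCoderApplicationConnect}
+default:
+scopes= database.APIKeyScopes{database.APIKeyScope(name)}
+}
 }
 
 tokenName:=namesgenerator.GetRandomName(1)
@@ -95,6 +116,45 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 TokenName:tokenName,
 }
 
+iflen(createToken.AllowList)>0 {
+rbacAllowListElements:=make([]rbac.AllowListElement,0,len(createToken.AllowList))
+for_,t:=rangecreateToken.AllowList {
+entry,err:=rbac.NewAllowListElement(t.Type.String(),t.ID.String())
+iferr!=nil {
+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{
+Message:"Failed to create API key.",
+Detail:err.Error(),
+})
+return
+}
+rbacAllowListElements=append(rbacAllowListElements,entry)
+}
+
+rbacAllowList,err:=rbac.NewAllowList(rbacAllowListElements,128)
+iferr!=nil {
+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{
+Message:"Failed to create API key.",
+Detail:err.Error(),
+})
+return
+}
+
+dbAllowList:=make(database.AllowList,0,len(rbacAllowList))
+for_,e:=rangerbacAllowList {
+target,err:=database.NewAllowListTarget(e.Type,e.ID)
+iferr!=nil {
+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{
+Message:"Failed to create API key.",
+Detail:err.Error(),
+})
+return
+}
+dbAllowList=append(dbAllowList,target)
+}
+
+params.AllowList=dbAllowList
+}
+
 ifcreateToken.Lifetime!=0 {
 err:=api.validateAPIKeyLifetime(ctx,user.ID,createToken.Lifetime)
 iferr!=nil {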
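Review bot: In the new `Scopes` list branch of the first hunk (the `for _, s := range createToken.Scopes` loop) a legacy name such as `"all"` or `"application_connect"` is appended to `scopes` unchanged via `database.APIKeyScope(name)`, while the single-`Scope` branch directly below maps the same names to `ApiKeyScopeCoderAll` / `ApiKeyScopeCoderApplicationConnect`. Because the legacy branch runs those names through `rbac.IsExternalScope` before mapping them, that check evidently accepts them, so a request with `scopes: ["all"]` would be persisted as the pre-migration value `all` rather than `coder:all` — and `apikey.Generate` in this same commit only maps the singular `params.Scope`, not the `Scopes` list, so nothing downstream corrects it. I would hoist the mapping into a small helper and apply it in both branches so the stored form is canonical regardless of how the client spelled it; the hard-coded `128` passed to `rbac.NewAllowList` in the second hunk would also be clearer as a named constant. postToken's body starts and ends outside the hunks shown.

```go
// canonicalAPIKeyScope maps the legacy special names onto the coder:* namespace;
// any other externally-valid scope is stored exactly as spelled.
func canonicalAPIKeyScope(name string) database.APIKeyScope {
	switch name {
	case "all":
		return database.ApiKeyScopeCoderAll
	case "application_connect":
		return database.ApiKeyScopeCoderApplicationConnect
	default:
		return database.APIKeyScope(name)
	}
}

// … in postToken, list branch: unchanged IsExternalScope check and 400 response …
		scopes = append(scopes, canonicalAPIKeyScope(name))
// … in postToken, legacy single-scope branch, replacing the inline switch …
	scopes = database.APIKeyScopes{canonicalAPIKeyScope(name)}
```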

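--- a/coderd/apikey/apikey.go
+++ b/coderd/apikey/apikey.go
@@ -25,16 +25,18 @@ type CreateParams struct {
 // Optional.
 ExpiresAt time.Time
 LifetimeSecondsint64
+
 // Scope is legacy single-scope input kept for backward compatibility.
 //
-// Deprecated:Prefer Scopesfor new code.
+// Deprecated:use Scopesinstead.
 Scope database.APIKeyScope
 // Scopes is the full list of scopes to attach to the key.
-// If empty and Scope is set, the generator will use [Scope].
-// If both are empty, the generator will default to [APIKeyScopeAll].
 Scopes database.APIKeyScopes
 TokenNamestring
 RemoteAddrstring
+// AllowList is an optional, normalized allow-list
+// of resource type and uuid entries. If empty, defaults to wildcard.
+AllowList database.AllowList
 }
 
 // Generate generates an API key, returning the key as a string as well as the
@@ -74,9 +76,19 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 caselen(params.Scopes)>0:
 scopes=params.Scopes
 caseparams.Scope!="":
-scopes= database.APIKeyScopes{params.Scope}
+varscope database.APIKeyScope
+switchparams.Scope {
+case"all":
+scope=database.ApiKeyScopeCoderAll
+case"application_connect":
+scope=database.ApiKeyScopeCoderApplicationConnect
+default:
+scope=params.Scope
+}
+scopes= database.APIKeyScopes{scope}
 default:
-scopes= database.APIKeyScopes{database.APIKeyScopeAll}
+// Default to coder:all scope for backward compatibility.
+scopes= database.APIKeyScopes{database.ApiKeyScopeCoderAll}
 }
 
 for_,s:=rangescopes {
@@ -106,7 +118,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 HashedSecret:hashed[:],
 LoginType:params.LoginType,
 Scopes:scopes,
-AllowList:database.AllowList{database.AllowListWildcard()},
+AllowList:params.AllowList,
 TokenName:params.TokenName,
 },token,nil
 }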
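Review bot: The new `AllowList: params.AllowList` in the last hunk stores whatever the caller supplied, whereas the removed line always persisted `database.AllowListWildcard()`; the `CreateParams` doc added in the first hunk promises "If empty, defaults to wildcard", but no line in these hunks applies that default, so a caller that leaves `AllowList` unset now writes an empty/nil list. Unless the database or authorizer layer treats an empty allow-list as wildcard (not visible here), every existing caller of Generate that never set the new field gets a key whose allow-list authorizes nothing — and if nil is instead treated as "unrestricted" somewhere else, the stored form silently diverges from the explicit wildcard entry the old code wrote. I would implement the documented default inside Generate before building the insert params: `allowList := params.AllowList`, `if len(allowList) == 0 { allowList = database.AllowList{database.AllowListWildcard()} }`, then `AllowList: allowList,`. The same hunk's `case len(params.Scopes) > 0: scopes = params.Scopes` also bypasses the legacy-name mapping that the `params.Scope` case now performs, so the canonicalization is only partial. Generate's body starts and ends outside the hunks shown.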
