NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitacadd79

committed

feat: rename special API key scopes to coder:* namespace

This change unifies scope handling by migrating special scopes to thecoder:* namespace while maintaining backward compatibility:- Database: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'- API accepts both legacy and canonical forms in requests- Responses maintain legacy format for existing client compatibility- Scope catalog returns all public scopes including canonical specials- Validation enforces public scope requirements using unified logicThe migration preserves existing API key functionality while establishingconsistent scope naming conventions for future extensibility.

1 parent6b9783a commitacadd79Copy full SHA for acadd79

File tree

25 files changed

+285

-85

lines changed

Makefile
coderd
- apidoc
  - swagger.json
- apikey_test.go
- apikey
  - apikey_test.go
- database
  - dbauthz
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - dump.sql
  - migrations
    - 000373_canonicalize_special_api_key_scopes.down.sql
    - 000373_canonicalize_special_api_key_scopes.up.sql
  - modelmethods.go
  - modelmethods_internal_test.go
  - models.go
  - queries.sql.go
  - queries
    - apikeys.sql
- httpmw
- rbac
  - scopes_constants_gen.go
- userauth_test.go
- users.go
- workspaceapps.go
docs/reference/api
- schemas.md
- users.md
site/src
- api
  - typesGenerated.ts
- testHelpers
  - entities.ts

25 files changed

+285

-85

lines changed

`‎Makefile‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -872,7 +872,7 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m`
`872`	`872`	`touch "$@"`
`873`	`873`
`874`	`874`	`codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go`
`875`		`-# Generate SDK constants forpublic low-level API key scopes.`
	`875`	`+# Generate SDK constants forexternal API key scopes.`
`876`	`876`	`go run ./scripts/apikeyscopesgen> /tmp/apikey_scopes_gen.go`
`877`	`877`	`mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go`
`878`	`878`	`touch"$@"`

`‎coderd/apidoc/swagger.json‎`

Lines changed: 25 additions & 4 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey/apikey_test.go‎`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {`
`35`	`35`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`36`	`36`	`TokenName:"hello",`
`37`	`37`	`RemoteAddr:"1.2.3.4",`
`38`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`38`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`39`	`39`	`},`
`40`	`40`	`},`
`41`	`41`	`{`
`@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {`
`62`	`62`	`ExpiresAt: time.Time{},`
`63`	`63`	`TokenName:"hello",`
`64`	`64`	`RemoteAddr:"1.2.3.4",`
`65`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`65`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`66`	`66`	`},`
`67`	`67`	`},`
`68`	`68`	`{`
`@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {`
`75`	`75`	`ExpiresAt: time.Time{},`
`76`	`76`	`TokenName:"hello",`
`77`	`77`	`RemoteAddr:"1.2.3.4",`
`78`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`78`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`79`	`79`	`},`
`80`	`80`	`},`
`81`	`81`	`{`
`@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {`
`88`	`88`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`89`	`89`	`TokenName:"hello",`
`90`	`90`	`RemoteAddr:"",`
`91`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`91`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`92`	`92`	`},`
`93`	`93`	`},`
`94`	`94`	`{`
`@@ -161,7 +161,7 @@ func TestGenerate(t *testing.T) {`
`161`	`161`	`iftc.params.Scope!="" {`
`162`	`162`	`assert.True(t,key.Scopes.Has(tc.params.Scope))`
`163`	`163`	`}else {`
`164`		`-assert.True(t,key.Scopes.Has(database.APIKeyScopeAll))`
	`164`	`+assert.True(t,key.Scopes.Has(database.ApiKeyScopeCoderAll))`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`iftc.params.TokenName!="" {`

`‎coderd/apikey_test.go‎`

Lines changed: 48 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,54 @@ func TestTokenScoped(t *testing.T) {`
`88`	`88`	`require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)`
`89`	`89`	`}`
`90`	`90`
	`91`	`+// Ensure backward-compat: when a token is created using the legacy singular`
	`92`	`+// scope names ("all" or "application_connect"), the API returns the same`
	`93`	`+// legacy value in the deprecated singular Scope field while also supporting`
	`94`	`+// the new multi-scope field.`
	`95`	`+funcTestTokenLegacySingularScopeCompat(t*testing.T) {`
	`96`	`+t.Parallel()`
	`97`	`+`
	`98`	`+cases:= []struct {`
	`99`	`+namestring`
	`100`	`+scope codersdk.APIKeyScope`
	`101`	`+scopes []codersdk.APIKeyScope`
	`102`	`+}{`
	`103`	`+{`
	`104`	`+name:"all",`
	`105`	`+scope:codersdk.APIKeyScopeAll,`
	`106`	`+scopes: []codersdk.APIKeyScope{codersdk.APIKeyScopeCoderAll},`
	`107`	`+},`
	`108`	`+{`
	`109`	`+name:"application_connect",`
	`110`	`+scope:codersdk.APIKeyScopeApplicationConnect,`
	`111`	`+scopes: []codersdk.APIKeyScope{codersdk.APIKeyScopeCoderApplicationConnect},`
	`112`	`+},`
	`113`	`+}`
	`114`	`+`
	`115`	`+for_,tc:=rangecases {`
	`116`	`+t.Run(tc.name,func(t*testing.T) {`
	`117`	`+t.Parallel()`
	`118`	`+ctx,cancel:=context.WithTimeout(t.Context(),testutil.WaitLong)`
	`119`	`+defercancel()`
	`120`	`+client:=coderdtest.New(t,nil)`
	`121`	`+_=coderdtest.CreateFirstUser(t,client)`
	`122`	`+`
	`123`	`+// Create with legacy singular scope.`
	`124`	`+_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`125`	`+Scope:tc.scope,`
	`126`	`+})`
	`127`	`+require.NoError(t,err)`
	`128`	`+`
	`129`	`+// Read back and ensure the deprecated singular field matches exactly.`
	`130`	`+keys,err:=client.Tokens(ctx,codersdk.Me, codersdk.TokensFilter{})`
	`131`	`+require.NoError(t,err)`
	`132`	`+require.Len(t,keys,1)`
	`133`	`+require.Equal(t,tc.scope,keys[0].Scope)`
	`134`	`+require.ElementsMatch(t,keys[0].Scopes,tc.scopes)`
	`135`	`+})`
	`136`	`+}`
	`137`	`+}`
	`138`	`+`
`91`	`139`	`funcTestUserSetTokenDuration(t*testing.T) {`
`92`	`140`	`t.Parallel()`
`93`	`141`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`251`	`251`	`}))`
`252`	`252`	`s.Run("InsertAPIKey",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`253`	`253`	`u:=testutil.Fake(s.T(),faker, database.User{})`
`254`		`-arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.APIKeyScopeAll},IPAddress:defaultIPAddress()}`
	`254`	`+arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderAll},IPAddress:defaultIPAddress()}`
`255`	`255`	`ret:=testutil.Fake(s.T(),faker, database.APIKey{UserID:u.ID,LoginType:database.LoginTypePassword})`
`256`	`256`	`dbm.EXPECT().InsertAPIKey(gomock.Any(),arg).Return(ret,nil).AnyTimes()`
`257`	`257`	`check.Args(arg).Asserts(rbac.ResourceApiKey.WithOwner(u.ID.String()),policy.ActionCreate)`
`@@ -265,7 +265,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`265`	`265`	`check.Args(arg).Asserts(a,policy.ActionUpdate).Returns()`
`266`	`266`	`}))`
`267`	`267`	`s.Run("DeleteApplicationConnectAPIKeysByUserID",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`268`		`-a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.APIKeyScopeApplicationConnect}})`
	`268`	`+a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderApplicationConnect}})`
`269`	`269`	`dbm.EXPECT().DeleteApplicationConnectAPIKeysByUserID(gomock.Any(),a.UserID).Return(nil).AnyTimes()`
`270`	`270`	`check.Args(a.UserID).Asserts(rbac.ResourceApiKey.WithOwner(a.UserID.String()),policy.ActionDelete).Returns()`
`271`	`271`	`}))`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -185,8 +185,8 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`185`	`185`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
`186`	`186`	`UpdatedAt:takeFirst(seed.UpdatedAt,dbtime.Now()),`
`187`	`187`	`LoginType:takeFirst(seed.LoginType,database.LoginTypePassword),`
`188`		`-Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.APIKeyScopeAll}),`
`189`		`-AllowList:takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),`
	`188`	`+Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),`
	`189`	`+AllowList:takeFirstSlice(seed.AllowList, database.AllowList{}),`
`190`	`190`	`TokenName:takeFirst(seed.TokenName),`
`191`	`191`	`}`
`192`	`192`	`for_,fn:=rangemunge {`

`‎coderd/database/dump.sql‎`

Lines changed: 2 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000373_canonicalize_special_api_key_scopes.down.sql‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+-- Revert canonicalization of special API key scopes`
	`2`	`+-- Rename enum values back: 'coder:all' -> 'all', 'coder:application_connect' -> 'application_connect'`
	`3`	`+`
	`4`	`+ALTERTYPE api_key_scope RENAME VALUE'coder:all' TO'all';`
	`5`	`+ALTERTYPE api_key_scope RENAME VALUE'coder:application_connect' TO'application_connect';`

`‎coderd/database/migrations/000373_canonicalize_special_api_key_scopes.up.sql‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+-- Canonicalize special API key scopes to coder:* namespace`
	`2`	`+-- Rename enum values: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'`
	`3`	`+`
	`4`	`+ALTERTYPE api_key_scope RENAME VALUE'all' TO'coder:all';`
	`5`	`+ALTERTYPE api_key_scope RENAME VALUE'application_connect' TO'coder:application_connect';`

`‎coderd/database/modelmethods.go‎`

Lines changed: 62 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,9 +134,9 @@ func (w ConnectionLog) RBACObject() rbac.Object {`
`134`	`134`
`135`	`135`	`func (sAPIKeyScope)ToRBAC() rbac.ScopeName {`
`136`	`136`	`switchs {`
`137`		`-caseAPIKeyScopeAll:`
	`137`	`+caseApiKeyScopeCoderAll:`
`138`	`138`	`returnrbac.ScopeAll`
`139`		`-caseAPIKeyScopeApplicationConnect:`
	`139`	`+caseApiKeyScopeCoderApplicationConnect:`
`140`	`140`	`returnrbac.ScopeApplicationConnect`
`141`	`141`	`default:`
`142`	`142`	`// Allow low-level resource:action scopes to flow through to RBAC for`
`@@ -203,6 +203,29 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`203`	`203`	`}`
`204`	`204`	`}`
`205`	`205`
	`206`	`+// De-duplicate permissions across Site/Org/User`
	`207`	`+dedup:=func(in []rbac.Permission) []rbac.Permission {`
	`208`	`+iflen(in)==0 {`
	`209`	`+returnin`
	`210`	`+}`
	`211`	`+seen:=make(map[string]struct{},len(in))`
	`212`	`+out:=make([]rbac.Permission,0,len(in))`
	`213`	`+for_,p:=rangein {`
	`214`	`+key:=p.ResourceType+"\x00"+string(p.Action)+"\x00"+strconv.FormatBool(p.Negate)`
	`215`	`+if_,ok:=seen[key];ok {`
	`216`	`+continue`
	`217`	`+}`
	`218`	`+seen[key]=struct{}{}`
	`219`	`+out=append(out,p)`
	`220`	`+}`
	`221`	`+returnout`
	`222`	`+}`
	`223`	`+merged.Site=dedup(merged.Site)`
	`224`	`+fororgID,perms:=rangemerged.Org {`
	`225`	`+merged.Org[orgID]=dedup(perms)`
	`226`	`+}`
	`227`	`+merged.User=dedup(merged.User)`
	`228`	`+`
`206`	`229`	`ifallowAll\|\|len(allowSet)==0 {`
`207`	`230`	`merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`
`208`	`231`	`}else {`
`@@ -218,7 +241,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`218`	`241`	`// Name returns a human-friendly identifier for tracing/logging.`
`219`	`242`	`func (sAPIKeyScopes)Name() rbac.RoleIdentifier {`
`220`	`243`	`iflen(s)==0 {`
`221`		`-return rbac.RoleIdentifier{Name:string(APIKeyScopeAll)}`
	`244`	`+// Return all for backward compatibility.`
	`245`	`+return rbac.RoleIdentifier{Name:string(ApiKeyScopeCoderAll)}`
`222`	`246`	`}`
`223`	`247`	`names:=make([]string,0,len(s))`
`224`	`248`	`for_,s:=ranges {`
`@@ -227,6 +251,41 @@ func (s APIKeyScopes) Name() rbac.RoleIdentifier {`
`227`	`251`	`return rbac.RoleIdentifier{Name:"scopes["+strings.Join(names,"+")+"]"}`
`228`	`252`	`}`
`229`	`253`
	`254`	`+// APIKeyEffectiveScope merges expanded scopes with the API key's DB allow_list.`
	`255`	`+// If the DB allow_list is a wildcard or empty, the merged scope's allow list is unchanged.`
	`256`	`+// Otherwise, the DB allow_list overrides the merged AllowIDList to enforce the token's`
	`257`	`+// resource scoping consistently across all permissions.`
	`258`	`+typeAPIKeyEffectiveScopestruct {`
	`259`	`+ScopesAPIKeyScopes`
	`260`	`+AllowListAllowList`
	`261`	`+}`
	`262`	`+`
	`263`	`+func (eAPIKeyEffectiveScope)Name() rbac.RoleIdentifier {returne.Scopes.Name() }`
	`264`	`+`
	`265`	`+func (eAPIKeyEffectiveScope)Expand() (rbac.Scope,error) {`
	`266`	`+merged,err:=e.Scopes.Expand()`
	`267`	`+iferr!=nil {`
	`268`	`+return rbac.Scope{},err`
	`269`	`+}`
	`270`	`+iflen(e.AllowList)==0 {`
	`271`	`+returnmerged,nil`
	`272`	`+}`
	`273`	`+`
	`274`	`+// If allow list contains a single wildcard (:), keep merged allow list as-is`
	`275`	`+for_,entry:=rangee.AllowList {`
	`276`	`+ifentry.Type.IsAny()&&entry.ID.IsAny() {`
	`277`	`+returnmerged,nil`
	`278`	`+}`
	`279`	`+}`
	`280`	`+`
	`281`	`+out:=make([]rbac.AllowListElement,0,len(e.AllowList))`
	`282`	`+for_,t:=rangee.AllowList {`
	`283`	`+out=append(out, rbac.AllowListElement{Type:t.Type.String(),ID:t.ID.String()})`
	`284`	`+}`
	`285`	`+merged.AllowIDList=out`
	`286`	`+returnmerged,nil`
	`287`	`+}`
	`288`	`+`
`230`	`289`	`func (kAPIKey)RBACObject() rbac.Object {`
`231`	`290`	`returnrbac.ResourceApiKey.WithIDString(k.ID).`
`232`	`291`	`WithOwner(k.UserID.String())`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitacadd79

File tree

25 files changed

25 files changed

`‎Makefile‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey/apikey_test.go‎`

`‎coderd/apikey_test.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

`‎coderd/database/dump.sql‎`

`‎coderd/database/migrations/000373_canonicalize_special_api_key_scopes.down.sql‎`

`‎coderd/database/migrations/000373_canonicalize_special_api_key_scopes.up.sql‎`

`‎coderd/database/modelmethods.go‎`

0 commit comments