NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitafa0215

committed

feat: add API key scope for workspace agents to support running without user data access

Change-Id: Ia5a7085afea6ad6ab7fdba2ab738357f4c519966Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent6cc32e3 commitafa0215Copy full SHA for afa0215

File tree

21 files changed

+718

-404

lines changed

coderd
- coderd.go
- database
  - dbauthz
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - dbmem
    - dbmem.go
  - dump.sql
  - migrations
    - 000320_add_api_key_scope_to_workspace_agents.down.sql
    - 000320_add_api_key_scope_to_workspace_agents.up.sql
  - models.go
  - queries
    - workspaceagents.sql
  - queries.sql.go
- httpmw
  - agentapikeyscopecheck.go
  - agentapikeyscopecheck_test.go
- provisionerdserver
  - provisionerdserver.go
- util/tz
  - tz_darwin.go
docs/admin/security
- audit-logs.md
enterprise/audit
- table.go
provisioner/terraform
- resources.go
provisionersdk/proto
- provisioner.pb.go
- provisioner.proto
site/e2e
- helpers.ts
- provisionerGenerated.ts

21 files changed

+718

-404

lines changed

`‎coderd/coderd.go`

Lines changed: 28 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -800,6 +800,17 @@ func New(options Options) API {`
`800`	`800`	`PostAuthAdditionalHeadersFunc:options.PostAuthAdditionalHeadersFunc,`
`801`	`801`	`})`
`802`	`802`
	`803`	`+workspaceAgentInfo:=httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{`
	`804`	`+DB:options.Database,`
	`805`	`+Optional:false,`
	`806`	`+})`
	`807`	`+// Same as above but optional`
	`808`	`+workspaceAgentInfoOptional:=httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{`
	`809`	`+DB:options.Database,`
	`810`	`+Optional:true,`
	`811`	`+})`
	`812`	`+workspaceAgentAPIKeyScopeCheck:=httpmw.AgentAPIKeyScopeCheckMW()`
	`813`	`+`
`803`	`814`	`// API rate limit middleware. The counter is local and not shared between`
`804`	`815`	`// replicas or instances of this middleware.`
`805`	`816`	`apiRateLimiter:=httpmw.RateLimit(options.APIRateLimit,time.Minute)`
`@@ -1019,6 +1030,8 @@ func New(options Options) API {`
`1019`	`1030`	`r.Route("/external-auth",func(r chi.Router) {`
`1020`	`1031`	`r.Use(`
`1021`	`1032`	`apiKeyMiddleware,`
	`1033`	`+workspaceAgentInfoOptional,`
	`1034`	`+workspaceAgentAPIKeyScopeCheck,`
`1022`	`1035`	`)`
`1023`	`1036`	`// Get without a specific external auth ID will return all external auths.`
`1024`	`1037`	`r.Get("/",api.listUserExternalAuths)`
`@@ -1254,8 +1267,14 @@ func New(options Options) API {`
`1254`	`1267`	`r.Get("/",api.workspaceByOwnerAndName)`
`1255`	`1268`	`r.Get("/builds/{buildnumber}",api.workspaceBuildByBuildNumber)`
`1256`	`1269`	`})`
`1257`		`-r.Get("/gitsshkey",api.gitSSHKey)`
`1258`		`-r.Put("/gitsshkey",api.regenerateGitSSHKey)`
	`1270`	`+r.With(`
	`1271`	`+workspaceAgentInfoOptional,`
	`1272`	`+workspaceAgentAPIKeyScopeCheck,`
	`1273`	`+).Get("/gitsshkey",api.gitSSHKey)`
	`1274`	`+r.With(`
	`1275`	`+workspaceAgentInfoOptional,`
	`1276`	`+workspaceAgentAPIKeyScopeCheck,`
	`1277`	`+).Put("/gitsshkey",api.regenerateGitSSHKey)`
`1259`	`1278`	`r.Route("/notifications",func(r chi.Router) {`
`1260`	`1279`	`r.Route("/preferences",func(r chi.Router) {`
`1261`	`1280`	`r.Get("/",api.userNotificationPreferences)`
`@@ -1284,17 +1303,17 @@ func New(options Options) API {`
`1284`	`1303`	`httpmw.RequireAPIKeyOrWorkspaceProxyAuth(),`
`1285`	`1304`	`).Get("/connection",api.workspaceAgentConnectionGeneric)`
`1286`	`1305`	`r.Route("/me",func(r chi.Router) {`
`1287`		`-r.Use(httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{`
`1288`		`-DB:options.Database,`
`1289`		`-Optional:false,`
`1290`		`-}))`
	`1306`	`+r.Use(workspaceAgentInfo)`
`1291`	`1307`	`r.Get("/rpc",api.workspaceAgentRPC)`
`1292`	`1308`	`r.Patch("/logs",api.patchWorkspaceAgentLogs)`
`1293`	`1309`	`r.Patch("/app-status",api.patchWorkspaceAgentAppStatus)`
`1294`	`1310`	`// Deprecated: Required to support legacy agents`
`1295`		`-r.Get("/gitauth",api.workspaceAgentsGitAuth)`
`1296`		`-r.Get("/external-auth",api.workspaceAgentsExternalAuth)`
`1297`		`-r.Get("/gitsshkey",api.agentGitSSHKey)`
	`1311`	`+r.With(workspaceAgentAPIKeyScopeCheck).`
	`1312`	`+Get("/gitauth",api.workspaceAgentsGitAuth)`
	`1313`	`+r.With(workspaceAgentAPIKeyScopeCheck).`
	`1314`	`+Get("/external-auth",api.workspaceAgentsExternalAuth)`
	`1315`	`+r.With(workspaceAgentAPIKeyScopeCheck).`
	`1316`	`+Get("/gitsshkey",api.agentGitSSHKey)`
`1298`	`1317`	`r.Post("/log-source",api.workspaceAgentPostLogSource)`
`1299`	`1318`	`})`
`1300`	`1319`	`r.Route("/{workspaceagent}",func(r chi.Router) {`

`‎coderd/database/dbauthz/dbauthz_test.go`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -3986,8 +3986,9 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`3986`	`3986`	`s.Run("InsertWorkspaceAgent",s.Subtest(func(db database.Store,check*expects) {`
`3987`	`3987`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
`3988`	`3988`	`check.Args(database.InsertWorkspaceAgentParams{`
`3989`		`-ID:uuid.New(),`
`3990`		`-Name:"dev",`
	`3989`	`+ID:uuid.New(),`
	`3990`	`+Name:"dev",`
	`3991`	`+APIKeyScope:database.ApiKeyScopeEnumDefault,`
`3991`	`3992`	`}).Asserts(rbac.ResourceSystem,policy.ActionCreate)`
`3992`	`3993`	`}))`
`3993`	`3994`	`s.Run("InsertWorkspaceApp",s.Subtest(func(db database.Store,check*expects) {`

`‎coderd/database/dbgen/dbgen.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen`
`210`	`210`	`MOTDFile:takeFirst(orig.TroubleshootingURL,""),`
`211`	`211`	`DisplayApps:append([]database.DisplayApp{},orig.DisplayApps...),`
`212`	`212`	`DisplayOrder:takeFirst(orig.DisplayOrder,1),`
	`213`	`+APIKeyScope:takeFirst(orig.APIKeyScope,database.ApiKeyScopeEnumDefault),`
`213`	`214`	`})`
`214`	`215`	`require.NoError(t,err,"insert workspace agent")`
`215`	`216`	`returnagt`

`‎coderd/database/dbmem/dbmem.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9587,6 +9587,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser`
`9587`	`9587`	`LifecycleState:database.WorkspaceAgentLifecycleStateCreated,`
`9588`	`9588`	`DisplayApps:arg.DisplayApps,`
`9589`	`9589`	`DisplayOrder:arg.DisplayOrder,`
	`9590`	`+APIKeyScope:arg.APIKeyScope,`
`9590`	`9591`	`}`
`9591`	`9592`
`9592`	`9593`	`q.workspaceAgents=append(q.workspaceAgents,agent)`

`‎coderd/database/dump.sql`

Lines changed: 8 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+-- Remove the api_key_scope column from the workspace_agents table`
	`2`	`+ALTERTABLE workspace_agents`
	`3`	`+DROP COLUMN IF EXISTS api_key_scope;`
	`4`	`+`
	`5`	`+-- Drop the enum type for API key scope`
	`6`	`+DROPTYPE IF EXISTS api_key_scope_enum;`

`‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,10 @@`
	`1`	`+-- Create the enum type for API key scope`
	`2`	`+CREATETYPEapi_key_scope_enumAS ENUM ('default','no_user_data');`
	`3`	`+`
	`4`	`+-- Add the api_key_scope column to the workspace_agents table`
	`5`	`+-- It defaults to 'default' to maintain existing behavior for current agents.`
	`6`	`+ALTERTABLE workspace_agents`
	`7`	`+ADD COLUMN api_key_scope api_key_scope_enumNOT NULL DEFAULT'default';`
	`8`	`+`
	`9`	`+-- Add a comment explaining the purpose of the column`
	`10`	`+COMMENT ON COLUMN workspace_agents.api_key_scope IS'Defines the scope of the API key associated with the agent.''default'' allows access to everything,''no_user_data'' restricts it to exclude user data.';`

`‎coderd/database/models.go`

Lines changed: 60 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitafa0215

File tree

21 files changed

21 files changed

`‎coderd/coderd.go`

`‎coderd/database/dbauthz/dbauthz_test.go`

`‎coderd/database/dbgen/dbgen.go`

`‎coderd/database/dbmem/dbmem.go`

`‎coderd/database/dump.sql`

`‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql`

`‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql`

`‎coderd/database/models.go`

0 commit comments