Commitc29d8ce

committed
feat: add public API key scope endpoint
Add /auth/scopes endpoint returning a curated list of public low-level API key scopes (resource:action format). This read-only endpoint requires no authentication and provides SDK constants for all public scopes.
1 parentb7ba894 commitc29d8ce


15 files changed

+2548
-1864
lines changed


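--- a/Makefile
+++ b/Makefile
@@ -646,6 +646,7 @@ GEN_FILES := \
 coderd/rbac/object_gen.go\
 codersdk/rbacresources_gen.go\
 coderd/rbac/scopes_constants_gen.go\
+codersdk/apikey_scopes_gen.go\
 docs/admin/integrations/prometheus.md\
 docs/reference/cli/index.md\
 docs/admin/security/audit-logs.md\
@@ -846,6 +847,12 @@ codersdk/rbacresources_gen.go: scripts/typegen/codersdk.gotmpl scripts/typegen/m
 mv /tmp/rbacresources_gen.go codersdk/rbacresources_gen.go
 touch "$@"
 
+codersdk/apikey_scopes_gen.go: scripts/apikeyscopesgen/main.go coderd/rbac/scopes_catalog.go coderd/rbac/scopes.go
+# Generate SDK constants for public low-level API key scopes.
+go run ./scripts/apikeyscopesgen> /tmp/apikey_scopes_gen.go
+mv /tmp/apikey_scopes_gen.go codersdk/apikey_scopes_gen.go
+touch"$@"
+
 site/src/api/rbacresourcesGenerated.ts: site/node_modules/.installed scripts/typegen/codersdk.gotmpl scripts/typegen/main.go coderd/rbac/object.go coderd/rbac/policy/policy.go
 go run scripts/typegen/main.go rbac typescript>"$@"
 (cd site/&& pnpmexec biome format --write src/api/rbacresourcesGenerated.ts)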
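Review bot: The new recipe writes the generator output to the fixed path `/tmp/apikey_scopes_gen.go` before moving it into place, which collides between concurrent builds on the same host and relies on a world-writable directory; this mirrors the existing `rbacresources_gen.go` rule directly above, so the pattern is inherited rather than introduced, but the new rule is a chance to use a path under the build tree instead, e.g. `go run ./scripts/apikeyscopesgen > $@.tmp` followed by `mv $@.tmp $@`. Writing next to the target also keeps `mv` on one filesystem. The `$@.tmp` form would need adding to `.gitignore` or the `clean` target if the generator can fail midway.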

‎coderd/apidoc/docs.go‎

Lines changed: 85 additions & 2 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 87 additions & 2 deletions
Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,74 @@
1+
package coderd_test
2+
3+
import (
4+
"context"
5+
"testing"
6+
7+
"github.com/stretchr/testify/require"
8+
9+
"github.com/coder/coder/v2/coderd/coderdtest"
10+
"github.com/coder/coder/v2/codersdk"
11+
"github.com/coder/coder/v2/testutil"
12+
)
13+
14+
funcTestTokenCreation_AllowsPublicLowLevelScope(t*testing.T) {
15+
t.Parallel()
16+
client:=coderdtest.New(t,nil)
17+
_=coderdtest.CreateFirstUser(t,client)
18+
19+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
20+
defercancel()
21+
22+
// Request a token with a public low-level scope
23+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
24+
Scope:codersdk.APIKeyScope("workspace:read"),
25+
})
26+
require.NoError(t,err)
27+
require.NotEmpty(t,resp.Key)
28+
}
29+
30+
funcTestTokenCreation_RejectsInternalOnlyScope(t*testing.T) {
31+
t.Parallel()
32+
client:=coderdtest.New(t,nil)
33+
_=coderdtest.CreateFirstUser(t,client)
34+
35+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
36+
defercancel()
37+
38+
// debug_info:read is a valid RBAC pair but not public in the catalog
39+
_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
40+
Scope:codersdk.APIKeyScope("debug_info:read"),
41+
})
42+
require.Error(t,err)
43+
}
44+
45+
funcTestTokenCreation_AllowsLegacyScopes(t*testing.T) {
46+
t.Parallel()
47+
client:=coderdtest.New(t,nil)
48+
_=coderdtest.CreateFirstUser(t,client)
49+
50+
ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitShort)
51+
defercancel()
52+
53+
// Legacy: application_connect
54+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
55+
Scope:codersdk.APIKeyScopeApplicationConnect,
56+
})
57+
require.NoError(t,err)
58+
require.NotEmpty(t,resp.Key)
59+
}
60+
61+
funcTestTokenCreation_AllowsCanonicalSpecialScope(t*testing.T) {
62+
t.Parallel()
63+
client:=coderdtest.New(t,nil)
64+
_=coderdtest.CreateFirstUser(t,client)
65+
66+
ctx,cancel:=context.WithTimeout(t.Context(),testutil.WaitShort)
67+
defercancel()
68+
69+
resp,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
70+
Scope:codersdk.APIKeyScopeApplicationConnect,
71+
})
72+
require.NoError(t,err)
73+
require.NotEmpty(t,resp.Key)
74+
}
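Review bot: `TestTokenCreation_AllowsCanonicalSpecialScope` is a duplicate of `TestTokenCreation_AllowsLegacyScopes` — both request `codersdk.APIKeyScopeApplicationConnect` and assert only a non-empty key — so it does not exercise a canonical spelling of the special scope as its name suggests; either point it at the canonical form the server accepts (not visible on this page) or drop it. `TestTokenCreation_RejectsInternalOnlyScope` asserts only `require.Error`, which also passes on a transport or timeout failure, so a regression that silently accepts `debug_info:read` could hide behind an unrelated error; assert the rejection itself with `var sdkErr *codersdk.Error`, `require.ErrorAs(t, err, &sdkErr)` and a check of `sdkErr.StatusCode()` against the status the server returns for an invalid scope (presumably `http.StatusBadRequest`, which would need `net/http` imported). The positive tests could likewise confirm the stored scope rather than only `resp.Key`. The file header for this section is not shown on the page, and the tests mix `context.Background()` with `t.Context()`; pick one.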

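--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1046,6 +1046,8 @@ func New(options *Options) *API {
 // All CSP errors will be logged
 r.Post("/csp/reports",api.logReportCSPViolations)
 
+r.Get("/auth/scopes",api.listExternalScopes)
+
 r.Get("/buildinfo",buildInfoHandler(buildInfo))
 // /regions is overridden in the enterprise version
 r.Group(func(r chi.Router) {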

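--- a/coderd/coderdtest/swaggerparser.go
+++ b/coderd/coderdtest/swaggerparser.go
@@ -308,6 +308,7 @@ func assertSecurityDefined(t *testing.T, comment SwaggerComment) {
 ifcomment.router=="/updatecheck"||
 comment.router=="/buildinfo"||
 comment.router=="/"||
+comment.router=="/auth/scopes"||
 comment.router=="/users/login"||
 comment.router=="/users/otp/request"||
 comment.router=="/users/otp/change-password"||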

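--- a/coderd/scopes_catalog.go
+++ b/coderd/scopes_catalog.go
@@ -0,0 +1,21 @@
+package coderd
+
+import (
+"net/http"
+
+"github.com/coder/coder/v2/coderd/httpapi"
+"github.com/coder/coder/v2/coderd/rbac"
+)
+
+// listExternalScopes returns the curated list of API key scopes (resource:action)
+// requestable via the API. This endpoint is read-only and does not require authentication.
+//
+// @Summary List API key scopes
+// @ID list-api-key-scopes
+// @Tags Authorization
+// @Produce json
+// @Success 200 {array} string
+// @Router /auth/scopes [get]
+func (*API)listExternalScopes(rw http.ResponseWriter,r*http.Request) {
+httpapi.Write(r.Context(),rw,http.StatusOK,rbac.ExternalScopeNames())
+}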
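Review bot: The swagger annotations here advertise `resource:action` scope names, but `CreateTokenRequest.Scope` in codersdk/apikey.go (untouched by this commit, visible in its context lines) still carries `enums:"all,application_connect"`, so the generated API docs contradict the new endpoint; drop or extend that tag. Consider `// @Success 200 {array} codersdk.APIKeyScope` so SDK clients receive the typed constant rather than bare `string`. If `rbac.ExternalScopeNames()` (outside this hunk) can return a nil slice, `httpapi.Write` would emit `null` rather than `[]`, and its ordering must be stable for the API test in this commit not to flake; a doc line such as `// The list is never nil and is returned in a stable order.` would pin that contract, or the handler can normalize to a non-nil slice. Naming also drifts — "external" here, "public low-level" in the commit and tests, "list-api-key-scopes" in the @ID — and one term would help readers.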

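--- a/coderd/scopes_catalog_api_test.go
+++ b/coderd/scopes_catalog_api_test.go
@@ -0,0 +1,28 @@
+package coderd_test
+
+import (
+"encoding/json"
+"net/http"
+"testing"
+
+"github.com/stretchr/testify/require"
+
+"github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/rbac"
+)
+
+funcTestListPublicLowLevelScopes(t*testing.T) {
+t.Parallel()
+client:=coderdtest.New(t,nil)
+
+res,err:=client.Request(t.Context(),http.MethodGet,"/api/v2/auth/scopes",nil)
+require.NoError(t,err)
+deferres.Body.Close()
+require.Equal(t,http.StatusOK,res.StatusCode)
+
+vargot []string
+require.NoError(t,json.NewDecoder(res.Body).Decode(&got))
+
+want:=rbac.ExternalScopeNames()
+require.Equal(t,want,got)
+}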
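Review bot: The assertion `require.Equal(t, want, got)` with `want := rbac.ExternalScopeNames()` is tautological — the handler calls the same function, so the test passes even if the catalog were empty or exposed an internal-only scope through this unauthenticated route. Add content assertions that pin the public/internal boundary, e.g. `require.NotEmpty(t, got)`, `require.Contains(t, got, "workspace:read")` and `require.NotContains(t, got, "debug_info:read")` (both names are already used by the token-creation tests in this commit). The client from `coderdtest.New(t, nil)` with no first user created presumably carries no session token, which is what makes this an unauthenticated check; a one-line comment stating that intent would keep a future refactor from adding `CreateFirstUser` and silently losing the property under test.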

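--- a/codersdk/apikey.go
+++ b/codersdk/apikey.go
@@ -42,14 +42,6 @@ const (
 
 typeAPIKeyScopestring
 
-const (
-// APIKeyScopeAll is a scope that allows the user to do everything.
-APIKeyScopeAllAPIKeyScope="all"
-// APIKeyScopeApplicationConnect is a scope that allows the user
-// to connect to applications in a workspace.
-APIKeyScopeApplicationConnectAPIKeyScope="application_connect"
-)
-
 typeCreateTokenRequeststruct {
 Lifetime time.Duration`json:"lifetime"`
 ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`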
