Commitc41112a

committed
feat: add allow_list field to API key responses for resource scoping
Add allow_list field to API key data structures and ensure proper JSON serialization across backend and frontend. Initialize with a default wildcard entry (*:*) for backward compatibility with existing API keys that don't have explicit resource restrictions. Fixes #19854
1 parenta1346f5 commitc41112a

11 files changed

+161
-46
lines changed


‎coderd/apidoc/docs.go‎

Lines changed: 6 additions & 0 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 6 additions & 0 deletions

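--- a/coderd/apikey/apikey.go
+++ b/coderd/apikey/apikey.go
@@ -12,6 +12,7 @@ import (
 
 "github.com/coder/coder/v2/coderd/database"
 "github.com/coder/coder/v2/coderd/database/dbtime"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/coder/v2/coderd/rbac/policy"
 "github.com/coder/coder/v2/cryptorand"
 )
@@ -102,6 +103,12 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 }
 }
 
+iflen(params.AllowList)==0 {
+params.AllowList= database.AllowList{
+rbac.AllowListElement{Type:rbac.ResourceWildcard.Type,ID:policy.WildcardSymbol},
+}
+}
+
 token:=fmt.Sprintf("%s-%s",keyID,keySecret)
 
 return database.InsertAPIKeyParams{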
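Review bot: The wildcard fallback at new lines 106-110 makes an empty `AllowList` mean "unrestricted", so a caller that passes an empty list intending a key with no resource access instead gets a key that can reach everything; that is a defensible backward-compatibility default, but it is a security-relevant choice the code does not state. I would add above the `if`: `// An empty allow list means "unrestricted" (keys created before resource scoping have none); callers that want a restricted key must pass at least one explicit entry.` The `InsertAPIKeyParams` literal continues past the hunk, so I cannot confirm here that `params.AllowList` is copied into it — worth checking, since otherwise the default is computed and then dropped before the insert. Generate's body begins before the hunk.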

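--- a/coderd/apikey_test.go
+++ b/coderd/apikey_test.go
@@ -51,6 +51,8 @@ func TestTokenCRUD(t *testing.T) {
 require.Greater(t,keys[0].ExpiresAt,time.Now().Add(time.Hour*24*6))
 require.Less(t,keys[0].ExpiresAt,time.Now().Add(time.Hour*24*8))
 require.Equal(t,codersdk.APIKeyScopeAll,keys[0].Scope)
+require.Len(t,keys[0].AllowList,1)
+require.Equal(t,"*:*",keys[0].AllowList[0].String())
 
 // no update
 
@@ -86,6 +88,8 @@ func TestTokenScoped(t *testing.T) {
 require.EqualValues(t,len(keys),1)
 require.Contains(t,res.Key,keys[0].ID)
 require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)
+require.Len(t,keys[0].AllowList,1)
+require.Equal(t,"*:*",keys[0].AllowList[0].String())
 }
 
 // Ensure backward-compat: when a token is created using the legacy singular
@@ -132,6 +136,8 @@ func TestTokenLegacySingularScopeCompat(t *testing.T) {
 require.Len(t,keys,1)
 require.Equal(t,tc.scope,keys[0].Scope)
 require.ElementsMatch(t,keys[0].Scopes,tc.scopes)
+require.Len(t,keys[0].AllowList,1)
+require.Equal(t,"*:*",keys[0].AllowList[0].String())
 })
 }
 }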
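Review bot: All three added assertion pairs only pin the default `*:*` entry; nothing in this commit exercises a key created with an explicit allow list, which is the path where a widening bug (a concrete entry being replaced or supplemented by the wildcard) would actually matter. If the create request already accepts `allow_list` (not visible on this page), add a case that posts one concrete `type:id` target and asserts the response returns exactly that single entry and not `*:*`; if it does not yet, a `// TODO: cover a non-default allow_list once the request side accepts it` next to these assertions records the gap. The repeated literal `"*:*"` could also be a named constant so the three sites cannot drift. Each of the three enclosing test functions starts outside its hunk.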

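--- a/coderd/database/db2sdk/db2sdk.go
+++ b/coderd/database/db2sdk/db2sdk.go
@@ -51,6 +51,17 @@ func ListLazy[F any, T any](convert func(F) T) func(list []F) []T {
 }
 }
 
+funcAPIAllowListTarget(entry rbac.AllowListElement) codersdk.APIAllowListTarget {
+target:=codersdk.AllowAllTarget()
+ifentry.Type!="" {
+target.Type=codersdk.RBACResource(entry.Type)
+}
+ifentry.ID!="" {
+target.ID=entry.ID
+}
+returntarget
+}
+
 typeExternalAuthMetastruct {
 Authenticatedbool
 ValidateErrorstring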
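Review bot: `APIAllowListTarget` (new lines 54-63) starts from `codersdk.AllowAllTarget()` and only overrides non-empty fields, so a stored element with an empty `Type` or an empty `ID` is shown to API clients as a wildcard on that axis. If the policy layer treats such an element as "match nothing" or "invalid" rather than "match all", the response advertises a wider scope than is enforced; I cannot tell from this hunk which interpretation rbac uses. The exported function also lacks a doc comment; I would add one that states the mapping so the two layers can be checked against each other, e.g. `// APIAllowListTarget converts a stored allow-list element to its API form. An empty Type or ID is rendered as the wildcard "*"; this must agree with how rbac interprets empty fields.`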

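--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1596,6 +1596,11 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {
 scopes=append(scopes,codersdk.APIKeyScope(s))
 }
 
+allowList:=db2sdk.List(k.AllowList,db2sdk.APIAllowListTarget)
+iflen(allowList)==0 {
+allowList=append(allowList,codersdk.AllowAllTarget())
+}
+
 return codersdk.APIKey{
 ID:k.ID,
 UserID:k.UserID,
@@ -1608,5 +1613,6 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {
 Scopes:scopes,
 LifetimeSeconds:k.LifetimeSeconds,
 TokenName:k.TokenName,
+AllowList:allowList,
 }
 }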
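Review bot: The empty-list fallback at new lines 1600-1602 re-implements the default that `apikey.Generate` applies at creation time, so the rule "empty means `*:*`" now lives in two places and is applied on the response path independently of what is stored. If the two ever diverge, the API would report a scope that differs from the one the authorizer enforces, which is exactly the kind of mismatch that hides over-privileged tokens; I would move the default into one shared helper used by both sites, or at minimum add `// Keep in sync with the default applied in apikey.Generate; legacy rows have no stored allow list.` above the `if`. The branch is only reachable if `db2sdk.List` yields an empty slice for a nil input, which seems to be the intent but is not visible here. convertAPIKey's body is split across the two hunks and its return literal is partly outside them.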

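--- a/codersdk/apikey.go
+++ b/codersdk/apikey.go
@@ -12,17 +12,18 @@ import (
 
 // APIKey: do not ever return the HashedSecret
 typeAPIKeystruct {
-IDstring`json:"id" validate:"required"`
-UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
-LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
-ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
-CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
-UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
-LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
-ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
-Scopes []APIKeyScope`json:"scopes"`
-TokenNamestring`json:"token_name" validate:"required"`
-LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
+IDstring`json:"id" validate:"required"`
+UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
+LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
+ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
+CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
+UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
+LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
+ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
+Scopes []APIKeyScope`json:"scopes"`
+TokenNamestring`json:"token_name" validate:"required"`
+LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
+AllowList []APIAllowListTarget`json:"allow_list"`
 }
 
 // LoginType is the type of login used to create the API key.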
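Review bot: The new `AllowList` field on new line 26 has no doc comment, so the generated OpenAPI schema and TypeScript types give consumers no hint that a single `*:*` entry means "no restriction" rather than "restricted to a resource literally named *". I would add above it: `// AllowList restricts which resources the key may act on. A single entry with Type "*" and ID "*" means the key is unrestricted; this is the default for keys created before resource scoping.` If the server always emits at least one entry, as the `convertAPIKey` change in this commit appears to ensure, `validate:"required"` would also be accurate and consistent with the other always-present fields here. The remaining lines of the hunk are a whitespace realignment of the struct.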

‎docs/reference/api/schemas.md‎

Lines changed: 20 additions & 13 deletions

‎docs/reference/api/users.md‎

Lines changed: 84 additions & 22 deletions

‎site/src/api/typesGenerated.ts‎

Lines changed: 1 addition & 0 deletions
