NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitd7df2aa

committed

feat: add API key allow list handling

Expose allow_list targets on CreateTokenRequest and persist them in thedatabase so API keys can be scoped to resources.Introduce codersdk and rbac helpers to parse, validate, and normalizeallow lists to enforce consistent wildcard handling.Regenerate OpenAPI documentation, API typing outputs, and TypeScriptbindings with stable serialization ordering for generated files.

1 parent156f985 commitd7df2aaCopy full SHA for d7df2aa

File tree

25 files changed

+940

-95

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- apikey.go
- apikey
  - apikey.go
- coderdtest
  - authorize.go
- database
  - dbauthz
    - setup_test.go
  - dbgen
    - dbgen.go
  - modelmethods.go
  - modelmethods_internal_test.go
  - types.go
- httpmw
- rbac
codersdk
docs/reference/api
- schemas.md
- users.md
scripts/apitypings
- main.go
- main_test.go
site/src/api
- typesGenerated.ts

25 files changed

+940

-95

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 17 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 17 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey.go‎`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,37 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`116`	`116`	`TokenName:tokenName,`
`117`	`117`	`}`
`118`	`118`
	`119`	`+iflen(createToken.AllowList)>0 {`
	`120`	`+rbacAllowListElements:=make([]rbac.AllowListElement,0,len(createToken.AllowList))`
	`121`	`+for_,t:=rangecreateToken.AllowList {`
	`122`	`+entry,err:=rbac.NewAllowListElement(string(t.Type),t.ID)`
	`123`	`+iferr!=nil {`
	`124`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`125`	`+Message:"Failed to create API key.",`
	`126`	`+Detail:err.Error(),`
	`127`	`+})`
	`128`	`+return`
	`129`	`+}`
	`130`	`+rbacAllowListElements=append(rbacAllowListElements,entry)`
	`131`	`+}`
	`132`	`+`
	`133`	`+rbacAllowList,err:=rbac.NormalizeAllowList(rbacAllowListElements)`
	`134`	`+iferr!=nil {`
	`135`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`136`	`+Message:"Failed to create API key.",`
	`137`	`+Detail:err.Error(),`
	`138`	`+})`
	`139`	`+return`
	`140`	`+}`
	`141`	`+`
	`142`	`+dbAllowList:=make(database.AllowList,0,len(rbacAllowList))`
	`143`	`+for_,e:=rangerbacAllowList {`
	`144`	`+dbAllowList=append(dbAllowList, rbac.AllowListElement{Type:e.Type,ID:e.ID})`
	`145`	`+}`
	`146`	`+`
	`147`	`+params.AllowList=dbAllowList`
	`148`	`+}`
	`149`	`+`
`119`	`150`	`ifcreateToken.Lifetime!=0 {`
`120`	`151`	`err:=api.validateAPIKeyLifetime(ctx,user.ID,createToken.Lifetime)`
`121`	`152`	`iferr!=nil {`

`‎coderd/apikey/apikey.go‎`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`"github.com/coder/coder/v2/coderd/database"`
`14`	`14`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
	`15`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`15`	`16`	`"github.com/coder/coder/v2/cryptorand"`
`16`	`17`	`)`
`17`	`18`
`@@ -34,6 +35,9 @@ type CreateParams struct {`
`34`	`35`	`Scopes database.APIKeyScopes`
`35`	`36`	`TokenNamestring`
`36`	`37`	`RemoteAddrstring`
	`38`	`+// AllowList is an optional, normalized allow-list`
	`39`	`+// of resource type and uuid entries. If empty, defaults to wildcard.`
	`40`	`+AllowList database.AllowList`
`37`	`41`	`}`
`38`	`42`
`39`	`43`	`// Generate generates an API key, returning the key as a string as well as the`
`@@ -61,6 +65,10 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`61`	`65`	`params.LifetimeSeconds=int64(time.Until(params.ExpiresAt).Seconds())`
`62`	`66`	`}`
`63`	`67`
	`68`	`+iflen(params.AllowList)==0 {`
	`69`	`+params.AllowList= database.AllowList{{Type:policy.WildcardSymbol,ID:policy.WildcardSymbol}}`
	`70`	`+}`
	`71`	`+`
`64`	`72`	`ip:=net.ParseIP(params.RemoteAddr)`
`65`	`73`	`ifip==nil {`
`66`	`74`	`ip=net.IPv4(0,0,0,0)`
`@@ -115,7 +123,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`115`	`123`	`HashedSecret:hashed[:],`
`116`	`124`	`LoginType:params.LoginType,`
`117`	`125`	`Scopes:scopes,`
`118`		`-AllowList:database.AllowList{database.AllowListWildcard()},`
	`126`	`+AllowList:params.AllowList,`
`119`	`127`	`TokenName:params.TokenName,`
`120`	`128`	`},token,nil`
`121`	`129`	`}`

`‎coderd/coderdtest/authorize.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ func AssertRBAC(t testing.T, api coderd.API, client *codersdk.Client) RBACAsse`
`68`	`68`	`ID:key.UserID.String(),`
`69`	`69`	`Roles:rbac.RoleIdentifiers(roleNames),`
`70`	`70`	`Groups:roles.Groups,`
`71`		`-Scope:key.Scopes,`
	`71`	`+Scope:key.ScopeSet(),`
`72`	`72`	`},`
`73`	`73`	`Recorder:recorder,`
`74`	`74`	`}`

`‎coderd/database/dbauthz/setup_test.go‎`

Lines changed: 9 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -225,17 +225,20 @@ func (s *MethodTestSuite) SubtestWithDB(db database.Store, testCaseF func(db dat`
`225`	`225`	`iftestCase.outputs!=nil {`
`226`	`226`	`// Assert the required outputs`
`227`	`227`	`s.Equal(len(testCase.outputs),len(outputs),"method %q returned unexpected number of outputs",methodName)`
	`228`	`+cmpOptions:= []cmp.Option{`
	`229`	`+// Equate nil and empty slices.`
	`230`	`+cmpopts.EquateEmpty(),`
	`231`	`+}`
`228`	`232`	`fori:=rangeoutputs {`
`229`	`233`	`a,b:=testCase.outputs[i].Interface(),outputs[i].Interface()`
`230`	`234`
`231`	`235`	`// To avoid the extra small overhead of gob encoding, we can`
`232`	`236`	`// first check if the values are equal with regard to order.`
`233`	`237`	`// If not, re-check disregarding order and show a nice diff`
`234`	`238`	`// output of the two values.`
`235`		`-if!cmp.Equal(a,b,cmpopts.EquateEmpty()) {`
`236`		`-ifdiff:=cmp.Diff(a,b,`
`237`		`-// Equate nil and empty slices.`
`238`		`-cmpopts.EquateEmpty(),`
	`239`	`+if!cmp.Equal(a,b,cmpOptions...) {`
	`240`	`+diffOpts:=append(`
	`241`	`+append([]cmp.Option{},cmpOptions...),`
`239`	`242`	`// Allow slice order to be ignored.`
`240`	`243`	`cmpopts.SortSlices(func(a,bany)bool {`
`241`	`244`	`varab,bb strings.Builder`
`@@ -247,7 +250,8 @@ func (s *MethodTestSuite) SubtestWithDB(db database.Store, testCaseF func(db dat`
`247`	`250`	`// https://github.com/google/go-cmp/issues/67`
`248`	`251`	`returnab.String()<bb.String()`
`249`	`252`	`}),`
`250`		`-);diff!="" {`
	`253`	`+)`
	`254`	`+ifdiff:=cmp.Diff(a,b,diffOpts...);diff!="" {`
`251`	`255`	`s.Failf("compare outputs failed","method %q returned unexpected output %d (-want +got):\n%s",methodName,i,diff)`
`252`	`256`	`}`
`253`	`257`	`}`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ import (`
`27`	`27`	`"github.com/coder/coder/v2/coderd/database/provisionerjobs"`
`28`	`28`	`"github.com/coder/coder/v2/coderd/database/pubsub"`
`29`	`29`	`"github.com/coder/coder/v2/coderd/rbac"`
	`30`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`30`	`31`	`"github.com/coder/coder/v2/codersdk"`
`31`	`32`	`"github.com/coder/coder/v2/cryptorand"`
`32`	`33`	`"github.com/coder/coder/v2/provisionerd/proto"`
`@@ -186,7 +187,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`186`	`187`	`UpdatedAt:takeFirst(seed.UpdatedAt,dbtime.Now()),`
`187`	`188`	`LoginType:takeFirst(seed.LoginType,database.LoginTypePassword),`
`188`	`189`	`Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),`
`189`		`-AllowList:takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),`
	`190`	`+AllowList:takeFirstSlice(seed.AllowList, database.AllowList{{Type:policy.WildcardSymbol,ID:policy.WildcardSymbol}}),`
`190`	`191`	`TokenName:takeFirst(seed.TokenName),`
`191`	`192`	`}`
`192`	`193`	`for_,fn:=rangemunge {`

`‎coderd/database/modelmethods.go‎`

Lines changed: 49 additions & 29 deletions

Original file line number	Diff line number	Diff line change
`@@ -145,24 +145,30 @@ func (s APIKeyScope) ToRBAC() rbac.ScopeName {`
`145`	`145`	`}`
`146`	`146`	`}`
`147`	`147`
`148`		`-// APIKeyScopesallows expanding multipleAPI keyscopes into a single`
`149`		`-//RBAC scope for authorization. This implements rbac.ExpandableScope so`
`150`		`-//callers can pass the list directly without deriving a single scope.`
	`148`	`+// APIKeyScopesrepresents a collection of individualAPI keyscope names as`
	`149`	`+//stored in the database. Helper methods on this type are used to derive the`
	`150`	`+//RBAC scope that should be authorized for the key.`
`151`	`151`	`typeAPIKeyScopes []APIKeyScope`
`152`	`152`
`153`		`-var_ rbac.ExpandableScope=APIKeyScopes{}`
	`153`	`+// WithAllowList wraps the scopes with a database allow list, producing an`
	`154`	`+// ExpandableScope that always enforces the allow list overlay when expanded.`
	`155`	`+func (sAPIKeyScopes)WithAllowList(listAllowList)APIKeyScopeSet {`
	`156`	`+returnAPIKeyScopeSet{Scopes:s,AllowList:list}`
	`157`	`+}`
`154`	`158`
`155`	`159`	`// Has returns true if the slice contains the provided scope.`
`156`	`160`	`func (sAPIKeyScopes)Has(targetAPIKeyScope)bool {`
`157`	`161`	`returnslices.Contains(s,target)`
`158`	`162`	`}`
`159`	`163`
`160`		`-// Expand merges the permissions of all scopes in the list into a single scope.`
`161`		`-// If the list is empty, it defaults to rbac.ScopeAll.`
`162`		`-func (sAPIKeyScopes)Expand() (rbac.Scope,error) {`
	`164`	`+// expandRBACScope merges the permissions of all scopes in the list into a`
	`165`	`+// single RBAC scope. If the list is empty, it defaults to rbac.ScopeAll for`
	`166`	`+// backward compatibility. This method is internal; use ScopeSet() to combine`
	`167`	`+// scopes with the API key's allow list for authorization.`
	`168`	`+func (sAPIKeyScopes)expandRBACScope() (rbac.Scope,error) {`
`163`	`169`	`// Default to ScopeAll for backward compatibility when no scopes provided.`
`164`	`170`	`iflen(s)==0 {`
`165`		`-returnrbac.ScopeAll.Expand()`
	`171`	`+return rbac.Scope{},xerrors.New("no scopes provided")`
`166`	`172`	`}`
`167`	`173`
`168`	`174`	`varmerged rbac.Scope`
`@@ -174,9 +180,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`174`	`180`	`User:nil,`
`175`	`181`	`}`
`176`	`182`
`177`		`-// Track allow list union, collapsing to wildcard if any child is wildcard.`
`178`		`-allowAll:=false`
`179`		`-allowSet:=make(map[string]rbac.AllowListElement)`
	`183`	`+// Collect allow lists for a union after expanding all scopes.`
	`184`	`+allowLists:=make([][]rbac.AllowListElement,0,len(s))`
`180`	`185`
`181`	`186`	`for_,s:=ranges {`
`182`	`187`	`expanded,err:=s.ToRBAC().Expand()`
`@@ -191,16 +196,7 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`191`	`196`	`}`
`192`	`197`	`merged.User=append(merged.User,expanded.User...)`
`193`	`198`
`194`		`-// Merge allow lists.`
`195`		`-for_,e:=rangeexpanded.AllowIDList {`
`196`		`-ife.ID==policy.WildcardSymbol&&e.Type==policy.WildcardSymbol {`
`197`		`-allowAll=true`
`198`		`-// No need to track other entries once wildcard is present.`
`199`		`-continue`
`200`		`-}`
`201`		`-key:=e.String()`
`202`		`-allowSet[key]=e`
`203`		`-}`
	`199`	`+allowLists=append(allowLists,expanded.AllowIDList)`
`204`	`200`	`}`
`205`	`201`
`206`	`202`	`// De-duplicate permissions across Site/Org/User`
`@@ -210,14 +206,7 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`210`	`206`	`}`
`211`	`207`	`merged.User=rbac.DeduplicatePermissions(merged.User)`
`212`	`208`
`213`		`-ifallowAll\|\|len(allowSet)==0 {`
`214`		`-merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`
`215`		`-}else {`
`216`		`-merged.AllowIDList=make([]rbac.AllowListElement,0,len(allowSet))`
`217`		`-for_,v:=rangeallowSet {`
`218`		`-merged.AllowIDList=append(merged.AllowIDList,v)`
`219`		`-}`
`220`		`-}`
	`209`	`+merged.AllowIDList=rbac.UnionAllowLists(allowLists...)`
`221`	`210`
`222`	`211`	`returnmerged,nil`
`223`	`212`	`}`
`@@ -235,6 +224,37 @@ func (s APIKeyScopes) Name() rbac.RoleIdentifier {`
`235`	`224`	`return rbac.RoleIdentifier{Name:"scopes["+strings.Join(names,"+")+"]"}`
`236`	`225`	`}`
`237`	`226`
	`227`	`+// APIKeyScopeSet merges expanded scopes with the API key's DB allow_list. If`
	`228`	`+// the DB allow_list is a wildcard or empty, the merged scope's allow list is`
	`229`	`+// unchanged. Otherwise, the DB allow_list overrides the merged AllowIDList to`
	`230`	`+// enforce the token's resource scoping consistently across all permissions.`
	`231`	`+typeAPIKeyScopeSetstruct {`
	`232`	`+ScopesAPIKeyScopes`
	`233`	`+AllowListAllowList`
	`234`	`+}`
	`235`	`+`
	`236`	`+var_ rbac.ExpandableScope=APIKeyScopeSet{}`
	`237`	`+`
	`238`	`+func (sAPIKeyScopeSet)Name() rbac.RoleIdentifier {returns.Scopes.Name() }`
	`239`	`+`
	`240`	`+func (sAPIKeyScopeSet)Expand() (rbac.Scope,error) {`
	`241`	`+merged,err:=s.Scopes.expandRBACScope()`
	`242`	`+iferr!=nil {`
	`243`	`+return rbac.Scope{},err`
	`244`	`+}`
	`245`	`+merged.AllowIDList=rbac.IntersectAllowLists(merged.AllowIDList,s.AllowList)`
	`246`	`+returnmerged,nil`
	`247`	`+}`
	`248`	`+`
	`249`	`+// ScopeSet returns the scopes combined with the database allow list. It is the`
	`250`	`+// canonical way to expose an API key's effective scope for authorization.`
	`251`	`+func (kAPIKey)ScopeSet()APIKeyScopeSet {`
	`252`	`+returnAPIKeyScopeSet{`
	`253`	`+Scopes:k.Scopes,`
	`254`	`+AllowList:k.AllowList,`
	`255`	`+}`
	`256`	`+}`
	`257`	`+`
`238`	`258`	`func (kAPIKey)RBACObject() rbac.Object {`
`239`	`259`	`returnrbac.ResourceApiKey.WithIDString(k.ID).`
`240`	`260`	`WithOwner(k.UserID.String())`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd7df2aa

File tree

25 files changed

25 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey.go‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/coderdtest/authorize.go‎`

`‎coderd/database/dbauthz/setup_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

`‎coderd/database/modelmethods.go‎`

0 commit comments