NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitdd9f91b

committed

feat: rename special API key scopes to coder:* namespace

This change unifies scope handling by migrating special scopes to thecoder:* namespace while maintaining backward compatibility:- Database: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'- API accepts both legacy and canonical forms in requests- Responses maintain legacy format for existing client compatibility- Scope catalog returns all public scopes including canonical specials- Validation enforces public scope requirements using unified logicThe migration preserves existing API key functionality while establishingconsistent scope naming conventions for future extensibility.

1 parent3223b46 commitdd9f91bCopy full SHA for dd9f91b

File tree

23 files changed

+124

-71

lines changed

coderd
- apikey.go
- apikey
  - apikey.go
  - apikey_test.go
- database
  - dbauthz
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - dump.sql
  - migrations
    - 000372_canonicalize_special_api_key_scopes.down.sql
    - 000372_canonicalize_special_api_key_scopes.up.sql
  - modelmethods.go
  - modelmethods_internal_test.go
  - models.go
  - queries.sql.go
  - queries
    - apikeys.sql
- httpmw
- rbac
  - scopes.go
  - scopes_catalog.go
- userauth_test.go
- users.go
- workspaceapps.go
codersdk
- apikey.go
- apikey_scopes_gen.go

23 files changed

+124

-71

lines changed

`‎coderd/apikey.go‎`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,16 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`66`	`66`	`return`
`67`	`67`	`}`
`68`	`68`
`69`		`-scope:=database.APIKeyScopeAll`
`70`		`-ifscope!="" {`
	`69`	`+scope:=database.ApiKeyScopeCoderAll`
	`70`	`+ifstring(createToken.Scope)!="" {`
	`71`	`+// Reject internal-only scopes early.`
	`72`	`+if!rbac.IsExternalScope(rbac.ScopeName(createToken.Scope)) {`
	`73`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`74`	`+Message:"Failed to create API key.",`
	`75`	`+Detail:fmt.Sprintf("invalid or unsupported API key scope: %q",createToken.Scope),`
	`76`	`+})`
	`77`	`+return`
	`78`	`+}`
`71`	`79`	`scope=database.APIKeyScope(createToken.Scope)`
`72`	`80`	`}`
`73`	`81`

`‎coderd/apikey/apikey.go‎`

Lines changed: 25 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,8 @@ type CreateParams struct {`
`25`	`25`	`// Optional.`
`26`	`26`	`ExpiresAt time.Time`
`27`	`27`	`LifetimeSecondsint64`
`28`		`-Scope database.APIKeyScope`
	`28`	`+Scope database.APIKeyScope// Deprecated use Scopes instead.`
	`29`	`+Scopes database.APIKeyScopes`
`29`	`30`	`TokenNamestring`
`30`	`31`	`RemoteAddrstring`
`31`	`32`	`}`
`@@ -62,14 +63,29 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`62`	`63`
`63`	`64`	`bitlen:=len(ip)*8`
`64`	`65`
`65`		`-scope:=database.APIKeyScopeAll`
`66`		`-ifparams.Scope!="" {`
`67`		`-scope=params.Scope`
	`66`	`+scopes:=params.Scopes`
	`67`	`+iflen(scopes)==0 {`
	`68`	`+// Backward compatibility for the single Scope field.`
	`69`	`+scope:=database.ApiKeyScopeCoderAll`
	`70`	`+`
	`71`	`+ifparams.Scope!="" {`
	`72`	`+switchparams.Scope {`
	`73`	`+case"all":`
	`74`	`+scope=database.ApiKeyScopeCoderAll`
	`75`	`+case"application_connect":`
	`76`	`+scope=database.ApiKeyScopeCoderApplicationConnect`
	`77`	`+default:`
	`78`	`+scope=params.Scope`
	`79`	`+}`
	`80`	`+}`
	`81`	`+`
	`82`	`+scopes=append(scopes,scope)`
`68`	`83`	`}`
`69`		`-switchscope {`
`70`		`-casedatabase.APIKeyScopeAll,database.APIKeyScopeApplicationConnect:`
`71`		`-default:`
`72`		`-return database.InsertAPIKeyParams{},"",xerrors.Errorf("invalid API key scope: %q",scope)`
	`84`	`+`
	`85`	`+for_,s:=rangescopes {`
	`86`	`+if!s.Valid() {`
	`87`	`+return database.InsertAPIKeyParams{},"",xerrors.Errorf("invalid API key scope: %q",s)`
	`88`	`+}`
`73`	`89`	`}`
`74`	`90`
`75`	`91`	`token:=fmt.Sprintf("%s-%s",keyID,keySecret)`
`@@ -92,7 +108,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)`
`92`	`108`	`UpdatedAt:dbtime.Now(),`
`93`	`109`	`HashedSecret:hashed[:],`
`94`	`110`	`LoginType:params.LoginType,`
`95`		`-Scopes:database.APIKeyScopes{scope},`
	`111`	`+Scopes:scopes,`
`96`	`112`	`AllowList: database.AllowList{database.AllowListWildcard()},`
`97`	`113`	`TokenName:params.TokenName,`
`98`	`114`	`},token,nil`

`‎coderd/apikey/apikey_test.go‎`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {`
`35`	`35`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`36`	`36`	`TokenName:"hello",`
`37`	`37`	`RemoteAddr:"1.2.3.4",`
`38`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`38`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`39`	`39`	`},`
`40`	`40`	`},`
`41`	`41`	`{`
`@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {`
`62`	`62`	`ExpiresAt: time.Time{},`
`63`	`63`	`TokenName:"hello",`
`64`	`64`	`RemoteAddr:"1.2.3.4",`
`65`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`65`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`66`	`66`	`},`
`67`	`67`	`},`
`68`	`68`	`{`
`@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {`
`75`	`75`	`ExpiresAt: time.Time{},`
`76`	`76`	`TokenName:"hello",`
`77`	`77`	`RemoteAddr:"1.2.3.4",`
`78`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`78`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`79`	`79`	`},`
`80`	`80`	`},`
`81`	`81`	`{`
`@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {`
`88`	`88`	`LifetimeSeconds:int64(time.Hour.Seconds()),`
`89`	`89`	`TokenName:"hello",`
`90`	`90`	`RemoteAddr:"",`
`91`		`-Scope:database.APIKeyScopeApplicationConnect,`
	`91`	`+Scope:database.ApiKeyScopeCoderApplicationConnect,`
`92`	`92`	`},`
`93`	`93`	`},`
`94`	`94`	`{`
`@@ -161,7 +161,7 @@ func TestGenerate(t *testing.T) {`
`161`	`161`	`iftc.params.Scope!="" {`
`162`	`162`	`assert.True(t,key.Scopes.Has(tc.params.Scope))`
`163`	`163`	`}else {`
`164`		`-assert.True(t,key.Scopes.Has(database.APIKeyScopeAll))`
	`164`	`+assert.True(t,key.Scopes.Has(database.ApiKeyScopeCoderAll))`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`iftc.params.TokenName!="" {`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`251`	`251`	`}))`
`252`	`252`	`s.Run("InsertAPIKey",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`253`	`253`	`u:=testutil.Fake(s.T(),faker, database.User{})`
`254`		`-arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.APIKeyScopeAll},IPAddress:defaultIPAddress()}`
	`254`	`+arg:= database.InsertAPIKeyParams{UserID:u.ID,LoginType:database.LoginTypePassword,Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderAll},IPAddress:defaultIPAddress()}`
`255`	`255`	`ret:=testutil.Fake(s.T(),faker, database.APIKey{UserID:u.ID,LoginType:database.LoginTypePassword})`
`256`	`256`	`dbm.EXPECT().InsertAPIKey(gomock.Any(),arg).Return(ret,nil).AnyTimes()`
`257`	`257`	`check.Args(arg).Asserts(rbac.ResourceApiKey.WithOwner(u.ID.String()),policy.ActionCreate)`
`@@ -265,7 +265,7 @@ func (s *MethodTestSuite) TestAPIKey() {`
`265`	`265`	`check.Args(arg).Asserts(a,policy.ActionUpdate).Returns()`
`266`	`266`	`}))`
`267`	`267`	`s.Run("DeleteApplicationConnectAPIKeysByUserID",s.Mocked(func(dbmdbmock.MockStore,fakergofakeit.Faker,check*expects) {`
`268`		`-a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.APIKeyScopeApplicationConnect}})`
	`268`	`+a:=testutil.Fake(s.T(),faker, database.APIKey{Scopes: database.APIKeyScopes{database.ApiKeyScopeCoderApplicationConnect}})`
`269`	`269`	`dbm.EXPECT().DeleteApplicationConnectAPIKeysByUserID(gomock.Any(),a.UserID).Return(nil).AnyTimes()`
`270`	`270`	`check.Args(a.UserID).Asserts(rbac.ResourceApiKey.WithOwner(a.UserID.String()),policy.ActionDelete).Returns()`
`271`	`271`	`}))`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`185`	`185`	`CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),`
`186`	`186`	`UpdatedAt:takeFirst(seed.UpdatedAt,dbtime.Now()),`
`187`	`187`	`LoginType:takeFirst(seed.LoginType,database.LoginTypePassword),`
`188`		`-Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.APIKeyScopeAll}),`
	`188`	`+Scopes:takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),`
`189`	`189`	`AllowList:takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),`
`190`	`190`	`TokenName:takeFirst(seed.TokenName),`
`191`	`191`	`}`

`‎coderd/database/dump.sql‎`

Lines changed: 2 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000372_canonicalize_special_api_key_scopes.down.sql‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+-- Revert canonicalization of special API key scopes`
	`2`	`+-- Rename enum values back: 'coder:all' -> 'all', 'coder:application_connect' -> 'application_connect'`
	`3`	`+`
	`4`	`+ALTERTYPE api_key_scope RENAME VALUE'coder:all' TO'all';`
	`5`	`+ALTERTYPE api_key_scope RENAME VALUE'coder:application_connect' TO'application_connect';`

`‎coderd/database/migrations/000372_canonicalize_special_api_key_scopes.up.sql‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+-- Canonicalize special API key scopes to coder:* namespace`
	`2`	`+-- Rename enum values: 'all' -> 'coder:all', 'application_connect' -> 'coder:application_connect'`
	`3`	`+`
	`4`	`+ALTERTYPE api_key_scope RENAME VALUE'all' TO'coder:all';`
	`5`	`+ALTERTYPE api_key_scope RENAME VALUE'application_connect' TO'coder:application_connect';`

`‎coderd/database/modelmethods.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,9 +134,9 @@ func (w ConnectionLog) RBACObject() rbac.Object {`
`134`	`134`
`135`	`135`	`func (sAPIKeyScope)ToRBAC() rbac.ScopeName {`
`136`	`136`	`switchs {`
`137`		`-caseAPIKeyScopeAll:`
	`137`	`+case"all",ApiKeyScopeCoderAll:`
`138`	`138`	`returnrbac.ScopeAll`
`139`		`-caseAPIKeyScopeApplicationConnect:`
	`139`	`+case"application_connect",ApiKeyScopeCoderApplicationConnect:`
`140`	`140`	`returnrbac.ScopeApplicationConnect`
`141`	`141`	`default:`
`142`	`142`	`// Allow low-level resource:action scopes to flow through to RBAC for`
`@@ -218,7 +218,7 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`218`	`218`	`// Name returns a human-friendly identifier for tracing/logging.`
`219`	`219`	`func (sAPIKeyScopes)Name() rbac.RoleIdentifier {`
`220`	`220`	`iflen(s)==0 {`
`221`		`-return rbac.RoleIdentifier{Name:string(APIKeyScopeAll)}`
	`221`	`+return rbac.RoleIdentifier{Name:string(ApiKeyScopeCoderAll)}`
`222`	`222`	`}`
`223`	`223`	`names:=make([]string,0,len(s))`
`224`	`224`	`for_,s:=ranges {`

`‎coderd/database/modelmethods_internal_test.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,15 +20,15 @@ func TestAPIKeyScopesExpand(t *testing.T) {`
`20`	`20`	`}{`
`21`	`21`	`{`
`22`	`22`	`name:"all",`
`23`		`-scopes:APIKeyScopes{APIKeyScopeAll},`
	`23`	`+scopes:APIKeyScopes{ApiKeyScopeCoderAll},`
`24`	`24`	`want:func(t*testing.T,s rbac.Scope) {`
`25`	`25`	`requirePermission(t,s,rbac.ResourceWildcard.Type,policy.Action(policy.WildcardSymbol))`
`26`	`26`	`requireAllowAll(t,s)`
`27`	`27`	`},`
`28`	`28`	`},`
`29`	`29`	`{`
`30`	`30`	`name:"application_connect",`
`31`		`-scopes:APIKeyScopes{APIKeyScopeApplicationConnect},`
	`31`	`+scopes:APIKeyScopes{ApiKeyScopeCoderAll},`
`32`	`32`	`want:func(t*testing.T,s rbac.Scope) {`
`33`	`33`	`requirePermission(t,s,rbac.ResourceWorkspace.Type,policy.ActionApplicationConnect)`
`34`	`34`	`requireAllowAll(t,s)`
`@@ -69,7 +69,7 @@ func TestAPIKeyScopesExpand(t *testing.T) {`
`69`	`69`
`70`	`70`	`t.Run("merge",func(t*testing.T) {`
`71`	`71`	`t.Parallel()`
`72`		`-scopes:=APIKeyScopes{APIKeyScopeApplicationConnect,APIKeyScopeAll,ApiKeyScopeWorkspaceRead}`
	`72`	`+scopes:=APIKeyScopes{ApiKeyScopeCoderApplicationConnect,ApiKeyScopeCoderAll,ApiKeyScopeWorkspaceRead}`
`73`	`73`	`s,err:=scopes.Expand()`
`74`	`74`	`require.NoError(t,err)`
`75`	`75`	`requirePermission(t,s,rbac.ResourceWildcard.Type,policy.Action(policy.WildcardSymbol))`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdd9f91b

File tree

23 files changed

23 files changed

`‎coderd/apikey.go‎`

`‎coderd/apikey/apikey.go‎`

`‎coderd/apikey/apikey_test.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

`‎coderd/database/dump.sql‎`

`‎coderd/database/migrations/000372_canonicalize_special_api_key_scopes.down.sql‎`

`‎coderd/database/migrations/000372_canonicalize_special_api_key_scopes.up.sql‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/database/modelmethods_internal_test.go‎`

0 commit comments