NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitf080b23

committed

refactor: replace CEL with expr for token lifetime expressions

Change-Id: I2dcfa21535a8c5d4b2276622617782f0b2c47603Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parente0261c5 commitf080b23Copy full SHA for f080b23

File tree

17 files changed

+607

-995

lines changed

cli/testdata
- coder_server_--help.golden
- server-config.yaml.golden
coderd
codersdk
- deployment.go
- deployment_test.go
docs/reference
- api
  - schemas.md
- cli
  - server.md
enterprise/cli/testdata
- coder_server_--help.golden
go.mod
go.sum

17 files changed

+607

-995

lines changed

`‎cli/testdata/coder_server_--help.golden`

Lines changed: 7 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -51,14 +51,13 @@ OPTIONS:`
`51`	`51`	`all available experiments.`
`52`	`52`
`53`	`53`	`--max-token-lifetime-expression string, $CODER_MAX_TOKEN_LIFETIME_EXPRESSION`
`54`		`- A CEL expression that determines the maximum token lifetime based on`
`55`		`- user attributes. The expression has access to 'subject'`
`56`		`- (rbac.Subject), 'globalMaxDuration' (time.Duration),`
`57`		`- and'defaultDuration' (time.Duration). Must return a duration string`
`58`		`- (e.g., duration("168h")). Example: 'subject.roles.exists(r, r.name ==`
`59`		`- "owner") ? duration(globalMaxDuration) : duration(defaultDuration)'.`
`60`		`- See https://github.com/google/cel-spec for CEL expression syntax and`
`61`		`- examples.`
	`54`	`+ An expr expression that determines the maximum token lifetime based on`
	`55`	`+ user attributes. The expression has access to 'subject' (Subject),`
	`56`	`+ 'globalMaxDuration' (time.Duration), and 'defaultDuration'`
	`57`	`+ (time.Duration). Must return a duration (e.g., duration("168h")).`
	`58`	`+ Example: 'any(subject.Roles, .Name == "owner") ? duration("720h") :`
	`59`	`+ duration("168h")'. See https://github.com/expr-lang/expr for expr`
	`60`	`+ expression syntax and examples.`
`62`	`61`
`63`	`62`	`--postgres-auth password\|awsiamrds, $CODER_PG_AUTH (default: password)`
`64`	`63`	`Type of auth to use when connecting to postgres. For AWS RDS, using`

`‎cli/testdata/server-config.yaml.golden`

Lines changed: 6 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -445,13 +445,12 @@ experiments: []`
`445`	`445`	`# performed once per day.`
`446`	`446`	`# (default: false, type: bool)`
`447`	`447`	`updateCheck: false`
`448`		`-# A CEL expression that determines the maximum token lifetime based on user`
`449`		`-# attributes. The expression has access to 'subject' (rbac.Subject),`
`450`		`-# 'globalMaxDuration' (time.Duration), and'defaultDuration' (time.Duration). Must`
`451`		`-# return a duration string (e.g., duration("168h")). Example:`
`452`		`-# 'subject.roles.exists(r, r.name == "owner") ? duration(globalMaxDuration) :`
`453`		`-# duration(defaultDuration)'. See https://github.com/google/cel-spec for CEL`
`454`		`-# expression syntax and examples.`
	`448`	`+# An expr expression that determines the maximum token lifetime based on user`
	`449`	`+# attributes. The expression has access to 'subject' (Subject),`
	`450`	`+# 'globalMaxDuration' (time.Duration), and 'defaultDuration' (time.Duration). Must`
	`451`	`+# return a duration (e.g., duration("168h")). Example: 'any(subject.Roles, .Name`
	`452`	`+# == "owner") ? duration("720h") : duration("168h")'. See`
	`453`	`+# https://github.com/expr-lang/expr for expr expression syntax and examples.`
`455`	`454`	`# (default: <unset>, type: string)`
`456`	`455`	`maxTokenLifetimeExpression: ""`
`457`	`456`	`# The default lifetime duration for API tokens. This value is used when creating a`

`‎coderd/apidoc/docs.go`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apikey.go`

Lines changed: 19 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,17 +9,18 @@ import (`
`9`	`9`	`"time"`
`10`	`10`
`11`	`11`	`"github.com/go-chi/chi/v5"`
`12`		`-"github.com/google/cel-go/common/types"`
`13`	`12`	`"github.com/google/uuid"`
`14`	`13`	`"github.com/moby/moby/pkg/namesgenerator"`
`15`	`14`	`"golang.org/x/xerrors"`
`16`	`15`
	`16`	`+"github.com/expr-lang/expr"`
	`17`	`+`
`17`	`18`	`"cdr.dev/slog"`
`18`	`19`	`"github.com/coder/coder/v2/coderd/apikey"`
`19`	`20`	`"github.com/coder/coder/v2/coderd/audit"`
`20`		`-celtoken"github.com/coder/coder/v2/coderd/cel"`
`21`	`21`	`"github.com/coder/coder/v2/coderd/database"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
	`23`	`+exprtoken"github.com/coder/coder/v2/coderd/expr"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/httpapi"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/httpmw"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/rbac"`
`@@ -392,7 +393,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, lifetime time.Durati`
`392`	`393`	`}`
`393`	`394`
`394`	`395`	`// getMaxTokenLifetimeForUser determines the maximum token lifetime a user is entitled to`
`395`		`-// based on their attributes and theCEL expression configuration.`
	`396`	`+// based on their attributes and theexpr expression configuration.`
`396`	`397`	`func (api*API)getMaxTokenLifetimeForUser(ctx context.Context,subject rbac.Subject) time.Duration {`
`397`	`398`	`// Compiled at startup no need to recheck here.`
`398`	`399`	`program,_:=api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()`
`@@ -404,34 +405,30 @@ func (api *API) getMaxTokenLifetimeForUser(ctx context.Context, subject rbac.Sub`
`404`	`405`	`globalMax:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
`405`	`406`	`defaultDuration:=api.DeploymentValues.Sessions.DefaultTokenDuration.Value()`
`406`	`407`
`407`		`-// Convert subject toCEL-friendly format`
`408`		`-celSubject:=celtoken.ConvertSubjectToCEL(subject)`
	`408`	`+// Convert subject toexpr-friendly format`
	`409`	`+exprSubject:=exprtoken.ConvertSubjectToExpr(subject)`
`409`	`410`
`410`		`-// EvaluateCEL expression with typed struct`
	`411`	`+// Evaluateexpr expression with typed struct`
`411`	`412`	`// TODO: Consider adding timeout protection in future iterations`
`412`		`-out,_,err:=program.Eval(map[string]interface{}{`
`413`		`-"subject":celSubject,`
`414`		`-"globalMaxDuration":globalMax,`
`415`		`-"defaultDuration":defaultDuration,`
	`413`	`+out,err:=expr.Run(program,map[string]interface{}{`
	`414`	`+"subject":exprSubject,`
	`415`	`+"globalMaxDuration":int64(globalMax),`
	`416`	`+"defaultDuration":int64(defaultDuration),`
`416`	`417`	`})`
`417`	`418`	`iferr!=nil {`
`418`		`-api.Logger.Error(ctx,"theCEL evaluation failed, using default duration",slog.Error(err))`
	`419`	`+api.Logger.Error(ctx,"theexpr evaluation failed, using default duration",slog.Error(err))`
`419`	`420`	`returndefaultDuration`
`420`	`421`	`}`
`421`	`422`
`422`		`-// Convert result to time.Duration`
`423`		`-// CEL returns types.Duration, not time.Duration directly`
`424`		`-switchv:=out.Value().(type) {`
`425`		`-case types.Duration:`
`426`		`-returnv.Duration`
`427`		`-case time.Duration:`
`428`		`-returnv`
`429`		`-default:`
`430`		`-api.Logger.Error(ctx,"the CEL expression did not return a duration, using default duration",`
`431`		`-slog.F("result_type",fmt.Sprintf("%T",out.Value())),`
`432`		`-slog.F("result_value",out.Value()))`
	`423`	`+// Convert result to time.Duration (expr returns int64 due to AsInt64 constraint)`
	`424`	`+intVal,ok:=out.(int64)`
	`425`	`+if!ok {`
	`426`	`+api.Logger.Error(ctx,"the expr expression did not return an int64, using default duration",`
	`427`	`+slog.F("result_type",fmt.Sprintf("%T",out)),`
	`428`	`+slog.F("result_value",out))`
`433`	`429`	`returndefaultDuration`
`434`	`430`	`}`
	`431`	`+returntime.Duration(intVal)`
`435`	`432`	`}`
`436`	`433`
`437`	`434`	`func (apiAPI)createAPIKey(ctx context.Context,params apikey.CreateParams) (http.Cookie,*database.APIKey,error) {`

`‎coderd/apikey_rolelifetime_test.go`

Lines changed: 51 additions & 54 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ import (`
`7`	`7`
`8`	`8`	`"github.com/stretchr/testify/require"`
`9`	`9`
`10`		`-"github.com/coder/coder/v2/coderd/cel"`
`11`	`10`	`"github.com/coder/coder/v2/coderd/coderdtest"`
	`11`	`+"github.com/coder/coder/v2/coderd/expr"`
`12`	`12`	`"github.com/coder/coder/v2/codersdk"`
`13`	`13`	`"github.com/coder/serpent"`
`14`	`14`	`)`
`@@ -39,9 +39,9 @@ func createClientWithRoleTokenLifetimes(t *testing.T, roleTokenLifetimeExpressio`
`39`	`39`	`t.Logf("MaximumTokenDuration: %v",api.DeploymentValues.Sessions.MaximumTokenDuration.Value())`
`40`	`40`	`// Check if we have a compiled program`
`41`	`41`	`ifprogram!=nil {`
`42`		`-t.Logf("CEL expression compiled successfully")`
	`42`	`+t.Logf("expr expression compiled successfully")`
`43`	`43`	`}else {`
`44`		`-t.Logf("NoCEL expression configured")`
	`44`	`+t.Logf("Noexpr expression configured")`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`// Create the first user`
`@@ -53,29 +53,29 @@ func createClientWithRoleTokenLifetimes(t *testing.T, roleTokenLifetimeExpressio`
`53`	`53`	`funcTestRoleBasedTokenLifetimes_Integration(t*testing.T) {`
`54`	`54`	`t.Parallel()`
`55`	`55`
`56`		`-t.Run("ServerStartupWithValidCELExpressions",func(t*testing.T) {`
	`56`	`+t.Run("ServerStartupWithValidExprExpressions",func(t*testing.T) {`
`57`	`57`	`t.Parallel()`
`58`	`58`
`59`		`-// Test server starts successfully with validCEL expressions`
	`59`	`+// Test server starts successfully with validexpr expressions`
`60`	`60`	`testCases:= []struct {`
`61`		`-namestring`
`62`		`-celExpressionstring`
	`61`	`+namestring`
	`62`	`+exprExpressionstring`
`63`	`63`	`}{`
`64`	`64`	`{`
`65`		`-name:"ValidRoleBasedExpression",`
`66`		-celExpression:`subject.roles.exists(r, r.name == "owner") ? duration("168h") : subject.roles.exists(r, r.name == "user-admin") ? duration("72h") : duration("24h")`,
	`65`	`+name:"ValidRoleBasedExpression",`
	`66`	+exprExpression:`any(subject.Roles, .Name == "owner") ? duration("168h") :any(subject.Roles, .Name == "user-admin") ? duration("72h") : duration("24h")`,
`67`	`67`	`},`
`68`	`68`	`{`
`69`		`-name:"ValidSimpleExpression",`
`70`		-celExpression:`duration(globalMaxDuration)`,
	`69`	`+name:"ValidSimpleExpression",`
	`70`	+exprExpression:`duration(globalMaxDuration)`,
`71`	`71`	`},`
`72`	`72`	`{`
`73`		`-name:"EmptyExpression",`
`74`		-celExpression:``,
	`73`	`+name:"EmptyExpression",`
	`74`	+exprExpression:``,
`75`	`75`	`},`
`76`	`76`	`{`
`77`		`-name:"EmailBasedExpression",`
`78`		-celExpression:`subject.email.endsWith("@company.com") ? duration("720h") : duration("24h")`,
	`77`	`+name:"EmailBasedExpression",`
	`78`	+exprExpression:`subject.EmailendsWith"@company.com") ? duration("720h") : duration("24h")`,
`79`	`79`	`},`
`80`	`80`	`}`
`81`	`81`
`@@ -85,7 +85,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`85`	`85`	`t.Parallel()`
`86`	`86`
`87`	`87`	`dv:=coderdtest.DeploymentValues(t)`
`88`		`-dv.Sessions.MaximumTokenDurationExpression=serpent.String(tc.celExpression)`
	`88`	`+dv.Sessions.MaximumTokenDurationExpression=serpent.String(tc.exprExpression)`
`89`	`89`
`90`	`90`	`// Should create successfully`
`91`	`91`	`client:=coderdtest.New(t,&coderdtest.Options{`
`@@ -96,21 +96,21 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`96`	`96`	`}`
`97`	`97`	`})`
`98`	`98`
`99`		`-t.Run("InvalidCELExpressions",func(t*testing.T) {`
	`99`	`+t.Run("InvalidExprExpressions",func(t*testing.T) {`
`100`	`100`	`t.Parallel()`
`101`	`101`
`102`		`-// Test that invalidCEL expressions fail validation`
	`102`	`+// Test that invalidexpr expressions fail validation`
`103`	`103`	`testCases:= []struct {`
`104`		`-namestring`
`105`		`-celExpressionstring`
	`104`	`+namestring`
	`105`	`+exprExpressionstring`
`106`	`106`	`}{`
`107`	`107`	`{`
`108`		`-name:"InvalidCELSyntax",`
`109`		-celExpression:`subject.roles.exists(r, r.name == "owner" ? duration("168h")`,// Missing closing parenthesis
	`108`	`+name:"InvalidExprSyntax",`
	`109`	+exprExpression:`any(subject.Roles, .Name == "owner" ? duration("168h")`,// Missing closing parenthesis
`110`	`110`	`},`
`111`	`111`	`{`
`112`		`-name:"UndefinedVariable",`
`113`		-celExpression:`unknownVariable ? duration("720h") : duration("168h")`,
	`112`	`+name:"UndefinedVariable",`
	`113`	+exprExpression:`unknownVariable ? duration("720h") : duration("168h")`,
`114`	`114`	`},`
`115`	`115`	`}`
`116`	`116`
`@@ -119,17 +119,14 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`119`	`119`	`t.Run(tc.name,func(t*testing.T) {`
`120`	`120`	`t.Parallel()`
`121`	`121`
`122`		`-// For invalid CEL expressions, try to create the environment and compile`
`123`		`-env,err:=cel.NewTokenLifetimeEnvironment(cel.EnvironmentOptions{})`
`124`		`-require.NoError(t,err)`
`125`		`-`
`126`		`-_,issues:=env.Compile(tc.celExpression)`
`127`		`-ifissues!=nil&&issues.Err()!=nil {`
`128`		`-// CEL compilation failed as expected`
	`122`	`+// For invalid expr expressions, try to compile`
	`123`	`+_,err:=expr.CompileTokenLifetimeExpression(tc.exprExpression)`
	`124`	`+iferr!=nil {`
	`125`	`+// expr compilation failed as expected`
`129`	`126`	`return`
`130`	`127`	`}`
`131`	`128`	`// If compilation succeeded but we expected failure, that's also a test failure`
`132`		`-t.Fatalf("ExpectedCEL expression to fail compilation but it succeeded: %s",tc.celExpression)`
	`129`	`+t.Fatalf("Expectedexpr expression to fail compilation but it succeeded: %s",tc.exprExpression)`
`133`	`130`	`})`
`134`	`131`	`}`
`135`	`132`	`})`
`@@ -139,8 +136,8 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`139`	`136`
`140`	`137`	`// Test actual token creation with various user role combinations`
`141`	`138`	`// Note: The first user created is an "Owner" (capital O)`
`142`		`-// Global max is 720h (30 days),CEL expression provides role-specific rules`
`143`		-client:=createClientWithRoleTokenLifetimes(t,`subject.roles.exists(r, r.name == "owner") ? duration("168h") : subject.roles.exists(r, r.name == "user-admin") ? duration("72h") : subject.roles.exists(r, r.name == "member") ? duration("24h") : duration(globalMaxDuration)`,720*time.Hour)
	`139`	`+// Global max is 720h (30 days),expr expression provides role-specific rules`
	`140`	+client:=createClientWithRoleTokenLifetimes(t,`any(subject.Roles, .Name == "owner") ? duration("168h") :any(subject.Roles, .Name == "user-admin") ? duration("72h") :any(subject.Roles, .Name == "member") ? duration("24h") : duration(globalMaxDuration)`,720*time.Hour)
`144`	`141`
`145`	`142`	`ctx:=context.Background()`
`146`	`143`
`@@ -149,13 +146,13 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`149`	`146`	`require.NoError(t,err)`
`150`	`147`	`t.Logf("Token config max lifetime: %v (expected 720h - global max)",tokenConfig.MaxTokenLifetime)`
`151`	`148`
`152`		`-// Test owner can create token up to what theCEL expression allows (168h)`
	`149`	`+// Test owner can create token up to what theexpr expression allows (168h)`
`153`	`150`	`_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`154`	`151`	`Lifetime:167*time.Hour,`
`155`	`152`	`})`
`156`	`153`	`require.NoError(t,err)`
`157`	`154`
`158`		`-// Test owner cannot exceed what theCEL expression allows (168h)`
	`155`	`+// Test owner cannot exceed what theexpr expression allows (168h)`
`159`	`156`	`_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`160`	`157`	`Lifetime:169*time.Hour,`
`161`	`158`	`})`
`@@ -167,7 +164,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`167`	`164`	`t.Parallel()`
`168`	`165`
`169`	`166`	`// Test that users without specific role configs fall back to global max`
`170`		-client:=createClientWithRoleTokenLifetimes(t,`subject.roles.exists(r, r.name == "user-admin") ? duration("168h") : duration(globalMaxDuration)`,48*time.Hour)
	`167`	+client:=createClientWithRoleTokenLifetimes(t,`any(subject.Roles, .Name == "user-admin") ? duration("168h") : duration(globalMaxDuration)`,48*time.Hour)
`171`	`168`
`172`	`169`	`ctx:=context.Background()`
`173`	`170`
`@@ -198,9 +195,9 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`198`	`195`	`t.Run("RoleSpecificShorterThanGlobal",func(t*testing.T) {`
`199`	`196`	`t.Parallel()`
`200`	`197`
`201`		`-// TestCEL expression that chooses between role-specific and global max`
	`198`	`+// Testexpr expression that chooses between role-specific and global max`
`202`	`199`	`// Note: The first user created is an "Owner" (capital O)`
`203`		-client:=createClientWithRoleTokenLifetimes(t,`subject.roles.exists(r, r.name == "owner") ? duration(globalMaxDuration) : duration("24h")`,168*time.Hour)// 7 days global
	`200`	+client:=createClientWithRoleTokenLifetimes(t,`any(subject.Roles, .Name == "owner") ? duration(globalMaxDuration) : duration("24h")`,168*time.Hour)// 7 days global
`204`	`201`
`205`	`202`	`ctx:=context.Background()`
`206`	`203`
`@@ -214,7 +211,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`214`	`211`	`require.NoError(t,err)`
`215`	`212`	`t.Logf("User roles: %v",user.Roles)`
`216`	`213`
`217`		`-// Owner gets the global max (168h) because theCEL expression returns globalMaxDuration`
	`214`	`+// Owner gets the global max (168h) because theexpr expression returns globalMaxDuration`
`218`	`215`	`_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`219`	`216`	`Lifetime:167*time.Hour,`
`220`	`217`	`})`
`@@ -231,20 +228,20 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`231`	`228`	`t.Run("OrganizationSpecificRoles",func(t*testing.T) {`
`232`	`229`	`t.Parallel()`
`233`	`230`
`234`		`-// This test verifies that organization-specific role configurations work withCEL expressions`
	`231`	`+// This test verifies that organization-specific role configurations work withexpr expressions`
`235`	`232`
`236`		`-// Set up a client with organization-specific role configurations usingCEL`
`237`		-celExpression:=`
`238`		`-subject.roles.exists(r, r.name == "owner" &&r.orgID == "") ? duration("720h") :`
`239`		`-subject.roles.exists(r, r.name == "member" &&r.orgID == "") ? duration("24h") :`
`240`		`-subject.roles.exists(r, r.name == "organization-member" &&r.orgID != "") ? duration("48h") :`
`241`		`-subject.roles.exists(r, r.name == "organization-admin" &&r.orgID != "") ? duration("168h") :`
	`233`	`+// Set up a client with organization-specific role configurations usingexpr`
	`234`	+exprExpression:=`
	`235`	`+any(subject.Roles, .Name == "owner" &&.OrgID == "") ? duration("720h") :`
	`236`	`+any(subject.Roles, .Name == "member" &&.OrgID == "") ? duration("24h") :`
	`237`	`+any(subject.Roles, .Name == "organization-member" &&.OrgID != "") ? duration("48h") :`
	`238`	`+any(subject.Roles, .Name == "organization-admin" &&.OrgID != "") ? duration("168h") :`
`242`	`239`	`duration(defaultDuration)`
`243`	`240`	`
`244`	`241`
`245`	`242`	`dv:=coderdtest.DeploymentValues(t)`
`246`	`243`	`dv.Sessions.MaximumTokenDuration=serpent.Duration(720*time.Hour)`
`247`		`-dv.Sessions.MaximumTokenDurationExpression=serpent.String(celExpression)`
	`244`	`+dv.Sessions.MaximumTokenDurationExpression=serpent.String(exprExpression)`
`248`	`245`
`249`	`246`	`// Create the client, database, and get the API instance`
`250`	`247`	`client,closer,api:=coderdtest.NewWithAPI(t,&coderdtest.Options{`
`@@ -254,15 +251,15 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`254`	`251`	`_=closer.Close()`
`255`	`252`	`})`
`256`	`253`
`257`		`-// Compile theCEL expression`
	`254`	`+// Compile theexpr expression`
`258`	`255`	`ctx:=context.Background()`
`259`	`256`	`_,err:=api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()`
`260`	`257`	`require.NoError(t,err)`
`261`	`258`
`262`	`259`	`// Create the first user`
`263`	`260`	`_=coderdtest.CreateFirstUser(t,client)`
`264`	`261`
`265`		`-// Test that theCEL expression is working for the site-wide owner role`
	`262`	`+// Test that theexpr expression is working for the site-wide owner role`
`266`	`263`	`// The first user gets site-wide owner role, so should get 720h`
`267`	`264`	`_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`268`	`265`	`Lifetime:719*time.Hour,`
`@@ -280,21 +277,21 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {`
`280`	`277`	`t.Run("OrganizationRoleWithoutConfig",func(t*testing.T) {`
`281`	`278`	`t.Parallel()`
`282`	`279`
`283`		`-// TestCEL expression with fallback behavior for unconfigured roles`
	`280`	`+// Testexpr expression with fallback behavior for unconfigured roles`
`284`	`281`
`285`	`282`	`// Set up a client with only site-wide role configurations (no org-specific roles)`
`286`		-client:=createClientWithRoleTokenLifetimes(t,`subject.roles.exists(r, r.name == "owner") ? duration("720h") : subject.roles.exists(r, r.name == "member") ? duration("24h") : duration(globalMaxDuration)`,168*time.Hour)
	`283`	+client:=createClientWithRoleTokenLifetimes(t,`any(subject.Roles, .Name == "owner") ? duration("720h") :any(subject.Roles, .Name == "member") ? duration("24h") : duration(globalMaxDuration)`,168*time.Hour)
`287`	`284`
`288`	`285`	`ctx:=context.Background()`
`289`	`286`
`290`		`-// Test that the first user (owner) gets 720h according to theCEL expression,`
	`287`	`+// Test that the first user (owner) gets 720h according to theexpr expression,`
`291`	`288`	`// not the global max (168h)`
`292`	`289`	`_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`293`	`290`	`Lifetime:719*time.Hour,`
`294`	`291`	`})`
`295`	`292`	`require.NoError(t,err)`
`296`	`293`
`297`		`-// Test that owner cannot exceed whatCEL expression allows (720h)`
	`294`	`+// Test that owner cannot exceed whatexpr expression allows (720h)`
`298`	`295`	`_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
`299`	`296`	`Lifetime:721*time.Hour,`
`300`	`297`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf080b23

File tree

17 files changed

17 files changed

`‎cli/testdata/coder_server_--help.golden`

`‎cli/testdata/server-config.yaml.golden`

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/apikey.go`

`‎coderd/apikey_rolelifetime_test.go`

0 commit comments