NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commitf569d9c

authored

feat: add separate max token lifetime for administrators (#18267)

# Add separate token lifetime limits for administratorsThis PR introduces a new configuration option `--max-admin-token-lifetime` that allows administrators to create API tokens with longer lifetimes than regular users. By default, administrators can create tokens with a lifetime of up to 7 days (168 hours), while the existing `--max-token-lifetime` setting continues to apply to regular users.The implementation:- Adds a new `MaximumAdminTokenDuration` field to the session configuration- Modifies the token validation logic to check the user's role and apply the appropriate lifetime limit- Updates the token configuration endpoint to return the correct maximum lifetime based on the user's role- Adds tests to verify that administrators can create tokens with longer and shorter lifetimes- Updates documentation and help text to reflect the new optionThis change allows organizations to grant administrators extended token lifetimes while maintaining tighter security controls for regular users.Fixes#17395

1 parent348d19d commitf569d9cCopy full SHA for f569d9c

File tree

12 files changed

+178

-13

lines changed

cli/testdata
- coder_server_--help.golden
- server-config.yaml.golden
coderd
- apidoc
  - docs.go
  - swagger.json
- apikey.go
- apikey_test.go
codersdk
- deployment.go
docs/reference
- api
  - general.md
  - schemas.md
- cli
  - server.md
enterprise/cli/testdata
- coder_server_--help.golden
site/src/api
- typesGenerated.ts

12 files changed

+178

-13

lines changed

`‎cli/testdata/coder_server_--help.golden‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -332,6 +332,10 @@ NETWORKING / HTTP OPTIONS:`
`332`	`332`	`The maximum lifetime duration users can specify when creating an API`
`333`	`333`	`token.`
`334`	`334`
	`335`	`+ --max-admin-token-lifetime duration, $CODER_MAX_ADMIN_TOKEN_LIFETIME (default: 168h0m0s)`
	`336`	`+ The maximum lifetime duration administrators can specify when creating`
	`337`	`+ an API token.`
	`338`	`+`
`335`	`339`	`--proxy-health-interval duration, $CODER_PROXY_HEALTH_INTERVAL (default: 1m0s)`
`336`	`340`	`The interval in which coderd should be checking the status of`
`337`	`341`	`workspace proxies.`

`‎cli/testdata/server-config.yaml.golden‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,10 @@ networking:`
`25`	`25`	`# The maximum lifetime duration users can specify when creating an API token.`
`26`	`26`	`# (default: 876600h0m0s, type: duration)`
`27`	`27`	`maxTokenLifetime: 876600h0m0s`
	`28`	`+ # The maximum lifetime duration administrators can specify when creating an API`
	`29`	`+ # token.`
	`30`	`+ # (default: 168h0m0s, type: duration)`
	`31`	`+ maxAdminTokenLifetime: 168h0m0s`
`28`	`32`	`# The token expiry duration for browser sessions. Sessions may last longer if they`
`29`	`33`	`# are actively making requests, but this functionality can be disabled via`
`30`	`34`	`# --disable-session-expiry-refresh.`

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`19`	`19`	`"github.com/coder/coder/v2/coderd/httpapi"`
`20`	`20`	`"github.com/coder/coder/v2/coderd/httpmw"`
	`21`	`+"github.com/coder/coder/v2/coderd/rbac"`
`21`	`22`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
`22`	`23`	`"github.com/coder/coder/v2/coderd/telemetry"`
`23`	`24`	`"github.com/coder/coder/v2/codersdk"`
`@@ -75,7 +76,7 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`ifcreateToken.Lifetime!=0 {`
`78`		`-err:=api.validateAPIKeyLifetime(createToken.Lifetime)`
	`79`	`+err:=api.validateAPIKeyLifetime(ctx,user.ID,createToken.Lifetime)`
`79`	`80`	`iferr!=nil {`
`80`	`81`	`httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`81`	`82`	`Message:"Failed to validate create API key request.",`
`@@ -338,35 +339,69 @@ func (api API) deleteAPIKey(rw http.ResponseWriter, r http.Request) {`
`338`	`339`	`// @Success 200 {object} codersdk.TokenConfig`
`339`	`340`	`// @Router /users/{user}/keys/tokens/tokenconfig [get]`
`340`	`341`	`func (apiAPI)tokenConfig(rw http.ResponseWriter,rhttp.Request) {`
`341`		`-values,err:=api.DeploymentValues.WithoutSecrets()`
	`342`	`+user:=httpmw.UserParam(r)`
	`343`	`+maxLifetime,err:=api.getMaxTokenLifetime(r.Context(),user.ID)`
`342`	`344`	`iferr!=nil {`
`343`		`-httpapi.InternalServerError(rw,err)`
	`345`	`+httpapi.Write(r.Context(),rw,http.StatusInternalServerError, codersdk.Response{`
	`346`	`+Message:"Failed to get token configuration.",`
	`347`	`+Detail:err.Error(),`
	`348`	`+})`
`344`	`349`	`return`
`345`	`350`	`}`
`346`	`351`
`347`	`352`	`httpapi.Write(`
`348`	`353`	`r.Context(),rw,http.StatusOK,`
`349`	`354`	`codersdk.TokenConfig{`
`350`		`-MaxTokenLifetime:values.Sessions.MaximumTokenDuration.Value(),`
	`355`	`+MaxTokenLifetime:maxLifetime,`
`351`	`356`	`},`
`352`	`357`	`)`
`353`	`358`	`}`
`354`	`359`
`355`		`-func (api*API)validateAPIKeyLifetime(lifetime time.Duration)error {`
	`360`	`+func (api*API)validateAPIKeyLifetime(ctx context.Context,userID uuid.UUID,lifetime time.Duration)error {`
`356`	`361`	`iflifetime<=0 {`
`357`	`362`	`returnxerrors.New("lifetime must be positive number greater than 0")`
`358`	`363`	`}`
`359`	`364`
`360`		`-iflifetime>api.DeploymentValues.Sessions.MaximumTokenDuration.Value() {`
	`365`	`+maxLifetime,err:=api.getMaxTokenLifetime(ctx,userID)`
	`366`	`+iferr!=nil {`
	`367`	`+returnxerrors.Errorf("failed to get max token lifetime: %w",err)`
	`368`	`+}`
	`369`	`+`
	`370`	`+iflifetime>maxLifetime {`
`361`	`371`	`returnxerrors.Errorf(`
`362`	`372`	`"lifetime must be less than %v",`
`363`		`-api.DeploymentValues.Sessions.MaximumTokenDuration,`
	`373`	`+maxLifetime,`
`364`	`374`	`)`
`365`	`375`	`}`
`366`	`376`
`367`	`377`	`returnnil`
`368`	`378`	`}`
`369`	`379`
	`380`	`+// getMaxTokenLifetime returns the maximum allowed token lifetime for a user.`
	`381`	`+// It distinguishes between regular users and owners.`
	`382`	`+func (api*API)getMaxTokenLifetime(ctx context.Context,userID uuid.UUID) (time.Duration,error) {`
	`383`	`+subject,_,err:=httpmw.UserRBACSubject(ctx,api.Database,userID,rbac.ScopeAll)`
	`384`	`+iferr!=nil {`
	`385`	`+return0,xerrors.Errorf("failed to get user rbac subject: %w",err)`
	`386`	`+}`
	`387`	`+`
	`388`	`+roles,err:=subject.Roles.Expand()`
	`389`	`+iferr!=nil {`
	`390`	`+return0,xerrors.Errorf("failed to expand user roles: %w",err)`
	`391`	`+}`
	`392`	`+`
	`393`	`+maxLifetime:=api.DeploymentValues.Sessions.MaximumTokenDuration.Value()`
	`394`	`+for_,role:=rangeroles {`
	`395`	`+ifrole.Identifier.Name==codersdk.RoleOwner {`
	`396`	`+// Owners have a different max lifetime.`
	`397`	`+maxLifetime=api.DeploymentValues.Sessions.MaximumAdminTokenDuration.Value()`
	`398`	`+break`
	`399`	`+}`
	`400`	`+}`
	`401`	`+`
	`402`	`+returnmaxLifetime,nil`
	`403`	`+}`
	`404`	`+`
`370`	`405`	`func (apiAPI)createAPIKey(ctx context.Context,params apikey.CreateParams) (http.Cookie,*database.APIKey,error) {`
`371`	`406`	`key,sessionToken,err:=apikey.Generate(params)`
`372`	`407`	`iferr!=nil {`

`‎coderd/apikey_test.go‎`

Lines changed: 82 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,88 @@ func TestTokenUserSetMaxLifetime(t *testing.T) {`
`144`	`144`	`require.ErrorContains(t,err,"lifetime must be less")`
`145`	`145`	`}`
`146`	`146`
	`147`	`+funcTestTokenAdminSetMaxLifetime(t*testing.T) {`
	`148`	`+t.Parallel()`
	`149`	`+`
	`150`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`151`	`+defercancel()`
	`152`	`+dc:=coderdtest.DeploymentValues(t)`
	`153`	`+dc.Sessions.MaximumTokenDuration=serpent.Duration(time.Hour247)`
	`154`	`+dc.Sessions.MaximumAdminTokenDuration=serpent.Duration(time.Hour2414)`
	`155`	`+client:=coderdtest.New(t,&coderdtest.Options{`
	`156`	`+DeploymentValues:dc,`
	`157`	`+})`
	`158`	`+adminUser:=coderdtest.CreateFirstUser(t,client)`
	`159`	`+nonAdminClient,_:=coderdtest.CreateAnotherUser(t,client,adminUser.OrganizationID)`
	`160`	`+`
	`161`	`+// Admin should be able to create a token with a lifetime longer than the non-admin max.`
	`162`	`+_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`163`	`+Lifetime:time.Hour2410,`
	`164`	`+})`
	`165`	`+require.NoError(t,err)`
	`166`	`+`
	`167`	`+// Admin should NOT be able to create a token with a lifetime longer than the admin max.`
	`168`	`+_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`169`	`+Lifetime:time.Hour2415,`
	`170`	`+})`
	`171`	`+require.Error(t,err)`
	`172`	`+require.Contains(t,err.Error(),"lifetime must be less")`
	`173`	`+`
	`174`	`+// Non-admin should NOT be able to create a token with a lifetime longer than the non-admin max.`
	`175`	`+_,err=nonAdminClient.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`176`	`+Lifetime:time.Hour248,`
	`177`	`+})`
	`178`	`+require.Error(t,err)`
	`179`	`+require.Contains(t,err.Error(),"lifetime must be less")`
	`180`	`+`
	`181`	`+// Non-admin should be able to create a token with a lifetime shorter than the non-admin max.`
	`182`	`+_,err=nonAdminClient.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`183`	`+Lifetime:time.Hour246,`
	`184`	`+})`
	`185`	`+require.NoError(t,err)`
	`186`	`+}`
	`187`	`+`
	`188`	`+funcTestTokenAdminSetMaxLifetimeShorter(t*testing.T) {`
	`189`	`+t.Parallel()`
	`190`	`+`
	`191`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`192`	`+defercancel()`
	`193`	`+dc:=coderdtest.DeploymentValues(t)`
	`194`	`+dc.Sessions.MaximumTokenDuration=serpent.Duration(time.Hour2414)`
	`195`	`+dc.Sessions.MaximumAdminTokenDuration=serpent.Duration(time.Hour247)`
	`196`	`+client:=coderdtest.New(t,&coderdtest.Options{`
	`197`	`+DeploymentValues:dc,`
	`198`	`+})`
	`199`	`+adminUser:=coderdtest.CreateFirstUser(t,client)`
	`200`	`+nonAdminClient,_:=coderdtest.CreateAnotherUser(t,client,adminUser.OrganizationID)`
	`201`	`+`
	`202`	`+// Admin should NOT be able to create a token with a lifetime longer than the admin max.`
	`203`	`+_,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`204`	`+Lifetime:time.Hour248,`
	`205`	`+})`
	`206`	`+require.Error(t,err)`
	`207`	`+require.Contains(t,err.Error(),"lifetime must be less")`
	`208`	`+`
	`209`	`+// Admin should be able to create a token with a lifetime shorter than the admin max.`
	`210`	`+_,err=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`211`	`+Lifetime:time.Hour246,`
	`212`	`+})`
	`213`	`+require.NoError(t,err)`
	`214`	`+`
	`215`	`+// Non-admin should be able to create a token with a lifetime longer than the admin max.`
	`216`	`+_,err=nonAdminClient.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`217`	`+Lifetime:time.Hour2410,`
	`218`	`+})`
	`219`	`+require.NoError(t,err)`
	`220`	`+`
	`221`	`+// Non-admin should NOT be able to create a token with a lifetime longer than the non-admin max.`
	`222`	`+_,err=nonAdminClient.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{`
	`223`	`+Lifetime:time.Hour2415,`
	`224`	`+})`
	`225`	`+require.Error(t,err)`
	`226`	`+require.Contains(t,err.Error(),"lifetime must be less")`
	`227`	`+}`
	`228`	`+`
`147`	`229`	`funcTestTokenCustomDefaultLifetime(t*testing.T) {`
`148`	`230`	`t.Parallel()`
`149`	`231`

`‎codersdk/deployment.go‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -468,6 +468,8 @@ type SessionLifetime struct {`
`468`	`468`	DefaultTokenDuration serpent.Duration`json:"default_token_lifetime,omitempty" typescript:",notnull"`
`469`	`469`
`470`	`470`	MaximumTokenDuration serpent.Duration`json:"max_token_lifetime,omitempty" typescript:",notnull"`
	`471`	`+`
	`472`	+MaximumAdminTokenDuration serpent.Duration`json:"max_admin_token_lifetime,omitempty" typescript:",notnull"`
`471`	`473`	`}`
`472`	`474`
`473`	`475`	`typeDERPstruct {`
`@@ -2340,6 +2342,17 @@ func (c *DeploymentValues) Options() serpent.OptionSet {`
`2340`	`2342`	`YAML:"maxTokenLifetime",`
`2341`	`2343`	`Annotations: serpent.Annotations{}.Mark(annotationFormatDuration,"true"),`
`2342`	`2344`	`},`
	`2345`	`+{`
	`2346`	`+Name:"Maximum Admin Token Lifetime",`
	`2347`	`+Description:"The maximum lifetime duration administrators can specify when creating an API token.",`
	`2348`	`+Flag:"max-admin-token-lifetime",`
	`2349`	`+Env:"CODER_MAX_ADMIN_TOKEN_LIFETIME",`
	`2350`	`+Default: (724time.Hour).String(),`
	`2351`	`+Value:&c.Sessions.MaximumAdminTokenDuration,`
	`2352`	`+Group:&deploymentGroupNetworkingHTTP,`
	`2353`	`+YAML:"maxAdminTokenLifetime",`
	`2354`	`+Annotations: serpent.Annotations{}.Mark(annotationFormatDuration,"true"),`
	`2355`	`+},`
`2343`	`2356`	`{`
`2344`	`2357`	`Name:"Default Token Lifetime",`
`2345`	`2358`	`Description:"The default lifetime duration for API tokens. This value is used when creating a token without specifying a duration, such as when authenticating the CLI or an IDE plugin.",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf569d9c

File tree

12 files changed

12 files changed

`‎cli/testdata/coder_server_--help.golden‎`

`‎cli/testdata/server-config.yaml.golden‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey.go‎`

`‎coderd/apikey_test.go‎`

`‎codersdk/deployment.go‎`

`‎docs/reference/api/general.md‎`

`‎docs/reference/api/schemas.md‎`

`‎docs/reference/cli/server.md‎`

0 commit comments