NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commitf684831

authored

feat: add allow list to API keys (#19972)

Add API key allow list to the SDKThis PR adds an allow list to API keys in the SDK. The allow list is a list of targets that the API key is allowed to access. If the allow list is empty, a default allow list with a single entry that allows access to all resources is created.The changes include:- Adding a default allow list when generating an API key if none is provided- Adding allow list to the API key response in the SDK- Converting database allow list entries to SDK format in the API response- Adding tests to verify the default allow list behaviorFixes#19854

1 parentf947a34 commitf684831Copy full SHA for f684831

File tree

14 files changed

+162

-47

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- apikey_test.go
- database
  - check_constraint.go
  - db2sdk
    - db2sdk.go
  - dump.sql
  - migrations
    - 000388_api_key_allow_list_constraint.down.sql
    - 000388_api_key_allow_list_constraint.up.sql
- users.go
codersdk
- apikey.go
docs/reference/api
- schemas.md
- users.md
site/src
- api
  - typesGenerated.ts
- testHelpers
  - entities.ts

14 files changed

+162

-47

lines changed

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,8 @@ func TestTokenCRUD(t *testing.T) {`
`51`	`51`	`require.Greater(t,keys[0].ExpiresAt,time.Now().Add(time.Hour246))`
`52`	`52`	`require.Less(t,keys[0].ExpiresAt,time.Now().Add(time.Hour248))`
`53`	`53`	`require.Equal(t,codersdk.APIKeyScopeAll,keys[0].Scope)`
	`54`	`+require.Len(t,keys[0].AllowList,1)`
	`55`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`54`	`56`
`55`	`57`	`// no update`
`56`	`58`
`@@ -86,6 +88,8 @@ func TestTokenScoped(t *testing.T) {`
`86`	`88`	`require.EqualValues(t,len(keys),1)`
`87`	`89`	`require.Contains(t,res.Key,keys[0].ID)`
`88`	`90`	`require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)`
	`91`	`+require.Len(t,keys[0].AllowList,1)`
	`92`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`89`	`93`	`}`
`90`	`94`
`91`	`95`	`// Ensure backward-compat: when a token is created using the legacy singular`
`@@ -132,6 +136,8 @@ func TestTokenLegacySingularScopeCompat(t *testing.T) {`
`132`	`136`	`require.Len(t,keys,1)`
`133`	`137`	`require.Equal(t,tc.scope,keys[0].Scope)`
`134`	`138`	`require.ElementsMatch(t,keys[0].Scopes,tc.scopes)`
	`139`	`+require.Len(t,keys[0].AllowList,1)`
	`140`	`+require.Equal(t,":",keys[0].AllowList[0].String())`
`135`	`141`	`})`
`136`	`142`	`}`
`137`	`143`	`}`

`‎coderd/database/check_constraint.go‎`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,13 @@ func ListLazy[F any, T any](convert func(F) T) func(list []F) []T {`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
	`54`	`+funcAPIAllowListTarget(entry rbac.AllowListElement) codersdk.APIAllowListTarget {`
	`55`	`+return codersdk.APIAllowListTarget{`
	`56`	`+Type:codersdk.RBACResource(entry.Type),`
	`57`	`+ID:entry.ID,`
	`58`	`+}`
	`59`	`+}`
	`60`	`+`
`54`	`61`	`typeExternalAuthMetastruct {`
`55`	`62`	`Authenticatedbool`
`56`	`63`	`ValidateErrorstring`

`‎coderd/database/dump.sql‎`

Lines changed: 2 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000388_api_key_allow_list_constraint.down.sql‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-- Drop all CHECK constraints added in the up migration`
	`2`	`+ALTERTABLE api_keys`
	`3`	`+DROPCONSTRAINT api_keys_allow_list_not_empty;`

`‎coderd/database/migrations/000388_api_key_allow_list_constraint.up.sql‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,10 @@`
	`1`	`+-- Defensively update any API keys with empty allow_list to have default ':'`
	`2`	`+-- This ensures all existing keys have at least one entry before adding the constraint`
	`3`	`+UPDATE api_keys`
	`4`	`+SET allow_list= ARRAY[':']`
	`5`	`+WHERE allow_list= ARRAY[]::text[]OR array_length(allow_list,1) ISNULL;`
	`6`	`+`
	`7`	`+-- Add CHECK constraint to ensure allow_list array is never empty`
	`8`	`+ALTERTABLE api_keys`
	`9`	`+ADDCONSTRAINT api_keys_allow_list_not_empty`
	`10`	`+CHECK (array_length(allow_list,1)>0);`

`‎coderd/users.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1608,5 +1608,6 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {`
`1608`	`1608`	`Scopes:scopes,`
`1609`	`1609`	`LifetimeSeconds:k.LifetimeSeconds,`
`1610`	`1610`	`TokenName:k.TokenName,`
	`1611`	`+AllowList:db2sdk.List(k.AllowList,db2sdk.APIAllowListTarget),`
`1611`	`1612`	`}`
`1612`	`1613`	`}`

`‎codersdk/apikey.go‎`

Lines changed: 12 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,17 +12,18 @@ import (`
`12`	`12`
`13`	`13`	`// APIKey: do not ever return the HashedSecret`
`14`	`14`	`typeAPIKeystruct {`
`15`		-IDstring`json:"id" validate:"required"`
`16`		-UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
`17`		-LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
`18`		-ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
`19`		-CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
`20`		-UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
`21`		-LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
`22`		-ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
`23`		-Scopes []APIKeyScope`json:"scopes"`
`24`		-TokenNamestring`json:"token_name" validate:"required"`
`25`		-LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
	`15`	+IDstring`json:"id" validate:"required"`
	`16`	+UserID uuid.UUID`json:"user_id" validate:"required" format:"uuid"`
	`17`	+LastUsed time.Time`json:"last_used" validate:"required" format:"date-time"`
	`18`	+ExpiresAt time.Time`json:"expires_at" validate:"required" format:"date-time"`
	`19`	+CreatedAt time.Time`json:"created_at" validate:"required" format:"date-time"`
	`20`	+UpdatedAt time.Time`json:"updated_at" validate:"required" format:"date-time"`
	`21`	+LoginTypeLoginType`json:"login_type" validate:"required" enums:"password,github,oidc,token"`
	`22`	+ScopeAPIKeyScope`json:"scope" enums:"all,application_connect"`// Deprecated: use Scopes instead.
	`23`	+Scopes []APIKeyScope`json:"scopes"`
	`24`	+TokenNamestring`json:"token_name" validate:"required"`
	`25`	+LifetimeSecondsint64`json:"lifetime_seconds" validate:"required"`
	`26`	+AllowList []APIAllowListTarget`json:"allow_list"`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`// LoginType is the type of login used to create the API key.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf684831

File tree

14 files changed

14 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/apikey_test.go‎`

`‎coderd/database/check_constraint.go‎`

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dump.sql‎`

`‎coderd/database/migrations/000388_api_key_allow_list_constraint.down.sql‎`

`‎coderd/database/migrations/000388_api_key_allow_list_constraint.up.sql‎`

`‎coderd/users.go‎`

`‎codersdk/apikey.go‎`

0 commit comments