Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: add multiple API key scopes support with granular permissions#19015

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Draft
ThomasK33 wants to merge1 commit intothomask33/07-15-fix_oauth2_allow_custom_uri_schemes_without_reverse_domain_notation_for_native_apps
base:thomask33/07-15-fix_oauth2_allow_custom_uri_schemes_without_reverse_domain_notation_for_native_apps
Choose a base branch
Loading
fromthomask33/07-19-feat_add_multiple_api_key_scopes_support_with_granular_permissions
Draft
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
541 changes: 541 additions & 0 deletions.claude/notes/token-scopes.md
View file
Open in desktop

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletioncli/exp_scaletest.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -1232,7 +1232,7 @@ func (r *RootCmd) scaletestDashboard() *serpent.Command {
name := fmt.Sprintf("dashboard-%s", usr.Username)
userTokResp, err := client.CreateToken(ctx, usr.ID.String(), codersdk.CreateTokenRequest{
Lifetime: 30 * 24 * time.Hour,
Scope: "",
Scopes:[]codersdk.APIKeyScope{codersdk.APIKeyScopeAll},
TokenName: fmt.Sprintf("scaletest-%d", time.Now().Unix()),
})
if err != nil {
Expand Down
66 changes: 43 additions & 23 deletionscoderd/apidoc/docs.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

66 changes: 49 additions & 17 deletionscoderd/apidoc/swagger.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

20 changes: 15 additions & 5 deletionscoderd/apikey.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -24,6 +24,15 @@ import (
"github.com/coder/coder/v2/codersdk"
)

// convertAPIKeyScopesToDatabase converts SDK API key scopes to database API key scopes
func convertAPIKeyScopesToDatabase(scopes []codersdk.APIKeyScope) []database.APIKeyScope {
dbScopes := make([]database.APIKeyScope, 0, len(scopes))
for _, scope := range scopes {
dbScopes = append(dbScopes, database.APIKeyScope(scope))
}
return dbScopes
}

// Creates a new token API key with the given scope and lifetime.
//
// @Summary Create token API key
Expand DownExpand Up@@ -56,9 +65,10 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
return
}

scope := database.APIKeyScopeAll
if scope != "" {
scope = database.APIKeyScope(createToken.Scope)
// Use the scopes from the request, or default to 'all' if empty
scopes := createToken.Scopes
if len(scopes) == 0 {
scopes = []codersdk.APIKeyScope{codersdk.APIKeyScopeAll}
}

tokenName := namesgenerator.GetRandomName(1)
Expand All@@ -71,7 +81,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
UserID: user.ID,
LoginType: database.LoginTypeToken,
DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
Scope: scope,
Scopes:convertAPIKeyScopesToDatabase(scopes), // New scopes array
TokenName: tokenName,
}

Expand DownExpand Up@@ -380,7 +390,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, userID uuid.UUID, li
// getMaxTokenLifetime returns the maximum allowed token lifetime for a user.
// It distinguishes between regular users and owners.
func (api *API) getMaxTokenLifetime(ctx context.Context, userID uuid.UUID) (time.Duration, error) {
subject, _, err := httpmw.UserRBACSubject(ctx, api.Database, userID, rbac.ScopeAll)
subject, _, err := httpmw.UserRBACSubject(ctx, api.Database, userID,[]rbac.ExpandableScope{rbac.ScopeAll})
if err != nil {
return 0, xerrors.Errorf("failed to get user rbac subject: %w", err)
}
Expand Down
29 changes: 20 additions & 9 deletionscoderd/apikey/apikey.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -25,7 +25,8 @@ type CreateParams struct {
// Optional.
ExpiresAt time.Time
LifetimeSeconds int64
Scope database.APIKeyScope
Scope database.APIKeyScope // Legacy single scope (for backward compatibility)
Scopes []database.APIKeyScope // New scopes array
TokenName string
RemoteAddr string
}
Expand DownExpand Up@@ -62,14 +63,24 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)

bitlen := len(ip) * 8

scope := database.APIKeyScopeAll
if params.Scope != "" {
scope = params.Scope
// Determine scopes - prioritize Scopes array, fallback to legacy Scope
var scopes []database.APIKeyScope
if len(params.Scopes) > 0 {
scopes = params.Scopes
} else {
// Fallback to legacy single scope
scope := database.APIKeyScopeAll
if params.Scope != "" {
scope = params.Scope
}
scopes = []database.APIKeyScope{scope}
}
switch scope {
case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
default:
return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)

// Validate all scopes
for _, scope := range scopes {
if !scope.Valid() {
return database.InsertAPIKeyParams{}, "", xerrors.Errorf("invalid API key scope: %q", scope)
}
}

token := fmt.Sprintf("%s-%s", keyID, keySecret)
Expand All@@ -92,7 +103,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
UpdatedAt: dbtime.Now(),
HashedSecret: hashed[:],
LoginType: params.LoginType,
Scope: scope,
Scopes:scopes, // New scopes array
TokenName: params.TokenName,
}, token, nil
}
Expand Down
18 changes: 9 additions & 9 deletionscoderd/apikey/apikey_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -35,7 +35,7 @@ func TestGenerate(t *testing.T) {
LifetimeSeconds: int64(time.Hour.Seconds()),
TokenName: "hello",
RemoteAddr: "1.2.3.4",
Scope:database.APIKeyScopeApplicationConnect,
Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},
},
},
{
Expand All@@ -48,7 +48,7 @@ func TestGenerate(t *testing.T) {
LifetimeSeconds: int64(time.Hour.Seconds()),
TokenName: "hello",
RemoteAddr: "1.2.3.4",
Scope:database.APIKeyScope("test"),
Scopes:[]database.APIKeyScope{database.APIKeyScope("test")},
},
fail: true,
},
Expand All@@ -62,7 +62,7 @@ func TestGenerate(t *testing.T) {
ExpiresAt: time.Time{},
TokenName: "hello",
RemoteAddr: "1.2.3.4",
Scope:database.APIKeyScopeApplicationConnect,
Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},
},
},
{
Expand All@@ -75,7 +75,7 @@ func TestGenerate(t *testing.T) {
ExpiresAt: time.Time{},
TokenName: "hello",
RemoteAddr: "1.2.3.4",
Scope:database.APIKeyScopeApplicationConnect,
Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},
},
},
{
Expand All@@ -88,7 +88,7 @@ func TestGenerate(t *testing.T) {
LifetimeSeconds: int64(time.Hour.Seconds()),
TokenName: "hello",
RemoteAddr: "",
Scope:database.APIKeyScopeApplicationConnect,
Scopes:[]database.APIKeyScope{database.APIKeyScopeApplicationConnect},
},
},
{
Expand All@@ -101,7 +101,7 @@ func TestGenerate(t *testing.T) {
LifetimeSeconds: int64(time.Hour.Seconds()),
TokenName: "hello",
RemoteAddr: "1.2.3.4",
Scope: "",
Scopes:[]database.APIKeyScope{},
},
},
}
Expand DownExpand Up@@ -158,10 +158,10 @@ func TestGenerate(t *testing.T) {
assert.Equal(t, "0.0.0.0", key.IPAddress.IPNet.IP.String())
}

if tc.params.Scope != "" {
assert.Equal(t, tc.params.Scope, key.Scope)
iflen(tc.params.Scopes) > 0 {
assert.Equal(t, tc.params.Scopes, key.Scopes)
} else {
assert.Equal(t, database.APIKeyScopeAll, key.Scope)
assert.Equal(t,[]database.APIKeyScope{database.APIKeyScopeAll}, key.Scopes)
}

if tc.params.TokenName != "" {
Expand Down
6 changes: 3 additions & 3 deletionscoderd/apikey_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -47,7 +47,7 @@ func TestTokenCRUD(t *testing.T) {
// expires_at should default to 30 days
require.Greater(t,keys[0].ExpiresAt,time.Now().Add(time.Hour*24*6))
require.Less(t,keys[0].ExpiresAt,time.Now().Add(time.Hour*24*8))
require.Equal(t,codersdk.APIKeyScopeAll,keys[0].Scope)
require.Equal(t,[]codersdk.APIKeyScope{codersdk.APIKeyScopeAll},keys[0].Scopes)

// no update

Expand All@@ -73,7 +73,7 @@ func TestTokenScoped(t *testing.T) {
_=coderdtest.CreateFirstUser(t,client)

res,err:=client.CreateToken(ctx,codersdk.Me, codersdk.CreateTokenRequest{
Scope:codersdk.APIKeyScopeApplicationConnect,
Scopes: []codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect},
})
require.NoError(t,err)
require.Greater(t,len(res.Key),2)
Expand All@@ -82,7 +82,7 @@ func TestTokenScoped(t *testing.T) {
require.NoError(t,err)
require.EqualValues(t,len(keys),1)
require.Contains(t,res.Key,keys[0].ID)
require.Equal(t,keys[0].Scope,codersdk.APIKeyScopeApplicationConnect)
require.Equal(t,[]codersdk.APIKeyScope{codersdk.APIKeyScopeApplicationConnect},keys[0].Scopes)
}

funcTestUserSetTokenDuration(t*testing.T) {
Expand Down
Loading
Loading
[8]ページ先頭
©2009-2025 Movatter.jp