feat: add flag for token lifetime (#5385)

f0ssel · web-flow · commit 40a5c0476f2b · 2022-12-12T15:39:31.000-05:00
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -424,6 +424,12 @@ func newConfig() *codersdk.DeploymentConfig {
 			Flag:    "update-check",
 			Default: flag.Lookup("test.v") == nil && !buildinfo.IsDev(),
 		},
+		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Max Token Lifetime",
+			Usage:   "The maximum lifetime duration for any user creating a token.",
+			Flag:    "max-token-lifetime",
+			Default: 24 * 30 * time.Hour,
+		},
 	}
 }
 
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -65,6 +65,10 @@ Flags:
                                                      production.
                                                      Consumes $CODER_EXPERIMENTAL
   -h, --help                                         help for server
+      --max-token-lifetime duration                  The maximum lifetime duration for any
+                                                     user creating a token.
+                                                     Consumes $CODER_MAX_TOKEN_LIFETIME
+                                                     (default 720h0m0s)
       --oauth2-github-allow-everyone                 Allow all logins, setting this option
                                                      means allowed orgs and teams must be
                                                      empty.
diff --git a/cli/tokens.go b/cli/tokens.go
@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 )
@@ -46,6 +47,9 @@ func tokens() *cobra.Command {
 }
 
 func createToken() *cobra.Command {
+	var (
+		tokenLifetime time.Duration
+	)
 	cmd := &cobra.Command{
 		Use:   "create",
 		Short: "Create a tokens",
@@ -55,7 +59,9 @@ func createToken() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})
+			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{
+				Lifetime: tokenLifetime,
+			})
 			if err != nil {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
@@ -74,6 +80,8 @@ func createToken() *cobra.Command {
 		},
 	}
 
+	cliflag.DurationVarP(cmd.Flags(), &tokenLifetime, "lifetime", "", "CODER_TOKEN_LIFETIME", 30*24*time.Hour, "Specify a duration for the lifetime of the token.")
+
 	return cmd
 }
 
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -44,8 +44,21 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		scope = database.APIKeyScope(createToken.Scope)
 	}
 
-	// tokens last 100 years
-	lifeTime := time.Hour * 876000
+	// default lifetime is 30 days
+	lifeTime := 30 * 24 * time.Hour
+	if createToken.Lifetime != 0 {
+		lifeTime = createToken.Lifetime
+	}
+
+	err := api.validateAPIKeyLifetime(lifeTime)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Failed to validate create API key request.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
@@ -65,7 +78,6 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Creates a new session key, used for logging in via the CLI.
-// DEPRECATED: use postToken instead.
 func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
@@ -214,6 +226,18 @@ type createAPIKeyParams struct {
 	Scope           database.APIKeyScope
 }
 
+func (api *API) validateAPIKeyLifetime(lifetime time.Duration) error {
+	if lifetime <= 0 {
+		return xerrors.New("lifetime must be positive number greater than 0")
+	}
+
+	if lifetime > api.DeploymentConfig.MaxTokenLifetime.Value {
+		return xerrors.Errorf("lifetime must be less than %s", api.DeploymentConfig.MaxTokenLifetime.Value)
+	}
+
+	return nil
+}
+
 func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*http.Cookie, error) {
 	keyID, keySecret, err := generateAPIKeyIDSecret()
 	if err != nil {
diff --git a/coderd/apikey_test.go b/coderd/apikey_test.go
@@ -12,63 +12,101 @@ import (
 	"github.com/coder/coder/testutil"
 )
 
-func TestTokens(t *testing.T) {
+func TestTokenCRUD(t *testing.T) {
 	t.Parallel()
 
-	t.Run("CRUD", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
-		keys, err := client.GetTokens(ctx, codersdk.Me)
-		require.NoError(t, err)
-		require.Empty(t, keys)
-
-		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
-		require.NoError(t, err)
-		require.Greater(t, len(res.Key), 2)
-
-		keys, err = client.GetTokens(ctx, codersdk.Me)
-		require.NoError(t, err)
-		require.EqualValues(t, len(keys), 1)
-		require.Contains(t, res.Key, keys[0].ID)
-		// expires_at must be greater than 50 years
-		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
-		require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
-
-		// no update
-
-		err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
-		require.NoError(t, err)
-		keys, err = client.GetTokens(ctx, codersdk.Me)
-		require.NoError(t, err)
-		require.Empty(t, keys)
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	client := coderdtest.New(t, nil)
+	_ = coderdtest.CreateFirstUser(t, client)
+	keys, err := client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Empty(t, keys)
+
+	res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
+	require.NoError(t, err)
+	require.Greater(t, len(res.Key), 2)
+
+	keys, err = client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.EqualValues(t, len(keys), 1)
+	require.Contains(t, res.Key, keys[0].ID)
+	// expires_at should default to 30 days
+	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*29*24))
+	require.Less(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*31*24))
+	require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+
+	// no update
+
+	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+	require.NoError(t, err)
+	keys, err = client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Empty(t, keys)
+}
+
+func TestTokenScoped(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	client := coderdtest.New(t, nil)
+	_ = coderdtest.CreateFirstUser(t, client)
+
+	res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+		Scope: codersdk.APIKeyScopeApplicationConnect,
 	})
+	require.NoError(t, err)
+	require.Greater(t, len(res.Key), 2)
+
+	keys, err := client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.EqualValues(t, len(keys), 1)
+	require.Contains(t, res.Key, keys[0].ID)
+	require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+}
+
+func TestTokenDuration(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	client := coderdtest.New(t, nil)
+	_ = coderdtest.CreateFirstUser(t, client)
+
+	_, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+		Lifetime: time.Hour * 24 * 7,
+	})
+	require.NoError(t, err)
+	keys, err := client.GetTokens(ctx, codersdk.Me)
+	require.NoError(t, err)
+	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*6*24))
+	require.Less(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*8*24))
+}
+
+func TestTokenMaxLifetime(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	dc := coderdtest.DeploymentConfig(t)
+	dc.MaxTokenLifetime.Value = time.Hour * 24 * 7
+	client := coderdtest.New(t, &coderdtest.Options{
+		DeploymentConfig: dc,
+	})
+	_ = coderdtest.CreateFirstUser(t, client)
+
+	// success
+	_, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+		Lifetime: time.Hour * 24 * 6,
+	})
+	require.NoError(t, err)
 
-	t.Run("Scoped", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
-			Scope: codersdk.APIKeyScopeApplicationConnect,
-		})
-		require.NoError(t, err)
-		require.Greater(t, len(res.Key), 2)
-
-		keys, err := client.GetTokens(ctx, codersdk.Me)
-		require.NoError(t, err)
-		require.EqualValues(t, len(keys), 1)
-		require.Contains(t, res.Key, keys[0].ID)
-		// expires_at must be greater than 50 years
-		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
-		require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	// fail
+	_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+		Lifetime: time.Hour * 24 * 8,
 	})
+	require.ErrorContains(t, err, "lifetime must be less")
 }
 
 func TestAPIKey(t *testing.T) {
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -313,7 +313,8 @@ func TestPostLogin(t *testing.T) {
 		apiKey, err := client.GetAPIKey(ctx, admin.UserID.String(), split[0])
 		require.NoError(t, err, "fetch api key")
 
-		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*438300)), "tokens lasts more than 50 years")
+		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*24*29)), "default tokens lasts more than 29 days")
+		require.True(t, apiKey.ExpiresAt.Before(time.Now().Add(time.Hour*24*31)), "default tokens lasts less than 31 days")
 		require.Greater(t, apiKey.LifetimeSeconds, key.LifetimeSeconds, "token should have longer lifetime")
 	})
 }
diff --git a/codersdk/apikey.go b/codersdk/apikey.go
@@ -40,7 +40,8 @@ const (
 )
 
 type CreateTokenRequest struct {
-	Scope APIKeyScope `json:"scope"`
+	Lifetime time.Duration `json:"lifetime"`
+	Scope    APIKeyScope   `json:"scope"`
 }
 
 // GenerateAPIKeyResponse contains an API key for a user.
diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go
@@ -42,6 +42,7 @@ type DeploymentConfig struct {
 	APIRateLimit                    *DeploymentConfigField[int]             `json:"api_rate_limit" typescript:",notnull"`
 	Experimental                    *DeploymentConfigField[bool]            `json:"experimental" typescript:",notnull"`
 	UpdateCheck                     *DeploymentConfigField[bool]            `json:"update_check" typescript:",notnull"`
+	MaxTokenLifetime                *DeploymentConfigField[time.Duration]   `json:"max_token_lifetime" typescript:",notnull"`
 }
 
 type DERP struct {
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -206,6 +206,8 @@ export interface CreateTestAuditLogRequest {
 
 // From codersdk/apikey.go
 export interface CreateTokenRequest {
+  // This is likely an enum in an external package ("time.Duration")
+  readonly lifetime: number
   readonly scope: APIKeyScope
 }
 
@@ -303,6 +305,7 @@ export interface DeploymentConfig {
   readonly api_rate_limit: DeploymentConfigField<number>
   readonly experimental: DeploymentConfigField<boolean>
   readonly update_check: DeploymentConfigField<boolean>
+  readonly max_token_lifetime: DeploymentConfigField<number>
 }
 
 // From codersdk/deploymentconfig.go

Original file line number	Diff line number	Diff line change
`@@ -424,6 +424,12 @@ func newConfig() *codersdk.DeploymentConfig {`
`424`	`424`	`Flag: "update-check",`
`425`	`425`	`Default: flag.Lookup("test.v") == nil && !buildinfo.IsDev(),`
`426`	`426`	`},`
	`427`	`+ MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{`
	`428`	`+ Name: "Max Token Lifetime",`
	`429`	`+ Usage: "The maximum lifetime duration for any user creating a token.",`
	`430`	`+ Flag: "max-token-lifetime",`
	`431`	`+ Default: 24 * 30 * time.Hour,`
	`432`	`+ },`
`427`	`433`	`}`
`428`	`434`	`}`
`429`	`435`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"github.com/spf13/cobra"`
`9`	`9`	`"golang.org/x/xerrors"`
`10`	`10`
	`11`	`+ "github.com/coder/coder/cli/cliflag"`
`11`	`12`	`"github.com/coder/coder/cli/cliui"`
`12`	`13`	`"github.com/coder/coder/codersdk"`
`13`	`14`	`)`
`@@ -46,6 +47,9 @@ func tokens() *cobra.Command {`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`func createToken() *cobra.Command {`
	`50`	`+ var (`
	`51`	`+ tokenLifetime time.Duration`
	`52`	`+ )`
`49`	`53`	`cmd := &cobra.Command{`
`50`	`54`	`Use: "create",`
`51`	`55`	`Short: "Create a tokens",`
`@@ -55,7 +59,9 @@ func createToken() *cobra.Command {`
`55`	`59`	`return xerrors.Errorf("create codersdk client: %w", err)`
`56`	`60`	`}`
`57`	`61`
`58`		`- res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})`
	`62`	`+ res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{`
	`63`	`+ Lifetime: tokenLifetime,`
	`64`	`+ })`
`59`	`65`	`if err != nil {`
`60`	`66`	`return xerrors.Errorf("create tokens: %w", err)`
`61`	`67`	`}`
`@@ -74,6 +80,8 @@ func createToken() *cobra.Command {`
`74`	`80`	`},`
`75`	`81`	`}`
`76`	`82`
	`83`	`+ cliflag.DurationVarP(cmd.Flags(), &tokenLifetime, "lifetime", "", "CODER_TOKEN_LIFETIME", 3024time.Hour, "Specify a duration for the lifetime of the token.")`
	`84`	`+`
`77`	`85`	`return cmd`
`78`	`86`	`}`
`79`	`87`
Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,8 @@ func TestPostLogin(t *testing.T) {`
`313`	`313`	`apiKey, err := client.GetAPIKey(ctx, admin.UserID.String(), split[0])`
`314`	`314`	`require.NoError(t, err, "fetch api key")`
`315`	`315`
`316`		`- require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*438300)), "tokens lasts more than 50 years")`
	`316`	`+ require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour2429)), "default tokens lasts more than 29 days")`
	`317`	`+ require.True(t, apiKey.ExpiresAt.Before(time.Now().Add(time.Hour2431)), "default tokens lasts less than 31 days")`
`317`	`318`	`require.Greater(t, apiKey.LifetimeSeconds, key.LifetimeSeconds, "token should have longer lifetime")`
`318`	`319`	`})`
`319`	`320`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,8 @@ const (`
`40`	`40`	`)`
`41`	`41`
`42`	`42`	`type CreateTokenRequest struct {`
`43`		- Scope APIKeyScope `json:"scope"`
	`43`	+ Lifetime time.Duration `json:"lifetime"`
	`44`	+ Scope APIKeyScope `json:"scope"`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`// GenerateAPIKeyResponse contains an API key for a user.`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ type DeploymentConfig struct {`
`42`	`42`	APIRateLimit *DeploymentConfigField[int] `json:"api_rate_limit" typescript:",notnull"`
`43`	`43`	Experimental *DeploymentConfigField[bool] `json:"experimental" typescript:",notnull"`
`44`	`44`	UpdateCheck *DeploymentConfigField[bool] `json:"update_check" typescript:",notnull"`
	`45`	+ MaxTokenLifetime *DeploymentConfigField[time.Duration] `json:"max_token_lifetime" typescript:",notnull"`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`type DERP struct {`
Original file line number	Diff line number	Diff line change
`@@ -206,6 +206,8 @@ export interface CreateTestAuditLogRequest {`
`206`	`206`
`207`	`207`	`// From codersdk/apikey.go`
`208`	`208`	`export interface CreateTokenRequest {`
	`209`	`+ // This is likely an enum in an external package ("time.Duration")`
	`210`	`+ readonly lifetime: number`
`209`	`211`	`readonly scope: APIKeyScope`
`210`	`212`	`}`
`211`	`213`
`@@ -303,6 +305,7 @@ export interface DeploymentConfig {`
`303`	`305`	`readonly api_rate_limit: DeploymentConfigField<number>`
`304`	`306`	`readonly experimental: DeploymentConfigField<boolean>`
`305`	`307`	`readonly update_check: DeploymentConfigField<boolean>`
	`308`	`+ readonly max_token_lifetime: DeploymentConfigField<number>`
`306`	`309`	`}`
`307`	`310`
`308`	`311`	`// From codersdk/deploymentconfig.go`