chore: add test for app sharing with scoped keys

deansheather · deansheather · commit 4f6aac886543 · 2022-10-12T19:49:09.000Z
diff --git a/cli/tokens.go b/cli/tokens.go
@@ -55,7 +55,7 @@ func createToken() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			res, err := client.CreateToken(cmd.Context(), codersdk.Me)
+			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})
 			if err != nil {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -34,12 +34,23 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var createToken codersdk.CreateTokenRequest
+	if !httpapi.Read(ctx, rw, r, &createToken) {
+		return
+	}
+
+	scope := database.APIKeyScopeAll
+	if scope != "" {
+		scope = database.APIKeyScope(createToken.Scope)
+	}
+
 	// tokens last 100 years
 	lifeTime := time.Hour * 876000
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		ExpiresAt:       database.Now().Add(lifeTime),
+		Scope:           scope,
 		LifetimeSeconds: int64(lifeTime.Seconds()),
 	})
 	if err != nil {
@@ -54,6 +65,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Creates a new session key, used for logging in via the CLI.
+// DEPRECATED: use postToken instead.
 func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
@@ -229,6 +241,11 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 	if params.Scope != "" {
 		scope = params.Scope
 	}
+	switch scope {
+	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
+	default:
+		return nil, xerrors.Errorf("invalid API key scope: %q", scope)
+	}
 
 	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
 		ID:              keyID,
diff --git a/coderd/apikey_test.go b/coderd/apikey_test.go
@@ -14,30 +14,61 @@ import (
 
 func TestTokens(t *testing.T) {
 	t.Parallel()
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	_ = coderdtest.CreateFirstUser(t, client)
-	keys, err := client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
 
-	res, err := client.CreateToken(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Greater(t, len(res.Key), 2)
+	t.Run("CRUD", func(t *testing.T) {
+		t.Parallel()
 
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.EqualValues(t, len(keys), 1)
-	require.Contains(t, res.Key, keys[0].ID)
-	// expires_at must be greater than 50 years
-	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
 
-	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
-	require.NoError(t, err)
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+
+		// no update
+
+		err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+		require.NoError(t, err)
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
+	})
+
+	t.Run("Scoped", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Scope: codersdk.APIKeyScopeApplicationConnect,
+		})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	})
 }
 
 func TestAPIKey(t *testing.T) {
diff --git a/coderd/users.go b/coderd/users.go
@@ -1207,6 +1207,7 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {
 		CreatedAt:       k.CreatedAt,
 		UpdatedAt:       k.UpdatedAt,
 		LoginType:       codersdk.LoginType(k.LoginType),
+		Scope:           codersdk.APIKeyScope(k.Scope),
 		LifetimeSeconds: k.LifetimeSeconds,
 	}
 }
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -286,7 +286,7 @@ func TestPostLogin(t *testing.T) {
 		require.Equal(t, int64(86400), key.LifetimeSeconds, "default should be 86400")
 
 		// tokens have a longer life
-		token, err := client.CreateToken(ctx, codersdk.Me)
+		token, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
 		require.NoError(t, err, "make new token api key")
 		split = strings.Split(token.Key, "-")
 		apiKey, err := client.GetAPIKey(ctx, admin.UserID.String(), split[0])
@@ -1202,7 +1202,7 @@ func TestPostTokens(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancel()
 
-	apiKey, err := client.CreateToken(ctx, codersdk.Me)
+	apiKey, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
 	require.NotNil(t, apiKey)
 	require.GreaterOrEqual(t, len(apiKey.Key), 2)
 	require.NoError(t, err)
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -327,7 +327,18 @@ func (api *API) authorizeWorkspaceApp(r *http.Request, sharingLevel database.App
 			return false, xerrors.Errorf("get template %q: %w", workspace.TemplateID, err)
 		}
 
-		err = api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), []string{}, rbac.ActionRead, template.RBACObject())
+		// We have to perform this check without scopes enabled because
+		// otherwise this check will always fail on a scoped API key.
+		err = api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, rbac.ScopeAll, []string{}, rbac.ActionRead, template.RBACObject())
+		if err != nil {
+			// Exit early if the user doesn't have access to the template.
+			return false, nil
+		}
+
+		// Now check if the user has ApplicationConnect access to their own
+		// workspaces.
+		object := rbac.ResourceWorkspaceApplicationConnect.WithOwner(roles.ID.String())
+		err = api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), []string{}, rbac.ActionCreate, object)
 		if err == nil {
 			return true, nil
 		}
diff --git a/coderd/workspaceapps_test.go b/coderd/workspaceapps_test.go
@@ -836,7 +836,18 @@ func TestAppSharing(t *testing.T) {
 		// If the client has a session token, we also want to check that a
 		// scoped key works.
 		clients := []*codersdk.Client{client}
-		// TODO: generate scoped token and add to slice
+		if client.SessionToken != "" {
+			token, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+				Scope: codersdk.APIKeyScopeApplicationConnect,
+			})
+			require.NoError(t, err)
+
+			scopedClient := codersdk.New(client.URL)
+			scopedClient.SessionToken = token.Key
+			scopedClient.HTTPClient.CheckRedirect = client.HTTPClient.CheckRedirect
+
+			clients = append(clients, scopedClient)
+		}
 
 		for i, client := range clients {
 			msg := fmt.Sprintf("client %d", i)
diff --git a/codersdk/apikey.go b/codersdk/apikey.go
@@ -13,13 +13,14 @@ import (
 type APIKey struct {
 	ID string `json:"id" validate:"required"`
 	// NOTE: do not ever return the HashedSecret
-	UserID          uuid.UUID `json:"user_id" validate:"required"`
-	LastUsed        time.Time `json:"last_used" validate:"required"`
-	ExpiresAt       time.Time `json:"expires_at" validate:"required"`
-	CreatedAt       time.Time `json:"created_at" validate:"required"`
-	UpdatedAt       time.Time `json:"updated_at" validate:"required"`
-	LoginType       LoginType `json:"login_type" validate:"required"`
-	LifetimeSeconds int64     `json:"lifetime_seconds" validate:"required"`
+	UserID          uuid.UUID   `json:"user_id" validate:"required"`
+	LastUsed        time.Time   `json:"last_used" validate:"required"`
+	ExpiresAt       time.Time   `json:"expires_at" validate:"required"`
+	CreatedAt       time.Time   `json:"created_at" validate:"required"`
+	UpdatedAt       time.Time   `json:"updated_at" validate:"required"`
+	LoginType       LoginType   `json:"login_type" validate:"required"`
+	Scope           APIKeyScope `json:"scope" validate:"required"`
+	LifetimeSeconds int64       `json:"lifetime_seconds" validate:"required"`
 }
 
 type LoginType string
@@ -31,32 +32,51 @@ const (
 	LoginTypeToken    LoginType = "token"
 )
 
+type APIKeyScope string
+
+const (
+	APIKeyScopeAll                APIKeyScope = "all"
+	APIKeyScopeApplicationConnect APIKeyScope = "application_connect"
+)
+
+type CreateTokenRequest struct {
+	Scope APIKeyScope `json:"scope"`
+}
+
+// GenerateAPIKeyResponse contains an API key for a user.
+type GenerateAPIKeyResponse struct {
+	Key string `json:"key"`
+}
+
 // CreateToken generates an API key that doesn't expire.
-func (c *Client) CreateToken(ctx context.Context, userID string) (*GenerateAPIKeyResponse, error) {
-	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/keys/tokens", userID), nil)
+func (c *Client) CreateToken(ctx context.Context, userID string, req CreateTokenRequest) (GenerateAPIKeyResponse, error) {
+	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/keys/tokens", userID), req)
 	if err != nil {
-		return nil, err
+		return GenerateAPIKeyResponse{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode > http.StatusCreated {
-		return nil, readBodyAsError(res)
+		return GenerateAPIKeyResponse{}, readBodyAsError(res)
 	}
-	apiKey := &GenerateAPIKeyResponse{}
-	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
+
+	var apiKey GenerateAPIKeyResponse
+	return apiKey, json.NewDecoder(res.Body).Decode(&apiKey)
 }
 
 // CreateAPIKey generates an API key for the user ID provided.
-func (c *Client) CreateAPIKey(ctx context.Context, user string) (*GenerateAPIKeyResponse, error) {
+// DEPRECATED: use CreateToken instead.
+func (c *Client) CreateAPIKey(ctx context.Context, user string) (GenerateAPIKeyResponse, error) {
 	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/keys", user), nil)
 	if err != nil {
-		return nil, err
+		return GenerateAPIKeyResponse{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode > http.StatusCreated {
-		return nil, readBodyAsError(res)
+		return GenerateAPIKeyResponse{}, readBodyAsError(res)
 	}
-	apiKey := &GenerateAPIKeyResponse{}
-	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
+
+	var apiKey GenerateAPIKeyResponse
+	return apiKey, json.NewDecoder(res.Body).Decode(&apiKey)
 }
 
 // GetTokens list machine API keys.
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -96,11 +96,6 @@ type LoginWithPasswordResponse struct {
 	SessionToken string `json:"session_token" validate:"required"`
 }
 
-// GenerateAPIKeyResponse contains an API key for a user.
-type GenerateAPIKeyResponse struct {
-	Key string `json:"key"`
-}
-
 type CreateOrganizationRequest struct {
 	Name string `json:"name" validate:"required,username"`
 }
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -9,6 +9,7 @@ export interface APIKey {
   readonly created_at: string
   readonly updated_at: string
   readonly login_type: LoginType
+  readonly scope: APIKeyScope
   readonly lifetime_seconds: number
 }
 
@@ -218,6 +219,11 @@ export interface CreateTestAuditLogRequest {
   readonly resource_id?: string
 }
 
+// From codersdk/apikey.go
+export interface CreateTokenRequest {
+  readonly scope: APIKeyScope
+}
+
 // From codersdk/users.go
 export interface CreateUserRequest {
   readonly email: string
@@ -344,7 +350,7 @@ export interface Feature {
   readonly actual?: number
 }
 
-// From codersdk/users.go
+// From codersdk/apikey.go
 export interface GenerateAPIKeyResponse {
   readonly key: string
 }
@@ -852,6 +858,9 @@ export interface WorkspaceResourceMetadata {
   readonly sensitive: boolean
 }
 
+// From codersdk/apikey.go
+export type APIKeyScope = "all" | "application_connect"
+
 // From codersdk/audit.go
 export type AuditAction = "create" | "delete" | "write"
 
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
@@ -199,6 +199,7 @@ export const MockWorkspaceApp: TypesGen.WorkspaceApp = {
   icon: "",
   subdomain: false,
   health: "disabled",
+  sharing_level: "owner",
   healthcheck: {
     url: "",
     interval: 0,

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func createToken() *cobra.Command {`
`55`	`55`	`return xerrors.Errorf("create codersdk client: %w", err)`
`56`	`56`	`}`
`57`	`57`
`58`		`- res, err := client.CreateToken(cmd.Context(), codersdk.Me)`
	`58`	`+ res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})`
`59`	`59`	`if err != nil {`
`60`	`60`	`return xerrors.Errorf("create tokens: %w", err)`
`61`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1207,6 +1207,7 @@ func convertAPIKey(k database.APIKey) codersdk.APIKey {`
`1207`	`1207`	`CreatedAt: k.CreatedAt,`
`1208`	`1208`	`UpdatedAt: k.UpdatedAt,`
`1209`	`1209`	`LoginType: codersdk.LoginType(k.LoginType),`
	`1210`	`+ Scope: codersdk.APIKeyScope(k.Scope),`
`1210`	`1211`	`LifetimeSeconds: k.LifetimeSeconds,`
`1211`	`1212`	`}`
`1212`	`1213`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,11 +96,6 @@ type LoginWithPasswordResponse struct {`
`96`	`96`	SessionToken string `json:"session_token" validate:"required"`
`97`	`97`	`}`
`98`	`98`
`99`		`-// GenerateAPIKeyResponse contains an API key for a user.`
`100`		`-type GenerateAPIKeyResponse struct {`
`101`		- Key string `json:"key"`
`102`		`-}`
`103`		`-`
`104`	`99`	`type CreateOrganizationRequest struct {`
`105`	`100`	Name string `json:"name" validate:"required,username"`
`106`	`101`	`}`