Skip to content

feat: add API key scope to restrict access to user data #17692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 15, 2025
Merged

feat: add API key scope to restrict access to user data #17692

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
feat: add API key scope for workspace agents to support running witho… 
…ut user data access

Change-Id: Ia5a7085afea6ad6ab7fdba2ab738357f4c519966
Signed-off-by: Thomas Kosiewski <tk@coder.com>
  • Loading branch information
@ThomasK33
ThomasK33 committed May 15, 2025
commit de14cfa0681db6e80145d6f4666152976f024b19
10 changes: 6 additions & 4 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -802,6 +802,11 @@ func New(options *Options) *API {
PostAuthAdditionalHeadersFunc: options.PostAuthAdditionalHeadersFunc,
})

workspaceAgentInfo := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
DB: options.Database,
Optional: false,
})
Comment on lines +805 to +808
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is only used once, we can probably go back to doing it inline, rather than declaring it up here.

Just a nit


// API rate limit middleware. The counter is local and not shared between
// replicas or instances of this middleware.
apiRateLimiter := httpmw.RateLimit(options.APIRateLimit, time.Minute)
Expand Down Expand Up @@ -1289,10 +1294,7 @@ func New(options *Options) *API {
httpmw.RequireAPIKeyOrWorkspaceProxyAuth(),
).Get("/connection", api.workspaceAgentConnectionGeneric)
r.Route("/me", func(r chi.Router) {
r.Use(httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
DB: options.Database,
Optional: false,
}))
r.Use(workspaceAgentInfo)
r.Get("/rpc", api.workspaceAgentRPC)
r.Patch("/logs", api.patchWorkspaceAgentLogs)
r.Patch("/app-status", api.patchWorkspaceAgentAppStatus)
Expand Down
5 changes: 3 additions & 2 deletions coderd/database/dbauthz/dbauthz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4018,8 +4018,9 @@ func (s *MethodTestSuite) TestSystemFunctions() {
s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
check.Args(database.InsertWorkspaceAgentParams{
ID: uuid.New(),
Name: "dev",
ID: uuid.New(),
Name: "dev",
APIKeyScope: database.AgentKeyScopeEnumAll,
}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
}))
s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
Expand Down
1 change: 1 addition & 0 deletions coderd/database/dbgen/dbgen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
MOTDFile: takeFirst(orig.TroubleshootingURL, ""),
DisplayApps: append([]database.DisplayApp{}, orig.DisplayApps...),
DisplayOrder: takeFirst(orig.DisplayOrder, 1),
APIKeyScope: takeFirst(orig.APIKeyScope, database.AgentKeyScopeEnumAll),
})
require.NoError(t, err, "insert workspace agent")
return agt
Expand Down
1 change: 1 addition & 0 deletions coderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9620,6 +9620,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser
LifecycleState: database.WorkspaceAgentLifecycleStateCreated,
DisplayApps: arg.DisplayApps,
DisplayOrder: arg.DisplayOrder,
APIKeyScope: arg.APIKeyScope,
}

q.workspaceAgents = append(q.workspaceAgents, agent)
Expand Down
8 changes: 8 additions & 0 deletions coderd/database/dump.sql
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.down.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
-- Remove the api_key_scope column from the workspace_agents table
ALTER TABLE workspace_agents
DROP COLUMN IF EXISTS api_key_scope;

-- Drop the enum type for API key scope
DROP TYPE IF EXISTS agent_key_scope_enum;
10 changes: 10 additions & 0 deletions coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.up.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
-- Create the enum type for API key scope
CREATE TYPE agent_key_scope_enum AS ENUM ('all', 'no_user_data');

-- Add the api_key_scope column to the workspace_agents table
-- It defaults to 'all' to maintain existing behavior for current agents.
ALTER TABLE workspace_agents
ADD COLUMN api_key_scope agent_key_scope_enum NOT NULL DEFAULT 'all';

-- Add a comment explaining the purpose of the column
COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''all'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
60 changes: 60 additions & 0 deletions coderd/database/models.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading