Skip to content

feat: add API key scopes and application_connect scope #4067

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 19, 2022
Merged

feat: add API key scopes and application_connect scope #4067

merged 11 commits into from
Sep 19, 2022

Conversation

deansheather
Copy link
Member

@deansheather deansheather commented Sep 14, 2022
edited
Loading

Adds API key scopes using code from #1846. This will be used for devurl scoping which will be done in a future PR.

We decided to use roles as scopes instead of a map of map[Resource][]Action, because:

  • It's easier to implement
  • It's easier to implement the scopes we care about
  • If we ever want to add permissions to "default scopes" we can do so without a complex migration
  • If we ever want to allow custom-scoped keys (with custom permissions) we could just let users create their own roles and use those as scopes

TODO:

  • Better tests

Co-authored-by: David Wahler david@coder.com

kylecarbs
kylecarbs requested changes Sep 14, 2022
View reviewed changes
@deansheather deansheather marked this pull request as ready for review September 15, 2022 19:00
@deansheather deansheather changed the title feat: add API key scopes feat: add API key scopes and application_connect scope Sep 15, 2022
coadler
coadler reviewed Sep 16, 2022
View reviewed changes
kylecarbs
kylecarbs approved these changes Sep 16, 2022
View reviewed changes
@deansheather
Copy link
Member Author

I ran into a bug in our migration generation code that had me stumped for a bit. The database generation main.go program depended on the database package, so if you were renaming types you would get compile errors. The database generation code only depended on the database package for migrations, so I've moved the migration code to the migrations directory instead.

kylecarbs
kylecarbs reviewed Sep 19, 2022
View reviewed changes
Emyrk
Emyrk approved these changes Sep 19, 2022
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG!

coderd/database/migrations/000050_apikey_scope.up.sql
Comment on lines +1 to +4
CREATE TYPE api_key_scope AS ENUM (
'all',
'application_connect'
);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we add custom scopes later, this cannot be an enum. Roles are not enums.

Your call, but it isn't really necessary to enforce at the db level.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can resolve this problem with migrations when the time comes. Technically, the only correct and future proof option is to use UUIDs and foreign keys to a roles table but we're not at that point yet.

@deansheather deansheather enabled auto-merge (squash) September 19, 2022 17:31
@deansheather deansheather merged commit 29d804e into main Sep 19, 2022
@deansheather deansheather deleted the dean/token-scopes branch September 19, 2022 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coadler coadler coadler left review comments

@kylecarbs kylecarbs kylecarbs approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@deansheather @Emyrk @coadler @kylecarbs