feat: implement API key scopes database migration (#19861)

Added database migration for API key scopes. Fixes #19845
2026-06-02 20:48:20 +00:00 · 2025-09-22 19:26:51 +02:00
parent a30c30724b
commit fb0ce389a6
26 changed files with 1253 additions and 72 deletions
@@ -12,7 +12,145 @@ CREATE TYPE agent_key_scope_enum AS ENUM (

 CREATE TYPE api_key_scope AS ENUM (
    'all',
-    'application_connect'
+    'application_connect',
+    'aibridge_interception:create',
+    'aibridge_interception:read',
+    'aibridge_interception:update',
+    'api_key:create',
+    'api_key:delete',
+    'api_key:read',
+    'api_key:update',
+    'assign_org_role:assign',
+    'assign_org_role:create',
+    'assign_org_role:delete',
+    'assign_org_role:read',
+    'assign_org_role:unassign',
+    'assign_org_role:update',
+    'assign_role:assign',
+    'assign_role:read',
+    'assign_role:unassign',
+    'audit_log:create',
+    'audit_log:read',
+    'connection_log:read',
+    'connection_log:update',
+    'crypto_key:create',
+    'crypto_key:delete',
+    'crypto_key:read',
+    'crypto_key:update',
+    'debug_info:read',
+    'deployment_config:read',
+    'deployment_config:update',
+    'deployment_stats:read',
+    'file:create',
+    'file:read',
+    'group:create',
+    'group:delete',
+    'group:read',
+    'group:update',
+    'group_member:read',
+    'idpsync_settings:read',
+    'idpsync_settings:update',
+    'inbox_notification:create',
+    'inbox_notification:read',
+    'inbox_notification:update',
+    'license:create',
+    'license:delete',
+    'license:read',
+    'notification_message:create',
+    'notification_message:delete',
+    'notification_message:read',
+    'notification_message:update',
+    'notification_preference:read',
+    'notification_preference:update',
+    'notification_template:read',
+    'notification_template:update',
+    'oauth2_app:create',
+    'oauth2_app:delete',
+    'oauth2_app:read',
+    'oauth2_app:update',
+    'oauth2_app_code_token:create',
+    'oauth2_app_code_token:delete',
+    'oauth2_app_code_token:read',
+    'oauth2_app_secret:create',
+    'oauth2_app_secret:delete',
+    'oauth2_app_secret:read',
+    'oauth2_app_secret:update',
+    'organization:create',
+    'organization:delete',
+    'organization:read',
+    'organization:update',
+    'organization_member:create',
+    'organization_member:delete',
+    'organization_member:read',
+    'organization_member:update',
+    'prebuilt_workspace:delete',
+    'prebuilt_workspace:update',
+    'provisioner_daemon:create',
+    'provisioner_daemon:delete',
+    'provisioner_daemon:read',
+    'provisioner_daemon:update',
+    'provisioner_jobs:create',
+    'provisioner_jobs:read',
+    'provisioner_jobs:update',
+    'replicas:read',
+    'system:create',
+    'system:delete',
+    'system:read',
+    'system:update',
+    'tailnet_coordinator:create',
+    'tailnet_coordinator:delete',
+    'tailnet_coordinator:read',
+    'tailnet_coordinator:update',
+    'template:create',
+    'template:delete',
+    'template:read',
+    'template:update',
+    'template:use',
+    'template:view_insights',
+    'usage_event:create',
+    'usage_event:read',
+    'usage_event:update',
+    'user:create',
+    'user:delete',
+    'user:read',
+    'user:read_personal',
+    'user:update',
+    'user:update_personal',
+    'user_secret:create',
+    'user_secret:delete',
+    'user_secret:read',
+    'user_secret:update',
+    'webpush_subscription:create',
+    'webpush_subscription:delete',
+    'webpush_subscription:read',
+    'workspace:application_connect',
+    'workspace:create',
+    'workspace:create_agent',
+    'workspace:delete',
+    'workspace:delete_agent',
+    'workspace:read',
+    'workspace:ssh',
+    'workspace:start',
+    'workspace:stop',
+    'workspace:update',
+    'workspace_agent_devcontainers:create',
+    'workspace_agent_resource_monitor:create',
+    'workspace_agent_resource_monitor:read',
+    'workspace_agent_resource_monitor:update',
+    'workspace_dormant:application_connect',
+    'workspace_dormant:create',
+    'workspace_dormant:create_agent',
+    'workspace_dormant:delete',
+    'workspace_dormant:delete_agent',
+    'workspace_dormant:read',
+    'workspace_dormant:ssh',
+    'workspace_dormant:start',
+    'workspace_dormant:stop',
+    'workspace_dormant:update',
+    'workspace_proxy:create',
+    'workspace_proxy:delete',
+    'workspace_proxy:read',
+    'workspace_proxy:update'
 );

 CREATE TYPE app_sharing_level AS ENUM (
@@ -920,8 +1058,9 @@ CREATE TABLE api_keys (
    login_type login_type NOT NULL,
    lifetime_seconds bigint DEFAULT 86400 NOT NULL,
    ip_address inet DEFAULT '0.0.0.0'::inet NOT NULL,
-    scope api_key_scope DEFAULT 'all'::api_key_scope NOT NULL,
-    token_name text DEFAULT ''::text NOT NULL
+    token_name text DEFAULT ''::text NOT NULL,
+    scopes api_key_scope[] NOT NULL,
+    allow_list text[] NOT NULL
 );

 COMMENT ON COLUMN api_keys.hashed_secret IS 'hashed_secret contains a SHA256 hash of the key secret. This is considered a secret and MUST NOT be returned from the API as it is used for API key encryption in app proxying code.';