shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-03 21:18:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
75f5b60eb6a674220249e7da73158faef44db289
coder/codersdk/allowlist.go
T
Thomas Kosiewski ed90ecf00e feat: add allow_list to resource-scoped API tokens (#19964) 
# Add API key allow_list for resource-scoped tokens

This PR adds support for API key allow lists, enabling tokens to be scoped to specific resources. The implementation:

1. Adds a new `allow_list` field to the `CreateTokenRequest` struct, allowing clients to specify resource-specific scopes when creating API tokens
2. Implements `APIAllowListTarget` type to represent resource targets in the format `<type>:<id>` with support for wildcards
3. Adds validation and normalization logic for allow lists to handle wildcards and deduplication
4. Integrates with RBAC by creating an `APIKeyEffectiveScope` that merges API key scopes with allow list restrictions
5. Updates API documentation and TypeScript types to reflect the new functionality

This feature enables creating tokens that are limited to specific resources (like workspaces or templates) by ID, making it possible to create more granular API tokens with limited access.
2025-10-09 14:53:08 +02:00

81 lines
2.2 KiB
Go
Raw Blame History

package codersdk
import (
"encoding/json"
"strings"
"github.com/google/uuid"
"golang.org/x/xerrors"
"github.com/coder/coder/v2/coderd/rbac/policy"
)
// APIAllowListTarget represents a single allow-list entry using the canonical
// string form "<resource_type>:<id>". The wildcard symbol "*" is treated as a
// permissive match for either side.
type APIAllowListTarget struct {
Type RBACResource `json:"type"`
ID string `json:"id"`
}
func AllowAllTarget() APIAllowListTarget {
return APIAllowListTarget{Type: ResourceWildcard, ID: policy.WildcardSymbol}
}
func AllowTypeTarget(r RBACResource) APIAllowListTarget {
return APIAllowListTarget{Type: r, ID: policy.WildcardSymbol}
}
func AllowResourceTarget(r RBACResource, id uuid.UUID) APIAllowListTarget {
return APIAllowListTarget{Type: r, ID: id.String()}
}
// String returns the canonical string representation "<type>:<id>" with "*" wildcards.
func (t APIAllowListTarget) String() string {
return string(t.Type) + ":" + t.ID
}
// MarshalJSON encodes as a JSON string: "<type>:<id>".
func (t APIAllowListTarget) MarshalJSON() ([]byte, error) {
return json.Marshal(t.String())
}
// UnmarshalJSON decodes from a JSON string: "<type>:<id>".
func (t *APIAllowListTarget) UnmarshalJSON(b []byte) error {
var s string
if err := json.Unmarshal(b, &s); err != nil {
return err
}
parts := strings.SplitN(strings.TrimSpace(s), ":", 2)
if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
return xerrors.Errorf("invalid allow_list entry %q: want <type>:<id>", s)
}
resource, id := RBACResource(parts[0]), parts[1]
// Type
if resource != ResourceWildcard {
if _, ok := policy.RBACPermissions[string(resource)]; !ok {
return xerrors.Errorf("unknown resource type %q", resource)
}
}
t.Type = resource
// ID
if id != policy.WildcardSymbol {
if _, err := uuid.Parse(id); err != nil {
return xerrors.Errorf("invalid %s ID (must be UUID): %q", resource, id)
}
}
t.ID = id
return nil
}
// Implement encoding.TextMarshaler/Unmarshaler for broader compatibility
func (t APIAllowListTarget) MarshalText() ([]byte, error) { return []byte(t.String()), nil }
func (t *APIAllowListTarget) UnmarshalText(b []byte) error {
return t.UnmarshalJSON([]byte("\"" + string(b) + "\""))
}
Reference in New Issue View Git Blame Copy Permalink