coder
diff --git a/‎.swaggo‎
Lines changed: 8 additions & 0 deletions b/‎.swaggo‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go‎
Lines changed: 17 additions & 0 deletions b/‎coderd/apidoc/docs.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 17 additions & 0 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apikey.go‎
Lines changed: 39 additions & 0 deletions b/‎coderd/apikey.go‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎coderd/apikey/apikey.go‎
Lines changed: 4 additions & 1 deletion b/‎coderd/apikey/apikey.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/database/dbauthz/setup_test.go‎
Lines changed: 11 additions & 5 deletions b/‎coderd/database/dbauthz/setup_test.go‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 1 addition & 1 deletion b/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/modelmethods.go‎
Lines changed: 35 additions & 0 deletions b/‎coderd/database/modelmethods.go‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎coderd/database/types.go‎
Lines changed: 28 additions & 12 deletions b/‎coderd/database/types.go‎
Lines changed: 28 additions & 12 deletions
diff --git a/‎coderd/httpmw/apikey.go‎
Lines changed: 4 additions & 1 deletion b/‎coderd/httpmw/apikey.go‎
Lines changed: 4 additions & 1 deletion
@@ -6,3 +6,11 @@ replace time.Duration int64
 replace github.com/coder/coder/v2/codersdk.ProvisionerType string
 // Do not render netip.Addr
 replace netip.Addr string
+
+// Map generics of wildcard.Value[T] to concrete, client-friendly types.
+
+// Type: wildcard.Value[codersdk.RBACResource] -> codersdk.RBACResource (already includes "*")
+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-codersdk_RBACResource github.com/coder/coder/v2/codersdk.RBACResource
+
+// ID: wildcard.Value[uuid.UUID] -> string (we’ll add a doc note to allow "*")
+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-uuid_UUID string
@@ -116,6 +116,45 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		TokenName:       tokenName,
 	}
 
+	if len(createToken.AllowList) > 0 {
+		rbacAllowListElements := make([]rbac.AllowListElement, 0, len(createToken.AllowList))
+		for _, t := range createToken.AllowList {
+			entry, err := rbac.NewAllowListElement(t.Type.String(), t.ID.String())
+			if err != nil {
+				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Failed to create API key.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+			rbacAllowListElements = append(rbacAllowListElements, entry)
+		}
+
+		rbacAllowList, err := rbac.NewAllowList(rbacAllowListElements, 128)
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Failed to create API key.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+
+		dbAllowList := make(database.AllowList, 0, len(rbacAllowList))
+		for _, e := range rbacAllowList {
+			target, err := database.NewAllowListTarget(e.Type, e.ID)
+			if err != nil {
+				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Failed to create API key.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+			dbAllowList = append(dbAllowList, target)
+		}
+
+		params.AllowList = dbAllowList
+	}
+
 	if createToken.Lifetime != 0 {
 		err := api.validateAPIKeyLifetime(ctx, user.ID, createToken.Lifetime)
 		if err != nil {
 
@@ -34,6 +34,9 @@ type CreateParams struct {
 	Scopes     database.APIKeyScopes
 	TokenName  string
 	RemoteAddr string
+	// AllowList is an optional, normalized allow-list
+	// of resource type and uuid entries. If empty, defaults to wildcard.
+	AllowList database.AllowList
 }
 
 // Generate generates an API key, returning the key as a string as well as the
@@ -115,7 +118,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 		HashedSecret: hashed[:],
 		LoginType:    params.LoginType,
 		Scopes:       scopes,
-		AllowList:    database.AllowList{database.AllowListWildcard()},
+		AllowList:    params.AllowList,
 		TokenName:    params.TokenName,
 	}, token, nil
 }
 
@@ -31,6 +31,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/rbac/regosql"
 	"github.com/coder/coder/v2/coderd/util/slice"
+	"github.com/coder/coder/v2/x/wildcard"
 )
 
 var errMatchAny = xerrors.New("match any error")
@@ -225,17 +226,21 @@ func (s *MethodTestSuite) SubtestWithDB(db database.Store, testCaseF func(db dat
 			if testCase.outputs != nil {
 				// Assert the required outputs
 				s.Equal(len(testCase.outputs), len(outputs), "method %q returned unexpected number of outputs", methodName)
+				cmpOptions := []cmp.Option{
+					// Equate nil and empty slices.
+					cmpopts.EquateEmpty(),
+					cmpopts.EquateComparable(wildcard.Value[string]{}, wildcard.Value[uuid.UUID]{}),
+				}
 				for i := range outputs {
 					a, b := testCase.outputs[i].Interface(), outputs[i].Interface()
 
 					// To avoid the extra small overhead of gob encoding, we can
 					// first check if the values are equal with regard to order.
 					// If not, re-check disregarding order and show a nice diff
 					// output of the two values.
-					if !cmp.Equal(a, b, cmpopts.EquateEmpty()) {
-						if diff := cmp.Diff(a, b,
-							// Equate nil and empty slices.
-							cmpopts.EquateEmpty(),
+					if !cmp.Equal(a, b, cmpOptions...) {
+						diffOpts := append(
+							append([]cmp.Option{}, cmpOptions...),
 							// Allow slice order to be ignored.
 							cmpopts.SortSlices(func(a, b any) bool {
 								var ab, bb strings.Builder
@@ -247,7 +252,8 @@ func (s *MethodTestSuite) SubtestWithDB(db database.Store, testCaseF func(db dat
 								// https://github.com/google/go-cmp/issues/67
 								return ab.String() < bb.String()
 							}),
-						); diff != "" {
+						)
+						if diff := cmp.Diff(a, b, diffOpts...); diff != "" {
 							s.Failf("compare outputs failed", "method %q returned unexpected output %d (-want +got):\n%s", methodName, i, diff)
 						}
 					}
 
@@ -186,7 +186,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func
 		UpdatedAt:       takeFirst(seed.UpdatedAt, dbtime.Now()),
 		LoginType:       takeFirst(seed.LoginType, database.LoginTypePassword),
 		Scopes:          takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),
-		AllowList:       takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),
+		AllowList:       takeFirstSlice(seed.AllowList, database.AllowList{}),
 		TokenName:       takeFirst(seed.TokenName),
 	}
 	for _, fn := range munge {
 
@@ -235,6 +235,41 @@ func (s APIKeyScopes) Name() rbac.RoleIdentifier {
 	return rbac.RoleIdentifier{Name: "scopes[" + strings.Join(names, "+") + "]"}
 }
 
+// APIKeyEffectiveScope merges expanded scopes with the API key's DB allow_list.
+// If the DB allow_list is a wildcard or empty, the merged scope's allow list is unchanged.
+// Otherwise, the DB allow_list overrides the merged AllowIDList to enforce the token's
+// resource scoping consistently across all permissions.
+type APIKeyEffectiveScope struct {
+	Scopes    APIKeyScopes
+	AllowList AllowList
+}
+
+func (e APIKeyEffectiveScope) Name() rbac.RoleIdentifier { return e.Scopes.Name() }
+
+func (e APIKeyEffectiveScope) Expand() (rbac.Scope, error) {
+	merged, err := e.Scopes.Expand()
+	if err != nil {
+		return rbac.Scope{}, err
+	}
+	if len(e.AllowList) == 0 {
+		return merged, nil
+	}
+
+	// If allow list contains a single wildcard (*:*), keep merged allow list as-is
+	for _, entry := range e.AllowList {
+		if entry.Type.IsAny() && entry.ID.IsAny() {
+			return merged, nil
+		}
+	}
+
+	out := make([]rbac.AllowListElement, 0, len(e.AllowList))
+	for _, t := range e.AllowList {
+		out = append(out, rbac.AllowListElement{Type: t.Type.String(), ID: t.ID.String()})
+	}
+	merged.AllowIDList = out
+	return merged, nil
+}
+
 func (k APIKey) RBACObject() rbac.Object {
 	return rbac.ResourceApiKey.WithIDString(k.ID).
 		WithOwner(k.UserID.String())
 
@@ -15,6 +15,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/x/wildcard"
 )
 
 // AuditOAuthConvertState is never stored in the database. It is stored in a cookie
@@ -163,9 +164,7 @@ func (m StringMapOfInt) Value() (driver.Value, error) {
 
 type CustomRolePermissions []CustomRolePermission
 
-// APIKeyScopes implements sql.Scanner and driver.Valuer so it can be read from
-// and written to the Postgres api_key_scope[] enum array column.
-func (s *APIKeyScopes) Scan(src interface{}) error {
+func (s *APIKeyScopes) Scan(src any) error {
 	var arr []string
 	if err := pq.Array(&arr).Scan(src); err != nil {
 		return err
@@ -318,26 +317,43 @@ func ParseIP(ipStr string) pqtype.Inet {
 // It encodes a resource tuple (type, id) and provides helpers for
 // consistent string and JSON representations across the codebase.
 type AllowListTarget struct {
-	Type string `json:"type"`
-	ID   string `json:"id"`
+	Type wildcard.Value[string]    `json:"type"`
+	ID   wildcard.Value[uuid.UUID] `json:"id"`
 }
 
 // String returns the canonical database representation "type:id".
-func (t AllowListTarget) String() string {
-	return t.Type + ":" + t.ID
+func (t AllowListTarget) String() string { return t.Type.String() + ":" + t.ID.String() }
+
+func NewAllowListTarget(typ string, id string) (AllowListTarget, error) {
+	var (
+		anyType wildcard.Value[string]
+		anyID   wildcard.Value[uuid.UUID]
+	)
+
+	if typ != policy.WildcardSymbol {
+		anyType = wildcard.Of(typ)
+	}
+
+	if id != policy.WildcardSymbol {
+		u, err := uuid.Parse(id)
+		if err != nil {
+			return AllowListTarget{}, xerrors.Errorf("invalid %s ID: %q", typ, id)
+		}
+		anyID = wildcard.Of(u)
+	}
+
+	return AllowListTarget{Type: anyType, ID: anyID}, nil
 }
 
 // ParseAllowListTarget parses the canonical string form "type:id".
 func ParseAllowListTarget(s string) (AllowListTarget, error) {
-	targetType, id, ok := rbac.ParseResourceAction(s)
+	targetType, rawID, ok := rbac.ParseResourceAction(s)
 	if !ok {
 		return AllowListTarget{}, xerrors.Errorf("invalid allow list target: %q", s)
 	}
-	return AllowListTarget{Type: targetType, ID: id}, nil
-}
 
-// AllowListWildcard returns the wildcard allow-list entry {"*","*"}.
-func AllowListWildcard() AllowListTarget { return AllowListTarget{Type: "*", ID: "*"} }
+	return NewAllowListTarget(targetType, rawID)
+}
 
 // AllowList is a typed wrapper around a list of AllowListTarget entries.
 // It implements sql.Scanner and driver.Valuer so it can be stored in and
 
@@ -434,7 +434,10 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 	// If the key is valid, we also fetch the user roles and status.
 	// The roles are used for RBAC authorize checks, and the status
 	// is to block 'suspended' users from accessing the platform.
-	actor, userStatus, err := UserRBACSubject(ctx, cfg.DB, key.UserID, key.Scopes)
+	actor, userStatus, err := UserRBACSubject(ctx, cfg.DB, key.UserID, database.APIKeyEffectiveScope{
+		Scopes:    key.Scopes,
+		AllowList: key.AllowList,
+	})
 	if err != nil {
 		return write(http.StatusUnauthorized, codersdk.Response{
 			Message: internalErrorMessage,
Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func`
`186`	`186`	`UpdatedAt: takeFirst(seed.UpdatedAt, dbtime.Now()),`
`187`	`187`	`LoginType: takeFirst(seed.LoginType, database.LoginTypePassword),`
`188`	`188`	`Scopes: takeFirstSlice([]database.APIKeyScope(seed.Scopes), []database.APIKeyScope{database.ApiKeyScopeCoderAll}),`
`189`		`- AllowList: takeFirstSlice(seed.AllowList, database.AllowList{database.AllowListWildcard()}),`
	`189`	`+ AllowList: takeFirstSlice(seed.AllowList, database.AllowList{}),`
`190`	`190`	`TokenName: takeFirst(seed.TokenName),`
`191`	`191`	`}`
`192`	`192`	`for _, fn := range munge {`