coder
diff --git a/‎.swaggo‎
Lines changed: 8 additions & 0 deletions b/‎.swaggo‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 17 additions & 0 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/database/types.go‎
Lines changed: 28 additions & 12 deletions b/‎coderd/database/types.go‎
Lines changed: 28 additions & 12 deletions
diff --git a/‎coderd/httpmw/apikey.go‎
Lines changed: 4 additions & 1 deletion b/‎coderd/httpmw/apikey.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/rbac/allowlist.go‎
Lines changed: 118 additions & 0 deletions b/‎coderd/rbac/allowlist.go‎
Lines changed: 118 additions & 0 deletions
diff --git a/‎coderd/rbac/allowlist_test.go‎
Lines changed: 64 additions & 0 deletions b/‎coderd/rbac/allowlist_test.go‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎codersdk/allowlist.go‎
Lines changed: 75 additions & 0 deletions b/‎codersdk/allowlist.go‎
Lines changed: 75 additions & 0 deletions
@@ -6,3 +6,11 @@ replace time.Duration int64
 replace github.com/coder/coder/v2/codersdk.ProvisionerType string
 // Do not render netip.Addr
 replace netip.Addr string
+
+// Map generics of wildcard.Value[T] to concrete, client-friendly types.
+
+// Type: wildcard.Value[codersdk.RBACResource] -> codersdk.RBACResource (already includes "*")
+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-codersdk_RBACResource github.com/coder/coder/v2/codersdk.RBACResource
+
+// ID: wildcard.Value[uuid.UUID] -> string (we’ll add a doc note to allow "*")
+replace github.com/coder/coder/v2/x/wildcard.$wildcard.Value-uuid_UUID string
@@ -15,6 +15,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/x/wildcard"
 )
 
 // AuditOAuthConvertState is never stored in the database. It is stored in a cookie
@@ -163,9 +164,7 @@ func (m StringMapOfInt) Value() (driver.Value, error) {
 
 type CustomRolePermissions []CustomRolePermission
 
-// APIKeyScopes implements sql.Scanner and driver.Valuer so it can be read from
-// and written to the Postgres api_key_scope[] enum array column.
-func (s *APIKeyScopes) Scan(src interface{}) error {
+func (s *APIKeyScopes) Scan(src any) error {
 	var arr []string
 	if err := pq.Array(&arr).Scan(src); err != nil {
 		return err
@@ -318,26 +317,43 @@ func ParseIP(ipStr string) pqtype.Inet {
 // It encodes a resource tuple (type, id) and provides helpers for
 // consistent string and JSON representations across the codebase.
 type AllowListTarget struct {
-	Type string `json:"type"`
-	ID   string `json:"id"`
+	Type wildcard.Value[string]    `json:"type"`
+	ID   wildcard.Value[uuid.UUID] `json:"id"`
 }
 
 // String returns the canonical database representation "type:id".
-func (t AllowListTarget) String() string {
-	return t.Type + ":" + t.ID
+func (t AllowListTarget) String() string { return t.Type.String() + ":" + t.ID.String() }
+
+func NewAllowListTarget(typ string, id string) (AllowListTarget, error) {
+	var (
+		anyType wildcard.Value[string]
+		anyID   wildcard.Value[uuid.UUID]
+	)
+
+	if typ != policy.WildcardSymbol {
+		anyType = wildcard.Of(typ)
+	}
+
+	if id != policy.WildcardSymbol {
+		u, err := uuid.Parse(id)
+		if err != nil {
+			return AllowListTarget{}, xerrors.Errorf("invalid %s ID: %q", typ, id)
+		}
+		anyID = wildcard.Of(u)
+	}
+
+	return AllowListTarget{Type: anyType, ID: anyID}, nil
 }
 
 // ParseAllowListTarget parses the canonical string form "type:id".
 func ParseAllowListTarget(s string) (AllowListTarget, error) {
-	targetType, id, ok := rbac.ParseResourceAction(s)
+	targetType, rawID, ok := rbac.ParseResourceAction(s)
 	if !ok {
 		return AllowListTarget{}, xerrors.Errorf("invalid allow list target: %q", s)
 	}
-	return AllowListTarget{Type: targetType, ID: id}, nil
-}
 
-// AllowListWildcard returns the wildcard allow-list entry {"*","*"}.
-func AllowListWildcard() AllowListTarget { return AllowListTarget{Type: "*", ID: "*"} }
+	return NewAllowListTarget(targetType, rawID)
+}
 
 // AllowList is a typed wrapper around a list of AllowListTarget entries.
 // It implements sql.Scanner and driver.Valuer so it can be stored in and
 
@@ -434,7 +434,10 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 	// If the key is valid, we also fetch the user roles and status.
 	// The roles are used for RBAC authorize checks, and the status
 	// is to block 'suspended' users from accessing the platform.
-	actor, userStatus, err := UserRBACSubject(ctx, cfg.DB, key.UserID, key.Scopes)
+	actor, userStatus, err := UserRBACSubject(ctx, cfg.DB, key.UserID, database.APIKeyEffectiveScope{
+		Scopes:    key.Scopes,
+		AllowList: key.AllowList,
+	})
 	if err != nil {
 		return write(http.StatusUnauthorized, codersdk.Response{
 			Message: internalErrorMessage,
 
@@ -0,0 +1,118 @@
+package rbac
+
+import (
+	"sort"
+	"strings"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/rbac/policy"
+)
+
+// ParseAllowListEntry parses a single allow-list entry string in the form
+// "*:*", "<resource_type>:*", or "<resource_type>:<uuid>" into an
+// AllowListElement with validation.
+func ParseAllowListEntry(s string) (AllowListElement, error) {
+	s = strings.TrimSpace(strings.ToLower(s))
+	res, id, ok := ParseResourceAction(s)
+	if !ok {
+		return AllowListElement{}, xerrors.Errorf("invalid allow_list entry %q: want <type>:<id>", s)
+	}
+
+	return NewAllowListElement(res, id)
+}
+
+func NewAllowListElement(resourceType string, id string) (AllowListElement, error) {
+	if resourceType != policy.WildcardSymbol {
+		if _, ok := policy.RBACPermissions[resourceType]; !ok {
+			return AllowListElement{}, xerrors.Errorf("unknown resource type %q", resourceType)
+		}
+	}
+	if id != policy.WildcardSymbol {
+		if _, err := uuid.Parse(id); err != nil {
+			return AllowListElement{}, xerrors.Errorf("invalid %s ID (must be UUID): %q", resourceType, id)
+		}
+	}
+
+	return AllowListElement{Type: resourceType, ID: id}, nil
+}
+
+// ParseAllowList parses, validates, normalizes, and deduplicates a list of
+// allow-list entries. If max is <=0, a default cap of 128 is applied.
+func ParseAllowList(inputs []string, max int) ([]AllowListElement, error) {
+	if len(inputs) == 0 {
+		return nil, nil
+	}
+	if max <= 0 {
+		max = 128
+	}
+	if len(inputs) > max {
+		return nil, xerrors.Errorf("allow_list has %d entries; max allowed is %d", len(inputs), max)
+	}
+
+	elems := make([]AllowListElement, 0, len(inputs))
+	for _, s := range inputs {
+		e, err := ParseAllowListEntry(s)
+		if err != nil {
+			return nil, err
+		}
+		// Global wildcard short-circuits
+		if e.Type == policy.WildcardSymbol && e.ID == policy.WildcardSymbol {
+			return []AllowListElement{AllowListAll()}, nil
+		}
+		elems = append(elems, e)
+	}
+
+	return NewAllowList(elems, max)
+}
+
+func NewAllowList(inputs []AllowListElement, max int) ([]AllowListElement, error) {
+	if len(inputs) == 0 {
+		return nil, nil
+	}
+	if max <= 0 {
+		max = 128
+	}
+	if len(inputs) > max {
+		return nil, xerrors.Errorf("allow_list has %d entries; max allowed is %d", len(inputs), max)
+	}
+
+	// Collapse typed wildcards and drop shadowed IDs
+	typedWildcard := map[string]struct{}{}
+	idsByType := map[string]map[string]struct{}{}
+	for _, e := range inputs {
+		// Global wildcard short-circuits
+		if e.Type == policy.WildcardSymbol && e.ID == policy.WildcardSymbol {
+			return []AllowListElement{AllowListAll()}, nil
+		}
+
+		if e.ID == policy.WildcardSymbol {
+			typedWildcard[e.Type] = struct{}{}
+			continue
+		}
+		if idsByType[e.Type] == nil {
+			idsByType[e.Type] = map[string]struct{}{}
+		}
+		idsByType[e.Type][e.ID] = struct{}{}
+	}
+
+	out := make([]AllowListElement, 0)
+	for t, ids := range idsByType {
+		if _, ok := typedWildcard[t]; ok {
+			out = append(out, AllowListElement{Type: t, ID: policy.WildcardSymbol})
+			continue
+		}
+		for id := range ids {
+			out = append(out, AllowListElement{Type: t, ID: id})
+		}
+	}
+
+	sort.Slice(out, func(i, j int) bool {
+		if out[i].Type == out[j].Type {
+			return out[i].ID < out[j].ID
+		}
+		return out[i].Type < out[j].Type
+	})
+	return out, nil
+}
@@ -0,0 +1,64 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseAllowListEntry(t *testing.T) {
+	t.Parallel()
+	e, err := ParseAllowListEntry("*:*")
+	require.NoError(t, err)
+	require.Equal(t, AllowListElement{Type: "*", ID: "*"}, e)
+
+	e, err = ParseAllowListEntry("workspace:*")
+	require.NoError(t, err)
+	require.Equal(t, AllowListElement{Type: "workspace", ID: "*"}, e)
+
+	id := uuid.New().String()
+	e, err = ParseAllowListEntry("template:" + id)
+	require.NoError(t, err)
+	require.Equal(t, AllowListElement{Type: "template", ID: id}, e)
+
+	_, err = ParseAllowListEntry("unknown:*")
+	require.Error(t, err)
+	_, err = ParseAllowListEntry("workspace:bad-uuid")
+	require.Error(t, err)
+	_, err = ParseAllowListEntry(":")
+	require.Error(t, err)
+}
+
+func TestParseAllowListNormalize(t *testing.T) {
+	t.Parallel()
+	id1 := uuid.New().String()
+	id2 := uuid.New().String()
+
+	// Global wildcard short-circuits
+	out, err := ParseAllowList([]string{"workspace:" + id1, "*:*", "template:" + id2}, 128)
+	require.NoError(t, err)
+	require.Equal(t, []AllowListElement{{Type: "*", ID: "*"}}, out)
+
+	// Typed wildcard collapses typed ids
+	out, err = ParseAllowList([]string{"workspace:*", "workspace:" + id1, "workspace:" + id2}, 128)
+	require.NoError(t, err)
+	require.Equal(t, []AllowListElement{{Type: "workspace", ID: "*"}}, out)
+
+	// Dedup ids and sort deterministically
+	out, err = ParseAllowList([]string{"template:" + id2, "template:" + id2, "template:" + id1}, 128)
+	require.NoError(t, err)
+	require.Len(t, out, 2)
+	require.Equal(t, "template", out[0].Type)
+	require.Equal(t, "template", out[1].Type)
+}
+
+func TestParseAllowListLimit(t *testing.T) {
+	t.Parallel()
+	inputs := make([]string, 0, 130)
+	for range 130 {
+		inputs = append(inputs, "workspace:"+uuid.New().String())
+	}
+	_, err := ParseAllowList(inputs, 128)
+	require.Error(t, err)
+}
@@ -0,0 +1,75 @@
+package codersdk
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/x/wildcard"
+	"github.com/google/uuid"
+)
+
+// APIAllowListTarget is a typed allow-list entry that marshals to a single string
+// "<resource_type>:<id>" where "*" is used as a wildcard for either side.
+type APIAllowListTarget struct {
+	Type wildcard.Value[RBACResource]
+	ID   wildcard.Value[uuid.UUID]
+}
+
+func AllowAllTarget() APIAllowListTarget {
+	return APIAllowListTarget{}
+}
+
+func AllowTypeTarget(r RBACResource) APIAllowListTarget {
+	return APIAllowListTarget{Type: wildcard.Of(r)}
+}
+
+func AllowResourceTarget(r RBACResource, id uuid.UUID) APIAllowListTarget {
+	return APIAllowListTarget{Type: wildcard.Of(r), ID: wildcard.Of(id)}
+}
+
+// String returns the canonical string representation "<type>:<id>" with "*" wildcards.
+func (t APIAllowListTarget) String() string {
+	return t.Type.String() + ":" + t.ID.String()
+}
+
+// MarshalJSON encodes as a JSON string: "<type>:<id>".
+func (t APIAllowListTarget) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.String())
+}
+
+// UnmarshalJSON decodes from a JSON string: "<type>:<id>".
+func (t *APIAllowListTarget) UnmarshalJSON(b []byte) error {
+	var s string
+	if err := json.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	parts := strings.SplitN(strings.TrimSpace(s), ":", 2)
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+		return fmt.Errorf("invalid allow_list entry %q: want <type>:<id>", s)
+	}
+
+	// Type
+	if parts[0] != policy.WildcardSymbol {
+		t.Type = wildcard.Of(RBACResource(parts[0]))
+	}
+
+	// ID
+	if parts[1] != policy.WildcardSymbol {
+		u, err := uuid.Parse(parts[1])
+		if err != nil {
+			return fmt.Errorf("invalid %s ID (must be UUID): %q", parts[0], parts[1])
+		}
+		t.ID = wildcard.Of(u)
+	}
+	return nil
+}
+
+// Implement encoding.TextMarshaler/Unmarshaler for broader compatibility
+
+func (t APIAllowListTarget) MarshalText() ([]byte, error) { return []byte(t.String()), nil }
+
+func (t *APIAllowListTarget) UnmarshalText(b []byte) error {
+	return t.UnmarshalJSON([]byte("\"" + string(b) + "\""))
+}