Skip to content

feat: implement API key scopes database migration#19861

Merged
ThomasK33 merged 1 commit into
mainfrom
thomask33/19845-database-migrations-scopes-array-typed-allow-list
Sep 22, 2025
Merged

feat: implement API key scopes database migration#19861
ThomasK33 merged 1 commit into
mainfrom
thomask33/19845-database-migrations-scopes-array-typed-allow-list

Conversation

@ThomasK33
Copy link
Copy Markdown
Member

@ThomasK33 ThomasK33 commented Sep 17, 2025

Added database migration for API key scopes.

Fixes #19845

@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 2ba5550 to e548168 Compare September 17, 2025 17:50
@ThomasK33 ThomasK33 changed the title feat: API key scopes database migration feat: add database migration for API key scopes Sep 17, 2025
@ThomasK33 ThomasK33 changed the title feat: add database migration for API key scopes feat: implement API key scopes database migration Sep 17, 2025
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch 3 times, most recently from 7a7e6ad to 1aba733 Compare September 18, 2025 10:37
@ThomasK33 ThomasK33 changed the base branch from main to thomask33/nix-flake-node-bump September 18, 2025 10:37
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 1aba733 to 99b5b53 Compare September 18, 2025 11:26
@ThomasK33 ThomasK33 marked this pull request as ready for review September 18, 2025 12:14
@ThomasK33 ThomasK33 requested a review from Emyrk September 18, 2025 12:14
Emyrk
Emyrk previously requested changes Sep 18, 2025
View reviewed changes
Comment thread coderd/apikey/apikey.go Outdated
Comment thread coderd/coderdtest/authorize.go Outdated
Comment thread coderd/database/migrations/000371_api_key_scopes_array_allow_list.up.sql
Comment thread coderd/database/models.go Outdated
Comment thread coderd/httpmw/apikey.go Outdated
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 99b5b53 to db8b42e Compare September 18, 2025 16:26
@ThomasK33 ThomasK33 force-pushed the thomask33/nix-flake-node-bump branch from 241294b to 70b3a9f Compare September 18, 2025 16:28
@ThomasK33 ThomasK33 force-pushed the thomask33/nix-flake-node-bump branch 4 times, most recently from 3622f3e to 3e3a767 Compare September 18, 2025 16:57
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from db8b42e to 32e7137 Compare September 18, 2025 17:01
@ThomasK33 ThomasK33 mentioned this pull request Sep 18, 2025
Merged
@ThomasK33 Graphite App
Copy link
Copy Markdown
Member Author

ThomasK33 commented Sep 18, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Sep 18, 2025
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 32e7137 to 682511c Compare September 18, 2025 17:14
@ThomasK33 ThomasK33 marked this pull request as draft September 18, 2025 17:19
@ThomasK33 ThomasK33 dismissed Emyrk’s stale review September 18, 2025 17:19

removing you, since I goofed up the git history and don't want to spam you. will rerequest in the future

@ThomasK33 ThomasK33 force-pushed the thomask33/nix-flake-node-bump branch from 3e3a767 to 4e7f6cb Compare September 18, 2025 20:10
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 0fd28db to a1e7294 Compare September 18, 2025 20:28
@ThomasK33 ThomasK33 marked this pull request as ready for review September 18, 2025 20:30
@ThomasK33 ThomasK33 requested a review from Emyrk September 18, 2025 20:30
@ThomasK33 ThomasK33 changed the base branch from thomask33/nix-flake-node-bump to graphite-base/19861 September 18, 2025 21:08
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from a1e7294 to 81ce34a Compare September 18, 2025 21:09
@graphite-app graphite-app Bot changed the base branch from graphite-base/19861 to main September 18, 2025 21:09
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch 4 times, most recently from ae36958 to 391fa21 Compare September 19, 2025 18:02
@ThomasK33 ThomasK33 mentioned this pull request Sep 19, 2025
Merged
@ThomasK33 ThomasK33 requested a review from aslilac September 19, 2025 18:11
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch 2 times, most recently from 5b28178 to ec2d8fb Compare September 22, 2025 13:47
This was referenced Sep 22, 2025
Merged
Merged
Merged
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from ec2d8fb to 782f1c7 Compare September 22, 2025 15:28
Emyrk
Emyrk reviewed Sep 22, 2025
View reviewed changes
Comment thread coderd/database/modelmethods.go Outdated
Emyrk
Emyrk reviewed Sep 22, 2025
View reviewed changes
Comment thread coderd/rbac/scopes.go Outdated
Emyrk
Emyrk approved these changes Sep 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small changes requested.

If the changes want to be pushed to another PR, we just need to open issues to address them.

Comment thread coderd/rbac/scopes.go Outdated
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch 2 times, most recently from 0eb0644 to 81b483f Compare September 22, 2025 16:53
@ThomasK33
feat: transition API keys from single scope to scopes array with allo…
b27f312 
…w list

Replace the single `scope` column with `scopes` array and add `allow_list`
column to API keys table. This enables fine-grained authorization control
using low-level resource:action permissions while maintaining backward
compatibility.

- Add database migration extending api_key_scope enum with all RBAC
  permissions
- Replace APIKey.Scope with APIKey.Scopes array and AllowList fields
- Implement APIKeyScopes.Expand() method for multi-scope authorization
- Add AllowList type with database serialization support
- Update RBAC scope expansion to support resource:action format
- Maintain response compatibility by deriving single scope from arrays
- Add comprehensive test coverage for scope expansion logic
@ThomasK33 ThomasK33 force-pushed the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch from 81b483f to b27f312 Compare September 22, 2025 17:03
@ThomasK33 ThomasK33 merged commit fb0ce38 into main Sep 22, 2025
29 checks passed
@ThomasK33 ThomasK33 deleted the thomask33/19845-database-migrations-scopes-array-typed-allow-list branch September 22, 2025 17:26
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 22, 2025
@ThomasK33 ThomasK33 linked an issue Sep 24, 2025 that may be closed by this pull request
RBAC: Introduce composable API key scopes and expansion #19848
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Emyrk Emyrk Emyrk approved these changes

@aslilac aslilac Awaiting requested review from aslilac

Assignees

@ThomasK33 ThomasK33

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

RBAC: Introduce composable API key scopes and expansion Database Migrations: scopes array + typed allow-list

2 participants

@ThomasK33 @Emyrk