
feat: add allow_list to resource-scoped API tokens#19964

Merged: ThomasK33 merged 1 commit into main from thomask33/09-25-feat_add_allow_list_field_api_keys on Oct 9, 2025

Conversation

@ThomasK33 ThomasK33 commented Sep 25, 2025

Add API key allow_list for resource-scoped tokens

This PR adds support for API key allow lists, enabling tokens to be scoped to specific resources. The implementation:

  1. Adds a new allow_list field to the CreateTokenRequest struct, allowing clients to specify resource-specific scopes when creating API tokens
  2. Implements APIAllowListTarget type to represent resource targets in the format <type>:<id> with support for wildcards
  3. Adds validation and normalization logic for allow lists to handle wildcards and deduplication
  4. Integrates with RBAC by creating an APIKeyEffectiveScope that merges API key scopes with allow list restrictions
  5. Updates API documentation and TypeScript types to reflect the new functionality

This feature enables creating tokens that are limited to specific resources (like workspaces or templates) by ID, making it possible to create more granular API tokens with limited access.

ThomasK33 commented Sep 25, 2025

@ThomasK33 ThomasK33 changed the title feat: add resource-scoped API tokens with allow lists feat: add allow_list ti resource-scoped API tokens Sep 25, 2025
@ThomasK33 ThomasK33 changed the title feat: add allow_list ti resource-scoped API tokens feat: add allow_list to resource-scoped API tokens Sep 25, 2025
@ThomasK33 ThomasK33 linked an issue Sep 25, 2025 that may be closed by this pull request
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 4522801 to 5050f89 Compare September 25, 2025 15:56
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from 01e4d20 to 84dc70d Compare September 25, 2025 15:56
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5050f89 to 6451b31 Compare September 25, 2025 16:07
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 26fbd88 to d90697e Compare September 25, 2025 16:25
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch 2 times, most recently from 30352b6 to 5e9b41c Compare September 25, 2025 16:50
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from d90697e to e6d4c8c Compare September 25, 2025 16:50
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 5e9b41c to 30352b6 Compare September 25, 2025 17:27
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from e6d4c8c to d90697e Compare September 25, 2025 17:27
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 30352b6 to deba62d Compare September 25, 2025 17:33
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch from d90697e to 2463c7f Compare September 25, 2025 17:33
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from deba62d to ff0d568 Compare September 25, 2025 17:39
@ThomasK33 ThomasK33 force-pushed the thomask33/09-24-add_composite_api_key_scopes branch 2 times, most recently from 2547799 to 71ff7de Compare September 25, 2025 18:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from ff0d568 to 4ec061d Compare September 25, 2025 18:09
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 6fd539f to ebe16f4 Compare September 29, 2025 11:17
@graphite-app graphite-app Bot changed the base branch from graphite-base/19964 to main September 29, 2025 11:18
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch 2 times, most recently from 8e7e58c to b40c4d4 Compare September 29, 2025 11:21
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch 2 times, most recently from 542f60b to 430cc79 Compare September 29, 2025 16:15
@ThomasK33 ThomasK33 force-pushed the thomask33/09-25-feat_add_allow_list_field_api_keys branch from 430cc79 to f7561f3 Compare September 30, 2025 11:03
@ThomasK33 ThomasK33 changed the base branch from main to graphite-base/19964 September 30, 2025 11:04
@ThomasK33 ThomasK33 changed the base branch from graphite-base/19964 to thomask33/09-30-add_wildcard_scope_entries_for_api_keys September 30, 2025 11:04
Emyrk commented Oct 3, 2025

The intersection code is a good pattern 👍

In scopes.go we have 2 places where the allow_list is empty by default. If we instead make it *:* by default, we don't need to treat empty lists as special.

coder/coderd/rbac/scopes.go, lines 238 to 239 in 5dd3400:

    // Composites are site-level; allow-list empty by default
    AllowIDList: []AllowListElement{},

coder/coderd/rbac/scopes.go, lines 295 to 296 in 5dd3400:

    // Low-level scopes intentionally return an empty allow list.
    AllowIDList: []AllowListElement{},
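As an added illustration (not code from this PR or the coder repository), the Go sketch below models the `<type>:<id>` allow list the PR description defines, with wildcard collapsing and deduplication, and adopts the `*:*` default Emyrk suggests above so that an empty list needs no special case. The names `Element`, `Normalize` and `Allows` are assumptions, not coder's API.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Element is one allow_list target "<type>:<id>"; either half may be "*". Illustrative type, not coder's own.
type Element struct{ Type, ID string }

// Normalize parses, validates, deduplicates and collapses a raw allow list: "*:*" subsumes everything,
// "<type>:*" subsumes "<type>:<id>", and an empty list is returned as "*:*" (unrestricted, no special case).
func Normalize(raw []string) ([]Element, error) {
	seen, typeWild := map[Element]bool{}, map[string]bool{}
	for _, r := range raw {
		t, id, ok := strings.Cut(strings.TrimSpace(r), ":")
		if !ok || t == "" || id == "" {
			return nil, fmt.Errorf("allow_list entry %q must be <type>:<id>", r)
		}
		e := Element{Type: strings.ToLower(t), ID: id}
		seen[e] = true
		if e.ID == "*" {
			typeWild[e.Type] = true
		}
	}
	if len(raw) == 0 || typeWild["*"] {
		return []Element{{Type: "*", ID: "*"}}, nil
	}
	out := make([]Element, 0, len(seen))
	for e := range seen {
		if e.ID == "*" || !typeWild[e.Type] { // drop ids already covered by "<type>:*"
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { // stable order for persistence and generated output
		return out[i].Type < out[j].Type || (out[i].Type == out[j].Type && out[i].ID < out[j].ID)
	})
	return out, nil
}

// Allows is the allow-list half of the intersection: the key's RBAC scope must still permit the
// action; this only reports whether the target resource is on the (normalized) list.
func Allows(list []Element, resType, id string) bool {
	for _, e := range list {
		if (e.Type == "*" || e.Type == resType) && (e.ID == "*" || e.ID == id) {
			return true
		}
	}
	return false
}
```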

@Emyrk Emyrk left a comment


Minor comments, will approve after this round 👍

@Emyrk Emyrk left a comment


Last changes, then let's merge 👍

Expose allow_list targets on CreateTokenRequest and persist them in the
database so API keys can be scoped to resources.

Introduce codersdk and rbac helpers to parse, validate, and normalize
allow lists to enforce consistent wildcard handling.

Regenerate OpenAPI documentation, API typing outputs, and TypeScript
bindings with stable serialization ordering for generated files.