coder
diff --git a/‎cli/resetpassword.go
Lines changed: 2 additions & 1 deletion b/‎cli/resetpassword.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 2 additions & 1 deletion b/‎cli/server.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/authorize.go
Lines changed: 6 additions & 4 deletions b/‎coderd/authorize.go
Lines changed: 6 additions & 4 deletions
diff --git a/‎coderd/coderdtest/authtest.go
Lines changed: 13 additions & 5 deletions b/‎coderd/coderdtest/authtest.go
Lines changed: 13 additions & 5 deletions
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/db_test.go
Lines changed: 18 additions & 1 deletion b/‎coderd/database/db_test.go
Lines changed: 18 additions & 1 deletion
diff --git a/‎coderd/database/dump.sql
Lines changed: 7 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 7 additions & 1 deletion
diff --git a/‎coderd/database/gen/dump/main.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/gen/dump/main.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/migrations/000050_apikey_scope.down.sql
Lines changed: 6 additions & 0 deletions b/‎coderd/database/migrations/000050_apikey_scope.down.sql
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000050_apikey_scope.up.sql
Lines changed: 6 additions & 0 deletions b/‎coderd/database/migrations/000050_apikey_scope.up.sql
Lines changed: 6 additions & 0 deletions
@@ -10,6 +10,7 @@ import (
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/migrations"
 	"github.com/coder/coder/coderd/userpassword"
 )
 
@@ -35,7 +36,7 @@ func resetPassword() *cobra.Command {
 				return xerrors.Errorf("ping postgres: %w", err)
 			}
 
-			err = database.EnsureClean(sqlDB)
+			err = migrations.EnsureClean(sqlDB)
 			if err != nil {
 				return xerrors.Errorf("database needs migration: %w", err)
 			}
 
@@ -53,6 +53,7 @@ import (
 	"github.com/coder/coder/coderd/autobuild/executor"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/databasefake"
+	"github.com/coder/coder/coderd/database/migrations"
 	"github.com/coder/coder/coderd/devtunnel"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/prometheusmetrics"
@@ -430,7 +431,7 @@ func Server(newAPI func(*coderd.Options) *coderd.API) *cobra.Command {
 				if err != nil {
 					return xerrors.Errorf("ping postgres: %w", err)
 				}
-				err = database.MigrateUp(sqlDB)
+				err = migrations.Up(sqlDB)
 				if err != nil {
 					return xerrors.Errorf("migrate up: %w", err)
 				}
 
@@ -11,14 +11,15 @@ import (
 )
 
 func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) {
-	roles := httpmw.AuthorizationUserRoles(r)
-	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, action, objects)
+	roles := httpmw.UserAuthorization(r)
+	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objects)
 	if err != nil {
 		// Log the error as Filter should not be erroring.
 		h.Logger.Error(r.Context(), "filter failed",
 			slog.Error(err),
 			slog.F("user_id", roles.ID),
 			slog.F("username", roles.Username),
+			slog.F("scope", roles.Scope),
 			slog.F("route", r.URL.Path),
 			slog.F("action", action),
 		)
@@ -55,8 +56,8 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
 //		return
 //	}
 func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	roles := httpmw.AuthorizationUserRoles(r)
-	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
+	roles := httpmw.UserAuthorization(r)
+	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, object.RBACObject())
 	if err != nil {
 		// Log the errors for debugging
 		internalError := new(rbac.UnauthorizedError)
@@ -70,6 +71,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
 			slog.F("roles", roles.Roles),
 			slog.F("user_id", roles.ID),
 			slog.F("username", roles.Username),
+			slog.F("scope", roles.Scope),
 			slog.F("route", r.URL.Path),
 			slog.F("action", action),
 			slog.F("object", object),
 
@@ -163,6 +163,8 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 	// Some quick reused objects
 	workspaceRBACObj := rbac.ResourceWorkspace.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
 	workspaceExecObj := rbac.ResourceWorkspaceExecution.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
+	applicationConnectObj := rbac.ResourceWorkspaceApplicationConnect.InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
+
 	// skipRoutes allows skipping routes from being checked.
 	skipRoutes := map[string]string{
 		"POST:/api/v2/users/logout": "Logging out deletes the API Key for other routes",
@@ -408,11 +410,11 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 
 	assertAllHTTPMethods("/%40{user}/{workspace_and_agent}/apps/{workspaceapp}/*", RouteCheck{
 		AssertAction: rbac.ActionCreate,
-		AssertObject: workspaceExecObj,
+		AssertObject: applicationConnectObj,
 	})
 	assertAllHTTPMethods("/@{user}/{workspace_and_agent}/apps/{workspaceapp}/*", RouteCheck{
 		AssertAction: rbac.ActionCreate,
-		AssertObject: workspaceExecObj,
+		AssertObject: applicationConnectObj,
 	})
 
 	return skipRoutes, assertRoute
@@ -518,6 +520,7 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
 type authCall struct {
 	SubjectID string
 	Roles     []string
+	Scope     rbac.Scope
 	Action    rbac.Action
 	Object    rbac.Object
 }
@@ -527,21 +530,25 @@ type recordingAuthorizer struct {
 	AlwaysReturn error
 }
 
-func (r *recordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, action rbac.Action, object rbac.Object) error {
+var _ rbac.Authorizer = (*recordingAuthorizer)(nil)
+
+func (r *recordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
 	r.Called = &authCall{
 		SubjectID: subjectID,
 		Roles:     roleNames,
+		Scope:     scope,
 		Action:    action,
 		Object:    object,
 	}
 	return r.AlwaysReturn
 }
 
-func (r *recordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
+func (r *recordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
 	return &fakePreparedAuthorizer{
 		Original:  r,
 		SubjectID: subjectID,
 		Roles:     roles,
+		Scope:     scope,
 		Action:    action,
 	}, nil
 }
@@ -554,9 +561,10 @@ type fakePreparedAuthorizer struct {
 	Original  *recordingAuthorizer
 	SubjectID string
 	Roles     []string
+	Scope     rbac.Scope
 	Action    rbac.Action
 }
 
 func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
-	return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Action, object)
+	return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object)
 }
@@ -1588,6 +1588,7 @@ func (q *fakeQuerier) InsertAPIKey(_ context.Context, arg database.InsertAPIKeyP
 		UpdatedAt:       arg.UpdatedAt,
 		LastUsed:        arg.LastUsed,
 		LoginType:       arg.LoginType,
+		Scope:           arg.Scope,
 	}
 	q.apiKeys = append(q.apiKeys, key)
 	return key, nil
 
@@ -4,12 +4,15 @@ package database_test
 
 import (
 	"context"
+	"database/sql"
 	"testing"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/migrations"
+	"github.com/coder/coder/coderd/database/postgres"
 )
 
 func TestNestedInTx(t *testing.T) {
@@ -20,7 +23,7 @@ func TestNestedInTx(t *testing.T) {
 
 	uid := uuid.New()
 	sqlDB := testSQLDB(t)
-	err := database.MigrateUp(sqlDB)
+	err := migrations.Up(sqlDB)
 	require.NoError(t, err, "migrations")
 
 	db := database.New(sqlDB)
@@ -48,3 +51,17 @@ func TestNestedInTx(t *testing.T) {
 	require.NoError(t, err, "user exists")
 	require.Equal(t, uid, user.ID, "user id expected")
 }
+
+func testSQLDB(t testing.TB) *sql.DB {
+	t.Helper()
+
+	connection, closeFn, err := postgres.Open()
+	require.NoError(t, err)
+	t.Cleanup(closeFn)
+
+	db, err := sql.Open("postgres", connection)
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = db.Close() })
+
+	return db
+}
@@ -9,7 +9,7 @@ import (
 	"path/filepath"
 	"runtime"
 
-	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/migrations"
 	"github.com/coder/coder/coderd/database/postgres"
 )
 
@@ -25,7 +25,7 @@ func main() {
 		panic(err)
 	}
 
-	err = database.MigrateUp(db)
+	err = migrations.Up(db)
 	if err != nil {
 		panic(err)
 	}
 
@@ -0,0 +1,6 @@
+-- Avoid "upgrading" devurl keys to fully fledged API keys.
+DELETE FROM api_keys WHERE scope != 'all';
+
+ALTER TABLE api_keys DROP COLUMN scope;
+
+DROP TYPE api_key_scope;
@@ -0,0 +1,6 @@
+CREATE TYPE api_key_scope AS ENUM (
+    'all',
+    'application_connect'
+);
+
+ALTER TABLE api_keys ADD COLUMN scope api_key_scope NOT NULL DEFAULT 'all';
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`"github.com/coder/coder/cli/cliflag"`
`11`	`11`	`"github.com/coder/coder/cli/cliui"`
`12`	`12`	`"github.com/coder/coder/coderd/database"`
	`13`	`+ "github.com/coder/coder/coderd/database/migrations"`
`13`	`14`	`"github.com/coder/coder/coderd/userpassword"`
`14`	`15`	`)`
`15`	`16`
`@@ -35,7 +36,7 @@ func resetPassword() *cobra.Command {`
`35`	`36`	`return xerrors.Errorf("ping postgres: %w", err)`
`36`	`37`	`}`
`37`	`38`
`38`		`- err = database.EnsureClean(sqlDB)`
	`39`	`+ err = migrations.EnsureClean(sqlDB)`
`39`	`40`	`if err != nil {`
`40`	`41`	`return xerrors.Errorf("database needs migration: %w", err)`
`41`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1588,6 +1588,7 @@ func (q *fakeQuerier) InsertAPIKey(_ context.Context, arg database.InsertAPIKeyP`
`1588`	`1588`	`UpdatedAt: arg.UpdatedAt,`
`1589`	`1589`	`LastUsed: arg.LastUsed,`
`1590`	`1590`	`LoginType: arg.LoginType,`
	`1591`	`+ Scope: arg.Scope,`
`1591`	`1592`	`}`
`1592`	`1593`	`q.apiKeys = append(q.apiKeys, key)`
`1593`	`1594`	`return key, nil`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`"path/filepath"`
`10`	`10`	`"runtime"`
`11`	`11`
`12`		`- "github.com/coder/coder/coderd/database"`
	`12`	`+ "github.com/coder/coder/coderd/database/migrations"`
`13`	`13`	`"github.com/coder/coder/coderd/database/postgres"`
`14`	`14`	`)`
`15`	`15`
`@@ -25,7 +25,7 @@ func main() {`
`25`	`25`	`panic(err)`
`26`	`26`	`}`
`27`	`27`
`28`		`- err = database.MigrateUp(db)`
	`28`	`+ err = migrations.Up(db)`
`29`	`29`	`if err != nil {`
`30`	`30`	`panic(err)`
`31`	`31`	`}`