Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(api-keys): add read_only field to api-keys #3554

Merged
merged 8 commits into from
Nov 17, 2023
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions bats/core/api-keys/api-keys.bats
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ new_key_name() {

name=$(echo "$key" | jq -r '.name')
[[ "${name}" = "${key_name}" ]] || exit 1

readOnly=$(echo "$key" | jq -r '.readOnly')
[[ "${readOnly}" = "false" ]] || exit 1

key_id=$(echo "$key" | jq -r '.id')
cache_value "api-key-id" "$key_id"

Expand Down Expand Up @@ -67,3 +71,44 @@ new_key_name() {
error="$(graphql_output '.error.code')"
[[ "${error}" = "401" ]] || exit 1
}

@test "api-keys: can create read-only" {
key_name="$(new_key_name)"

variables="{\"input\":{\"name\":\"${key_name}\",\"readOnly\": true}}"

exec_graphql 'alice' 'api-key-create' "$variables"
key="$(graphql_output '.data.apiKeyCreate.apiKey')"
secret="$(graphql_output '.data.apiKeyCreate.apiKeySecret')"
cache_value "api-key-secret" "$secret"

readOnly=$(echo "$key" | jq -r '.readOnly')
[[ "${readOnly}" = "true" ]] || exit 1

key_id=$(echo "$key" | jq -r '.id')
cache_value "api-key-id" "$key_id"

exec_graphql 'api-key-secret' 'api-keys'

name="$(graphql_output '.data.me.apiKeys[-1].name')"
[[ "${name}" = "${key_name}" ]] || exit 1
}

@test "api-keys: read-only key cannot mutate" {
bodymindarts marked this conversation as resolved.
Show resolved Hide resolved
key_name="$(new_key_name)"

variables="{\"input\":{\"name\":\"${key_name}\"}}"
exec_graphql 'api-key-secret' 'api-key-create' "$variables"
errors="$(graphql_output '.errors | length')"
[[ "${errors}" = "1" ]] || exit 1

variables="{\"input\":{\"currency\":\"USD\"}}"
exec_graphql 'api-key-secret' 'update-display-currency' "$variables"
errors="$(graphql_output '.errors | length')"
[[ "${errors}" = "1" ]] || exit 1

# Sanity check that it works with alice
exec_graphql 'alice' 'update-display-currency' "$variables"
errors="$(graphql_output '.errors | length')"
[[ "${errors}" = "0" ]] || exit 1
}
1 change: 1 addition & 0 deletions bats/gql/api-key-create.gql
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ mutation apiKeyCreate($input: ApiKeyCreateInput!) {
name
createdAt
expiresAt
readOnly
}
apiKeySecret
}
Expand Down
1 change: 1 addition & 0 deletions bats/gql/api-keys.gql
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ query apiKeys {
revoked
createdAt
expiresAt
readOnly
}
}
}
7 changes: 7 additions & 0 deletions bats/gql/update-display-currency.gql
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
mutation displayCurrencyUpdate($input: AccountUpdateDisplayCurrencyInput!) {
accountUpdateDisplayCurrency(input: $input) {
account {
displayCurrency
}
}
}

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
ALTER TABLE identity_api_keys
ADD COLUMN read_only BOOL NOT NULL DEFAULT false;
11 changes: 8 additions & 3 deletions core/api-keys/src/app/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ impl ApiKeysApp {
pub async fn lookup_authenticated_subject(
&self,
key: &str,
) -> Result<String, ApplicationError> {
) -> Result<(String, bool), ApplicationError> {
Ok(self.identities.find_subject_by_key(&key).await?)
}

Expand All @@ -40,16 +40,21 @@ impl ApiKeysApp {
&self,
subject_id: &str,
name: String,
expire_in_days: Option<u16>,
read_only: bool,
) -> Result<(IdentityApiKey, ApiKeySecret), ApplicationError> {
let mut tx = self.pool.begin().await?;
let id = self
.identities
.find_or_create_identity_for_subject_in_tx(&mut tx, subject_id)
.await?;
let expiry = chrono::Utc::now() + self.config.default_expiry();
let expiry = chrono::Utc::now()
+ expire_in_days
.map(|days| std::time::Duration::from_secs(days as u64 * 24 * 60 * 60))
.unwrap_or_else(|| self.config.default_expiry());
let key = self
.identities
.create_key_for_identity_in_tx(&mut tx, id, name, expiry)
.create_key_for_identity_in_tx(&mut tx, id, name, expiry, read_only)
.await?;
tx.commit().await?;
Ok(key)
Expand Down
1 change: 1 addition & 0 deletions core/api-keys/src/graphql/convert.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ impl From<IdentityApiKey> for ApiKey {
last_used_at: key.last_used_at.map(Timestamp::from),
created_at: Timestamp::from(key.created_at),
expires_at: Timestamp::from(key.expires_at),
read_only: key.read_only,
}
}
}
Expand Down
14 changes: 13 additions & 1 deletion core/api-keys/src/graphql/schema.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ use crate::{app::ApiKeysApp, identity::IdentityApiKeyId};

pub struct AuthSubject {
pub id: String,
pub read_only: bool,
}

#[derive(Clone, Copy)]
Expand Down Expand Up @@ -62,6 +63,7 @@ pub(super) struct ApiKey {
pub expired: bool,
pub last_used_at: Option<Timestamp>,
pub expires_at: Timestamp,
pub read_only: bool,
}

#[derive(SimpleObject)]
Expand Down Expand Up @@ -102,6 +104,8 @@ pub struct Mutation;
struct ApiKeyCreateInput {
name: String,
expire_in_days: Option<u16>,
#[graphql(default)]
read_only: bool,
}

#[derive(InputObject)]
Expand All @@ -118,8 +122,16 @@ impl Mutation {
) -> async_graphql::Result<ApiKeyCreatePayload> {
let app = ctx.data_unchecked::<ApiKeysApp>();
let subject = ctx.data::<AuthSubject>()?;
if subject.read_only {
return Err("Permission denied".into());
}
let key = app
.create_api_key_for_subject(&subject.id, input.name)
.create_api_key_for_subject(
&subject.id,
input.name,
input.expire_in_days,
input.read_only,
)
.await?;
Ok(ApiKeyCreatePayload::from(key))
}
Expand Down
20 changes: 14 additions & 6 deletions core/api-keys/src/identity/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ pub struct IdentityApiKey {
pub last_used_at: Option<chrono::DateTime<chrono::Utc>>,
pub revoked: bool,
pub expired: bool,
pub read_only: bool,
}

pub struct ApiKeySecret(String);
Expand Down Expand Up @@ -62,15 +63,17 @@ impl Identities {
identity_id: IdentityId,
name: String,
expires_at: chrono::DateTime<chrono::Utc>,
read_only: bool,
) -> Result<(IdentityApiKey, ApiKeySecret), IdentityError> {
let code = Alphanumeric.sample_string(&mut rand::thread_rng(), 64);
let record = sqlx::query!(
r#"INSERT INTO identity_api_keys (encrypted_key, identity_id, name, expires_at)
VALUES (crypt($1, gen_salt('bf')), $2, $3, $4) RETURNING id, created_at"#,
r#"INSERT INTO identity_api_keys (encrypted_key, identity_id, name, expires_at, read_only)
VALUES (crypt($1, gen_salt('bf')), $2, $3, $4, $5) RETURNING id, created_at"#,
code,
identity_id as IdentityId,
name,
expires_at,
read_only,
)
.fetch_one(&mut **tx)
.await?;
Expand All @@ -86,12 +89,13 @@ impl Identities {
revoked: false,
expired: false,
last_used_at: None,
read_only,
},
ApiKeySecret(key),
))
}

pub async fn find_subject_by_key(&self, key: &str) -> Result<String, IdentityError> {
pub async fn find_subject_by_key(&self, key: &str) -> Result<(String, bool), IdentityError> {
let code = match key.strip_prefix(&*self.key_prefix) {
None => return Err(IdentityError::MismatchedPrefix),
Some(code) => code,
Expand All @@ -106,16 +110,16 @@ impl Identities {
AND k.revoked = false
AND k.encrypted_key = crypt($1, k.encrypted_key)
AND k.expires_at > NOW()
RETURNING k.id, i.subject_id
RETURNING k.id, i.subject_id, k.read_only
)
SELECT subject_id FROM updated_key"#,
SELECT subject_id, read_only FROM updated_key"#,
code
)
.fetch_optional(&self.pool)
.await?;

if let Some(record) = record {
Ok(record.subject_id)
Ok((record.subject_id, record.read_only))
} else {
Err(IdentityError::NoActiveKeyFound)
}
Expand All @@ -135,6 +139,7 @@ impl Identities {
a.expires_at,
revoked,
expires_at < NOW() AS "expired!",
read_only,
last_used_at
FROM
identities i
Expand All @@ -160,6 +165,7 @@ impl Identities {
revoked: record.revoked,
expired: record.expired,
last_used_at: record.last_used_at,
read_only: record.read_only,
})
.collect();

Expand All @@ -186,6 +192,7 @@ impl Identities {
k.expires_at,
k.revoked,
expires_at < NOW() AS "expired!",
k.read_only,
k.last_used_at
"#,
subject_id,
Expand All @@ -204,6 +211,7 @@ impl Identities {
revoked: record.revoked,
expired: record.expired,
last_used_at: record.last_used_at,
read_only: record.read_only,
}),
None => Err(IdentityError::KeyNotFoundForRevoke),
}
Expand Down
1 change: 1 addition & 0 deletions core/api-keys/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,5 @@ pub mod cli;
mod entity;
pub mod graphql;
pub mod identity;
pub mod scope;
pub mod server;
14 changes: 14 additions & 0 deletions core/api-keys/src/scope.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
pub const READ_SCOPE: &str = "read";
pub const WRITE_SCOPE: &str = "write";

pub fn read_only_scope() -> String {
format!("{READ_SCOPE}")
}

pub fn read_write_scope() -> String {
format!("{READ_SCOPE} {WRITE_SCOPE}")
}

pub fn is_read_only(scope: &String) -> bool {
!(scope.as_str().split(" ").any(|s| s == WRITE_SCOPE) || scope.is_empty())
}
Loading
Loading