feat: machine keys

f0ssel · f0ssel · commit 75e26afe6675 · 2022-10-05T20:00:11.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -399,7 +399,7 @@ func New(options *Options) *API {
 					r.Get("/roles", api.userRoles)
 
 					r.Route("/keys", func(r chi.Router) {
-						r.Post("/", api.postAPIKey)
+						r.Post("/machine", api.postMachineAPIKey)
 						r.Get("/{keyid}", api.apiKey)
 					})
 
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000055_api_key_application.down.sql b/coderd/database/migrations/000055_api_key_application.down.sql
@@ -0,0 +1,8 @@
+CREATE TYPE old_login_type AS ENUM (
+    'password',
+    'github',
+	'oidc'
+);
+ALTER TABLE api_keys ALTER COLUMN login_type TYPE old_login_type USING (login_type::text::old_login_type);
+DROP TYPE login_type;
+ALTER TYPE old_login_type RENAME TO login_type;
diff --git a/coderd/database/migrations/000055_api_key_application.up.sql b/coderd/database/migrations/000055_api_key_application.up.sql
@@ -0,0 +1 @@
+ALTER TYPE login_type ADD VALUE IF NOT EXISTS 'machine';
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/users.go b/coderd/users.go
@@ -943,8 +943,8 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// Creates a new session key, used for logging in via the CLI.
-func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
+// Creates a new machine session key that effectively doesn't expire.
+func (api *API) postMachineAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
 
@@ -953,7 +953,8 @@ func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	lifeTime := time.Hour * 24 * 7
+	// machine keys last 100 years
+	lifeTime := time.Hour * 876000
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:     user.ID,
 		LoginType:  database.LoginTypePassword,
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -285,15 +285,14 @@ func TestPostLogin(t *testing.T) {
 		require.NoError(t, err, "fetch login key")
 		require.Equal(t, int64(86400), key.LifetimeSeconds, "default should be 86400")
 
-		// Generated tokens have a longer life
-		token, err := client.CreateAPIKey(ctx, admin.UserID.String())
-		require.NoError(t, err, "make new api key")
+		// Machine tokens have a longer life
+		token, err := client.CreateMachineKey(ctx)
+		require.NoError(t, err, "make new machine api key")
 		split = strings.Split(token.Key, "-")
 		apiKey, err := client.GetAPIKey(ctx, admin.UserID.String(), split[0])
 		require.NoError(t, err, "fetch api key")
 
-		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*24*6)), "api key lasts more than 6 days")
-		require.True(t, apiKey.ExpiresAt.After(key.ExpiresAt.Add(time.Hour)), "api key should be longer expires")
+		require.True(t, apiKey.ExpiresAt.After(time.Now().Add(time.Hour*438300)), "api key lasts more than 50 years")
 		require.Greater(t, apiKey.LifetimeSeconds, key.LifetimeSeconds, "api key should have longer lifetime")
 	})
 }
@@ -1195,36 +1194,18 @@ func TestGetUsers(t *testing.T) {
 	})
 }
 
-func TestPostAPIKey(t *testing.T) {
+func TestPostMachineKey(t *testing.T) {
 	t.Parallel()
-	t.Run("InvalidUser", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		client.SessionToken = ""
-		_, err := client.CreateAPIKey(ctx, codersdk.Me)
-		var apiErr *codersdk.Error
-		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
-	})
-
-	t.Run("Success", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		_ = coderdtest.CreateFirstUser(t, client)
+	client := coderdtest.New(t, nil)
+	_ = coderdtest.CreateFirstUser(t, client)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
 
-		apiKey, err := client.CreateAPIKey(ctx, codersdk.Me)
-		require.NotNil(t, apiKey)
-		require.GreaterOrEqual(t, len(apiKey.Key), 2)
-		require.NoError(t, err)
-	})
+	apiKey, err := client.CreateMachineKey(ctx)
+	require.NotNil(t, apiKey)
+	require.GreaterOrEqual(t, len(apiKey.Key), 2)
+	require.NoError(t, err)
 }
 
 func TestWorkspacesByUser(t *testing.T) {
diff --git a/codersdk/api_key.go b/codersdk/api_key.go
@@ -0,0 +1,50 @@
+package codersdk
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type APIKey struct {
+	ID string `json:"id" validate:"required"`
+	// NOTE: do not ever return the HashedSecret
+	UserID          uuid.UUID `json:"user_id" validate:"required"`
+	LastUsed        time.Time `json:"last_used" validate:"required"`
+	ExpiresAt       time.Time `json:"expires_at" validate:"required"`
+	CreatedAt       time.Time `json:"created_at" validate:"required"`
+	UpdatedAt       time.Time `json:"updated_at" validate:"required"`
+	LoginType       LoginType `json:"login_type" validate:"required"`
+	LifetimeSeconds int64     `json:"lifetime_seconds" validate:"required"`
+}
+
+// CreateMachineKey generates an API key that doesn't expire.
+func (c *Client) CreateMachineKey(ctx context.Context) (*GenerateAPIKeyResponse, error) {
+	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/keys/machine", Me), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode > http.StatusCreated {
+		return nil, readBodyAsError(res)
+	}
+	apiKey := &GenerateAPIKeyResponse{}
+	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
+}
+
+func (c *Client) GetAPIKey(ctx context.Context, user string, id string) (*APIKey, error) {
+	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/users/%s/keys/%s", user, id), nil)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode > http.StatusCreated {
+		return nil, readBodyAsError(res)
+	}
+	apiKey := &APIKey{}
+	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
+}
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -55,18 +55,6 @@ type User struct {
 	AvatarURL       string      `json:"avatar_url"`
 }
 
-type APIKey struct {
-	ID string `json:"id" validate:"required"`
-	// NOTE: do not ever return the HashedSecret
-	UserID          uuid.UUID `json:"user_id" validate:"required"`
-	LastUsed        time.Time `json:"last_used" validate:"required"`
-	ExpiresAt       time.Time `json:"expires_at" validate:"required"`
-	CreatedAt       time.Time `json:"created_at" validate:"required"`
-	UpdatedAt       time.Time `json:"updated_at" validate:"required"`
-	LoginType       LoginType `json:"login_type" validate:"required"`
-	LifetimeSeconds int64     `json:"lifetime_seconds" validate:"required"`
-}
-
 type CreateFirstUserRequest struct {
 	Email            string `json:"email" validate:"required,email"`
 	Username         string `json:"username" validate:"required,username"`
@@ -287,33 +275,6 @@ func (c *Client) GetUserRoles(ctx context.Context, user string) (UserRoles, erro
 	return roles, json.NewDecoder(res.Body).Decode(&roles)
 }
 
-// CreateAPIKey generates an API key for the user ID provided.
-func (c *Client) CreateAPIKey(ctx context.Context, user string) (*GenerateAPIKeyResponse, error) {
-	res, err := c.Request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/keys", user), nil)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode > http.StatusCreated {
-		return nil, readBodyAsError(res)
-	}
-	apiKey := &GenerateAPIKeyResponse{}
-	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
-}
-
-func (c *Client) GetAPIKey(ctx context.Context, user string, id string) (*APIKey, error) {
-	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/users/%s/keys/%s", user, id), nil)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode > http.StatusCreated {
-		return nil, readBodyAsError(res)
-	}
-	apiKey := &APIKey{}
-	return apiKey, json.NewDecoder(res.Body).Decode(apiKey)
-}
-
 // LoginWithPassword creates a session token authenticating with an email and password.
 // Call `SetSessionToken()` to apply the newly acquired token to the client.
 func (c *Client) LoginWithPassword(ctx context.Context, req LoginWithPasswordRequest) (LoginWithPasswordResponse, error) {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TYPE login_type ADD VALUE IF NOT EXISTS 'machine';`