
feat: add API key scope to restrict access to user data #17692


Open
wants to merge 1 commit into main

Conversation

ThomasK33
Member

@ThomasK33 ThomasK33 commented May 6, 2025

Part of #17649

Related to: coder/terraform-provider-coder#391


Add API Key Scope Restriction for Workspace Agents

This PR adds a new security feature that allows workspace agents to have restricted API key scopes. It introduces a new api_key_scope field to workspace agents with two possible values:

  • all: Full access to all endpoints (existing behavior)
  • no_user_data: Restricts access to user-specific data endpoints

The implementation includes:

  1. A new database migration that adds the api_key_scope column to the workspace_agents table
  2. Updated middleware to extract workspace agent information and check API key scope
  3. Support for specifying the scope in provisioners via the api_key_scope attribute

The scope restrictions have been applied to several endpoints that expose user data:

  • /external-auth endpoints
  • Git SSH key endpoints

This change allows administrators to create workspaces with agents that have limited access to sensitive user data, improving security in multi-agent environments where some agents may need to be more restricted than others.
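The enforcement the description outlines, written out as an added Go example; this is not code from the PR or from the coder/coder repository. The agent record, the context helpers, the handler name AgentAPIKeyScopeCheck, and the two route prefixes under /api/v2/workspaceagents/me/ are assumptions made for the example, standing in for whatever the real middleware and router use. It also shows two checks a reviewer would want: paths are cleaned before matching so dot segments cannot bypass a prefix test, and an unrecognised scope value is refused rather than treated as "all".

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// APIKeyScope carries the two values the PR describes. Type and constant
// names are assumptions for this example, not the project's own identifiers.
type APIKeyScope string

const (
	ScopeAll        APIKeyScope = "all"          // existing behaviour
	ScopeNoUserData APIKeyScope = "no_user_data" // no user-data endpoints
)

// WorkspaceAgent stands in for the agent record that an upstream auth
// middleware would load from the database (hypothetical shape).
type WorkspaceAgent struct{ APIKeyScope APIKeyScope }

type agentCtxKey struct{}

// WithAgent attaches the authenticated agent to the request context.
func WithAgent(ctx context.Context, a WorkspaceAgent) context.Context {
	return context.WithValue(ctx, agentCtxKey{}, a)
}

// AgentFromContext returns the agent stored by WithAgent, if any.
func AgentFromContext(ctx context.Context) (WorkspaceAgent, bool) {
	a, ok := ctx.Value(agentCtxKey{}).(WorkspaceAgent)
	return a, ok
}

// userDataEndpoints are the route prefixes that hand out user secrets. They
// mirror the two categories the PR names (external auth, Git SSH key); the
// literal paths are constructed for this example.
var userDataEndpoints = []string{
	"/api/v2/workspaceagents/me/external-auth",
	"/api/v2/workspaceagents/me/gitsshkey",
}

// IsUserDataEndpoint cleans the path first so "/me/x/../gitsshkey" cannot
// dodge a naive prefix test, and matches only on a segment boundary so
// "/gitsshkey-other" is not mistaken for "/gitsshkey".
func IsUserDataEndpoint(reqPath string) bool {
	clean := path.Clean(reqPath)
	for _, p := range userDataEndpoints {
		if clean == p || strings.HasPrefix(clean, p+"/") {
			return true
		}
	}
	return false
}

// AgentAPIKeyScopeCheck enforces the scope. A request without an agent (a
// user or provisioner key) is left to the other authorization layers; an
// agent with an unrecognised scope is refused rather than treated as "all",
// so a bad migration or a typo fails closed.
func AgentAPIKeyScopeCheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		agent, ok := AgentFromContext(r.Context())
		switch {
		case !ok, agent.APIKeyScope == ScopeAll:
			next.ServeHTTP(w, r)
		case agent.APIKeyScope == ScopeNoUserData && !IsUserDataEndpoint(r.URL.Path):
			next.ServeHTTP(w, r)
		case agent.APIKeyScope == ScopeNoUserData:
			http.Error(w, "agent API key scope forbids user data", http.StatusForbidden)
		default:
			http.Error(w, "unknown agent API key scope", http.StatusForbidden)
		}
	})
}

// Probe sends one GET through the middleware as an agent with the given
// scope and returns the HTTP status the client would see.
func Probe(scope APIKeyScope, target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req = req.WithContext(WithAgent(req.Context(), WorkspaceAgent{APIKeyScope: scope}))
	rec := httptest.NewRecorder()
	AgentAPIKeyScopeCheck(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, target := range []string{
		"/api/v2/workspaceagents/me/manifest",
		"/api/v2/workspaceagents/me/gitsshkey",
		"/api/v2/workspaceagents/me/x/../external-auth/github",
	} {
		fmt.Printf("%-52s all=%d no_user_data=%d\n", target, Probe(ScopeAll, target), Probe(ScopeNoUserData, target))
	}
}
```

Because the check keys off the scope stored with the agent rather than off anything the client sends, an agent cannot upgrade itself; the only way to widen access is to rebuild the workspace with a template that sets the scope to "all". Keeping the endpoint list as data next to the middleware also makes it easy to assert in tests that every route returning user secrets is covered.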

Member Author

ThomasK33 commented May 6, 2025

@ThomasK33 ThomasK33 changed the title from "feat(agent): add API key scope to restrict access to user data" to "feat: add API key scope to restrict access to user data" May 6, 2025
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from 6ee1c64 to fa4810b May 6, 2025 16:17
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from 5ffda26 to f43c610 May 6, 2025 16:18
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from fa4810b to 51a0361 May 6, 2025 16:18
@ThomasK33 ThomasK33 requested a review from Copilot May 6, 2025 16:19
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds the new API key scope feature for workspace agents to restrict access to user-specific data. Key changes include:

  • Adding an api_key_scope field in the Agent proto, database model, and terraform resource.
  • Integrating the new field into middleware (AgentAPIKeyScopeCheckMW) for access enforcement.
  • Updating audit logs and documentation to reflect the new API key scope attribute.

Reviewed Changes

Copilot reviewed 15 out of 19 changed files in this pull request and generated 2 comments.

Summary per file:

  • site/e2e/provisionerGenerated.ts: Adds the apiKeyScope field in the Agent interface and updates its encoding.
  • provisionersdk/proto/provisioner.proto: Introduces the new api_key_scope field with field number 26.
  • provisioner/terraform/resources.go: Updates agentAttributes and ConvertState to include APIKeyScope and improves slice allocation.
  • enterprise/audit/table.go and docs/admin/security/audit-logs.md: Updates audit log configurations to include the api_key_scope field.
  • coderd/...: Integrates api_key_scope handling in database queries, models, middleware, and tests, plus a minor improvement in tz_darwin.go using strings.ReplaceAll.
Files not reviewed (4)
  • coderd/database/dump.sql: Language not supported
  • coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql: Language not supported
  • coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql: Language not supported
  • coderd/database/queries/workspaceagents.sql: Language not supported

@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from 51a0361 to f685750 May 6, 2025 19:07
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from f43c610 to 4fe32d3 May 6, 2025 19:40
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch 2 times, most recently from 39814d8 to 07de6c8 May 7, 2025 09:42
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch 2 times, most recently from 5734989 to 937e55a May 7, 2025 09:45
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch 2 times, most recently from 67f2973 to d9b3dbc May 7, 2025 09:56
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from 937e55a to 4deeaf3 May 7, 2025 09:56
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from d9b3dbc to 9220437 May 7, 2025 11:19
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from 4deeaf3 to 5582625 May 7, 2025 12:34
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch 2 times, most recently from 171c263 to afa0215 May 7, 2025 13:37
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from 5582625 to 6cc32e3 May 7, 2025 13:37
@ThomasK33 ThomasK33 marked this pull request as ready for review May 7, 2025 13:58
@ThomasK33 ThomasK33 requested a review from Emyrk May 7, 2025 14:07
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from afa0215 to 795b6b5 May 7, 2025 19:36
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication branch from 6cc32e3 to bc33d16 May 7, 2025 19:36
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from 795b6b5 to d0766e9 May 7, 2025 19:46
@ThomasK33 ThomasK33 changed the base branch from thomask33/05-06-feat_mcp_add_support_for_running_mcp_server_without_user_authentication to graphite-base/17692 May 7, 2025 19:53
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from d0766e9 to 2d58a59 May 7, 2025 19:53
@ThomasK33 ThomasK33 force-pushed the graphite-base/17692 branch from bc33d16 to 29bce8d May 7, 2025 19:53
@graphite-app graphite-app bot changed the base branch from graphite-base/17692 to main May 7, 2025 19:53
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch 2 times, most recently from 7440aa8 to 2bdc470 May 7, 2025 20:01
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch 2 times, most recently from 57f1735 to 50943c1 May 7, 2025 22:47
Contributor

@spikecurtis spikecurtis left a comment


Needs to bump the provisionerd API version, since it adds a new (backward compatible) field.

@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from 50943c1 to 31e4751 May 8, 2025 07:51
@ThomasK33 ThomasK33 requested review from spikecurtis and Emyrk May 8, 2025 07:53
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from 31e4751 to c453560 May 8, 2025 07:59
@spikecurtis spikecurtis dismissed their stale review May 8, 2025 09:43

fixed; but I haven't reviewed the whole thing.

@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from c453560 to bc9cfb8 May 8, 2025 19:55

graphite-app bot commented May 8, 2025

Merge activity

  • May 8, 6:14 PM EDT: Graphite disabled "merge when ready" on this PR due to: a merge conflict with the target branch; resolve the conflict and try again.

…ut user data access

Change-Id: Ia5a7085afea6ad6ab7fdba2ab738357f4c519966
Signed-off-by: Thomas Kosiewski <[email protected]>
@ThomasK33 ThomasK33 force-pushed the thomask33/05-06-feat_add_api_key_scope_for_workspace_agents_to_support_running_without_user_data_access branch from bc9cfb8 to efbe50a May 9, 2025 07:52
3 participants