review improvements

ThomasK33 · ThomasK33 · commit 31e47515c00d · 2025-05-08T09:51:05.000+02:00
Change-Id: I7868299308cdf4fca36092025bf2692cfe652640
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -804,11 +804,6 @@ func New(options *Options) *API {
 		DB:       options.Database,
 		Optional: false,
 	})
-	// Same as above but optional
-	workspaceAgentInfoOptional := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
-		DB:       options.Database,
-		Optional: true,
-	})
 
 	// API rate limit middleware. The counter is local and not shared between
 	// replicas or instances of this middleware.
@@ -1029,7 +1024,6 @@ func New(options *Options) *API {
 		r.Route("/external-auth", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				workspaceAgentInfoOptional,
 			)
 			// Get without a specific external auth ID will return all external auths.
 			r.Get("/", api.listUserExternalAuths)
@@ -1265,12 +1259,8 @@ func New(options *Options) *API {
 							r.Get("/", api.workspaceByOwnerAndName)
 							r.Get("/builds/{buildnumber}", api.workspaceBuildByBuildNumber)
 						})
-						r.With(
-							workspaceAgentInfoOptional,
-						).Get("/gitsshkey", api.gitSSHKey)
-						r.With(
-							workspaceAgentInfoOptional,
-						).Put("/gitsshkey", api.regenerateGitSSHKey)
+						r.Get("/gitsshkey", api.gitSSHKey)
+						r.Put("/gitsshkey", api.regenerateGitSSHKey)
 						r.Route("/notifications", func(r chi.Router) {
 							r.Route("/preferences", func(r chi.Router) {
 								r.Get("/", api.userNotificationPreferences)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -3988,7 +3988,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		check.Args(database.InsertWorkspaceAgentParams{
 			ID:          uuid.New(),
 			Name:        "dev",
-			APIKeyScope: database.ApiKeyScopeEnumDefault,
+			APIKeyScope: database.AgentKeyScopeEnumAll,
 		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
@@ -210,7 +210,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
 		MOTDFile:                 takeFirst(orig.TroubleshootingURL, ""),
 		DisplayApps:              append([]database.DisplayApp{}, orig.DisplayApps...),
 		DisplayOrder:             takeFirst(orig.DisplayOrder, 1),
-		APIKeyScope:              takeFirst(orig.APIKeyScope, database.ApiKeyScopeEnumDefault),
+		APIKeyScope:              takeFirst(orig.APIKeyScope, database.AgentKeyScopeEnumAll),
 	})
 	require.NoError(t, err, "insert workspace agent")
 	return agt
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql b/coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql
@@ -3,4 +3,4 @@ ALTER TABLE workspace_agents
 DROP COLUMN IF EXISTS api_key_scope;
 
 -- Drop the enum type for API key scope
-DROP TYPE IF EXISTS api_key_scope_enum;
+DROP TYPE IF EXISTS agent_key_scope_enum;
diff --git a/coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql b/coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql
@@ -1,10 +1,10 @@
 -- Create the enum type for API key scope
-CREATE TYPE api_key_scope_enum AS ENUM ('default', 'no_user_data');
+CREATE TYPE agent_key_scope_enum AS ENUM ('all', 'no_user_data');
 
 -- Add the api_key_scope column to the workspace_agents table
--- It defaults to 'default' to maintain existing behavior for current agents.
+-- It defaults to 'all' to maintain existing behavior for current agents.
 ALTER TABLE workspace_agents
-ADD COLUMN api_key_scope api_key_scope_enum NOT NULL DEFAULT 'default';
+ADD COLUMN api_key_scope agent_key_scope_enum NOT NULL DEFAULT 'all';
 
 -- Add a comment explaining the purpose of the column
-COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''default'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
+COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''all'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/externalauth_test.go b/coderd/externalauth_test.go
@@ -713,7 +713,7 @@ func TestExternalAuthCallback(t *testing.T) {
 			apiKeyScope  string
 			expectsError bool
 		}{
-			{apiKeyScope: "default", expectsError: false},
+			{apiKeyScope: "all", expectsError: false},
 			{apiKeyScope: "no_user_data", expectsError: true},
 		} {
 			t.Run(tt.apiKeyScope, func(t *testing.T) {
@@ -746,6 +746,15 @@ func TestExternalAuthCallback(t *testing.T) {
 				token, err := agentClient.ExternalAuth(t.Context(), agentsdk.ExternalAuthRequest{
 					Match: "github.com/asd/asd",
 				})
+
+				if tt.expectsError {
+					require.Error(t, err)
+					var sdkErr *codersdk.Error
+					require.ErrorAs(t, err, &sdkErr)
+					require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
+					return
+				}
+
 				require.NoError(t, err)
 				require.NotEmpty(t, token.URL)
 
@@ -756,13 +765,8 @@ func TestExternalAuthCallback(t *testing.T) {
 						Match:  "github.com/asd/asd",
 						Listen: true,
 					})
-					if tt.expectsError {
-						assert.Error(t, err)
-						close(tokenChan)
-					} else {
-						assert.NoError(t, err)
-						tokenChan <- token
-					}
+					assert.NoError(t, err)
+					tokenChan <- token
 				}()
 
 				time.Sleep(250 * time.Millisecond)
@@ -771,9 +775,6 @@ func TestExternalAuthCallback(t *testing.T) {
 				require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 
 				token = <-tokenChan
-				if tt.expectsError {
-					return
-				}
 				require.Equal(t, "access_token", token.Username)
 
 				token, err = agentClient.ExternalAuth(t.Context(), agentsdk.ExternalAuthRequest{
diff --git a/coderd/gitsshkey_test.go b/coderd/gitsshkey_test.go
@@ -2,6 +2,7 @@ package coderd_test
 
 import (
 	"context"
+	"net/http"
 	"testing"
 
 	"github.com/google/uuid"
@@ -12,6 +13,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/gitsshkey"
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/provisioner/echo"
 	"github.com/coder/coder/v2/testutil"
@@ -134,7 +136,7 @@ func TestAgentGitSSHKey_APIKeyScopes(t *testing.T) {
 		apiKeyScope string
 		expectError bool
 	}{
-		{apiKeyScope: "default", expectError: false},
+		{apiKeyScope: "all", expectError: false},
 		{apiKeyScope: "no_user_data", expectError: true},
 	} {
 		t.Run(tt.apiKeyScope, func(t *testing.T) {
@@ -165,6 +167,9 @@ func TestAgentGitSSHKey_APIKeyScopes(t *testing.T) {
 
 			if tt.expectError {
 				require.Error(t, err)
+				var sdkErr *codersdk.Error
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
 			} else {
 				require.NoError(t, err)
 			}
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -118,7 +118,7 @@ func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuil
 					OwnerID:       row.WorkspaceTable.OwnerID,
 					TemplateID:    row.WorkspaceTable.TemplateID,
 					VersionID:     row.WorkspaceBuild.TemplateVersionID,
-					BlockUserData: row.WorkspaceAgent.APIKeyScope == database.ApiKeyScopeEnumNoUserData,
+					BlockUserData: row.WorkspaceAgent.APIKeyScope == database.AgentKeyScopeEnumNoUserData,
 				}),
 			)
 			if err != nil {
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -2003,9 +2003,9 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 			}
 		}
 
-		apiKeyScope := database.ApiKeyScopeEnumDefault
-		if prAgent.ApiKeyScope == string(database.ApiKeyScopeEnumNoUserData) {
-			apiKeyScope = database.ApiKeyScopeEnumNoUserData
+		apiKeyScope := database.AgentKeyScopeEnumAll
+		if prAgent.ApiKeyScope == string(database.AgentKeyScopeEnumNoUserData) {
+			apiKeyScope = database.AgentKeyScopeEnumNoUserData
 		}
 
 		agentID := uuid.New()
diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -97,14 +97,9 @@ var builtinScopes = map[ScopeName]Scope{
 		Role: Role{
 			Identifier:  RoleIdentifier{Name: fmt.Sprintf("Scope_%s", ScopeNoUserData)},
 			DisplayName: "Scope without access to user data",
-			Site: append(
-				// Workspace dormancy and workspace are omitted.
-				// Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec
-				allPermsExcept(ResourceUser),
-				// This adds back in the Workspace permissions.
-				Permissions(map[string][]policy.Action{
-					ResourceUser.Type: {policy.ActionRead},
-				})...),
+			// Workspace dormancy and workspace are omitted.
+			// Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec
+			Site: allPermsExcept(ResourceUser),
 			Org:  map[string][]Permission{},
 			User: []Permission{},
 		},
diff --git a/provisionerd/proto/version.go b/provisionerd/proto/version.go
@@ -12,9 +12,12 @@ import "github.com/coder/coder/v2/apiversion"
 //
 // API v1.4:
 //   - Add new field named `devcontainers` in the Agent.
+//
+// API v1.5:
+//   - Add new field named `api_key_scope` in the Agent.
 const (
 	CurrentMajor = 1
-	CurrentMinor = 4
+	CurrentMinor = 5
 )
 
 // CurrentVersion is the current provisionerd API version.
diff --git a/site/e2e/helpers.ts b/site/e2e/helpers.ts
@@ -644,7 +644,7 @@ const createTemplateVersionTar = async (
 						troubleshootingUrl: "",
 						token: randomUUID(),
 						devcontainers: [],
-						apiKeyScope: "default",
+						apiKeyScope: "all",
 						...agent,
 					} as Agent;
 
