synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-13 21:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add separate max token lifetime for administrators (#18267)

Browse Source 
# Add separate token lifetime limits for administrators

This PR introduces a new configuration option `--max-admin-token-lifetime` that allows administrators to create API tokens with longer lifetimes than regular users. By default, administrators can create tokens with a lifetime of up to 7 days (168 hours), while the existing `--max-token-lifetime` setting continues to apply to regular users.

The implementation:
- Adds a new `MaximumAdminTokenDuration` field to the session configuration
- Modifies the token validation logic to check the user's role and apply the appropriate lifetime limit
- Updates the token configuration endpoint to return the correct maximum lifetime based on the user's role
- Adds tests to verify that administrators can create tokens with longer and shorter lifetimes
- Updates documentation and help text to reflect the new option

This change allows organizations to grant administrators extended token lifetimes while maintaining tighter security controls for regular users.

Fixes #17395
This commit is contained in:
Thomas Kosiewski
2025-06-06 17:36:30 +02:00
committed by GitHub
parent 348d19ddb7
commit f569d9c33d
12 changed files with 178 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cli/testdata/coder_server_--help.golden vendored
View File

@ -332,6 +332,10 @@ NETWORKING / HTTP OPTIONS:
The maximum lifetime duration users can specify when creating an API The maximum lifetime duration users can specify when creating an API
token. token.
--max-admin-token-lifetime duration, $CODER_MAX_ADMIN_TOKEN_LIFETIME (default: 168h0m0s)
The maximum lifetime duration administrators can specify when creating
an API token.
--proxy-health-interval duration, $CODER_PROXY_HEALTH_INTERVAL (default: 1m0s) --proxy-health-interval duration, $CODER_PROXY_HEALTH_INTERVAL (default: 1m0s)
The interval in which coderd should be checking the status of The interval in which coderd should be checking the status of
workspace proxies. workspace proxies.

4
cli/testdata/server-config.yaml.golden vendored
View File

@ -25,6 +25,10 @@ networking:
# The maximum lifetime duration users can specify when creating an API token. # The maximum lifetime duration users can specify when creating an API token.
# (default: 876600h0m0s, type: duration) # (default: 876600h0m0s, type: duration)
maxTokenLifetime: 876600h0m0s maxTokenLifetime: 876600h0m0s
# The maximum lifetime duration administrators can specify when creating an API
# token.
# (default: 168h0m0s, type: duration)
maxAdminTokenLifetime: 168h0m0s
# The token expiry duration for browser sessions. Sessions may last longer if they # The token expiry duration for browser sessions. Sessions may last longer if they
# are actively making requests, but this functionality can be disabled via # are actively making requests, but this functionality can be disabled via
# --disable-session-expiry-refresh. # --disable-session-expiry-refresh.

3
coderd/apidoc/docs.go generated
View File

@ -15705,6 +15705,9 @@ const docTemplate = `{
"description": "DisableExpiryRefresh will disable automatically refreshing api\nkeys when they are used from the api. This means the api key lifetime at\ncreation is the lifetime of the api key.", "description": "DisableExpiryRefresh will disable automatically refreshing api\nkeys when they are used from the api. This means the api key lifetime at\ncreation is the lifetime of the api key.",
"type": "boolean" "type": "boolean"
}, },
"max_admin_token_lifetime": {
"type": "integer"
},
"max_token_lifetime": { "max_token_lifetime": {
"type": "integer" "type": "integer"
} }

3
coderd/apidoc/swagger.json generated
View File

@ -14283,6 +14283,9 @@
"description": "DisableExpiryRefresh will disable automatically refreshing api\nkeys when they are used from the api. This means the api key lifetime at\ncreation is the lifetime of the api key.", "description": "DisableExpiryRefresh will disable automatically refreshing api\nkeys when they are used from the api. This means the api key lifetime at\ncreation is the lifetime of the api key.",
"type": "boolean" "type": "boolean"
}, },
"max_admin_token_lifetime": {
"type": "integer"
},
"max_token_lifetime": { "max_token_lifetime": {
"type": "integer" "type": "integer"
} }

49
coderd/apikey.go
View File

@ -18,6 +18,7 @@ import (
"github.com/coder/coder/v2/coderd/database/dbtime" "github.com/coder/coder/v2/coderd/database/dbtime"
"github.com/coder/coder/v2/coderd/httpapi" "github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw" "github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy" "github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/telemetry" "github.com/coder/coder/v2/coderd/telemetry"
"github.com/coder/coder/v2/codersdk" "github.com/coder/coder/v2/codersdk"
@ -75,7 +76,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
} }
if createToken.Lifetime != 0 { if createToken.Lifetime != 0 {
err := api.validateAPIKeyLifetime(createToken.Lifetime) err := api.validateAPIKeyLifetime(ctx, user.ID, createToken.Lifetime)
if err != nil { if err != nil {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Failed to validate create API key request.", Message: "Failed to validate create API key request.",
@ -338,35 +339,69 @@ func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) {
// @Success 200 {object} codersdk.TokenConfig // @Success 200 {object} codersdk.TokenConfig
// @Router /users/{user}/keys/tokens/tokenconfig [get] // @Router /users/{user}/keys/tokens/tokenconfig [get]
func (api *API) tokenConfig(rw http.ResponseWriter, r *http.Request) { func (api *API) tokenConfig(rw http.ResponseWriter, r *http.Request) {
values, err := api.DeploymentValues.WithoutSecrets() user := httpmw.UserParam(r)
maxLifetime, err := api.getMaxTokenLifetime(r.Context(), user.ID)
if err != nil { if err != nil {
httpapi.InternalServerError(rw, err) httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
Message: "Failed to get token configuration.",
Detail: err.Error(),
})
return return
} }
httpapi.Write( httpapi.Write(
r.Context(), rw, http.StatusOK, r.Context(), rw, http.StatusOK,
codersdk.TokenConfig{ codersdk.TokenConfig{
MaxTokenLifetime: values.Sessions.MaximumTokenDuration.Value(), MaxTokenLifetime: maxLifetime,
}, },
) )
} }
func (api *API) validateAPIKeyLifetime(lifetime time.Duration) error { func (api *API) validateAPIKeyLifetime(ctx context.Context, userID uuid.UUID, lifetime time.Duration) error {
if lifetime <= 0 { if lifetime <= 0 {
return xerrors.New("lifetime must be positive number greater than 0") return xerrors.New("lifetime must be positive number greater than 0")
} }
if lifetime > api.DeploymentValues.Sessions.MaximumTokenDuration.Value() { maxLifetime, err := api.getMaxTokenLifetime(ctx, userID)
if err != nil {
return xerrors.Errorf("failed to get max token lifetime: %w", err)
}
if lifetime > maxLifetime {
return xerrors.Errorf( return xerrors.Errorf(
"lifetime must be less than %v", "lifetime must be less than %v",
api.DeploymentValues.Sessions.MaximumTokenDuration, maxLifetime,
) )
} }
return nil return nil
} }
// getMaxTokenLifetime returns the maximum allowed token lifetime for a user.
// It distinguishes between regular users and owners.
func (api *API) getMaxTokenLifetime(ctx context.Context, userID uuid.UUID) (time.Duration, error) {
subject, _, err := httpmw.UserRBACSubject(ctx, api.Database, userID, rbac.ScopeAll)
if err != nil {
return 0, xerrors.Errorf("failed to get user rbac subject: %w", err)
}
roles, err := subject.Roles.Expand()
if err != nil {
return 0, xerrors.Errorf("failed to expand user roles: %w", err)
}
maxLifetime := api.DeploymentValues.Sessions.MaximumTokenDuration.Value()
for _, role := range roles {
if role.Identifier.Name == codersdk.RoleOwner {
// Owners have a different max lifetime.
maxLifetime = api.DeploymentValues.Sessions.MaximumAdminTokenDuration.Value()
break
}
}
return maxLifetime, nil
}
func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*http.Cookie, *database.APIKey, error) { func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*http.Cookie, *database.APIKey, error) {
key, sessionToken, err := apikey.Generate(params) key, sessionToken, err := apikey.Generate(params)
if err != nil { if err != nil {

82
coderd/apikey_test.go
View File

@ -144,6 +144,88 @@ func TestTokenUserSetMaxLifetime(t *testing.T) {
require.ErrorContains(t, err, "lifetime must be less") require.ErrorContains(t, err, "lifetime must be less")
} }
func TestTokenAdminSetMaxLifetime(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
dc := coderdtest.DeploymentValues(t)
dc.Sessions.MaximumTokenDuration = serpent.Duration(time.Hour * 24 * 7)
dc.Sessions.MaximumAdminTokenDuration = serpent.Duration(time.Hour * 24 * 14)
client := coderdtest.New(t, &coderdtest.Options{
DeploymentValues: dc,
})
adminUser := coderdtest.CreateFirstUser(t, client)
nonAdminClient, _ := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
// Admin should be able to create a token with a lifetime longer than the non-admin max.
_, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 10,
})
require.NoError(t, err)
// Admin should NOT be able to create a token with a lifetime longer than the admin max.
_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 15,
})
require.Error(t, err)
require.Contains(t, err.Error(), "lifetime must be less")
// Non-admin should NOT be able to create a token with a lifetime longer than the non-admin max.
_, err = nonAdminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 8,
})
require.Error(t, err)
require.Contains(t, err.Error(), "lifetime must be less")
// Non-admin should be able to create a token with a lifetime shorter than the non-admin max.
_, err = nonAdminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 6,
})
require.NoError(t, err)
}
func TestTokenAdminSetMaxLifetimeShorter(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
dc := coderdtest.DeploymentValues(t)
dc.Sessions.MaximumTokenDuration = serpent.Duration(time.Hour * 24 * 14)
dc.Sessions.MaximumAdminTokenDuration = serpent.Duration(time.Hour * 24 * 7)
client := coderdtest.New(t, &coderdtest.Options{
DeploymentValues: dc,
})
adminUser := coderdtest.CreateFirstUser(t, client)
nonAdminClient, _ := coderdtest.CreateAnotherUser(t, client, adminUser.OrganizationID)
// Admin should NOT be able to create a token with a lifetime longer than the admin max.
_, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 8,
})
require.Error(t, err)
require.Contains(t, err.Error(), "lifetime must be less")
// Admin should be able to create a token with a lifetime shorter than the admin max.
_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 6,
})
require.NoError(t, err)
// Non-admin should be able to create a token with a lifetime longer than the admin max.
_, err = nonAdminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 10,
})
require.NoError(t, err)
// Non-admin should NOT be able to create a token with a lifetime longer than the non-admin max.
_, err = nonAdminClient.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
Lifetime: time.Hour * 24 * 15,
})
require.Error(t, err)
require.Contains(t, err.Error(), "lifetime must be less")
}
func TestTokenCustomDefaultLifetime(t *testing.T) { func TestTokenCustomDefaultLifetime(t *testing.T) {
t.Parallel() t.Parallel()

13
codersdk/deployment.go
View File

@ -468,6 +468,8 @@ type SessionLifetime struct {
DefaultTokenDuration serpent.Duration `json:"default_token_lifetime,omitempty" typescript:",notnull"` DefaultTokenDuration serpent.Duration `json:"default_token_lifetime,omitempty" typescript:",notnull"`
MaximumTokenDuration serpent.Duration `json:"max_token_lifetime,omitempty" typescript:",notnull"` MaximumTokenDuration serpent.Duration `json:"max_token_lifetime,omitempty" typescript:",notnull"`
MaximumAdminTokenDuration serpent.Duration `json:"max_admin_token_lifetime,omitempty" typescript:",notnull"`
} }
type DERP struct { type DERP struct {
@ -2340,6 +2342,17 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
YAML: "maxTokenLifetime", YAML: "maxTokenLifetime",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"), Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
}, },
{
Name: "Maximum Admin Token Lifetime",
Description: "The maximum lifetime duration administrators can specify when creating an API token.",
Flag: "max-admin-token-lifetime",
Env: "CODER_MAX_ADMIN_TOKEN_LIFETIME",
Default: (7 * 24 * time.Hour).String(),
Value: &c.Sessions.MaximumAdminTokenDuration,
Group: &deploymentGroupNetworkingHTTP,
YAML: "maxAdminTokenLifetime",
Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
},
{ {
Name: "Default Token Lifetime", Name: "Default Token Lifetime",
Description: "The default lifetime duration for API tokens. This value is used when creating a token without specifying a duration, such as when authenticating the CLI or an IDE plugin.", Description: "The default lifetime duration for API tokens. This value is used when creating a token without specifying a duration, such as when authenticating the CLI or an IDE plugin.",

1
docs/reference/api/general.md generated
View File

@ -454,6 +454,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"default_duration": 0, "default_duration": 0,
"default_token_lifetime": 0, "default_token_lifetime": 0,
"disable_expiry_refresh": true, "disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0 "max_token_lifetime": 0
}, },
"ssh_keygen_algorithm": "string", "ssh_keygen_algorithm": "string",

16
docs/reference/api/schemas.md generated
View File

@ -2625,6 +2625,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"default_duration": 0, "default_duration": 0,
"default_token_lifetime": 0, "default_token_lifetime": 0,
"disable_expiry_refresh": true, "disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0 "max_token_lifetime": 0
}, },
"ssh_keygen_algorithm": "string", "ssh_keygen_algorithm": "string",
@ -3124,6 +3125,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
"default_duration": 0, "default_duration": 0,
"default_token_lifetime": 0, "default_token_lifetime": 0,
"disable_expiry_refresh": true, "disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0 "max_token_lifetime": 0
}, },
"ssh_keygen_algorithm": "string", "ssh_keygen_algorithm": "string",
@ -6767,18 +6769,20 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
"default_duration": 0, "default_duration": 0,
"default_token_lifetime": 0, "default_token_lifetime": 0,
"disable_expiry_refresh": true, "disable_expiry_refresh": true,
"max_admin_token_lifetime": 0,
"max_token_lifetime": 0 "max_token_lifetime": 0
} }
``` ```
### Properties ### Properties
| Name | Type | Required | Restrictions | Description | | Name | Type | Required | Restrictions | Description |
|--------------------------|---------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |----------------------------|---------|----------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `default_duration` | integer | false | | Default duration is only for browser, workspace app and oauth sessions. | | `default_duration` | integer | false | | Default duration is only for browser, workspace app and oauth sessions. |
| `default_token_lifetime` | integer | false | | | | `default_token_lifetime` | integer | false | | |
| `disable_expiry_refresh` | boolean | false | | Disable expiry refresh will disable automatically refreshing api keys when they are used from the api. This means the api key lifetime at creation is the lifetime of the api key. | | `disable_expiry_refresh` | boolean | false | | Disable expiry refresh will disable automatically refreshing api keys when they are used from the api. This means the api key lifetime at creation is the lifetime of the api key. |
| `max_token_lifetime` | integer | false | | | | `max_admin_token_lifetime` | integer | false | | |
| `max_token_lifetime` | integer | false | | |
## codersdk.SlimRole ## codersdk.SlimRole

11
docs/reference/cli/server.md generated
View File

@ -910,6 +910,17 @@ Periodically check for new releases of Coder and inform the owner. The check is
The maximum lifetime duration users can specify when creating an API token. The maximum lifetime duration users can specify when creating an API token.
### --max-admin-token-lifetime
| | |
|-------------|----------------------------------------------------|
| Type | <code>duration</code> |
| Environment | <code>$CODER_MAX_ADMIN_TOKEN_LIFETIME</code> |
| YAML | <code>networking.http.maxAdminTokenLifetime</code> |
| Default | <code>168h0m0s</code> |
The maximum lifetime duration administrators can specify when creating an API token.
### --default-token-lifetime ### --default-token-lifetime
| | | | | |

4
enterprise/cli/testdata/coder_server_--help.golden vendored
View File

@ -333,6 +333,10 @@ NETWORKING / HTTP OPTIONS:
The maximum lifetime duration users can specify when creating an API The maximum lifetime duration users can specify when creating an API
token. token.
--max-admin-token-lifetime duration, $CODER_MAX_ADMIN_TOKEN_LIFETIME (default: 168h0m0s)
The maximum lifetime duration administrators can specify when creating
an API token.
--proxy-health-interval duration, $CODER_PROXY_HEALTH_INTERVAL (default: 1m0s) --proxy-health-interval duration, $CODER_PROXY_HEALTH_INTERVAL (default: 1m0s)
The interval in which coderd should be checking the status of The interval in which coderd should be checking the status of
workspace proxies. workspace proxies.

1
site/src/api/typesGenerated.ts generated
View File

@ -2519,6 +2519,7 @@ export interface SessionLifetime {
readonly default_duration: number; readonly default_duration: number;
readonly default_token_lifetime?: number; readonly default_token_lifetime?: number;
readonly max_token_lifetime?: number; readonly max_token_lifetime?: number;
readonly max_admin_token_lifetime?: number;
} }
// From codersdk/client.go // From codersdk/client.go