release: 0.7.1 — API tokens with TTL + scope#139
Merged
Conversation
API tokens gain optional `expires_at:` (UTC ISO 8601) and `scope:`
(list of path globs) fields — tighten the blast radius of a leaked
CI runner token without rewriting the auth flow. Inspired by
Proxmox's API token model.
Configuration:
auth:
tokens:
- name: ci-runner
token_hash: "sha256:..."
role: admin
expires_at: "2026-12-31T23:59:59Z"
scope:
- /api/v1/containers/*
- /api/v1/exports/*
Scope rules:
- exact match: "/api/v1/host"
- trailing /*: "/api/v1/containers/*" matches any path starting
with "/api/v1/containers/" (slash REQUIRED — the
bare prefix "/api/v1/containers" does NOT match,
so per-resource access doesn't leak the
collection-list endpoint).
Backward compatibility: pre-0.7.1 configs unchanged. Missing
expires_at -> 0 -> never expires. Missing scope -> [] -> no
restriction. Existing tokens behave identically after upgrade.
Implementation:
- lib/auth_pure.{h,cpp}: extends with parseIso8601Utc(s) (returns
-1 on bad shape / bad month range / non-UTC offset; uses timegm),
isExpired(t, now) (strict-after; expiresAt=0 always false),
pathInScope(scope, path), checkBearerAuthFull(..., path, now).
- daemon/config.{h,cpp}: AuthToken gains expiresAt + scope.
YAML parser reads expires_at (rejects malformed) and scope
(scalar or sequence).
- daemon/auth.cpp: isAuthorized() calls checkBearerAuthFull with
req.path and time(nullptr).
- daemon/crated.conf.sample: documents new fields with ci-runner
example.
Tests: +13 new ATF cases in auth_pure_test.cpp (28/28 verified
locally; expect 737/737 cluster-wide on FreeBSD CI). Covers
parseIso8601Utc canonical/invalid/offset-zero, isExpired
strict-after invariant, pathInScope incl. the slash-required
property for trailing globs, and checkBearerAuthFull integration
(expired-rejected, out-of-scope-rejected, happy path,
backward-compat).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
API tokens gain optional
expires_at(UTC ISO 8601) andscope(list of path globs) fields — tighten the blast radius of a leaked CI runner token without rewriting the auth flow. Inspired by Proxmox's API token model.Scope rules
/api/v1/host/api/v1/containers/*matches any path starting with/api/v1/containers/. The slash is required — the bare prefix/api/v1/containersdoes NOT match the glob, so granting per-resource access doesn't leak the collection-list endpoint.Backward compatibility
Pre-0.7.1 configs work unchanged:
expires_at→0→isExpired()returns false → never expiresscope→[]→pathInScope()returns true → no restrictionExisting tokens with just
name/token_hash/rolebehave identically after upgrade.Implementation
lib/auth_pure.{h,cpp}—parseIso8601Utc(returns-1on bad shape, bad month range, non-UTC offset),isExpired(strict-after;expiresAt=0always false),pathInScope(empty scope → true; exact or/*-suffix),checkBearerAuthFull(combined hash+role+expiry+scope).daemon/config.{h,cpp}—AuthToken.expiresAt+AuthToken.scope. YAML parser readsexpires_at:andscope:(scalar or sequence).daemon/auth.cpp—isAuthorized()callscheckBearerAuthFullwithreq.pathandtime(nullptr).daemon/crated.conf.sample— documents new fields withci-runnerexample.Tests
tests/unit/auth_pure_test.cpp— 13 new ATF cases on top of the existing 15:parseIso8601Utc2026-13-31, slash separators),+00:00/-00:00parses as UTCisExpired0= never; strict-after at boundary (exact-second still alive)pathInScope/*glob; glob requires slash — bare prefix doesn't matchcheckBearerAuthFullVerified locally: 28/28 in
auth_pure_test. Cluster-wide expected at 737/737 on FreeBSD CI.Test plan
kyua test auth_pure_test— 28/28crated.conf.sampledocuments new fieldsTODO— TTL+scope moved to Donehttps://claude.ai/code/session_01X6t6tzVypHye5bDGLxzmZK
Generated by Claude Code