API keys #1359

Merged
merged 30 commits into from Oct 7, 2020


@pfeuffer pfeuffer commented Oct 5, 2020

Proposed changes

This adds so-called "API keys", aka tokens, that a user can create as an alternative to his usual credentials to access the REST API and for SCM client access (git, hg and svn).

The essential part of an API key is a random 20-digit passphrase. Together with the user name and an id, this is packed as a JSON representation and encoded as a base64 string. This is presented once to the user (or as the result of the REST API call to create the key), but will be stored nowhere. Only a hashed value of this random passphrase is stored (like the normal user passwords), so that such a token can more or less be checked the same way (after extraction) a password is checked.

For this, a new realm has been added that takes these API keys either as a bearer token or as a password for basic authentication.

API keys are limited to repositories and a specific role. Therefore they cannot be used for global configuration or user and group administration.

Your checklist for this pull request

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • PR is well described
  • Related issues linked to PR if existing and labels set
  • Target branch is not master (in most cases develop should be the target of choice)
  • Code does not conflict with target branch
  • New code is covered with unit tests
  • CHANGELOG.md updated
  • Definition of Done's fulfilled: DoD // UI DoD
  • Documentation updated (only necessary for new features or changed behaviour)

Checklist for branch merge request (not required for forks)
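
The token scheme described in the PR text above, as an added sketch that is not the project's code and not part of the original comment. The JSON field names, the alphanumeric alphabet, PBKDF2-HMAC-SHA256 as the password-style hash, the in-memory `store` dict and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: passphrase alphabet
ROUNDS = 100_000  # assumption: PBKDF2 stands in for the project's password hashing


def hash_passphrase(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ROUNDS)


def create_api_key(store: dict, user: str, key_id: str, role: str) -> str:
    """Return the token shown once to the user; persist only salt, hash and role."""
    passphrase = "".join(secrets.choice(ALPHABET) for _ in range(20))
    salt = secrets.token_bytes(16)
    digest = hash_passphrase(passphrase.encode(), salt)
    store[(user, key_id)] = {"salt": salt, "hash": digest, "role": role}
    payload = json.dumps({"user": user, "id": key_id, "passphrase": passphrase})
    return base64.urlsafe_b64encode(payload.encode()).decode()


def verify_api_key(store: dict, token: str):
    """Return the role bound to the key, or None when the token is not valid."""
    try:
        data = json.loads(base64.urlsafe_b64decode(token))
        user, key_id = str(data["user"]), str(data["id"])
        secret = data["passphrase"].encode()
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # not base64, not JSON, or fields missing or of the wrong type
    record = store.get((user, key_id))
    if record is None:
        hash_passphrase(secret, b"\0" * 16)  # keep timing similar for unknown keys
        return None
    candidate = hash_passphrase(secret, record["salt"])
    # Constant-time comparison, as for a password check.
    return record["role"] if hmac.compare_digest(candidate, record["hash"]) else None
```

Because the user name and id travel inside the token, the verifier can look up the right stored hash before checking the passphrase, and deleting the stored record revokes the key.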


sonarcloud bot commented Oct 6, 2020

Kudos, SonarCloud Quality Gate passed!

0 Bugs (rating A)
0 Vulnerabilities (rating A) and 0 Security Hotspots to review
2 Code Smells (rating A)

0.2% Coverage
0.0% Duplication

@eheimbuch eheimbuch merged commit 6eaae7b into develop Oct 7, 2020
@eheimbuch eheimbuch deleted the feature/api_keys branch October 7, 2020 06:43