Add admin service account token issuance#896
Conversation
|
Warning Review limit reached
Next review available in: 2 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThis PR adds a Django admin interface for issuing service account tokens, including a new form with scope/expiry validation, a custom admin view and URL route, an "Issue token" link in the admin list, a rendering template, corresponding tests, and documentation updates reflecting the new admin-based token issuance option. ChangesAdmin Issue Token Feature
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Admin
participant ServiceAccountAdmin
participant ServiceAccountTokenIssueForm
participant ServiceAccountToken
Admin->>ServiceAccountAdmin: Open "Issue token" link for account
ServiceAccountAdmin->>ServiceAccountAdmin: Load account, check change permission
Admin->>ServiceAccountAdmin: Submit scopes and optional expiry
ServiceAccountAdmin->>ServiceAccountTokenIssueForm: Validate scopes and expires_at
ServiceAccountTokenIssueForm-->>ServiceAccountAdmin: Cleaned data or validation errors
alt Form valid
ServiceAccountAdmin->>ServiceAccountToken: issue(account, scopes, expires_at)
ServiceAccountToken-->>ServiceAccountAdmin: token record + plaintext value
ServiceAccountAdmin-->>Admin: Render success page with plaintext token
else Form invalid
ServiceAccountAdmin-->>Admin: Re-render form with errors
end
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/service_accounts/admin.py`:
- Around line 17-41: The ServiceAccountTokenIssueForm currently accepts
arbitrary scope strings, so add validation in clean_scopes to reject values not
present in the allowed scope set used by the service-account views. Derive that
allowed set from the scopes referenced in required_scopes (or the existing
central scope registry if available), then check each parsed scope against it
before returning the deduplicated list. Keep the logic in
ServiceAccountTokenIssueForm.clean_scopes so invalid typos are blocked before
token creation.
In
`@backend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.html`:
- Around line 43-58: The plaintext token field in issue_token.html is missing a
programmatic label association, so update the label/input pair in the plaintext
token section to use matching for/id attributes. Keep the existing readonly
token display, but ensure the label text “Plaintext token:” is tied to the input
element so assistive technologies can announce it correctly.
In `@backend/service_accounts/tests/test_service_accounts.py`:
- Around line 207-226: The digest check in
test_admin_can_issue_token_for_service_account is too weak because it only
verifies the plaintext is not a substring of token.digest. Update the assertion
to compare token.digest against the actual SHA-256 digest of the issued
plaintext token in this test, using the existing plaintext and
ServiceAccountToken objects to locate the relevant values. This will ensure the
test validates the stored digest matches the expected hash, not just that it
differs from the plaintext.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 71a4ac4c-e3b1-4630-af71-b0f91868cb0a
📒 Files selected for processing (6)
.claude/skills/ai-review.mdbackend/CLAUDE.mdbackend/service_accounts/admin.pybackend/service_accounts/templates/admin/service_accounts/serviceaccount/issue_token.htmlbackend/service_accounts/tests/test_service_accounts.pybackend/submissions_review.md
Summary
Validation
Summary by CodeRabbit
New Features
Bug Fixes
Documentation