move back to authorize

f0ssel · f0ssel · commit 1214b6275c27 · 2024-07-24T17:09:36.000Z
diff --git a/coderd/httpmw/provisionerdaemon.go b/coderd/httpmw/provisionerdaemon.go
@@ -30,7 +30,6 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			org := OrganizationParam(r)
 
 			handleOptional := func(code int, response codersdk.Response) {
 				if opts.Optional {
@@ -103,13 +102,6 @@ func ExtractProvisionerDaemonAuthenticated(opts ExtractProvisionerAuthConfig) fu
 				return
 			}
 
-			if pk.OrganizationID != org.ID {
-				handleOptional(http.StatusUnauthorized, codersdk.Response{
-					Message: "provisioner daemon key invalid",
-				})
-				return
-			}
-
 			// The provisioner key does not indicate a specific provisioner daemon. So just
 			// store a boolean so the caller can check if the request is from an
 			// authenticated provisioner daemon.
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -284,7 +284,6 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Use(
 				api.provisionerDaemonsEnabledMW,
 				apiKeyMiddlewareOptional,
-				httpmw.ExtractOrganizationParam(api.Database),
 				httpmw.ExtractProvisionerDaemonAuthenticated(httpmw.ExtractProvisionerAuthConfig{
 					DB:              api.Database,
 					Optional:        true,
@@ -294,6 +293,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				// Either a user auth or provisioner auth is required
 				// to move forward.
 				httpmw.RequireAPIKeyOrProvisionerDaemonAuth(),
+				httpmw.ExtractOrganizationParam(api.Database),
 			)
 			r.With(apiKeyMiddleware).Get("/", api.provisionerDaemons)
 			r.With(apiKeyMiddlewareOptional).Get("/serve", api.provisionerDaemonServe)
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -108,6 +108,13 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, orgID uuid.UUID, tags
 		return nil, false
 	}
 
+	pk, ok := httpmw.ProvisionerKeyAuthOptional(r)
+	if ok {
+		if pk.OrganizationID != orgID {
+			return nil, false
+		}
+	}
+
 	// If using provisioner key / PSK auth, the daemon is, by definition, scoped to the organization.
 	tags = provisionersdk.MutateTags(uuid.Nil, tags)
 	return tags, true
