
Commit 161842d

committed
extract getAgentSubject()
1 parent 083bcf2 commit 161842d


1 file changed

+34
-34
lines changed


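--- a/coderd/httpmw/workspaceagent.go
+++ b/coderd/httpmw/workspaceagent.go
@@ -65,48 +65,48 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 return
 }
 
-workspace, err := db.GetWorkspaceByAgentID(systemCtx, agent.ID)
+subject, err := getAgentSubject(ctx, db, agent)
 if err != nil {
-// TODO: details
-httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-Message: "Workspace agent not authorized.",
-})
-return
-}
-
-user, err := db.GetUserByID(systemCtx, workspace.OwnerID)
-if err != nil {
-// TODO: details
-httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-Message: "Workspace agent not authorized.",
-})
-return
-}
-
-roles, err := db.GetAuthorizationUserRoles(systemCtx, user.ID)
-if err != nil {
-// TODO: details
-httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-Message: "Workspace agent not authorized.",
+httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+Message: "Internal error fetching workspace agent.",
+Detail: err.Error(),
 })
 return
 }
 
-// A user that creates a workspace can use this agent auth token and
-// impersonate the workspace. So to prevent privilege escalation, the
-// subject inherits the roles of the user that owns the workspace.
-// We then add a workspace-agent scope to limit the permissions
-// to only what the workspace agent needs.
-subject := rbac.Subject{
-ID: user.ID.String(),
-Roles: rbac.RoleNames(roles.Roles),
-Groups: roles.Groups,
-Scope: rbac.WorkspaceAgentScope(workspace.ID),
-}
-
 ctx = context.WithValue(ctx, workspaceAgentContextKey{}, agent)
 ctx = authzquery.WithAuthorizeContext(ctx, subject)
 next.ServeHTTP(rw, r.WithContext(ctx))
 })
 }
 }
+
+func getAgentSubject(ctx context.Context, db database.Store, agent database.WorkspaceAgent) (rbac.Subject, error) {
+// TODO: make a different query that gets the workspace owner and roles along with the agent.
+workspace, err := db.GetWorkspaceByAgentID(ctx, agent.ID)
+if err != nil {
+return rbac.Subject{}, err
+}
+
+user, err := db.GetUserByID(ctx, workspace.OwnerID)
+if err != nil {
+return rbac.Subject{}, err
+}
+
+roles, err := db.GetAuthorizationUserRoles(ctx, user.ID)
+if err != nil {
+return rbac.Subject{}, err
+}
+
+// A user that creates a workspace can use this agent auth token and
+// impersonate the workspace. So to prevent privilege escalation, the
+// subject inherits the roles of the user that owns the workspace.
+// We then add a workspace-agent scope to limit the permissions
+// to only what the workspace agent needs.
+return rbac.Subject{
+ID: user.ID.String(),
+Roles: rbac.RoleNames(roles.Roles),
+Groups: roles.Groups,
+Scope: rbac.WorkspaceAgentScope(workspace.ID),
+}, nil
+}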
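Review bot: The error branch at new lines 70-72 now turns every failure of getAgentSubject, including a lookup that simply finds no workspace or owner row for the agent, into a 500 that echoes the raw database error in `Detail`, where the removed code answered 401 with no details; a presented token whose workspace or owner no longer exists should still be refused as unauthorized, and the store's error text should not be returned to the token holder. Checking `errors.Is(err, sql.ErrNoRows)` keeps the 401 path and reserves the 500 for genuinely unexpected errors, as sketched below. The helper is also called with the request `ctx` where the removed lines passed `systemCtx` to the same three queries; if the store consults the context for authorization, those lookups may now behave differently, so that substitution deserves a second look. `getAgentSubject` would benefit from a doc comment such as `// getAgentSubject builds the RBAC subject an agent acts as: the workspace owner's roles and groups, narrowed to a workspace-agent scope.` ExtractWorkspaceAgent's body begins before the hunk.
```go
if err != nil {
	if errors.Is(err, sql.ErrNoRows) {
		httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
			Message: "Workspace agent not authorized.",
		})
		return
	}
	httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
		Message: "Internal error fetching workspace agent.",
	})
	return
}
// … unchanged: context wiring and next.ServeHTTP …
```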
